I had beers and cigars last night at the Cancun Cantina with three old friends. One of the guys was a Marine E6 when we met. I was a new LTjg. He's preparing to retire as a Warrant Officer now. Another was the head of Incident Response when we worked together, now, Chief Technology Officer. The last is the CISO for a local defense contractor.
Our talk sounded like sea stories. In the late 90s my Marine friend and I (and others) earned our stripes analyzing Moonlight Maze, Solar Sunrise, the downing of the EP3 in Hainan Island and just about any cyber event (they weren't called cyber at the time), or events with cyber consequences. Our team authored first models for behavioral analysis, spending countless hours with Suresh Konda coding thousands of compiled computer intrusions, to be used in the early days of SiLK models.
I was reintroduced to this world in 2006 as Titan Rain was winding down, and another set of intrusions (perhaps just renamed?) was ramping up, known by a name I believe to be still classified; I'll refer you to a link. Before any new attribution names were assigned to the new activities, my incident response buddy and I sat on opposite sides of the table. Me, the intel guy, wanted to leave systems up to learn the lessons. His job was to get them back online. We joked about lots of beer, midnight Guitar Hero in our Mass.-based lab, and many, many near fistfights with wide open screaming mouths, and a LOT of spit flying over the table as we discussed ways forward.
The last, the CISO, has been doing this from the start, but we only met a couple of years ago. He's seen it all, developed all of his own tools, and takes pride in changing log-in credentials to offensive messages because he knows the attackers will read them.
It was a fun night. Working 166 of the 168 hours available during the week at the time burns you out fast, but looking back on it now, it doesn't seem so bad. The shared experience of having been on the cutting edge of this new era of cyber, while not good for computers, was a real learning experience for us. All three of us, and many others, had real impact on the way these events are handled today, and the lessons that will be passed to those who've not yet experienced their oh sh*t moment... that moment when you realize someone is in your network; you've never seen it before, and you have absolutely no idea what to do about it.
For us, I wish we knew then what we know now. In uniform, who we asked for help was easy. Unfortunately we were the experts! Roughly 10 years ago we joined FIRST, and looked for active places to share lessons learned and ask for help, but FIRST members hadn't been seeing the kinds of activities we were working, so out of sheer exhaustion, three companies signed NDAs and started sharing APT information. I believe they're up to about 60 or so now... I've not kept up.
Today, there's no end to the number of places that'll sell you Indicators of Compromise (IOCs). You can read about much of the happenings in open-source Google groups and an endless supply of links on LinkedIn. There is no easy button, but there are seemingly hundreds of vendors that'll sell you a box with a red light that lights up when spies or thieves are being gangster-slapped at the border router automatically by your new magic box, or a green light when that sexy magic box is humming along, bored, because it's not killing connections.
So yes, the codger moniker? The idea that I look at everything in this space with one eye closed, squinting with the other, isn't just because my bifocals require their now annual update. It's because when I hear a vendor tell a customer that their magic 8 ball answers 'yes you can' to the question 'can I buy a box that'll kill every bad connection, allow every good, and at the same time fill all of the compliance needs, supply metrics required by management, and when asked, prepare and deliver a perfect whoopie pie in a little glass door that serves as both the ingestion spot for gobbling all of those IOCs and, when needed, the dispensing door for that really awesome chocolatey creamy taste of heaven'... I laugh... out loud.
Yup. I've been doing this a while. I need some intellectual tennis with people new to the space, so Monday morning before heading out of Manchester, I spoke to a class at the University of New Hampshire. The class had kids from all areas - computer information systems/science, liberal arts, business - and included a couple of veterans. I offered a talk, as I often do, on the state of cyber: What is APT? How is it that companies lose credit cards? ...a basic threat brief. I wasn't peppered with questions, but the ones I did get were good:
- Are we winning the cyberwar? If not, why not?
- What are my thoughts on Edward Snowden?
- How do we get involved? What is the path to follow to get into information security?