Events
Speaker and Topic Information
Next Meeting: Tuesday, July 15, 2008
1st Speaker: Edward Schwartz, NetWitness Corporation
Topic (1 of 2): Detection of Beacon Trojans and Advanced Data Exfiltration Techniques
Drawing upon experience with Titan Rain and more sophisticated attacks observed within the public and private sectors, this session provides an in-depth examination of advanced data exfiltration techniques. This session describes methodologies and technologies for analyzing and detecting these zero-day attacks and provides techniques for building an alerting function for detecting beacon Trojans.
Many successful attacks today fly way under the radar of current intrusion detection methodologies. For example, foreign intelligence agencies and organized crime rings use targeted spear phishing techniques combined with fresh application exploits to gain a foothold inside of their quarry’s networks. Attackers maintain access to victimized organizations by installing simple, but effective code that “beacons” to one or more hosts outside of the organization under the control of the adversary.
“Beacon receiver hosts” are typically hard-coded into the malicious code as canonical hostnames that are pre-registered in advance of the initial attack, most often with free dynamic DNS hosting services. These hosting services are based overseas, which complicates effective law enforcement investigations. Embedding canonical DNS names rather than IP addresses in the beacon code allows attackers to change beacon receiver hosts on the fly. Attackers often register DNS names that look legitimate to decrease the chance that they will be noticed in network traffic or in host and security system logs.
This session demonstrates how statistical analyses and mathematical operations can identify stealthy beacon traffic hiding in rivers of data. We show how to determine whether your organization is currently being exploited by beacon Trojans (as many are, without knowing it), and how to build a monitoring infrastructure that will help you identify this type of activity as soon as it begins, rather than after the adversary has captured gigabytes of your data.
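One way to put the periodicity idea above into code, as an added example that is not from the talk or from NetWitness: it groups outbound connections by source and destination, and flags pairs whose inter-connection gaps are frequent and regular enough (low coefficient of variation) to look like a scheduled check-in. The IPs, hostnames and log records are constructed; the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection records (not from the talk). Each line:
# "<ISO timestamp> <source IP> <destination hostname>". Names are placeholders.
_T0 = datetime(2008, 7, 15, 9, 0, 0)
_BEACON_JITTER = [0, 1, -1, 2, 0, 1, -2, 0, 1, 0]        # seconds around a 60 s period
_BROWSE_GAPS = [3, 40, 7, 600, 2, 95, 1, 1800, 12, 33]   # irregular human browsing
SAMPLE_LOG = "\n".join(
    [f"{(_T0 + timedelta(seconds=60 * i + j)).isoformat()} 10.0.0.5 beacon-rx.example.test"
     for i, j in enumerate(_BEACON_JITTER)]
    + [f"{(_T0 + timedelta(seconds=sum(_BROWSE_GAPS[:i + 1]))).isoformat()} 10.0.0.9 www.news.example.test"
       for i in range(len(_BROWSE_GAPS))]
)

def parse_log(text):
    """Group connection timestamps by (source, destination) pair, sorted in time."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in pairs.items()}

def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for one series.
    A low CV means the connections recur at a nearly fixed period."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv

def find_beacons(text, min_connections=8, max_cv=0.1):
    """Flag pairs with enough connections whose timing is regular enough to
    resemble a beacon; returns {(src, dst): (period_seconds, cv)}."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        mean, cv = beacon_score(stamps)
        if cv <= max_cv:
            hits[pair] = (round(mean, 1), round(cv, 3))
    return hits

if __name__ == "__main__":
    for (src, dst), (period, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon-like: {src} -> {dst} every ~{period}s (cv={cv})")
```

In a real deployment the same scoring runs over flow or proxy logs per (host, destination) pair, and a second pass can rank hits by how recently the destination name was registered.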
About the 1st Speaker:
Eddie Schwartz is Chief Security Officer for NetWitness, the leading provider of next generation network monitoring software. Eddie has 25 years of experience as an information technology professional and as an information security and privacy expert, specializing in the financial services and federal government sectors. He has performed a broad range of work including technical architecture and engineering, and technology management consulting for many large commercial and U.S. Government entities. Prior to joining NetWitness, Eddie was CTO for ManTech, Executive VP and General Manager for Predictive Systems (acquired by INS), COO at Guardent (acquired by Verisign), and Chief Information Security Officer (CISO) for Nationwide Insurance Enterprise. Eddie has an M.S. in Technology Management and a B.I.S. in Information Security from George Mason University.
2nd Speaker: George Spafford, Principal Consultant, Pepperweed
Topic (2 of 2): The Visible Ops Presentation
This presentation introduces the concepts of Visible Ops, covering the background of the need for it and its four phases: Phase 1: Stabilize the Patient and Get Plugged into Production; Phase 2: Find Business Risks and Fix Fragile Artifacts; Phase 3: Implement Development and Release Controls; Phase 4: Continual Improvement.
About the 2nd Speaker:
George is an experienced practitioner in business and IT operations. He is a prolific author and speaker, and has consulted and conducted training on regulatory compliance, IT Governance, and process improvement in the U.S., Australia, New Zealand and China. Publications include co-authorship of “The Visible Ops Handbook” and “Visible Ops Security”. George holds an MBA from Notre Dame, a BA in Materials and Logistics Management from Michigan State University and an honorary degree from Konan Daigaku in Japan. He is an ITIL Service Manager, TOCICO Jonah and a Certified Information Systems Auditor (CISA). George is a current member of the IIA, ISACA, ITPI, ITSMF, and the TOCICO.