Elastic{ON} Tour D.C. - Tackling Cyber with RockNSM

Transcript

1. 1 CPT Derek “dcode” Ditch October 27, 2017, MOCYBER Twitter:

   @dcode http://rocknsm.io Fending Off the Adversary with a

2. 2 $ whois dcode • keybase.io/dcode • github.com/dcode • linkedin.com/in/dditch

   Some of my identities on the web

3. 3 $ whois derek.ditch • Cyber Officer* in the Missouri

   Army National Guard, 17 years of service • Senior sensor platform engineer for major US bank • Former senior intrusion analyst in NTOC • MS Computer Science, published research in critical infrastructure protection • Father of 3 boys • Live in San Antonio My physical persona * I was previously an all-source intelligence officer

4. 4 $ whois MOCYBER • We’re an ad-hoc unique &

   beautiful snowflake ‒Part Army CPT ‒Part National Guard DCO-E ‒Part Air National Guard • We’re all volunteer militia • Since 2010, 31 missions & exercises The Team

5. 5 Less talk… more ROCK

6. 6 What is ROCK? A collection platform designed for Network

   Security Monitoring focused on: • Security. Passive sensors are one of the most valuable information assets on your network. Keep them to yourself. • Performance. Processing line-rate network data is taxing on your systems. Let's make the most of them. • Analysis. Connect the dots that make sense at collection time to aid human-driven analysis. • Production-Ready. Sometimes you have to spin up a sensor on short notice. If you wait until the last minute, it better only take a minutes.

7. 7 What is ROCK? Yeah, but what’s in it?

8. 8 Basically… all the things you need. Nothing you don’t.

9. 9 I only want to sell you an idea... and

   it won't cost you... or the taxpayers a dime.

10. 10 What’s the goal? Accept some foundational ideas: • Secure

    Architecture • Smart tactics • Defend with a purpose

11. 11 I’m not trapped in here with you… you’re trapped

    in here with me. ~ Adversary in Your Network, Probably

12. 12 Secure Architecture

13. 13 What’s the goal? Accept some foundational ideas: • Secure

    Architecture • Smart tactics • Defend with a purpose

14. 14 14 ...

15. 15 15 ...

16. 16 Let’s explore this tabletop scenario

17. 17 Assume Everything is Compromised.

18. 18 Smart Tactics • Passive first! • Use ephemeral infrastructure

    • Minimize use of privileged tokens • Collect all the things and cross reference your observations

19. 19 What’s the goal? Accept some foundational ideas: • Secure

    Architecture • Smart tactics • Defend with a purpose

20. 20 Cyber is a human versus human conflict. ~ Me

21. 21 Analysis Focused Operations

22. 22 Analysis Focused Operations

23. 23 Analysis Focused Operations

24. 24 Analysis Focused Operations

25. 25 Analysis Focused Operations

26. 26 Analysis Focused Operations

27. 27 Analysis Focused Operations

28. 28 SOF Truths • Humans are more important than hardware.

    • Quality is better than Quantity. • Special Operations Forces (SOF) cannot be mass produced. • Competent SOF cannot be created after emergencies occur. • Most Special Operations require non-SOF assistance.

29. 29 Thanks! CPT Derek "dcode" Ditch [email protected] | [email protected] http://linkedin.com/in/dditch

    Try RockNSM today! http://rocknsm.io