Cybercontrol demands intelligence
- By Susan M. Menke
- Dec 11, 2002
Brian Kelly, iDefense risk manager
Brian Kelly is in the alarm business. The retired Air Force lieutenant colonel joined iDefense Inc. of Chantilly, Va., as president and chief operating officer early last year, in the midst of a spurt of Internet mischief involving the notorious Code Red and Nimda worms.
The Sept. 11 terrorist attacks brought new demands for cyberintelligence as well as a new emphasis on studying the modus operandi of what Kelly calls 'the threat actor' who is responsible for terrorism. iDefense over the years has written more than 14,000 intelligence reports on information security.
Kelly formerly was president and COO of Newbrook Technologies, which merged with iMask Inc. of Chantilly, Va. Before that, he headed the e-business security practice at Deloitte & Touche LLP and was vice president of operations at Trident Data Systems before its acquisition by Veridian Corp. of Arlington, Va.
He has bachelor's and master's degrees in business administration from Rensselaer Polytechnic Institute.
GCN chief technology editor Susan M. Menke interviewed Kelly.
GCN: The Defense Department is nervous about wireless devices and networks. What do you think DOD should do?
KELLY: Wireless is a powerful technology that clearly has uses in the public and private sectors. To just abandon it is too serious an action. DOD should think carefully about how to architect and deploy wireless networks. There are techniques to provide layers of security.
The typical problem we see with wireless is a lack of understanding. There are things you can do. But if you employ wireless right out of the box without enabling any of the safeguards, you do put your organization at risk. The bottom line is, think long and hard about how to use wireless and secure it. It can be done.
GCN: What about handheld computers and cell phones?
KELLY: The situation's very similar. Unless you think about the security implications, you're asking for trouble. We can deploy adequate levels of security today, and security is going to get better as time goes on. The industry is working hard on it.
GCN: What do you expect in the way of widespread cyberattacks against U.S. networks?
KELLY: We're on the watch. Attacks today can be deployed with fairly elementary knowledge. In years past, launching a sophisticated attack required a sophisticated attacker. Now it's fairly easy to download various exploits and participate in distributed denial-of-service attacks without having much understanding of how the exploit tool works.
In time, the threat from these attacks is going to increase because of the ease of use and the proliferation of exploits.
GCN: What are government network administrators not doing that they should be doing?
KELLY: It's hard to pinpoint without day-to-day insight. But all organizations are going to have to pay attention to what they're trying to protect. There aren't enough hours and resources to protect everything. An organization has to prioritize what's most important.
Second, you need to understand the current exposures of the asset and take steps to remediate the exposures. There's a lot of public- and private-sector activity to gain good, technical vulnerability information and to deploy vendor patches and operational workarounds for adequate, baseline security.
The third piece, I would say, is active monitoring of emerging threats. Those three pieces are the fundamental components of a risk management model. Risk is a function of your assets, threats to those assets and exposure of those assets.
GCN: Are any federal organizations doing an especially good job of risk management?
KELLY: I would have trouble singling anyone out. There are pockets across all agencies that are doing things well and others that need to improve.
The one case that comes to mind is the Health and Human Services Department. I've seen HHS and its Centers for Disease Control and Prevention thinking aggressively about risk management, about emerging threats and steps to stay ahead of them in a preventive way, as opposed to waiting to detect a threat and then remediating after the fact.
GCN: You've said you see cyberattacks and physical attacks converging. How would that happen?
KELLY: We no longer have the luxury of separating physical security, personnel security and cybersecurity. They're inextricably combined.
We're seeing the traditional activists, those who engage in sit-ins and spray painting, start to coordinate their activities online. The next step in this progression is that they become cyberactivists. Then they become hacktivists, and their deeds are more malicious: denial-of-service attacks, destruction of data, theft of IT.
Things that were once physical threats now seem to have a cyberdimension. Terrorists want to disrupt, degrade and destroy critical infrastructures. They don't have to blow up a dam with explosives if they can take over control of the floodgates from several thousand miles away.
The consequences of those attacks are alarming. We haven't seen direct evidence of an actual attack of a critical infrastructure, but we've already witnessed some of the consequences. Look at the last year's malicious code experiences. Take, for example, Code Red. The damage estimates were in excess of $2 billion.
That's a good case study where intelligence paid off for us. Clients were warned with ample time to protect their systems. If you remember back in June 2001, Microsoft Corp. released a notice about a buffer overflow vulnerability. Our intelligence analysts looked at the context. It's a fairly simple vulnerability to develop an exploit for, although there was no evidence one existed at the time.
The vulnerability affected Microsoft Internet Information Server, which is deployed worldwide. Our analysts that same day said it had the potential to be a serious problem. We issued what we call a critical flash the next day. Over the course of June and early July, we issued several more intelligence reports with information about remediation possibilities and where to get patches and so forth.
Around July 18, the Code Red worm was detected. By July 20, more than 250,000 servers were affected around the world.
GCN: Do you provide support if a client is infiltrated?
KELLY: Everything we do is focused around cybersecurity intelligence. We do have a laboratory function that does independent verification and validation of the exploits and of the vendor-recommended patches.
We also respond to specific requests from clients, public and private, if they have an issue they need additional intelligence on.
Post-Sept. 11, we responded to a number of special requests in areas where the government needed additional coverage. There are linguists on the staff. We can go to Russian and other foreign sites that might be difficult for others to take a look at.
GCN: How do you approach a government job: go on site, try to break in or what?
KELLY: No, that's more of a service offering. Ours is really a decision-support system, a fairly sophisticated knowledge management system where the clients specifically configure their intelligence needs. We develop about 20 or 25 intelligence reports per day. Those that meet the requirements of a client are pushed out to the client.
It's conceivable that no two clients receive the same daily intelligence report. One client might be focused on nontechnical, geopolitical issues. At the other end of the spectrum, another individual might be interested only in technical vulnerability information for a particular operating system (Linux, for example). He can configure his intelligence feed to receive only that type of data, no more, no less.
It's the decision-maker who determines what those needs are. We facilitate the decision support, provide the content and make the system easy to use. If something that meets their criterion arises during the day, we'll alert them by e-mail push, wireless devices or phone calls to the office or home. The e-mail pushes the summary of the intelligence report, and they click on that to see the full report.
The key to intelligence is to understand the threat actor: the motivation, the capabilities, the types of access. By looking at a threat actor over time, you get a better understanding of their modus operandi.