Editor's Note: This is a guest post from Mike Perez, Implementation Engineer for Cryptzone.
Since my initial introduction to Rapid7's UNITED Summit customer conference in 2015, I had been looking forward to the opportunity to attend again. The conference is a mixture of good fun, great food, and excellent content in my hometown of Boston at a vibrant venue (the Seaport Hotel). The event covers Rapid7's product line and how the offerings can help their customers. However, in my opinion, Rapid7 does a decent job of ensuring that the conference is not a straight product pitch but provides insight into relevant topics affecting the information security professional; topics such as: crisis communications management, incident response strategies, and bug bounty participation considerations, to highlight a few from this year.
The event starts off with a chaotic free-for-all that's open to the general public: Rapid Fire, which might be described as part InfoSec security buzzword bingo, part drinking game and part serious discussion. Deliberately controversial or hyper-pertinent infosec topics are chosen by a moderator and argued by the panelists pro or con, regardless of their actual viewpoints, with the loser (by audience applause) taking a drink. With Josh Corman, Dave Kennedy, Chris Wysopal and Chris Nickerson as panelists and Jen Ellis moderating, the 60 minutes went too quickly, with winning argument gems like “Bug Bounties are the equivalent of walking into a bar and offering $100 to anyone who can perform open heart surgery on me with a buck knife.”
The theme of the conference this year was Empowered, which was highlighted by the conference talks as well as by the opening and closing keynotes. General McChrystal was a great speaker with a message that he indicated was hard won after many setbacks in the field: Leadership can no longer be the old model of one individual taking information, analyzing and then providing direction. This model proved to be too slow during his campaigns and according to the General, was taken advantage of by his adversaries. The new model needs to be more like a gardener: planting, weeding, caring, and feeding to allow subordinates sufficient autonomy to further the institutional goals. He indicated operations could not have a top down structure anymore - but rather, a team of teams with distributed knowledge is needed.
The conference itself had three tracks - Threat Exposure Management (TEM), Incident Detection & Response (IDR) and Research. There's too much to cover in each track so I'll only be hitting some of the highlights from my perspective.
In the IDR track, I was drawn to “An Analytic Response to Advanced Threats & Malware (Threat Hunting)” by Tim Stiller. Threat Hunting is assuming that there has been or there is an ongoing intrusion or malicious activity, then looking for signs of the activity by searching for anomalies. Tim spoke about three components: User, Host, & Processes (“UHP”) and needing to know their normal states so that anomalies stand out. Example considerations for each respective domain are:
USERS - What users are on the network? What are “normal” login dates, times, locations, etc?
HOSTS - What hosts are they accessing? How often are these hosts accessed?
PROCESSES - What processes are users running on those hosts? How often are these processes accessed?
Using the UHP model, Tim took us through an example event where a user was logging in from outside of the United States for the first time. While this in and of itself would raise the profile of the event, the Incident Response team would also look at the Hosts being accessed, the kind of Processes involved, and the classification of the data being accessed. In other words, UHP looks at the totality of the event and does not rely on one factor for the Incident Response reaction to an event.
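A minimal sketch of the UHP idea described above, added here as an illustration and not taken from Tim Stiller's talk or any Rapid7 product: it builds a per-user baseline and weighs User, Host and Process anomalies together. The event fields, user and host names, the `SENSITIVE_HOSTS` set and the triage thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed history (not real telemetry): (user, source country, host, process)
HISTORY = [
    ("alice", "US", "fileserver01", "explorer.exe"),
    ("alice", "US", "fileserver01", "winword.exe"),
    ("alice", "US", "mail01", "outlook.exe"),
    ("bob", "US", "build01", "msbuild.exe"),
    ("bob", "CA", "build01", "git.exe"),
]
# Assumption: hosts holding highly classified data, known from an asset inventory
SENSITIVE_HOSTS = {"hr-db01"}

def build_baseline(history):
    """Record which countries, hosts and processes are 'normal' for each user."""
    base = defaultdict(lambda: {"country": set(), "host": set(), "process": set()})
    for user, country, host, process in history:
        base[user]["country"].add(country)
        base[user]["host"].add(host)
        base[user]["process"].add(process)
    return base

def assess(event, baseline):
    """Return (findings, triage) by weighing User, Host and Process together."""
    user, country, host, process = event
    seen = baseline.get(user)
    if seen is None:                       # no baseline at all for this account
        return ["user:unknown"], "investigate"
    findings = []
    if country not in seen["country"]:
        findings.append("user:new-country")
    if host not in seen["host"]:
        findings.append("host:first-access")
    if process not in seen["process"]:
        findings.append("process:first-run")
    if not findings:
        return findings, "normal"
    # One anomaly raises the event's profile; several, or any anomaly touching
    # sensitive data, escalates it (thresholds are illustrative assumptions).
    if len(findings) >= 2 or host in SENSITIVE_HOSTS:
        return findings, "investigate"
    return findings, "review"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in [("alice", "DE", "mail01", "outlook.exe"),
               ("alice", "DE", "hr-db01", "powershell.exe")]:
        print(ev, assess(ev, baseline))
```

A first-time foreign login to a familiar host with a familiar process is only flagged for review, while the same login combined with a new host and new process is escalated.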
In the Research track, Katie Moussouris' “When Bug Bounties Attack!” was a cautionary but ultimately encouraging discussion of the considerations and preparations needed before participating in a bug bounty program. Katie discussed the three categories of preparedness for companies: Basic, Advanced and Expert. Some of the characteristics that Katie indicated each stage of preparedness exhibits are below.
BASIC - Executive support at a minimum is needed, with a defined method to receive vulnerability reports, and an established internal bug database to track fixes to resolution. This group has the ability to receive vulnerability reports in a verifiable format (webpage or signed email). Incentives which might be appropriate at this level: SWAG, with a promise of no legal action for bug bounty submitters.
ADVANCED - This stage has an established policy and process for addressing vulnerabilities according to ISO 29147 and ISO 30111, with dedicated security tracking. Tailored, repeatable communications strategy for each audience, including partners, customers and media. At this level, organizations use root cause analysis to feed into their software development lifecycle. Incentives which might be appropriate at this level: Organization actually pays for serious vulnerabilities.
EXPERT - This group uses vulnerabilities and root cause analysis and ISO 27034, as well as the characteristics of the Advanced group. They have structured information sharing programs with coordinated distribution of remediation methods. For example, Microsoft has a partner network with antivirus members to notify them of patches and bug signatures. Real time tracking telemetry of active development is evident. An understanding of their adversaries and the ability to create a disruptive market for them for bug purchases. At this level, to keep your developers, don't create perverse incentives by overpaying for bounties.
For the closing keynote, Chris Nickerson waxed philosophical about leadership, freedom of choice, and recognizing one's own influence and attitude on how one handles difficult situations.
Regarding influencing one's own attitude towards an unpleasant situation, Chris gave the example of taking a walk through a torrential rainstorm with a friend who was getting increasingly agitated at getting soaked. Instead of lecturing his friend to lighten up, Chris simply asked him, “Is it the rain that's hurting you and making you mad, or is it just you?” On the topic of leadership, Chris emphasized that the purpose of the powerful is to give power to the powerless. This means that leaders should allow subordinates to take information, digest it, and then have the freedom to choose the corresponding action, without being “bullied” into a decision by datasets or co-workers. Chris called it “decisions vs. freedom of choice”, where leaders should empower co-workers to make decisions counter to possibly bad data.
The above is just a small sliver of the presentations and topics offered at UNITED Summit. I've helped organize various conferences across the U.S. and can appreciate the hard work that goes into ensuring an event has great content, opportunities to network (“hallwaycon”) and runs smoothly. UNITED Summit does a great job in all of these aspects.
Mike Perez is an Implementation Engineer for Cryptzone, a global provider of dynamic, context-aware network, application and content security solutions, and is a board member of OWASP Boston. He has experience in organizing conferences in four different states and two countries and has taught “Offensive Countermeasures: The Art of Active Defense” at Black Hat Europe.
For more information on UNITED Summit, or to register for UNITED 2017, visit https://www.unitedsummit.org/.