While traditional cybersecurity defenses focus on prevention, there are many vulnerabilities and potential attacks against weapon systems. While weapon systems are more software dependent and networked than ever before, cybersecurity has not always been prioritized with regards to weapon systems acquisition. Threat actors have advanced in their sophistication as they are well-resourced and highly skilled, oftentimes gathering detailed knowledge of the systems they want to attack. Ensuring stronger detection methods is imperative, but because these types of threats are very targeted and advanced, agencies need the capability to proactively hunt.

1. Hunting for Cyber Threats
Targeting Weapon Systems

2. © Fidelis Cybersecurity
Today’s Speakers
Robert Henry
Technical Security Engineer
Fidelis Cybersecurity, Federal
Bob Gourley
OODA LLC Co-Founder and CTO
Editor of CTOvision.com
2

3. Cyber Threats: A practitioner’s view
Bob Gourley
22 Feb 2019

4. About this presentation…
• Perspectives on the cyber threat
• From history
• And personal experience
• Concluding with actionable recommendations

5. Based On Three Sources:
Human History Trusted Analysis
Experience
• A lesson from every
great period of
history
• The case of Hannibal
• Civil War
• OODAloop.com
• Recorded Future and
other open intel
sources
• Learning from adversaries
in government and
industry systems

6. A Brief History
If you know human
history you have the
most important things
down already

7. The Condensed History of the Cyber Threat
• 1862 Civil War: Both sides attacked, exploited, hacked. Cyber attack enabled “The
Great Locomotive Chase” which also destroyed comms infrastructure
• 1998 Moonlight Maze: It takes a nation to fight a nation
• 2007 Estonia: Be ready to weather a storm
• 2008 Georgia: Expect cyber attacks timed to military ops
• 2008 Turkey Pipeline: Large cyber to physical attack
• 2011 Wikileaks: Know the human element. Balance info sharing and protection
• 2013 DSB Report: Software for most weapon systems stolen
• 2013 Mandiant Report: Cyber intel is strategic
• 2013 Snowden Leaks: Know the threat before it strikes
• 2013/14 Banks and Retail: Nothing stops this adversary
• 2014/15 Embedded IT, including in DoD: Threat actors will find a way
• 2015 Healthcare and Governments: No sector immune
• 2016: Turla Attacks: Telecom sector a target
• 2016: Shift to small and mid-sized businesses, supply chain, and home users
• 2017/18: Privacy attacks at scale, ICS/SCADA/Telecom, Cyberwar
• 2019: Adversary use of AI and Machine Learning7

8. Now Some Historical Context
8
8 How we think.
Today’s hackers are made of the same stuff as the famously
persistent Hannibal, who did not give up till he got through the
impassible firewall of the Alps

9. Observations What is going on in
cyberspace right now?

10. What Are We Seeing Today:
• Phishing remains dominant path to organizations… exploits human traits of compassion and
curiosity.
• Adversaries constantly shift tactics. When Phishing doesn’t work there are plenty of other
avenues in.
• The big breaches get the press, but many criminals prefer mid-sized businesses, individual
users (you!), and government agencies.
• DDoS attacks evolved. Can be large enough to take companies offline.
• IoT is here... But little indication of IoT security solutions (Lots more room for innovation here).
• Complex command and control infrastructures leverage unsuspecting companies and their
servers/telecom.
• Ransomware evolving/becoming harder to prevent/beat.
• 28% of breaches involved insiders. The worse were working for criminals or nations so the “outsider”
is still a huge threat.
• Adversaries also exploiting vulnerabilities in hardware (Spectre and meltdown)
• Governments (especially Russia, China, Iran, DPRK) invest in targeting infrastructure and
weapon systems
10

11. Recommended
Actions
What does all this
mean for
organizations today?

12. Actions: Know The Adversary
• Be Prepared To Be Surprised: Big lesson from both history and
study of current threats. You will be surprised, so have an incident
response plan and exercise it.
• Know that the adversaries have weaknesses too: They must obey
the same laws of physics that constrain defenders. And when they
are in your networks they are on your turf which gives you an
advantage. Ensure your defenses are agile enough to take
advantage of their weaknesses. Be ready to deceive your adversary.
12

13. Actions: Know Yourself
• Know your own organization: Assess and Understand: Know what data,
systems and capabilities are most important to the function of your
organization, and maintain continuous automated awareness of their
status.
• It takes teams to beat teams: No organization can match the technical
talent of the modern cyber criminal or nation. Build trust based teams
now. Leverage the power of other organizations for your defense.
Security professionals, law enforcement, cloud service providers, the
FBI, the US CERT, and the appropriate ISAC (FS-ISAC for financial
sector).
• Test yourself: through independent assessment and realistic
training/evaluations (table top exercises)
13

14. Actions: Raise Your Defenses
• Enhance Defenses: The adversary in cyberspace is continuing to
innovate, which means we must continue to review our defenses
and modernize. Automating is key. Automate configuration
management, automate detection, automate response, automate
deception.
• Design for Containment: Early detection and rapid incident
response will be aided if systems are designed to contain
adversaries. Containment of attacks is especially important in
malicious code. IoT devices critical to segment.
• Ensure Backup: Every critical system must have a backup, and
recovery methods must be defined and tested.
14

15. Get Your Mental Model Right: Think OODA
• Observe: What do you know about the
situation, including adversary actions, your own
systems and the environment.
• Orient: Consider your observations in the
context of everything you know including your
business objectives, strengths and
weaknesses.
• Decide: In dynamic situations the speed of
decision is critical.
• Act: Minimize the gap between decision and
action. The loop continues, now observe what
changes in the situation your actions caused
15

16. One Slide Summary The Key Takeaways

17. The State Of Cybersecurity Today
17
The
Threat
Unique
Tech
Factors
The
Situation
A great deal is known about who is attacking
and what their motivations are. By studying
them we can build better defenses before
attack and respond smarter during attack. Get
the right info for strategic, operational and
tactical decisions.
Every sector of the economy and every
government and every citizen is under almost
constant attack. Most suffer ongoing
infections with malware. Attackers get in fast
and remain undetected for months. But risk
can be reduced/mitigated.
Your
Action
Governments, businesses, homes, aircraft,
cars, roads, trains, ships increasingly
interconnected. But cyberspace is hard to
observe. Well instrumented systems overseen
by trained/experienced people are key to
defense.
Lead with understanding that cybersecurity
is not just a tech function. Must have
executive leadership and engagement by
entire team. Ensure external verification and
validation of strategy, policy, process and
tech.
Successful Attacks Are By Organizations Defenders Should Collaborate on Lessons
Ensure Tech is Independently Assessed Victory Must Be Earned
Nations Crime Groups Extremists Hackers Insiders
Encryption ID mgnt SDP 2FA AutoPatching Deception
Tools To Consider:
Adversaries Are:
Attackers are persistent, we must prepare for breach
Top Lessons Are:
Engage with CSA, Collaborate with Peers, Study Threats
Top Actions:

18. OODA LLC
• OODA helps our clients identify, manage, and respond to global risks and
uncertainties while exploring emerging opportunities and developing robust and
adaptive strategies for the future. We provide advanced intelligence and analysis,
strategy and planning support, investment due diligence, risk and threat
management, training, decision support, crisis response, and security services to
global corporations and governments.
• OODA is comprised of a unique team of international experts lead by co-founders
Matt Devost and Bob Gourley.

19. Bob Gourley bob@ooda.com
OODA.com

20. Automate Detection, Hunting, and Response
One Platform.
Multiple Use Cases.
Protecting the World’s Most Sensitive Data

21. © Fidelis Cybersecurity21
Relied on by 40+ U.S.
government agencies
Trusted by 12
of the Fortune 50
Depended on by 24
of the Fortune 100
Trusted by the World’s Largest Brands
& Government Organizations
Protecting the World’s Most Sensitive Data
FINANCIAL
SERVICES GOVERNMENT RETAIL HEALTHCARE
PHARMA
& BIO TECHNOLOGY INDUSTRIALS ENERGY TELECOM OTHER

22. © Fidelis Cybersecurity
The Security Objective: Protect Data andAssets
In Order to Protect Mission,
YOU MUST KNOW YOUR TERRAIN
1. What do we need to secure?
2. What information is of value?
3. What assets do we have?
4. What is their behavior?
Adversaries Know How to Exploit
Blind Spots in Cyber Terrain
22
Know Your
Network
Determine most likely paths of:
Exfiltration
C&C
Surveillance
Etc.

23. © Fidelis Cybersecurity23
Agents Sensors Decoys
Threat Intelligence
Fidelis Insight
3rd Party Threat Intel
Customer Defined Intel
Sandboxing
Execution Analysis
File & Web Analysis
ML-based Malware Detection
ACurated Security Stack— Integrated,Automated & Correlated
FIDELIS ELEVATE™
SIEM
Real Time Analysis –
Detect and Respond
Historical Metadata –
Hunt and Investigate
Response Automation and Analytics Engine
Breadcrumbs | Decoys
AD | MITM
Gateway | Internal |Cloud
Email | Web
Windows | Linux
Mac | Cloud
Data Science
Statistical analysis
Supervised learning models
SOAR

24. © Fidelis Cybersecurity
Understanding the Power of Metadata
24
Manual searching, automatic analytics, anomaly detection…
At a fraction of the cost of full PCAP storage and much faster response times
WHO:
Domain user, Webmail
user, FTP user, email
address, device ID,
organization name
WHAT:
filenames, SHA256, MD5,
content tags, malware
name, malware type
WHEN:
From right now back through
time – as long as you’re
willing to store the data
HOW:
protocols, applications,
file type, User Agent,
custom protocols,
obfuscated files and
scripts
WHERE:
Source, Destination,
country, IP address,
organization, URL,
Domain

25. © Fidelis Cybersecurity25
Threat Hunting – Your Last Line of Defense
Reduce the Dwell Time of an Attack
No
YesYes
No
DetectedPrevented
Incident
Response
Secure Trusted
Configuration
Attack
Dwell Time
Threat
Hunting

26. © Fidelis Cybersecurity26
Distribute
▪ Continuously map
networks, clouds
and assets
▪ Profiles created and
updated for asset
location, use, type,
etc.
▪ Automatically builds
deception layer from
discovery
▪ Automatically creates
decoys based on real
assets, services and
processes
▪ Automatically
deploys decoys in
networks and cloud
▪ Seeds breadcrumbs
in real assets and
Active Directory, plus
DNS and ARP
poisoning
▪ Alerts from decoy
access & engagement,
MITM and network
traps
▪ Analysis and alerting of
poisoned data use
(credentials)
▪ Recognizes new
assets, network and
cloud topologies
▪ Automatic updates to
discovery mapping and
decoys
Agentless automation across on-premise and cloud environments
Discover DetectDecoys Adapt

27. © Fidelis Cybersecurity
What You Get With Fidelis Deception
27
UNDERSTAND YOUR
TERRAIN
▪ Lure attackers to decoys that
divert away from real
resources
▪ Detect malware and intruders
moving laterally within the
network
▪ Active Directory breadcrumbs
add privileged users that can
be tracked and monitored in
the decoys
▪ High-fidelity alerts with very
few false positives
▪ Automatically build an
accurate deception layer
based on the real network
▪ Automatically adapt the
deception layer as network
changes occur
▪ Rapidly deploy decoys and
breadcrumbs for immediate
effectiveness – with minimal
resources and time required
▪ Understand the network the
way an attacker would
▪ Remove the blind spot to
discover network assets
including legacy systems and
shadow IT
▪ Classify all asset types
including enterprise IoT
▪ Discover typical internal and
external activity including web
traffic, browser types, OS in
use and IoT connections
AUTOMATE THE DECOY
LAYER
DETECT LATERAL
MOVEMENT

28. Demonstration

29. © Fidelis Cybersecurity
Next Steps: Proof of Concept
29
See Fidelis in Action
Map Your Terrain and Find the Blind Spots
▪ Full platform or individual products
▪ Easy-to-implement with flexible deployment
options based on your requirements:
▪ VM / Cloud
▪ On-premise
▪ Tactical
▪ You define success criteria and timeline
https://www.fidelissecurity.com/contact-us

30. Thank You