NFA Cyber Security 2016 // May 25th
Frode Hommedal
Subject Matter Lead at Telenor CERT.
7 years at the national CERT — NorCERT.
Background from HW/SW dev and QA.
Tactical response to targeted intrusions.
Because your adversaries are more
than their transient infrastructure.
Getting you interested in engaging your
adversaries and not just their infrastructure.
The one is a tool, the other a threat.
Most of you are not incident responders.
So we'll spend some time on IR in general.
Prevention eventually fails.
(Even the best drivers in the world eventually crash.)
Your next line of defense is
incident detection and response.
Gamble on prevention, and you risk
serious «blood loss» when it fails.
Constantly getting more,
constantly getting better.
The more serious, the less likely it is
that you will accidentally discover them.
Requires rare and very complex
competence and specialized tools.
Too much incident response is focused on
cleaning up compromised computers, not
disrupting the attacker's missions and
minimizing your organization's risk!
Before we proceed: A brief story
about my dad, countermobility and other military tactics.
(Wherever they may lead...)
Hm. These tracks look suspicious...
I better check where they lead.
We have a tendency to focus on the tracks and the
shoes, not the adversary, the mission and the goals.
And when we have identified everywhere we think
those shoes have been, we wipe everything clean.
We're fighting an advancing force
with countermobility tactics only.
We're fighting infrastructure, not adversaries.
We will continue losing.
Unless we start changing behaviour, shifting our
A very brief introduction
Brace for impact
Are you ready to dance?
For those of you who want to read more: