Robert M. Lee
Founder and CEO, Dragos, Inc.
Defense & Space
Gambrills, Maryland
Utica College - Computer Science
Robert M. Lee is the founder and CEO at Dragos Inc. where he and his team develop solutions for some of the industrial control system (ICS) community's hardest cyber security challenges. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus areas, Robert was named one of Passcode’s Influencers, awarded EnergySec's 2015 Cyber Security Professional of the Year, and named one of Forbes' 30 under 30 in Enterprise Technology in 2016.
A passionate educator, Robert is the course author of SANS ICS515 – “Active Defense and Incident Response”, the co-author of SANS FOR578 – “Cyber Threat Intelligence” and an Adjunct Lecturer at Utica College for the M.S. Cyber Operations specialization.
Robert got his start in cyber security in the U.S. Air Force, where he served as a Cyber Warfare Operations Officer. He has performed defense, intelligence, and attack missions in various government organizations, including the establishment of a first-of-its-kind ICS/SCADA cyber threat intelligence and intrusion analysis mission. Robert routinely writes articles for publications such as Control Engineering and the Christian Science Monitor’s Passcode. He is also a frequent speaker at conferences around the world. Lastly, Robert, along with Jeff Haas, creates a weekly technology and security web comic titled Little Bobby.
Advisor
In the role of Advisor, he serves the company on a limited basis, providing input on the threat intelligence community, trends, and positioning.
Recorded Future’s mission is to empower customers with real-time threat intelligence, to defend their organizations against threats at the speed and scale of the internet. With billions of indexed facts, and more added every day, their patented Web Intelligence Engine continuously analyzes the entire web to give unmatched insight into emerging threats. Recorded Future helps protect four of the top five companies in the world, and over 20,000 IT security professionals use Recorded Future every day.
Chief Executive Officer and Founder
Dragos industrial cybersecurity software platform codifies advanced threat analytics to provide OT and IT practitioners unprecedented visibility and prescriptive procedures to respond to adversaries in the industrial threat landscape.
Dragos' platform distills decades of real-world experience from an elite team of ICS cybersecurity experts across the U.S. intelligence community and private industrial companies, enabling ICS cybersecurity personnel to independently identify ICS assets, detect ICS threats, and determine ICS-specific cybersecurity responses.
Dragos' offerings include: the Dragos Platform for ICS Threat detection and response, Dragos Threat Operations Center for ICS threat hunting and incident response services, and Dragos ICS WorldView for weekly threat intelligence reports.
More information can be found here: https://dragos.com
Dragos, Inc. was covered here by the Washington Post: https://www.washingtonpost.com/world/national-security/theyre-on-the-lookout-for-malware-that-can-kill/2018/04/27/33190738-32c1-11e8-8abc-22a366b72f2d_story.html
Dragos, Inc. founders Robert Lee, Jon Lavender, and Justin Cavinee were profiled here: http://www.forbes.com/sites/thomasbrewster/2016/03/23/saving-america-from-hacker-blackouts/
Dragos, Inc. founder and CEO Robert Lee was also profiled here:
http://thehill.com/business-a-lobbying/lobbyist-profiles/341363-cybersecurity-expert-fights-for-realism
Non-Resident National Cybersecurity Fellow
A non-resident fellow at New America as part of their Cybersecurity Initiative. The purpose of this fellowship is to produce recommendations for policy on securing industrial control systems and critical infrastructure. This will be accomplished through authoring papers, participating in discussions, and speaking at public events.
Advisor
The Industrial Cybersecurity Center (Centro de Ciberseguridad Industrial) is a think tank focused on advocating for and educating on industrial cybersecurity especially for Spanish-speaking countries. Industrial control systems (ICS) are a major component of modern society and their protection from digital threats ensures a more reliable and safe future.
In this role I will be advising them, especially in the areas of industrial network monitoring, incident response, and threat intelligence.
Advisor
The Cyber Resilient Energy Delivery Consortium (CREDC) works to make energy delivery system (EDS) cyber infrastructure more secure and resilient. CREDC funding support is provided by DOE-OE and DHS S&T. CREDC is the successor to the TCIPG Project which was also funded by the DOE and DHS and is seeking to be independently funded by 2020 to continue research into making the energy infrastructure of North America more reliable and secure.
Intermediate Network Warfare Training is a three-month Air Force technical school focused on training students in red-team and blue-team operations and various advanced cyber-related skills needed to perform the Air Force cyber operations missions.
Master of Science (M.S.)
Cybersecurity - Computer Forensics
Doctor of Philosophy (PhD) (Not Finished)
War Studies
Attempting a PhD in War Studies with a focus on cyber conflict in industrial environments (ICS cybersecurity). Taking a two-year break because of having a kid and the company doing well.
SANS Institute
Threat hunting is a proactive and iterative approach to detecting threats. On the Sliding Scale of Cyber Security, hunting falls under the active defense category because it is performed primarily by a human analyst. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated nor can any product perform hunting for an analyst. One of the human’s key contributions to any hunt is the initial conception of what threat the analyst would like to hunt and how he or she might find that type of malicious activity in the environment. We typically refer to this initial conception as the hunt’s hypothesis, but it is really just a statement about the hunter’s testable ideas of what threats might be in the environment and how to go about finding them.
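As an added illustration of what a testable hunt hypothesis looks like once it leaves the analyst's head, the following is example code written for this page; it is not code from the SANS paper, from Dragos, or from the author. The process-creation events, hostnames, users and command lines are constructed, and the persistence hypothesis and the exclusion the analyst adds are hypothetical choices made to show one iteration of the test, review, refine loop the abstract describes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample telemetry (not real data): process-creation events from
# an imagined ICS engineering network. Hosts, users and paths are invented.
EVENTS: List[Event] = [
    {"ts": "2018-05-01T02:14:00Z", "host": "ENG-WS-07", "user": "svc_backup",
     "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"},
    {"ts": "2018-05-01T09:05:00Z", "host": "ENG-WS-03", "user": "jdoe",
     "parent": "explorer.exe", "image": "excel.exe",
     "cmdline": "excel.exe trend.xlsx"},
    {"ts": "2018-05-01T10:30:00Z", "host": "HMI-02", "user": "operator",
     "parent": "services.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /create /tn NightlyBackup /tr C:\Program Files\Vendor\backup.exe /sc daily"},
    {"ts": "2018-05-02T03:41:00Z", "host": "ENG-WS-07", "user": "svc_backup",
     "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks /create /tn Sync /tr C:\ProgramData\sync.exe /sc minute /mo 30"},
]


@dataclass
class Hypothesis:
    """The hunter's testable idea: the suspected adversary behaviour, the
    evidence it should leave in this environment, and a predicate that turns
    that expectation into a query over the telemetry."""
    statement: str
    evidence: str
    predicate: Callable[[Event], bool]
    # Exclusions the analyst adds after reviewing hits. Each carries a named
    # reason so the refinement is auditable rather than a silent filter.
    exclusions: Dict[str, Callable[[Event], bool]] = field(default_factory=dict)

    def test(self, events: List[Event]) -> List[Event]:
        """Return events consistent with the hypothesis and not explained away."""
        return [e for e in events
                if self.predicate(e)
                and not any(excl(e) for excl in self.exclusions.values())]


def scheduled_task_persistence() -> Hypothesis:
    """Hypothetical hunt: an adversary with a foothold on engineering hosts
    persists with scheduled tasks rather than by installing a service."""
    return Hypothesis(
        statement="An adversary is persisting on engineering hosts via scheduled tasks.",
        evidence="schtasks.exe /create launched from a shell or scripting host, "
                 "pointing at a binary outside normal software install locations.",
        predicate=lambda e: (e["image"].lower() == "schtasks.exe"
                             and "/create" in e["cmdline"].lower()),
    )


def pivot(hits: List[Event]) -> Dict[str, int]:
    """Summarise hits by host so the analyst can see where to dig next."""
    counts: Dict[str, int] = {}
    for e in hits:
        counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts


def run_hunt(events: List[Event]) -> Dict[str, object]:
    """One iteration of the hunt: test the hypothesis, review the hits,
    record why a hit is benign, and retest with that exclusion in place."""
    h = scheduled_task_persistence()
    first_pass = h.test(events)
    # Review: the HMI-02 task points at a vendor binary under Program Files and
    # was created by the service control manager. The analyst documents that
    # as a known-benign pattern instead of loosening the hypothesis itself.
    h.exclusions["vendor_install_path"] = (
        lambda e: "c:\\program files\\" in e["cmdline"].lower())
    refined = h.test(events)
    return {"first_pass": first_pass, "refined": refined, "pivot": pivot(refined)}


if __name__ == "__main__":
    result = run_hunt(EVENTS)
    print("first pass hits:", len(result["first_pass"]))
    print("after review:", len(result["refined"]), result["pivot"])
```

The point of keeping the exclusion as a named entry rather than editing the predicate is that the next iteration starts from the original hypothesis plus a written record of what was reviewed and why; that record is what lets the hunt be repeated, and what turns a successful hunt into a detection rule later.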
SANS Institute
This paper will explain what threat hunting is (and what it is not), why it is needed, when threat hunting is appropriate, where it fits into maturity efforts, how to get started and who should do the hunting.
SANS Institute
Cyber attacks on industrial control systems (ICS) differ in impact based on a number of factors, including the adversary’s intent, their sophistication and capabilities, and their familiarity with ICS and automated processes. Cyber attackers target systems not in single incidents and breaches but, instead, through a campaign of efforts that enables access and provides sufficient information to devise an effect. A campaign represents the entirety of the operation against the defender organization and its systems. Understanding where an adversary is in his or her campaign can enable defenders to make better-informed security and risk management decisions. Additionally, this knowledge of the adversary’s operations can help defenders appreciate the attacker’s possible intent, level of sophistication, capabilities and familiarity with the ICS, which together work to unveil the potential impact of the attack on an organization. The authors believe ICS networks are more defensible than enterprise information technology (IT) systems. By understanding the inherent advantages of well-architected ICS networks and by understanding adversary attack campaigns against ICS, security personnel can see how defense is doable. The authors introduce the concept of the ICS Cyber Kill Chain to help defenders understand the adversary’s cyber attack campaign.
Wired
The FBI’s statement that North Korea is responsible for the cyber attack on Sony Pictures Entertainment has been met with various levels of support and criticism, which has polarized the information security community. At its core, the debate comes down to this: Should we trust the government and its evidence or not? But I believe there is another view that has not been widely represented. Those who trust the government, but disagree with the precedent being set.
SANS Institute
The Sliding Scale of Cyber Security is a model for providing a nuanced discussion of the categories of actions and investments that contribute to cyber security. The five categories in the scale are Architecture, Passive Defense, Active Defense, Intelligence, and Offense. The continuum between the five categories helps visualize that not all actions are static or easily defined. Understanding these interconnected categories that contribute to cyber security helps individuals and organizations better understand the purpose and impacts of their resource investments, establish a maturity model for their security program, and break down cyber attacks to perform root cause analysis in a way that encourages growth by defenders over time. Understanding each phase helps individuals and organizations see that the categories on the left-hand side of the scale build the foundation that makes the other actions on the scale more attainable, more useful, and less resource intensive. The goal should be to invest resources starting on the left-hand side of the scale and address those issues to achieve a proper return on investment before allocating significant resources to the other categories. This approach recognizes the increasing cost of success to adversaries facing properly prepared organizations and empowers defenders to engage in security in a manner that evolves over time.
Amazon Createspace
Threat Intelligence is a topic that has captivated the cybersecurity industry. Yet, the topic can be complex and quickly skewed. Author Robert M. Lee and illustrator Jeff Haas created this book to take a lighthearted look at the threat intelligence community and explain the concepts to analysts in a children's book format that is age-appropriate for all. Threat Intelligence and Me is the second work by Robert and Jeff who previously created SCADA and Me: A Book for Children and Management. Their previous work has been read by tens of thousands in the security community and beyond including foreign heads of state. Threat Intelligence and Me promises to reach an even wider audience while remaining easy-to-consume and humorous.
Christian Science Monitor
The case against encryption ‘back doors’ simplified so even a child can understand it.
Wired
The FBI’s statement that North Korea is responsible for the cyber attack on Sony Pictures Entertainment has been met with various levels of support and criticism, which has polarized the information security community. At its core, the debate comes down to this: Should we trust the government and its evidence or not? But I believe there is another view that has not been widely represented. Those who trust the government, but disagree with the precedent being set.
Oil and Gas Engineering
An introduction to the active cyber defense cycle specifically tailored to the discussion of the oil and gas industry.
Christian Science Monitor's Passcode
A new report from the security firm Norse that claims growing Iranian cyberattacks on critical infrastructure relies on questionable data. It's the latest in a string of cybersecurity vendor reports that grab headlines but erode trust in the industry.