You are viewing content from a past/completed QCon

Presentation: Security & Psychology: Demotivating Persistent Threats

Track: Security: Lessons Attacking & Defending

Location: Pacific DEKJ

Duration: 10:35am - 11:25am

Day of week: Wednesday

Level: Intermediate

Persona: Architect, Developer, Security Professional

Share this on:

This presentation is now available to view on InfoQ.com

Watch video with transcript

Abstract

Preventing advanced cybercriminals from accessing and exploiting your most sensitive data requires more than just a strong threat detection infrastructure — it demands a personal understanding of the attackers themselves. Once an attack group’s motivations are identified you can start generating a profile and persona that will make disincentivizing them a whole lot easier. Without this added layer of psychological analysis, you will find yourself addressing incident after incident with no end in sight. 

At the core, an actor’s intent is always the same - motivated people with economic justification for their actions are committing large-scale attacks because their livelihood depends on it. It’s up to you to disrupt those economics so they move to softer targets. 

In this session, Shape Security Director of Engineering Jarrod Overson will break down the workflow for effective threat mitigation of sophisticated attackers into four distinct stages: 

  • Stage 1) Classification. Look at how can traffic be bucketed into distinct segments that define individual actors or groups. 
  • Stage 2) Research and generate an actor profile. Understand what these actors are getting out of these attacks, and form some hypotheses from their attack characteristics. Are they data resellers? Developers? Independent actors or full-time employees? What hours are they active? How quickly do they respond to mitigation? This actor profile will help define the approach in Stage 3.
  • Stage 3) Counter attack. Develop and deploy countermeasures that target the attack in a way that drives up cost while reducing value. Play with them, target the damage on their off hours, give sporadic and variable feedback. Increasing the psychological cost is a damage multiplier.
  • Stage 4) Rinse & repeat until all threats are cleared. This is only temporary, of course. As long as value remains then new attackers will fill the vacuum and each subsequent attack will be more sophisticated than the last. Relentless, targeted responses will eventually wear away the motivation to continue the attack. 

Jarrod has seen traffic from individual attackers, coordinated groups, state actors, and more - all of which require different approaches. Sophisticated threats rarely engage in attacks for no reason - understand where the money is coming from and the motivations behind an attack and you can disrupt the attackers with greater force.

Speaker: Jarrod Overson

Engineering Director @ShapeSecurity & JavaScript Expert

Jarrod has been developing on the web for over 15 years in both startups and global companies and currently works at Shape Security. Previously at Riot Games and Napster, Jarrod has worked in every corner of web technology and is an active proponent and contributor to open source, creator of Plato and co-author of Developing Web Components.

Find Jarrod Overson at

Tracks

  • Building & Scaling High-Performing Teams

    To have a high-performing team, everybody on it has to feel and act like an owner. Organizational health and psychological safety are foundational underpinnings to support ownership.

  • Evolving the JVM

    The JVM continues to evolve. We’ll look at how things are evolving. Covering Kotlin, Clojure, Java, OpenJDK, and Graal. Expect polyglot, multi-VM, performance, and more.

  • Trust, Safety & Security

    Privacy, confidentiality, safety and security: learning from the frontlines.

  • JavaScript & Transpiler/WebAssembly Track

    JavaScript is the language of the web. Latest practices for JavaScript development in and how transpilers are affecting the way we work. We’ll also look at the work being done with WebAssembly.

  • Living on the Edge: The World of Edge Compute From Device to Application Edge

    Applied, practical & real-world deep-dive into industry adoption of OS, containers and virtualization, including Linux on.

  • Software Supply Chain

    Securing the container image supply chain (containers + orchestration + security + DevOps).

  • Modern CS in the Real World

    Thoughts pushing software forward, including consensus, CRDT's, formal methods & probabilistic programming.

  • Tech Ethics: The Intersection of Human Welfare & STEM

    What does it mean to be ethical in software? Hear how the discussion is evolving and what is being said in ethics.

  • Optimizing Yourself: Human Skills for Individuals

    Better teams start with a better self. Learn practical skills for IC.

  • Modern Data Architectures

    Today’s systems move huge volumes of data. Hear how places like LinkedIn, Facebook, Uber and more built their systems and learn from their mistakes.

  • Practices of DevOps & Lean Thinking

    Practical approaches using DevOps and a lean approach to delivering software.

  • Microservices Patterns & Practices

    What's the last mile for deploying your service? Learn techniques from the world's most innovative shops on managing and operating Microservices at scale.

  • Bare Knuckle Performance

    Killing latency and getting the most out of your hardware

  • Architectures You've Always Wondered About

    Next-gen architectures from the most admired companies in software, such as Netflix, Google, Facebook, Twitter, & more

  • Machine Learning for Developers

    AI/ML is more approachable than ever. Discover how deep learning and ML is being used in practice. Topics include: TensorFlow, TPUs, Keras, PyTorch & more. No PhD required.

  • Production Readiness: Building Resilient Systems

    Making systems resilient involves people and tech. Learn about strategies being used from chaos testing to distributed systems clustering.

  • Regulation, Risk and Compliance

    With so much uncertainty, how do you bulkhead your organization and technology choices? Learn strategies for dealing with uncertainty.

  • Languages of Infrastructure

    This track explores languages being used to code the infrastructure. Expect practices on toolkits and languages like Cloudformation, Terraform, Python, Go, Rust, Erlang.