I had the opportunity to attend Ignite 2015 a couple of weeks ago. It was awesome to see 3,000 security professionals gather together to learn more about Palo Alto Networks, answer questions, and learn to be more secure in day-to-day operations.
There were many great breakout sessions at Ignite 2015, but one session that I was able to attend was "Who's In Your Network and Why?", presented by Rob Downs, Intelligence Analyst from Palo Alto Networks' Threat Team - Unit 42.
Here are a couple of the slides that he used in his presentation:
Recently, I took some time to sit down with Rob Downs for a short Q & A session.
Joe Delio: Rob, I want to thank you for taking time out of your busy schedule to talk with me today. I was able to sit in on your presentation at Ignite and found it insightful.
Rob Downs: My pleasure, and thank you.
JD: What do you like best about working in the Unit 42 group?
RD: What I like most about working in Unit 42 is the collaboration across a number of disciplines to discover and explore evolving threats. Paired with the visibility afforded by the Palo Alto Networks platform and information sharing channels, this allows for very interesting avenues of analysis. It is also great to have an opportunity to influence the improvement of Palo Alto Networks products and offerings through the sharing of experience and analytic findings towards a continuous improvement cycle.
JD: Do you have any Key Takeaways that you did not get to talk about at Ignite?
RD: I think the main takeaways regarding adversary motivations and objectives are the following:
Even just identifying the high level motivations around attacks is a multiplier for the efficiency and effectiveness of Computer Network Defense (CND) operations.
Trending from this effort can extend into strategic benefits towards improved overall security posture.
Over time, the granularity of attribution will naturally improve for the most persistent and sophisticated of adversaries attacking the organization.
JD: Are there some common questions that you get asked a lot working in Unit 42?
RD: There are three of them that come to mind:
Q: If I do ___x___ in my network, will that make me more secure?
A: Invariably, this depends. Just as an adversary is observed per the aggregate of their actions, defenses need to be structured in a complementary and cumulative way. Add to that the culture, agility, and risks specific to an organization, and this question brings in quite a number of stakeholders concerned with protecting that organization. On the tail end, there are the matters of architecture and implementation, both for the soft (people) and hard (technical) aspects. A lot needs to come together properly to improve an overall security posture.
Q: What do you think is the best approach for building out Computer Network Defense (CND) operations?
A: Every application of resources needs to be preceded by risk assessment. Figure out what needs to be protected, the relative importance of each of those, and risks against them. Next, focus on those security controls for which you have the most complete visibility and reliable processes as a foundation. From there, you can start identifying gaps and apply the priorities defined earlier to build out a roadmap for evolution.
Q: Why the name “Unit 42”?
A: This is a “Hitchhiker’s Guide to the Galaxy” reference, related to the conclusion of an epic computation by the supercomputer Deep Thought. This was paraphrased as “Unit 42 is the answer to ___x___” in the concept form for Unit 42’s creation and the name just stuck. Ultimately, Unit 42’s goal is to add context to the threats faced by our global customers and broader communities.
JD: Was there any back story to why you chose this topic for your presentation?
RD: Context is key when it comes to intelligence-driven incident response. Incident Response (IR) can seem like a constant effort to put out fires without much room to breathe, especially for smaller or newer Computer Network Defense (CND) operations. One of the goals of my talk was to communicate how a little effort in identifying adversarial motivations and objectives can be used to tailor controls and processes against those attackers. This in turn contributes to the shift in CND operations from the reactive to the proactive, ultimately supporting more effective prioritization of activities and resources. CND is a challenging discipline; I’m a firm believer in working smarter — rather than harder — whenever possible.
JD: Rob, I really appreciate the answers. It was really great to talk with you today and learn more about security and Unit 42.
RD: Thank you, it was a pleasure talking with you.
More about Rob Downs:
Rob Downs is a Cyber Threat Intelligence Analyst with Palo Alto Networks Unit 42, where he specializes in deep-dive malware analysis and reverse engineering towards tracking threat evolution and adversarial attribution. Prior to joining Palo Alto Networks, he performed Incident Response for the Defense Industrial Base, Department of Defense, and Intelligence Community. Rob holds a bachelor’s degree in Computer Science from Boston University, a master’s degree in Computer Information Systems (Security) from Boston University, and the SANS GREM certification.