Research

Every year there seems to be a new shiny object that works security marketeers into a frenzy. The Advanced Persistent Threat hype continues to run amok 3 years in, and doesn’t seem to be abating at all. Of course there is still lot of confusion about what the APT is, and Rich’s post from early 2010 does a good job explaining our view. That said, most security vendors are predictable animals and they adhere to the classic maxim “If all you have is a hammer, everything looks like an APT.” So it makes no difference what the security product or service does – they are all positioned as the answer to APT. Of course this isn’t useful to security professionals who actually need to protect important things. And it’s definitely not helpful to Chief Information Security Officers (CISOs) who have to communicate their organization’s security program and set realistic objectives, and manage expectations accordingly. So, as usual, your friends at Securosis will help you focus on what’s important and enable you to wade through the hyperbole to understand what’s hype and what’s real, in our new series: The CISO’s Guide to Advanced Attackers. This series will provide a high-level view of these “advanced attacks”, designed to help a CISO-level audience understand what they need to know, and map out a clear 4-step process for dealing with advanced attackers and their techniques. Before we get started I want to thank Dell SecureWorks for agreeing to potentially license the content at the end of the project. As with all our research, we will produce The CISO’s Guide to Advanced Attackers independently and objectively, and tell you what you need to know. Not what any vendor wants you to hear. Defining Advanced Attacks First let’s dismiss the common belief that advanced attackers always use “advanced attacks”. That’s just not the case. Of course there are innovative attacks like Stuxnet, stealing the RSA token seeds to attack US Defense sector organizations, and compromising Windows Update using stolen Certificate Authority signing keys. But those attacks are exceptions, not the rule. These attackers are very business-like in their operations. They don’t waste a fancy advanced attack unless they need to. They would just as soon get an unsuspecting office worker to click a phishing email and subsequently use a known Adobe Reader exploit to provide the attacker with a presence in your environment. There is no award for unique attacks. This understanding necessarily changes the way you think about adversaries. The attacks you see will vary greatly depending on the attacker’s mission and their assessment of the most likely means to compromise your environment. A better way to get your arms around potential advanced attacks is to first understand the potential targets and missions. Then profile specific attackers, based on their likelihood of be interested in the target. This can give you a feel for the tactics you are likely to face, and enables you evaluate controls that may be able to deter them – or at least slow them down. The security industry would have you believe that implementing a magic malware detection box on your perimeter or locking down your endpoints will block advanced attackers. Of course you cannot afford to believe everything you hear at a security conference, so let’s break down exactly how to determine what kind of threat you are facing. Evaluate the Mission Having the senior security role in an organization (yes, Mr./Ms. CISO, we’re talking to you) means accepting that the job is less about doing stuff and more about defining the security program and evangelizing the need for security with senior management and peers. A key first part of this process is to learn what’s important in your environment, which would be an interesting target for an advanced attacker. Since you have neither unlimited resources nor the capabilities to protect against every attack, you need to prioritize your defenses. Prioritize by focusing on protecting your valuables. The first order of business in dealing with advanced attackers is to understand what they are likely to look for. That is most likely to your: Intellectual property Customer data (protected) Business operations (proposals, logistics, etc.) Everything else It is unlikely that you can really understand what’s important to your organization by sitting in your office. So a big part of this learning requires talking to senior management and your peers to get a feel for what’s important to them. After a few of these conversations it should be pretty clear what’s really important (meaning people will get fired if it’s compromised) and what’s less important. Once you understand what the likely targets of an advanced attacker (the important stuff), you can take a reasonably educated guess at the adversaries you’ll face. Profile the Adversary We know it seems a bit simplistic to make generic assumptions about the kinds of attackers you will face, depending on what you are trying to protect. And it is simplistic, but you need to start somewhere. So let’s quickly describe a very high-level view of the adversaries you could face. Keep in mind that many security researchers (and research organizations) have assembled dossiers on potential attackers, which we will discuss with threat intelligence in the next post. Unsophisticated: These folks tend to smash and grab attacks, where they use a publicly available exploit (perhaps leveraging tools like Metasploit) or some kind of packaged attack kit. They are opportunistic and will take what they can get. Organized Crime: A clear step up the food chain is organized crime attackers. They invest in security research, test their exploits, and have a plan to exfiltrate and monetize what they find. They are still opportunistic, but can be quite sophisticated in attacking payment processors and large-scale retailers. They tend to be most interested financial data, but have also been known to steal intellectual property if they can sell it and/or use brute force approaches like DDoS threats to extort victims. Competitor: At times competitors use unsavory means to gain advantages in product development, or when seeking information on competitive bids. These folks

Security groups are the basic firewall rules associated with instances in various compute clouds. Different platforms may use different names but security group is the most common so that’s the term we will use. Basically, it is a way of defining hypervisor firewall rules. Of course this is a gross simplification – different cloud platforms enforce groups at other layers of the virtual or physical network, but you get the point. You assign instances to a security group and they inherit that rule set, which applies at a per instance level. This is key because you need to do some deeper thinking about what access rules should apply to an individual instance, which is distinctly not like a network segment with a firewall in front of it. For example you can set security group rules that restrict traffic between all instances assigned to the same security group. Thus it has traits of both a host firewall and network firewall, which is kinda cool. I was teaching our cloud security class last week and one student asked why we don’t just use IP tables or another host firewall. The answer is pretty basic. Security groups allow you to decouple network security from the operating system on the instance. This provides a few advantages: Security for specific instances can be managed without needing to instantiate or access them. Network security rules can be managed via the cloud API and management plane, supporting better automation. Security groups apply no matter the boot or security state of an instance, so if your instance is compromised you can isolate it easily with a quick security group rule change. This does not mean you don’t still need host firewalls. They still play a valuable role when you need extra granularity, such as protecting instances when they move between different security groups. Another use for a host firewall is to provide the administrator with control over the specific instance’s security without requiring cloud management layer changes. Security group capabilities vary widely between platforms but the basic principles are pretty consistent. They also don’t necessarily substitute (yet) for more advanced firewall/IPS setups, which is when virtual appliances or some of the fancy integrated technologies (such as what VMWare is doing with vShield) come into play to inspect inter-VM traffic. The more I use them the more I am becoming a big fan of security groups, even with their limitations. They are pretty dumb, without even basic stateful packet inspection capabilities. Long term, any network security tools that want to play well with the cloud will need to adopt the same degree of integration with security groups implemented via the cloud platform, as well as access to those controls via robust cloud APIs. Share:

How cool would it be if LMFAO (or a reasonable proximity – Beaker, anyone?) did a security version of “Sorry for Party Rocking,” because evidently the security job market is rocking. But it offers a great perspective on the mind of the security professional. Check out the following quotes to get a feel for how things seem, which I can anecdotally validate based on the number of calls I get from CISO types looking to grow and retain their teams. “What’s the unemployment rate for a good cybersecurity person? Zero,” Weatherford said, adding that government agencies and the private sector were stealing the best people from each other. “We are all familiar with the fratricide going on.” Salaries split in 2013, with the median staff salary declining $2,000 to $95,000 this year. Management salaries continued to rise, topping $120,000 in 2013, up $5,000 from the previous year. The trend in total compensation reflects the same split as salaries: Total compensation for staff declined in 2013 to a median of $98,000, down $5,000, while management saw a $2,000 increase, to $129,000. So salaries for staff are down marginally, but still considerably higher than general IT jobs. That’s good, right? Security folks should feel good about their job security and their place in the organization, right? Doesn’t scarcity mean companies need to be taking better care of their security folks? That would be a reasonable conclusion, no? In 2013, security practitioners showed a slight drop in how secure they feel in their jobs. While other IT disciplines continue to feel as secure in their positions as in 2012, IT security staff saw a seven-point drop, to 43%, in the number that feel very secure. It’s totally counterintuitive, or is it? The reality is that when something bad happens, and in security something bad always happens sooner or later, someone is going to take the fall. So I can kind of understand how in the Bizarro World of security, scarcity and higher salaries make folks less secure in their jobs. But here’s the real point: even if your organization throws you under the bus, there are a hundred companies waiting in line for you to chase their windmills and eventually end up under their buses. So rejoice, security professionals! You may not keep a business card for long, but you shouldn’t have to spend much time in the unemployment line. Photo credit: “Help Wanted” originally uploaded by James Share: