Securosis

Research

Now China is stealing our porn

Okay, it is entirely possible he paid for it, but HOW DO WE KNOW? U.S. Finds Porn Not Secrets on Suspected China Spy’s PC A Chinese research scientist suspected of spying on the National Aeronautics and Space Administration – and pulled from a plane in March as he was about to depart for China – is set to plead to a misdemeanor charge of violating agency computer rules. Bo Jiang, who was indicted March 20 for allegedly making false statements to the U.S., was charged yesterday in a separate criminal information in federal court in Newport News, Virginia. Jiang unlawfully downloaded copyrighted movies and sexually explicit films onto his NASA laptop, according to the court filing. A plea hearing is set for tomorrow. This is why it’s important to read breaking news with skepticism. Not that China is above this sort of theft, per documented history, but that doesn’t mean everyone is working for APT1138. Share:

Share:
Read Post

The CISO’s Guide to Advanced Attackers: Breaking the Kill Chain

In our last post in the CISO’s Guide to Advanced Attacks, you verified the alert, so it’s time to spring into action. This is what you get paid for – and to be candid your longevity in the CISO role directly correlates to your ability to contain the damage and recover from the attacks as quickly and efficiently as possible. But no pressure, right? So let’s work through the steps involved in breaking the kill chain, disrupting the attackers, taking counter measures, and/or getting law enforcement involved. Incident response needs to be a structured and conditioned response. Work to avoid setting policies during firefights, even though it’s not possible to model every potential threat or gain consensus on every possible countermeasure. But try to define the most likely scenarios and get everyone on board with appropriate tactics for containment and remediation. Those scenarios provide a basis for making decisions in scenarios that don’t quite match your models. Then at least you can spin why you made certain decisions in the heat of battle. Contain the Damage As we described in Incident Response Fundamentals, containment can be challenging because you don’t exactly know what’s going on but you need to intervene as quickly as practical. The first requirement is very clear: do not make things worse. Make sure you provide the best opportunity for your investigators (both internal and external) to isolate and study the incident. Be careful not to destroy data by turning off and/or unplugging machines without first taking appropriate forensic images. Keeping the discussion high-level, containment typically involves two main parts: Quarantine the device: Isolate the device quickly so it doesn’t continue to perform reconnaissance, move laterally within your network, infect other devices, or progress toward completing its mission and stealing your data. You may monitor the device as you figure out exactly what you are doing but make sure it doesn’t cause any more harm. Protect critical data: One reason to quarantine the device is to ensure that it cannot continue to mine your network and possibly exfiltrate data. But you also can’t assume the compromised device you identified is the only one. So go back to the potential targets you outlined when you sized up the adversary, and take extra care to protect the critical data most interesting to your adversary. One thing we know about advanced attackers is that they generally have multiple paths to accomplish their mission. You may have discovered one (the compromised device), but there are likely more. So be a little extra diligence with monitoring data access and egress points, to help disrupt the kill chain in case of multiple compromises. Investigate and Mitigate Your next step is to identify the attack vectors and determine appropriate remediation paths. As mentioned above you want to be sure to gather just as much information as you need to mitigate the problem (stop the bad guys) and collect it in a way that doesn’t preclude subsequent legal (or other) action at some point. For more details on malware investigation techniques, we point you again to Malware Analysis Quant for a very granular attack investigation process. When it comes to mitigation you will set a series of discreet achievable goals and assign resources to handle them. Just like any other project, right? But when dealing with advanced attackers you have a few remediation paths to consider: Clean: People also also call this the Big Bang approach because you need to do it quickly and completely. Because if you leave the attacker with any foothold in your environment you will start all over again sooner than later. Most organizations opt for this approach – the sooner you clean your environment the better. Observe: In certain instances, such as when you are dealing with an inside job or law enforcement is involved, you may be asked not to clean all the compromised machines. But as described above, you need to take extra care to ensure you don’t suffer further losses while observing the attackers. That involves deep monitoring (likely network full packet capture and memory forensics) on traffic in and out of critical data stores – as well as tightening controls on egress filters and/or DLP gateways. Disinformation: Another less common alternative is to actively provide disinformation to adversaries. That might involve dummy bids, incorrect schematics, or files with tracking data which might help identify the attacker. This is a very advanced tactic, generally performed with the guidance of law enforcement or a very select third-party incident response firm. Executing the Big Bang To get rid an advanced attacker you need to find all compromised devices. We have been talking about how to do that by searching for indicators of compromise but you cannot assume you have seen and profiled all the malware in use. Those pesky advanced attackers may be throwing 0-day attacks at you. This, again, is where threat intelligence comes in to look for patterns others have seen (though not likely your specific files). Once you have identified all the affected devices (and we mean all of them), they need to go dark at the same time. You cannot leave the adversary with an opportunity to compromise other devices or execute a contingency plan to retain a foothold while you work through your machines during cleanup. This probably entails wiping the machines down to bare metal – even if that means losing data. Given the capabilities of advanced attackers, you cannot be sure of totally eliminating the device compromise any other way. When the affected devices are wiped and rebuilt you need to monitor them and capture egress traffic during a burn-in period to make sure you didn’t miss anything. That means scrutinizing all configuration changes for indications that the attacker is breaking back in or finding new victims, as well as looking for command and control indicators. The moment the adversary is blown out they will start working double-time to get back in. You are never done. So you need to ensure your

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.