Securosis

Menu

Research

Firestarter: China and Career Advancement

Rich July 14, 2014 1 Comment

Mike’s at the Jersey Shore, Rich is in Boulder, and Adrian is… baking in Phoenix in between tree-killing monsoons. This week we kept it simple with two topics. First up, China’s accusations that iOS and iDevices are a security risk. Which they should know, since they are all built there. Second is a discussion on security careers. How to break in, and what hiring managers should really look for. The audio-only version is up too. Share:

Share:
Read Post

Leverging TI in Incident Response/Management: Really Responding Faster

Mike Rothman July 14, 2014 1 Comment

In the introduction to our Leveraging Threat Intelligence in Incident Response/Management series we described how the world has changed since we last documented our incident response process. Adversaries are getting better and using more advanced tactics. The difficulty is compounded by corporate data escaping our control into the cloud, and the proliferation of mobile devices. When we started talking about reacting faster back in early 2007, not many folks were talking about the futility of trying to block every attack. That is less of an issue now that the industry understands security is imperfect, and continues to shift resources to detection and response. Butt the problem becomes more acute as the interval between attack and exfiltration continues to decrease. The ultimate goal of any incident management process is to contain the damage of attacks. This requires you to investigate and find the root causes of attacks faster. The words are easy, but how? Where do you look? The possible attack paths are infinite. To really react faster you need to streamline your investigations and make the most of your resources. That starts with an understanding of what information would interest to attackers. From there you can identify potential adversaries and gather threat intelligence to figure out their targets and tactics. With that information you can protect yourself, look for indicators of compromise via monitoring, and streamline your response when you (inevitably) miss. Adversary Analysis We suggest stating with adversary analysis because the attacks you will see vary greatly based on the attacker’s mission and assessment of the most likely (and easiest) way to compromise your environment. Evaluate the Mission: To start the process you need to learn what’s important in your environment, which leads you to identify interesting targets for attackers. This usually breaks down into a few discrete categories including intellectual property, protected customer data, and business operations information. Profile the Adversary: To defend yourself you will need to not only know what adversaries are likely to look for, but what kinds of tactics those attackers typically use, by type of adversary. So next figure out which categories of attacker you are likely to face. Categories include unsophisticated (uses widely available tools), organized crime, competitors, and state-sponsored. Each class has a different range of capabilities. Identify Likely Attack Scenarios: Based on the mission and the adversary’s general tactics, put your attacker hat on and figure out the path you would most likely take to achieve the mission. At this point the attack has already taken place (or is still in progress) and you are trying to assess and contain the damage. Hopefully investigating your proposed paths will prove or disprove your hypothesis. Keep in mind that you don’t need to be exactly right about the scenario. You need to make assumptions about what the attacker has done, and you will not predict their actions perfectly. The objective here is to get a head start on response, which means narrowing down the investigation by focusing on specific devices and attacks. Gathering Threat Intelligence Armed with context on likely adversaries we can move on to intelligence gathering. This entail learning everything we can about possible and likely adversaries, profiling probable behaviors, and determining which kinds of defenses and controls make sense to address higher probability attacks. Be realistic about what you can gather yourself and what intel you may need to buy. Optimally you can devote some resources to gathering and processing intelligence on an ongoing basis based on the needs of your organization, but in the real world you may need to supplement your resources with external data sources. Threat Intelligence Indicators Here is a high-level overview of the general kinds of threat intelligence you are likely to leverage to streamline your incident response/management. Malware Malware analysis is maturing rapidly; it is now possible to quickly and thoroughly understand exactly what a malicious code sample does, and define both technical and behavioral indicators to seek out within your environment, as described in gory detail in Malware Analysis Quant. More sophisticated malware analysis is required because classical AV blacklisting is no longer sufficient in the face of polymorphic malware and other attacker tactics to defeat file signatures. Instead you will identify indicators of what malware did to a device. Malware identification has shifted from what file looks like to what it does. As part of your response/management process, you’ll need to identify the specific pieces of malware you’ve found on the compromised devices. You can do that via a web-based malware analysis service. You basically upload a hash of a malware file to the service – if it recognizes the malware (via a hash match), you get the the analysis within minutes; if not you can then upload the whole file for a fresh analysis. These services run malware samples through proprietary sandbox environments and other analysis engines to figure out what malware does, build a detailed profile, and return a comprehensive report including specific behaviors and indicators you can search your environment for. Malware also provides additional clues. Can you tie the malware to a specific adversary? Or at least a category of adversaries? Do you see these kinds of activities during reconnaissance, exploitation, or exfiltration – a useful clue to the degree the attack has progressed. Reputation Reputation data, since its emergence as a primary data source in the battle against spam, seems to have become a component of every security control. Which makes sense because entities that behave badly are likely to continue doing so. The most common reputation data is based on IP addresses, offered as a dynamic list of known bad and/or suspicious addresses. As with malware analysis, identifying an adversary helps you look for associated tactics. Aside from IP addresses, pretty much everything within your environment can (and should) have a reputation. Devices, URLs, domains, and files, for starters. If you see traffic going to a site known to be controlled by a particular adversary, you can look for other devices communicating with that adversary.

Share:
Read Post
dinosaur-sidebar

Research

view all

Sign Up for Our Newsletter

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.