Research

Raising children in the age of the Internet is both exhilarating and terrifying. As a geek I am jealous of the technology my children will grow up with. You can make the argument that technology always advances, and my children will feel the same way about their offspring, but I think the genesis of the Internet is a clear demarcation line in human history. There is the world before the Internet, and the world after. The closest equivalents are the rise of agriculture and the Industrial Revolution, and I argue the Internet hit harder and faster. Mix in mobile devices, near-ubiquitous wireless data, and “the cloud”, and the changes are profound. Part of me feels incredibly lucky to have lived through this change, and another part is sad it wasn’t around sooner. It is an exciting time to raise kids. The resources available to us as parents are truly stunning. We have access to information resources our parents couldn’t conceive of. Want to know how to build a robot? Make the perfect sand castle? Build a solar-powered treehouse? Answer nearly any imaginable question? It’s all right there in your pocket. Anything my children choose to explore, I can not only support, I can get the supplies deliverd with free two-day shipping. My kids will grow up with drones, robots, 3D printers, and magical books with nearly all of human knowledge inside. Which isn’t always a good thing. Once they figure out the way around my filters (or go to a friend’s house), there won’t be any mysteries left to sex. Not that what they’ll find will represent reality, and some of it will warp their perceptions of normality. They will post their innermost thoughts online, without regard to what that may mean decades later. They will see and learn truly horrible things that, before the Internet, were physically isolated. They will witness lies and hatred on a colossal scale (especially if they post anything in a gaming forum). I accept that all I can do is try my best to prepare them to understand, filter, and think critically on their own. But I truly believe the benefits outweigh the dangers. Like this author, I will flood my children with technology. They have, today, essentially infinite access to technology. I don’t limit iPad time. I don’t count the television hours. We don’t restrict the laptops. This may change as they grow older, but my gut feeling is that the more you restrict something, the more they want it. And our family’s lifestyle is more centered on physical activity and creating than consuming. There is, however, one place where I have started restricting technology. Not for my children, but for myself. This week as I sat in the parents’ observation area at our swim school, I noticed every adult head wasn’t focused on their kids, but on the screens in their hands. Go to any playground or Chuck E Cheese and you will see more parental heads staring down than up. I noticed I do it. And my children notice me. Children, especially young children, don’t necessarily remember what we try to teach them. They, like nearly every other species, learn by watching us. And they remember absolutely everything we do, especially when it involves them. I don’t want my kids thinking that the screen in my hand is more important than they are. I don’t want them thinking that these wonderful devices are more important than the people around them (well, I do prefer Siri over most people I meet, but I’m a jerk). I can’t just tell them – I need to show them. I have started weaning myself off the screen. When I’m with my family, I try to only use it when absolutely necessary, and I verbalize what I’m doing. I am trying to show that it is a tool to use when needed, not a replacement for them. I am not perfect, and there are plenty of times it’s okay to catch up on email in front of my kids – just not when I should be focused on them. And, to be honest, once I got over the initial panic, it’s nice to just relax and see what’s around me. It doesn’t hurt that my kids are damned cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on Watering Hole Attacks. Adrian’s DR post: Database Security Operations. Favorite Securosis Posts Mike Rothman: Compromising Cloud Managed Infrastructure. You cloud is only as secure as the web interface you use to configure it… Adrian Lane: The BYOD problem is what? Rich: Ramp up the ‘Cyber’ Rhetoric. Other Securosis Posts Email-based Threat Intelligence: Quick Wins. Email-based Threat Intelligence: Industrial Phishing Tactics (New Series). A Brief Privacy Breach History Lesson. Incite 3/13/13: Get Shorty. Could This Be the First Crack in the PCI Scam? TripWire nCircles the Vulnerability Management Wagon. Untargeted Attack. Email-based Threat Intelligence: Analyzing the Phish Food Chain. In Search of … Data Scientists. Encryption Spending up in 2012. Security Education still an underused defense. Favorite Outside Posts Mike Rothman: Father hacks ‘Donkey Kong’ for daughter, makes Pauline the heroine. Hacking for the win. This is the right example to set for young girls. They can do anything they want. Adrian Lane: Which Encryption Apps Are Strong Enough to Help You Take Down a Government? People talk about privacy, but Matt Green arms you with some tools to actually help. The question is would you actually use these tools. Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry. Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names – in a word: insane. Top News and Posts Spy Agencies to Get Access to U.S. Bank Transactions Database Microsoft and Adobe release patches to fix critical vulnerabilities. Deja patch. Obama Discusses Computer Security With Corporate Chiefs. Update on iOS 6 exploitation. TL;DR: it’s really hard. Blog Comment of the Week This week’s best comment goes to Nate, in response

The big ChoicePoint breach of 2004 was the result of criminals creating false business accounts and running credit reports on hundreds of thousands of customers (probably). Every major credit/background company has experienced this kind of breach of service going back decades – just look at the Dataloss DB. Doxxing isn’t necessarily hacking, even when technology is involved. All this has happened before, and all this will happen again. Even very smart humans are fooled every day. Share:

It’s hard to believe, but my family and I have been in Atlanta almost 9 years. The twins were babies; now they are people. Well, kind of. I grew up in the Northeast and spent many days shoveling our driveway during big snowstorms. Our 15 years in Northern Virginia provided a bit less shoveling time, but not much. But the ATL is a different animal. It snows maybe once a year, and the dusting is usually gone within a few hours. I can recall one time, over the past 8 winters, when we got enough snow to actually make a snowman. We are usually pummeled by one good ice storm a year, which wreaks havoc because no one in the South knows how to drive in bad weather, and I think there are a total of 3 snow plows in the entire state. Now that it’s starting to warm up a bit I look forward to breaking out my flipflops and summer work attire, which consists of shorts and T-shirts. Unless I have a meeting – then I wear a polo shirt. But that’s still probably 6 weeks away for me. Having grown up with the cold, I hate it now. I just don’t like to be cold. I get my Paul Bunyan on with a heavy lumberjacket (one of those flannel Thinsulate coats) to take the kids out to the bus in the AM. Even if it’s in the 40s. I have been known to wear my hat and gloves until May. Whatever it takes for me to feel toasty warm, regardless of how ridiculous I look. The Boy has a different opinion. It’s like he’s an Eskimo or something. Every morning (without fail) we have an argument about whether he can wear shorts. Around freezing? No problem, shorts work for him. Homey just doesn’t care. He’ll wear shorts at any time, literally. There was one morning earlier this year where I called his bluff. I said “fine, wear your shorts.” It was about 35 degrees. He did, and he didn’t complain at all about being cold. I even made him walk the two blocks to the bus and stand outside (while I sat in the warm car). He didn’t bat an eyelash. But the Boss did. I took a pounding when he came off the bus in shorts that afternoon. I tried to prove a point, but he took my point and fed it back to me, reverse alimentary style. No matter the temperature, a hoody sweatshirt and shorts are good for him. His behavior reminds me of returning to NYC after a college spring break in Acapulco many moons ago. Most of us were bundled up, but one of my buddies decided to leave his Jose Cuervo shorts on, while wearing his winter jacket. It was about 20 degrees, and after a week of chips and guacamole and Corona and 4am Devil Dogs (and the associated Montezuma’s revenge), we just absolutely positively needed White Castle. Don’t judge me, I was young. My friend proceeded to get abused by everyone in the restaurant. They asked if he was going to the beach or skiing. It was totally hilarious, even 25 years later. I can totally see the Boy being that guy wearing shorts in the dead of winter. But part of being a parent is saving the kids from making poor decisions. The Boss is exceptional at that. She proclaimed the Boy cannot wear shorts if it will be below 50 degrees at any time during the day. There were no negotiations. It was written on a stone tablet and the Boy had no choice but to accept the dictum. Now he dutifully checks the weather every night and morning, hoping to get the high sign so he can wear his beloved shorts. Who knows, maybe he’ll become a meteorologist or something. Unless they tell him he can’t wear shorts on air – then he’ll need to find something else to do. –Mike Photo credits: Taking a jog in shorts after Winter Storm Nemo originally uploaded by Andrew Dallos Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training in Reading, UK April 8-10. Sign up now. Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Quick Wins Analyzing the Phishing Food Chain Industrial Phishing Tactics Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Everything increases risk if firewall management sucks: In this week’s mastery of the obvious piece, we hear that Segmentation Can Increase Risks If Firewalls Aren’t Managed Well. The article provides a bully pulpit the firewall management vendors to tell us how important their stuff is. Normally I’d lampoon this kind of piece, but operating a large number of firewalls really is hard. Optimizing their use is even harder. Do it wrong, and you create a hole big enough to drive a truck through. So after years of maturing, these tools are finally usable for large environments, which means we will be doing a series within the next month or so. Stay tuned… – MR Preparation: I loved the idea of Netflix’s Chaos Monkey when I heard of it. An application that looks for inefficient deployments and deliberately causes them to fail. Very much in the Big Data design philosophy, where you assume failure occurs regularly – which both makes Netflix service better and continually verifies system resiliency. So when I read Threatpost’s How Facebook Prepared to Be Hacked I thought it would be

A sports clothing retailer is suing Visa to recover a $13M fine for a potential data breach. The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based. PCI is designed to push nearly all risks and costs onto merchants and their banks through a series of contracts. The PCI Security Standards Council has stated that no PCI compliant organization has ever been breached. This is a clear fallacy – merchants pass their assessments, they get breached, and then PCI retroactively revokes their certifications. Fines are then levied against the acquiring bank and passed on to the merchant. When a breach occurs, the card companies collect their fines from the third-party banks that process the card transactions, instead of the merchants, who have more incentive to fight the fines. Third-party banks then simply collect the money from the customer’s account or sue them for uncollected balances, using the indemnification clauses in their contracts to justify it. The card companies collect their fines with no hassle and merchants, in the meantime, are left fighting to dispute the fines and get their money back from the card companies. In this case, the retailer (Genesco) is suing Visa for violating their own policies, especially since there was no evidence that card numbers were exfiltrated or used for fraud. Watch this one closely. If it succeeds there will likely be a flood of similar cases. This case doesn’t seem to attack the root of the PCI system itself (the contract system), but I could see that easily getting wrapped into either this case or a future one if Genesco is successful. Seriously – I don’t think all of PCI is bad, but the PCI SSC claims that no compliant organization has been breached is a load of (my favorite word beginning with ‘s’). That position and their policies on fines convinces me PCI is a scam. Especially since they even try to intimidate PCI assessors who speak negatively about PCI in public (yes, direct warnings to shut up or else, I have been told). The card companies, especially Visa (who pulls most of the strings), have a chance to change course and clean up the issues that undermine a program that could be very beneficial. But PCI is currently losing what little legitimacy it has. Share:

It’s funny how you suddenly remember random conversations from months ago at the strangest times. I recall having breakfast with some of my pals at TripWire at RSA 2012 (yes, 13 months ago), and them peppering me about the vulnerability management market. Obviously they were shopping for deals, but most of the big players then seemed economically out of reach for TripWire. And there was nothing economically feasible I could recommend for them in good conscience. What a difference a year makes. It seems the Thoma Bravo folks have TripWire hitting on all cylinders, and they are starting to flex some of that cash flow muscle by acquiring nCircle, one of the 4 horsemen of Vulnerability Management (along with Qualys, Tenable, and Rapid7). Both are private companies, so we won’t hear much about deal value, but with alleged combined revenue of $140 million in 2012, the new TripWire is a substantial business. As I wrote in Vulnerability Management Evolution, VM is evolving into more of a strategic platform and will add capabilities like security configuration management (as opposed to pure auditing) and things like benchmarking and attack path analysis to continue increasing its value. TripWire comes at this from the perspective of file integrity and security configuration management, but they are ultimately solving the same customer problem. Both shops help customers prioritize operational security efforts by poses the greatest risk – in concept, anyway. And for good measure, they both generate a bunch of compliance-relevant reports. The video describing the deal talks about security as business value and other happy vision statements. That’s fine, but I think it undersells the value of the integrated offering. You see, TripWire has a very good business assessing and managing devices using a device-resident agent. nCircle, on the other hand, does most of its assessment via a non-persistent agent. We believe there will continue to be roles for both modalities over time, where the agent will be installed on important high-risk devices for true continuous monitoring, and the non-persistent agent handles assessment for less-important devices. It’s actually a pretty compelling combination, if they execute the technical integration successfully. But this isn’t our first rodeo – good technical integration of two very different platforms is very very hard, so we remain skeptical until we see otherwise. In terms of market analysis, the deal provides continued evidence of the ongoing consolidation of security management. TripWire has said they will be doing more deals. Qualys has public market currency they will use to bring more capabilities onto their cloud platform. Tenable and Rapid7 both raised a crapton of VC money, so they can both do deals as well. As VM continues to evolve as a platform, and starts to overlap a bit with more traditional IT operations, we will continue to see bigger fish swallowing small fry to add value to their offerings. Our contributor Gal brought up the myth of TripWire’s ecosystem and questioned the openness and accessibility of integration, given what they have accomplished to date. I’m more inclined to put every vendor’s ecosystem in the BS camp at this point. TripWire and nCircle will be tightly integrated over the next two years. They don’t have a choice, given the drive to increase the value of the combined company. Any other integration is either tactical (read: customer-driven) or for PR value (read purple dinosaur driven). Security companies pay lip service to integration and openness until they reach a point where they don’t have to, and can control the customer (and lock them in). To think anything else is, well, naive. To wrap up, on paper this is a good combination. But the devil is in the integration, and we have heard nothing about a roadmap. We heard nothing about what the integrated management team will look like. Nor have we heard anything about go-to-market synergies. There is a lot of work to do, but at least it’s not hard to see the synergy. Even if it’s not obvious to Jeremiah. Photo credit: “Circling the Wagons” originally uploaded by Mark O’Meara Share:

We are big on Quick Wins at Securosis. Mostly because we know how hard it is to justify new technology (or processes or people), and that if you can’t show value quickly on a new project, every subsequent request gets harder and harder to get through. Until you have a breach, that is. Then your successor gets carte blanche for a honeymoon period to do the stuff you were trying to do the whole time. Ultimately disrupting a phishing attack is an application simple economics. If it costs more for attackers to phish your brand, their margins will go down and eventually they will look to other attacks (or other targets) that return more profit. So for Quick Wins, focus on making phishing campaigns more expensive. That means messing with their sites, more effectively helping customers protect themselves, and ultimately shortening the window attackers have to monetize your customers. Your quiver is filled with the key intelligence sources we discussed in Analyzing the Phish Food Chain, so what comes next? How can you use information like phisher email addresses, IPs, and domains to disrupt and/or stop attacks on your brand? Taking the Phish out of the Pool The first and most common remediation remains the phishing site takedown. Obviously phishing attacks are frustrated if the evil site is not available to harvest account credentials and/or deliver malware. But this is not an immediate fix – it takes time to prepare the documentation ISPs need, domain registrars, domain owners, browser vendors, telecom providers, and any other organization that can take the site offline. But remember that many phishing sites are hosted on legitimate – albeit compromised – web sites, so site takedowns inflict collateral damage on legitimate sites as well. We are not in the excuses business, so it’s not like we would feel bad when a compromised site is taken down until fixed, but keep in mind that the cost isn’t only to the phisher. One of the keys to dealing with advanced malware is determining whether it makes more sense to observe the attacker to gain intelligence about tactics, objectives, etc., than to remediate the device immediately. Phishing sites demand a similar decision. If you have identified the phisher as a frequent attacker, does it make more sense to observe traffic from those sites? Or to monitor the attack kits and analyze the malware downloaded to compromised devices? The answer varies, but this kind of analysis requires sophisticated incident response and malware analysis capabilities. A few other tactics can be helpful in disrupting phishing attacks, including directly notifying browser vendors of malicious sites because all major browsers now include real-time checks for phishing and other malware sites, and warn users from visiting compromised sites. Similarly, communicating with the major security vendors and submitting IP addresses and domains to their security & threat research teams, can give these sites and IPs negative reputations and block them within web and email security gateways. If you have been able to identify the email address the phisher uses to harvest account credentials, you can work with their service provider (typically a major consumer email provider such as Google, Yahoo!, or Microsoft) to limit access to the account. Or work with law enforcement to track the attacker’s identity as they access the account to collect their spoils. All these tactics make it harder for phishers to lure victims to their phishing sites, steal information, and then harvest it. Speaking of law enforcement, much of the information you need to gather to facilitate phishing site takedowns, such as IP addresses, domains, email addresses, and phishing kit specifics, is directly useful for law enforcement’s ultimate efforts to prosecute the phishers. Prosecution is rarely job #1, especially because many attackers reside in place where prosecution remains difficult, but if you need to gather the data anyway, you might as well let law enforcement run with it. Other Tactics for Disrupting Phishing Taking down the phishing site isn’t your only means to disrupt attacks. You can also use active controls already in place in your environment to minimize the damage caused by the attack. Let’s start with the network: your intelligence efforts have yielded a number of data points, such as IP addresses and domains associated with an attack. You may be able to work with the network operations team to block devices connecting to your site from these IPs or domains. At least you should be able to tag these devices and monitor their transactions for suspicious activity. When dealing with fraud attacks against millions of customers, being able to focus your efforts on accounts more likely to be compromised really helps. Another tactic is to adaptively require stronger authentication for accounts exhibiting suspicious activity. Phishers collect account numbers and passwords, rarely worrying about security questions or additional authentication factors. So if you see a login attempt from a suspicious IP address or domain, you can further challenge the user attempting to login by requiring additional authentication details. Attackers generally attack the easiest targets, so this is a great way to make attacks against you more expensive, and is likely to drive phishers elsewhere. Finally, you can work harder to stop the original phishing emails from reaching your customer’s inboxes in the first place. Leverage new standards like DMARC, which enables service providers and other large-scale senders to leverage DKIM and/or SPF message authentication technologies to provide more accurate sender authentication. Combined with traditional anti-spam analysis techniques, these technologies can minimize false positives and ensure phishing messages get tossed before customers get an opportunity to hurt themselves. Addressing the Root Cause Ultimately, much of what you can do to disrupt phishing is reactive. But it may also make sense to try reducing the likelihood of compromise at the point of attack: your customer. You can start with security education, working to help customers identify phishing domains and recognize the security mechanisms most consumer brands apply to email they send to customers. We are painfully familiar with the frustration of security awareness training, but

The Nibble security blog had a very good post on Subverting a Cloud-based Infrastructure with XSS and BEEF. They essentially constructed an XSS attack to issue network infrastructure management commands without user knowledge. The idea is pretty neat: all network devices and security appliances (wired and wireless) can be managed by a cutting-edge web interface hosted in the cloud, allowing Meraki networks to be completely set up and controlled through the Internet. Many enterprises, universities and numerous other businesses are already using this technology. As usual, new technologies introduce opportunities and risks. In such environments, even a simple Cross-Site Scripting or a Cross-Site Request Forgery vulnerability can affect the overall security of the managed networks. There are two important takeaways here, so don’t get caught up with a specific vendor’s vulnerabilities or the specific tool used to craft this attack. The management interfaces for all cloud services are browser-accessible, and browsers – and the web services they use – are open to these attacks. XSS and CSRF are major issues, and we have considerable evidence – the Mandiant report being just one source – that browser-based attacks are one of the top two current attack vectors. These are problems that most organizations don’t consider when building web applications, so they are common vulnerabilities. Which leads directly into the second issue: that all cloud services, by definition, offer broad network access. That means applications and management interfaces are both browser accessible. The beauty of cloud services for IT management is that you can access all cloud management functions from any browser, anywhere. And from that single connection you do just about anything. Very convenient! For attackers too – once they compromise a customer’s management plane for a cloud service, that is equivalent to root access. Only in this case it’s the entire cloud infrastructure, not just one server. Because the attack originates from your browser, it does not matter whether you restricted management access to in-house IP addresses – your system has one of the approved IP addresses. There are not many quick and easy ways to protect against this type of attack, but use a dedicated browser for management if you can. Other than that … be careful what you surf for. Share:

I was perplexed by the wording of many initial reports on the recent attacks ‘against’ Apple, Facebook, Twitter, and Microsoft. Sure, maybe they were targeted, but it seems just as likely that the attackers just picked popular developer sites and harvested some big fish. That is the essence of a a good piece at securityledger: Rather, the wide net of watering hole web sites pulled in employees from organizations across a broad swath of the U.S. economy, say those with knowledge of the incident. That has made the operation look more like a fishing expedition than a narrowly focused operation.   Developers are typically soft targets, with extensive access to internal resources. In this case I would bet that most Mac-based developers have Java enabled in their browsers. As a former dev myself, they spend a lot of time in various fora with crappy security and which are thus prone to compromise. I still spend a lot of time on those sites, but I am probably more careful than most devs or admins. Developers and administrators are in jobs that require deep access to sensitive resources, more control over their own systems, and a larger software attack surface (Java is essential for managing certain systems and platforms); but they aren’t necessarily more secure than average users, beyond basic attacks. Targeting job roles rather than organizations seems like a good strategy. Hit something popular enough within the development or admin communities, and the odds are very good that you will gain access to a variety of prime targets. No one works in a vacuum. Image: a real watering hole, with a croc you can’t see. Took this one myself in Africa. He/she wasn’t hungry that day. Share:

As we discussed in Industrial Phishing Tactics, phishing is a precursor to many attacks in the wild. Phishing attacks are designed to get victims to click something, then to share the victim’s account credentials and download malware; and of course they leave a trail like everything else. Following that trail can help you prioritize remediation activities, identify adversaries, and ultimately take action to protect both your environment and your customers. But first you must be able to analyze the email to identify the patterns to look for. And that requires a lot of email – a whole lot. Sampling all the phish in the sea Email-based threat intelligence entails analyzing scads of spam emails using Big Data Analytics. You didn’t think we’d be able to resist that buzzword, did you? Of course not! But whether you call it big data or just “a lot of data,” the first step in implementing an email-based threat intelligence program is to aggregate as much email as you can. Which brings up a reasonable question: where do you get that kind of email? If you are a private enterprise it can be hard. There are various spam archives available on the Internet (Google is your friend), but not many fresh ones. Alternatively, you could establish partnerships with email service providers, who tend to have millions of blocked emails from internal spam filters lying around. Another source would be other consumer brands – perhaps some of them would be willing to swap. You give them a copy your spam mailbox in exchange for theirs. Besides the email addresses, there isn’t likely to be sensitive data in obvious spam, so this shouldn’t trip the general security aversion to sharing data. But you will likely need an intelligence feed from a third-party analysis provider. As discussed in both the Early Warning System and Network-based Threat Intelligence (NBTI) research, we see a market emerging for intelligence providers specializing in aggregating and analyzing these data sources. They provide intelligence that can be used by enterprises to shorten the window between attack and detection. Let’s dig into the kinds of intelligence we are looking for in phishing emails, and get back to the metaphor we introduced in the NBTI paper: the Who, What, Where, and When of phishing. Who? Establishing the ‘who’ behind phishing is probably the most important intelligence you can receive. Because a select few highly effective phishers (hundreds, not thousands) are behind many of the attacks you will see in the wild. So the ability to identify the author of attacks can yield all sorts of information, enabling you to profile and analyze your adversaries. Why is adversary analysis important? Motive: Is the phish part of a targeted attack (spear phishing)? Is it part of a widespread attack on a financial institution to harvest account information? Is it to steal intellectual property? Knowing your adversary allows you to determine his/her motives, and thus to more effectively judge the true threat of the attack to your organization. Tactics: Does this phisher use malware extensively? Do they just harvest account information? Is key logging their main technique? Understanding and profiling the adversary can indicate which controls to be implement to ensure protection. Also keep in mind that the ultimate target of the phishing attack is usually your customers, rather than your employees. So this helps you decide whether helping customers protect themselves is a worthwhile expense for you. Capabilities: Finally, isolating your adversary and tracking them over time (as discussed below) provides clues to their capabilities. Do they rely purely on commercial phishing kits? Are they able to package 0-day attacks? Is it something in the middle? The more you know about the attackers, the more effectively you can make decisions about how to react. The ultimate objective of adversary analysis is to more effectively prioritize remediation activities. Knowing who you are dealing with and what they are capable of is key, and can help you determine the urgency of response. What? So how do you find a specific attacker within a corpus of millions of spam and phishing messages? It all comes back to profiles. The links embedded in the phishing messages indicate the locations of phishing sites, and you will see patterns in the domains and IP addresses used in attacks. Working backwards you can analyze the phishing site to determine the attack(s) in use, the tactics and capabilities used, and if you get lucky perhaps the attacker’s identity. This next level of analysis involves looking at ‘what’ the attack does. A key development that made phishing far more accessible to unsophisticated attackers was phishing attack kits. These kits provide everything an attacker needs to launch a phishing campaign – including images, email copy, and specific tactics to capture account credentials. Of course phishing messages still need to evade an organization’s spam filters, but that tends to be reasonably straightforward given that phishing messages should look exactly like legitimate messages. That takes most of the sophisticated content analysis done by anti-spam filters out of play. But these kits leave a trail, in the form of the source code used to install the kit on a compromised server. If you get an actual phishing kit you can analyze it just like any other malware (as discussed ad nauseum in Malware Analysis Quant) for clues to the malware used and what is ultimately done with stolen account credentials – all of which can help identify the attacker’s email. Even better, profiling attack kits enables you to look for similar attack profiles, to identify the attacker far more quickly next time. Given a sufficient corpus of spam and phishing messages, you can mine the data for patterns of IP addresses and domains, to help identify the adversary and assist in identifying appropriate remediations. Where? As described above, phishing messages look like legitimate email, so much of anti-spam filters’ content analysis cannot detect them. But you can (and need to) analyze email headers to figure out where the messages come from, the path they take to your gateway, and for clues in links to phishing sites. That brings

In the immortal words of Jay-Z, you’ve got 99 problems but BYOD ain’t one of them. Colin Steele does a good job of putting the BYOD (and broader mobility) situation in proper context in You can’t solve BYOD because it’s not a problem Not a week goes by that I don’t receive a press release or read a news article about some new product or other that “solves BYOD.” Vendors and customers that look at BYOD as a problem to solve, and not an opportunity to take advantage of, are missing the point. There is a lot of truth in that statement. It’s a technology version of “Vendors are from Mars, Customers are from Venus.” Customers want to bitch and vent about things, so vendors think that means they need to solve the problem. Mobility is something all organizations need to deal with, but it’s not something you can ‘fix’ by installing an agent or bolting an appliance into a rack. BYOD is disruptive. It brings challenges. It takes control out of IT’s hands. But these issues are simply the natural fallout from IT’s inability to keep up with users’ technology needs. That is the problem that needs to be solved. Let me highlight the money quote there. “…the natural fallout from IT’s inability to keep up with users’ technology needs.” Yup. But security folks know how this movie ends much better than most other technology disciplines. Employees do what they feel they need to do, whether you like it or not. They will get around your controls. They will skirt your policies. And they will get their jobs done. Of course we don’t advocate a wild west, “do whatever the hell you want,” approach. But it is essential to place mobility in its proper context, which means an acceptance that it is happening. So get on board and work collaboratively with the right folks to apply some reasonable control. Or get run over… Photo credit: “No problems” originally uploaded by Gamma Man Share: