Research

Hot on the heels of our Building an Early Warning System paper, we have taken a much deeper look at the network aspect of threat intelligence in Network-based Threat Intelligence. We have always held to the belief that the network never lies (okay – almost never), and that provides a great basis on which to build an Early Warning System. This excerpt from the first section sums it up pretty nicely: But what can be done to identify malicious activity if you don’t have the specific IoCs for the malware in question? That’s when we look at the network to yield information about what might be a problem, even if controls on the specific device fail. Why look at the network? Because it’s very hard to stage attacks, move laterally within an organization, and accomplish data exfiltration without using the network. This means attackers leave a trail of bits on the network, which can provide a powerful indication of the kinds of attacks you are seeing, and which devices on your network are already compromised. This paper will dig into these network-based indicators, and share tactics to leverage them to quickly identify compromised devices. Hopefully shortening this detection window will help to contain the damage and prevent data loss. Hit the landing page or you can download the paper directly (PDF) We would like to thank Damballa for licensing the content in this paper. Obviously we wouldn’t be able to do the research we do, or offer it to you folks for this most excellent price, without clients licensing our content. Share:

Rich here, I need to apologize a bit for sending the Summary out a day late. As most of you know, this week is the big annual RSA Conference and we, Securosis, were busy as heck with conference activities. Between e10+, the Security Blogger’s Meetup, the Securosis Disaster Recovery Breakfast, and tons of conference meetings, it is the busiest week of our year. Well, except for me. As many of you know I spent the week here in Phoenix waiting for the birth of my next child. The due date was Monday, and there was no way in hell I was going to take the risk of missing that for a conference. But as you might guess based on the tone of this post, the kid is a no show. It was weird to miss RSA for the first time in many years. I was prepared to miss the social side of the show; as much as I enjoy seeing everyone, a conference is for work and I frequently dodge parties for meetings, to finish slides, or to stay rested. On the business development front I’m the first to admit Mike is a lot better at BD, and he probably closed more business for me than I could have closed myself. It was really nice to sit back and wait for the text messages of people I need to follow up with (thanks Mike!). What I didn’t expect was how much I miss the energy boost. You see, one thing about the nature of our business is that we often work in a vacuum. We advise users and vendors, and maybe get to see the outcomes someday, but we don’t get a lot of direct feedback on our work. This is important not only to ensure we that are on the right track, but it also helps keep us motivated. I don’t get a performance evaluation and bonus at the end of the year if I did well. I am extremely internally motivated. Anyone who works at home, for themselves, has to be or they don’t survive very long. But I’m also human, and we are social creatures. At RSA we get to engage with a much wider range of people than we do in our day-to-day work, and we get face-to-face feedback from people who use our research but don’t necessarily leave comments or feedback. Based on reports from the guys who were out there we are definitely on track, but hearing it isn’t the same as shaking the person’s hand or having breakfast with them. I can’t lie – I really missed that this year. I missed the feedback, good and bad, instead of talking to a blank screen or a captive audience before running to catch a plane. I don’t regret my decision in the slightest – my family is far more important than any of what i just talked about. I like the way Chris Hoff put it during the session we would have presented together had the baby come early, “the cost of missing RSA is a lot less than the cost of a divorce”. And one advantage is that I was here to get the Cloud Security Alliance Nexus launched. The CSA Nexus is a branded version of the Nexus platform we have been developing for two years. We launched with the CSA first because, at our annual internal planning meeting, we decided we needed to rework our content a bit before we go live for Securosis customers. It’s exciting to have actual, paying customers, and to get this thing out of the lab. It’s also weird to be a product manager, not just an analyst. We are going to open up our beta test again after we get a little more server work done, and we are still working out the dates for our official Securosis Nexus launch, but it should be soon. We are making a big bet on this platform, and I suspect getting actual customers in there will more than compensate for missing a few handshakes, head nods, and spilled beers. Note: since everyone was out this week and I was focused on the Nexus launch, this week’s Summary is missing most of the usual sections. Securosis in the news Rich on passwords in Digital Trends. Securosis posts Shattered Windows – the Impact of Attack Automation. Go buy Take Control of Your Passwords. Bit9 Details Breach. About the Security Blogger’s Meetup. Looky here. Adaptive Authentication works… When is a Hack a Breach? The Nexus Is Live with the Cloud Security Alliance! Everything I need to know about security, I learned in kindergarten. The end of MDM (as we know it). Or not. Attribution Meh. Indicators YEAH! Other news More Java 0-day. We are now adding this to the Summary with a weekly script. Botnet shut down live at RSA. AirWatch grabs $200M in funding. We don’t normally cover these things, but that is an insane amount of money. An interview with a ski patroller. Because I really miss ski patrol. Share:

In 2011, our friend Josh Corman codified “HD Moore’s Law”: Casual Attacker power grows at the rate of Metasploit For those who don’t know, Metasploit, created by HD Moore, is a free penetration testing framework (it is now owned by Rapid7, who also sells a commercial version). Metasploit allows an attacker to rapidly combine an exploit with a payload and initiate attacks, dramatically reducing the complexity compared to hand-coding an attack yourself. Unlike other commercial tools such as Immunity Canvas and Core Impact, Metasploit has a large community, and when new vulnerabilities or exploits become public they are typically converted into Metasploit modules extremely quickly (sometimes within hours). Once a module is published, anyone using Metasploit can leverage that attack. But Metasploit isn’t the only automated attack tool. Criminals have their own toolsets and markets, some of which advertise inclusion of 0-day vulnerabilities (for a price) and include better support than most of the security tools on the market. Being profitable, they fund their own research teams or acquire new exploits on the open market. Some software vendors have started talking about this in public, as Microsoft outlined in their RSA talk on their response to Flame. Brad Arkin from Adobe has also talked about this and presented hard data on their patch times and public disclosures and exploits. In the article Microsoft didn’t call out Metasploit or the criminal attack tools, but the inference is clear. There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private.* If it isn’t public, it has already been used in attacks or – thanks to changes in the exploit market – sold to someone who intends to use it in attacks. If it is public, it will be included in attack tools (good and bad) faster than most vendors can create and distribute a patch, or most users can deploy even if the patch is available. Some vulnerabilities are still reported privately to vendors, but we can no longer assume this is the norm, especially for some of the most serious vulnerabilities with high market value. Cloud computing also affects this in both good and bad ways, but the core principle is the same. If a cloud service is a target they have nearly no time to patch, but when they do they can patch for all users at once (for public clouds). To be clear, I don’t consider Metasploit or other penetration testing tools ‘bad’. They are extremely important for security professionals to understand and use, but that doesn’t mean they can’t be misused. Share:

Joe Kissell, with whom I ‘work’ over at TidBITS, just published Take Control of Your Passwords. Joe asked me to review the book ahead of time, and it should be mandatory reading (no, I don’t get a cut – that’s my honest opinion). Joe covers the range of password issues I have ranted on before, then includes specific strategies for managing them. Many of you who read this site might not need the book, but I guarantee nearly everyone you know will get something out of it, even if they only read some sections. Seriously, it is extremely pragmatic and informative. Share:

Bit9 released more details of how they were hacked. The level of detail is excellent, and there seems to be minimal or no spin. There are a couple additional details it might be valuable to see (specifics of the SQL injection and how user accounts were compromised), but overall the post is clear, with a ton of specifics on some of what they are finding. More security vendors should be open and disclose with at least this level of detail. Especially since we know many of you cover up incidents. When we are eventually breached, I will strive to disclose all the technical details. I gave Bit9 some crap when the breach first happened (due to some of their earlier marketing), but I can’t fault how they are now opening up. Share:

It’s funny how some technologies fall out of the hype cycle and folks kind of forget about them. But that doesn’t mean these technologies don’t work any more. Au contraire, it usually means a technology works too well, and just isn’t exciting to talk about any more. Let’s take the case of adaptive authentication: using analytics to determine when to implement stronger authentication. It appears Google has started taking an adaptive approach to authentication for Gmail over the past 18 months: Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made. If a sign-in is deemed suspicious or risky for some reason–maybe it’s coming from a country oceans away from your last sign-in–we ask some simple questions about your account. Yeah, man. Not that a targeted attacker won’t have those answers based on some rudimentary recon. Obviously there are ways to beat this approach, but for run-of-the-mill attackers, more challenging authentication provides enough of a bar to get them looking elsewhere. Remember, these folks chase the path of least resistance, and there are tons of cloud-based email services to chase that don’t perform this kind of sophisticated analytics on authentication requests. And amazingly enough, it works. Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011. Good on Google. Maybe they are evil, but at least they are trying to improve security. Share:

Seven years ago I had recently started blogging and emailed a few other bloggers to see if we should get together at the RSA Conference. Some of these people I knew, many I didn’t, and I thought it would be fun to have face to face arguments with a beer in hand, instead of behind a keyboard (with a beer in hand). Very very quickly we received offers to sponsor, and we turned it into an actual invite-only event organized by myself, Martin McKeay, and Alan Shimel, with Jennifer Leggio doing, literally, all the hard work. This year I’m missing the event (and the Securosis Disaster Recovery Breakfast tomorrow morning) since my wife is about to have a baby. Maybe; these things seem somewhat unpredictable. A lot has changed about the Meetup. The RSA Conference itself is an official sponsor thanks to Jeanne Friedman. There is a waiting list for sponsors. And the number of attendees is now hitting a couple hundred, not the few dozen of that first year when we hopped cabs to a dodgy part of town for a nice dinner. We have entertainment, an effectively unlimited beverage budget, and the Social Security Awards. What hasn’t changed is what this event is all about, and based on feedback we are getting, a lot of people miss the point. The SBM is by security bloggers for security bloggers. This isn’t merely another RSA event that anyone can get into if they know the right person. The only people admitted, to the best of our ability to manage, are bloggers. No plus-ones, no friends, no marketing managers (even if they manage your blog). It doesn’t matter if you do a lot for the blogger community – you need to be a member of the community. That means someone who writes (or podcasts) and is a subject matter/technical expert (and yes, we use that term loosely) and contributes to the security community dialog. Your ticket is your name on a byline of a security blog (not a security company blog, depending on the content). Look, those of us running this thing for the past 7 years are volunteers. We do our best, and that means we sometimes make mistakes. But this isn’t run by a company or even the sponsors – it’s run by the handful of people who started it out of nowhere. We are going to make some changes next year. A bigger venue, some changes in sponsorship, and maybe a few other tweaks (like letting spouses in, which we can’t do this year due to capacity). But the one thing that won’t change is who this event is for, and why we hold it. It is the Security Blogger’s Meetup, and those words pretty clearly define the event. You can get into a lot of RSA parties based on who you know, but this one is based on what you do, and the choice is yours. Share:

As the hubbub over Apple, Twitter, and Facebook being hacked with the Java flaw slowly ebbs, word hit late last week that Microsoft was also hit in the attack. Considering the nature of the watering hole attack, odds are that many many other companies have been affected. This begs the question: does it matter? The headlines screamed “Apple and Facebook Hacked”, and technically that’s true. But as I wrote in the Data Breach Triangle, it isn’t really a breach unless the attacker gets in, steals or damages something, and gets out. Lockheed uses the same principle with its much-sexier-named Kill Chain. Indications are that Apple and Microsoft, and possibly Facebook, all escaped unscathed. Some developers’ computers were exploited, the bad guys got in, they were detected, and nothing bad happened. I do not know if that was the full scope of the exploits, but it isn’t unrealistic, and successful hacks that aren’t full-on breaches happen all the time. I care about outcomes. And someone bypassing some controls but being stopped is what defense in depth is all about. But you rarely see that in the headlines, or even in many of our discussions in the security world. It is the exact reason I didn’t really write about the hacks here before – from what I could tell some of the vendors disclosed only because they knew it probably would have come out once the first disclosure happened, because their use of the site was public. Share:

After two years of development, yesterday we flipped the switch and our Nexus product is officially live with our first partner, the Cloud Security Alliance. After all the stress of a nearly-failed launch (one of our security controls decided to filter the payment system) it is incredibly exciting to have this out there for paying customers. Here are some details: You can access the CSA Nexus at nexus.cloudsecurityalliance.org. Subscriptions are $200 annually, and it is available internationally. We launched with the CSA first because the timing was better to support a number of CSA initiatives. Also, we decided to completely rework our content structure for Securosis research to better fit our target market, and that will take us a few months. The systems are otherwise identical, running on the same platform (ain’t SaaS wonderful?). CSA customers gain access to existing and draft CSA research, some exclusive non-public research, and all the Securosis cloud research under development. Since we will be charging a lot more for the full Securosis library, this is a good way for cloud-only people to get discounted access to the exact same content. In other news, I’m a crappy sales guy. Questions submitted to the Ask an Analyst system will be handled by Securosis and CSA experts, depending on who is best for the question at hand. That’s right, full access to Securosis analysts for only $200 (on cloud issues). To support the CSA, we added a full discussion (forum) system that’s tightly integrated with the research, as well as the ability to ask the community (public) questions, not just the experts. You get to pick who you are asking when you submit a question, and our experts will watch both queues. Think of it like Quora or Stack Overflow, except you get to pick whether you want a guaranteed answer from us or responses from your peers. CSA enterprise members get licenses to the system as part of their memberships. We will have more activities and announcements over the next weeks and months, but those are the basics. We really aren’t aware of anything like this on the market that combines structured, professional research with access to both experts and peers for direct answers to your tough questions. Then again, for once, we are totally and completely biased. I also need to thank our developers JT and Jon, and James at our hosting provider (no links because they aren’t ready to take more business right now). I think once you look at what we built, you’ll be amazed that a small company without external funding could pull this off. Share:

Let’s just say I almost failed sharing back in kindergarten. Almost 40 years later I’m not a hell of a lot better at sharing (just ask my kids), but if you want to be good at security, you had better do better at sharing than me. Good points here by Don Srebnick (CISO of the City of NY) on using an ISAC to your advantage: A structure for this type of sharing has been developed within multiple sectors. If you haven’t heard, the Information Sharing and Analysis Center, or ISAC, is that structure. An ISAC provides members with a private community for dispensing information about security threats, incidents and response, and critical infrastructure protection. ISACs are an effective method of sharing your information without direct attribution. If your site is under cyber attack or you become aware of an imminent threat to your sector, details can be exchanged without ever revealing your identity, thereby facilitating sharing, but maintaining confidentiality. I’ve been doing a lot of research on threat intelligence and believe (as many of the CISOs I speak with believe) that no one organization can do it themselves. The only way to shorten the window between attack and detection is to get much better at searching for indicators of compromise in your environment. And bi-directional sharing of the attacks you’re seeing, and learning about attacks similar organizations are seeing, are becoming key success criteria for security in the age of advanced attackers. The New School guys were absolutely right years ago about the need to share. They were just way ahead of the curve. It’s good to see a lot more discussion about sharing happening in the industry. It’s about time… Photo credit: “Sharing” originally uploaded by Toban Black Share: