Research

5 years. It doesn’t seem that long. It seems like yesterday I was on the phone screaming at the office manager of my (previous) dentist. He told the Boss something and then backtracked on it, and I had to write a check to fix the problem. I had just dropped my dental insurance and that little optional procedure wasn’t going to be covered as he had said it would. I told them to pound sand, which was a good move – I settled for perhaps 30% of the cost 18 months later, before it went to collection. But at the same time, I dropped the dentist. He violated my trust and that was that. Though I seemed to have forgotten to find a new one. This was pretty uncharacteristic – I had been going every 6 months for cleanings since I was a kid. I had a handful of cavities but my teeth were in great shape. But none of my pals had a dentist they liked, so I kind of forgot about it. No big deal, I’ll find one. Sooner or later. And one year became two years, which then turned into 5. Turns out a friend of ours recently moved his dental practice around the corner, so I had a new guy I trusted. Combined with the call I got last week about the Boss needing a root canal (she hadn’t been in 5 years either), I knew it was time. The fact that Arthur Treacher’s famous Tartar Sauce was caked onto my teeth notwithstanding, it was time to pay my penance and go in. First of all, my guy does it right. Most folks hate the dentist, so he staffs his office with the nicest people on Earth. I wasn’t in a great mood, and within a minute they had me smiling and chatting it up. That is nothing short of amazing, given my general state of grumpiness. They were all super helpful and by the time my hygienist got through my health forms and X-rays, I knew her life story. Then she proceeded to sandblast my teeth for 35 minutes to clean them off. Evidently a lot of crap sticks to your teeth over 5 years. Yes, it was uncomfortable. But penance is never pleasant. At least she gave my gums a rest halfway through. A little polish, a bunch of floss and I was ready to meet with the big man. I was a little apprehensive because I figured with all the plaque build-up my teeth must be a train wreck. He cracks some jokes and then pokes and prods with his tools. Oh crap, here it comes… 3 new cavities and about 5 other areas to watch. Wow, it could have been a lot worse. I guess all that fluoride my Mom made me take when I was a kid worked okay. Of course he did mention my habit of grinding my teeth. Evidently that’s my subconscious way of dealing with the stress and paranoia of being me. Though it’s not causing too much damage right now. So I’ll need to be more aware and cut it out. Evidently I need to find another stress outlet. Maybe some vendor will have a nice squeeze toy or punching bag to give away at the RSAC next week. He also made an impassioned plea for me to floss more. I hate flossing. I mean hate. But hey, if it means I won’t have to get more fillings next year and the year after that, then I’ll just do it. I have declared war on tartar, and that damn floss is a key armament in my arsenal so I have no choice. A man’s got to do what a man’s got to do. –Mike Photo credits: Thong Lor dentist originally uploaded by Mrs Hilksom Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Network-based Threat Intelligence Quick Wins with NBTI Following the Trail of Bits Understanding the Kill Chain Understanding Identity Management for Cloud Services Architecture and Design Integration Newly Published Papers Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U Attribution. Meh. Indicators. WIN! With the Mandiant APT1 report making mass market waves yesterday (Rich covered it, and Adrian has some thoughts below), attribution is now big news. John Sawyer discussed this on Dark Reading last week, of course quoting the Mandiant PR machine. His point is that attribution is hard and the kind of profiling and work done by Mandiant is required to really be sure who a specific attacker is. And although Jeffrey Carr brings up some decent points about considering other actors before attributing (though he has no way to know to what degree Mandiant considered competing hypotheses), the reality is that Mandiant did the work and showed with reasonable certainty the specific actor is who they think it is. But ultimately will this do anything besides force the attackers to change tactics and reconsider their OpSec? Probably not, but that misses the point. What will be most valuable is the hundreds of indicators published with the research. Kudos to Mandiant for that. – MR Siri, build me a cloud: If you have been paying any attention to anything I have written or said on cloud security the past couple years (something I’m definitely not about to assume), you know I’m a huge fan of cloud automation and software defined security. We really cannot manage cloud security manually, and need to take lessons from the whole DevOps movement to become much more efficient in protecting cloud instances. One thing I have mentioned frequently is use of tools like Chef and Puppet for configuration automation (in the

We have to admit, this year’s Securosis Guide to RSA is a little over the top. A lot over the top. You know how sometimes you start something, and then you start amusing yourself, and things go just a little too far? This is like that, except we loaded it with a ton of useful information… and no alcohol was involved. That includes key themes, breakdowns of trends and vendors by major coverage areas, and a version of the show floor vendor list with websites so you can look them up later. We hope you find it useful. From the introduction: Over the 15+ years we’ve been going to the show, it has gotten bigger and harder to navigate as the security industry has grown bigger and harder to navigate. This guide should give you a good idea of what to expect at the show – laying out what we expect to be key themes of the show, diving into the major technology areas we cover, and letting you know where to find us. Like last year, we have done our best to break out vendors by tech areas, and added a more comprehensive vendor list including web addresses, so you track down your favorite vendors after the show, since they probably won’t be hammering your phone 10 minutes after you get back to the office. We’d also like to thank all our Contributing Analysts – David Mortman, Gunnar Peterson, Dave Lewis, and James Arlen – for helping keep us honest and contributing and reviewing content. And we definitely need to acknowledge Chris Pepper, our stalwart editor and Defender of Grammar. Enjoy the show. We look forward to seeing you in San Francisco. Rich, Mike and Adrian The 2013 Securosis Guide to RSA (PDF)  Share:

Unless you have been living in a cave, you know that earlier today Mandiant released a report with specific intelligence on the group they designate as APT1. No one has ever released this level of detail about state-sponsored Chinese hackers. Actually, “state-employed” is probably a better term. This is the kind of public report that could have political implications, and we will be discussing it for a long time. The report is an excellent read, and I highly recommend any infosec professional take the time to read it top to bottom. In information security we often repeat the trope “trust, but verify”. Mandiant has received a fair bit of criticism for pointing fingers at China without revealing supporting information, so this time they laid out their cards with a ton of specifics. They also released a detailed appendix (ZIP file) with specific, actionable data – such as domain names, malware hashes, and known malicious digital certificates.   Seriously – read the entire thing. Do not rely on the executive summary. Do not rely on third-party articles. Do not rely on this blog post. I can’t express how big a deal it is that Mandiant released this information. In doing so they reduced their ability to track the attackers as APT1 (and possibly other teams) adjust their means and operational security. I suspect all the official PLA hackers will be sitting in an OpSec course next week. I’m generally uncomfortable with the current line between intelligence gathering and common defense. I believe more information should be made public so a wider range of organizations can protect themselves. By the same token, this data is Mandiant’s work product, and whatever my personal beliefs, it is their data to share (or not) as they see fit. Mandiant states APT1 is the most prolific of over 20 APT groups they track in China. In other words, this is big, but just the tip of the iceberg, and we cannot necessarily expect more reports like this on other groups, because each one impacts Mandiant’s operations. That’s the part of this game that sucks: the more information is made public, the less valuable the intelligence to the team that collected it, and the higher the cost (to them) of helping their clients. I hope Mandiant shares more detailed information like this in the future, but we aren’t exactly entitled to it. Now if it was financed with public funding, that would be a different story. Oh, wait! … (not going there today). I strongly believe you should read the entire report rather than a summary, so I won’t list highlights. Instead, below are some of the more interesting things I personally got out of the report. The quality of the information collected is excellent and clear. Yes, they have to make some logical jumps, but those are made with correlation from multiple sources, and the alternatives all appear far less likely. The scale of this operation is one of the most damning pieces tying it to the Chinese government. It is extremely unlikely any ad hoc or criminal group could fund this operation and act with such impunity. Especially considering the types of data stolen. Mandiant lays out the operational security failures of the attackers. This is done in detail for three specific threat actors. Because Mandiant could monitor jump servers while operations were in progress, they were able to tie down activities very specifically. For example, by tracking cell phone numbers used when registering false Gmail addresses, or usernames when registering domains. It appears the Great Firewall of China facilitates our intelligence gathering because it forces attackers to use compromised systems for some of these activities, instead of better protected servers within China. That allowed Mandiant to monitor some of these actions, when those servers were available as part of their investigations. Soldiers, employees, or whatever you want to call them, are human. They make mistakes, and will continue to make mistakes. There is no perfect operational security when you deal with people at scale, which means no matter how good the Chinese and other attackers are, they can always be tracked to some degree. While some data in the report and appendices may be stale, some is definitely still live. Mandiant isn’t just releasing old irrelevant data. From page 25, we see some indications of how data may be used. I once worked with a client (around 2003/2004) who directly and clearly suffered material financial harm from Chinese industrial espionage, so I have seen similar effects myself – Although we do not have direct evidence indicating who receives the information that APT1 steals or how the recipient processes such a vast volume of data, we do believe that this stolen information can be used to obvious advantage by the PRC and Chinese state-owned enterprises. As an example, in 2008, APT1 compromised the network of a company involved in a wholesale industry. APT1 installed tools to create compressed file archives and to extract emails and attachments. Over the following 2.5 years, APT1 stole an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the CEO and General Counsel. During this same time period, major news organizations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organization for one of its major commodities. Per page 26, table 3, APT1 was not behind Aurora, Nitro, Night Dragon, or some other well-publicized attacks. This provides a sense of scale, and shows how little is really public. Most of the report focuses on how Mandiant identified and tracked APT1, and less on attack chaining and such that we have seen a lot of before in various reports (it does include some of that). That is what I find so interesting – the specifics of tracking these guys, with enough detail to make it extremely difficult to argue that the attacks originated anywhere else or without the involvement of the Chinese government. Also of interest, Aviv Raff correlated

Now that we have posted our RSA Conference Guide, we can get back to lampooning the annual ritual of trying to get folks to scan their badges on the show floor. Great perspective here from Ranum on the bad behavior you’ll see next week, all in the name of lead generation. I’m not sure if I should be howling or repulsed by this idea: “this afternoon I was standing in my studio looking at some high-heeled stripper shoes (in my size) some fishnet stockings, and a knife-pleated Japanese Schoolgirl skirt (also in my size) and thinking “It’s too cold to do this …” Or something like that. My plan was to take a photograph of myself in “booth uniform” from the waist down, and my normal business-casual-slacker from the waist up. Because I threatened my boss that I’d work our booth at the conference wearing high heels and stockings.” Ranum in high heels and stockings is probably a pretty effective way to get out of jury duty as well. Marcus figures booth babes with platform shoes establish solid security credibility, right? What about vehicles? I also wanted to see if we could get an old WWII Sherman Tank to park by our booth, because apparently having a ridiculously irrelevant vehicle parked at your booth says a great deal about how well your products work. I wonder how much the union workers at Moscone would charge to place a Sherman tank on the show floor? But more seriously, what do these irrelevant vehicles have to do with security? Damn Ranum, asking these kinds of questions: How does dollars spent, length of inseam, or miles per hour, correlate to telling us something useful about: The quality of the product? How well it meets customers’ needs? How easy the product is to use? The company’s ability to innovate? Actually – it tells me quite a lot. It tells me I’m looking at a company that has a marketing organization that’s as out of touch as the management team that approved that booth set-up. Here’s a good idea: replace the Ferrari with a cardboard cut-out of a Ferrari and use the money you just saved to hire a new marketing team. But evidently there is another way: And I remember how, last year, I went by Palo Alto’s booth and Nir Zuk, the founder, was doing the pitches to a massive crowd – and answering some pretty crunchy technical question, too. (No: Nir was not in a miniskirt) That’s the kind of performance that would impress me if I were shopping for a company to invest in on their IPO. That’s the kind of performance that might interest me enough to take a look at their product – instead of their founder’s butt. Though if a security company founder has a butt worth looking at, well I’m probably OK with that… Yes, I’m kidding. See you next week at RSAC… Share:

As we get back into Network-Based Threat Intelligence, let’s briefly revisit our first two posts. We started by highlighting the Kill Chain, which delved into the typical attack process used by advanced malware to achieve the attacker’s mission, which usually entails some kind of data exfiltration. Next we asked the 5 key questions (who, what, where, when, and how) to identify indicators of an advanced malware attack that can be captured by monitoring network traffic. With these indicators we can deploy sensors to monitor network traffic, and hopefully to identify devices exhibiting bad behavior, before real damage and exfiltration occur. That’s the concept behind the Early Warning System. Deployment As described, network-based threat intelligence requires monitoring key network segments for indicators of attack traffic (typically command and control). Many organizations have extensive and sprawling network infrastructure, so you probably cannot monitor everything initially. So it’s about initial prioritization of networks to give yourself the best chance to get the Quick Win and hopefully break the Data Breach Triangle. So where do you start? The first and easiest place to start monitoring the network is your egress pipes to the Internet. Today’s malware systematically uses downloaders to get the latest and greatest attack code, which means the compromised device need to communicate with the outside world at some point. This Internet communication offers your best opportunity to identify devices as compromised, if you monitor your egress networks and can isolate these communications. Besides providing an obvious choke point for identification of command and control traffic, egress connections tend to be lower bandwidth than a internal network segments, making egress monitoring more practical than full internal monitoring. We have long advocated full network packet capture, in order to enable advanced analytics and forensics on network traffic. As part of our React Faster and Better research, we named the Full Packet Capture Sandwich: deploying network capture devices on the perimeter and in front of particularly critical data stores. This approach is totally synergistic with network-based threat intelligence, since you will be capturing the network traffic and can look for command and control indicators that way. Of course, if full packet capture isn’t deployed (perhaps because it’s beyond the sophistication of your operations team), you can just monitor the networks using purpose-built sensors looking specifically for these indicators. Obviously real-time network-based threat intelligence feeds integrated into the system are critical in this scenario, as you only get one chance to identify C&C traffic because you aren’t capturing it. Another place for network traffic monitoring is internal DNS infrastructure. As described previously in the series, DNS request patterns can indicate domain generation algorithms and/or automated (rather than human) connection requests to the C&C network. Unless your organization is a telecom carrier you won’t have access to massive amounts of DNS traffic, but large enterprises running their own DNS can certainly identify trends and patterns within their infrastructure by monitoring DNS. Finally, in terms of deployment, you will always have the push/pull of inline vs. out-of-band approaches to network security. Remember that network-based threat intelligence is a largely reactive approach for identifying and finding command and control traffic which indicates a compromised device. In fact the entire Early Warning System concept is based on shortening the window between compromise and detection, rather than an effort to prevent compromise. Of course it would it even better to be able to identify C&C traffic on the egress pipe and block it, preventing compromised devices from communicating with attackers. But we need to be cautious with the bane of every security practitioner: the false positive. So before you block traffic or kill an IP session, you need to be sure you are right. Of course most organizations want the ability to disrupt attack traffic, but very few actually do. Most “active network controls”, including network-based malware detection devices, are implemented in monitoring/alerting mode, because most practitioners consider impacting a legitimate connection far worse than missing an attack. A jury of (network) peers So you have deployed network monitors – what now? How can we get that elusive Quick Win to show immediate value from network-based threat intelligence? You want to identify compromised devices based on communication patterns. But you don’t want to wrongly convict or disrupt innocent devices, so let’s dust off an analogy dating back to the anti-spam battles: the jury. During the early spam battles, analyzing email to identify unsolicited messages (spam) involved a number of analysis techniques (think 30-40) used to determine intent. None of those techniques is 100% reliable alone, but in combination, using a reasonable algorithm to properly weigh techniques effectiveness, spam could be detected with high reliability. That “spam cocktail” still underlies many of the email security products in use today. You will use the same approach to weigh all network-based malware indicators to determine whether a device is compromised or not, based on what you see from the network. It’s another cocktail approach, where each jury member looks at a different indicator to determine guilt or innocence. The jury foreman – your analysis algorithm – makes the final determination of compromise. By analyzing all the traffic from your key devices, you should be able to identify the clearly compromised ones. This type of detection provides the initial Quick Win. You had a compromised device that you didn’t know was compromised until you monitored the traffic it generated. That’s a win for monitoring & analysis! You should worry about whether you will find anything with this approach. In just about any reasonably-sized enterprise, the network will show a handful to a few dozen compromised devices. Nothing personal, folks, but we have yet to come across an environment of a few thousand machines without any compromised devices. It’s just statistics. Employees click on stuff, and that’s all she wrote. The real question is how well you know which devices are compromised and how severe the issues are – how quickly do you have to take action? Intelligence-driven focus Once you have identified which devices you believe have been compromised, your incident response process kicks in. Given resource constraints, it would likely be impractical to fully investigate every device, analyze each one, isolate

Oh F-Secure, how you amuse me. In a post about the hack of Facebook, F-Secure claims it is likely Macs were targeted, and that this could be related to the recent Twitter hack: And while everybody else is bashing Oracle, we have a more interesting question: what malware on what type of laptop? Why? Because Macs are the type of laptop we almost aways see in Facebook’s employee photos. and Well, interestingly enough, last Friday evening, we received (via a mailing list) new Mac malware samples to analyze. Samples that were uploaded to VirusTotal on January 31st, one day before Twitter’s announcement. Now look, I see where they are coming from, and I know Macs get infected by malware at times (especially when targeted), but the evidence is definitely too thin to speak in absolutes here. But then it gets worse: There are hundreds of thousands if not millions of mobile apps in the world. How many of the apps’ developers do you think have visited a mobile developer website recently? With a Mac… and a very false sense of security? Er… how about we go back to Facebook’s post on the hack (quoted by F-Secure themselves): The laptops were fully-patched and running up-to-date anti-virus software. In other words, Mac or Windows, whatever the platform, it was patched with AV installed. That seems like a safer conclusion to draw, without resorting to pictures of Macs on Facebook’s website. Share:

It’s Friday, so here is a quick link to The Verge’s latest. Developers infected via Java in the browser from a developer info site. You get the hint? Do we need to say anything else? Didn’t think so. Share:

Given the number of recent high profile CA compromises, it seems some of the folks who milk the SSL cash cow figured they should do something to sooth customer concerns about integrity. So what to do? What to do? Put a security council together to convince customers you take security seriously. From Dark Reading’s coverage of the announcement: “We felt SSL needed a leader,” says Jeremy Rowley, associate general counsel for DigiCert, which, along with Comodo, Entrust, GlobalSign, Go Daddy, Symantec, and Trend Micro, today officially launched the new organization. “We felt a group of CAs, rather than one CA,” was a better approach, he says. So the group will push for OCSP Stapling and then other technologies to be determined. But it’s not a standards body. So what is it again? “CASC is not a standards body. Instead, we will work on helping people understand the critical polices on SSL and … promote best practices in advancing the trust of CA operations,” DigiCert’s Rowley says. “Our main goal is to be an authoritative resource on SSL.” Guess these guys forgot that the weakest link breaks the chain. And out of the hundreds of root certs in the typical browser, one of those CAs will be the next weakest link. Photo credit: “Trust us, we’re expert” originally uploaded by Phauly Share:

Given RSA’s investment in security management technology (cough, NetWitness, cough) and the investments of the other big RSAC spenders (IBM, McAfee, HP), you will see a lot about the evolution of security management this year. We alluded to this a bit when talking about Security Big Data Analytics in our Key Themes piece, but let’s dig in a bit more… SIEM 3.0? We can’t even get SIEM 1.0 working. The integration of logs and packet capture is now called Security Analytics; we will hear a lot about how SIEM is old news and needs to evolve into Security Analytics to process, index, search, and report on scads of data. Make that two scads of data. So the buzz at the show will be all about NoSQL data structures, MapReduce functions, Pigs, and all sorts of other things that are basically irrelevant to getting your job done. Instead of getting caught up in the tsumami of hype, at the show focus on a pretty simple concept. How are these new tools going to help you do your job better? Today or maybe tomorrow. Don’t worry about the 5-year roadmap of technology barely out of the lab. Can the magic box tell you things you don’t know? Can it look for stuff you don’t know to look for? You need to understand enough to make sure you don’t trading one boat anchor, which you could never get to work, for another shinier anchor. So focus heavily on your use cases for that tool. You know, boring and unsexy things like alerting, forensics, and reporting, as we discussed in Selecting SIEM and Security Management 2.0 in days gone by. We do expect these new data models, analysis capabilities, and the ability to digest packet traffic and other data sources will make a huge difference in the effectiveness of security management platforms. But it’s still early, so keep a skeptical eye on show-floor marketing claims. Deeper Integration (Big IT’s Security Revenge) Big IT got religion over the past two years about how important security is to things like, well, everything. So they wrote big checks, bought lots of companies, and mostly let them erode and hemorrhage market share. The good news is that at least some of the Big IT players learned the errors of their ways, reorganized for success, and have done significant integration; all aimed at positioning their security management platforms in the middle of a bunch of complimentary product lines providing application, network, endpoint, and data security. Of course they all play lip service to heterogeneity and coopetition, but really they hate them. They want to sell you everything, with lock-in, and they are finally starting to provide arguments for doing it their way. Back in the real world you cannot just forklift the entire installed base of security technologies you have implemented over years. But that doesn’t mean you have to tell either your incumbent or competitors about that. Use better product integration as leverage when renewing or expanding controls. And especially for more mature technologies, looking at an integrated solution from a Big IT/Security player may be a pretty good idea. Share:

Computerworld UK ran an interesting article on how Deutsche Bank and HMRC are struggling to integrate Hadoop systems with legacy infrastructure. This is a very real problem for very large enterprises with significant investments in mainframes, Teradata, Grids, MPP, EDW, whatever. From the post: Zhiwei Jiang, global head of accounting and finance IT at Deutsche Bank, was speaking this week at a Cloudera roundtable discussion on big data. He said that the bank has embarked on a project to analyse large amounts of unstructured data, but is yet to understand how to make the Hadoop system work with legacy IBM mainframes and Oracle databases. “We have been working with Cloudera since the beginning of last year, where for the next two years I am on a mission to collect as much data as possible into a data reservoir,” said Jiang. I want to make two points. First, I don’t think this particular issue applies to most corporate IT. In fact, from my perspective, there is no holdup with large corporations jumping into big data. Most are already there. Why? Because marketing organizations have credit cards. They hire a data architect, spin up a cloud instance, and are off and running. Call it Rogue IT, but it’s working for them. They’re getting good results. They are performing analytics on data that was previously cost-prohibitive, and it’s making them better. They are not waiting around for corporate IT and governance to decide where data can go and who will enforce policies. Just like BYOD, they are moving forward, and they’ll ask forgiveness later. As far as very large corporations integrating the old and the new, it’s smart to look to leverage existing data sets. To the firms referenced in the article, if analytic system integration is a requirement, this is a very real problem. Integration, or at the very least sharing data, is not an easy technical problem. That said, my personal take on the whole slowdown of adoption, unless you have compliance or governance constraints, is “Don’t do it.” If it’s purely a desire to leverage existing multi-million dollar investments, it may not be cost effective to do so. Commodity computing resources are incredibly cheap, and the software is virtually free. Copy the data and move on. Leveraging existing infrastructure is great, but it will likely save money to move data into NoSQL clusters, and extend capabilities on these newer platforms. That said, compliance, security and corporate governance of these systems – and the data they will house – is not well understood. Worse, extending security and corporate governance may not be feasible on most NoSQL platforms. Share: