Research

Ah, summer. That time of year where our brains naturally start checking out, even if it’s inconvenient. You have probably noticed a bit of a slowdown on the blog as we succumb to the sweet call of adventure. And by ‘adventure’ I mean the delicate balance of being way freaking behind while trying to squeeze in family vacations and a few conferences. Since my kids are too young for school I can’t really use them as the excuse for taking time off. No, in my case it is the temperatures over 100F that started a month or so ago and won’t subside until sometime close to Halloween. Phoenix is not fun in the summer if you get my drift. Today, for example, when I do my short run after my hour on the bike trainer, the temp will be somewhere around 104F. So I was super excited to spend last week in my home town of Boulder, Colorado. I grew up in New Jersey, but moved to Boulder when I was 18, spent the next 16 years there, and consider Boulder the place I really grew up. Some places just fit a person, and Boulder appealed to me on more levels that I can explain. The culture, physical environment, and social scene all aligned with that perfect cosmic center of the Universe all the new-age freaks claim is somewhere behind Pasta Jay’s. This was the first time I had been back for any length of time in about 5 years, and it was was my first time back since becoming a parent. It was sort of funny – when I lived there I didn’t think there was much for kids to do until they were old enough to climb, hike, ski, and ride. I was all worried my kids would be bored out of their gourds. Sure, I know where all 20+ bars near the Pearl St. Mall are located, but I had to email friends to find a single playground. But man, they are all over the place! And the best part? A lot are located really close to all those bars… which were coincidentally a reasonable bike ride from the house we rented. Yep, total coincidence. I mean, it isn’t like we’d plan that sort of thing. On the downside, instead of escaping from 100+ in Phoenix to Boulder’s typical 60-80F this time of year, we landed in a heat wave. As in 90F+. The technical term for that is “extreme suckage”. They always say you can’t go home, and to some extent that’s true. The life I had in Boulder is long dead. Friends have moved on, the ones who stayed got old (like me), the bars of our youth are now – if they exist at all – the bars of someone else’s youth, and if I tried to spend my leisure time doing everything I did back then I would soon be hunting for a good divorce lawyer in between those mountain rescues. In some ways it is good that I left Boulder, even if I miss it every day. I was instantly pulled out of my single/childless life and forced to drop things – like 5 martial arts classes a week, on top of dozens of mountain rescues, and ski patrol every other weekend, and all the other ways I passed my time. They were instantly severed instead of being drawn out in a long, painful process of separation and personal realizations that life changed and I need to back off. For me, life changed instantly instead of slowly. I know this because it is 100+ fracking degrees at 9am where I live, which is an excellent reminder. I have seen how most of my other friends with kids struggled to balance their lives through this transition, and ripping off the Band-Aid isn’t a bad way to do it. On the other hand, Boulder is still Boulder. Some of the buildings change, but I felt just as at home there last week as I did 6 years ago when I left. The 15 minute rain still comes in every day between 4 and 4:30, the convenience store in Jamestown is still a perfect place to stop for some coffee while riding a (rented) road bike in the hills, and the annoying-ass Rainbow Family kids – who you know have loaded parents – still camp out on the Pearl St. Mall begging for cash. You can go home. It’s just that someone else lives there now – even if you never left. With that, daycare just called and I need to go pick up a little kid with a fever and end my work day. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences We have been on vacation – nothing to see here. Favorite Securosis Posts Adrian Lane: Market Share Nonsense. Mike Rothman: Malware Analysis Quant [Final Paper]. Check out the final paper for the epic Malware Analysis Quant research. And then play a drinking game for every step in the process you don’t do. Make sure you don’t drive after that. Rich: What Adrian said. I need to write a follow-up on some of the BS vendors have tried to pull on me over the years. Like paying cash under the table for references. I tried my best, but I know at least once I was fooled… and it probably happened more than that. Other Securosis Posts Evolving Endpoint Malware Detection: Providing Context. New Paper: Defending Data on iOS. Incite 6/13/2012: Tweeting Idiocy. Understanding and Selecting Data Masking: Management and Advanced Features. Upcoming: Tokenization Webcast This Week. Evolving Endpoint Malware Detection: Behavioral Indicators. Favorite Outside Posts Adrian Lane: Mistakes Were Made: Incident Response. An informative rant on incident response and preparedness. Mike Rothman: Pre to postmortem: the inside story of the death of Palm and webOS. As a student of business, I love stories that dig into how anything can go from the top to the bottom within a few short years.

As we discussed in the last post, detecting today’s advanced malware requires more than just looking at the file (the classic AV technique) – we now also need to leverage behavioral indicators. To make things more interesting, even suspiciuous behavior can be legitimate in certain circumstances. So for accurate and effective detection you need better context on what the code does, where it came from, and who it came from, in order to reach a reasonable verdict on whether to allow or block execution. What happens when you don’t have that context? Let’s jump into the time machine and harken back to the early days of host intrusion prevention (HIPS) and HIPS-like products. They ran on devices and scanned for both attack signatures and behaviors that indicated malware. Without proper context, these controls blocked all sorts of things – involving scads of false positives – and generally wreaking havoc on operations. That didn’t work out very well for organizations which actually needed their devices up and running, even if that imposed a cost in terms of security. Go figure. But the concept of watching for attacks on devices is solid. It was more of an implementation problem; nowadays additional context reduces false positives, increases accuracy, and limits disruption of operations – all worthy goals for a control to manage new attack vectors. So let’s dig into a few data sources (beyond behavioral indicators) that can help identify bad stuff. From Where: the Dropper In the last post we mentioned that malware writers use droppers to gain a presence on devices, and then download current and/or additional attacks, instead of attempting to get the entire malware on the device as part of the initial compromise. Of course droppers are malware just as much as anything else else, but they morph more frequently, which makes initial detection difficult. And as we described in Malware Analysis Quant, the only thing worse than being infected is getting re-infected by the same malware. So profiling malware droppers enables you to search for these files in your environment. By tracing the path of those droppers you can identify devices which have been compromised but not yet activated. The key to this effort is analysis of data about which files are on which devices; when a file is discovered to be bad, if you have the data and analytics in place it becomes easy to determine which devices have the bad file installed. Of course this is still a reactive effort. But the presence of a dropper (or similar known bad file), combined with any other bad behavior, is fairly damning evidence of a compromised device. Tracing the droppers back far enough points you to the origination point of the malware; eliminate any vestiges, and you can prevent reinfection. Who Dat: Reputation The other useful source for detecting advanced malware is the reputation of a file, sender, or IP address. Initially developed to improve the effectiveness of anti-spam gear, reputation has emerged as a fundamental aspect of every vendor’s threat intelligence offering. The larger security vendors have access to considerable amounts of data from hundreds of millions of installed endpoints and network devices; they mine their datasets to determine which files, devices, and network addresses tend to do bad things. This is all an inexact science – especially in light of the simplicity of morphing a file, spoofing an IP address, or fiddling with a device fingerprint. You need to expect advanced adversaries to look like something innocent, even when they aren’t. You cannot afford to rest your malware-or-clean verdict strictly on reputation – but you can use it as a supporting data source, for additional context when analyzing a possible attack. Of course malware writers don’t make it easy to figure out what they are doing. Your best bet is to assemble as much data as you can, analyze what’s going on within the device (behavioral analysis), and combine with data from outside sources to judge the nature and intent of code running (or attempting to run) on your devices – this at least gives you a fighting chance. So far we have focused on analysis and detection, but detection doesn’t help without a mechanism to actually block attacks once they are detected. So we will wrap up this series next week, with an assessment of the different classes of security controls that can leverage this context data to block specific attacks. Share:

It was bound to become blindingly obvious sometime. The ruse of anyone accurately tracking market share in any market has been a running joke for as long as I can remember. I guess some folks do argue with the so-called market share numbers, like McAfee recently did, but it is usually attributed to sour grapes for those with crappy numbers. I’d say that market share doesn’t matter for end users, but in reality it’s safer to go with a vendor with a large market share. And in today’s tough business environment, very few are willing to be unsafe. Clearly these numbers matter for vendors. Many bonuses, marketing campaigns, and marketing/sales jobs hinge on these numbers. You can bet that someone at McAfee has a ton of road rash, especially if the reported share numbers are wrong. And I feel for those folks because I have personally been on both ends of the market share reporting game, and it’s always unpleasant. Why? Because the numbers are basically made up. Okay, not totally made up – in mature markets vendors dutifully report revenues and units to the analysts. But there are times when vendors don’t tell the entire truth. Or manipulate the numbers. Or obfuscate reality. Or all of the above. Let me tell a little story. Back when I was in the email security business, these numbers mattered a lot internally to my company. Our perceived leadership allegedly got us on the short list for many deals and allowed us to claim market success, which begat more business success. So when we got a preliminary report from a number-crunching firm showing our main competitor gaining share rapidly, alarm bells sounded everywhere. And it was my job to fix it. But I couldn’t make our product sell faster. Nor could I combat unsavory sales tactics by the competition. But I could manipulate the market share reporting process. Or at least try. The statute of limitations is up on this deal and none of the folks involved in the travesty are still in their current jobs, so I finally feel comfortable spilling the beans. Basically I made a call to the analyst wondering if he considered that the competitor sold both email sending devices and anti-spam devices. I mentioned that we had heard 1/3 of the competitor’s business was the spam cannons, and the remainder email security gear. When I said “I heard,” I really meant “I hoped” because it wasn’t like the competitor sent me their quarterly numbers. I didn’t turn the screws or threaten or anything like that. I just mentioned it in a simple conversation. Just food for thought for the analyst. I was pleasantly surprised when the final report came out and the competitors’ alleged revenue was reduced by 1/3. Really! I couldn’t believe it worked, but it did. To be fair, there is a chance I was right about the competitor’s revenue mix. Maybe the analyst figured out a way to confirm the sales data. Maybe the vendor came clean when the analyst pressed (assuming they did). No, I don’t think so either. Why do I tell this story, especially given that it doesn’t make me shine? Like most folks, I have done things I’m not exactly proud of. So part of this is cathartic, but I also tell the story because you need to keep these numbers in context. If you buy a product because you think a company is a market share leader, you aren’t too bright. If you don’t buy a product because the vendor is a niche player, same deal. Market share reporting is a game, just like vendor ranking quadrants. Some genius figured out how to extort money from the participants in a market to prove they are good companies. And it’s not just technology markets where these shenanigans happen. It’s pretty much every market. Don’t think that public companies play fair in this game either. Revenue allocation games can be played to make certain products look better. We all know some vendors give away products they want to look better in market share rankings as part of much bigger deals. As Adrian said when I floated a draft of this post by our extended team, “when bullsh** meets bad math, it’s the customers that lose.” That’s really the point. Do the work and figure out what makes sense for your environment. Tools like quadrants and market share grids can be used to justify a decision you have already made. But they shouldn’t be the basis for decisions you haven’t made yet. Share:

A while back we ran a show-of-hands survey at a conference of senior IT security pros. Nearly none of them wanted to support iOS, but nearly all of them needed to support iOS. Which did seem odd, considering how many were using iPhones. The good news is that although we can’t manage iOS the way we have traditionally managed most of our other employee systems, the platform itself is a lot more secure than most of the other things you are using. I know, you don’t believe me, so just read this paper. We also have plenty of options for protecting data going to the device, and once it’s on the device. This is the part that tends to be a bit more complicated, with a very wide range of tools and approaches, but all the things we review in this report are realistic and working in production environments. Hopefully this report simplifies things a bit, and as far as we know it is the only place someone has compiled all the options in one place, plus provided a neutral perspective on capabilities and usefulness. So take a look: Landing Page Direct link to the PDF: Defending Data on iOS (v 1.0) Special thanks to Watchdox for licensing this content so I can feed my kids (well, the one who bothers to eat). As always the research was developed completely independently and published on this blog for peer review throughout the entire process, in accordance with our Totally Transparent Research process. Share:

It’s easy to think that the main contribution of social media tools like Twitter and Facebook is to connect you more tightly to your friends, colleagues, and family. Which is true. But don’t underestimate the immediacy of using networks like Twitter to interact directly with the companies you do business with. I have two recent examples which highlight this trend. Those of you who follow me on the Tweeter (@securityincite) know I don’t tweet a lot. I’m not going to tell you where I am. Most of the time I’m not going to tell you what I’m doing. But I lurk, ready to pounce when an interesting discussion presents itself, or to whore out something we’ve written or a speaking gig. As the boy told me this week when I asked him why he was uncharacteristically quiet earlier this week, “I only talk when I have something to say.” I’m like that on Twitter. So when I had a pretty negative experience on a recent flight, my first thought was to Tweet. I did, and got an almost immediate response from Delta, apologizing for the issue. Wait, what? Because anyone bitching on Twitter isn’t just having a one-on-one conversation – they are venting to all their followers, and anyone searching for the terms (hashtags) mentioned in the tweet. So many companies have become much more responsive to customers venting, and those Tweets get higher visibility. You have heard the stories of high-profile CEOs responding directly to nasty tweets about their companies. Delta had a good response. It didn’t take the sting out of my crappy experience with their gate agent but at least I knew someone was listening. On the other hand, Barnes and Noble had a total #FAIL Monday, a stark example of how some companies are unlikely to make it in this age of Internet commerce. We were packing the kids up for sleepaway camp, and wanted to send them with a bunch of books to not read while they are away. Normally I buy from Amazon, but they had one of the Big Nate books backordered. B&N had it in stock for the same price. There is a store right where I was, so I figured I’d just pick it up at the store. But when I got the confirmation, the price listed was different than the online price. Huh? I figured maybe it was just some idiotic system problem and they’d honor the price they offered me online. That’s what every other retailer with stores and an online presence does, right? Evidently not – B&N charges full price for books you buy at the store, even if you can get them at 40% off on their website. They also provide free shipping on website orders. And you wonder why that company is struggling. I figured if I cannot avoid being inconvenienced to order online, I’ll just order two of the books from Amazon. Voting with my dollars, as I should. I did need the other book (backordered at Amazon), so I ordered that from B&N and took advantage of their free shipping. Of course I was perplexed, so I tweeted my frustration at B&N. They would respond and try to explain their idiotic policy, right? They couldn’t have their heads up their asses that badly, right? Wrong. Crickets in my timeline. So when you hear about B&N following Borders into bankruptcy don’t be surprised. Companies that don’t understand the direct feedback customers expect through social media nowadays aren’t long for this world anyway. –Mike Photo credits: B&N tombstone created by Mike Rothman with the help of Tombstone Builder Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can see all our content in its unabridged glory. And you can get all our research papers too. Understanding and Selecting Data Masking Management and Advanced Features Technical Architecture Pragmatic Key Management Understanding Data Encryption Systems Introduction Evolving Endpoint Malware Detection Behavioral Indicators Control Lost Understanding and Selecting a Database Security Platform Final Paper Available Malware Analysis Quant Final Paper Incite 4 U Which came first: the chicken or the Flame? Evidently the folks at Kaspersky have definitively proven that Flame was a pre-cursor to Stuxnet. Bully for them. What came first isn’t really important, rather highlighting what you already know. Adversaries are very good, if you are their target. They use advanced crypto and pretty much any other tactics to achieve their mission. The interesting thing about Flame, regardless of when it appeared, is how it gamed Windows Update. Most folks, even if they do harden detection, give patching a free pass, as patches update and change executables, config settings, and registry values. But if you can’t trust the patches? Ruh-roh. I’m doing a lot of research into evolving endpoint malware detection, as with attacks like Flame you don’t know what the malware looks like, so you need to watch what it does and block bad behavior. – MR LinkedOut: I’m not going to pick on LinkedIn for losing a bunch of passwords and then mishandling their public response. That’s pretty much par for the course with this sorts of breach, and considering how often they happen it’s obvious no one listens to us anyway. I won’t even slam them for neglecting to make clear to users that if they allowed the iPhone app to read their calendar, LinkedIn would grab their data. While it is incredibly obvious to anyone with an understanding of technology that linking your calendar to a social networking app might, you know, leak the data, folks seem to enjoy being shocked more than thinking for themselves. But I will suggest that these privacy issues are starting to really grow in the public consciousness as the overlap of cloud, mobility, and services begins to enhance the personal connection people have with things they stuff in their pants every day. If

In this post we will examine many of the features and functions of masking that go beyond the basics of data collection and transformation. The first, and most important, is the management interface for the masking product. Central management is the core addition that transforms masking from a simple tool into an enterprise data security platform. Central management is not new; but capabilities, and maturity, and integration are evolving rapidly. In the second part of today’s post we will discuss advanced masking functions we are beginning to see, to give you an idea of where these products are heading. Sure, all these products provide management of the basic functions, but the basics don’t fully encompass today’s principal use cases – the advanced feature set and management interfaces differentiate the various products, and are likely to drive your choice of product. Central Management This is the proverbial “single pane of glass” for management of data, policies, data repositories, and task automation. The user interface is how you interact with data systems and control the flow of information. A good UI can simplify your job, but a bad one will make you want to never use the product! Management interfaces have evolved to accommodate both IT management and non-technical stakeholders alike, allowing them to set policy, define workflows, understand risk, and manage where data goes. Some products even provide the capability to manage endpoint agents. Keep in mind that each masking platform has its own internal database to store policies, masks, reports, user credentials, and other pertinent information; and some offer visualization technologies and dashboards to help you see what exactly is going on with your data. The following is a list of management features to consider when evaluating the suitability of a masking platform: Policy Management: A policy is nothing more than a rule on how sensitive data is to be treated. Policies usually consist of a data mask – the thing that transforms data – and a data source the mask is applied to. Every masking platform comes with several predefined masks, as well as an interface to customize masks to your needs. But the policy interfaces go one step further, associating a mask with a data source. Some platforms take this one step further – allowing a policy to be automatically applied to specific data types, such as credit card numbers, regardless of source or destination. Policy management is typically simplified with predefined policy sets, as we will discuss below. Discovery: For most customers discovery has become a must-have feature – not least because it is essential for regulatory compliance. Data discovery is an active scan to first find data repositories, and then scan them for sensitive data. The discovery process works by scanning files and databases, matching content to known patterns (such as 9-digit Social Security numbers) or metadata (data that describes data structure) definitions. As sensitive data is discovered, the discovery tool creates a report containing both the location and a list of the sensitive data types found. Once data is discovered there are many options for what to do next. The report can be sent to interested parties, archived for compliance, or even fed back into the masking product for automatic policy enforcement. The discovery results can be used to build a catalog of metadata, physically map locations within a data center, and even present a risk score based on location and data type. Discovery can be tuned to look in specific locations, refined to look for as few or as many data types as the user is interested in, and automated to find preselected patterns on a regular schedule. Credential Management: Selection, extraction, and discovery of information from different data sources all require credentialed access (typically a user name and password) to the file or database in question. The goal is to automate masking as much as possible, so it would be infeasible to expect users to provide a user name and password to begin every masking task. The masking platform needs to either securely store credentials or use credentials from an access management system like LDAP or Active Directory, and supply seamlessly them as needed. Data Set Management: For managing test data sets, as well as for compliance, you need to track which data you mask and where you send it. This information is used to orchestrate moving data around the organization – managing which systems get which masked data, tracking when the last update was performed, and so on. As an example, think about the propagation of medical records: an insurance company, a doctor’s office, a clinical trial organization, and the federal government, all receive different subsets of the data, with different masks applied depending on which information each needs. This is the core function of data management tools, many of which have added masking capabilities. Similarly, masking vendors have added data management capabilities in response to customer demand for complex data orchestration. The formalization of how data sets are managed is also key for both automation and visualization, two topics we will discuss below. Data Subsetting: For large enterprises, masking is often applied across hundreds or thousands of databases. In these cases it’s incredibly important to be as efficient as possible to avoid overtaxing databases or saturating networks with traffic. People who manage data define the smallest data subset possible that still satisfies application testers’ needs for production quality masked data. This involves cutting down the number of rows exported/viewed, and possibly reducing the number of columns. Defining a common set of columns also helps clone a single masked data set for multiple environments, reducing the computational burden of creating masked clones. Automation: Automation of masking, data collection, and distribution tasks are core functions of every masking platform. The automated application of masking policies, and integration with third party systems that rely on masked data, drastically reduce workload. Some systems offer very rudimentary automation capabilities, such as UNIX cron jobs, while others have very complex features to manage remote jobs and work

Those of you who have followed Securosis for a while know that our Quant research is the big daddy of all our projects. We build a very granular process map for a certain function, build a metrics model, and in some cases survey our community to figure out what they do and what they don’t. We have already tackled Patch Management, Network Security Operations, and Database Security Options. Our latest Quant study tackled Malware Analysis. Here’s an excerpt from the Introduction to provide some context: It has been clear for a while that today’s anti-malware defenses basically don’t work, and as a result way too much malware makes it through your defenses. When you get an infection you start a process to figure out what happened. First you figure out what the attack is, how it works, how to stop it (or work around it), and how far it has spread within your organization. That’s all before you can even think about fixing it. To the best of our knowledge, no one has built a specific process map for what this looks like, or a model for figuring out how much it costs to deal with malware on an operational basis. We built the process map and cost model to help folks understand the true impact of malware attacks. It’s not pretty, and many folks, I’m sure, would rather not know. But this research is for those who want to understand malware analysis. You can see from the process map below that this isn’t a process for the faint of heart, and that’s why most organizations fail in their malware defense efforts. B many organizations do a fair job of fighting malware because they take a very structured and analytical approach to understanding attacks, isolating attack vectors, finding already compromised devices, and updating controls to prevent reinfection. Check out the full report and the accompanying metrics model (.xlsx). As you read this report it is worth keeping the Quant philosophy in mind: the high level process framework is intended to cover all the tasks involved, but that doesn’t mean you need to do everything. Individual organizations pick and choose the appropriate steps for them. This exhaustive model can help you understand the operational processes of analyzing malware. We would like to thank Sourcefire for sponsoring the research, and all the folks who took a few minutes to fill out the survey. And finally, if you are interested in the blog posts that iteratively built up the series, check out the Malware Analysis Quant Index of Posts. Share:

If you are interested in discussing use cases and deployment models for Tokenization, you’re in luck! This Thursday (June 14th) at 1pm Eastern, I will be offering a webcast on Tokenization with Intel & McAfee. While many people are looking for scope reduction, reduced audit costs, and simplified security controls for PCI, that does not mean there is only one way to roll out a Tokenization system. There are several options, each with its own advantages, and the best fit depends entirely on your particular goals and how you manage your IT systems. In this webcast I will provide an overview of the three main deployment models and delve into the reasons customers choose each of them. If you are interested you can join us for free by registering: 3 Core Tokenization Models – Choosing the Right PCI DSS Strategy. As always, we will leave time for Q&A at the end. Share:

As we mentioned in the first post of the Evolving Endpoint Malware Detection series, Control Lost, attackers have gotten rather advanced. They don’t use the same file or malware delivery vehicle twice, constantly morph attacks, and make it very hard to use the fundamental file-based detection which underpins traditional anti-malware tools. So efforts to detect malware can no longer focus exclusively on what the malware looks like (basically a file hash or some other identifying factor) and must incorporate a number of new data sources for identification. These new sources include what it does, how it gets there, and who sent it; combined with traditional file analysis they enable you to improve accuracy and reduce false positives. No, we don’t claim there is no place for traditional anti-malware (signature matching) anymore. First of all, compliance continues to mandate AV, so unless you are one of the lucky few without regulatory oversight, you don’t have a choice. But more pragmatically, not all attacks are ‘advanced’. Many use known malware kits, leveraging known bad files. Existing malware engines do a good job of identifying files they have already seen, so there is no reason to ever let a recognizable bad file execute on your device – certainly not to confirm it’s bad. But obviously the old tactics of detecting malware aren’t getting it done. So these additional data sources provide additional information to pinpoint good and bad code more accurately, and the most promising is behavioral analysis. The good news is that the industry has made a tremendous research investment in profiling the kinds of behavior which indicating attacks, and in building detection tools to look for those kinds of behavioral indicators in real time as code executes on devices. We will cover these behavioral indicators in this post, and get to the other data sources later in the series. Profiling Behaviors When we say “malware profile”, what are we talking about? That depends on what you are trying to accomplish. One use for profiles is malware analysis, described in depth by Malware Analysis Quant. In this case the goal is to understand what the malware looks like and does, in detail. You can then use the profile to find other devices which have been compromised. Another use case leverages profiles of typical malware actions to detect an attack on a device before infection. This is all about figuring out what the malware does and when, and then using that information to stop it before it does damage. Several things are useful to know for detection: Registry settings Processes/services Injected code New executables Domains/protocols Network communication targets (C&C) Mandiant’s term, Indicators of Compromise, sums it up pretty well. Basically, if the malware injects malicious code into a standard operating systems file (such as winlogon.exe or services.exe in Windows), perhaps adds certain registry keys to a Windows device to ensure persistence, contacts particular external servers that distribute malware, or even uses an encrypted protocol (presumably command and control traffic), you have useful evidence that executable is malicious and can block it. Finite Ways to Die Malware profiles are terrific if you can capture a sample of the malware and run it through a battery of static and dynamic analyses to really figure out what it does – as documented in Malware Analysis Quant. But what happens if you can’t get the malware? Do you just wait until your devices have been owned to develop a profile? That sounds a lot like the reactive approach the industry has relied on for years – to disastrous effect. You need a list of generic behaviors that indicate malicious activity, and to use it as a early warning system indicating possible attacks. Of course, purely relying on specific behaviors can result in false positives – because injecting code and changing registry settings can be legitimate actions, such as when patching. You probably learned that lesson the hard way when using host intrusion prevention technologies (HIPS) years ago. So you need to use behavioral indicators for first-level alerting, and then additional analysis to figure out whether you are really under attack. This process is akin to receiving an alert from your SIEM. You cannot assume a SIEM alert represents an attack, but it provides a place to start investigation. A skilled analyst examines the alert and validates or dismisses the attack, as documented in Network Security Operations Quant. How does the analyst determine whether the attack is real? By applying their experience to understand the alert’s context. But on a typical endpoint or server device, you don’t have a skilled human analyst to wade through all the potential alerts. So you need a tool which can apply sufficient context to determine what is an attack and what is not – determining what to block and what to allow. Obviously this kind of black magic demands much deeper discussion, to get a feel for how it really works (and, more importantly, to figure out whether a vendor really manages to pull it off, as you evaluate offerings), so we will consider the details next in this series. Typical Behavioral Indicators To provide an idea of what kinds of behavioral indicators you should be looking for, here are some typical indicators employed by malware: Memory corruption/injection/buffer overflow: The old standard of compromising devices is to alter the “execution flow of a program by submitting crafted input to the application.” That’s not our definition – it comes from Haroon Meer’s 2010 paper (PDF) documenting the history of memory attacks. If you aren’t familiar with this attack vector, the paper provides a great primer. Suffice it to say that memory corruption is alive and well, and any behavioral detection approach must watch for these attacks. System file/configuration/registry changes: Normal executables rarely update registry, configuration, or system file settings; so any activity of this sort warrants investigation. Parent/child process inconsistencies: Some processes and executables should always be launched by specific processes and executables. If these relationships are violated, that might indicate malware. Droppers

For whatever reason, I picked up a copy of a magazine my wife received as part of her interior design study work. I was absent-mindedly thumbing through it, waiting for the microwave to heat my coffee, when suddenly one of the the pictures made me stop and pay attention. It was a picture of a woman in a red leather catsuit, posed seductively by a stove. WTF? What is this ad trying to tell me? I must really not be part of their target market – but who is their target market? And another picture, this time a woman on top of a Mercedes, wearing a showgirl costume with lots of makeup. And then a woman with several ‘handymen’ fixing stuff around the house. And so on. Now, I bought a fancy Miele dishwasher, but I didn’t notice my wife responding with a racy outfit. In fact I’m pretty sure “sexy” and “kitchen appliance” are at opposite ends of her universe. I dug a bit deeper, and saw that the articles were on with topics such as: how to keep your junk drawer organized, and the best way to store linen napkins and flatware. I dove into the pile of magazines: Architectural Digest. Cote Sud. English Country Living. They are filled with the same type of content, regardless of country. All I could think was, “Who are they selling this stuff to, exactly?” So I asked my wife. She answered, “It’s all fantasy. They selling women a fantasy about a lifestyle or a way of living they don’t currently have. In some cases it’s what they aspire to, in other cases it’s like a virtual dollhouse. And if people feel they need to go there, they ought to buy a doll house first – have you seen the prices on that stuff?” I looked a little taken aback, so my wife added “Your magazines are the same, that stereo porn you read. It’s all a fantasy.” I say “Nuh-uh. That’s all … wait a minute.” Was she right? I leafed through a couple copies of Stereophile and TAS. Yeah, there are some similarities, posing products in the home. And what the hell is that woman doing on the sofa next to those speakers? I look at some of the home theater trade rags, and now I think she’s got me. Oh, man, I feel silly. Looking for an exception to the rule she’s just thrown down, I think “Ah-ha!” – that can’t be true for business and technology! I go to the land where old technology magazines go to die: the guest bathroom. There must be some old copies of CIO or NetworkWorld, or some such nonsense from way back in 2008 to counter her argument. “My kingdom for a copy of Red Herring!”, and then I found several old magazines. Surely IT can’t be selling fantasy!?! But holy crap, there it was: Cartoons of Microsoft users brandishing swords and holding shields, teaming up to slay mythical IT problems as if they were in some Tolkienesque adventure. The ads show paperless offices, consumer personalization, private clouds, and great ideas that spawn success. User-friendly. Cost-effective. Interactive. Proactive! And then it happened: an ad spoke to me. A Citrix advertisement with a giant hand crushing servers. I must admit I have had that fantasy several times! When pulling an all-nighter in an over-chilled data center because some effing patch wouldn’t apply properly, I would have loved nothing better than to throw that machine out the third-floor data center window. So it was true – it’s all fantasy, and vendors are selling a dream. Even in technology and security, where I thought we were more grounded. With the slow death of print media, websites are not quite as in-your-face about it, but it’s still there. Granted, my experiences never included happy twenty-something models with trendy clothes, all smiling at each other like they just got laid. It was old T-shirts, yesterday’s unshaven faces, and lots of empty diet Pepsi cans in a sea of fast food wrappers. IT technology articles are just as driven by fantasy indulgence as English Country Living, and compared to real everyday lives they are just as absurd. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s 15 Ways to Get More From Log Files, at Dark Reading. Mike quoted on the “Renaissance Information Security Professional”. Favorite Securosis Posts Adrian Lane: Understanding Data Encryption Systems. This is a very simple way to visualize encryption & key management deployments. Other Securosis Posts Incite 6/6/2012: Universally Awesome. Understanding and Selecting Data Masking: Technical Architecture. Friday Summary: June 1, 2012. Favorite Outside Posts Adrian: Jamming Tripoli: Inside Moammar Gadhafi’s Secret Surveillance Network. Long but very interesting article about Internet surveillance. And the sales pitch for surveillance products to the Libyan Government cracked me up – something about “the constant struggle against criminals and terrorism”. Our own Chris Pepper pointed out that it all “sounded unpleasantly familiar.” Ask yourself again why privacy protections are not built into every email tool? Because they would make it very difficult to collect intelligence and monitor rivals – in every country, not just Libya. Rich Mogull: Rob Graham’s Confirmed: LinkedIn 6mil password dump is real. Solid analysis. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics – Monitor for Reinfection. Malware Analysis Quant: Metrics – Remediate. Malware Analysis Quant: Metrics – Find Infected Devices. Malware Analysis Quant: Metrics – Define Rules and Search Queries. Malware Analysis Quant: Metrics – The Malware Profile. Research Reports and Presentations Report: Understanding and Selecting a Database Security Platform. Vulnerability Management Evolution: From Tactical Scanner to Strategic Platform. Watching the Watchers: Guarding the Keys to the Kingdom. Network-Based Malware Detection: Filling the Gaps of AV. Tokenization Guidance Analysis: Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Top News and Posts Crypto breakthrough shows Flame was designed by world-class scientists. Hiding Android Malware. MD5 password scrambler ‘no longer safe’. IE 10’s ‘Do-Not-Track’