Research

Before we get to the Incite we should probably explain why it’s a day late. Like many other sites we have huge issues with PIPA and SOPA, so we took down our site yesterday in protest. We don’t expect the big companies with big lobbying budgets to give up, so we need to keep the pressure on. Copyright holders have a right to protect their content, but not at the cost of our freedom and liberty. Period. Now back to our regularly scheduled pot stirring. Growing up I spent a lot of time in our den. It was a pretty small room, in a pretty small house, but it’s where the TV was. First it was a cabinet-style tube TV. Remember those? Yeah, you kids today have no appreciation for the TV repair man who showed up to fix your TV with a case full of tubes. Then we got a 15” model with cable, and my brother and I spent a lot of time in that room. The furniture was pretty spartan as well. We had a chair and we had a couch. The couch was, uh, uncomfortable. A plaid model with fabric that was more like sandpaper. Not that microsuede stuff we see today. So amazingly enough, there was a lot of competition for the chair. I usually won. OK. I always won, mostly because I was older and a lot bigger. That may have been the only positive to having a childhood weight problem. I always got the chair. Even if my brother was there first. I’d just sit down. Yes, right on him. It didn’t take long for him to realize I wasn’t moving and my bulk wasn’t going to get any more comfortable. After about the zillionth time I used this approach to get the chair, and my Mom got (justifiably) fed up with my brother crying about it, she instituted a new policy. You could call “my seat” once you entered the den, and you’d have to respect the call. Kind of like calling “shotgun” to sit in the front of the car. My brother may have been small, but he was quick. And more often than not, he beat me to the den and called the seat. I wasn’t happy about it, and when the babysitter was there I’d forget the rule. But inevitably I’d suffer the consequences when Mom got home. So it was funny to see XX2 sit in the passenger side captain’s chair in the van over the weekend. That’s where XX1 usually sits. The little one had this look, like she ate a canary, sitting in that seat. XX1 was not happy at all. I’m not sure whether it was because she likes her seat or that XX2 got the best of her. So the squealing started. And I’m not too tolerant of squealing. For a second I thought about instituting the my seat policy for the van. But that’s overkill for now. The girls don’t physically bully each other, and even if they did, I’m not sure XX2 wouldn’t win her fair share of battles. Though it did give me a chuckle to remember the old days of abusing my little bro. Speaking of which, it’s probably time to take him out to dinner, since I’m still running a huge karma deficit with him. Suffice it to say sitting on him was probably the nicest thing I did when we were growing up. -Mike Photo credits: “I gotta get me one of these!” originally uploaded by sk8mama Heavy Research We have been busy blasting through process descriptions for the Malware Analysis Quant project. Here are the last week’s posts, which zero in on the Malware Proliferation subprocess: Defining Rules Find Infected Devices Remediate Monitoring for Reinfection You can find all the posts on the Project Quant blog. We have also finished up our Network-based Malware Detection series, so here is a link to the last post, on assessing the impact of the cloud. Yes, the forecast is cloudy. Ha ha. Network-based Malware Detection: The Impact of the Cloud As always you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. Incite 4 U Revisiting the STRATFOR breach: Looks like Nick re-graded the folks at STRATFOR on their breach response and it went from a B- to a D-. Personally I think that’s too harsh, but ultimately it’s a subjective opinion and Nick is entitled to his. The key is constant communication, which STRATFOR failed at. It seems they spent the two weeks totally rebuilding their infrastructure, as they should have. I also liked the video from their CEO and agree it should have come earlier, if only to initially accept responsibility at the highest level. Then you communicate what you know as you can. I guess everything is relative and I personally think STRATOR did an okay job of response. You can always improve, and you should learn by what they didn’t do well, so you can factor that into your own response plans. – MR Unbreakably irresponsible: I think Adrian is going to cover the latest Oracle security flaw/patch in more detail, but I want to address a long-standing pet peeve I have with the big O. First, let’s give them credit for getting this out relatively quickly, even though it isn’t something that will (probably) affect a large percentage of Oracle customers. Then again, the ones most at risk tend to have 3-4 letter acronym names. Knowing that some flaws are ignored for years, it’s nice to see a relatively quick response – even if it may be due to the press being involved from the beginning. But that isn’t my peeve. You’ll notice that patches only go back a few versions for Oracle 10 and 11, and aren’t available for anything earlier. Oracle reps have told me (not that we talk much anymore) that they don’t believe a significant number of customers are running older versions. And if they are, since said versions are out of support, those customers are

We blacked out Securosis (mostly – it was a rush job) to protest SOPA, PIPA, and the future variants we are sure will appear now that everyone has targeted these two acronyms. We don’t support criminal activity, but by the same token we don’t support poorly-written laws that can do nearly nothing to prevent privacy while doing a lot to stifle free speech. Especially when these laws would seriously undermine our ability to secure the Internet. ‘Nuff said. You can read more at americansensorship.org. Share:

Is it that time already? Yep, it’s time to wrap up our series on Network-based Malware Detection. We started with the need to block malware more effectively on the perimeter, particularly because you know you have users who are not the sharpest tools in the shed. Then we discussed the different techniques involved in detecting malware. Finally we tackled location, assessing critically whether the traditional endpoint protection model has outlived its usefulness. So far we have made the case for considering gateway-based malware detection as one of the next key capabilities needed on your perimeter. Now it’s about wading through the hyperbole and evaluating the strengths and weakness of each approach. AV on the Box To provide a full view of all the alternatives we need to start with the status quo, which is a traditional AV engine (typically OEMed from an endpoint AV vendor) on your gateway. Yes, this is basically what lower-end UTM devices do. This approach focuses on detecting malware within the content stream (think email/web filtering), and (just like traditional AV approaches) it isn’t very effective for detecting modern malware. AV doesn’t work very well on your endpoint, and alas it’s not much better on perimeter gateways. Sandboxing on the Box The latest iteration, beyond running a traditional AV engine on the box, involves executing malware in a protected sandbox on the perimeter device and observing what it does. Depending on the behavior of the file – whether it does bad things – it can be blocked in real time. Virtualizing victim devices on perimeter platforms to test malware at network speeds is a substantial advance. And we have seen these devices provide a measurable improvement in ability to block malware at the gateway. But of course this entails trade-offs. First of all, do you really want to be executing malware within your production network? Of course it is supposed to be an isolated environment, but it’s still a risk – even if a small one. The second trade-off is performance. You are limited to the performance of the perimeter device. Only so many virtual victims can be spun up on a given network device at a time, so at some point you will hit a scalability wall. You can throw bigger boxes at the problem but local analysis is inherently limiting. And remember that these are new and additional dedicated devices. For some organizations that isn’t a problem – they simply get a new box to solve a new problem. Others are more resistant to spending rack space on the perimeter on one more niche device. Finally, this model provides no leverage. This approach requires you to execute every suspicious file locally, even if the malware has been sent to every company in the world. And because detecting malware is an inexact science, you will probably miss the first time something comes in, and suffer the consequences. You need a feedback loop to take advantage of what you learned during incident response / malware analysis (as described in the Malware Analysis Quant research) on the device. Shame on you if you do all the work to analyze the malware, but don’t make sure it cannot strike again. So to net this out, doing more sophisticated malware detection on the perimeter gateway represents a major advance, and has helped to detect a lot of the lower-hanging fruit missed by traditional AV. It is at a disadvantage against truly targeted unique malware, but then again nothing aside from unplugging from the Internet can really solve that problem. Leveraging the Cloud for Malware Detection We often point out there is rarely anything really new – just recycled ideas packaged a bit differently. We see this again with network-based malware detection, as we did for endpoint AV. When it became impractical to continue pushing a billion malware signatures to each protected endpoint, AV vendors started leveraging the cloud to track the reputation of individual file, determine if they are bad, and then tell endpoints to block them. The vendor’s AV cloud would analyze unknown files and make a determination of goodness or badness depending on what the file does. Of course that analysis isn’t real-time, so the first couple iterations of each new attack end poorly for the victims. But over time the malware is profiled, and then blocked when it shows up again. This concept also applies to detecting malware on the perimeter security gateway. A list of bad files can be cached on the devices, and new unrecognized files can be uploaded to the cloud service for analysis and an approve/block verdict. This addresses a number of the issues inherent to local analysis, as described above. You send the malware off to someone else’s cloud service rather than executing it locally. You have no performance limitations (assuming the network itself is reasonably fast) because the analysis isn’t on your hardware, and this capability adds little overhead to perimeter security gateways, which are likely already overburdened dealing with all these new application-aware policies. And you can take full advantage of the vendor’s cloud service, with its excellent leverage. If organization A sees a new malware file and the cloud service learns it’s bad, all subscribers to the cloud service can automatically block that malware and any recognizable cousins. So the larger the network, the less likely you are to see (and be infected by) the first specimen of any particular malware file – instead you can learn from other people’s misfortune and block the malware. So what’s the catch? It’s about the same as the latest generation of endpoint AV. The latency between when you see the attack and when specific malware files are known bad. That could be days at this point, but as the technology improves (and it will) the window will shrink to hours. But there will always be a window of exposure, since you aren’t actually analyzing the malware at the perimeter. And detection will never be perfect – malware writers already make it

You’ve probably noticed we have not been doing a lot of blogging lately. Sorry about that – we’ll start back up with a bang very soon. This will be a very exciting year for Securosis – we have a bunch of projects in the pipe. I’ll be launching a re-start of the Database Activity Monitoring 2.0 series now that we have finally settled on the terminology and done sufficient research on the trends to actually convey what’s going on. Mike and I want to cover some Log Management topics, and I have a data masking research project underway as well. All that is over and above new developments with the Securosis Nexus, the Cloud Security Alliance Training, and our RSA Guide – so Q1 will be very busy and we will be writing a lot. I’ll publish my Q2 research agenda in the coming weeks, so if you have anything you want to talk about at RSA we can go into detail then. And I wanted to comment on a ton of great posts I have seen, but alas… On a personal note, during the Christmas break I was wandering the local mall, when I saw this guy with a mountain bike. It’s cool! It’s got carbon fiber, big-azz shocks, and hydraulic disk brakes. He let me pick it up and it’s like 20 lbs. 20 lbs is less than a tire from my old bike! So I was fascinated. I had to have one. I did some looking on the Internet and decided to visit the last couple bike shops still in business in my area. I found a bike I like, they threw some pedals on it, and I headed out. I got on the bike and the first thing that ran through my mind was “FREEDOM! I can go anywhere. And I should!” Weird. Freedom. I felt like a kid with my first new bike – which would prove prophetic as I crashed it 4 times a few days later, just as I did with my first bike at age four. That was a weird sensation. It’s not like I don’t have freedom, and I have owned cars since I was sixteen, so I can pretty much go anywhere I want. But this was different. I went back into the shop, and the guy asked me how I liked it. “Beautiful” I said, and bought it. I got home, saddleed up, and headed straight out into the desert. I just pointed the bike in a direction I had never gone, over a hill I had never seen the other side of, and started pedaling. Open desert. Cactus, coyotes, and boulders be dammed! And it was awesome. Of course there are practical downsides to this freedom – other than plucking thorns out of my skin with tweezers and bathing road rash in betadine. I have over 10k hours on a BMX bike as a kid, and 5k hours on road bikes, so I considered myself an expert rider. Wrong! This is a totally difference experience. I am a novice, as proven emphatically by the four crahes on my second ride. Well, ‘crashed’ is not quite correct – technically the bike and I just swapped places, with the bike taking me for a short ride. And as with a new pair of shoes, you should make sure everything is broken in and comfortable before you go pushing the envelope. I found out – about 2 milliseconds after I needed to bail out – that my new snap-in pedals were much too tight. Jumping simply meant the bike followed me, turning the tables, so it was – ahem – in the driver’s seat. And I learned that mountain bikes have a variable stall speed: when pedaling furiously uphill in low gear you don’t actually have sufficient momentum to go over boulders like a badass – instead you can quickly find yourself going backwards. It’s a thought-provoking experience. Regardless, I am hooked. And now Christmas break is over and I am back at work. But like a little kid I keep looking out the window, wishing I could play with my new Christmas toy instead of talking to this vendor about a product of questionable quality, with its suspect value proposition. “Please tell me more about how you stop APT in a totally new way nobody has ever thought of before.” sigh On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian quoted in Sandhill Channels. Rich’s guest post on Trustworthy Computing. Mike and Jack Daniel on Continuous Monitoring. Securosis Posts Checking out a bootable Windows TPM thumb drive. Incite 1/11/2012: Spoilsport. Social Security Blogger Awards: Voting Open! Network-based Malware Detection: Where to Detect the Bad Stuff? Favorite Outside Posts Mike Rothman: Costco’s Value Chain. Of course it’s Gunnar who points out a great perspective on understanding your company’s value and sticking to that, using an example from Costco. Even if it’s hard. Even if it costs money in the short term. Rich: Nick Selby on how we need to stop blaming the victims. I’m not going to defend Stratfor’s massive mistakes, but we need to stop acting like a room full of a-holes, blaming the victims of crimes for being stupid… especially because we will all be eventual victims. And for the record, good luck using my 20-character random Stratfor password. Adrian Lane: Apple iWallet Security? Leverage “what you have” security – provided you don’t leave it in your hotel room! Dave Mortman: AES on the iPhone isn’t broken by Default. Project Quant Posts Malware Analysis Quant: Find Infected Devices. Malware Analysis Quant: Defining Rules. Malware Analysis Quant: The Malware Profile. Malware Analysis Quant: Dynamic Analysis. Malware Analysis Quant: Static Analysis. Malware Analysis Quant: Build Testbed. Malware Analysis Quant: Confirm Infection. Malware Analysis Quant: Process Map (Draft 1). Research Reports and Presentations Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM?. Fact-Based Network Security: Metrics and the Pursuit of

It’s almost RSA time again. Which means one very important thing: I need to finally post the review of the very slick TPM-based Windows bootable thumb drive Jeff Jones (@securityjones) gave me at RSA 2011. I have been promising him this review since last March, and it would be just too embarrassing to not get it done before RSA 2012. So here we go. As I said above, this slick little device provides a full self-contained Windows install protected by TPM. The entire thing is encrypted. When I was still doing ops, I kept it in my car for when I was out and about without my laptop. It was great for doing quick and dirty troubleshooting using a friend’s computer or library machine without having to worry about what might be on the machine I was using. You know, those public machines can be cesspools of all sorts of badness. Unfortunately it gets less use now that I’m during pure security, but I still pull it out now and again. Pluses Completely encrypted Uses its own memory and disk instead of the host’s Great form factor Ridiculously easy to use Minuses Doesn’t play nice with some laptop video cards Not as fast as using the native hardware by a long shot Can’t boot off a Mac or via a virtual machine What would have made this better? If it completely blocked access to the underlying drives and memory of the host box. Then I would have also used it as a safe browsing environment for conferences and airports and the like. That kind of capability would also be useful for those of you who need research NSFW sites using corporate machines. Admittedly, this would be a substantial feat, especially considering the need to access USB drivers for access to the host. When I used it regularly it was great for confirming that production services were live at my company, and it also allowed me to respond to email using the web gateway. For long emails this was far more efficient then trying to use my phone. If I were buying one, I’d have them preinstall essential security tools such as gpg, 1Password or another password manager, and the appropriate strong authentication software (such as a soft token). You’d also need ssh and VPN clients to make it even more useful. And while I’m putting together a shopping list, how about Skype? That would be really nice to communicate in a pinch. Though I’m not sure if it supports audio devices. Jeff? There are a couple other good use cases. For onsite incident response I would want forensics tools. If I were doing more technical consulting/pen testing I’d want one that booted Linux so I could have tools like BackTrack at my disposal. All in all, even without those tools, it’s a nice form factor for carrying around an emergency OS. I wonder if it’d be possible to get one that dual-booted – that would be even cooler then carrying a couple. You know you have to cut ounces of extra weight when you can. And I know I can get a lot of this functionality from a regular USB thumb drive, which would greatly expand the available options and undoubtedly lower the cost. But for specialized use cases, including toting around ssh and X.509 keys, having a TPM chip and an encrypted drive is very attractive – not to mention the dedicated memory & disk. There are a couple of this type of device out there, and adhering to Securosis’ policy of not being vendor-specific, I won’t mention specific models, but if you have this kind of requirements you should check them out. Share:

The winter holidays aggravate me. They are a consumption binge, and I know we all want a healthier global economy (which includes folks spending money they don’t have on things they don’t need) but it still irks me. I grew up modestly in a single-parent home, and we did stuff, but not a lot. We didn’t have the fancy things, which forced me to go out and earn whatever I’ve gotten. I remember being ecstatic one Hanukkah when I got a plastic briefcase-type thing to bring my books to school. We didn’t get 8 gifts or have a big-ass tree with all sorts of goodies under it. We got one thing and it was fine. I know how hard it was for my Mom to even provide those little things, and how hard she worked. That awareness has always driven me. I’ve been very fortunate, and we can provide plenty of gifts to our kids over the holidays. And we do. And the grandparents do. And they get lots of stuff from their cousins. The list goes on and on. But in the back of my mind is a fear that the kids don’t appreciate what they have. We have had to threaten to take all the stuff out of their room more than once, when they act like spoiled brats. I do try to lead by example. They see that I work a lot, but I’m not sure they understand that just working hard might not be enough. That they’ll have to find their talent, be persistent, and have a little luck, to achieve and earn everything they want. Though at times we get a glimmer of hope that despite their very comfortable lifestyle the kids have some perspective. When we got back from our holiday trip, the Boss sat down with XX2, who had a pretty interesting question. XX2: Mom, am I spoiled? The Boss (TB): You tell me? Do you think you are spoiled? XX2: Yes. I have everything I need, and get pretty much everything I want, so I guess I am spoiled. Win! Of course just because one of three understood, at that moment in time, that she has it pretty good, doesn’t mean she won’t be squealing like a stuck pig the next time we won’t buy something she wants when she wants it. But at least we can remind her of this conversation to introduce some perspective. It’s a fine line, because I work hard and have earned a certain lifestyle. I shouldn’t have to sacrifice having some nice things to make a point to my kids. But ultimately it’s our responsibility as parents to make sure they understand that the world is a tough and unforgiving place. Which means at times I need to be a spoilsport and say no, even when I get the cute pouty face. But that’s a lot better than allowing my kids to be soft, spoiled, and unprepared to deal when they leave the nest. -Mike Photo credits: “spoiled” originally uploaded by Kim ‘n’ Cris Knight Heavy Research We’re plowing through the latest Quant project on Malware Analysis. Here are the posts over the past week: Static Analysis Dynamic Analysis The Malware Profile Defining Rules You can find all the posts on the Project Quant blog. We are also finishing up our Network-based Malware Detection series. You see a trend here? Yep, it’s all malware, all the time. Here are the posts so far in that series, which we will wrap up this week. Introduction Identifying Today’s Malware Where to Detect the Bad Stuff? In case you aren’t interested in our Heavy RSS Feed, where you can get all our content in its unabridged glory. Incite 4 U The Sound of Inevitability: Kevin Mandia says if you are targeted by an advanced attacker, you will be breached (pdf). That’s not when, not if. And he should know – his firm spends a lot of time doing high-end breach response. If the effectiveness of targeted attacks by knowledgable attackers is approximately 100%, do you just accept this as an inevitability? Or do you ratchet up protections to make it harder for attackers? Those are the basic questions – they are the two most common CEO responses to this type of choice. Do you just accept this as part of the business landscape – cost of doing business – or are you determined to be a faster than the other gazelles competitors for the lions attackers to eat focus their intensive and persistent efforts on. Or maybe you can compartmentalize damage – knowing some user will inevitably click an email link with targeted malware – to just the mail server or select employee systems? It’s a worthwhile read: he lists all the data we repeatedly say you should keep – but which companies don’t have, can’t find, or take a week to recover. Breach preparedness drills? Anyone? – AL Brute force still works: King Krebs does some very interesting research into how the bad guys are defeating tests to figure out whether forms, etc. are being filled out by bots or other automated mechanisms. Basically, they’ve built sweatshops where all folks do is fill out CAPTCHAs and respond to other tactics to bypass bot detection tests. Even better, these folks have basically built a multi-level marketing scheme to get other folks to fill out the CAPTCHAs. The folks at the top of the pyramid can make real money, while folks at the bottom might make $3/day. Not unlike other MLM schemes, I guess. It’s just interesting to see tried and true business models applied to computer crime. What’s old is new again… – MR Nothing to see here. Really! Last week I got a call from a reporter at a major publication I have worked with in the past, to ask about some Symantec source code hackers claimed they stole from the Indian government and then posted online. Normally when something like this happens and the vendor denies it’s

It’s hard to believe, but the RSA Conference is almost upon us. We have a lot of very cool stuff planned, including an update to our RSA Guide, a few cool partnerships, and of course the Disaster Recovery Breakfast. We will have more details on all the above as we get closer to the show. In the meantime we want you to know that voting has opened for the 2012 Social Security Blogger Awards. Rich, Adrian, and I are unbelievably flattered to be nominated for two awards this year: The Most Entertaining Security Blog and The Blog that Best Represents The Security Industry. Us? Really? But we’ll take it – especially in light of the esteemed panel which handled the nominations. So go vote. For whoever you think should win the award. As long as it’s us, because we’ll know. We are hackers after all, and we’re watching. I kid! See you at the Blogger Party! Share:

For a football fan, there is nothing like the New Year holiday. You get to shake your hangover with a full day of football. This year was even better because the New Year fell on a Sunday, so we had a full slate of Week 17 NFL games (including a huge win for the G-men over the despised Cowboys) and then a bunch of college bowl games on Monday the 2nd. Both of my favorite NFL teams (the Giants and Falcons) qualified for the playoffs, which is awesome. They play on Sunday afternoon. Which is not entirely awesome. This means the season will end for one of my teams on Sunday. Bummer. It also means the other will play on, giving me someone to root for in the Divisional round. Yup, that’s awesome again. Many of my friends ask who I will root for, and my answer is both. Or neither. All I can hope is for an exciting and well-played game. And that whoever wins has some momentum to go into the next round and pull an upset in Green Bay. The end of the football season also means that many front offices (NFL) and athletic departments figure it’s time to shake things up. If the teams haven’t met expectations, they make a head coaching change. Or swap out a few assistants. Or inform the front office they’ve been relieved of their duties. Which is a nice way of saying they get fired. Perhaps in the offseason blow up the roster, or search to fill a missing hole in the draft or via free agency, to get to the promised land. But here’s the deal – as with everything else, the head coach is usually a fall guy when things go south. It’s not like you can fire the owner (though many Redskins fans would love to do that). But it’s not really fair. There is so much out of the control of the head coach, like injuries. Jacksonville lost a dozen defensive backs to injury. St. Louis lost all their starting wide receivers throughout the year. Indy lost their hall of fame QB. And most likely the head coaches of all these teams will take the bullet. But I guess that’s why they make the big bucks. BTW, most NFL owners (and big college boosters) expect nothing less than a Super Bowl (or BCS) championship every year. And of course only two teams end each year happy. I’m all for striving for continuous improvement. Securosis had a good year in 2011. But we will take most of this week to figure out (as a team) how to do better in 2012. That may mean growth. It may mean leverage and/or efficiency. Fortunately I’m pretty sure no one is getting fired, but we still need to ask the questions and do the work because we can always improve. I’m also good with accountability. If something isn’t getting done, someone needs to accept responsibility and put a plan in place to fix it. Sometimes that does mean shaking things up. But remember that organizationally, shaking the tree doesn’t need to originate in the CEO’s office or in the boardroom. If something needs to be fixed, you can fix it. Agitate for change. What are you waiting for? I’m pretty sure no one starts the year with a resolution to do the same ineffective stuff (again) and strive for mediocrity. It’s the New Year, folks. Get to work. Make 2012 a great one. -Mike Photo credits: “drawing with jo (2 of 2)” originally uploaded by cuttlefish Heavy Research We’ve launched the latest Quant project digging deeply into Malware Analysis. Here are the posts so far: Introduction Process Map Draft 1 Confirm Infection Build Testbed Static Analysis Given its depth we will be posting it on the Project Quant blog. Check it out, or follow our Heavy Feed via RSS. Incite 4 U Baby steps: I have been writing and talking a lot more about cloud security automation recently (see the kick-ass cloud database security example and this article. What’s the bottom line? The migration to cloud computing brings new opportunities for automated security at scale that we have never seen before, allowing us to build new deployment and consumption models on existing platforms in very interesting ways. All cloud platforms live and die based on automation and APIs, allowing us to do things like automatically provision and adapt security controls on the fly. I sometimes call it “Programmatic Security.” But the major holdup today is our security products – few of which use or supply the necessary APIs. One example of a product moving this way is Nessus (based on this announcement post). Now you can load Nessus with your VMWare SOAP API certs and automatically enumerate some important pieces of your virtualized environment (like all deployed virtual machines). Pretty basic, but it’s a start. – RM Own It: It seems these two simple words might be the most frequently used phrase in my house. Any time the kids (or anyone else for that matter) mess something up – and the excuses, stories, and other obfuscations start flying – the Boss and I just blurt out own it. And 90% of the time they do. So I just loved to see our pal Adam own a mistake he made upgrading the New School blog. But he also dove into his mental archives and wrote a follow-up delving into an upgrade FAIL on one of his other web sites, which resulted in some pwnage. Through awstats of all things. Just goes to show that upgrading cleanly (and quickly) is important and hard, especially given the number of disparate packages running on a typical machine. But again, hats off to Adam for sharing and eating his own dog food – the entire blog is about how we don’t share enough information in the security business, and it hurts us. So learn from Adam’s situation, and share your own stories of pwnage. We won’t

We spent the first two posts in this series on the why (Introduction) and how (Detecting Today’s Malware) of detecting malware on the network. But that all assumes the network is the right place to detect malware. As Hollywood types tend to do, let’s divulge the answer at the beginning, in a transparent ploy. Drum roll please… You want to do malware detection everywhere you can. On the endpoints, at the content layer, and also on the network. It’s not an either/or decision. But of course each approach has strengths and weaknesses. Let’s dig into those pros and cons to give you enough information to figure out what mix of these options makes sense for you. If we recall the last post Detecting Today’s Malware, you have a malware profile of something bad. Now comes the fun part: you actually look for it, and perhaps even block it before it wreaks havoc in your environment. You also need to be sure you aren’t flagging things unnecessarily (the dreaded false positives), so care is required when you decide to actually block something. Let’s weigh the advantages and disadvantages of all the different places we can detect malware, and put together a plan to minimize the impact of malware attacks. Traditional Endpoint-centric Approaches If we jump in the time machine and go back to the beginning of Age of Computer Viruses (about 1991?), the main threat vector was ‘sneakernet’: viruses spreading via floppy disks. Then detection on actual endpoint made sense, as that’s where viruses replicated. That started an almost 20-year fiesta (for endpoint protection vendors, anyway), of anti-virus technologies becoming increasingly entrenched on endpoints, evolving three or four steps behind the attacks. After that consistent run, endpoint protection is widely considered ineffective. Does that mean it’s not worth doing anymore? Of course not, for a couple reasons. First and foremost, most organizations just can’t ditch their endpoint protection because it’s a mandated control in many regulatory hierarchies. Additionally, endpoints are not always connected to your network, so they can’t rely on protection from the mothership. So at minimum you still need some kind of endpoint protection on mobile devices. Of course network-based controls (just like all other controls) aren’t foolproof, so having another (even mostly ineffective) layer of protection generally doesn’t hurt. And keeping anything up to date on thousands of endpoints is a challenge, and you can’t afford to ignore those complexities. Finally, by the time your endpoint protection takes a crack at detection, the malware has already entered your network, which historically has not ended well. Obviously the earlier (and closer to the perimeter) you can stop malware, the better. Detecting malware is one thing, but how can you control it on endpoints? You have a couple options: Endpoint Protection Suite: Traditional AV (and anti-spyware and anti-everything-else). The reality is that most of these tools already use some kind of advanced heuristics, reputation matching, and cloud assistance to help them detect malware. But tests show these offerings still don’t catch enough, and even if the detection rate is 80% (which it probably isn’t) across your 10,000 endpoints, you would be spending 30-40 hours per day cleaning up infected endpoints. Browser Isolation: Running a protected browser logically isolated from the rest of the device basically puts the malware in a jail where it can’t hurt your legitimate applications and data. When malware executes you just reset the browser without impacting the base OS or device. This is more customer-friendly than forcing browsing in a full virtual machine, but can the browser ever be completely isolated? Of course not, but this helps prevent stupid user actions from hurting users (or the organization, or you). Application Whitelisting: A very useful option for truly locking down particular devices, application whitelisting implements a positive security model on an endpoint. You specify all the things that can run and block everything else. Malware can’t run because it’s unauthorized, and alerts can be fired if malware-type actions are attempted on the device. For devices which can be subjected to draconian lockdown, AWL makes a difference. But they tend to be a small fraction of your environment, relegating AWL to a niche. Remember, we aren’t talking about an either/or decision. You’ll use one or more of these options, regardless of what you do on the network for malware detection. Content Security Gateways The next layer we saw develop for malware detection was the content security gateway. This happened as LAN-based email was becoming pervasive, when folks realized that sneakernet was horribly inefficient when the bad guys could just send viruses around via email. Ah, the good old days of self-propagating worms. So a set of email (and subsequently web) gateway devices were developed, embedding anti-virus engines to move detection closer to the perimeter. Many attacks continue to originate as email-based social engineering campaigns, in the form of phishing email – either with the payload attached to the message, more often as a link to a malware site, and sometimes even embedded within the HTML message body. Content security gateways can detect and block the malware at any point during the attack cycle by stopping attached malware, blocking users from navigating toa compromised sites, or inspecting web content coming into the organization and detecting attack code. Many of these gateways also use DLP-like techniques to ensure that sensitive files don’t leave the network via email or web sessions, which is all good. The weakness of content gateways is similar to the issues with endpoint-based techniques: keeping up with the rapid evolution of malware. Email and web gateways do have a positive impact by stopping the low-hanging fruit of malware (specimens which are easy to detect due to known signatures), by blocking spam to prevent users from clicking something stupid, and by preventing users from navigating to compromised sites. But these devices, along with email and web based cloud services, don’t stand much chance against sophisticated malware, because their detection mechanisms are primarily based on old-school signatures. And once

As we discussed in the Introduction to the Network-based Malware Detection series, traditional approaches to detecting malware cannot protect us any more. With rapidly morphing executables, increasingly sophisticated targeting, zero-day attacks, and innovative cloaking techniques, matching a file to a known bad AV signature is simply inadequate as a detection mechanism. We need to think differently about how to detect these attacks, so our next step is to dig into each of these specific tactics to figure out exactly what a file is doing and determining whether it’s bad. Sandboxing and Evolving Heuristics We are talking about network-based malware detection, so we will assume you see all the streams coming into your network from the big bad Internet. Of course this depends on architecture, but let’s assume it for now. With visibility into all the ingress traffic, the perimeter device can re-assemble the files from these streams and analyze them. There are two main types of file-based analysis: static and dynamic. Static testing is basically taking a look at the file and looking for markers that indicate malware. This generally involves looking for a file hash which indicates a known bad file – effectively a signature – which may identify a file packer and function calls that indicate badness. Of course network-based static testing provides limited analysis (and we wouldn’t want to bet on its findings) – especially given that modern malware writers encrypt and otherwise obscure what their files do. Which means you really need dynamic analysis: actually executing the file to see what it does. Yes, this is playing with live ammo – you need proper precautions (or to make sure your device includes them). Dynamic analysis effectively spins up an isolated, vulnerable virtualized system (the proverbial sandbox) to host and execute the file; then you can observe its device and network impact. Clear indications of badness include configuration changes, registry tampering, installing other executables, buffer overflows, memory corruption, and a zillion other bad things malware can do. Based on this analysis, the perimeter gateway flags files as bad and blocks them. Given the real-time nature of network security, it not feasible to have a human review all dynamic analysis results, so you are dependent on the detection algorithms and heuristics to identify malware. The good news is that these capabilities are improving and reducing false positives. But innovative malware attacks (including zero-days) are not caught by perimeter gateways – at least not the first time – which is why multiple layers of defense still make a lot of sense. What’s the catch? Clearly sandbox analysis is less effective for advanced malware which is VM-aware. The malware writers aren’t dummies, so they now check whether the OS is running in a virtual environment and mask accordingly – typically going dormant. Obviously this isn’t the primary driver for virtualized desktops, but it is another upside to consider. Network analysis Another aspect of dynamic malware analysis is profiling how the malware leverages the network. Remember back to the Securosis data breach triangle: without exfiltration there is no breach. Any malware must rely on the network, both to get commands from the mother ship and to exfiltrate the data. So the sandbox analysis tracks what networks the malware communicates with as another indication of badness. But how can these network-based devices keep track of the millions of domains and billions of IP addresses which might be command and control targets? The good news is that we have seen this movie before. Reputation analysis has evolved to track these bad IP addresses and networks. The first incarnation of reputation data was URL blacklists maintained by web filtering gateways. That evolved to analysis of IP addresses, predominately to identify compromised mail relays for anti-spam purposes. Now that model been has extended to analyzing DNS traffic to isolate command and control (C&C) networks as they emerge. Malware writers constantly test malware and new obfuscation approaches for their C&C traffic. Similar heuristic approaches can identify emerging C&C targets by analyzing DNS requests, exfiltration attempts, and network traffic. For example, if an IP address is the target of traffic that looks an awful lot like C&C traffic, perhaps it’s an emerging bot master. It’s not brain surgery, and this type of analysis is increasingly common for network security gateway vendors. Obviously, to keep current, any vendor providing this kind of botnet tracking needs access to a huge amount of Internet traffic. So if your vendor claims to track botnets, be sure to investigate how they track C&C networks and substantiate their claims. Why is isolating C&C traffic important? It all gets back to the detection window. Even with network-based malware gateways, you will miss malware on the way in. So devices will still be compromised, but obfuscated communications to known C&C targets are a strong indication of pwned devices. This may not be definitive, but it’s an excellent place to start, and a strong signal to work from. Outside of C&C traffic, analyzing the network characteristics of malware also provides insight into proliferation. How does the malware perform reconnaissance and subsequently spread? What kind of devices does it target? We are discussing this analysis in great detail in our Malware Analysis Quant research, and of course network-based analysis is inherently limited, but it is worth mentioning (again) the wealth of information you can get from file-based malware analysis. Wherefore art thou, malware? The ultimate goal of any malware analysis is to be able to profile a malware file and then block it when it shows up again. That’s what AV did in the early days, and what your malware detection defense must continue to do. So that’s the what, but not necessarily the where. When designing your security architecture you need to determine the best place to look for these malware files. Is it on the devices, within content security gateways (web/email), on the network perimeter, or even in the cloud? Of course this isn’t an either/or question, but there are pros and cons to each