RSA Conference Europe 2012 – Adversary ROI

Adversary ROI: Evaluating Security from the Threat Actor’s Perspective

Joshua Corman – Director, Security Intelligence, Akamai Technologies
David Etue – VP, Corporate Development Strategy, SafeNet

The premise of this talk is that adversaries have developed better ROI models than we have relating to our security spend.

As an organisation we cannot protect everything.  We have scarce security resources.  Are we protecting our most critical assets?  Think like our adversaries – what is important to them, not just what we think is important to us.  It is not just about what you have done, but WHO is after you.

Why does security ROI fail?  Security provides protection; it is not a profit centre.

Does ROSI (Return on Security Investment) improve things?

ROSI = ((Risk Exposure * % Risk Mitigated) – Solution cost) / Solution cost.

However, in the real world much of the risk exposure and risk mitigation figures are educated guesses at best.  So how accurate can we ever be?

The adversary does not care about your ROI / ROSI; they are results oriented, and all they care about is whether they can get the assets of yours that they want and achieve an ROI that is acceptable to them.

Thinking about adversary ROI came about from looking at risk – A risk requires a threat and a vulnerability that results in a negative consequence.  As we have finite resources we must optimise the risk equation for our success.

Consider what a “threat” is.  It is proposed that a threat is an Actor with a Capability and a Motive.  Stuxnet, ‘0-days’ etc. are the ‘bullets’; without the actor they would do nothing.

While adversaries have limited resources, consider the adage, ‘why spend $40M on it if you can steal it for $1M?’.  There are many criminal organisations willing to spend $1M+ on a single exploit if the return makes this worthwhile.

Adversary ROI = ((Attack Value – Cost of attack) / Cost of attack) * Probability of Success – Deterrence Measures

where Attack Value = Value of assets compromised + adversary value of operational impact, and Deterrence Measures = % chance of getting caught * Cost of getting caught.
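As a worked example of the two formulas above (added here; not from the talk and not the presenters’ own code), the following Python computes ROSI and adversary ROI using the page’s terms, then shows how raising the cost of an attack or lowering its probability of success pushes the adversary’s ROI below the return they would accept. The input figures and the acceptable-ROI threshold are constructed assumptions, and the deterrence term is applied exactly as the page states it.

```python
"""Worked ROSI and adversary-ROI calculations (added example; all figures are constructed)."""
from dataclasses import dataclass, replace


def rosi(risk_exposure: float, pct_mitigated: float, solution_cost: float) -> float:
    """ROSI = ((Risk Exposure * % Risk Mitigated) - Solution cost) / Solution cost.

    pct_mitigated is a fraction (0.5 == 50%).  Exposure and mitigation figures are
    usually estimates, so the result is only as good as those inputs.
    """
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    return (risk_exposure * pct_mitigated - solution_cost) / solution_cost


@dataclass(frozen=True)
class Attack:
    """Inputs to the adversary-ROI formula, one field per term in the talk."""
    asset_value: float          # value of the assets compromised
    operational_impact: float   # adversary's value of the operational impact caused
    cost: float                 # cost of mounting the attack
    p_success: float            # probability of success (0..1)
    p_caught: float             # % chance of getting caught (0..1)
    cost_caught: float          # cost of getting caught, in the same units as the ROI ratio


def adversary_roi(a: Attack) -> float:
    """((Attack Value - Cost of attack) / Cost of attack) * P(success) - Deterrence."""
    if a.cost <= 0:
        raise ValueError("attack cost must be positive")
    attack_value = a.asset_value + a.operational_impact
    deterrence = a.p_caught * a.cost_caught
    return ((attack_value - a.cost) / a.cost) * a.p_success - deterrence


def attractive_to_adversary(a: Attack, min_roi: float) -> bool:
    """True if the adversary's ROI meets the return they would accept (constructed threshold)."""
    return adversary_roi(a) >= min_roi


# Constructed baseline: a 1M asset reachable with a 100k attack that succeeds 80% of the time.
BASELINE = Attack(asset_value=1_000_000, operational_impact=0, cost=100_000,
                  p_success=0.8, p_caught=0.1, cost_caught=1.0)

# The same attack after controls raise its cost to 500k and cut its success rate to 30%.
AFTER_CONTROLS = replace(BASELINE, cost=500_000, p_success=0.3)

ACCEPTABLE_ROI = 1.0   # constructed: this adversary wants at least a 100% return


if __name__ == "__main__":
    print("ROSI:", rosi(1_000_000, 0.5, 200_000))                          # 1.5
    print("Adversary ROI before controls:", adversary_roi(BASELINE))       # 7.1
    print("Adversary ROI after controls: ", adversary_roi(AFTER_CONTROLS)) # 0.2
    print("Still attractive?", attractive_to_adversary(AFTER_CONTROLS, ACCEPTABLE_ROI))
```

The useful habit this encodes is to run the adversary’s side of the sum for each candidate control: a control that barely moves your own ROSI can still take a whole class of attacker out of the game if it raises their cost or lowers their success probability enough.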

Discussion around profiling a particular Actor or class of actors, as a chain:

Actor Classes (States, Crime, Hacktivists…) have Motivations (Financial, Industrial, Ideological…), which define their Targets (Credit card #s, Intellectual property, Cyber Infrastructure…), with various Impacts (Reputational, Personal, Availability…), via many Methods (Tools “Metasploit”, Phishing, Malware, Physical…).

Using methods like this to understand who is likely to be attacking you, and why, can be a great aid to your risk assessment activities.

Consider the already discussed ‘HD Moore’s Law’, suggesting that attacker power increases exponentially, doubling every 18 months (as with Moore’s law for CPU power).  The ability or strength of the casual attacker grows at the rate of software and tools such as Metasploit, Cain, and Pineapple etc.

Does it matter who is attacking?  Yes; as an example, in the survey of top threats, Abuse of System access / privileges was number 18 in the overall list, so if you choose to try and mitigate the top 10 you may miss this one.  However, for those wishing to steal intellectual property and classified information this was the number one attack.  Knowing who is trying to attack you, and why, will help ensure you have the correct focus for your very finite security budget and resources.

While patching is important, once we have patching in order do we need to keep looking at this as one of our key security metrics?  For example 25% of current breaches are via SQL injection, how much effort is spent on application and code security?  What metrics do you have for ensuring the security of your applications?

I’d recommend reviewing the Verizon Business Data Breach Investigations Report for more information on breaches and breach types etc.  This contains a lot of very useful information to aid your understanding of the current landscape.

Have a look at some of these interesting free tools that can help with your security defences;

WebLabyrinth – http://code.google.com/p/weblabyrinth/

FOG Computing – http://sneakers.cs.columbia.edu:8080/fog/

SCIT: Self Cleansing Intrusion Tolerance – http://cs.gmu.edu/~asood/scit/

Honeyports – http://honeyports.sourceforge.net/

I don’t have time to cover all of these here, but have a look for yourselves if you want some more tools to make attackers’ lives considerably more difficult should they get onto your networks.

So, how do we best get non-security executives involved?  Some questions you can put to them to get the conversation started;

–          What protected or sensitive information do we have?

–          What adversaries desire the information and why?

–          What is the value of the information to the organization?

–          How would the adversary value it?

–          What are the adversary’s capabilities?

–          What controls protect the information?

Summary and next steps;

Remember these are ways to enrich and complement your existing security, not instead of it!

–          Start with a blank slate

–          Engage non-security people – you must have executive buy-in, and should aim to gradually make security front and centre as part of the corporate culture

–          Identify your most likely adversaries and thus their likely motivations – work with other businesses in your industry – information and knowledge sharing!

  • Obtain and share adversary centric intelligence;
  • Threat intelligence
  • Brand chatter monitoring
  • Information sharing

–          Simulate adversary-driven scenarios – improve on your penetration testing.

K

RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability / Accountability / Auditability – while still important, has gone out of the window in terms of being the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – JavaScript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business.  Accessing data from the virtual world can be simple – Simplest and getting easier!

Virtual World – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home?  You need to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’: if our important data is protected and secure, being breached will still not give access to it.

Demo against VMware 4.1 update 1.  Using a simple scan you can find multiple VMware servers and consoles exposed directly to the internet; remember though that these attacks can just as easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks?  Do you have separate management, server, database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCenter server, the admin / password file is easily accessible and only hashed in MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.
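The weak point described above is the storage format: an unsalted MD5 digest means identical passwords produce identical hashes, which is exactly what a precomputed table exploits. As an added example (mine, not from the talk and not VMware’s code), the following Python contrasts that format with a salted, iterated PBKDF2 record and includes a small audit that flags bare-MD5 entries in a constructed password file, the kind of check a defender can run over their own exported credential stores. The iteration count and the sample users are constructed choices.

```python
"""Unsalted MD5 beside a salted PBKDF2 record, plus an audit for the weak format (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # constructed choice; tune to the hardware and policy in use


def md5_unsalted(password: str) -> str:
    """The weak format: same password -> same digest, for every user and every system."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = None) -> str:
    """Salted and iterated: a fresh random salt makes identical passwords hash differently."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def looks_like_unsalted_md5(stored: str) -> bool:
    """32 hex characters and nothing else is the signature of a bare MD5 digest."""
    s = stored.strip().lower()
    return len(s) == 32 and all(c in "0123456789abcdef" for c in s)


def sample_file() -> str:
    """Constructed 'user:hash' file mixing both formats (fixed salt only so the output is stable)."""
    return "\n".join([
        "admin:" + md5_unsalted("hunter2"),
        "backup:" + md5_unsalted("hunter2"),               # identical digest: reuse is visible at a glance
        "ops:" + pbkdf2_record("hunter2", salt=bytes(16)),  # same password, but salted and iterated
    ])


def audit_hash_file(text: str) -> list:
    """Return the usernames whose stored credential is a bare MD5 digest."""
    weak = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if looks_like_unsalted_md5(stored):
            weak.append(user)
    return weak
```

The audit is deliberately crude (format sniffing), but it is enough to turn “is anything still on MD5?” into a yes/no question you can answer across an estate, which is the first step the notes are really asking for.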

To make things even easier, tools like Metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out Metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

–          Stealth Access Point for Man-in-the-Middle attacks

–          Mobile Broadband (3G USB) and Android Tethering

–          Manage from afar with persistent SSH tunnels

–          Relay or Deauth attack with auxiliary WiFi adapter

–          Web-based management simplifies MITM attacks

–          Expandable with community modules

–          And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking a tool like this with the capabilities of software such as Cain and Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but can do so much more.  A prime example of the abilities of this tool is ARP poisoning such that you can see all the traffic on a given subnet / VLAN.  I have personally used this to record (with approval of course!) VoIP calls in order to demonstrate the need to encrypt VoIP traffic.  Cain even nicely reconstructs individual call conversations for you!

This is another personal favourite of mine – if your VoIP is not encrypted, why not?  Does your board know it is trivially easy to record their calls, or those of finance and HR etc., on your network?
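The ARP poisoning described above leaves a visible trace: an IP address that is suddenly claimed by a different MAC address. As an added defender-side example (mine, not part of the talk or of Cain), the following Python parses a handful of constructed tcpdump-style ARP reply lines from a monitoring port and alerts when an IP’s MAC changes, or disagrees with an optional trusted map such as a recorded gateway MAC. Addresses and timestamps are constructed.

```python
"""Detecting ARP poisoning from observed ARP replies (added example; sample lines are constructed)."""
import re

# Constructed lines in the style of tcpdump output from a monitoring port on the VLAN.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
10:00:05.000 ARP, Reply 10.0.0.20 is-at aa:bb:cc:00:00:20, length 28
10:00:09.000 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28
10:00:12.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
10:00:15.000 ARP, Reply 10.0.0.20 is-at aa:bb:cc:00:00:20, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp_replies(text: str) -> list:
    """Return (timestamp, ip, mac) for each reply line; anything else is ignored."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_conflicts(replies: list, trusted: dict = None) -> list:
    """Alert when an IP is claimed by a MAC other than its trusted (or first-seen) one.

    trusted maps ip -> mac for addresses you have recorded out of band (the gateway,
    the PBX); for everything else the first mapping seen is taken as the baseline.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}
    alerts = []
    for ts, ip, mac in replies:
        expected = trusted.get(ip, first_seen.get(ip))
        if expected is not None and expected != mac:
            alerts.append({"time": ts, "ip": ip, "expected": expected, "seen": mac})
        first_seen.setdefault(ip, mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(parse_arp_replies(SAMPLE_ARP_LOG)):
        print("ARP conflict:", alert)   # one alert: 10.0.0.1 moves to de:ad:be:ef:00:99 at 10:00:12
```

Detection is the backstop; the fix the notes argue for is to encrypt the calls so that a poisoned segment yields nothing useful, with switch features such as dynamic ARP inspection reducing how often the backstop is needed.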

The talk went on to cover some further easy attacks such as those using the power of Google search syntax to gain information from Dropbox, SkyDrive, Google Docs etc.  An example was finding Cisco passwords in Google Docs files.  This leads onto another question: are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach and Liu have a project called the ‘Google Hacking Diggity Project’ that has created a freely downloadable tool for creating complex Google / Bing searches with specific tasks in mind, such as hacking cloud storage etc.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.

Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’ – our important data is all encrypted with strong, robust processes.  We were hacked, but it doesn’t matter.  The CI part of CIA is critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K

RSA Conference Europe 2012 – Encrypt your cloud

Davi Ottenheimer – president, flyingpenguin

A perceived lack of security in the cloud is still one of the primary issues preventing organisations moving to the cloud.

I was hoping from the title this would touch on the issues with encrypting data while it is being processed, but the introduction really only discussed data at rest and in transit.  We all know that;

–          Technically encrypting data moving to and from and around the cloud is not difficult, we have been using SSL / TLS etc. to achieve this in the public domain for years.

–          Encrypting data at rest is also technically easy and again something we have been doing for years for example with public key cryptography.

–          Even deleting data in the cloud can effectively be dealt with via good key management – if your data is encrypted with strong encryption, when you want to ‘delete’ it you can just delete the key!

For a general overview of issues with encryption in the cloud, the talk was interesting and useful covering terminology and some details on key exchange etc.

Some useful terminology when talking about crypto;

–          Encryption: reversible operation, cryptographically turns input into illegible cipher text

–          Hashing: non-reversible operation, cryptographically transforms input to illegible message

–          Tokenization: reversible operation, substitutes input with data that has no inherent value

–          Key management: life-cycle of a secret including creation, distribution, use and deletion
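To make the four terms above concrete, and to show the ‘delete the key to delete the data’ point from earlier in these notes, here is an added Python illustration (mine, not the speaker’s) with one small piece per term: a key store, a reversible encrypt/decrypt pair, a one-way hash, and a token vault. The cipher inside encrypt/decrypt is a constructed HMAC-SHA256 counter-mode keystream, used only so the block runs with the standard library alone; it illustrates ‘reversible with the key’ and is not a production cipher, where an authenticated mode such as AES-GCM from a vetted library is the right choice.

```python
"""Encryption, hashing, tokenization and key deletion side by side (added example)."""
import hashlib
import hmac
import os
import secrets


class KeyStore:
    """Key management: create, hand out and delete keys by id (in-memory stand-in for a KMS/HSM)."""

    def __init__(self):
        self._keys = {}

    def create(self) -> str:
        kid = "key-" + secrets.token_hex(4)
        self._keys[kid] = secrets.token_bytes(32)
        return kid

    def get(self, kid: str) -> bytes:
        return self._keys[kid]          # KeyError once the key has been deleted

    def delete(self, kid: str) -> None:
        del self._keys[kid]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed keystream: HMAC-SHA256(key, nonce || counter); illustrative only."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Reversible with the key: output is nonce || (plaintext XOR keystream).  No integrity tag here."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def hash_value(data: bytes) -> str:
    """Non-reversible: a fixed-size digest you can compare against but not turn back into data."""
    return hashlib.sha256(data).hexdigest()


class TokenVault:
    """Tokenization: replace a value with a random surrogate; only the vault can map it back."""

    def __init__(self):
        self._map = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # carries no information about the value
        self._map[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._map[token]


def store_then_shred(plaintext: bytes) -> bool:
    """Encrypt, confirm the round trip, delete the key: the ciphertext may remain but is unrecoverable."""
    ks = KeyStore()
    kid = ks.create()
    blob = encrypt(ks.get(kid), plaintext)
    if decrypt(ks.get(kid), blob) != plaintext:
        return False
    ks.delete(kid)
    try:
        ks.get(kid)
    except KeyError:
        return True     # crypto-shredding: no key, no plaintext, wherever the copies ended up
    return False
```

The point of store_then_shred is the cloud deletion argument from the earlier bullet: you rarely control where a provider’s replicas and backups of your ciphertext live, but if the only key lived in your own store, deleting it deletes them all at once.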

Consider the human / social element.  Some good slides on the Diffie-Hellman key exchange – worth looking up if you want a better understanding of this.

Consider how safe virtual machines are – how protected are they from someone who has full hypervisor access?  What happens when a VM moves to another host – for example VMware vMotion does not support encryption, so your machine is copied to another host in ‘clear text’ and data contained in the guest may be accessible to anyone with network access.

Some slides and discussion on Encryption as a Service, which is cool as this is one of the domains of Security as a Service that we have identified and documented :)  I’d recommend looking up Key Management Interoperability Protocol (KMIP) and Enterprise Key Management Infrastructure (EKMI) if you want to know more about potential encryption as a service key management options.

Ensure you understand key persistence and management – where are your keys?  For example, make sure they are not in things like machine templates, otherwise anyone who can create a clone with your template can have root access on all the machines made from that template.  Understand who has your keys, and who can access them and your data – read up on the Dropbox legal case for an example of this and of how important it is to understand SLAs from providers.

The presentation ended with 6 recommendations for next steps;

Next 3 months

–          Classify data for segmentation

–          Setup key management policy and procedures

–          Select standards for interoperability

Next 6 months

–          Configure apps for key and crypto management

–          Select a key app and crypto app solution

–          Plan and initiate a project to protect data in cloud

Obviously the timings will very much depend on the speed at which your organisation moves!

Overall this was an interesting talk, with some good considerations that highlighted the fact most issues with encryption in the cloud are people / process related rather than technology.  We already have known and understood methods for encrypting data in transit and at rest.

However the talk didn’t really touch on the issues around data processing aside from a mention on tokenization that allows portions of data to be available for some processing while protecting the sensitive portion.  This was a bit disappointing for me as I was hoping this area would be covered in some depth as it’s still the one hole left in the ‘can my data in the cloud be encrypted ALL the time, even when searching and processing it?’ question.

K

RSA Conference Europe – Cybercrime, Easy as Pie and Damn Ingenious

James Lyne, Director of Technology Strategy, Sophos

Sophos currently sees >200,000 individual pieces of malicious code every day.

Cybercrime is becoming very professional with easy to access tools;

Sites exist for testing and quality assurance of malware, e.g. www.virtest.com – this site scans your malware with multiple (44) different anti-virus products to see if it is detected.  The benefit of this service is that it uses the vendors’ AV engines and signatures.  The site carries the assurance that no results will be sent back to the vendor or shared in any way, so you can be assured that your malware will not be added to existing malware databases.

Another example is Gwapo, which has YouTube videos advertising its DDoS service.

Ransomware is also becoming common, with malware that encrypts your drive(s) and requires payment to decrypt it.  Some ransomware becomes a lot more scary and malicious, with threats that illegal content such as child pornography has been encrypted on your computer and that if you don’t pay within xx hours or days the police will be sent details of how to decrypt it.  Ransomware can be particularly harmful and effective as it does not require administrative access; for example, if you have access to company files etc. they can be encrypted with your limited access.

You can easily get access to ‘crime-packs’ containing various exploitation and attack tool kits.  Examples include Firepack, Ice-pack, Crimepack, Blackhole etc.  Some of these even come with CR tools built in!  Additionally, in keeping with the times, some are available as cloud based services that you can subscribe to.  Many come with technical support contacts as well.

The tools have very simple GUI based interfaces for creating your own malware based on existing payloads etc.  They are also very regularly updated with new code and make use of polymorphism to try and evade detection.

As an example, Blackhole has features such as;

–          Blacklisting / blocking to try and prevent researchers from security companies accessing the application and infected machines

  • Only hit IPs once
  • IP blacklist
  • Referrer URL blacklist
  • TOR blacklist
  • Import blacklisted ranges (e.g. from cloud services)

–          Auto updating / patching

–          Can target multiple client vulnerabilities simultaneously

–          Java 0-days almost as soon as they were available

–          AV scanning add ins to check if the attack is being identified by host AV systems

A few comments on adopting a more ‘offensive’ stance: this is a grey area and may be legally questionable in some jurisdictions, so you should be careful when looking at these options.  Some options, in escalating order of scale;

–          Bit of poking – DNS, name servers and ‘affiliations’

–          Web bug, image or alike

  • Pretty easy to legally get away with
  • Sadly basic information

–          Javascript. Web Shell. Querying more information

  • Borderline, depending on your jurisdiction

–          Full hog – exploitage

  • Oh, you didn’t patch Java in your system either? – use the attacker’s exploit, in this case Java, against their own Java based site / application
  • Where they are, what they are doing.

Two steps forward..  Using IPv6 as an example: many machines now have IPv6 on by default, and a simple router flood attack available in current BackTrack etc. can max out the CPU and even crash the machine.  You may not care about IPv6 yet, but if you are not disabling or securing it you could be opening up new attack vectors in your organisation without realising it.  The message again is to understand your environment and the risks you face.
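As an added defender-side example (mine, not from the talk), the following Python parses sysctl-style output for the Linux IPv6 settings the router-advertisement point bears on and reports what to tighten: hosts that do not use IPv6 can set disable_ipv6, and hosts that do can still refuse unsolicited Router Advertisements and ICMPv6 redirects. The sample settings are constructed; the key names are the real Linux sysctl names. It generalises slightly beyond the talk’s flood example by also flagging redirects, which share the same ‘a neighbour can reconfigure me’ exposure.

```python
"""Audit Linux IPv6 sysctl settings related to Router Advertisement handling (added example)."""
import re

# Constructed sample in `sysctl -a` format; lo is loopback and is skipped by the audit.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_redirects = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.lo.accept_ra = 0
net.ipv6.conf.lo.accept_redirects = 0
net.ipv4.ip_forward = 0
"""

IPV6_KEY = re.compile(r"^net\.ipv6\.conf\.(?P<iface>[^.]+)\.(?P<param>\w+)$")


def parse_sysctl(text: str) -> dict:
    """Turn 'key = value' lines into a dict; values that look numeric become ints."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = int(value) if value.lstrip("-").isdigit() else value
    return settings


def audit_ipv6(settings: dict, ipv6_in_use: bool) -> list:
    """Return (key, current, recommended) triples for settings that widen the RA attack surface."""
    findings = []
    for key, value in sorted(settings.items()):
        m = IPV6_KEY.match(key)
        if not m or m["iface"] == "lo":
            continue
        param = m["param"]
        if param == "disable_ipv6" and value == 0 and not ipv6_in_use:
            findings.append((key, value, 1))   # IPv6 enabled on a host that has no use for it
        elif param == "accept_ra" and value != 0:
            findings.append((key, value, 0))   # accepts unsolicited RAs; 0 unless SLAAC is required
        elif param == "accept_redirects" and value != 0:
            findings.append((key, value, 0))   # ICMPv6 redirects let a neighbour rewrite routes
    return findings


if __name__ == "__main__":
    for key, current, recommended in audit_ipv6(parse_sysctl(SAMPLE_SYSCTL), ipv6_in_use=False):
        print("%s = %s (recommend %s)" % (key, current, recommended))
```

Whether ipv6_in_use should be True is the question the notes are really posing: the audit cannot answer it, but it makes the consequence of not knowing visible on every host.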

Key take away points from this talk are;

–          Consider upcoming technologies even if you are not using them yet

–          Consider any investigative / offensive moves very carefully

  • I’d recommend improving your forensics capabilities, gather solid, admissible evidence to hand to legal investigators

–          Watch the basics

  • Assumptions kill us
  • Yes people can be that silly

–          Everything in moderation – Hype hurts

On a closing note, the tools and sites mentioned in this post are real and currently accessible.  Search for and use with care and at your own peril!

K

RSA Conference Europe 2012 Keynotes; day two part two

Keynote 3 – ‘Are we getting better?’ Why we don’t know.  What can we do about it?

Joshua Corman, Director Akamai Technologies

Change is constant;

–          Evolving compliance

–          Evolving Threats

–          Evolving Technology

–          Evolving Business

–          Evolving Economics

Historically most of our security time and budget went on understanding who is attacking us and how, and understanding our IT landscape.  Now since the onset of so much legislation 50% of security time and budget is spent meeting regulations.  In some companies this is closer to 100%.  Why?  Because the organisation might get hacked, but it will be fined if it fails an audit.

So in a world of ever increasing and evolving threats and increasingly complex systems our focus is diverted from true risk management and security.

Another reason to believe we are not getting better is that we are increasing our dependence on technology and software systems much more quickly than our ability to secure them, e.g. insulin pumps have been hacked to deliver lethal doses, Microsoft Windows is now in some cars, we rely on web sites that are still regularly hacked, etc.

Are our challenges not technical but cultural?  For example, the OWASP top 10 list has basically never changed!  Why have we not yet solved any of these issues?

Why is this?

–          We have faith based security

–          We need evidence based security

–          However we have very little data and that we do have may not be for the genuinely most serious issues – we focus on what is visible, not importance.

–          Drunks and Lampposts! – we (and vendors) use data to prop up our views and desired message, not to show the true picture, in the same way a drunk uses a lamppost for support, not illumination.

Collection of thoughts presented;

–          Vendors don’t need to be ahead of the bad guys, they just need to be ahead of the customer!

–          We have and accept buggy software

–          There is a lot of FUD (Fear Uncertainty and Doubt) and conversely Blind faith

–          We had the chance to do cloud computing better, but are already having the same types of conversation as before..

–          The security industry scores very high on the Maslow stress index..

–          Most companies and CISOs cannot stop standard Metasploit attacks; if we can’t stop ‘script kiddies’ how can we expect to stop ‘grown up’ attackers? – HD Moore’s law..

What can we do about it? (in order of importance);

–          Pick one;

  • Make excuses
  • Make progress

–          Build defensible infrastructures including rugged software

–          Operational excellence – run IT well, understand what you have

–          Situational awareness

–          Countermeasures

Joshua has a very interesting blog covering these points and many others.  This can be found here;

http://blog.cognitivedissidents.com/

To summarise, Seek Knowledge, Make Progress, Collaborate with people, be unreasonable! :)

Overall a great although sprawling and fast paced talk.

——–

Keynote 4 – Trust, Security and Society

Bruce Schneier

We as a species are very trusting; just having breakfast you effectively trust 1000s of people to have safely grown, prepared and served your food.  Society wouldn’t function without trust.  This is why we do security: security enables trust, and trust enables society.

There are two forms of trust –

–          Personal when you know someone, and understand some of their likely motivations and expected actions.

–          Impersonal, you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)

In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions.  This trust is for individuals, things / organisations that are physically there, and much more abstract organisations / functions.

Conversely, in any system like this people can ‘game’ the system and act in untrustworthy ways.  Consider game theory and the prisoner’s dilemma.  People can be ‘defectors’.  However, defecting only works if the defectors are not too successful; if defecting becomes too successful, things, in this case society, can collapse.

Security is how we keep the number of defectors to an acceptable level.  This does not mean zero, as getting towards zero becomes prohibitively expensive.

So how do we do this?  Societal pressures;

–          Morals – mostly comes from within our own head

–          Reputation – mostly comes from other people’s opinions of us

–          Laws – ‘formalised reputation’ where laws are not just government type laws, this also includes expected behaviour within your company, expected behaviours within a group or team etc.

–          Security systems

These pressures allow society to scale.

Society will use these pressures to find a balance / equilibrium between these pressures and defectors.  Usually not explicitly, but as an example if there is a lot of crime people will expect more time and effort to go into policing, when crime is very low they will ask why spend so much on policing when we have all these other issues..

Technology makes society more complex and is leading us through a time of great societal change.

To summarise;

–          No matter how much societal pressure there is there will always be some defectors

–          Increasing societal pressure is not always worth it

–          We all defect at some times. No one is perfect.

–          There are good and bad defectors and it can be hard to differentiate.

–          Society needs defectors – we all benefit because some people don’t follow the norms..

K

RSA Conference Europe 2012 Keynotes; day two part one

Keynote 1 – Big Data; Threat or Opportunity?

Philippe Courtot, Chairman Qualys Inc.

Big data is everywhere, not just Facebook, Google and CERN.  Organisations from the police with cameras constantly taking photos of license plates to log data from corporate systems and web sites.  Many companies are now having to deal with or plan to deal with big data in order to understand their systems, their customers, and their users.

What is driving this for ‘ordinary’ organisations?

–          Increasingly complex and virtualised IT infrastructures

–          Workload mobility

–          Bring your own device / computer

–          Cloud computing

All require increasing amounts of data to be collected and aggregated in order for an organisation to understand and ensure compliance of their environments.

Cloud computing is both aiding this by making the storage and compute power available to any business that has to deal with big data, and driving this through its scale, virtual and always on nature.

How do we ensure the security and understanding of these complex environments?  We must build security into the overall cloud and application architecture.  Realise that the cloud has multiple ‘flavours’ from IaaS to SaaS and these are not all the same from a design and architecture perspective.  Stop talking and thinking about the cloud as just ‘the cloud’.

From an infrastructure perspective, cloud data centres are fractal, you need to understand what your assets are, but also realise many are the same for example storage and compute.  You can monitor all your compute nodes with the same method.  Monitoring needs to be in real time and to have analysis and intelligence built in.

If you are running web applications you need to understand how many you have, where they are and how they are being used.  Need to look at hardening and understanding this perimeter and correlate logs across these environments.  How do we manage code issues and potential exploits and varying methods of authentication?  Your developers working on new code and functionality, your support staff may not have enough code experience.  Do we need a new breed of operations support with reasonably in depth coding abilities?

Was Philippe referring to DevOps here?  This is newish, but not a new idea, many organisations are already using or setting up DevOps teams with the skill sets that were talked about.

Mobile devices are also driving both big data and management challenges for organisations.  We need to ensure they are all monitored and managed: single sign-on, privacy, corporate policies.  How do we do this for 100s / 1000s / 1000000s of thin devices that cannot have very thick applications installed on them?  Cloud based services for both device management and aggregation of the collected data can provide these solutions and scale as required.

How do we ensure security remains ‘front and centre’  as we move to the cloud and scale up?  Many existing enterprise point solutions do not scale enough or integrate well enough with the cloud.  This is being solved by providing managed security services from the cloud; Security as a Service (SecaaS).  Obviously blowing my own trumpet here, but this neatly links to my research with the Cloud Security Alliance on SecaaS!

For me the key message of this talk is that real-time ‘Big Data’ is a key element of tomorrow’s security.  We need to understand the implications of this and plan our security strategy to take advantage of this and the insight it will bring.

——-

Keynote 2 – The struggle for control of the internet

Misha Glenny – Author and Journalist

Control of the internet focusses on the debate between security and privacy vs. the demand for freedom.  The US identifies four areas that need to be managed and prevented; Crime, Hacktivism, Warfare, and Terrorism.

How do we balance the need for people to have freedom with the needs for safety and protection online?  Is the internet morally neutral?

Crime (cybercrime) quickly took advantage of the internet, from card detail sales sites such as Carderplanet and DarkMarket.  Carderplanet was set up >11 years ago.  Both these sites have since been taken down, but they paved the way for much more sophisticated criminal organisations.

Criminals now spend a lot of time watching organisations like SOCA and the FBI in order to understand them and anticipate their next moves.  So while those trying to catch the criminals are watching them, they in turn are being watched!  Hackers have accessed private police files to monitor current investigations and delete intelligence records etc.

There have actually been worldwide ‘carder’ and other criminal activity conferences.  For example Carderplanet organised the first worldwide carder conference in 2002.  The invite to this conference also alluded to the fact that Carderplanet had a deal with the FSB (Russian secret service) would not interfere with their ‘work’ as long as they did not attack financial institutions, and if they would perform attacks on behalf of the Russian government / secret service as required.

The lines between government spies and criminals are becoming increasingly blurred.

Currently the UK secret service (Mi6 / Mi5) is dealing with ~500 targeted attacks every day.  This is up from ~4 per year 10 years ago!  The international spend in the west on cyber security is currently around $100 Billion per year.  This is set to double over the next few years.

The west wants to work with China and Russia to improve the situation; however they want to be allowed to manage the web within their borders in any way they like if they are to cooperate.  This obviously has issues with preventing freedom of speech.

Will the Web break down into massive intranets?  Iran has already stated its intent to disconnect itself from the Web and set up just such an internal intranet.  China and Russia want to control and largely segregate their internal users from the rest of the Web.

We need original thinking to resolve these issues!

K

RSA Conference Europe 2012 – Developing Secure Software in the age of Advanced Persistent Threats

Talk presented by Dave Martin and Eric Blaze, both security officers from EMC.

In March 2011 RSA suffered a breach from an Advanced Persistent Threat (APT) type attack.  This was big news and many customers were affected, having to replace their RSA tokens etc.

Security groups in a high-tech organisation, with EMC as the example, split into a Product security group and an IT security organisation, where:

–          Product security is focused on the security of the products the business produces, deploying patches to customers etc.  This can be looked at as the product’s impact on the customer’s risk.  EMC work on the premise that the customer’s network where the product will be deployed has already been compromised, so the security of the product itself is paramount.  Secure development / code and application focused.

–          IT security organisation is responsible for the security of the IT enterprise itself.  This can be looked at as the security impact on enterprise risk.  Generally tend to be much more infrastructure and system focussed.

The environment is changing – environments are now much more likely to be compromised in a subtle, planned, long-term manner (APT) than by the traditional blunt and opportunistic attacks.

What are the characteristics of these changes?

–          Single minded, determined and innovative

–          Targeting individuals over systems

–          Through reconnaissance they will understand your processes, people & systems better than you do

–          Will exploit ANY weakness

–          Countermeasures only increase their sophistication

–          Custom malware, NOT detectable by signatures

–          Are not in a hurry – will take as long as it takes

–          Goal is long term & persistent access

–          The perimeter has shifted, all systems now exist in a hostile environment

What are the implications of this?

Real attacks that have been publicly reported have included;

–          Loss of intellectual property

–          Loss of cryptographic secrets

–          Loss of source code

–          Attacks against cloud services

Mandiant’s M-Trends 2012 report states that 94% of companies find out they have been compromised from law enforcement, and that the median time from compromise to discovery of the breach is 416 days!  Do you know your network is secure?  Can you report with confidence to your board and shareholders that you have adequate, intelligent monitoring and solid layered defence in depth in place?  Is your organisation aware of the risks at all levels?

We must assume that we are compromised! – the Security for Business Innovation Council in August 2011 stated;

“Consider that no organization is impenetrable. Assume that your organization might already be compromised and go from there.”

Technology providers must support this by adapting their product security strategy in the following ways;

–          Create an integrated governance model

–          Build intelligent monitoring into products

–          Design layered defence into products

How do they do this?  Product security and Organisational security must work more closely together to expand the SDL (Secure Development lifecycle) and collaborate on standards such as;

–          Source code management

–          Anti-counterfeiting

–          Cloud / Hosting

–          Supplier risk management

–          Software integrity controls

–          Make product strategy part of the enterprise risk strategy

–          ..

Make logging of events more intelligent; Build attack-aware software.

–          Leverage threat modelling within the software to log abuse such as buffer overflow and SQL injection attempts

–          Evolve from logging that exists to debug code issues towards logging that is useful for detection, for example by building anomaly and behaviour logging into the program logic

–          Design software to integrate with and leverage the existing enterprise risk ecosystem – whitelists, reputation awareness etc.
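As an added example of the ‘attack-aware software’ idea above (this is not code from the talk or from EMC): an input monitor that runs a few narrow detection points over request fields, writes each hit as a structured JSON log event a SIEM can ingest without parsing free text, and escalates once a user trips a threshold.  The detection points, the threshold and the sample requests are assumptions chosen for illustration; the approach follows the OWASP AppSensor style of in-application detection, which the talk itself did not name.

```python
"""Attack-aware application logging: detection points inside the app.

Added example, not code from the talk or from EMC. Detection points,
thresholds and sample inputs are assumptions for illustration.
"""
import json
import logging
import re
from collections import defaultdict

log = logging.getLogger("appsec")

# Narrow patterns: input that no legitimate client of this hypothetical
# API would send, rather than anything vaguely odd.
SQLI_RE = re.compile(r"('|--|;|/\*|\bunion\b|\bor\b\s+\d+=\d+)", re.IGNORECASE)

# (detection point name, predicate over the raw field value)
DETECTION_POINTS = [
    ("sqli_metachars", lambda v: SQLI_RE.search(v) is not None),
    ("oversized_input", lambda v: len(v) > 256),           # overflow-style probe
    ("path_traversal", lambda v: "../" in v or "..\\" in v),
    ("null_byte", lambda v: "\x00" in v),
]

LOCK_THRESHOLD = 3   # assumed: events per user before escalating to a lock


class AttackAwareMonitor:
    def __init__(self):
        self.events_per_user = defaultdict(int)

    def inspect(self, user, source_ip, field, value):
        """Run every detection point over one input field.

        Returns the structured events emitted for this field; each is also
        written to the log as one JSON line for the SIEM.
        """
        emitted = []
        for name, predicate in DETECTION_POINTS:
            if not predicate(value):
                continue
            self.events_per_user[user] += 1
            event = {
                "event": "input_abuse",
                "detection_point": name,
                "user": user,
                "src_ip": source_ip,
                "field": field,
                "sample": value[:64],          # bounded: never log unbounded attacker input
                "user_event_count": self.events_per_user[user],
            }
            if self.events_per_user[user] >= LOCK_THRESHOLD:
                event["action"] = "lock_account"   # hand-off to the enterprise response process
            log.warning(json.dumps(event, sort_keys=True))
            emitted.append(event)
        return emitted


if __name__ == "__main__":
    # Constructed requests: one legitimate user and one probing attacker.
    monitor = AttackAwareMonitor()
    monitor.inspect("bob", "10.0.0.9", "username", "alice.smith")
    monitor.inspect("alice", "10.0.0.5", "username", "admin' OR 1=1 --")
    monitor.inspect("alice", "10.0.0.5", "comment", "A" * 300)
    monitor.inspect("alice", "10.0.0.5", "file", "../../etc/passwd")
```

The point of the narrow predicates is low false-positive rate: a free-text name field would need its own detection point (an apostrophe in “O’Brien” is not an attack), which is exactly where the threat model for each input decides what counts as abuse.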

Incorporating layered defence into applications / services to resist APT type attacks can be done in various ways including;

–          Utilising split-value cryptographic authentication.  The password (or its verifier) is split across two servers: one holds a random value and the other holds the password XOR’d with that random value, so neither server alone holds anything useful.  The attacker therefore has to compromise both servers and capture both parts within a small time window, because the random value is regularly refreshed and old shares from one server no longer combine with current shares from the other.

–          Assume source code is compromised – anything can be eventually reverse engineered;

  • Never hard code secrets,
  • Adopt a Secure Development Lifecycle,
  • Threat model for source code exposure,
  • Build integrity control into source code reviews
  • Pay attention to comments – we should comment for best practice and code support, but make sure things like ‘To do, must add security here’ are not left in the code!

–          If you use agile methodologies, ensure you have security-based stories.  Review the recommendations from SAFECode;
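To make the split-value item above concrete, here is an added example (not EMC/RSA code, and a simplification of the real protocol): a password verifier is XOR-split across two stores, both shares are proactively re-randomised, and verification only ever reconstructs the verifier transiently in the verifying process.  The class names, the use of PBKDF2 for the verifier and the sample user are assumptions.

```python
"""Split-value password verifiers across two stores with share refresh.

Added example of the split-value idea from the talk; not EMC/RSA code.
Simplification: verify() reconstructs the verifier transiently in memory,
whereas a full protocol compares without reconstructing it. Names and
parameters are assumptions.
"""
import hashlib
import hmac
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_verifier(password: str, salt: bytes) -> bytes:
    # Slow hash, so a verifier that *is* reconstructed still resists dictionary attack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ShareStore:
    """One of the two independently administered servers."""

    def __init__(self, name):
        self.name = name
        self.shares = {}   # username -> one 32-byte share


class SplitValueAuth:
    def __init__(self):
        self.a = ShareStore("A")
        self.b = ShareStore("B")
        self.salts = {}

    def enrol(self, user, password):
        salt = os.urandom(16)
        v = derive_verifier(password, salt)
        r = os.urandom(len(v))
        self.salts[user] = salt
        self.a.shares[user] = r            # random noise on its own
        self.b.shares[user] = xor(v, r)    # also random noise on its own
        # v goes out of scope here; neither store ever persists it.

    def refresh(self, user):
        """Proactive re-randomisation: both shares change, the verifier does not."""
        d = os.urandom(len(self.a.shares[user]))
        self.a.shares[user] = xor(self.a.shares[user], d)
        self.b.shares[user] = xor(self.b.shares[user], d)

    def verify(self, user, password) -> bool:
        if user not in self.salts:
            return False
        v = xor(self.a.shares[user], self.b.shares[user])   # transient only
        return hmac.compare_digest(v, derive_verifier(password, self.salts[user]))


if __name__ == "__main__":
    auth = SplitValueAuth()
    auth.enrol("alice", "correct horse battery staple")
    stolen_from_a = auth.a.shares["alice"]   # attacker images server A at t0
    auth.refresh("alice")                    # scheduled refresh runs
    # A share captured before the refresh no longer combines with B's current share.
    stale = xor(stolen_from_a, auth.b.shares["alice"])
    print("login ok:", auth.verify("alice", "correct horse battery staple"))
    print("stale shares give verifier:", stale == derive_verifier("correct horse battery staple", auth.salts["alice"]))
```

The refresh is what creates the ‘small time window’ the talk mentions: the two shares an attacker needs must be captured between the same two refreshes, and a share stolen from A before a refresh combines with B’s current share to give the verifier XOR the refresh delta, which is useless.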

In summary we need to develop using secure methodologies and use the assumption that all systems are or will be compromised.

K

RSA Conference Europe 2012 – SSL is Cracked panel discussion

The panellists for this were;

Ivan Ristic; Director of Engineering, Qualys, Inc.

Marsh Ray; Senior Software Development Engineer, PhoneFactor

Gerv Markham; Governator, Mozilla

Phillip Hallam-Baker; VP and Principal Scientist, Comodo

Overall some great experience here, including the author of ModSecurity (Ivan Ristic) and the discoverer of the TLS renegotiation vulnerability (Marsh Ray)..

The discussion covered the following topics;

Vulnerabilities / Attacks;

–          Protocol-based – TLS renegotiation, weaknesses in CBC handling on web servers, CRIME (a TLS compression side channel that can result in password or session cookie exposure), the BEAST (Browser Exploit Against SSL/TLS) tool.

–          Implementation-based (e.g. mixed content)

–          Practice-based (certificate authority bad practices)

Solutions and Remedies;

–          Those currently available (e.g. preferring RC4 with TLS 1.0 to side-step the CBC problems – a 2012-era remedy; RC4 itself was later shown to have exploitable keystream biases and is now prohibited for TLS, so do not carry this advice forward)

  • DV, OV and EV = Domain-Validated, Organization Validated, and Extended Validation SSL Certificates

–          Those in Development / Deployment

  • Online Certificate Status Protocol (OCSP) Stapling
  • HTTP Strict Transport Security (HSTS) – a response header that tells the browser that, for a stated period (max-age), it must only connect to this site over HTTPS, never HTTP.
  • Content Security Policy (CSP) – a way to declare, in a response header, which sources of scripts, styles and other content the browser may load for a page.
  • Improved security and audit requirements for CAs (certificate authorities)

–          Those being Discussed (DANE, CAA, CT etc.)

  • DANE – DNS based Authentication of Named Entities
  • CAA – Certificate Authority Authorization (DNS Resource Record)
  • CT – Certificate Transparency (Issuance Logging)

Summary / Take away points;

–          Check Systems (Your Own and Those of Others) – Can go to https://www.SSLlabs.com and enter a URL to test its level of TLS/SSL

–          Analyse Code and Configurations for Vulnerabilities

–          “Tweak” System Configurations and Code

–          Support Implementation of Newer Versions of TLS and other emerging Protocols

–          Patch and/or Replace Systems

–          Web Security based on SSL/TLS Continues to Evolve and Improve

 

Overall this was an interesting and thought provoking discussion.  However, as is often the case, putting a bunch of passionate, opinionated and knowledgeable geeks on a discussion panel together resulted in a somewhat rambling debate.  This was very hard to capture / document in any detail, but hopefully the comments highlighting some current vulnerabilities and remedies being looked at will provide a starting point for you to do some further research if you are interested.

K

RSA Conference Europe 2012 – Moving your SOC beyond the bloatware

Talk from Amit Yoran of EMC/RSA.

Where SOC in the title refers to Security Operations Centre.

Everything is evolving;

–          Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations

–          Data is evolving rapidly – explosive data growth, big data

–          Threats are evolving rapidly, with actors from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – hacktivists) to nation states.

Existing security systems are ineffective;

–          Signature-based – from AV to anti-spam to firewalls to IPS, these tend to look for known things and behaviours (signatures)

–          Perimeter-orientated – firewalls, IDS / IPS, router security etc. still make up much of the focus, yet we are becoming more and more porous or boundary-less.

–          Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long.  How do we reduce this attacker free time or dwell time?

Focus needs to shift from I will stop breaches to I will be breached and how do we manage this and prevent / minimise damage.

Identified four impediments to change from the current;

–          Information deluge – too much information

–          Budget dilemma – so much hype and marketing, what do I spend limited budget on?

–          Cyber security talent – what talent do I have in my organisation, how do I leverage it, and how do I scale the reach of a limited number of very talented people to work for the whole organisation?

–          Macro situational awareness – how aware am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but limited ability to deal with the complex, multi-faceted attacks of today.  Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like?  It is much more complex than just whether a login is valid; ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.

Traditional SIEM is not enough –

–          Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools

–          Cannot fully investigate exfiltration or sabotage of critical data

–          Issues with scaling to collect, sort, and analyse large enough data volumes

Need better security analytics!
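As an added example of the kind of analytic a single-event SIEM rule does not express (this is not RSA/EMC code): a pass over authentication logs that flags an account succeeding on many distinct hosts inside a short window, which is what lateral movement with a stolen credential tends to look like.  The log format, the sample lines, and the threshold of four distinct hosts in ten minutes are assumptions.

```python
"""Fan-out detection over authentication logs (lateral movement).

Added example, not RSA/EMC code. The log line format, the sample lines
and the threshold are assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)
WINDOW = timedelta(minutes=10)   # assumed
FANOUT_THRESHOLD = 4             # assumed: distinct hosts within WINDOW


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return d


def detect_fanout(lines):
    """Return one alert per account that reaches the fan-out threshold."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "success"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # user -> (ts, host) within the sliding window
    alerts, alerted = [], set()
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= FANOUT_THRESHOLD and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({
                "user": e["user"],
                "hosts": sorted(hosts),
                "first": q[0][0].isoformat(),
                "last": e["ts"].isoformat(),
            })
    return alerts


# Constructed sample: a workstation user doing normal work, and a service
# account that suddenly authenticates across the estate from that workstation.
SAMPLE_LOG = """\
2012-10-10T09:00:05Z host=ws-017 user=j.smith src=10.0.5.17 result=success
2012-10-10T09:02:11Z host=fs-01 user=j.smith src=10.0.5.17 result=success
2012-10-10T09:02:40Z host=fs-01 user=svc_backup src=10.0.5.17 result=success
2012-10-10T09:03:02Z host=db-02 user=svc_backup src=10.0.5.17 result=success
2012-10-10T09:03:30Z host=ad-01 user=svc_backup src=10.0.5.17 result=failure
2012-10-10T09:04:10Z host=app-03 user=svc_backup src=10.0.5.17 result=success
2012-10-10T09:05:55Z host=ad-01 user=svc_backup src=10.0.5.17 result=success
2012-10-10T13:30:00Z host=fs-01 user=j.smith src=10.0.5.17 result=success
"""

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each line on its own is a successful login and would pass any per-event rule; the signal only exists once events are kept and correlated across time and hosts, which is the warehouse-plus-analytics point the talk makes.  A production version would also weigh whether each host is one the account has ever been seen on before.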

Incident response lessons learned;

–          Stop doing things that provide little value

–          Focus on securing the most important material assets to the enterprise and understand their risk exposure from people to processes to systems to data

–          Obtain a deeper visibility into what is happening on the network and what is known about the organisation and its users

–          Collaborate in real time with others more effectively and gain actionable intelligence

–          Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make them valid and don’t tune behaviour just to do well on the ‘test’!

Security operations require;

–          Comprehensive visibility

–          Agile analytics

–          Actionable intelligence

–          Optimised incident management

How do we improve understanding and analytics?

–          Security Analytics Warehouse

Scalable, centralised data warehouse for long-term data retention and deep intense analysis.

Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

Allows us to move to ‘active defence’ that gives the user ability to take action or automatically remediate common functions.  This turns a passive system into an active one, largely using existing infrastructure.  In turn this fuels actionable and effective workflows for the SOC.

Interestingly this talk links back to those on SOA and big data from the Service Technology Symposium; both identify the need to manage and analyse big data in real time, or as near to real time as possible.  These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions.  Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved.  Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC, there were hints of their products, but none mentioned and no sales pitch.

K

RSA Conference Europe 2012 – The Science Lab: Live RAT Dissection

Great talk and demo from Uri Fleyder and Uri Rivner on VNC-based Man In The Browser (MITB) attacks.  The talk started with some general observations on the current state of the malware market, then went into the demo.

Why RATs are spreading in the underground – we are moving to a much more advanced underground supply chain.  This follows neatly from the keynote talks about the ever increasing availability of advanced tools.

A great example is the Citadel Trojan kit.  It was developed from Zeus, which was sold and then had its source code leaked.  Citadel is a live, ongoing project with many add-ons, from GUI-based Trojan development to deployment.  Citadel itself only costs $2399 plus modules, and yearly membership of the Citadel online ‘app store’ costs as little as $125 per year.  Modules can be bought for small amounts of money, such as:

Log parser for $295

Automatic iFramer of FTP accounts from logs for $1000

Recent releases of Citadel include multiple enhancements such as injects directly from the control panel.

This highlights just how easy it is to get access to advanced malware creation kits, and how low the cost of entry currently is.

The demonstration of the Man In The Browser (MITB) attack showed a user accessing a compromised site.  The browser appeared to crash, then the user re-opened it and carried on working.  The user then accessed their bank and received a security warning saying that some checks were being performed to update their machine’s security, that these might take a few minutes, and please do not close or refresh the browser window.

At the same time the criminal received a text telling him a new machine had been compromised.  He then logged into his Zeus control panel to see what the machine was and which bot had infected it.

The next step is that the bank site asks the customer to input their credentials, including PIN and key code, to access their account.  This is achieved by injecting JavaScript into the banking page in the user’s browser.

From the criminal’s machine, the criminal uses VNC to log into the user’s machine and from there into the user’s bank account.  The user entering their PIN and code details enables the criminal to perform a transaction on their account, such as a funds transfer.  The criminal does this in the background while the user is waiting for the initial ‘security checks’; once the criminal gets to the point where they are stuck and need the user’s 2-factor credentials, they update the injected message to request those details, as mentioned in the previous paragraph.

The criminal is sent the username and password from the initial login;

https://twitter.com/ufleyder/status/255643717027913729/photo/1

Then the 2-factor code from the second message;

https://twitter.com/ufleyder/status/255646235078307840/photo/1

The criminal then sends a sorry site down for maintenance screen to the user again by injecting it via JavaScript to the bank page the user thinks they are accessing.  This is to try and allay any fears or concerns so the user (victim) does not immediately suspect something malicious has occurred.

This works because the user has gone to the banking page they trust, and as they typed the URL or went to their saved favourite rather than clicking a link somewhere, they assume all is well.

Another advantage of this type of attack for the attacker is that the transactions appear to come from the user’s machine, because the attacker is working through a VNC (remote administration) connection to it.  This circumvents any checks the bank (or whatever site) has in place to scrutinise connections or transactions initiated from unknown devices.

According to European banks, something like 30% of all fraud now comes from same-device attacks like this.

Summary;

–          VNC embedded in Zeus clones is a dramatic escalation of the threat level.  Make sure your defences are ready!

–          Continuous monitoring is more resilient – e.g. user behaviour analysis, how fast is the user clicking and entering data, what is their pattern of clicks etc.

–          Don’t rely on identifying the device

–          Consider randomising / encrypting the DOM space

–          Zeus and other clones are polymorphic, normal scans are not effective

–          Make sure your machines are getting all relevant patches

–          We used to rely on something you know, this is broken, now we rely on something you have, this is crumbling.. What next, something you are linked with behavioural analysis?
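To make the ‘continuous monitoring’ and ‘don’t rely on identifying the device’ points above concrete, here is an added example (not code from the talk or from RSA): a per-user behaviour profile built from past sessions, and a scorer that flags a new session whose typing rhythm is far from the user’s baseline or whose navigation path consists mostly of transitions that user has never made.  The baseline sessions, the suspicious session, the features and the thresholds are all constructed for illustration.

```python
"""Session behaviour scoring for same-device fraud.

Added example of the behaviour-analysis point from the talk; not RSA
code. Baseline data, the suspicious session and thresholds are
constructed assumptions.
"""
from statistics import median


def build_profile(sessions):
    """sessions: list of (inter-keystroke intervals in ms, page click path)."""
    medians = [median(iv) for iv, _ in sessions]
    centre = median(medians)
    # Median absolute deviation, floored at 5% of centre so a small,
    # unusually consistent baseline does not flag every normal session.
    spread = max(median(abs(m - centre) for m in medians), 0.05 * centre)
    transitions = set()
    for _, path in sessions:
        transitions.update(zip(path, path[1:]))
    return {"typing_centre": centre, "typing_mad": spread, "known_transitions": transitions}


def score_session(profile, intervals_ms, click_path, typing_limit=3.0, novelty_limit=0.5):
    """Compare one live session against the profile; returns flags and reasons."""
    typing_dev = abs(median(intervals_ms) - profile["typing_centre"]) / profile["typing_mad"]
    steps = list(zip(click_path, click_path[1:]))
    novel = [s for s in steps if s not in profile["known_transitions"]]
    novelty = len(novel) / len(steps) if steps else 0.0
    reasons = []
    if typing_dev > typing_limit:
        reasons.append(f"typing rhythm {typing_dev:.1f} MADs from baseline")
    if novelty > novelty_limit:
        reasons.append(f"{novelty:.0%} of navigation steps never seen for this user")
    return {"typing_dev": typing_dev, "novelty": novelty, "flag": bool(reasons), "reasons": reasons}


# Constructed baseline: five past sessions for one customer.
BASELINE_SESSIONS = [
    ([190, 210, 205, 180, 220, 195], ["login", "balance", "statements", "logout"]),
    ([200, 185, 215, 205, 190, 210], ["login", "balance", "transfer", "confirm", "logout"]),
    ([175, 205, 195, 210, 185, 200], ["login", "balance", "logout"]),
    ([210, 190, 200, 195, 215, 185], ["login", "balance", "statements", "transfer", "confirm", "logout"]),
    ([195, 200, 205, 190, 210, 200], ["login", "balance", "logout"]),
]
PROFILE = build_profile(BASELINE_SESSIONS)

# Constructed live sessions: the customer again, and someone else driving the
# same device over VNC straight to a transfer.
LEGIT_SESSION = ([205, 195, 215, 200, 210, 190], ["login", "balance", "transfer", "confirm", "logout"])
ATTACK_SESSION = ([55, 60, 50, 65, 58, 62], ["login", "transfer", "confirm", "cards", "transfer"])

if __name__ == "__main__":
    print("legit :", score_session(PROFILE, *LEGIT_SESSION))
    print("attack:", score_session(PROFILE, *ATTACK_SESSION))
```

Neither feature identifies the device, which is the point: the attacker is on the victim’s device, so the only things left to compare are how the session behaves and whether its pattern fits the account’s history.  In practice these scores feed a risk engine that steps up authentication rather than blocking outright.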

A lot to think about here..

K