APT – Kevin Fielder's Blog

CrestCon and IISP congress – Dr Ian Levy presentation

Today I attended the CrestCon and IISP congress. One of the keynote presentations was by Dr Ian Levy the technical director of the NCSC (National Cyber Security Centre). This was titled ‘NCSC – WTF’. It was a very interesting and refreshingly forthright talk, so I thought I would share it! He covered a lot of the work and plans of the NCSC along with some of his personal thoughts.

My notes from the presentation are below, I have included various links for ease of reference, and definitely recommend reading the materials they lead to.

National Cyber Security strategy 2016-2021

Sets out government cyber policy for the next few years – read this!
- https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021

Basically – information sharing is not enough, get off your arse and do something about it! (his words 😉 )

NCSC;

Should be single government / legal point of contact you got to for anything Cyber.
A different sort of agency

Collaborate with the NCSC – Secondments for Cyber experts to work with and help the country’s cyber security

APTs are in the press a lot, however lets be honest;

Anatomy of most unprecedented, sophisticated cyber attacks;
- Attacker does a bit of research
- Attacker sends a spear phishing email to an admin
- Admin opens email using admin account, exploiting unpatched stuff
- Attacker does nefarious stuff as admin
- Monitoring does not work
- Attacker takes data or changes data
- Profit

Most APT is not APT at all. Is the focus correct? APT – less Advanced Persistent Threat – more likely Adequate Pernicious Toe-rag.. (heard this before, not sure who first coined the term..)

XKCD – Security tips cartoon! Highlighting that some security advice is not always the best..

Some general thoughts;

Admins must not browse the web or use email with admin account – if you still allow this, you should get a new job..
Have a different, complex password for each system you use – stupid advice!
- NCSC – password security
- https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
(not)Awesome advice – Don’t open an attachment unless you trust the email.. – How do people ‘trust an email’???
- If you own an email domain and don’t use DMARC you should be ashamed..
- NCSC have open sourced their DMARC management solution – could we use this rather than paying for something? They even have a dashboard that will be open source soon.
- https://www.ncsc.gov.uk/blog-post/open-sourcing-mailcheck

The NCSC is trying to reduce harm by asking nicely – automatically asking ISPs and hosting providers to take down malicious sites

Recursive DNS is my friend.

Hosting their own DNS – moving all public sector organisations to using the NCSC DNS – they will automatically not provide details for known bad sites / services so unless you connect by IP you just wont get to them

NCSC – Active Cyber Defence programme. This provides a great overview of many of their initiatives and how they hang together;

https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackling-cyber-attacks-uk

Read Understanding Uncertainty – ‘Medicine, poison, poison, poison’;

https://understandinguncertainty.org/medicine-poison-poison-poison-%E2%80%A6%E2%80%A6
Great overview of understanding risk and uncertainty, but in context..
- Context is key to ensuring you really understand and focus correctly

Goal for NCSC – From fear to published evidence and analysis

So you can target you security strategy and spending appropriately!

Keep security advice basic, brief and relevant

E.g. 5 tips for email.. 5 tips for phones etc. something like – encrypt, keep up to date, use a pin, don’t jailbreak, only install apps from google play / apple store.

‘Hacking back’ / Offensive security – his opinion

Should be reserved for government, potentially not legal for private firms.
Must be very organised, concerted effort. Attribution is very hard..
Any private company doing this is mad, due to potential repercussions.

If you have any questions I’ll try to answer them, but I hope you have found this and the links interesting!

RSA shell crew investiagtion

I was recently asked to summarise and comment on the recent RSA investiagtion and published report into the the ‘shell crew’ attacks, so thought I’d share this;

The Shell Crew attacks investigated by RSA IR are a clear example of what is usually referred to APT (Advanced Persistent Threat) attacks. They were able to persist for considerable lengths of time in various enterprises, all the while covering their tracks, updating malware and backdoors. During the time they were inside the various enterprises their aim was to exfiltrate as much data and intellectual property as possible.

They used a variety of techniques from phishing and spear phishing (extremely targeted phishing) to web application framework attacks to gain entry, and once inside used many techniques including;

– Web shells

– Lateral movement, making use of RDP, psexec, open network connections and job scheduling via the at command.

– Code signing of backdoor malware so it installed without warnings

– Utilising SETHC RDP backdoor

– Proxy tools installed on servers to avoid corporate proxies

– Proxy away malwae that connected out using stolen credentials

– Falsifying time and date stamps on malicious files

Prior to the attacks there were length periods of reconnaissance of the businesses and their technical footprint.

Looking at the tools and techniques used it appears they predominantly attacked Windows based systems

The example detailed involved a hack of a web server running a vulnerable version of Adobe ColdFusion, where the vulnerability enabled directory traversal. This enabled them to access the password file for ColdFusion, download it and crack it (likely with rainbow tables). The next step was to download and install web shells, backdoor software and various password cracking and hashing tools onto the server.

Some take away points include;

Details of the exploit were clearly captured in the web server logs – highlighting the need for proper log correlation and alerting.
They logged into the web server with the Admin password within 10 minutes of stealing the hash – 2-factor authentication should be used for web accessible accounts where possible. If passwords must be used, a large salt must be added to the hashes.
Once they were on this server they quickly moved to control / access many other servers on the compromised network.
Various ‘entrenchment methods used to ensure their presence was hard to remove including;
- They used various web shells from simple one lines ones all the way to advanced ones with trojan like capabilities. Web shells are malicious files written in web scripting languages. They have some benefits over trojans such as being rarely detected by AV programs, run within the web server so blend with other traffic and hard to block, and no need to beacon home.
- Registering malicious DLLs so that the commands they run were interpreted by the malicious DLL making them harder to detect
- Modifying the System.Web.dll file (this is a core.net dll) enabling specifically crafted posts to the server that without a # at the start would just result in a 404 page
- Installation of custom variants of the ‘Trojan.Derusbi’ malware. This monitors all open TCP ports on the server for a specific simple, but pseudo random, handshake. When it sees one it responds with a handshake. The remote user can then control the trojan with various obfuscated commands. These include file traversal, starting / stopping processes, uploading / downloading files, time stomping (deleting or modifying time stamp related information on files – makes forensics more challenging), opening reverse shells, locating and decrypting passwords stored in browsers such as IE and Firefox.
- Sethc backdoor – replacing the setch exe with cmd or explorer, or making a registry change to the setch entry. If RDP is enabled, connecting, then pressing SHIFT 5 times will then bring up CMD, explorer, or the debugger.
On top of this they also downloaded a lot of other malicious files and ‘secondary tools’ including many variants of the Derusbi trojan, notepad.exe (actually multi purpose malware including proxy capabilities, time stomping, user impersonation, Run As etc.), credential loggers etc.
The attack appears to target Windows Server 2003, 2003r2 and XP variants. – ensure you are using current versions of operating systems, and that they remain fully patched
Obfuscation of code for the various malware tools was heavily used. While it is often not complex to manually de-obfuscate the code, this technique helps malware avoid detection by automated tools and also means the code / scripts don’t look like they are code to the untrained eye if an admin or someone stumbles across them.
Credential capture / logging was attempted in various ways on compromised machines in the estate including; Hash Dumping (grabbing hashes then likely using rainbow tables to crack them), Keystroke logging, MSGINA (MS Graphical Identification and Authentication – key part of MS logon process) man in the middle, and hooking into authentication functions.

Overall this is a good, in depth report that really highlights both how easily an adversary can gain access to the corporate network, and how entrenched they can become across many servers in the network once they have a foothold.

Up to date, patched systems, defence in depth, and first rate logging, correlation and alerting are key factors in prevention and quick detection of breaches.

Detection and response are becoming increasingly important in a world where you will be compromised.

2013 personal review and 2014 plans

Happy New Year readers 🙂

So it’s that time again, new year, new plans and all that.

Before I look ahead to my plans for 2014, how was 2013?

The educational highlight for 2013 was completing my Masters project and gaining my MSc in ‘Distributed Systems and Networks’.

I also managed to attend a few interesting conferences including Infosec, F5, and Information Security Forum. Relevant notes from these events were uploaded to this blog throughout the year.

My education fail for the year was not getting round to taking my TOGAF exam. This is one of those things that looks like it may be career useful, but I am not particularly passionate about. I have completed the course and worked in environments where it is applied, so understand the framework and how to use it, however getting motivated to do the exam has failed to reach the top of my to-do list. I’ll see how this year goes, 2014 may be the year I get round to it.

Work wise it was all change in 2013 as well with my move from Canada Life to WorldPay in January. One of the best moves I have made, Canada Life was a pleasant place to work, but the slowest and least dynamic company I have ever been in.. Some people are very happy there, but it wasn’t for me! WorldPay is considerably more dynamic and being a payment processor places a high value on doing things securely which makes my roles as a security architect very rewarding.

There are a lot of changes happening at WorldPay so watch this space for updates on my career and where it si heading. One way or another I’ll definitely be staying the in the security field, and very likely architecture.

Which brings us nicely onto 2014..

From a work project perspective this year is still very much up in the air, some projects I definitely know about include;

– New SIEM solution unifying the log correlation solution across the business,

– Creating security road maps and strategy,

– A considerable amount of application security and WAF (Web Application Firewall) work,

– Implementing APT (Advanced Persistent Threat) protection and detection,

– Supporting the design and creation of a new Security Operations Centre,

– Setting up various avenues to better integrate security with the wider business so we can communicate better with stake holders and customers,

– Several other things not yet ready for disclosure but I will update on what I can throughout the year.

One of my main plans for this year is to get more involved with the business as I am pretty good at staying abreast of security and the technical side of things, but don’t always have as much involvement and awareness of the business as I perhaps could / should.

As a starter for 10, given that my last three role have been in the financial sector I have recently started reading the economist which is surprisingly interesting. I have also picked up a couple of projects such as the one mentioned above around communicating better with the business to aid this in my current role as well wider industry awareness.

Other than that 2014 will include my graduation ceremony, some conferences, and likely some further study. Time permitting I may also submit speaking proposals to a couple of conferences, but this is very much a maybe.

I’ll also be working to implement some more of the tips from the Productivity Ninja to aid planning and organisation.

What are your plans for the year?

Here’s to a successful 2014!

Security Awareness Training – Worthwhile?

One of the topics that I sometimes think about is the value of security awareness training.

This tends to be a topic that many people in the security industry seem fairly passionate about, either for or against the value of it.
Vendors of software / programs such as Wombat, PhishMe, SANS etc. are all very pro user awareness training and regular programs to raise security awareness.
Conversely companies who sell products and not training are likely to strongly advise security budget is spent on tools rather than awareness training. To renforce this point at RSA Europe last year I actually asked a couple of senior RSA guys about the value of awareness training when they did a presentation around improving security and where to spend, and was told somewhat strongly that awareness training was basically a waste of time.

So the question is who is right, or do both sides have a fair point?

On the for side – how can users be expected to act securely and know how to act securely without some training? People need to learn and understand how to spot phishing emails, why it is bad to send anything non public externally without it being encrypted, why stronga and unique passwords should be used, how to spot social engineering etc. Security awareness training and campaigns can serve a dual purpose –
– Ensure users learn more about security for both their work and home IT / online lives
– Raise general awareness – a continual program of advice and varied messages keep general security and secure methods of working on peoples minds – this should not be a once a year process.
Any increase in security awareness and reduction in the attack surface that is the human user must be a good thing right?

On the against side – what is the most effective way to spend a limited security budget? Does spending budget on training offer the sam improvement in overall security as say adding a further layer to the defence in depth strategy or hiring extra dedicated IT security personel? Even with training a significant number of users will stil click the link in a phishing email or give out details they shouldn’t to a social engineer, so you still need all the other defences, both technical and personel even if an extensive security awareness program is undertaken.
– Users will always be a large security risk, so it’s best to treat them and their actions as untrusted and create a security posture accordingly.

So which side is right? I think to a large extent they both are. Depending on which report you read, something like 60-80% of all APT (Advanced Persistent Threat) attacks are initiated via social engineering – e.g. getting a user to do something for the attacker. So the most insidious attacks that are very difficult to detect and currently being used by the security industry as the driver for selling new security tools tend to start with the user. Then surely reducing the chances someone will succumb to social engineering much be a good thing? Yes you’ll never get to 100%, but then no actual security device ever detects or prevents 100% of attacks. So why do security tool vendors not like awareness training? Likely money and profits.

A balanced approach is key, understand the environment and threat landscape your company operates in and create a holistic security program encompassing the necessary tools, skilled security personal and user awareness training.

So, how can awareness training be made as effective as possible? Along with mixed and continuous messages and taking the time to make security part of the culture, the key thing is to get the message to people and make them want to take it on board. I think there are two components to make this successful;
– Fear – not with lies or exaggeration, but highlight real stories, as especially stories that people will relate to so think Playstation and Bank / online shopping hacks.
– Make it relevant – Link the secure ways of working to peoples home lives so highlight how they can be secure online, not fall for scams, use social sites as safely as possible, shop safely etc.

To conclude my opinion is that security awareness training does add real value and should be part of any security program. It does not however replace in anyway the need for a strong defence in depth strategy aligned to your business and threat landscape. What do you think?

13 Security Myths Busted.. My thoughts.

I was recently sent a link to an article covering what were described as ’13 security myths – busted’ and asked my opinion. As it was a fairly light and interesting I thought I would share the article and my thoughts;

The original article can be found here;

http://www.networkworld.com/slideshow/86918/13-of-the-biggest-security-myths-busted.html?source=NWWNLE_nlt_afterdark_2013-02-21

Have a read of the myths and why they thin they are myths, read my thoughts below, and it would be great to hear your thoughts.

1. AV – Possibly not super efficient, but I think still necessary – they kind of mix apples and oranges with the targeted attack comment, as it is not designed for that, but it still prevents the vast majority of malware, and general attacks. Possibly and an environment where literally no one runs with admin privileges and there is strong white listing you could do without AV, but generally I’d say it is still relevant and required.

2. This one is hard to know as there is so much FUD around. It is clear that in many circumstances (stuxnet etc, Chinese APT , US government espionage etc.) that governments are investing huge sums of money and employing extremely bright people to attack and defend in cyber land. I suspect much will never be known as the NSA / Mi6 / <insert secret government money pit here> are by definition very secretive. Remember all the speculation around the NSAs ability to crack encryption in the past..

3. Totally agree – just look at most businesses and the trouble they have getting control of authentication via AD / IAM. However, many are moving in the right direction though so maybe soon we’ll have everything in IAM and / or AD..

4. I think this one proves itself incorrect in the text – Risk management is needed, you just need to work on understanding your adversaries and the actual risks you face, which includes understanding their motivations and the value they place on your data and IP.

5. This I totally agree with. I have already highlighted I don’t really like the fact we as an industry use the term ‘best practice’ all over our standards and policy documents etc – who defines what it is? Is it best in any specific environment with it’s support skill sets and technology stack etc?

6. Half agree they are a fact of life, however you can have effective responses and strategies around privilege control and application controls etc. to massively mitigate the risks these pose.

7. I can’t comment on this one, but most national infrastructures are inadequately protected and tend to rely on old legacy systems for many of their functions so this is probably try in the UK for much supporting infrastructure as well.

8. Completely agree with this. Compliance is a useful checklist, but compliance with standards should be a by product of good secure design and processes, not something we strive for as a product in itself. If provides a driver but is very much the wrong focus if you want to be secure rather than compliant.

9. Agree – CISO may own security policy and strategy etc., but security is everyone’s problem and everyone should be accountable for performing their duties with security and security policies in mind. I’m a big fan of security awareness training as a regular thing to help educate people and keep security at the forefront of the way we do business.

10. Likely has been true, in the same way as Mac / Linux are ‘safer’ than Windows, as it has not been the focus of as much malicious attention and has not been carrying as much functionality and valuable data. This is rapidly shifting though as we rely more and more on mobile devices for everything from banking to shopping to actual business. So I think this one is rapidly if not already becoming a myth.

11. Agree – you can likely never be 100% secure if you want to have a life or business online. I think it was an American who coined ‘eternal vigilance is the price of freedom’ we should work to be secure, but freedom both individually and as a business is too important and hard won to give up. Obviously some personal freedoms to do whatever you want with corporate devices have to be given up, but I think my point stands as a general concept. As the guy in the article says (and I do above) work to understand your adversaries, their motivations and tools.

12. Agree with this one also – continuous monitoring, trending and learning are key to understanding and preventing or at least capturing todays advanced long term threats such as APTs.

13. I agree with this final one as well, and have actually blogged about this before. We live in an ‘assume you have or will be breached’ world. Put the detective measures and controls in place to ensure you rapidly detect and minimise the damage from any breach. Read last years Verizon data breach report..

It would be great to hear your thoughts on this light article.

Cloud Security Alliance Congress Orlando 2012 pt3 – Day 1 closing keynote

Next Generation Information Security – Jason Witty

Some statistics and facts to set the scene;

– 93.6% is the approximate percentage of digital currency in the global market!

– 6.4% cash and gold available as a proportion of banking and commerce funds..

– 45% US adults own a smartphone – 21% of phone users did mobile banking last year.

– 62% of all adults globally use social media

– Cloud ranking as #1 in top strategic technologies according to Gartner – 60% of the public cloud will serve software by 2018

– 2015 predicted as the year when online banking will become the norm..

– Nielson global trust in advertising report for 2012;

– 28,800 respondents across 56 countries – Online recommendations from known people and review sites 80-90%+used and trusted, traditional media, falling below 50% used and trusted.

– NSA were working on their own secure smartphone. Plans scrapped and now they are working on how to effectively secure consumer smart phone devices. Consumer mobile devices are everywhere!

Emerging innovations; cloud computing..

– IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.

– By 2016 SaaS will account for 60% of the public cloud

Cost savings often cited as reason for moving to the cloud; however other benefits like agility, access to more flexible compute power etc. often mean cloud migrations enable better IT for the business and thus you can do more. So increased quality and profit result, but casts likely remain flat.

Trends in Cybercrime;

Insiders – can be difficult to detect, usually low tech relying on access privileges

Hacktivists – responsible for 58% of all data theft in 2011

Organised crime – Becoming frighteningly organised and business like

Nations states – Since 2010 nation state created malware has increased from 1 known to 8 known with 5 of those in 2012. Nation states now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.

Organised Crime – Malware as a Service

Raw material (stolen data) – Distribution (BotNet) – Manufacturer (R&D, Code, Product Launch) – Sales and support (Delivery, Support (MSI package installation, helpdesk), Marketing – Customer (Affiliates, Auctions / Forums, BotNet Rental / Sales)

Crime meets mobile – Android – patchiy updates as vendor dependant, many pieces of malware, but play store security getting better.

Nation states becoming increasingly active in the world of malware creation..

So, Next generation Information Security;

– Must be intelligence driven

Customer
Shareholder
Employee
Regulatory
Business line
Cyber threat

– Must be comprehensive

Anticipate – emerging threats and risks
Enable –
Safeguard

– Must have excellent human capabilities

– Must be understandable – need to explain this and ensure the board understands the risks and issues – PwC survey – 42% of leadership think their organisation is a security front runner. 8% actually are. 70% leadership thing info sec working well – 88% of infosec think leadership their largest barrier to success..

– We cannot do this alone: Strong intelligence partnership management

Pending cybercrime legislation;

– White house has stressed importance of new cyber security legislation.

– Complex laws take time to review and pass; technology environments change fast.

– Various Federal laws currently cover cybercrime – Federal computer fraud and abuse act, economic espionage act etc.

– Likely executive order in the near future with potentially large cybercrime implications.

While this is a very US centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.

Intelligence driven: the next phase in information security;

– Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats

– Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets

– Building and nurturing multiple data sources. Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.

– Establish automated analytics and establishing patterns of data movement in your organisation

I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012. This can be downloaded from here;

http://www.rsa.com/innovation/docs/11683_SBIC_Getting_Ahead_of_Advanced_Threats_SYN_UK_EN.pdf

Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012. Encompasses; Security – Privacy – Reliability – Business Practices.

Managing risk at all layers..

Thoughts –

– If I move to a CSP and they have the same level of security as me, and I am saving money then I am being efficient

– If I move to a CSP and they have better security than me I am mitigating risk

Help adopters understand why!

– Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

www.microsoft.com/trustedcloud

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry. This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

– Consult guidance from organisations such as the CSA

– Require that provider has obtained their party certifications and audits such as ISO/IEC 27001:2005

– Ensure clear understanding of security and compliance roles and responsibilities for delivered services

– Know the value of your data and the security and compliance obligations you need to meet

– Ensure as much transparency as possible e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.

————

Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?

Stats;

– 52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

– A new piece of malware is created every second

– Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common. Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance

2.Weaponization

3. Delivery

4. Exploitation

5. Command and Control

6. Propagation

7. Exfiltration

8. Maintenance

Advanced Malware examples include;

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations networks to control other systems.

– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)

We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.

Tactical trends in Hacking;

– Professionalism and Commoditisation of Exploit Kits

– Man in the Browser attacks becoming more common

– Android Framework for exploitation (BYOD = BYOM (Bring Your Own Malware)

– Proximity attacks realised (Microphones turned on in laptops / phones / tablets, Bluetooth attacks)

– Mobile malware proliferation

– Application attacks

– Botnets migrating from IRC to HTTP

– Attacks against Macs

Cloud security issues / considerations;

– Server and VM integrity (virtualisation attacks, Inter VM attacks, Instant on Gaps)

– Network and Intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences. We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

– Has the cyber security posture of all third parties been audited?

– Is access to all sensitive systems governed by 2-factor authentication?

– Does a log inspection program exist? How frequently are they reviewed?

– Does file integrity monitoring exist?

– Can vulnerabilities be virtually patched?

– In MDM and mobile management software utilised?

– Do you utilize DLP?

– Can you migrate layered security into the cloud environment?

– Do you maintain multi level, rule based event correlation?

– Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly more sophisticated and we need to work hard to not just keep up but to try and get ahead of them. The closing points under the heading ‘Risk management in 2012‘ are well worth bearing in mind when thinking about your risk management process / strategy.

————————

Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance

Recipe;

Define business relevance of each data set being moved to the cloud
Classify each data set based on business impact – must be business driven, not IT
Inventory data – technical and consultative. Mentioned that DLP one of the best ways to discover and maintain data inventories.
Destroy (or archive offline) any unnecessary data
Inventory users – into user roles / role types (can do other things as well like geography)
Associate data access with business processes, users, roles
Determine standard control requirements for each data set
Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
For each data set, identify acceptable platform based on the required controls and security level of the data
Ensure only users that need access to data have access to it, and that this access is at the appropriate level
Identify and Implement appropriate controls across each cloud environment
Validate and monitor control effectiveness

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!

Cloud Security Alliance Congress Orlando 2012 pt1

This week I am at the Cloud Security Alliance (CSA) congress in Orlando. The week has been pretty hectic with meeting people and receiving an award etc. I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.

Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months.. On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.

It terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale. The conference is obviously a lot smaller than RSA, but was surprisingly well organised. Content we also pretty good, a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting. Overall I would definitely recommend coming to this next year if you have any interest in cloud security.

As with the previous conferences I’ll split the day’s notes into a couple of posts. In order to get these up now rather than waiting until I get home and finding time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be. I will be creating more detailed follow up posts for some of the key issues that have been discussed.

Opening Keynote 1 – The world is changing; we must change with it!

– What do you do if you have a security incident in a faraway country? Your Law enforcement / government has no jurisdiction.. eBay has directly indicted over 3000 people globally due to the security / incident response and investigation teams.

– Have to create capabilities to share vital information globally

– Computation is changing

Exponential data growth and big data

– Adversary is professional, Global and Collaborative

We are all fighting alone

– Threat continues to increase

– Business environment is changing

– Change the way you think!

Can we make attack data anonymous enough that is can be shared in a meaningful way to help others and improve overall understanding and security

– Look at things like CloudCert

Computing is changing;

– Cloud computing is just the beginning

Shared datacentres, networks, computers etc..

– Driven by cost savings and need to be competitive in a global marketplace

– Virtualisation – Mobile – BYOD (explosion of devices)

– Increasing reliance on Browser

Secure Browser ‘App’ vs. URL (Apps vs. things like HTML5)
Do we start building Apps / Browsers dedicated to specific tasks for critical / risky tasks such as banking, online shopping with card details etc. This would stop XSS.

Exponential data growth – Big data

– In 2010 humanities data passed 1 zettabyte – (1 with 21 zeros after it).

– Estimated volume in 2015 – 7.9ZB

– Number of servers expected to grow by 10* over the next 10 years.

Threat escalation;

Malware 26M in 2011 – 2.166M/mo. – 71,233/day. 73% Trojans.
Application lifecycle – how long will the legay apps you use be around?

– Mobile

First attacks on O/S
First mobile drive by downloads
Malicious programs in App stores
First mass Android worm

– Attacks built in the Cloud are invisible, and inexpensive

Role of cloud providers in detecting attack development – what are the implications of this – to prevent attacks CSPs would need some visibility around what you are doing.. Would you want this?

Business Environment Changes

– Drive to innovate

Scrums, agile computing initiatives change the way we work
Security needs to work in a more agile way

– Rapid delivery of features and functions

Build securely – not build and test

– Impact of Intense, Global competition

– SMBs are the foundation of US recovery but need help

– Blurring of home/personal and work

Six Irrefutable Laws of information Security;

Information wants to be free
Code wants to be wrong
Services want to be on
Users want to click
Even a security feature can be used for harm
The efficacy of a control deteriorates with time

The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear..

Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get.. Again highlights the point that you will be hacked..

What do we need to do? – We need intelligence!

Director of Georgia Tech Information Security Centre, 2011 –

“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”

We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?

What is needed to get where we need to be?

– Global perspective

Not National
Not Government

– Global Information Sharing

Sources
Solutions

– Intelligence based security

Strategy and Budget

– We MUST eliminate the obstacles!

Global Information Sharing

– We have been trying for decades

– How do we establish trust

Methods to make data anonymous
Attack data sharing

– Who shares?

Needs of SMBs

– Role of Governments (pass treaties around data sharing and cross boundary working)

– Benefits go far beyond incident response

Incident response in the Cloud;

– Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)

– Consider model you use – IaaS / PaaS / SaaS and what this means

– Network control

– Log correlation and analysis – where are these, who owns them, who can access them..

– Roles and responsibilities

– Access to event data, images etc. When will you find out about issues and breaches?

– Application functioning in the cloud – consider impacts of applications running is shared and / or very horizontally scalable environments.

– Virtualisation benefits and issues

– Capabilities and limitations of your provider

Get Involved!

– CSA and Cloud CERT

Role critical
Participation
Partnerships

– Government initiatives

– Private initiatives

Breaches can impact all of us, finding ways to work together and share data is critical. Cloud is relatively new – we can make a difference and improve this moving forwards.

Recommendation to read the upcoming book from the CISO of Intel (Malcolm) around security that covers various areas including – understanding the world and providing a reasonable level of protection (inc. BYOD, need to be agile etc.)

Summary;

– Remove Obstacles

– Build subject matter expertise

– Global sharing is critical to success

Who will attack you, using what methods in 2013?
Where should you spend your time / money?
Intelligence based security

– Security sophistication must keep pace with attack sophistication!

RSA Conference Europe 2012 – They’re inside… Now what?

Eddie Schwartz – CISO, RSA and Uri Rivner – Head of cyber strategy, Biocatch

Talk started with some discussion around general Trojan attacks against companies, rather than long term high tech APTs, with the tagline; If these are random attacks.. We’re screwed!

Worth checking the pitch, but there was a series of examples from the RSA lab in Israel of usernames and passwords and other data that Trojans had sent to C&C servers in Russia. These included banks, space agencies, science agencies, nuclear material handling companies etc.

So what to the controllers of these Trojans do with the data? Remember these are random attacks collecting whatever personal data they can get, not specific targeted attacks. A common example is to sell the data, you can find examples of the criminals on message boards etc. offering banking, government and military credentials for sale.

Moving onto examples of specifically targeted attacks and APTs.. Examples of targeted attacks include; Ghostnet, Aurora, Night Dragon, Nitro and Shady RAT. These have attacked everything from large private companies, to critical infrastructures to the UN. All of the given examples had one thing in common – Social Engineering. Every one used Spear Phishing as their entry vector.

From this I think you need to consider – Do you still think security awareness training shouldn’t be high on your organisations to-do list?

The talk went onto discuss Stuxnet and Duqu, along with their similarities and differences, largely what was captured in my last post. The interesting observation here was their likely different plaes in the attack process. Stuxnet was at the end and the actual attack, Duqu likely much earlier in the process as it was primarily for information gathering.

A whole lot more targeted malware examples were given including Jimmy, Munch, Snack, Headache etc. Feel free to look these up if you want to do some further research.

A very recent example of a targeted attach that was only discovered in July of this year is VOHO. This campaign was heavily targeted on Geopolitical and defence targets in Boston, Washington and New York. It was a multistage campaign heavily reliant on Javascript. While focused on specific target types the attack was very broad, hitting over 32000 unique hosts and successfully infections nearly 4000. This is actually a very good success rate, with the campaign no doubt considered a success by those instigating it..

In light of this evidence it is clear we need a new security doctrine. You will get hacked despite your hard work, if it has not yet happened, it will.. Learn from the event, an honest evaluation of faults and gaps should result in implements.

Things to consider as part of this new doctrine;

– Resist – Threat resistant virtualisation, Zero day defences

– Detect – Malware traces, Big data analytics, behavioural profiling

– Investigate – Threat analysis, Forensics and reverse engineering

– Cyber Intelligence – Threat and Adversary intelligence

Cyber Intelligence was covered in some more specific details around how we can improve this;

– External visibility – Industry / sector working groups, Government, trusted friends and colleges, vendor intelligence;

Can this information be quickly accessed? For speed should be in machine readable format, but use whatever works!

– Internal visibility – Do you have visibility in every place it it needed, HTTP, email, DNS, sensitive data etc.

Do you have the tools in place to make use of and analyse all of these disparate data sources

– Can you identify when commands like NET.. and schedulers etc. are being used?

– Do you have visibility of data exfiltration, scripts running, PowerShell, WMIC (Windows Management Instrumentation Command-line) etc?

– Do you have the long term log management and correlation in place to put all the pieces of these attacks together?

Summary recommendations and call to action..

– Assume you are breached on a daily basis and focus on adversaries, TTPs and their targets

– Develop architecture and tools for internal and external intelligence for real-time and post-facto visibility into threats

– Understand current state of malware, attack trends, scenarios, and communications

– Adjust security team skills and incident management work flow

– Learn from this and repeat the cycle..

Next steps (call to action!);

– Evaluate your defence posture against APTs, and take the advice from the rest of this post

– Evaluate your exposure to random intrusions (e.g. data stealing Trojans), and take the advice from the rest of this post

Useful presentation from a technical and security team standpoint, but completely missed the human and security awareness training aspect – despite highlighting that all the example APTs used spear phishing to get in the door. I’d recommend following all the advice of this talk and then adding a solid security awareness program for all employees and really embedding this into the company philosophy / culture.

RSA Conference Europe 2012 – Developing Secure Software in the age of Advanced Persistent Threats

Talk presented by Dave Martin and Eric Blaze, both security officers from EMC.

March 2011 – RSA suffered a breach from an Advanced Persistent Threat (APT) type attack. This was big news and many customers we affect, having to replace their RSA tokens etc.

Security groups in high tech organisation, with EMC being the example – Product security group and IT security organisation. Where;

– Product security is focussed on the security of the products produced by the business, deploying patches to customers etc. This can be looked at as the products impact on the customer’s risk. They at EMC work on the premise that the customer’s network where the product will be deployed has been compromised so security is paramount. Secure development / code and application focussed.

– IT security organisation is responsible for the security of the IT enterprise itself. This can be looked at as the security impact on enterprise risk. Generally tend to be much more infrastructure and system focussed.

The environment is changing – environments much more likely to be compromised in a subtle, planned, long term manner (APT) rather than the traditionally more blunt and opportunistic attacks / compromises.

What are the characteristics of these changes?

– Single minded, determined and innovative

– Targeting individuals over systems

– Through reconnaissance will understand your processes, people & systems better than us

– Will exploit ANY weakness

– Countermeasures increase sophistication

– Custom malware, NOT detectable by signatures

– Are not in a hurry will take as long as it take

– Goal is long term & persistent access

– The perimeter has shifted, all systems now exist in a hostile environment

What are the implications of this?

Real attacks that have been publically reported have included;

– Loss of intellectual property

– Loss of cryptographic secrets

– Loss of source code

– Attacks against cloud services

Mandiant M-Trends 2012 reports that 94% of companies find out they have been compromised from law enforcement, and the median length of time from when a company is compromised to when the breach is discovered is 416 days! Do you know your network is secure, can you report with confidence to your board and shareholders that you have adequate, intelligent monitoring and solid layered defence in depth in place? Is your organisation aware of the risks at all levels?

We must assume that we are compromised! – the Security for Business Innovation Council in August 2011 stated;

“Consider that no organization is impenetrable. Assume that your organization might already be compromised and go from there.”

Technology providers must support this by adopting their product security strategy in the following ways;

– Create an integrated governance model

– Build intelligent monitoring into products

– Design layered defence into products

How do they do this? Product security and Organisational security must work more closely together to expand the SDL (Secure Development lifecycle) and collaborate on standards such as;

– Source code management

– Anti-counterfeiting

– Cloud / Hosting

– Supplier risk management

– Software integrity controls

– Make product strategy part of the enterprise risk strategy

– ..

Make logging of events more intelligent; Build attack-aware software.

– Leverage threat modelling within the software to log abuse such as Buffer Overflows and SQL Injections

– Evolve from logging to debug code issues towards logging that is much more useful for detection for example by including anomaly and behaviour logging in program logic

– Design software to integrate with and leverage the existing enterprise risk ecosystem – white lists, reputation awareness etc.

Incorporating layered defence into applications / services to resist APT type attacks can be done in various ways including;

– Utilising split-value cryptographic authentication. This is where Passwords are split and stored across two servers with one hosting part as an XOR’d random number and the other as a random number. Thus the attacker has to compromise two servers and crack both parts within a small time window as a new random number regularly refreshed.

– Assume source code is compromised – anything can be eventually reverse engineered;

Never hard code secrets,
Adopt a Secure Development Lifecycle,
Threat model for source code exposure,
Build integrity control into source code reviews
Pay attention to comments – we should comment for best practice and code support, but make sure things like ‘To do, must add security here’ are mot left in the code!

– If you use agile methodologies, ensure you have a security based story. Review the recommendations from SAFECode;

http://www.safecode.org/index.php

In summary we need to develop using secure methodologies and use the assumption that all systems are or will be compromised.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: