On the cusp of 2010, the state of information security in our society can only be described as a mess. I've come to the conclusion that my career path will now and forever be an effort to bring more science of computing to security in practice (severely lacking now), and reality of security to academia (also severely lacking now). This is at the heart of our mess, and will also be the solution to it. Few-to-no tenure-track professors at accredited universities have real-world experience.
Academic papers are written around decade-old problems, using decade-old data sets, demonstrating a decade-old mindset and ignorance to the volatility of security in practice. There are few models - even fewer that are relevant - and little agreement on terminology as fundamental as risk, threat, and vulnerability.
Industry makes risk decisions with scant or no objective data, builds models on subjective criteria, suffers from physics envy, and is often totally incapable of performing analysis that adheres to the scientific method. In some cases, industry still fails to recognize that security is risk management, as evidenced by the all-too-common requests for ROI to justify security spending. I've seen nearly every word in the English language prefixed by "cyber-" in the last 24 months, simply because it's a buzzword. It's so overused I cringe the few times I have to say it, and the hype risks an overcorrection in the coming years that will back-burner the issues at hand, or water them down with gimmicks and sales pitches to the point where serious concerns in need of resolution are met with the eye-rolling more appropriately reserved for notions such as "cyber Katrina" or "cyber 9/11."
The US now has a "cyber security czar," virtually ensuring failure of public policy just as we've seen with most other "czars" (how's that war on drugs going?). Policymakers don't realize that electronic espionage is just as serious, if not more so, than traditional methods of espionage. No agreement has been made on how conflicts (espionage and outright aggression) escalate beyond the internet into the real world, despite having very serious real-world implications in and of themselves. We are not holding to account other countries who tacitly or explicitly permit attacks against our country's critical infrastructure, ensuring their continuity for lack of any sort of risk associated with their actions. Open dialogue is taking place, but only on the most greatly exaggerated, dated, or unlikely risks, reducing national information security strategy to the same level of effectiveness as airline security.
I normally don't like rants without solutions, so for that I apologize. Maybe I'm just in a bad mood. At the risk of reducing all these problems to one oversimplified solution, I strongly feel that bringing academia and industry closer together in how to approach information security issues is the only way to begin to fix most of these problems.
On the 12th day of Christmas, my CIRT did find for me...
12 users clicking
11 hackers hacking
10 sites cross-scripting
9 drives receiving
8 gigs a-taken
7 widgets stolen
6 passwords broken
5 forged emails,
3 word docs,
... and a hole in Adobe new-Player
Intelligence-driven Response for Computer Network Defense
Network defense against sophisticated adversaries requires a different approach from the one the information security industry typically prepares its analysts for. From the overarching incident response process down to the specific questions each analyst must be able to answer, classic incident response techniques and procedures are insufficient in the face of persistent and focused intrusion attempts. A detailed understanding of one’s enemy, specifically, is an overlooked concept in industry-standard information security pedagogy and mindset, one which can offer strategic, actionable insight into effective response. This presentation extends some information warfare concepts to discuss how intelligence-driven analysis and response can improve the defensive posture of organizations facing advanced persistent threat actors. Examples will be given at the micro and macro level; attendees should be technically well-versed as well as able to see the “big picture” of computer network defense.
- Commercial Security Intelligence Service Providers as a moderator
- Noncommercial Security Intelligence Service Providers as a moderator
- Unix and Windows Tools and Techniques as a panelist
- CIRTs and MSSPs as a panelist
Well said, sir.
The concerns are real, but the concept of a digital Hurricane Katrina and similar doomsday theories might be embellished, said Jim Lewis, director and senior fellow at the Technology and Public Policy Program at the Center for Strategic and International Studies. “It’s really hard to derail a large country that has a lot of infrastructure,” he said. “People tend to exaggerate. I love the Bruce Willis movies, but that’s just not the truth.”
Lewis said less dramatic but equally dangerous espionage and crime represent the true perils.
“How would you feel about China getting our designs for the F-35" stealth fighter jet? he asked. “What about those who rob U.S. banks over the Internet from Russia, with no chance of prosecution? [Hackers] that are breaking into our systems to steal military secrets or prepare for potential sabotage…these are the real threats.”
In terms of event attendance, I appreciated for the first time the value of Twitter as a social situational awareness tool. Following #blackhat inspired me to switch presentations on at least two occasions to see something better, and kept me abreast of the dynamic nature of peripheral events like happy hour gatherings, etc. It also helped me keep track of and share my thoughts on presentations as they happened - notes I'm happy to share with the public, and which allow me to summarize the event here.
On to the presentations. Below I'll summarize my notes only on presentations that I feel I attended enough of to speak intelligently on.
Rod Beckstrom: Beckstrom's Law
I won't attempt to recreate Rod's law here, but the gist of it is that the value of a network to an individual is the difference in cost of that individual performing an action without the network and with the network. His example was buying a book: if one could buy a book at a brick-and-mortar store for $26, but buys it online for $16, the value for that transaction is $10. Extrapolating this, the value of a network is the cost savings of all actions for all users of that network. It's an interesting academic exercise, but I do not really see its applicability even in microcosms of the internet or limited scope environments for two reasons: first, the notion of value seems to be subjective in nature, making any derivative metric itself subjective. Second, and more indisputably, it is an exponential evaluation to compute this value, severely limiting the size of a "network" (however you may define it) that could be valuated.
One argument Rod made in his talk was that the best investment we can make in security is to improve internet protocols. I disagree. The threats we face in 2009 are so far up into the application layer that internet protocols really aren't a serious risk by comparison. If we want to invest money, we need to make it in areas that reduce the profit margin for the adversary, or increase their risk when they attack. This means a major shift in public policy, lobbying congress and the presidency for sane, threat-driven measures to go after perpetrators, and financial backing for investigations (local, federal) and prosecutions. There also needs to be more accountability on the part of software manufacturers, something that the government can assist with as well possibly via FTC incentives. These are "softer," more ambiguous investments than re-architecting protocols, but they will go much further in their effect.
Nathan Hamiel & Steve Davis: Weaponizing the Web
Nathan and Steve spent a lot of time building up and pontificating about proper web design, but when they got to the meat of their presentation the material was quite valuable. The primary focus was on different ways to leverage cross-site scripting, with a heavy emphasis on Cross-site Request Forgery. This is a technique I was naive to until their talk, and their discussion definitely piqued my interest. A lot of good work has been done on browser-based trust exploitation of late. I suggest everyone check out the work done on this modern twist on the browser trust issues first exploited with XSS. I will add as a critique, though, the material could have been presented more clearly. Even with a pretty strong understanding of related exploits, I found their presentation hard to follow at times.
Nitesh Dhanjani: Psychotronica
I was a little worried about this presentation given its name, but I certainly was not disappointed. Nitesh's presentation was one of the most insightful and effective presentations I've seen in a long time. In it, he discussed his research based on open-source intelligence on the relative "happiness" of people, using various words and contexts to quantify the overall attitude of, say, a blog entry. Nitesh then takes this technique and builds it into a tool which can digest tokenized social network entries to illustrate how satisfied or happy a person is over time. In one stunning demonstration of this tool, he maps the long misery of a man, married with a child. At one point in the timeline, the nature of the man's language changed for the positive, rather unexpectedly. Days after this behavioral change, the man killed his wife, child, and then himself. It was a shockingly poignant example of how attitudes can, in retrospect, amplify understanding of the behavior of individuals. There are many possible applications of this technique to OSINT in terms of known threat actors in our field - perhaps not in the dimension of happiness, but maybe financial status, busy-ness, or stress level, to name a few. If patterns of open-source intelligence can be established prior to certain security "events," then perhaps detection can be pushed into the reconnaissance phase of an attack in a very new way.
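To make the technique above concrete, here is an added example of the lexicon-scoring idea: tokenize each post, score it against small positive and negative word lists, average the scores per period, and flag periods where the average moves sharply. This is my own illustration, not Nitesh's tool or his lexicon; the word lists and the posts are constructed for the example, and a real OSINT pipeline would use a much larger, validated lexicon and a proper time series rather than week labels.

```python
"""Lexicon-based attitude timeline over tokenized posts (added example)."""
import re
from collections import defaultdict

# Constructed, deliberately tiny lexicon. A real tool would use a large,
# validated sentiment lexicon; these lists exist only to make the example run.
POSITIVE = {"great", "happy", "love", "wonderful", "excited", "calm", "peace"}
NEGATIVE = {"tired", "angry", "hate", "miserable", "broke", "stress", "awful"}

# Constructed sample posts as (period label, text). Not real data.
POSTS = [
    ("2009-W01", "another awful week, tired and angry at everything"),
    ("2009-W01", "I hate this job, so much stress"),
    ("2009-W02", "miserable again, broke and tired"),
    ("2009-W03", "stress stress stress, awful"),
    ("2009-W04", "feeling calm today, at peace with everything"),
    ("2009-W04", "wonderful morning, happy and excited"),
]

TOKEN_RE = re.compile(r"[a-z']+")


def score_text(text):
    """(positive hits - negative hits) / token count, in [-1, 1]; 0.0 for no tokens."""
    tokens = TOKEN_RE.findall(text.lower())
    if not tokens:
        return 0.0
    pos = sum(t in POSITIVE for t in tokens)
    neg = sum(t in NEGATIVE for t in tokens)
    return (pos - neg) / len(tokens)


def timeline(posts):
    """Average score per period, as a list of (period, mean_score) sorted by period."""
    buckets = defaultdict(list)
    for period, text in posts:
        buckets[period].append(score_text(text))
    return [(p, sum(s) / len(s)) for p, s in sorted(buckets.items())]


def shifts(tl, threshold=0.3):
    """Periods whose mean moved by at least `threshold` relative to the prior period."""
    out = []
    for (_, prev_score), (cur_period, cur_score) in zip(tl, tl[1:]):
        delta = cur_score - prev_score
        if abs(delta) >= threshold:
            out.append((cur_period, round(delta, 3)))
    return out


if __name__ == "__main__":
    tl = timeline(POSTS)
    for period, score in tl:
        print(f"{period}: {score:+.3f}")
    print("shifts:", shifts(tl))
```

The interesting output is not the absolute score but the step change: with these constructed posts the W03 to W04 transition is the kind of abrupt swing the talk described, and it is exactly the signal an analyst would want surfaced rather than read off a chart by eye.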
Steve Topletz, Jonathan Logan & Kyle Williams: Global Spying
My mother always said "if you don't have anything nice to say..." I'll make an exception here. This was a tinfoil-hat presentation that made sweeping generalizations and rattled off 'facts' without a single citation, all to sell fear to the audience that their every move is being monitored by the government - an attitude that conveniently maps to their company's business model of protecting your privacy. The cherry on top was giving everyone a free trial of their company's software, because of course you can trust a for-profit entity so much more than a democracy...
Alessandro Acquisti: I just found 10 Million SSNs
I don't need to say much on this, as the beans were effectively spilled weeks ago. I will say this was a fantastic presentation that clearly followed the scientific method to present and defend a theory using statistically relevant conclusions with heavy - if somewhat unsurprising - social implications. I don't think I can personally pay a higher compliment to a presenter. Alessandro summed it up nicely when he pointed out that identity and authentication cannot be the same thing, but that is precisely what we've been doing with SSNs: the public identifier is also used as a private authenticator, and thus we have the identity theft problems of today. The contrast to the previous presentation in the same room (Global Spying) was truly amazing.
Nick Harbour: Win at Reversing
Nick always puts on a good show, and this was no exception as he illustrates an elegantly simple, but brilliantly constructed tool to facilitate malware unpacking. I'll do my best to describe it here, begging your pardon if my memory isn't dead-on. Nick starts off by articulating the limitations of kernel-level API hooking when analyzing malware behavior. While certain common procedure calls used by malware (like GetHostByName) are executed in ring 0, many other common ones like GetProcAddress are strictly user-land. Makes sense. Nick then turns the user-land rootkit on its head by inline hooking the malicious code, opening access to all API calls by the code, not just those touching ring 0. From here, a procedure likely to be called after the code has been unpacked in memory is identified. Replace this call with an infinite loop (only 2 bytes) prior to execution, and bam! Running the patched PE leaves the unpacked code idling in memory for extraction & analysis. To take it to the next level, Nick then introduces Apithief, which automates much of the complexity of this process for the analyst. The tool should soon be available on Mandiant's site, according to Nick (it wasn't as of the writing of this entry).
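The core trick Nick described, replacing a call that will only execute once the code has unpacked itself with a two-byte `jmp $` (`EB FE`) so the process spins with the unpacked image in memory, is easy to show on raw bytes. The example below is mine, not Apithief or any Mandiant code: it searches a constructed 32-bit x86 byte string for `call dword ptr [imm32]` to an assumed IAT slot and patches it in place. The NOP padding after the jump is my choice to preserve instruction lengths; execution never reaches it.

```python
"""Patch an import call into a self-jump so a packed sample idles after unpacking.

Added example. The code bytes and the IAT slot address are constructed.
"""
import struct

JMP_SELF = b"\xEB\xFE"          # x86 `jmp -2`: jumps to its own first byte forever
NOP = b"\x90"
CALL_IAT_OPCODE = b"\xFF\x15"   # `call dword ptr [imm32]`, 6 bytes on 32-bit x86
CALL_IAT_LEN = 6

# Constructed stand-in for a post-unpack stub: push ebp / mov ebp,esp /
# call [0x402000] / test eax,eax / pop ebp / ret. 0x402000 is an assumed
# IAT slot (imagine it resolves to GetProcAddress); it is not from a real binary.
GETPROCADDRESS_SLOT = 0x402000
SAMPLE_CODE = bytes.fromhex("558BEC" "FF1500204000" "85C0" "5DC3")


def find_iat_calls(code, slot_va):
    """Offsets of every `call dword ptr [slot_va]` in `code`.

    Caveat: this is a byte-pattern match, not a disassembly. It can hit data or
    the middle of another instruction, so confirm hits in a disassembler before
    patching a real sample. On x64 `FF 15` takes a RIP-relative rel32 instead,
    so the needle below is only valid for 32-bit code.
    """
    needle = CALL_IAT_OPCODE + struct.pack("<I", slot_va)
    offsets, start = [], 0
    while True:
        idx = code.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def patch_spin(code, offset, insn_len=CALL_IAT_LEN):
    """Return a copy of `code` with the instruction at `offset` replaced by `jmp $`.

    Only the two JMP_SELF bytes matter for behaviour; the remaining bytes of the
    original instruction are filled with NOPs so the following instructions keep
    their offsets and a disassembler still shows a sane listing.
    """
    if offset < 0 or offset + insn_len > len(code):
        raise ValueError("patch would fall outside the code buffer")
    if insn_len < len(JMP_SELF):
        raise ValueError("instruction too short to hold jmp $")
    patched = bytearray(code)
    patched[offset:offset + insn_len] = JMP_SELF + NOP * (insn_len - len(JMP_SELF))
    return bytes(patched)


def patched_sample():
    """Patch the first GetProcAddress call in the constructed sample."""
    offsets = find_iat_calls(SAMPLE_CODE, GETPROCADDRESS_SLOT)
    if not offsets:
        raise LookupError("no call to the assumed IAT slot found")
    return patch_spin(SAMPLE_CODE, offsets[0])


if __name__ == "__main__":
    print("before:", SAMPLE_CODE.hex(" "))
    print("after: ", patched_sample().hex(" "))
```

In a real workflow the patched image is what gets executed; once the process is spinning on the `jmp $`, the unpacked code can be dumped from memory for analysis, which is the payoff Nick was describing.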
Bruce Schneier: Reconceptualizing Security
I can't really say anything here that you won't read on Bruce's blog, nor would I be so eloquent in doing so, but I will say this was my first time seeing him talk, and it was a pleasure to do so. A few take-aways I found particularly significant:
- One underlying problem that facilitates the divergence between feeling secure and being secure is language: 'security' can apply to both states.
- Everyone has their own model of reality from which they make decisions. This applies at the individual level as well as instinctively within our species. This is the first time in the history of humankind where our reality is changing faster than our individual and natural model of reality. Whether or not we will ever be able to catch up remains to be seen, but the gap seems to be accelerating.
Never been before, but looking forward to the chaos. I'm going to try to attend DefCon, but if I can arrange it, I'll only be there Friday. Due to some housing shenanigans, I must be back in DC for the weekend.
Case in point #1: Alan Paller's statements on the recent (and long overdue) analysis of the predictability of SSNs. To wit,
"I don't think this is a high priority, because it doesn't deliver a big enough payoff" for hackers, he said. "You do identity theft so you can steal money, but it's easier to steal money by taking over someone's computer."
Are you serious? One compromises a computer to impersonate another. If you have an SSN, name, and other basic information like birthday, etc. (that's often publicly available on social networking sites), it's Game Over - impersonation can be achieved at a much deeper level than simply userid/password - never mind that more and more sites are implementing some sort of 2-factor authentication. This reeks of "look over here where I can make money," ignoring reality. SANS has a lot to offer the information security community, but when its leaders make such questionably accurate and profit-driven comments, it hurts all of our credibility (what professional doesn't have a cache of SANS certs these days?) and devalues the institution as a whole.
Case in point #2: The questionably accurate stories floating around about this alleged North Korean-sourced DDoS against a completely random set of targets. I don't know for sure, but it seems the source of this attributional rumor is the Korea Communications Commission. Here's a sample of one of their statements:
“An aggressive distribution of vaccine programs against the attack has helped fight back,” the official, Shin Hwa-soo, said. “But we are not keeping our guard down. We are distributing the vaccine programs as widely as possible and monitoring the situations closely because there might be a new attack.”
A vaccine? Really? Please tell me we're not taking these people seriously. It seems to be a fact that some sort of DDoS attempt took place, but keep in mind the attribution to DPRK is hinging on people who distribute "vaccine programs" against a DDoS - whatever the hell that means. Initially, the attacks were downplayed - until 24/7 news got a hold of it and realized that CNA can be sexy. Then the "cyber security professionals" realized there was a platform for advancing an agenda and poured fuel on the hype fire. There are plenty of examples. Below are a few.
Google hosted news:
"Just from looking at footprint, it was Bigfoot, not Bambi," said Charles Dodd, founder and chief technology officer for Nicor Cyber Security.
What started off as "Cyber Attacks" on the east coast became "massive" by the time they got to San Francisco.
The US sites experienced a “massive outage”, according to Keynote Systems, a company which monitors 40 government sites in America.
Even Rod Beckstrom, whose comments were mostly well tuned, eventually fell victim to the hype cycle in a most spectacular way:
"[It's] a little bit like launching some Scud missiles towards the U.S.," noted Beckstrom. "These are cyber-scuds, very low-tech, but a lot of them, and kind of annoying."
No, Rod, it is nothing like this.
All of this hype, yet when you ask the victims, they tell you that the impact was negligible [source: ABC World News Tonight, 7/8/2009]. This underscores the classic properties of CNA that make it much less effective in terms of real economic impact than CNE:
- Its effectiveness is often limited to the period over which it can be sustained - except when machine or software destruction is involved, in which case it simply becomes a DR exercise,
- It is difficult to sustain,
- It is open conflict and identifiable immediately, and
- It rarely maps to the intended strategic or tactical goals of the executor (what, for instance, was achieved here?)
In any case, a quick update. After many months of consideration, I decided it was in my best professional and personal interest to join Facebook and Twitter. If I don't understand these communication and interaction technologies as I understand others, I will inevitably find myself falling behind and unable to exist at the forefront of security (whether I will ever get there is debatable as well, heh). I likely won't be very active with these accounts, but will likely tweet at BlackHat this year in an effort to keep in touch with all the folks I'll know there. It'll be my first BlackHat, and I'm looking forward to it!
Opinions aside, I think it's interesting that the job of computer network defense at a national level is being placed subordinate to its equivalent offensive arm. An insight into fundamental policy shift? Time will tell...
In information security, we often keep saying the same thing over and over again, because we know it's right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don't, and yet we keep saying those things. We tell them they "have to" fix all the security problems all the time.
I'd like to go further, and do, in my reply to his post. At issue is our propensity to reflect all of the hardest problems in security today onto those who are least equipped or capable of handling them: end users. Nobody asks to get in the security business when they buy a computer, they want to entertain themselves, or positively contribute to some task, or fill an everyday need... yet we do. We ask everyone who buys a computer to join us in our perverse universe of paranoia. This is a lazy, improper, and unsustainable approach. If anyone is looking for the hardest problems to solve in our industry, look no further than your parents' complaints about their computer, your friends' complaints about websites, or your coworkers' complaints about corporate policy. We've left them holding the bag on the hardest problems.
My comment on Adam's post is reproduced below.
I write on this topic frequently... I can only hope more people begin to realize the seriousness of this problem, and that we must begin to make it a tractable one.
Careers in Information Security and Tales from the Front Lines of Network Defense
In this two-part presentation, Michael will introduce the field of information security from a career development perspective, giving attendees a broad view of the industry and how their various academic backgrounds may align. As the lecture progresses, Michael will give an insider's view into what it's like to defend a network used for the design of the next generation of national defense technologies.
Naturally, the notion of a bastion host evolved to be a not-so-exposed system, partially protected by firewalls and isolated from the internal network so as to mitigate the damage resulting from compromise. The crown jewels are, by this model, inside the LAN, and isolation was paramount. And thus have we operated since...
Naturally, this model has undergone various evolutions. Initially, the focus of protection was outside-in. Various pressures - security, policy, and otherwise - necessitated greater control over network egress. If you want to make sure a compromised internal system can't arbitrarily funnel data outbound over some ephemeral port, you need to restrict what services clients on the LAN can access on the internet. If you want to keep your employees from surfing pr0n on the job, you need to be able to restrict what web sites they access. From this came proxied services: HTTP, DNS, email, and other services now must be funneled through a relay for greater control.
Do you see what's happening here? Our control over our networks has slowly crept up the OSI model as we realize the perils of a lack of control over the next layer up. From the flat networks of the early 80's, to segmentation later in the 80's and early 90's, to control over the transport layer with firewalls, and finally up as far as the application layer with insistence on proxying all services in the most "secure" networks accessing the internet today, our defenses were pushed upward by adversaries who understood how to exploit the lack of control at higher layers.
I've got bad news: even this isn't good enough. While we've definitely raised the bar for adversaries, they have nevertheless stepped up to the plate. How do you compromise systems and funnel data out of a protected network which insists upon protocol compliance and restricted connections? Obey the rules. Comply with the protocol. Repurpose the available communication points outside of the network. And this is precisely what adversaries are doing.
If you didn't already know, I'm telling you now: protocol-compliant command-and-control channels that communicate to compromised websites are all the rage in sophisticated attacks today. How can one attack a computer? Use the inbound communication channel: email. How can one establish bi-directional control over a compromised host? Use the outbound data channels to initiate a connection, and proceed from there: HTTP, DNS, email, these all permit bi-directional communication to every workstation in a protected network connecting to the internet today.
What does this mean? It means that every host which can participate in these types of data transmission is an internet-facing host. Bastion hosts, firewalls, proxied services, all exist in vain against these techniques. This is the very point of this whole post: your most exposed hosts are your workstations. And today, in 2009, you have as many internet-exposed hosts as you have workstations. Considering that today, all work is done on workstations, this means your data is residing on the most vulnerable systems on your network - even if only temporarily while in active use or development. There are many implications here, which I won't go into, beyond to say if you've been sleeping soundly because you believe your network controls are strong, I hope you've enjoyed it.
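If every workstation is an internet-facing host and the control channel is protocol-compliant HTTP through the proxy, the proxy log is where the defender has to look, and the signal is not a bad URL but a bad rhythm. The following is an added example, not from this post: it parses a constructed proxy-log format (epoch time, client, destination host, method, status, bytes), groups requests by client and destination, and flags pairs whose inter-request gaps are suspiciously regular. The lines, hostnames and addresses are all made up for the example.

```python
"""Flag periodic outbound HTTP (beacon-like) client/destination pairs in proxy logs.

Added example with a constructed log format; not code from the original post.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: "<epoch> <client-ip> <dest-host> <method> <status> <bytes>".
# 10.1.2.3 browses irregularly; 10.1.2.55 talks to one host every ~300 s.
LOG_LINES = """\
1247000000 10.1.2.3 news.example.org GET 200 15234
1247000007 10.1.2.3 news.example.org GET 200 8834
1247000000 10.1.2.55 cdn.photos.example GET 200 512
1247000301 10.1.2.55 cdn.photos.example GET 200 512
1247000600 10.1.2.55 cdn.photos.example GET 200 512
1247000899 10.1.2.55 cdn.photos.example GET 200 514
1247001201 10.1.2.55 cdn.photos.example GET 200 512
1247000091 10.1.2.3 mail.example.org GET 200 43210
1247000640 10.1.2.3 news.example.org GET 200 17000
this line is deliberately malformed and must be skipped
1247001900 10.1.2.3 news.example.org GET 200 9000
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(text):
    """Parse log text into (epoch, client, dest, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, dest, _method, _status, size = m.groups()
        events.append((int(ts), client, dest, int(size)))
    return events


def beacon_candidates(events, min_events=4, max_cv=0.05):
    """Client/destination pairs with at least `min_events` requests whose gaps are regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    inter-request gaps; a tight schedule gives a value near zero, human browsing
    gives a large one. Timestamps are sorted first so log order does not matter.
    """
    by_pair = defaultdict(list)
    for ts, client, dest, _size in events:
        by_pair[(client, dest)].append(ts)

    hits = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # all requests in the same second: bursty, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest,
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse(LOG_LINES)):
        print(f"{hit['client']} -> {hit['dest']}: every ~{hit['period_s']}s (cv={hit['cv']})")
```

The thresholds are starting points, not answers: legitimate software checks in on schedules too, and an adversary who jitters the interval will push the coefficient of variation up, so in practice this is one feature fed alongside others (destination reputation, request size uniformity, user-agent oddities) rather than a verdict on its own.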
Update: Somehow this got back-dated... fixing.
A few other confounding aspects of this breach:
- The date of compromise is unknown
- Heartland had to be notified of this by Visa and Mastercard. They did not discover it on their own.
- Transactions occur unencrypted, according to the bankinfosecurity.com report: 'Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."'
For the past year, Robert O. Carr, Heartland's chairman and chief executive officer, has been advocating for payments industry adoption of this technology — which will protect data at rest as well as data in motion — as an improvement for payment transaction security.
Certainly this claim seems dubious. In any case, the data capture and exfiltration appears to be enabled by malware installed on hosts in their payment systems network. Disk, database, and transactional encryption won't prevent compromised hosts from having access to the data in clear-text form as it's processed - clearly, this data must be unencrypted at some point in the process in memory (at least).
This is a whole bucket of fail right here.
Partially as a consequence of this change, I began thinking on the definition of the word "analysis" and how its use has been watered down in our industry. On one hand, to the extent to which my job encompasses computer and network forensic analysis, the word is most certainly applicable. Digging into the most nuanced details of the history of reads and writes to a hard disk, inspecting TCP sessions and packets to observe content, absolutely fits the definition of a word whose meaning is "to take apart." But security intelligence often represents an inflection point in vision, between re-creating the events that took place as a forensic task, and painting a broader picture - assembling the comparatively scant data offered by forensic investigation, monitoring tools, logs, and other artifact sources to develop a modus operandi, discover other past or future actions perpetrated in the same vein, and possibly even discover the individuals behind the activity and their motives. In short, intrusion synthesis - the antonym of analysis.
Of course, this is all very academic. I will be doing the job I've done in the past regardless of whether my title is Cyber Intel Analyst or Banana Peeler. But as I've said in the past, vocabulary is important, and it's an insightful exercise to see where such a description intersects and diverges from what one does, as that activity itself can yield insights into how to better do whatever it is we do.