Security Vendors Vow to Defend Against Cyber-Boogeyman

Monday, March 21, 2011

J. Oquendo


Seems like McAfee is making a run to become the security industry's "Minitru" [1]. This is not the first time a company wishes to do so and it will not be the last.

Who will come out standing remains to be seen, as there is also Computer Associates and a variety of other bridge salesmen in this arena.

Someone at McAfee did, however, impress me with her comments. She is the CTO, Phyllis Schneck, someone who is likely in the know when it comes to pie charts and a variety of other data correlation and statistics which ultimately mean nothing.

According to McAfee's website [2]: "Dr. Schneck, who testified before the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, outlined some policy recommendations to improve public/private sector information sharing that is essential to provide the government with the capabilities it needs to respond to the cyber threat."

No offense intended with the pie-chart jab, Dr. Schneck (if you stumble upon this), but the reality is that the data, you see, can be a figment of an attacker's creativity. This was discussed in depth in "Art of Cyberwarfare - Analysis Fail" [3]. Nevertheless, for those looking to waste time searching for needles in the haystack, feel free to do so.

Regardless of my view of the security landscape, I do believe that there is a vast and increasing need for companies that are under cyber attack, or that have already been compromised, to share information with one another; however, I doubt this could ever happen.

For example, the recent notification of compromise coming out of RSA is alarming and enigmatic. We have RSA stating: "We were compromised, intellectual property concerning key fobs was stolen. Nothing taken so far will affect those key fobs." Define "so far"? And why did it take them a week to stop this attack (as they stated)? I smell a pattern of deception here.

Companies do not want to publicly admit they were compromised. Financially, it is not beneficial for them to report a compromise. Although I cannot point to accurate statistics concerning that statement (the benefits/downsides of reporting), I am basing this on experience.

Besides, I am nothing more than a security engineer slash hacker monkey creating, developing, deploying, exploiting and researching security-based services, not a statistician. I can infer "financial downsides" as being the TOP reason that companies are not willing to disclose information concerning a compromise.

After all, would you want to continue putting your hard-earned money in a bank which was just "hacked?"

Following good media whoring security industry practices, I will label this as the "Compromise Dilemma." According to Wikipedia's definition: A dilemma is a problem offering at least two possibilities, neither of which is practically acceptable. During a compromise there is the dilemma of reporting the incident:

1) "If we report it investor confidence will be shaken, we stand to lose millions."

2) "Under certain regulatory guidelines, we have to report this. We stand to lose millions."

Offering a third option under controlled circumstances yields a more positive future outcome.

3) "Working with other companies in identifying how I was compromised would enable them to defend themselves. The more companies that report this, the more information can be shared and the less risk we would collectively have."
 
For all the hype surrounding all of these "sophisticated" attacks, not an iota of the compromise information has come to light in either academia or public circles. Private circles are an altogether different arena.

So here lies an issue I have: "What constitutes sophistication?" Imagine for a moment that I state that I was compromised by a "recurring complex attack"; would you look at me strangely as a security professional? How about if I said: "the attack was advanced and it was persistent?"

I theorize that the reason for the misuse and abuse of the APT acronym is that companies simply want to save face: "we cannot disclose we were had. For crying out loud, we are the first line of defense!!!"

What is being overlooked however, is that you (the company) were already compromised. Game over. Whether a company forgot to change a default password or whether someone used 200 PS3s [4] to do the job, the fact is, someone walked in where they were not supposed to.

How did they do it? Where did they come from? What did you notice in your analysis? In reporting this type of information, companies not only allow other companies to defend themselves, but there is a likelihood that many security researchers could chime in OSINT-style and offer clues, theories and so on.

Another set of eyes never hurts, and data can be zeroized to prevent further security calamity, so notions of "proprietary" and other clever verbiage can take a backseat.

Companies do not need to waste time looking backwards; historical research is for academia. Intelligence analysts need forward-looking data to work with. Where and when this collaboration will come to light should be the big question here.

Ultimately, the only reality behind any "advanced persistent threat" is in the wording. ALL attacks can be considered advanced once a compromise has taken place. Obviously the attackers were more advanced than the security professionals and technologies a company had in place.

Persistent is rather irrelevant, since I would bet the shirt off my back in stating: "Companies online will always be attacked." Finally, there will always be threats. Why the need for useless terminology other than to scare up pictures of a "cyber-boogeyman"?

While I was impressed by some of Dr. Schneck's statements, I was not surprised to see the usual finger pointing at the boogeyman. Rather, cyber-boogeyman, to be cyber-politically correct. "She spoke about McAfee Global Threat Intelligence, which offers the most comprehensive threat intelligence in the industry, and how it was used to detect and remediate both the Operation Aurora and Night Dragon cyber attacks."

Really? That simple? And the answer was in front of us all this time. Purchase and deploy McAfee's HBSS (HIPS), which will then alert when someone compromises your machines, and all would be fine.

Sounds like the same old security "détritus" being pitched for the better part of a decade (Intrusion Prevention/Detection/Tolerance). I wish McAfee and other companies got a clue outside of pie-charts though.

Reality check: hackers slash tinkerers have been bypassing those HIPS all along, for the better part of 13 years at least. It's only because they are advanced and persistent like that though. Or should I say, they have a keen ability to create "Recurring Complex Attacks."

Honestly speaking though, if companies created a consortium of security pros to disseminate real-time attack data (remember, as I said above, controlled circumstances), the industry would be better off.

No one wants to report a compromise, and there is little reason why this data cannot be shared other than companies wanting to save face (PR). Most data can be zeroized/regex'd to prevent identification of who was compromised and what was stolen.

Otherwise, we can continue to fork out millions of dollars to security companies promising the latest and uber-protection tool which will only be bypassed by a Recurring Complex Attacker.


[1] http://en.wikipedia.org/wiki/Ministry_of_Truth
[2] http://www.zdnet.com/blog/security/ssl-broken-hackers-create-rogue-ca-certificate-using-md5-collisions/2339
[3] http://www.infiltrated.net/index.php?option=com_content&view=article&id=22&Itemid=28
[4] http://investor.mcafee.com/releasedetail.cfm?ReleaseID=558559

Tom Coats: Full disclosure, it is obvious that I work for a security vendor.
You have identified a solid point when you ridicule phrases like APT and RCA. But I think you have missed the boat on the historical analysis. "Dwell on the past and you lose an eye, forget the past and you lose both eyes." The historical analysis is being done and it is getting better every year.
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
The main learning point here is that the data collected can be, and often is, confidential, but organizations like the US Secret Service and Verizon do a fair job of filtering the important learnings to help make us all safer in the future.
Second SANS provides and has provided a wonderful service for years, which just for an example warned the world of Slammer in a matter of hours (I am showing my age, where is my walker?).
http://isc.sans.edu/index.html
The mix of old school internet gurus and new school business IT Security professionals has worked pretty well so far but admittedly doesn't get the widespread glamour press. But then this isn't a world of "password swordfish" and most of the world thinks our jobs are pretty boring... but we save the world every day... That is boring after a while I admit.
Kenneth Bechtel: I hate to splash cold water on your article, but unfortunately you didn't dig deep enough. There are MULTIPLE industry platforms for organizations or individuals IN organizations to share this type of information. In the interest of full disclosure, I'm one of the founding members of one of the earliest of this type of organization, the Anti-Virus Information Exchange Network (AVIEN), which was formed in 2000. You are correct, companies do NOT like to talk about being infected, or compromised, but the people in the security industry HAVE banded together and addressed these shortcomings. I suggest you look for the organization that deals with your industry (there's one for DOD contractors, the banking industry, and many more). They're out there, you just have to look for them.
J. Oquendo: @Tom Coats: You state: "The historical analysis is being done and it is getting better every year." This is what security managers keep missing, timing isn't always everything.

Attacks and attack vectors are here and right now. For the research being done, by the time an analysis is finished, the researcher will almost always be chasing after ghosts. IP is realtime and subject to ever constant changing so attribution is pointless.

I will share my experience while taking the RWSP exam. If you need to/want to know more about the certification check out the BlackHat information at: http://www.blackhat.com/html/bh-dc-11/training/bh-dc-11-training_PEAK-RealWorldSec.html

During my second day of the RWSP course, it was my time to mimic an attacker. The goal: get in and get the family frakels while other equally or more experienced security professionals actively blocked me. This was not a "sitting target." During the recon phase, I lit up the network with dozens of decoys of their own servers attacking themselves while I was lost among the logging information. The opposing team used their budget money to purchase a firewall rule to "block the attacker." Bad move. Because they didn't take the time to understand their own infrastructure, they ended up blocking themselves while I strolled unnoticed right through the front door.

Lesson learned: "Understand your own infrastructure"

You also state: "The main learning point here is that the data collected, can be, and often is confidential, but organizations like the US Secret Service and Verizon do a fair job of filtering the important learnings to help make us all safer in the future."

I respectfully disagree with this statement and will explain why. When these reports come out, they offer a point of view which is tailored for the security manager. Someone who isn't in the trenches of "warfare."

Imagine a military operation for a moment. Imagine "Command Center" giving orders based on data: "They're in a building 100 meters east." What does that do for a grunt on the battlefield? Simply tells them: "to the east 100 meters." What the command center fails to understand from the grunt's point of view is, the battlefield is littered with debris. He cannot take the shot because in the vicinity of those 100 meters, he is seeing civilians in his cross-hairs. What options does the grunt have? He can fire at the risk of casualties, he can try to get closer, he can ask for more definitive information. He cannot (because of the chain of command) use his own judgement lest he be court-martialed.

The same applies during a compromise. When I hear instances of "RSA has been battling an attacker for a week..." I stop and wonder: "and why can't you a) block the attacker's offending address b) move the folders/files under attack elsewhere until you situate your security posture c) actively perform the same measures they're using to attack you, understand it and lock it down d) pull the plug until you situate the security posture." In the case of d), I would be willing to deal with irate customers knowing I can minimize their complaints once they know the situation versus the alternative: "we got owned... After one week, we couldn't stop them..." The approach is flawed.

You also state: "Second SANS provides and has provided a wonderful service for years, which just for an example warned the world of Slammer in a matter of hours (I am showing my age, where is my walker?)."

SANS and other organizations do good when there is a high level of visibility of an attack vector. SANS and others will do nothing against a carefully orchestrated attack. In fact, by the time anything is done, the data is old news and an attacker's identifiable information will go dark.

---------------
@ Kenneth

You state: "unfortunately you didn't dig deep enough. there are MULTIPLE industry platforms for organizations or individuals IN organizations to share this type of information."

Fail... You seem to not understand the attacker's and researcher's perspective here. "Multiple industry platforms ... sharing IN the organization" but what happens when those "IN" those organizations don't understand themselves? Imagine placing a bunch of kindergarten students in a classroom at Stamford with Chaos Theory mathematics on the chalkboard. What are they seeing? Gibberish.

You state: "I suggest you look for the organization that deals with your industry"

Fail. Name me an attacker that focuses on one specific industry. You and others need to realize that attackers target everything and anything. It is not about specifics when we look at the protocol level. There are electronic signals and data moving across them. It all boils down to the protocol levels which too many "professionals" aren't "getting."

Wearing a security researcher hat, I can likely download any program for a test drive. Do my best to understand how it works in an effort to subvert this. I may see things that you will not. As a hobbyist, security tinkerer, there is a high likelihood that others like me will outnumber your entire staff thousands to your every one. This needs to be thought about. For every "defender there will likely be 100 attackers." With that said, zeroized information on attacks can help more than hurt companies. Publicizing the information for ALL to see is a much more robust solution. This is where creativity shines as opposed to the decades old herding instinct: "Well this security manager said..." See my response to Tom, is that security manager in the trenches? Is he constantly looking through the cross-hairs?

The whole pie chart, historic data, looking backwards motions does little at the end of the day but waste time. When security professionals learn how to be proactive versus reactive, only then will defensive security bloom. In order for defense to bloom though, offense needs to be understood. You will never see a baseball game won with solely defense; what you WILL see is either a tie ballgame going into extra innings until someone scores (offense).
shawn merdinger: "Ultimately, the only reality behind any "advanced persistent threat" is in the wording. ALL attacks can be considered advanced once a compromise has taken place. Obviously the attackers were more advanced than the security professionals and technologies a company had in place."

PRICELESS.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.