Verzeichnis
TaoSecurityRichard Bejtlich's blog on digital security and the practices of network security monitoring, intrusion detection, and incident response.
As stated on their Web site, the U.S. Congress created the U.S.-China Economic and Security Review Commission in October 2000 with the legislative mandate to monitor, investigate, and submit to Congress an annual report on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China, and to provide recommendations, where appropriate, to Congress for legislative and administrative action. The Commission holds hearings to solicit testimony from subject matter experts and builds on those hearings to produce an excellent annual report.
You can access the 2011 report on the Commission Web site, and even request a printed copy if you'd prefer to read paper.
A few weeks ago the Commission staff requested that I answer a set of questions, and I provided a draft response last Monday. When I testified each of us had seven minutes to make a statement, after which the Commissioners asked questions. The testimony posted online is the "extended" version of my remarks. I used an abridged version when speaking today, but didn't read it verbatim.
After we each made a seven minute statement, the Commissioners asked a round of questions. Each received about five minutes. We tried to keep to the rotation, which as you might expect was tough. Several questions were fairly complicated (like discussing the costs and benefits of "the cloud") so it was difficult to be anything near complete when responding. A few Commissioners were interested in supply chain questions and the problems posed by Chinese made telecommunications equipment.
I expect an audio recording of the event to be available at the Commission Web site within the next few weeks. Once that is posted I'll review it and share a few more thoughts on the Mandiant Blog.
In addition to my wife, thanks also to the members of the local computer network defense and intelligence communities who attended the briefing and said hello!
Last week in my post SEC Guidance Is a Really Big Deal I mentioned the potential significance of whistleblowers with respect to digital security. I came to this conclusion while participating in a panel for those involved with Directors and Officers insurance. This post provides a few more details. This morning I reviewed slides by Frederick Lipman, author of Whistleblowers: Incentives, Disincentives, and Protection Strategies, pictured at left. Mr Lipman spoke about whistleblowers at the same conference, but I didn't see his presentation.
You can read Mr Lipman's slides on this shared Google drive in .pdf format.
To briefly summarize Mr Lipman's work, Dodd-Frank, the False Claims Act, IRS rules, and other regulations have created an environment more favorable to those who wish to report wrongdoing within their organizations. Bounties for whistleblowers can amount to tens of millions of dollars. Yes, that's right: individuals have received millions of dollars after reporting violations by their employers. If that weren't enough, following penalties levied by the government against companies, the private sector also joins the fray through shareholder law suits.
I'm predicting that due to the increase in regulation during the last decade, whistleblowers will begin to report digital risks or incidents to their boards and/or outsiders.
Consider the following scenario: a publicly traded firm targeted by the APT suffers a major loss of intellectual property. The loss will likely result in decreased revenues for a particular product line because foreign companies will clone and sell the technology, undermining the victim's competitiveness and qualifying as a material event.
The firm decides to not report the event in its SEC disclosure documents. Frustrated with the cover-up, members of the security team act as whistleblowers. If the firm is lucky the whistleblowers use the firm's reporting process to notify the audit committee of the board. If the firm is not lucky, or if the whistleblowers don't feel their concerns are addressed, they report to the SEC or other outside entities.
I could imagine many permutations of this scenario to make it better or worse for all parties involved. The bottom line is that I expect this aspect of additional regulations to be a new driver for disclosure, once it becomes more widely recognized and understood.
For fun, imagine a different scenario where hacktivists compromise the same victim and publish its email. Regulators read the email (or learn via those who read the email) that the hacktivism victim is also failing to report material losses due to APT compromise...
Thank you to Mr Lipman for agreeing to let me post his slides publicly. I plan to check out his book too.
In fact, you may be aware that papers and approaches like Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, Ph.D. were inspired by the desire to move "left of boom" regarding IEDs.
In this post I will highlight elements from the interview which will likely resonate with those working digital security problems.
- The threat "shares information globally," and engages in an "arms race" with defenders, sometimes by "sitting in front of a computer" devising the latest tools and techniques.
- The adversary can introduce changes to tools and techniques in weeks and months, not years or decades as was the case with conventional or strategic weapons.
- For a "meagre expenditure," the adversary can impose "huge costs on defenders."
- The goal of the security program (i.e., JIEDDO) is to provide commanders freedom of maneuver to conduct operations (business) in an IED environment.
- "If you're worrying about the device, you're playing defense." Don't focus only on the device, put pressure on the networks (of adversaries who design, build, and operate the weapons.)
- Intelligence plays a key role in defeating adversaries. Winning involves applying "lethal pressure, "along with government techniques. "It takes a network to defeat a network."
- Defeating the device attracts the most attention and funding, but training users and attacking the network must also be pursued. Training involves ensuring that operators are using countermeasures effectively and appropriately.
- JIEDDO shares threat intelligence in unclassified form so industry partners can devise countermeasures. The unclassified documents are backed by a classified appendix that describes how troops deploy countermeasures in operational settings.
If you'd like to see examples of the IEDs encountered in the field and some US countermeasures, check out the first segment.
In November I wrote SEC Guidance Emphasizes Materiality for Cyber Incidents, my thoughts after reading an article by Senator Jay Rockefeller and former DHS Secretary Michael Chertoff. They explained why the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC in October is a big deal. Since then I attended a conference on Director's and Officer's insurance in Connecticut, and spoke on a panel about that SEC guidance. During the conference I learned that the SEC guidance isn't a big deal -- it's a really big deal. We're talking a game changer, potentially on three fronts. Here's what I heard at the conference.
- First, lawyers who read the language in the SEC guidance treated it as a "stop whatever you're doing and read this" moment. The lawyers I spoke to said the SEC guidance absolutely defined new reporting duties for companies, despite talk of it being merely a "clarification" or restatement of existing guidance.
Clients bombarded insurance firms asking what language they should use in their SEC disclosure documents. They asked "what are other companies saying? What should we say?" The firms noted similar boiler plate shared among clients, most of which insufficiently met the SEC's requirements.
One lawyer I spoke with said she expects the SEC to give publicly traded firms a "one year pass" before bringing enforcement actions against them for insufficiently outlining digital risk, pre- and post-breach.
- Second, the SEC language will encourage shareholder lawsuits against companies by disgruntled parties who believe boards are not disclosing risks and actual breach details to investors. This will probably not be the primary cause for a suit but it will likely be one of other factors a shareholder action uses to show that a board is not fulfilling their duties to investors.
- Third, the SEC language may prompt whistleblower reports from dissatisfied IT and security staff to organizations like the SEC Office of the Whistleblower. (That is a real organization!) In the seven weeks beginning with this new office's launch in August 2011, parties reported 334 tips from 37 states and 11 countries, with successful enforcement actions in up to 30% of cases.
Although it doesn't appear that this new office has paid any whisteblowers yet, it is apparently gearing up to do so. Imagine a case where security staff believes that management is not treating a breach as the staff thinks it should be treated, and decides to report the incident to the SEC -- with the possibility of a payout waiting!
At least a half-dozen major U.S. companies whose computers have been infiltrated by cyber criminals or international spies have not admitted to the incidents despite new guidance from securities regulators urging such disclosures.
Top U.S. cybersecurity officials believe corporate hacking is widespread, and the Securities and Exchange Commission issued a lengthy "guidance" document on October 13 outlining how and when publicly traded companies should report hacking incidents and cybersecurity risk.
But with one full quarter having elapsed since the SEC request, some major companies that are known to have had significant digital security breaches have said nothing about the incidents in their regulatory filings.
Now Senator Rockefeller is taking a closer look as reported by Jennifer Martinez of Politico this week:
Senate Commerce Chairman Jay Rockefeller thinks the SEC needs to ensure hacked companies are adequately informing their investors about when they suffer a security breach or cybersecurity risk that could jeopardize their financial standing.
The West Virginia Democrat wants the full commission to issue guidance for companies — right now they only have staff-level instructions — on when they have to report cyber breaches or threats and what steps they’re taking to minimize the risks.
"It’s crucial that companies are disclosing to investors how cybersecurity risks affect their bottom lines, and what they are doing to address those risks," Rockefeller said in a statement to POLITICO.
Rockefeller will soon introduce an amendment that calls on the SEC to issue interpretive guidance on when companies must disclose cybersecurity risks and intrusions. Staffers for the Commerce Committee are finalizing the amendment and aim to introduce it before Sen. Joe Lieberman’s (I-Conn.) cybersecurity bill goes to the floor.
This is the sort of activity that I think is going to mark a sea change in digital security over the coming years. I don't expect engineering or technical developments to have anywhere near the same level of impact as issues that involve legislators, lawyers, insurers, and financiers. Stay tuned!
If you've been reading this blog for a while, you know I don't think very highly of mathematical valuations of "risk." I think even less highly of the clowns in the financial sector who call security professionals "stupid" because we can't match their "five digit accuracy" for risk valuation. We all know how well those "five digit" models worked out. (And as you see from the last link, I was calling their bluff in 2007 before the markets imploded.) Catching up on last week's Economist this morning I found another example of financial buffoonery that boggles the mind. The article is online: Inter-bank interest rates; Cleaning up LIBOR -- A benchmark which matters to everyone needs fixing:
It is among the most important prices in finance. So allegations that LIBOR (the London inter-bank offered rate) has been manipulated are a serious worry.
LIBOR is meant to be a measure of banks’ own borrowing costs, and is used as the foundation for a host of other interest rates. Everyone is affected by LIBOR: it influences the payments made on mortgages and personal loans, and those received on investments and pensions.
Given its importance, the way LIBOR is calculated is astonishingly flimsy. LIBOR rates are needed, every day, for 15 different borrowing maturities in ten different currencies. But hard data on banks’ borrowing costs are not available every day, and this is the root of the LIBOR problem.
The British Bankers’ Association (BBA), responsible for LIBOR, gets around it by asking banks, each day, what they feel they should pay to borrow.
So LIBOR rates—and the returns on $360 trillion of financial contracts related to them, five times global GDP—are based on best guesses rather than hard data.
Let that sink in and forget about what you learned in business school or economics classes. LIBOR isn't based on actual rates; it's based on feelings!
The next part of the article talks about suspicions that banks manipulate this broken process to the advantage of the financial sector.
The remainder offers recommendations for improvement:
[T]he BBA should revamp LIBOR to ensure it is simple, transparent and accountable. These principles suggest LIBOR should be based on actual inter-bank lending, with any gaps filled in with the help of statistical techniques. Banks’ own guesses should be used as a last resort, not the first.
And regulators should collect data that could help spot LIBOR cheats: banks should be required to submit information on other banks’ borrowing costs, as well as their own. Regulators could cross-check submissions against hard data on banking-sector risk, and publicly report LIBOR abusers.
Keep this system in mind the next time a so-called "master of the universe" offers a lecture on measuring risk in digital security.
Today I joined a panel held at FOSE chaired by Mischel Kwon and featuring Amit Yoran. One of the attendees asked the following: At another session I heard that "80% of all breaches are preventable." What do you think about that?
My brief answer explained why that statement isn't very useful. In this post I'll explain why.
The first problem is the "80%." 80% of what? What is the sample set? Are the victims in the retail and hospitality sectors or the telecommunications and aerospace industries? Speaking in general terms, different sorts of organizations are at different levels of maturity, capability, and resourcefulness when it comes to digital security.
In the spirit of salvaging this poorly worded statistic, let's assume (rightly or wrongly) that the sample set involves the retail and hospitality sectors.
The second problem is the term "breach." What is a breach? Is it the compromise of a single computer? (What's compromise? Does it mean executing malicious code, or login via stolen credentials, or...?) What is the duration of the incident? There are dozens of questions that could be asked here.
To salvage this part, let's assume "breach" means "an incident involving execution of unauthorized code by an unauthorized intruder" on a single computer.
The third problem is the word "preventable." "Prevention" as a concept is becoming less useful by the second. Think about how an intruder might try to execute malicious code against a victim. Imagine a fully automated attack that happens when a victim visits a malicious Web site. An exploit kit could throw a dozen or more exploits against a browser and applications until one works. Are they all non-zero day, or are some zero day? Again, many questions beckon.
To salvage the end of the original statement, let's translate "preventable" into "exploitation of a vulnerability for which a patch had been publicly available for at least seven days."
Our new statement now reads something like "In the retail and hospitality sectors, 80% of the incidents where an unauthorized intruder successfully executed unauthorized code on a single computer exploited a vulnerability for which a patch had been publicly available for at least seven days."
Isn't that catchy! That's why we heard shortcuts like the original statement, which are basically worthless. Unfortunately, they end up driving listeners into poor conceptual and operational models.
The wordy but accurate statement says nothing about preventability, which is key. The reason is that a determined adversary, when confronted by a fully patched target, may decide to escalate to using a zero-day or other technique for which patches are irrelevant.
Fuzzing by Michael Sutton, Adam Greene and Pedram Amini struck me as a good overview of many types of fuzzing techniques. If you read the Amazon.com reviews, particularly the verdict by Chris Gates, you'll see what I mean. For my purposes, the degree to which the authors covered the material was just right. If you're more in the trenches with this topic, you would probably want more from a book on fuzzing. I liked the following aspects of the book: integration of history, real examples, diversity of approaches, case studies, and examples. I thought the book was easy to read and well presented. Paired with more specific, newer books on finding vulnerabilities, I think Fuzzing is a winner.
My only real dislike involved the quotes by former US President George W. Bush at the start of each chapter. I thought they were irrelevant and a distraction.
I don't hunt security bugs for a living, but I've worked on teams that do and I find the process important to understand. A defender should appreciate the work that an adversary must perform in order to discover a vulnerability and weaponize an exploit. That is the spirit with which I read Hunting Security Bugs by Tom Gallagher, Bryan Jeffries, and Lawrence Landauer. When the book was published in 2006 all the authors worked at Microsoft and Microsoft Press published the book. (Yes, I did wait a long time to take a look at this title...) Despite the passage of time, I thought HSB stood up very well. Most of the problems discussed in the book and the techniques to find them should still work today. The targets have changed somewhat (XP was the target in the book; Windows 7 would be more helpful today -- thought not everywhere).
Again, this is an impression and not a review, so I only offer thoughts and not opinions or judgements on the text. From what I saw, the book appears well written with helpful diagrams and screen shots. It covers a lot of surface area and ways to exploit it.
One note for the history buffs: the foreword says:
When Jesse James, the famous outlaw of the American West, was asked why he robbed banks, he replied, Thats where the money is.
I'm sure most of you think that Willie Sutton said that, not Jesse James. According to Snopes neither of them said it:
While lore would have it that the bank robber replied "Because that's where the money is" to that common question, Sutton denied ever having said it. "The credit belongs to some enterprising reporter who apparently felt a need to fill out his copy," wrote Sutton in his autobiography. "I can't even remember where I first read it. It just seemed to appear one day, and then it was everywhere."
But back to the book -- should you buy it? If your job involves finding vulnerabilities in Windows software (and this book does have more of a Windows slant), I would take a close look at it.
In late 2009 I reviewed the first edition of The Web Application Hacker's Handbook. It was my runner-up for Best Book Bejtlich Read 2009. Now authors Dafydd Stuttard and Marcus Pinto have returned with The Web Application Hacker's Handbook, 2nd Ed. This is also an excellent book, although I did not read it thoroughly enough to warrant a review. On p xxix the authors note that 30% of the book is "new or extensively revised" and 70% of the book has "minor or no modifications." I was very impressed to see the authors outline changes by chapter on pages xxx-xxxii. That is not common in second editions, in my experience.
The book is very thorough and introduces technology along with attacks and defenses. Their "hack steps" sections provide a playbook for assessing Web applications. Some sections even mention logging and/or alerting -- I'd like to see more of that here and elsewhere! The book also includes end-of-chapter questions with answers posted on the book Web site, mdsec.net/wahh.
Speaking of the Web site, the authors also post source code, links to tools, and checklists, plus labs costing a $7/hour fee. That is a new approach I haven't seen elsewhere, but I think it's an interesting idea.
At 912 pages WAHH2E offers a ton of content written in a clear and convincing style. Great work guys. My only concern was their refusal to cite sources. That makes a real difference in my mind; give credit where credit is due in the third edition.
As you might remember, when I write impressions of a book it means I didn't read the book thoroughly enough (in my mind) to write a review. In that spirit, I read Web Application Security: A Beginner's Guide by Bryan Sullivan and Vincent Liu. I liked the book because the authors spend the time explaining the technology in question. For example, I appreciated the discussion on the same origin policy, featuring memorable advice like "the same origin policy can't stop you from sending a request; it can only stop you from reading the response" (p 175). I had one small issue with the book, and that involved its introduction to Microsoft's STRIDE model. I blogged about this years ago in Someone Please Explain Threats to Microsoft. The Web sec book says on p 36:
STRIDE is a threat classification system originally designed by Microsoft security engineers. STRIDE does not attempt to rank or prioritize vulnerabilities... instead, the purpose of STRIDE is only to classify vulnerabilities according to their potential effects. This is immensely useful information to have when threat modeling an application...
To see my critique of STRIDE, please see my linked post. Basically, STRIDE is best describe as "bad stuff," and includes a mix of attacks and vulnerabilities with no real "threats."
Nevertheless, if you're looking for a compact and detail-packed exploration of Web application security, take a look at Web Application Security: A Beginner's Guide.
By the way, I've written alot about confusing terms like "threat," "vulnerability," "risk," etc. over the years. One of my earliest posts provides background -- The Dynamic Duo Discuss Digital Risk if you are so inclined.
Amazon.com just published my five star review of SSH Mastery by Michael W. Lucas. From the review: This is not an unbiased review. Michael W. Lucas cites my praise for two of his previous books, and mentions one of my books in his text. I've also stated many times that MWL is my favorite technical author. With that in mind, I am pleased to say that SSH Mastery is another must-have, must-read for anyone working in IT. I imagine that most of us use OpenSSH and/or PuTTY every day, but I am sure each of us will learn something about these tools and the SSH protocol after reading SSH Mastery.
This year I spoke at the Executive Security Action Forum on a panel moderated by PayPal CISO Michael Barrett alongside iDefense GM Rick Howard and Lockheed Martin CISO Chandra McMahon. I thought our panel offered value to the audience, as did much of the remainder of the event.
Most of the speakers and attendees (about 100 people) appeared to have accepted the message that prevention eventually fails and that modern security is more like a counterintelligence operation than an IT operation.
After ESAF (all day Monday) I divided my time among the following: speaking to visitors to the Mandiant booth, discussing security issues with reporters and industry analysts, and walking the RSA exposition floor. I also attended the Wednesday panel where one of our VPs, Grady Summers, explained how to deal with hacktivists.
Speaking of the RSA floor, I took the photo at left praising the 55 new vendors appearing at the exposition for the first time. I counted 13 I recognized as "established" companies or organizations (Airwatch, CyberMaryland, Diebold, FireHost, Fluke Networks, Global Knowledge, GoDaddy.com, Good Technology, Nexcom, PhishMe, Prolexic Technologies, Qosmos, and West Coast Labs). I didn't recognize the other 42. There were probably dozens more who were not first-time RSA vendors that I wouldn't recognize either.
I suppose there are different ways to think about this situation. A positive way would be to view these new companies as signs of innovation. However, I didn't really see much that struck me as new or innovative. For example, a company specializing in password resets doesn't really get the heart pumping.
Another point of view could be that the presence of so many new companies means venture capital is active again. I saw plenty of that at work for certain companies who I know have just rebranded, relaunched, or have been resuscitated in recent months. Several of them sported mammoth booths and plenty else. They must figure that if they have 7 or 8 figures to spend, they're going to put it into marketing!
I was in some ways overwhelmed by the number of attendees. I saw references to over 20,000 people attending RSA 2012. I believe many of them wore $100 (or even free, courtesy of vendors) "expo only" passes. With 20,000 people willing to participate in a security event, that tells me my @taosecurity Twitter follower count (over 11,000 today) has more room to grow. I would not have expected to rise much beyond 10,000 when I started Tweeting.
One of the best aspects of RSA 2012 was the Security Bloggers Meetup, which I was able to attend in person as I blogged previously.
My buzzphrase of the conference was "big data." To me, "big data" sounds like SIEM warmed over. I'll have more to say on this topic in future posts.
I'll probably return to RSA next year on behalf of my company, and again I will focus on the exposition and non-session activities. It's the only place where you can see so many security vendors in one place.
What did you think of RSA this year?
A recent issue of the Economist featured an article titled Corporate fraud: Mind your language -- How linguistic software helps companies catch crooks. It offered the following excerpts: To spot staff with the incentive to steal (over and above the obvious fact that money is quite useful), anti-fraud software scans e-mails for evidence of money troubles...
Ernst & Young (E&Y), a consultancy, offers software that purports to show an employee’s emotional state over time: spikes in trend-lines reading "confused", "secretive" or "angry" help investigators know whose e-mail to check, and when. Other software can help firms find potential malefactors moronic enough to gripe online, says Jean-François Legault of Deloitte, another consultancy...
Dick Oehrle, the chief linguist on the project, explains how it works. First, the algorithm digests a big bundle of e-mails to get used to employees’ language. Then human lawyers code the same e-mails, sorting things as irrelevant, relevant or serious. The human feedback and the computers’ results are then reconciled, so the system gets smarter. Mr Oehrle says the lawyers also learn from the computers (presumably such things as empathy and the difference between right and wrong).
To find employees with the opportunity to steal, the software looks for what snoops call "out of band" events: messages such as "call my mobile" or "come by my office" suggest a desire to talk without being overheard. E-mails between an employee and an outsider that contain the words "beer", "Facebook" or "evening" can suggest a personal relationship...
Employers without such technology are "operating blind", says Alton Sizemore, a former fraud detective at America’s FBI... [N]early all giant financial firms now run anti-fraud linguistic software, but fewer than half of medium-sized or small financial firms do...
Prospective users typically pay for a single "snapshot" search of 12 months of company records, according to APEX Analytix, a developer of the software in Greensboro, North Carolina. For a company with 10,000 employees, this costs about $45,000. Unless a company is very small, evidence of fraud almost always surfaces, convincing clients to sign up for a yearly package that costs three or four times as much as a spot-check, says John Brocar of APEX Analytix.
Why spend the money... If a company shows it has systems in place to detect this kind of thing, and starts investigating before outsiders do, it may have an easier time in court.
When I read this story it reminded me of my advice to keep CIRT and Internal Investigations separate. Notice the repeated mention of "lawyers" in the Economist story. There is no reason for this sort of technology or responsibility to reside in the Computer Incident Response Team. CIRTs should focus on external threats. Internal Investigations should focus on internal threats, e.g. employees, contractors, and other authorized parties who may perform unauthorized activities. II should collaborate closely with legal and human resources and should not use CIRT tools or techniques. This separation of duties was invaluable when I ran GE-CIRT because we could reassure constituents that our analysts focused on bad guys outside the company, not our own users.
I'm pleased to announce that TaoSecurity Blog won Most Educational Security Blog at the 2012 Social Security Bloggers Awards. I attended the event held near RSA and spent time talking with a lot of security bloggers and security people in general. I'd like to thank the sponsors of the event, depicted on the photo of the back of the T-shirt at left. Props to whomever designed the shirt -- it's one of my favorites. The award itself looks great, and the gift certificate to the Apple store will definitely help with an iPad 3, as intended!
Long-time readers may remember that I won Best Non-Technical Blog at the same event in 2009.
Winning this award has given me a little more motivation to blog this year. I admit that communicating via Twitter as @taosecurity is much more seductive due to the presence of followers and the immediate feedback!
Speaking of Twitter, SC Magazine named @taosecurity as one of their 5 to follow, which I appreciate.
And speaking of SC Magazine, they awarded my company Mandiant their best security company award.
If the malware authors are ready to provide the samples, the authors of the book you’re reading are here to provide the skills. Practical Malware Analysis is the sort of book I think every malware analyst should keep handy. If you’re a beginner, you’re going to read the introductory, hands-on material you need to enter the fight. If you’re an intermediate practitioner, it will take you to the next level. If you’re an advanced engineer, you’ll find those extra gems to push you even higher—and you’ll be able to say "read this fine manual" when asked questions by those whom you mentor.
Practical Malware Analysis is really two books in one—first, it’s a text showing readers how to analyze modern malware. You could have bought the book for that reason alone and benefited greatly from its instruction. However, the authors decided to go the extra mile and essentially write a second book. This additional tome could have been called Applied Malware Analysis, and it consists of the exercises, short answers, and detailed investigations presented at the end of each chapter and in Appendix C. The authors also wrote all the malware they use for examples, ensuring a rich yet safe environment for learning.
Therefore, rather than despair at the apparent asymmetries facing digital defenders, be glad that the malware in question takes the form it currently does. Armed with books like Practical Malware Analysis, you’ll have the edge you need to better detect and respond to intrusions in your enterprise or that of your clients. The authors are experts in these realms, and you will find advice extracted from the front lines, not theorized in an isolated research lab. Enjoy reading this book and know that every piece of malware you reverse-engineer and scrutinize raises the opponent’s costs by exposing his dark arts to the sunlight of knowledge.
To announce the book, the publisher is running this promotion: Use discount code REVERSEIT to get 40% off Practical Malware Analysis. One week only! Free ebook with all print book purchases.
The authors also started a new blog at practicalmalwareanalysis.com.
I Want to Detect and Respond to Intruders But I Don't Know Where to Start!Mon, 13 Feb 2012 18:59:00 +0000
"I want to detect and respond to intruders but I don't know where to start!" This is a common question. Maybe you have a new security role in an organization, or a new service or business in your current organization, or some other situation where you want to find and stop attackers. However, you have no idea where to begin. Do you have the data you need? If not, what should you add? What do intrusions look like in the data you collect? These questions can be tough to answer from a purely theoretical perspective. I propose the following approach.
First, conduct a tabletop exercise where you simulate adversary actions. At each stage of the imagined attack, consider what evidence an intruder might create while taking actions against your systems. For example, if you are trying to determine how to detect and respond to an attack against a Web server, you're almost certainly going to need Web server logs. If you don't currently have access to those logs, you've just identified a gap that needs to be addressed. I recommend this sort of tabletop exercise first because you will likely identify deficiencies at low cost. Addressing them might be expensive though.
Second, conduct a technical exercise where a third party simulates adversary actions. This is not exactly a pen test but it is the sort of work a red team conducts. Ask the red team to carry out the attacks you previously imagined to determine if you can detect and respond to their activity. This should be a controlled action, not an "anything goes" event. You will see whether the evidence and processes you identified in the first step help you detect and respond to the red team activity. This step is more expensive than the previous because you are paying for red team attention, and again fixes could be expensive.
Third, you may consider re-engaging the red team to carry out a less restrictive, more imaginative adversary simulation. In this exercise the red team isn't bound by the script you devised previously. See if your improved data and processes are sufficient. If not, work with the red team to devise better detection and response so that you can handle their attacks.
At this point you should have the data and processes to deal with the majority of real-world attacks. Of course some intruders are smart and creative, but you have a chance against them now given the work you just performed.
Five years ago I reviewed the first edition of Network Warrior by Gary A. Donahue. Thank to O'Reilly I can post my "impressions" of the second edition of this great book. Although I read almost all of it, I am unable to post another review because Amazon.com has my previous review attached to the new edition. In brief, Network Warrior, 2nd Ed is the book to read if you are a network administrator trying to get to the next level. All of my praise from the previous review apply to the new book. The book is really that good, primarily because it combines very clear explanations with healthy doses of real-world experience. Thanks to Mr Donahue for taking the time to update his book!
Mark Russinovich and Aaron Margosis have written another awesome addition to the Microsoft Press catalog, Windows Sysinternals Administrator's Reference. Per my policy, because I did not read the whole book I am only posting "impressions" here and not a full Amazon.com review. In brief this book will tell you more about the awesome Sysinternals tools than you might have thought possible. One topic that caught my attention was using Process Monitor to summarize network activity (p 139). This reminded me of Event Tracing for Windows and Network Tracing in Windows 7. I remain interested in this capability because it can be handy for incident responders to collect network traffic on endpoints without installing new software, relying instead on native OS capabilities.
I suggest keeping a copy of this book in your team library if you run a CIRT. Thorough knowledge of the Sysinternals tools is a great benefit to anyone trying to identify compromised Windows computers.
Six years ago I reviewed Michal Zalewski's first book, Silence on the Wire. Michal is a security researcher who has consistently created high-quality content for a very long time, so I was pleased to receive a review copy of his newest book The Tangled Web. I did not read the whole book, hence I'm posting only my "impressions" here. I recommend reading this book if you want to know a lot, and I mean a lot, about how screwed up Web browsers, protocols, and related technologies truly are. Because many points of the book are tied to specific browser versions, I suspect its shelf life to degrade a little more rapidly than some other technical titles. Still, I am shocked by the amount of research and documentation Michal performed to create The Tangled Web.
As always, Michal's content is highly readable, very detailed, and well-sourced. It's a great example for other technical authors. Great work Michal!
The toughest question in digital security is "who cares?" The recent Tweet by hogfly (@4n6ir) made me ponder this question. He points to an Aviation Week story by David Fulghum, Bill Sweetman, and Amy Butler titled China's Role In JSF's Spiraling Costs. It says in part:
How much of the F-35 Joint Strike Fighter’s spiraling cost in recent years can be traced to China’s cybertheft of technology and the subsequent need to reduce the fifth-generation aircraft’s vulnerability to detection and electronic attack?
That is a central question that budget planners are asking, and their queries appear to have validity. Moreover, senior Pentagon and industry officials say other classified weapon programs are suffering from the same problem. Before the intrusions were discovered nearly three years ago, Chinese hackers actually sat in on what were supposed to have been secure, online program-progress conferences, the officials say.
The full extent of the connection is still being assessed, but there is consensus that escalating costs, reduced annual purchases and production stretch-outs are a reflection to some degree of the need for redesign of critical equipment. Examples include specialized communications and antenna arrays for stealth aircraft, as well as significant rewriting of software to protect systems vulnerable to hacking.
It is only recently that U.S. officials have started talking openly about how data losses are driving up the cost of military programs and creating operational vulnerabilities, although claims of a large impact on the Lockheed Martin JSF are drawing mixed responses from senior leaders. All the same, no one is saying there has been no impact.
While claiming ignorance of details about effects on the stealth strike aircraft program, James Clapper, director of national intelligence, says that Internet technology has "led to egregious pilfering of intellectual capital and property. The F-35 was clearly a target," he confirms.
The point of this article is to question the impact, in business and operational terms, of the cyberwar China continues to prosecute against the West.
The toughest question in digital security is "who cares" because it is usually extremely difficult to determine the impact of an intrusion. Consider the steps required to define the business and operational impact of the theft of intellectual property (as one example -- there are many others).
- The victim must learn that an intrusion occurred.
- The victim must determine exactly what IP was stolen.
- The victim must understand the adversary's capability and intention to exploit the stolen IP.
- The victim must recognize when the adversary exploits the stolen IP by using it in an operational context.
- The victim must determine what countermeasures or changes in courses of actions are possible to mitigate the adversary's exploitation of the stolen IP.
- The victim must synthesize most or all of the previous points into an assessment of the business and operational cost of the IP theft.
Steps 1 and 2 are largely technical, but 3-6 are more business-focused. From what I have seen, everyone who is a victim in the ongoing cyberwar struggles to conduct "battle damage assessment" (BDA) for digital intrusions. Articles like the one I cited are examples showing how difficult it is to determine if anyone should care about China's exploitation of Western IP.
It's time to name the winner of the Best Book Bejtlich Read award for 2011! I've been reading and reviewing digital security books seriously since 2000. This is the 6th time I've formally announced a winner; see my bestbook label for previous winners.
Compared to 2010 (31 books), 2011 saw a decrease to 22 books. Remember all reading is neither equal nor fast. When I review a book, I am sure to read it and not just skim it. For 10 books last year, I chose not to read them but to instead post impressions. Posts called "impressions" provide my sense of the book but I do not publish them in my Amazon.com reviews.
My ratings for 2011 can be summarized as follows:
- 5 stars: 10 books
- 4 stars: 7 books
- 3 stars: 4 books
- 2 stars: 1 book
- 1 stars: 0 books
Here's my overall ranking of the five star reviews; this means all of the following are excellent books. The links point to my reviews.
- 10. pfSense by Jim Pingle; Reed Media Services.
- 9. Beginning Visual C++ 2010 by Ivor Horton; Wrox
- 8. Windows System Programming, 4th Ed by Johnson M. Hart; Addison-Wesley.
- 7. Beginning C, 4th Ed by Ivor Horton; Apress
- 6. Robust Control System Networks by Ralph Langner; Momentum Press.
- 5. Managed Code Rootkits by Erez Metula; Syngress.
- 4. Ghost in the Wires by Kevin Mitnick and William L. Simon; Little, Brown and Company.
- 3. America the Vulnerable by Joel Brenner; Penguin Press HC.
- 2. Windows Internals, 5th Ed by Mark Russinovich, David A. Solomon, and Alex Ionescu; Microsoft Press.
And, the winner of the Best Book Bejtlich Read in 2011 award is... - Hacking: The Art of Exploitation, 2nd Ed by Jon Erickson; No Starch. My review said in part:
Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader climb each mountain. While the material is sufficiently technical to scare some readers away, those that remain will definitely learn more about the craft.
Thank you to all publishers who sent me books in 2011. I have plenty more to read in 2012.
Congratulations to all the authors who wrote great books in 2011, and who are publishing titles in 2012!
The Economist presents these charts for the following reason:
In the spring of 2011 the Pew Global Attitudes Survey asked thousands of people worldwide which country they thought was the leading economic power. Half of the Chinese polled reckoned that America remains number one, twice as many as said "China". Americans are no longer sure: 43% of US respondents answered "China"; only 38% thought America was still the top dog. The answer depends on which measure you pick. (emphasis added)
The reason I like these charts is that they remind me of how many security practitioners think about "being secure." Managers likely often ask security staff "Are we secure?" The truth is there is no single number, so anyone selling you a "risk" number is wasting your time (and probably your money). However, it would be much more useful to display a chart like that created by the Economist. The security staff could choose a dozen or more simple metrics to paint a picture, and let the viewer interpret the answer using his or her own emphasis and bias.
Another reason I like the Economist chart is that the magazine built it using specified assumptions of future activity, listed in the article. If you disagree with these assumptions you can visit the second link I posted to devise your own charts. Although not shown here, what would be even more useful is showing these charts as a time series, with snapshots for January, then February, and so on. This "small multiples" approach (promoted by Tufte) capitalizes on the skill of the human eye and brain to observe and observe differences in similar objects.
If you had to pick a dozen or so indicators of security for a chart, what would you depict? The two I consider non-negotiable are 1) incidents per unit time and 2) time to containment for incidents.
Today, 8 January 2012, is the 9th birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2843 posts later, I am still blogging. Looking at all 9 years of blogging, I averaged 315 per year, but in the age of Twitter (2009-2011) I averaged only 171 blog posts per year. I plan to continue blogging, but I expect around the same number as last year -- somewhere in the 60 to 100 post range. I spend a lot more time expressing my views to the press and market researchers and analysts, so I'm often less inclined to do more of that in my free time through this blog. I plan to devote any decent chunks of free time to more traditional writing. I love to use Twitter for quick commentary. Thanks for joining me these 9 years -- I hope to have a 10 year post in 2013!
If you're a security blogger, and you like this blog, please consider voting for me via the 2012 Social Security Bloggers Awards. I'm nominated for "Most Educational Security Blog" and the Hall of Fame. Thank you again!
Don't forget -- today is Elvis Presley's birthday. Coincidence? You decide. The image shows Elvis training with Ed Parker, founder of American Kenpo. As I like to tell my students, Elvis' stance is so wide it would take him a week to react to an attack. Then again, he's Elvis.
I studied Kenpo in San Antonio, TX but I'm going to try Tai Chi again, something I first practiced about 16 years ago in Billerica, MA during grad school.
Tweet
I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011. Register now and help Kris and me beat the attendee count from last month's record-setting Webinar.
If you have questions about and during the Webinar, you can always send them via Twitter to @mandiant and use the hashtag m_soh.
Tweet
I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's Top 25 Influencers in Security You Should Be Following today is pretty cool! Tripwire is one of those technologies and companies that everyone should know. It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire. So, I was happy to see my twitter.com/taosecurity feed and the taosecurity.blogspot.com blog make their cut.David Spark asked for my "security tip for 2012," which I listed as:
Improve your incident detection and response program by answering two critical questions:
1. How many systems have been compromised in any given time period; and
2. How much time elapsed between incident identification and containment for each system?
Use the answers to improve and guide your overall security program.
Those of you on the securitymetrics mailing list, and a few other places, have heard me speaking about this topic. I'll probably blog about it in the future, but suffice it to say that those are the key issues you should address in 2012 in my opinion.
Tweet
