Your adversary is not some random piece of self-replicating software. Your adversary is a human being who—like you—is staring at a screen, mashing on a keyboard and working on a project of great importance. Does your defensive posture reflect this new reality?
Remember the good old days of Slammer, Blaster, Nimda and Code Red? They were the headline-grabbers of a bygone age in information security. In those days, our interest in the actual humans behind those big, noisy, opportunistic infections was ancillary: occasionally, months after an outbreak, we might have come across a minor news story about a pimply-faced teenager appearing in a courtroom somewhere to answer for his mischief.
Now consider today’s headline-grabbers: Aurora, Stuxnet, Flame and Gauss. What makes this a new era is not that any given piece of malware may be more sophisticated; it’s the “who” behind the malware that gives us pause. Credit for Aurora, a 2009 attack on Google and other high-profile companies, is generally given to the Chinese government. Then there’s Stuxnet, a mid-2010 state-sponsored attack against Iran’s uranium enrichment facilities. And Gauss and Flame, two notable 2012 attacks that may also have been carried out by state actors. And in parallel with this excitement about state-sponsored activity, we’ve seen an increase in grassroots hacking as well, with loose collectives like Anonymous and Lulzsec regularly making the news.
Maybe breathless headlines about cyberweapons and hacktivism are overblown and maybe they’re not. But what’s clear is that if you have a network to defend, fixation on detecting the latest malware will get you nowhere if you overlook the focused, smart, dedicated human (or humans) on the other end of the line. They’re not casting a wide net, trying random doorknobs; they’re targeting you, your employees and your partners. If the stakes are high enough, they’re even targeting your employees’ family members for backdoor access into your network. It’s perfectly likely that your adversary is probing (or has already breached) your defenses.
Are you ready? How would you know if a stealthy, focused team of adversaries quietly slipped into your network? How would you respond if you knew? Are you counting on your technologies alone to save you from the reconnaissance that leads to infection, or the infection that leads to escalation of privilege and propagation, or the expanded foothold that leads to exfiltration and/or sabotage? They won’t. And they can’t. Not without you at the helm, persistently involved in the defense of your assets.
Some of the stages in this simplified threat life cycle (reconnaissance, breach, propagation, exfiltration) certainly involve malware of some kind, but usually malware is but a small part of a much bigger picture. And while it is the case that when malware is used, it is only as sophisticated as it needs to be to get the job done (it being prudent to save the juiciest techniques for the hardest targets), your father’s antivirus, firewall, and IPS no longer pose even an interesting challenge to a talented and well-equipped adversary.
Fortunately, an array of younger companies (I work for one myself) offer updated technologies that approach the problem in any number of clever and interesting ways. Some of these new technologies are promising and exciting, but in a climate where we’re battling other humans in what amounts to real time for control over our networks, no completely automated defense will work.
People and processes are the sine qua non: they must augment whatever technologies you're considering for your networks. You need hunters, actively probing for anomalous traffic using the best available network visibility and correlation technologies. You need robust detection and mitigation processes that take modern threat actors' tools, tactics and procedures into account. You need a robust and effective incident response regime to break you out of the constant whack-a-mole infection cycle. In fact, the most effective defenders regularly conduct exercises and simulations to test and continuously improve their own people, processes and technologies.
This comprehensive approach to network defense doesn’t come easy or cheaply. But if your aim involves protecting things of value from risk or harm, then you need to make sure you’re allocating scarce resources wisely. After all, your adversaries know how to focus on people and process. And your adversaries know better than to overestimate the importance of technology alone in fulfilling their mission. See that you do as well.
If you're responsible for securing your enterprise network, you regularly detect attempts from attackers trying to penetrate your perimeter defense. And, every so often, an attack succeeds. Now you know a system is compromised and while you can fix that system, you're now stuck with a few open items to resolve:
What sort of command and control communication occurred following the breach? In fact, what was all the communication from that host thereafter, since it may have involved exfiltration of key data assets?
Were any other users in your environment targeted and successfully exploited in the same campaign, likely using the same techniques?
What was the full scope of the attack, especially where external communications were involved?
Once you know these answers, you'd ideally like to go back to your security tools to write rules to help prevent future breaches using the same techniques.
You could try to do this with tools that rely on netflow, which typically means you have a listing of the IP information for all flows in your environment. But when the attack techniques involve the same malware served from different servers, potentially geographically distributed, what use is netflow? The IP addresses change while the malware stays the same.
You could try to do this with tools that capture all packets, index them, and then present you with the ability to do high-level queries. The issue with this is now you're establishing a SAN at every monitoring point and the queries take far too long to run, especially when they involve content level searches. Plus, when you do find what you were looking for, you then need to decide what action to take on the network. Block communication at the firewall? And, how will that help when the adversary is using assets around the world?
Starting now, you can use Fidelis XPS™ Collector, in conjunction with Fidelis XPS CommandPost and sensors, to store and query rich session metadata on all traffic at your monitoring points. The sensors decode sessions in real time, extracting information about all aspects of the session – including netflow, SSL signing certificates, To, From and Subject field info from enterprise e-mail and Webmail, executable signing info with build times – and much more. Further, this information is readily queried and correlated in an enterprise-class database. When you've identified enough characteristics about the attacks – perhaps a unique User-Agent string or Referrer – you can easily create rules in Fidelis XPS to block those sessions on the network the next time the attacker is back. And, in case you're wondering, all these systems are either 1U rackmount appliances or virtual appliances, giving you a pain-free operational and deployment cycle.
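To make the three scoping questions concrete, here is an added Python example (not Fidelis code) that answers them over constructed session metadata of the kind a sensor extracts per session; the record fields, the rarity heuristic for picking an indicator, and the rule format are all assumptions.

```python
"""Added example, not Fidelis code: scoping an intrusion from session metadata.
Each record is a constructed sample of what a sensor might extract per session
(time in epoch seconds, source host, destination, HTTP User-Agent, Referer)."""
from collections import defaultdict

SESSIONS = [  # constructed sample data; 10.0.0.5 is the known-compromised host
    {"t": 100, "src": "10.0.0.5",  "dst": "203.0.113.10", "ua": "Mozilla/5.0",   "ref": "http://intranet/"},
    {"t": 220, "src": "10.0.0.5",  "dst": "198.51.100.7", "ua": "MSIE 6.0; SV1", "ref": ""},
    {"t": 300, "src": "10.0.0.5",  "dst": "192.0.2.44",   "ua": "MSIE 6.0; SV1", "ref": ""},
    {"t": 310, "src": "10.0.0.9",  "dst": "198.51.100.7", "ua": "MSIE 6.0; SV1", "ref": ""},
    {"t": 320, "src": "10.0.0.12", "dst": "203.0.113.10", "ua": "Mozilla/5.0",   "ref": "http://intranet/"},
    {"t": 330, "src": "10.0.0.20", "dst": "203.0.113.10", "ua": "Mozilla/5.0",   "ref": "http://intranet/"},
]

def post_breach_sessions(sessions, host, breach_time):
    """Q1: every session the compromised host initiated after the breach."""
    return [s for s in sessions if s["src"] == host and s["t"] >= breach_time]

def rarest_indicator(sessions, suspect, field):
    """Among values of `field` seen in the suspect sessions, pick the one used by
    the fewest distinct hosts enterprise-wide (assumed heuristic: the rarer the
    value, the more attacker-specific it is). Returns None if nothing is usable."""
    hosts = defaultdict(set)
    for s in sessions:
        hosts[s[field]].add(s["src"])
    candidates = {s[field] for s in suspect if s[field]}
    return min(candidates, key=lambda v: len(hosts[v])) if candidates else None

def pivot(sessions, field, value):
    """Q2/Q3: every source host and every destination tied to the indicator."""
    matches = [s for s in sessions if s[field] == value]
    return {s["src"] for s in matches}, {s["dst"] for s in matches}

def block_rule(field, value):
    """Assumed rule shape: a field/value match to hand to the policy engine."""
    return {"match": {field: value}, "action": "block"}

def scope_breach(sessions, host, breach_time, field="ua"):
    """Run the three questions end to end and propose a block rule."""
    suspect = post_breach_sessions(sessions, host, breach_time)
    ioc = rarest_indicator(sessions, suspect, field)
    hosts, dsts = pivot(sessions, field, ioc) if ioc else (set(), set())
    return {"indicator": ioc, "other_hosts": hosts - {host},
            "destinations": dsts, "rule": block_rule(field, ioc) if ioc else None}

if __name__ == "__main__":
    print(scope_breach(SESSIONS, "10.0.0.5", breach_time=50))
```

Pivoting on the Referer field instead (`field="ref"`) returns no indicator here, because the suspect sessions carry none; that is the failure mode the `None` handling covers.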
Regular readers of this blog may have noticed the occasional appearance of "Aunt Susie." She's my model for the ordinary mortal, one of the two billion Internet users who don't happen to be IT security experts.
One of the people who typifies my experience of Aunt Susie called me while I was on vacation last week (hey, did I miss anything?). Someone from Microsoft was on the phone, she said, and had scary things to say about a botnet infection allegedly involving her computer. (It's a well-documented scam: they get you to open the Windows "eventvwr" log display application, show you some cryptic, scary-looking errors, get you to install a remote access application so they can "fix" the "problems," and then they pwn you.) My friend literally had the scammer in one ear and me in the other as I advised her on how to handle the call. Eventually, at my urging, she reverted to a broken record: "tell me how to get back in touch with you and I might call you back." Above all, what surprised me about the encounter was the persistence of the scammer (25 minutes!), even after knowing that his target had phoned a skeptical friend. She told me that the background noise sounded like a call center. How many people are out there dialing for dollars like this?
Lots, in fact. After the call was over I related this story to the folks I was traveling with. One reported that her mom had recently been targeted in the very same way. This, together with the volume of comments to the story linked above, suggests a staggering number of targets. In the same way that spam e-mail arose as a cost effective way to make money (most people don't bite, but you can cheaply cast a wide net with gadzillions of e-mails), this scam is made cost effective by the fact that you can staff up an overseas call center with squads of affordable, English-speaking "support reps" equipped with robodialing and VoIP technologies that cost a minuscule fraction of the long distance bills that would have made such a model unworkable just a few years ago. What makes this problem more challenging? How can we improve Aunt Susie's lot?
Computers are still intimidating, mysterious black boxes to most of the people who use them. Can the computing experience ever be friendly and secure enough that error logs like those in the Windows Event Viewer or the OS X Console are less amenable to being exploited by an attack like this? Or is there no escape from the sentiment expressed on the T-shirt we see year after year at hacker conferences? "Social Engineering Expert / Because there is no patch for human stupidity."
I have a colleague who feels strongly that Aunt Susie simply shouldn't be permitted to operate a general purpose PC as a privileged user without "adult" supervision. iPads and Gatekeeper-equipped Macs for them only, I suppose (or maybe just i-Openers?). My colleague, quite naturally, would expect to be exempt from such draconian restrictions: I smirk to wonder if he ever disables DEP on his Windows boxes.
It's helpful that Microsoft has a page about this sort of scam. There's some good general guidance reminding folks that Microsoft doesn't go around calling customers and asking for their credit card numbers. On the other hand, the very same page makes reference to the fact that Microsoft has, in fact, contacted customers directly during campaigns to take down botnets when warranted. How is Aunt Susie to know for sure when it's Microsoft on the line and not a scammer? Microsoft misses an opportunity to provide clearer guidance on how to authenticate a genuine Microsoft representative (an admittedly sticky wicket, but I'll wager they have enough smart folks on hand to work something out).
And the "let me call you back" approach we eventually took is no guarantee of a solution either: they may give you a toll number to call back and simply linger on the phone with you while you unwittingly pay them handsomely for the privilege.
Aside from improving on the basics (better user awareness, better endpoint vulnerability management, more robust trust relationships) I don't know if there's a solution to the challenge of keeping Aunt Susie safer on the Internet. But I do believe the task of finding it is an important one even if there is no way to keep an epic hack like the one involving Mat Honan from ever happening again. We expend significant resources in the development and deployment of technologies and processes for defending corporations against smart teams of foreign adversaries; why not do more to help their employees at home?