Perhaps you've heard the old information security gag: "if you're a diver, you don't have to swim faster than the shark, just faster than your buddy." It's sometimes good for a chuckle and suggests that we should merely aspire to implement enough security to make us a less attractive target than our peers. Nowadays the joke is a little stale, because as Josh Corman points out in his recent TEDx talk*, sometimes the shark has a buddy too. As risks proliferate and as the bad guys of all kinds get better (badder?) at what they do, "good enough" security hasn't been remotely good enough for years. So I was particularly glad to have the opportunity to gather with some of our best and brightest customers this weekend at our second annual Customer Advisory Board meeting for a frank discussion about how we're all doing before we headed down to San Francisco for the annual RSA Conference.
Today’s attackers are, well, persistent. They’re constantly improving their tools and tactics, employing new evasion techniques, and finding new methods to exploit weaknesses in your network infrastructure. For security teams to effectively protect their organizations they need to ensure their network security ecosystems are evolving too.
But with tight budgets and competing priorities, organizations are forced to make a choice: continue to invest in security people, process and technology, or accept the risk associated with cutting corners. Underinvesting may save money in the short term, but organizations have to consider how much risk is acceptable in light of the damage caused when someone slips through the cracks.
To fight an advanced threat, you need an advanced security arsenal. Here are three things to keep in mind when developing your network security that will help ensure you aren’t taking on more risk than your organization can bear:
When I wasn’t staffing our booth and tweeting clues for our annual $1,000 giveaway, I managed to sneak away and, you know, learn some stuff (session details are here). Here are a few quick hits:
Million Browser Botnet
Jeremiah Grossman and Matt Johansen from WhiteHat Security do not have good news for us. Attendees were reminded that when you visit a web page (yes, this one too), you are essentially granting total control over your browser to the operator of the site. Last year, they took us through an alphabet soup of rotten stuff that can happen to Aunt Susie when she browses to a page: CSRF, XSS, clickjacking (more on that below) and on and on. Today’s session was all about taking these attacks to the next level, and on a distributed scale. What would it cost to borrow the combined computing and network power of, say, a million web browsers?
Without hacking. As the presenters pointed out, “The web is supposed to work this way.” Bummer.
Your adversary is not some random piece of self-replicating software. Your adversary is a human being who—like you—is staring at a screen, mashing on a keyboard and working on a project of great importance. Does your defensive posture reflect this new reality?
Remember the good old days of Slammer, Blaster, Nimda and Code Red? They were the headline-grabbers of a bygone age in information security. In those days, our interest in the actual humans behind those big, noisy, opportunistic infections was ancillary: occasionally, months after an outbreak, we might have come across a minor news story about a pimply-faced teenager appearing in a courtroom somewhere to answer for his mischief.
Now consider today’s headline-grabbers: Aurora, Stuxnet, Flame and Gauss. What makes this a new era is not that any given piece of malware may be more sophisticated; it’s the “who” behind the malware that gives us pause. Credit for Aurora, a 2009 attack on Google and other high-profile companies, is generally given to the Chinese government. Then there’s Stuxnet, a mid-2010 state-sponsored attack against Iran’s uranium enrichment facilities. And Gauss and Flame, two notable 2012 attacks that may also have been carried out by state actors. In parallel with this excitement about state-sponsored activity, we’ve seen an increase in grassroots hacking as well, with loose collectives like Anonymous and LulzSec regularly making the news.
Maybe breathless headlines about cyberweapons and hacktivism are overblown and maybe they’re not. But what’s clear is that if you have a network to defend, fixation on detecting the latest malware will get you nowhere if you overlook the focused, smart, dedicated human (or humans) on the other end of the line. They’re not casting a wide net, trying random doorknobs; they’re targeting you, your employees and your partners. If the stakes are high enough, they’re even targeting your employees’ family members for backdoor access into your network. It’s perfectly likely that your adversary is probing (or has already breached) your defenses.
Are you ready? How would you know if a stealthy, focused team of adversaries quietly slipped into your network? How would you respond if you knew? Are you counting on your technologies alone to save you from the reconnaissance that leads to infection, or the infection that leads to escalation of privilege and propagation, or the expanded foothold that leads to exfiltration and/or sabotage? They won’t. And they can’t. Not without you at the helm, persistently involved in the defense of your assets.
Some of the stages in this simplified threat life cycle (reconnaissance, breach, propagation, exfiltration) certainly involve malware of some kind, but usually malware is but a small part of a much bigger picture. When malware is used, it is only as sophisticated as it needs to be to get the job done (it being prudent to save the juiciest techniques for the hardest targets), and even so, your father’s antivirus, firewall, and IPS no longer pose an interesting challenge to a talented and well-equipped adversary.
Fortunately, an array of younger companies (I work for one myself) offer updated technologies that approach the problem in any number of clever and interesting ways. Some of these new technologies are promising and exciting, but in a climate where we’re battling other humans in what amounts to real time for control over our networks, no completely automated defense will work.
People and processes are the sine qua non: they are essential to augment the technologies you’re considering for your networks. You need hunters, actively probing for anomalous traffic using the best available network visibility and correlation technologies. You need robust detection and mitigation processes that take modern threat actors' tools, tactics and procedures into account. You need a robust and effective incident response regime to break you out of the constant whack-a-mole infection cycle. In fact, the most effective defenders regularly conduct exercises and simulations to test and continuously improve their own people, processes and technologies.
This comprehensive approach to network defense doesn’t come easy or cheaply. But if your aim involves protecting things of value from risk or harm, then you need to make sure you’re allocating scarce resources wisely. After all, your adversaries know how to focus on people and process. And your adversaries know better than to overestimate the importance of technology alone in fulfilling their mission. See that you do as well.
I'm thrilled that our friend David Schuetz is getting some much-deserved accolades for figuring out last week's story about one million stolen Apple UDIDs.
To review: a UDID is an identifier akin to a serial number that uniquely identifies an Apple iPhone, iPad or iPod Touch. iOS app developers have grown accustomed to using these numbers to manage their relationships with their customers, and because of widely reported privacy concerns Apple has recently started forcing developers to use other ways to track their users. Last week someone claiming to be Anonymous (how can one tell?) released a million records including names, UDIDs and some other interesting tidbits, and I was one of over a half million people to download the data to see if I was in it. (Nope.) The leak was accompanied by a claim that the data came from the laptop of an FBI agent, hacked in a 0-day Java attack. The FBI quickly denied this claim, which was--naturally--interpreted as confirmation.
We know David because he solved our 2012 Decode This II puzzle, and was very nearly the person who solved our 2011 puzzle as well. It's only natural that his brain would be the one to find the needles in the UDID dump haystack, find the patterns and anomalies, and make sense of their meaning. And to do it first!
Regular readers of this blog may have noticed the occasional appearance of "Aunt Susie." She's my model for the ordinary mortal, one of the two billion Internet users who don't happen to be IT security experts.
One of the people who typifies my experience of Aunt Susie called me while I was on vacation last week (hey, did I miss anything?). Someone from Microsoft was on the phone, she said, and had scary things to say about a botnet infection allegedly involving her computer. (It's a well-documented scam: they get you to open the Windows "eventvwr" log display application, show you some cryptic, scary-looking errors, get you to install a remote access application so they can "fix" the "problems," and then they pwn you.) My friend literally had the scammer in one ear and me in the other as I advised her on how to handle the call. Eventually, at my urging, she reverted to a broken record: "tell me how to get back in touch with you and I might call you back." Above all, what surprised me about the encounter was the persistence of the scammer (25 minutes!), even after knowing that his target had phoned a skeptical friend. She told me that the background noise sounded like a call center. How many people are out there dialing for dollars like this?
Lots, in fact. After the call was over I related this story to the folks I was traveling with. One reported that her mom had recently been targeted in the very same way. This, together with the volume of comments to the story linked above, suggests a staggering number of targets. In the same way that spam e-mail arose as a cost-effective way to make money (most people don't bite, but you can cheaply cast a wide net with gadzillions of e-mails), this scam is made cost-effective by the fact that you can staff up an overseas call center with squads of affordable, English-speaking "support reps" equipped with robodialing and VoIP technologies that cost a minuscule fraction of the long distance bills that would have made such a model unworkable just a few years ago. What makes this problem more challenging? How can we improve Aunt Susie's lot?
Computers are still intimidating, mysterious black boxes to most of the people who use them. Can the computing experience ever be friendly and secure enough that error logs like those in the Windows Event Viewer or the OS X Console are less amenable to being exploited by an attack like this? Or is there no escape from the sentiment expressed in the T-shirt we see year after year at hacker conferences? "Social Engineering Expert/Because there is no patch for human stupidity."
I have a colleague who feels strongly that Aunt Susie simply shouldn't be permitted to operate a general purpose PC as a privileged user without "adult" supervision. iPads and Gatekeeper-equipped Macs for them only, I suppose (or maybe just i-Openers?). My colleague, quite naturally, would expect to be exempt from such draconian restrictions: I smirk to wonder if he ever disables DEP on his Windows boxes.
It's helpful that Microsoft has a page about this sort of scam. There's some good general guidance reminding folks that Microsoft doesn't go around calling customers and asking for their credit card numbers. On the other hand, the very same page makes reference to the fact that Microsoft has, in fact, contacted customers directly during campaigns to take down botnets when warranted. How is Aunt Susie to know for sure when it's Microsoft on the line and not a scammer? Microsoft misses an opportunity to provide clearer guidance on how to authenticate a genuine Microsoft representative (an admittedly sticky wicket, but I'll wager they have enough smart folks on hand to work something out).
And the "let me call you back" approach we eventually took is no guarantee of a solution either: they may give you a toll number to call back and simply linger on the phone with you while you unwittingly pay them handsomely for the privilege.
Aside from improving on the basics (better user awareness, better endpoint vulnerability management, more robust trust relationships) I don't know if there's a solution to the challenge of keeping Aunt Susie safer on the Internet. But I do believe the task of finding it is an important one even if there is no way to keep an epic hack like the one involving Mat Honan from ever happening again. We expend significant resources in the development and deployment of technologies and processes for defending corporations against smart teams of foreign adversaries; why not do more to help their employees at home?