Original Post Author: Chris Sanders [Twitter: @chrissanders88]
Original Date Published: 22 February 2013

All of us at InGuardians are really excited to welcome you to the first post on our InGuardians Labs blog. In addition to consulting, InGuardians prides itself on being one of the leading information security research firms, with interest in several important facets of information security. This blog will serve as a mechanism for us to continue sharing some of that information with the community.

In this first post, several of InGuardians Senior Security Analysts discuss a few of the trends they’ve been thinking about and some of the neat things they’ve been working on as we delve further into 2013.

Tom Liston (@tliston)

You hear it all the time from security professionals: “Things don’t seem to be getting better. If anything, they’re getting worse.”

And so, over the past few months, I’ve found myself doing a lot of thinking about how the things that we do affect the overall “security landscape.” Having been in the “security game” for longer than I care to admit, I think I have a reasonably good handle on how the climate of our profession has changed over the past ten to fifteen years, and I’ve noticed some trends that I think are interesting.

To start this conversation, I want to turn to something that may, at first glance, seem totally unrelated to security. I live in the Midwest and, as those of you who know me personally may be aware, my home is, quite literally, in the middle of farm fields. My father-in-law spent his entire life farming, and recently, while I was listening to him talk about a growing problem with some specific types of crops, it struck me that the issues he spoke of were very much analogous to what we’ve seen in the security industry over the past several years.

So let me tell you a little about corn.

Yes, corn.

You see, back in the mid-90’s a company called Monsanto had a problem. They had an amazingly effective herbicide called glyphosate (marketed under the name RoundUp™) but a rather limited marketplace. A “herbicide” is a chemical that kills plants – all plants. While there are some limited applications for this type of chemical death squad, generally it isn’t the kind of stuff that farmers were buying in bulk. Then someone at Monsanto had a brilliant idea: “What if we could make crops that tolerated being sprayed with RoundUp?” Thus was born a genetically modified plant: RoundUp-Ready™ Corn. The idea was that you plant some RoundUp-Ready™ corn, spray your field with RoundUp™, and sit back and watch everything but the genetically modified plants die. Just like magic, weed-free fields. It was awesome, and it worked like a charm. Then, the weeds began to change…

While Monsanto spent several years making a ton of money off of their patents for RoundUp™ and RoundUp-Ready™ seed, they sort of forgot that natural selection had been doing genetic modification for a lot longer than they had. Ol’ Mother Nature decided to ignore Monsanto’s patents, and began manufacturing RoundUp-Ready™ weeds.

Driving around my “neighborhood,” I see the resultant “end game” all the time. Fields that a few years ago were essentially perfect, with beautiful crops with no weeds to be seen, are now beginning to be over-run with various types of weeds. Worse still, farmers have nothing in their chemical arsenal to use on these new, genetically modified weeds.

So how does this relate to security?

I know that it’s disheartening to listen to the news and continue to hear about security breaches. I watch the attacks against my honeypot systems (tweeted as @netmenaces) and often find myself wondering if all of the work we’ve done to secure systems over the past fifteen years has had any positive impact.

Then I look at the “weeds.”

You see, over the past fifteen years, the “weeds” in the security world have changed too. Back in 1998, our biggest worry was the CIH/Chernobyl virus. While it certainly caused some damage in its time, comparing it to the type of stuff we’re seeing today is like comparing a tricycle to a Ferrari. The problem isn’t that we haven’t made an impact. The problem is our expectations about what that impact should be. Sure, it would wonderful if we woke up one morning and all the bad guys were all gone, but just like the farmers who sprayed their fields with RoundUp™, that expectation ignores the dynamic aspects of the fight we’re in.

Somewhere, out there, people are making their living off of intrusions, phishing, and malware and they’re not just going to give up and go softly into the night if the going gets tough. Just like the RoundUp-Ready™ weeds, when we up our game, they up theirs. It’s survival of the fittest. Natural selection. The “circle of life.” Just like the farmers, though, we also are finding ourselves looking at fields of “weeds,” knowing full well that the tools we have in our arsenal just aren’t up to the task. We’ve pushed the bad guys and they’ve upped their game. We need to up ours.

Signature-based, reactive security has reached its limit. Many of us in the industry have been clamoring for innovation for some time, and we find ourselves watching an antivirus industry content to sit on its “laurels,” raking in subscription fees for signature updates while Rome burns. Something has to change. And so, as we begin a new year, I find myself looking to the past to give myself hope. We have made a difference. When you find yourself doubting that, do what I do: take a look at the weeds.

But don’t spend too much time congratulating yourself. There’s still a lot more work to be done.

Jimmy Alderson (@jimmyZATL)

Well, 2012 came and went and the world didn’t end. Though for some organizations that experienced compromises of their infrastructure it probably felt like it was going to. This is why planning for the great information security cataclysm in your organization is so important. The one deciding factor that determines whether a security incident is fatal to an organization or not is readiness.

Readiness comes in many different varieties, and for a successful incident response program, one has to address each of these. The first is understanding the threats. Are you a target of opportunity or are you a target of choice? This past year I saw more and more executive support of engagements that helped to answer these questions. I was impressed by how many organizations were interested in finding out who it was that was after their data, but I was also a bit dismayed when those answers themselves were questioned. Are governments really plotting attacks on strategic targets? Is organized crime really trying to get into your networks? Are hacktivists really something we have to be concerned about? You mean I have to worry about malware in my supply chain?

The answers to all of these, as we have found, is a resounding YES. But, what to do about it? This brings us to our next type of readiness, exercising the current security posture of the infrastructure. Continued penetration testing is a must for any organization that has something to lose. Once you know WHO wants to attack you, you have to understand HOW they would do this. The arsenal of todays attacker is greater than it has ever been, and security research is more funded than it has ever been. This means organizations have to be more vigilant than they have ever been as well. We can no longer simply focus on the disappearing perimeter devices, but rather, we have to pen test the physical buildings that house our data centers, the people and processes which guard them, and the products we buy from vendors BEFORE we deploy them.

Finally, the capstone of readiness is incident response. This is probably the most difficult and cost intensive piece of the puzzle, but it’s also the most important. Once you suffer a compromise of cataclysmic proportions, you have two choices: respond or fail. The ability of organizations to respond to the successful attack could mean the difference between re-provisioning a couple of systems or tens of thousands of systems. Strong incident response programs allow a business to continue moving as if they simply hit a speed bump, where weak IR programs can result in the destruction of the entire organization. Never assume that hackers can access network, assume hackers are already on your network. Your job is to make their attacks difficult and to detect and respond to their presence in as short of an amount of time as possible. 2012 passed with the world still in tact, but in order for us to be prepared for the serious threats that we will face in 2013 and the years to come, we have to continue to ask ourselves if we prepared for the unthinkable, or do we simply see the threat as a myth?

John Sawyer (@johnhsawyer)

Why is it that we keep hearing that security is fighting a losing battle? Is telling corporate security teams that they’re still going to get hacked regardless of what they do the message that’s going to make them want to work harder? I’m no self-help guru, but that seems to be contradictory to how we should be inspiring defenders to protect their networks.

I spent the first decade of my IT career primarily focused on defense, incident response, and forensics. There were bits and pieces of offensive activities sprinkled about during those years, but those efforts were primarily done with a goal of increasing defenses, limiting the attack surface of our network, and being able to respond quickly and effectively to attacks. The lesson I learned throughout those years is that defense is hard. Not impossible, but quite hard. However, it can be fun provided you’re not looking at it as a lost cause.

So, the question is why do we keep hearing that security is a losing battle? The simplest answer is that while defenders need to do their job right every time, an attacker only needs to do their “job” right once. That single success, often amongst many failures, is all the attacker needs to get a foothold into the network. After that, it’s often trivial to pivot within the network, exploit additional hosts, and exfiltrate data. Rinse, lather, repeat.

As a security consultant and penetration tester, I regularly see the truth behind the statement above. I just need to find one misconfiguration, vulnerable web application, or system with a default password, and I’m in. It’s easy to get caught up in the coolness of an attack and forget about how to defend against it. I’m seeing a couple new blogs every week that describe some cool new attack without getting to what’s more important — touching on what needs to be done to prevent the attack or at least limit the damage caused by the attack.

I consider myself extremely fortunate to work with a team that has a diverse background in both offense and defense. That diversity allows them to appreciate the awesomeness of a new attack while also immediately working on ways to make the attack better and defend against it. It’s a great dynamic to see and be a part of.

For example, let’s say we find a clever way to attack a smart meter or wireless device. While that’s great, we must also show how to mitigate the vulnerability through a configuration change or additional security controls. Going a step further, we also need to explain how to detect the attack through application log and/or network security monitoring. Without those three components, no discovery is complete.

With the new year already in full swing, I’m looking forward to exploring more embedded devices and working on projects like rfcat and heatermeter, continuing to find new ways to attack networks, and developing defenses against those attacks. It’s already been an exciting first few weeks and there’s so much more coming down the pipeline.

Chris Sanders (@chrissanders88)

As we’ve gotten off to a quick start in these first few months of 2013 with a hot mess of new Java zero days, I’ve been thinking a lot about “the next big thing” in network security monitoring (NSM). The NSM Cycle happens in terms of Collection, Detection, and Analysis, so let’s talk about the big things happening in each area.

I think people are really starting to grasp the importance of collection as a part of the NSM process. I’ve seen a great number of organizations spending millions of dollars on SIEM solutions, and then dumping every bit of data they can into them. Of course, this model isn’t sustainable and hampers detection and analysis as a result. It’s at this point these organizations really have to dig deep into their data and determine what is important from a risk perspective. Ultimately, this tells an organization what data provides the most “bank for your buck” when it comes to storage/processing overhead and analytic value. When organizations finally come to this realization, they can begin seeing what true NSM is capable of.

When it comes to detection, it’s all about Bro right now. While I think signature-based detection is still critical, its not news to anybody that this type of detection alone isn’t enough. I’ve been playing around with Bro a lot lately, and I’m finding that there is a plethora of unique ways to use its flexibility to do true anomaly-based detection. Although I’ve used Bro a fair amount, I still feel like I’m only scratching the surface. I think a lot of other movers and shakers in the NSM business are starting to really recognize Bro as a bit of a game changer. I’m hoping to write quite a bit more on this topic and spend more time with anomaly and statistically based detection.

Along with this, I’ve really been thinking a lot about “Canaries” lately, as a function of detection. In mining, they used to place Canaries in the shafts because they were more susceptible to gases that might cause the miners harm. If the Canary bit the dust, the miners knew to get out of dodge. A lot of unique things can be done with this concept as it relates to network defense. For instance, you can generate alerts tied to the access of hidden web directories, or even place “special files” on high-value servers that can phone home if exfiltrated. Canaries within the context of NSM can be implemented in a lot of unique ways, and while I’ve seen some researchers discuss this concept, I haven’t seen a lot of organizations actually implementing the strategy. I’ve got a lot of ideas here and am hoping to spend some development time writing some code and developing some scenarios that can be used for enhanced attack sense and warning with various canary techniques.

I believe the biggest area for improvement within NSM comes in the analysis phase of the NSM cycle. I’ve spent a lot of time in a lot of SOC’s, and sometimes watching people try to work together to collectively analyze a potential incident is like watching a group of people trying to baptize a cat. It just doesn’t work well. Every SOC seems to have “pockets of excellence”, which consist of one or two individuals who are very good at analysis, but for some reason, this talent never seems trickle down to lesser skilled analysts. I believe the main reason for this is that we don’t really have a lot of solid, repeatable analytic methods that can be taught to young analysts. Most new analysts are drilled with the concept of “Learn what normal looks like, and you will be able to spot what is abnormal.” While the statement itself is general true, relying on that statement as the entire basis for your analytic approach isn’t acceptable. I’ve written a bit on this topic before, specifically on using differential diagnosis as an analytic method. I’ve actually been writing a lot on this topic recently for my latest book project. This book will be titled “Applied Network Security Monitoring”, and I’m incredibly excited about it, but more on that later.

Although I spend the bulk of my time playing around within the NSM space, I’ve really enjoyed getting into hardware lately (thanks/blame largely to my coworkers). In the past couple months I’ve really been working a lot with my Raspberry Pi’s, and have finished building a Heatermeter to assist in my BBQing (my passion outside of NSM). I’ve also been working on a project called RaspberryPig, which is a small Linux distro designed to run a slimmed down configuration of Snort and Netflow capture software on the Raspberry Pi. The goal is for this to serve as a portable, tactically used data collection and detection interface during incident response. Outside of that, I’ve also been enthralled by amateur drone construction, and have just about finished the completion of my first built-from-scratch quadcopter. I don’t know how that applies to NSM or information security, but it sure is cool.

/me Cues the Top Gun theme song

Jay Radcliffe (@jradcliffe02)

Flipping the calendar to another year I look forward to diving deeper into the abyss that is embedded device security. In the push to connect everything we own to Twitter and Facebook, we have neglected to secure these devices in an acceptable manner. The last two years have exposed a new class of security problems, resulting in the exposure of security flaws in a wide variety of embedded devices. Some of these security flaws are even associated with medical devices, and could prove to be nothing less than deadly.

I have been working on developing a framework for securing these devices, and working on methods that companies can use to be better prepared to respond to vulnerabilities in their devices. We’ll be featuring this talk at BlackHat Europe in March and Design West San Jose in April.

Also under the microscope are the millions of devices that communicate wirelessly. Not just medical devices, but smart meters, home security equipment, and even children’s toys now have wireless chips allowing them to communicate out to the world. With this, come all of the security problems that we have seen in the computer world for the past decade. We are going to apply the decade of knowledge to bring protection to these devices over the coming years.