Always A Bad Day For Adversaries

Tag: threat

5 Cyber Security Predictions for 2013

2013 Crystal Ball2012 has been an interesting year with a growth in our understanding of our adversaries and some high-profile international security incidents.  2013 will continue to impress, but differently.  It will ultimately be a year of strategic growth.

 

Here are 5 cyber security predictions for 2013.

 

 

1. There will be little change to the threat landscape

There will be little change to the threat landscape in 2013 as our adversaries are already achieving their intent (extrapolating the size and scale of currently known adversary operations) and therefore have little pressure to change.  However, I do not see this as holding into 2014 as greater innovation in the threat intelligence and mitigation space is made (prediction #4) and the role of government is better defined (#5).

 

2. Cyber attacks will have a greater impact to a greater number

As data and service providers co-locate in cloud environments, attacks on the infrastructure providing these services will rise (attackers will always go to where the data lives) resulting in greater collateral damage to non-intended victims simply based on with whom they are co-located.

 

2.1 Corollary: Risks will be more difficult to assess as control of the location of data and an accurate knowledge of the infrastructure is lost in the cloud.  This will cause businesses to continue to mismanage public and customer relations when incidents occur.

 

3. The cost of cyber threats will grow and there will be an increased awareness and visibility of those costs resulting in greater effective action in the mid-and-long term.

Based on prediction #3 the cost of cyber threats to all organizations will grow.  However, as has been the trend, visibility of security issues and incidents will rise forcing business change to address this challenge in new ways (hence prediction #5).   Innovation will then lead to greater effective action in the mid-and-long term.

 

4. The role of government in securing computer systems from domestic and foreign cyber threats will continue to be muddled.

The role of government in any area is generally slow to evolve.  Cyber security has not been any different.  As governments around the world are consumed by domestic and international economic affairs, little attention will be focused on this problem further delaying necessary action.

 

5. Private industry, vice government or research, will make great innovations in the threat intelligence and mitigation space.

Based on: (1) the amount of venture capital flowing into cyber security industry to produce innovations in threat intelligence and mitigation, (2) the market growth for such innovations (based on predictions #2 & #3), and (3) with the growth in funding means the ability for private industry to recruit and retain the best talent in the field — it is no great stretch of the imagination to see that this is where the innovations necessary to combat the threat and increase risk and cost on the adversary will originate during 2013 changing the threat landscape in 2014 and beyond.

20 Questions for an Intrusion Analyst

There are many approaches to finding the right people with the right talent to solve problems.  Intrusion analysis and incident response is no different.

I recently saw a great recruiting quiz to test potential employees in various knowledge areas which included programming, packet analysis, protocol analysis, snort rule writing, reverse engineering, data encoding, advanced mathematics, and other topics.  The test was designed so that it crossed so many topics one person would likely not successfully complete it.  However, it would highlight a person’s strengths and interests to give the assessor a more complete picture of the applicant.

This made me think, what topics and questions would I use to achieve the same effect?   After some deliberation, I have developed my own “20 Questions for an Intrusion Analyst” recruitment quiz (below) to highlight areas I think are important about a potential analyst joining a team.

As you may notice, I have covered several areas with these questions: analytic reasoning, creativity, adversary operations, packet analysis, intrusion detection, programming, reverse engineering, vulnerability analysis, exploit writing, and teaming.

I am purposefully not providing the answers 🙂

20 Questions for an Intrusion Analyst

  1. Describe you first experience with a computer or network threat
  2. You are given 500 pieces of straw and told that one piece is a needle which looks like straw.  How would you find the needle?  What other pieces of information would you like to have?
  3. Explain the difference between intrusion and extrusion detection
  4. Describe an adversary pivot, give an example, and explain its importance to intrusion analysis.
  5. Describe your analytic biases.
  6. Use the bit string 1101 to answer the following questions:
    1. The bit string when XORed with 0
    2. The decimal value of the string
    3. The string represented in hexadecimal
    4. Does this represent a printable ASCII character?  If so, which character?
  1. What is your favorite intrusion detection system?  What are its biases and limitations?
  2. Circle any of the following films you have seen: Hackers, War Games, Sneakers, Tron
  3. Describe a method to find an intruder using only network flow data (no content).
  4. Explain insertion and evasion of intrusion detection systems.  Give an example.
  5. Describe the activity detected by the following Snort rule.  What could be done to make the rule more effective?   alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg: “activity alert!”; sid:10000011; content:”MZ”;)
  6. Write a code snippet to sort the following data by the first column
10,bob
8,sally
2,suzy
3,billy
5,joey
  1. How much time/week do you spend on your own researching computer security/threat topics?  What sources do you use to maintain situational awareness on threats in the wild?
  2. What will the following code print out?  Is there a vulnerability in the code?  If so, describe the vulnerability and a potential method of exploitation.
#include
#include
int main(int argc, char *argv[])
{
   char string[40];
   strcpy(string, argv[1]);
   printf("The message was: %s\n", string);
   printf("Program completed normally!\n\n");
   return 0;
}
  1. Describe and explain any “interesting” entries in the netstat log:
Proto Local Address     Foreign Address    State
 TCP  0.0.0.0:53        0.0.0.0:0          LISTENING
 TCP  0.0.0.0:135       0.0.0.0:0          LISTENING
 TCP  0.0.0.0:445       0.0.0.0:0          LISTENING
 TCP  0.0.0.0:5357      0.0.0.0:0          LISTENING
 TCP  192.168.1.4:53    91.198.117.247:443 CLOSE_WAIT
 TCP  192.168.1.4:59393 74.125.224.39:443  ESTABLISHED
 TCP  192.168.1.4:59515 208.50.77.89:80    ESTABLISHED
 TCP  192.168.1.4:59518 69.171.227.67:443  ESTABLISHED
 TCP  192.168.1.4:59522 96.16.53.227:443   ESTABLISHED
 TCP  192.168.1.4:59523 96.16.53.227:443   ESTABLISHED
 TCP  192.168.1.4:53    208.71.44.30:80    ESTABLISHED
 TCP  192.168.1.4:59538 74.125.224.98:80   ESTABLISHED
 TCP  192.168.1.4:59539 74.125.224.98:80   ESTABLISHED
  1. A host sends out an ICMP ECHO REPLY packet.  List all of your hypotheses to explain this activity.
  2. Describe the protocol stack of the following packet and the payload. Is the packet legitimate? Why or why not?
0000  00 00 c0 9f a0 97 00 a0 cc 3b bf fa 08 00 45 10   .........;....E.
0010  00 89 46 44 40 00 40 06 72 c7 c0 a8 00 02 c0 a8   ..FD@.@.r.......
0020  00 01 06 0e 00 17 99 c5 a1 54 17 f1 63 84 80 18   .........T..c...
0030  7d 78 cc 93 00 00 01 01 08 0a 00 9c 27 34 00 25   }x..........'4.%
0040  a6 2c ff fa 20 00 39 36 30 30 2c 39 36 30 30 ff   .,.. .9600,9600.
0050  f0 ff fa 23 00 62 61 6d 2e 7a 69 6e 67 2e 6f 72   ...#.bam.zing.or
0060  67 3a 30 2e 30 ff f0 ff fa 27 00 00 44 49 53 50   g:0.0....'..DISP
0070  4c 41 59 01 62 61 6d 2e 7a 69 6e 67 2e 6f 72 67   LAY.bam.zing.org
0080  3a 30 2e 30 ff f0 ff fa 18 00 78 74 65 72 6d 2d   :0.0......xterm-
0090  63 6f 6c 6f 72 ff f0                              color..
  1. What type of encoding is used in this example: aGVsbG8gd29ybGQNCg==
  2. Who do you turn to most on technical questions?

You didn’t expect the 20th question to be here did you?  You should expect the unexpected by now.

Why Malware Numbers Don’t Matter and What it Means for Security Accounting

McAfee recently reported over 75 million new malware samples detected in 2011. This number, while shocking, no longer matters as an absolute value. It also highlights a glaring flaw in network defense philosophy.

First, this number is only calculated from all detected hashes. Any changes in the binary results in a new, unique, hash. This means that only a small change by the adversary is necessary to effect a “new” piece of malware. A simple thought experiment: if there were 75 million malware samples, each with only one byte difference between them – this method would count 75 million “unique” pieces of malware.

Second, the number alone says nothing about the threat environment. It does not illustrate the attack vectors, vulnerabilities, or exposures used by the malware; nor does it describe the danger or effectiveness of the various malware samples. Maybe there is only one piece of malware and it’s 75 million varieties are all harmless. 75 million is now a very large number signifying nothing.

However, it does matter as a relative value showing the number of unique samples over time. For example, in 2007 unique malware samples rose 565% from the previous year [from A Brief History of Malware]. The velocity of unique malware samples detected in the wild (or the slope of the line if you prefer) is clearly increasing.

Why? It means that malware authors and operators are exploiting the primary network defense practice: default allow all – the black list. Defenders are still stuck in the “allow all” mind-set to trust everything except code which does not pass certain tests or follows certain behavior. To exploit this mind-set an adversary only has to change their malware enough to bypass these filters (e.g. AntiVirus). As defenders update their blacklists/AntiVirus/firewalls, the malware authors make a small change or re-pack and re-deploy the malware bypassing the new rules/filters/etc.

For an adversary, changing their capability slightly and re-deploying is a relatively inexpensive operation – particularly with pervasive exploit kits such as BlackHole. Whereas the cost for the defender to find the new malware, develop a signature, and deploy that signature is relatively costly leaving the security accounting on the side of the adversary.

To win this battle, the defender must switch to a known-good model, or “deny all with exceptions.” Also known as the white list. However, as we have seen – this simply adds a new target for the adversary: the white list itself.

Powered by WordPress & Theme by Anders Norén