Sabtu, 24 Desember 2011

Tutorial Geek wishes you a Merry Christmas!

I want to wish everyone a Merry Christmas! I love this time of year and hope that everyone is finding joy and happiness!

On my personal blog, I just wrote about the true meaning of Christmas from a different perspective (in China). You can read it here if you would like.

Minggu, 18 Desember 2011

One liners for retrieving Windows TCP/IP and IP Address information

One liners for retrieving Windows IP Address information from Powershell v3.0:
  • gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input}}
  • gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input}} | fl *
  • gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input | Select -ea 0 IP,DHCP,DNS,WINS}}
  • gwmi -class Win32_NetworkAdapter |  % {If ($_.NetEnabled) {$input | Select Caption, Name, Speed, TimeOflastReset,Net*}}
  • gwmi -class Win32_NetworkAdapterConfiguration | % {If ($_.IPAddress -ne $null) {write "$($_.caption) $($_.IPAddress) $($_.SettingID)"}}
  • gwmi -class Win32_PerfRawData_Tcpip_NetworkInterface | % {if ($_.BytesReceivedPersec -ne 0) {write "$($_.Name) $($_.BytesReceivedPersec) $($_.BytesSentPersec)"} }
and a function for retrieve 'PropertySets' of IP information for a list of computers; provided that you can make remote Powershell connectivity work:


function Global:Show-IPinfo {
[CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
        [array]$HostList=@("localhost"),
[array]$PropertySets=@("IP","DHCP","DNS")
)
$HostList | % {

$HostIP=gwmi -computer $input -class Win32_NetworkAdapterConfiguration | 
% {if ($_.IPAddress -ne $null) {$input}}

$PropertySets | 
% {foreach ($i in ($HostIP.$input).ReferencedPropertyNames) {write "$($i) : $($HostIP.$i)"}}

}
}

Kamis, 15 Desember 2011

One of the many reasons I love Google




This is a picture of my bathroom here in China. Nothing special really (other than the fact that I moved into a really nasty apartment with a nasty bathroom). Nothing special I thought.
This is why Google is so cool.

I recently upgraded Picasa to the newest version. I decided to go through and use Picasa to organize some of my contacts with faces. It was when I was doing this that Picasa brought up this photo for me to tag. My initial response was that Picasa was crazy, but after looking at the smaller thumbnail, I realized it totally does look like a face.


I love you Google. 

Sabtu, 10 Desember 2011

FileVersionInfo Part II

# Powershell v3.0 code
#
Recurses current directory to gather file version information of a boolean property
#
Returns number of Debug,Patched,PreRelease,Private,Special builds
#
Creates csv of those properties in current directory
#
Takes up to three arguments:
#
[mandatory]$filename (e.g. *.dll),$exportflag (e.g. "0" to output csv;default is off), $filetime (default is now)

function Global:Get-fileinfo {
[CmdletBinding()]
Param(
[Parameter(ValueFromPipeline=$true)]
[object]$filename,
[bool]$exportflag=1,
$filetime=[DateTime]::Now.ToFileTime()
)

$Files=ls -Filter $filename -recurse -File
## $Files=ls -ea 0 -Filter $filename -recurse #remove '-File' to create 2.0 code. Add '-ea 0' as desired.

$FileInfo=$Files |
% {[System.Diagnostics.FileVersionInfo]::GetVersionInfo("$(($_.DirectoryName)+"\"+($_.Name))")}


$Global:DebugBuild=$FileInfo | % {if ($_.IsDebug) {$_}}
$Global:PatchedBuild=$FileInfo | % {if ($_.IsPatched) {$_}}
$Global:PrereleaseBuild=$FileInfo | % {if ($_.IsPreRelease) {$_}}
$Global:PrivateBuild=$FileInfo | % {if ($_.IsPrivateBuild) {$_}}
$Global:SpecialBuild=$FileInfo | % {if ($_.IsSpecialBuild) {$_}}

[hashtable]$Global:Report=@{
"DebugBuild" = '$DebugBuild';
"PatchedBuild" = '$PatchedBuild';
"PrereleaseBuild" = '$PrereleaseBuild';
"PrivateBuild" = '$PrivateBuild';
"SpecialBuild" = '$SpecialBuild' }

if ($exportflag -eq 0)
{
[array]$hasharray=foreach ($i in $Report){$i.Values}
foreach ($i in $hasharray) {invoke-expression $($i.trimEnd("$")) | Export-Csv -ea 0 -Path $filetime$i.csv }
}

write "Total files: $(($Files).count)"
write "Marked Debug: $(($DebugBuild).count)"
write "Marked Patched: $(($PatchedBuild).count)"
write "Marked Prerelease: $(($PrereleaseBuild).count)"
write "Marked Private: $(($PrivateBuild).count)"
write "Marked Special: $(($SpecialBuild).count)"
}

FileVersionInfo Part I

Retrieving FileVersionInfo in Powershell involves calling [System.Diagnostics.FileVersionInfo]::GetVersionInfo(). "ls ' or 'Get-childitem' has a scriptproperty named "VersionInfo" that can be used for this:



PS C:\ps1> $a=ls -recurse | % {$_.VersionInfo}


TypeName   : System.IO.FileInfo
Name       : VersionInfo
MemberType : ScriptProperty
Definition : System.Object VersionInfo {get=[System.Diagnostics.FileVersionInfo]::GetVersionInfo($this.FullName);}


System.Diagnostics.FileVersionInfo contains five boolean properties for Debug,Patched,PreRelease,Private,Special builds:


PS C:\ps1> $a | gm




   TypeName: System.Diagnostics.FileVersionInfo


Name               MemberType Definition
----               ---------- ----------
Equals             Method     bool Equals(System.Object obj)
GetHashCode        Method     int GetHashCode()
GetType            Method     type GetType()
ToString           Method     string ToString()
Comments           Property   System.String Comments {get;}
CompanyName        Property   System.String CompanyName {get;}
FileBuildPart      Property   System.Int32 FileBuildPart {get;}
FileDescription    Property   System.String FileDescription {get;}
FileMajorPart      Property   System.Int32 FileMajorPart {get;}
FileMinorPart      Property   System.Int32 FileMinorPart {get;}
FileName           Property   System.String FileName {get;}
FilePrivatePart    Property   System.Int32 FilePrivatePart {get;}
FileVersion        Property   System.String FileVersion {get;}
InternalName       Property   System.String InternalName {get;}
IsDebug            Property   System.Boolean IsDebug {get;}
IsPatched          Property   System.Boolean IsPatched {get;}
IsPreRelease       Property   System.Boolean IsPreRelease {get;}
IsPrivateBuild     Property   System.Boolean IsPrivateBuild {get;}
IsSpecialBuild     Property   System.Boolean IsSpecialBuild {get;}
Language           Property   System.String Language {get;}
LegalCopyright     Property   System.String LegalCopyright {get;}
LegalTrademarks    Property   System.String LegalTrademarks {get;}
OriginalFilename   Property   System.String OriginalFilename {get;}
PrivateBuild       Property   System.String PrivateBuild {get;}
ProductBuildPart   Property   System.Int32 ProductBuildPart {get;}
ProductMajorPart   Property   System.Int32 ProductMajorPart {get;}
ProductMinorPart   Property   System.Int32 ProductMinorPart {get;}
ProductName        Property   System.String ProductName {get;}
ProductPrivatePart Property   System.Int32 ProductPrivatePart {get;}
ProductVersion     Property   System.String ProductVersion {get;}
SpecialBuild       Property   System.String SpecialBuild {get;}


We can select for these booleans easy enough:


PS C:\ps1> $a | Select Filename,Is* | fl *| more
{ls -recurse | % {$_.VersionInfo} | Select Filename,Is* | fl *| more}


FileName       : C:\ps1\CTPv3\app.config
IsDebug        : False
IsPatched      : False
IsPrivateBuild : False
IsPreRelease   : False
IsSpecialBuild : False


FileName       : C:\ps1\CTPv3\AssemblyInfo.cs
IsDebug        : False
IsPatched      : False
IsPrivateBuild : False
IsPreRelease   : False
IsSpecialBuild : False


...



Selasa, 06 Desember 2011

Mandiant Webinar Wednesday; Help Us Break a Record!

I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011.

Register now and help Kris and me beat the attendee count from last month's record-setting Webinar.

If you have questions about and during the Webinar, you can always send them via Twitter to @mandiant and use the hashtag m_soh.

Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"

I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's Top 25 Influencers in Security You Should Be Following today is pretty cool! Tripwire is one of those technologies and companies that everyone should know. It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire. So, I was happy to see my twitter.com/taosecurity feed and the taosecurity.blogspot.com blog make their cut.

David Spark asked for my "security tip for 2012," which I listed as:

Improve your incident detection and response program by answering two critical questions:

1. How many systems have been compromised in any given time period; and

2. How much time elapsed between incident identification and containment for each system?

Use the answers to improve and guide your overall security program.


Those of you on the securitymetrics mailing list, and a few other places, have heard me speaking about this topic. I'll probably blog about it in the future, but suffice it to say that those are the key issues you should address in 2012 in my opinion.

Senin, 05 Desember 2011

Become a Hunter

Earlier this year SearchSecurity and TechTarget published a July-August 2011 issue (.pdf) with a focus on targeted threats. Prior to joining Mandiant as CSO I wrote an article for that issue called "Become a Hunter":

IT’S NATURAL FOR members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat’s behavior, and threats routinely innovate in order to evade and disrupt defensive measures.

Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider
the “self-defending network” concept to be marketing at best and counter-productive at worst. If technology and engineering aren’t the answer to security’s woes, then what is?


Download and read my article starting on page 19 for the answer! July-August 2011 issue (.pdf)

Selasa, 29 November 2011

National Public Radio Talks Chinese Digital Espionage

When an organization like National Public Radio devotes an eleven minute segment to Chinese digital espionage, even the doubters have to realize something is happening. Rachel Martin's story China's Cyber Threat A High-Stakes Spy Game is excellent and well worth your listening (.mp3) or reading time.

Rachel interviews three sources: Ken Lieberthal of the Brookings Institution, Congressman Mike Rogers (chairman of the House Intelligence Committee), and James Lewis from the Center for Strategic and International Studies.

If you listen to the report you'll hear James Lewis mention "a famous letter from three Chinese scientists to Deng Xiaoping in March of 1986 that says we're falling behind the Americans. We're never going to catch up unless we make a huge investment in science and technology."

James is referring to the so-called 863 Program (Wikipedia). You can also read directly from the Chinese government itself here, e.g.:

In 1986, to meet the global challenges of new technology revolution and competition, four Chinese scientists, WANG Daheng, WANG Ganchang, YANG Jiachi, and CHEN Fangyun, jointly proposed to accelerate China’s high-tech development. With strategic vision and resolution, the late Chinese leader Mr. DENG Xiaoping personally approved the National High-tech R&D Program, namely the 863 Program.

Implemented during three successive Five-year Plans, the program has boosted China’s overall high-tech development, R&D capacity, socio-economic development, and national security.

In April 2001, the Chinese State Council approved continued implementation of the program in the 10th Five-year Plan. As one of the national S&T program trilogy in the 10th Five-year Plan, 863 Program continues to play its important role.

1. Orientation and Objectives

Objectives of this program during the 10th Five-year Plan period are to boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena; to strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security; and to achieve “leap-frog” development in key high-tech fields in which China enjoys relative advantages or should take strategic positions in order to provide high-tech support to fulfill strategic objectives in the implementation of the third step of our modernization process.


There's more to read, but that gives you a sense of what the "letter" involves.

I hope this NPR story helps some of you realize that the China threat is not "hype." Consider Dr Lieberthal in relation to Chairman Rogers and Jim Lewis. You can decide to try to refute their positions by saying that the Chairman has "an agenda," and Mr Lewis is essentially too distant from the problem. I personally think Chairman Rogers is right on the money, but I sometimes question where Mr Lewis gets his information.

Dr Lieberthal, however, is one of the world's finest minds regarding China (Wikipedia entry), and he served in the Clinton administration. He even wrote a book on how to achieve corporate success in China (Managing the China Challenge: How to Achieve Corporate Success in the People's Republic). He is not a "China hawk" trying to start some kind of "war" with the Chinese, yet he takes the threat seriously enough to discuss the countermeasures he takes when visiting China ten times a year. Do those who doubt the China threat still believe it's all "hype"?

Sabtu, 26 November 2011

Dustin Webber Creates Network Security Monitoring with Siri

Dustin Webber just posted a really cool video called Network Security Monitoring with Siri. He shows how he uses his iPhone 4S and SiriProxy to interact with his Snorby Network Security Monitoring platform.

The following screenshot shows Dustin asking "Can you show me what the last severity medium event was?" and Siri answering.



Later he asks Siri to tell him about "incident 15":



Near the end Dustin asks Siri if she likes Network Security Monitoring:



This is just about the coolest thing I've seen all year. Ten years ago I thought it was cool to listen to Festival read Sguil events out loud -- now Dustin shows how to interact with a NSM platform by voice command. Amazing!

Trying NetworkMiner Professional 1.2

Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his NetworkMiner traffic analysis software. You can download the free edition from SourceForge as well. I first mentioned NetworkMiner on this blog in September 2008.

NetworkMiner is not a protocol analyzer like Wireshark. It does not take a packet-by-packet approach to representing traffic. Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext. To demonstrate a few of these renderings, I asked NetworkMiner to parse the sample pcap from a sample lab from TCP/IP Weapons School 2.0. I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory.

The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4.



Notice that in addition to summarizing information about traffic to and from the host, in terms of packets or sessions, we also see what NetworkMiner knows about the host, like Queried NetBIOS names, Web Browser User Agents, and so on.

The following screen capture shows the Files tab. This displays all the content that NetworkMiner extracted from the traffic to the analysis workstation hard drive (or in my case, the NetworkMiner USB thumb drive).



I think NetworkMiner is pretty cool, especially given what you can do with the free version. My primary recommendation for improvement would be an interface that allows the user to easily pivot from one piece of information to the next. With the current environment, the analyst seems confined to the tab at hand. I would like to see a way to right click on an element of the displayed information and then execute a query based on my selection. It would also be helpful to be able to right click and open associated data in another traffic analysis program like Wireshark.

Thank you to Erik Hjelmvik for the opportunity to take another look at NetworkMiner!

Rabu, 23 November 2011

Thoughts on 2011 ONCIX Report

Many of you have probably seen coverage of the 2011 ONCIX Reports to Congress: Foreign Economic and Industrial Espionage. I recommend every security professional read the latest edition (.pdf). I'd like to highlight the key findings of the 2011 version:

Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.


What's so significant about that section? The ONCIX is naming names right from the start, and concentrating squarely on China and Russia.

Contrast the 2011 approach with the 2008 report. If you search for "China" in the 2008 edition, you'll see only these sections in the main body of the report:


  • China and Russia accounted for a considerable portion of foreign visits to DOE facilities during FY 2008.

  • China continues to be a leading competitor in the race for clean coal technology.

  • The DNI Open Source Center (OSC) contributes to the CI community’s effort against
    China by monitoring foreign-language publications and Web sites for indications of
    threats and sharing this information with appropriate agencies, including law
    enforcement.



That's very different from the direct approach taken in 2011. However, if you check "Appendix B: Selected Arrests and Convictions for Economic Collection and Industrial Espionage Cases in FY 2008," in the 2008 report, you find China listed as the perpetrator of 7 of the 23 cases! So, although China has been an active threat for many years, only now is the ONCIX shining the spotlight on that country (along with Russia) as primary threats to US secrets and intellectual property.

Tao of Network Security Monitoring, Kindle Edition

I just noticed there is now a Kindle edition of my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, published in July 2004. Check out what I wrote in the first paragraphs now available online.


Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion -- a real compromise, not a simple Web page defacement -- you'll realize the security principles and systems outlined here are both necessary and relevant.

This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision.

Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.


I wrote that eight years ago, and thankfully my concept that "prevention eventually fails" (which I coined in that book) is finally gaining ground.

Selasa, 22 November 2011

Why DIARMF, "Continuous Monitoring," and other FISMA-isms Fail

I've posted about twenty FISMA stories over the years on this blog, but I haven't said anything for the last year and a half. After reading Goodbye DIACAP, Hello DIARMF by Len Marzigliano, however, I thought it time to reiterate why the newly "improved" FISMA is still a colossal failure.

First, a disclaimer: it's easy to be a cynic and a curmudgeon when the government and security are involved. However, I think it is important for me to discuss this subject because it represents an incredible divergence between security people. On one side of the divide we have "input-centric," "control-compliant," "we-can-prevent-the-threat" folks, and on the other side we have "output-centric," "field-assessed," "prevention eventually fails" folks. FISMA fans are the former and I am the latter.

So what's the problem with FISMA? In his article Len expertly discusses the new DoD Information Assurance Risk Management Framework (DIARMF) in comparison to the older DoD Information Assurance Certification and Accreditation Process (DIACAP). DIARMF is a result of the "new FISMA" emphasis on "continuous monitoring" which I've discussed before.

Len writes "DIARMF represents DoD adoption of the NIST Risk Management Framework process" and provides the diagram at left with the caption "The six major steps of Risk Management Framework aligned with the five phases of a System Development Lifecycle (SDLC)."

Does anything seem to be missing in that diagram? I immediately key on the "MONITOR Security Controls" box. As I reminded readers in Thoughts on New OMB FISMA Memo, control monitoring is not threat monitoring. The key to the "new" FISMA and "continuous monitoring" as seen in DIARMF is the following, described by Len:

Equally profound within DIARMF is the increased requirements for Continuous Monitoring activities. Each control (and control enhancement) will be attributed with a refresh rate (daily, weekly, monthly, yearly) and requisite updates on the status of each control will be packaged into a standardized XML format and uploaded into the CyberScope system where analysis, risk management, and correlation activities will be performed on the aggregate data.

Rather than checking on the security posture every three years or whatever insane interval that the old FISMA used, the new FISMA checks security posture more regularly, and centralizes posture reporting.

Wait, isn't that a good idea? Yes, it's a great idea -- but it's still control monitoring. I can't stress this enough; under the new system, a box can be totally owned but appear "green" on the FISMA dashboard because it's compliant with controls. Why? There is no emphasis on threat monitoring -- incident detection and response -- which is the only hope we have against any real adversary.

Think I'm wrong? Read Len's words on CyberScope:

CyberScope is akin to a giant federal-wide SEIM system, where high-level incident management teams can quickly pull queries or drill down into system details to add analysis on system defenses and vulnerabilities to the available intelligence on an attack. CyberScope data will also be used to track trends, make risk management decisions, and determine where help is needed to improve security posture.

If you're still not accepting the point, consider this football analogy.

Under the old system, you measured the height, weight, 40 yard dash, and other "combine" results on a player when he joined the team. You checked again three years later. You kept data on all your players but had no idea what the score of the game was.

Under the new system, you measure the height, weight, 40 yard dash, and other "combine" results on a player when he joins the team. You check again more regularly -- maybe even every hour, and store the data in a central location with a fancy Web UI. You keep data on all your players but still have no idea what the score of the game is.

Until DoD, NIST, and the other control-compliant cheerleaders figure out that this approach is a failure, the nation's computers will remain compromised.

Note: There are other problems with DIARMF -- read the section where Len says "This shakes out to easily over a hundred different possible control sets that can be attributed to systems" to see what I mean.

Sabtu, 19 November 2011

SEC Guidance Emphasizes Materiality for Cyber Incidents

Senator Jay Rockefeller and Secretary Michael Chertoff wrote the best article I've seen yet on the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC last month in their article A new line of defense in cybersecurity, with help from the SEC:

Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility...

Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events.

Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years.

This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor. It is generally understood that disclosing material breaches — such as the significant loss of a company’s intellectual property — will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. And without pressure from investors, corporate officers are less likely to change their risk-management practices.

The SEC guidance will fundamentally alter this equation by raising questions that historically have not been asked at many U.S. companies. Businesses will now have to consider, among other things, what constitutes a material cybersecurity breach and how to disclose such events to investors; how the value of intellectual property is measured; whether appropriate defenses are in place around that property; and whether risks are being appropriately mitigated, through defensive technologies or appropriate insurance coverage.
(emphasis added)

Make no mistake: this is a big deal. Until now "disclosure" laws have aimed at protecting consumers by making their PII the important aspect of a digital incident.

With the SEC guidance, we have a new audience for "disclosure" -- shareholders. The SEC is telling publicly traded companies that they have to disclose material cyber security incidents. Now the battle to define materiality will begin.

Rabu, 26 Oktober 2011

MANDIANT Webinar Friday

Join me and Lucas Zaichkowsky on Friday at 2 pm eastern as we talk about what happened at our annual MANDIANT conference, MIRCon! Registration is free and I expect you'll enjoy the discussion! We plan to review what we saw and heard, and how those lessons will help your security program.

Minggu, 23 Oktober 2011

Review of America the Vulnerable Posted

Amazon.com just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the review in its entirety below.

I've added bold in some places to emphasize certain areas.




America the Vulnerable (ATV) is one of the best "big picture" books I've read in a long while. The author is a former NSA senior counsel and inspector general, and was the National Counterintelligence Executive (NCIX). In these roles he could "watch the fireworks" (not his phrase, but one popular in the intel community) while the nation suffered massive data exfiltration to overseas adversaries. ATV explains the problem in terms suitable for those familiar with security issues and those learning about these challenges. By writing ATV, Joel Brenner accurately and succinctly frames the problems facing the US and the West in cyberspace.

In this review I'd like to highlight some of Mr Brenner's insights and commentary.

On pp 65-7 he discusses "China's Long View... China had the world's largest economy for eighteen of the past twenty centuries. The two exceptions were those of America's youth and rise to power.... Like India, China does not regard Western domination as normal, and it does not suffer from an inferiority complex. China's chief national strategic objectives are to lift its population out of poverty and reestablish its place in the international order."

On pp 68-71 he explains the problem with the binary thinking of Westerners regarding war. China does not see war as a binary issue, where one is either at peace OR at war. "This kind of ambiguity is difficult for Americans to digest. We are direct and aboveboard, and we like to think others are like us -- or would be if given half a chance... [W]e suffer from a Western misconception in our law, religion, and policy that 'peace' and 'war' are opposites that cannot occur at the same time... Many Americans cling to this view, even though war has not been declared on the planet since 1945, while there have been hundreds of organized, violent, and militarized struggles in the interim."

On pp 71-3 he reiterates my point that the consequences of digital assault from China are indeed new, as well as the assault itself. "Our companies are under constant, withering attack. After the Google heist, companies [all emphasis is original] started asking the government for help in defending themselves against nations. This was unprecedented. We are now in uncharted territory... the boundary between economic security and national security has completely disappeared... While the scope of and intensity of economic espionage have assumed startling proportions, the 'traditional' espionage assault on our national defense establishment dwarfs anything we have ever before experienced."

On pp 75-77 Mr Brenner describes instances of espionage and consequences. "[Chi Mak] is the first spy (that we know of) through whom we lost critical military secrets and who was not a government employee. He will not be the last. If further proof were required, the case thus illustrates how thoroughly the functional boundary between the private sector and the government has dissolved... In essence, the PRC is leveraging the Pentagon's R&D budget in support of its own war-making capability."

Mr Brenner focuses on Chinese espionage in ATV; the following from p 78 is a good summary: "In contrast to the Russians, who are highly professional, the PRC often enlists amateurs from among a huge pool of sympathizers."

In the middle of the book Mr Brenner concentrates on the China threat by correctly identifying that the Chinese do not want a shooting war with the US. Rather (quoting Chinese military thinkers on p 118) "the objective in warfare would not be killing or occupying territory, but rather paralyzing the enemy's military and financial computer networks and its telecommunications. How? By taking out the enemy's power system. Control, not bloodshed, would be the goal... [Continuing on pp 126-7,] The Prussian Carl von Clausewitz, and Mao after him, had called war 'politics by other means.' [Strategists] Qiao and Wang seemed to be saying the reverse: Politics -- and economics and communications and everything else -- was war by other means. And while Clausewitz had preached the doctrine of the decisive battle, Qiao and Wang said there would be no more decisive battles."

Ch 9, "Thinking About Intelligence," is one of my favorite chapters because Mr Brenner examines the role of information and intelligence agencies in the modern world. On p 196 he makes a fascinating point: "To understand the future of the private sector's role in intelligence, we don't need a crystal ball. We can just as well look backward as forward, because we are experiencing a return to a historical norm." He then argues that the private sector is developing intel capabilities rivaling the government, which was the case prior to the creation of national agencies in the 20th century. On p 209 he recommends the following: "[T]he best way to run an intelligence agency is to focus tightly on the parts of the business that are really secret and separate them from the rest. You spend more money on open-source collection and analysis, and let them happen in controlled but unclassified space. You beef up counterintelligence. And you pay much more attention to the electronic handling and dissemination of information."

In the final chapter he offers some recommendations for improvement. I liked this statement on p 216: "If you wait for the incoming danger to reach you, you won't be able to defend against it. CYBERCOM solves this problem by letting the general in charge of defending national security networks use offensive tools outside his networks in order to know what's coming. To be blunt, espionage is an essential aspect of defense. To know what's coming, we must be living inside our adversaries' networks before they launch attacks against us." Note that is the traditional role of espionage, a model which the Chinese shatter by living inside our companies' networks, solely to steal our intellectual property.

I only found one small typo on p 194: The Yom Kippur War happened in 1973, not 2003.

Overall, I really enjoyed ATV. While I don't think the suggestions for improvement in the last chapter are sufficient to mitigate the threat, several of them are a good start. I highly recommend reading ATV at your earliest opportunity!

Kamis, 13 Oktober 2011

Republican Presidential Candidates on China

(Photo: Business Insider)

This is not a political blog, so I'm not here to endorse candidates. However, I do want to point out another example of high-level policymakers discussing ongoing activities by China against the US and other developed economies.

First, the Washington Post published an editorial by Mitt Romney which included the following:

China seeks advantage through systematic exploitation of other economies. It misappropriates intellectual property by coercing “technology transfers” as a condition of market access; enables theft of intellectual property, including patents, designs and know-how; hacks into foreign commercial and government computers...

The result is that China sells high-quality products to the United States at low prices. But too often the source of that high quality is American innovations stolen by Chinese companies.


I missed this in August, but former ambassador to China Jon Huntsman said the following during a debate:

Huntsman Jr. pointed to China as a culprit in what he described as “the new war field” — cyber-intrusion as a way to steal corporate and government secrets. “Not only have government institutions been hacked into, but private individuals have been hacked, too. It’s gone beyond the pale,” Huntsman said.

The third candidate in the photo, Rick Perry, is also involved in the China debate. He's currently defending Texas' relationship with Huawei.

I'm going to be fairly strict regarding comment publishing for this post, so please be civil, nonpolitical, and relevant. Again, my point is to show that Chinese cyber campaigns are now a hot topic in political campaigns.

Selasa, 11 Oktober 2011

Bejtlich in "The expanding cyber industrial complex"

Christopher Booker interviewed me and several other policy-oriented security people for his video Financial Times story The expanding cyber industrial complex. This was a different experience for me for two reasons. First, Christopher conducted the interviews via Skype. Second, you can see what appear to be the home offices of several of the contributors, including me.

One technical note on the video: I had some trouble getting it to play. To get it working I selected another video then went back to this one.

Thank you again to Christopher Booker for the opportunity to offer my opinions.

(Bonus points to anyone who can identify the box on the shelf over my right shoulder, on the lower left side of the photo.)

Computer Incident Response Team Organizational Survey, 2011

Today at MIRCon I mentioned that one of my colleagues, Jeff Yeutter, had updated the somewhat famous CERT/CC study of CIRT characteristics as part of his degree program. Jeff posted the survey online as Computer Incident Response Team Organizational Survey, 2011 with this description:

In 2003, the CERT CSIRT Development Team (www.CERT.org) released a study on the state of international computer security incident response teams with the goal of providing "better insight into various CSIRT organizational structures and best practices" for new and existing members of the CSIRT community (Killcrece, Kossakowski, Ruefle, & Zajicek, 2003). The attached survey, a modified form of the original, will be used to update the 2003 study with a greater focus on the methods of organization used by American and international CIRTs, the tools that they employ, and how these vary across organizations of different sizes and industries.

This research is being conducted, and is independently funded, by Jeff Yeutter, Technical Sales Executive at Mandiant, as the final project for his Master's in Information Systems with a concentration in Computer Security Management at Strayer University. This survey will also be distributed to members of the Forum of Incident Response and Security Teams (www.FIRST.org) with the assistance of Richard Bejtlich, Chief Security Officer and VP, MCIRT, at Mandiant.

No identifying information is required to complete this survey. Participants may include such information if they are interested in immediately being notified of the results of the study once it is complete, or if they would like to make themselves available for follow-up questions. Any and all identifying personal or professional identifying information offered by participants will be held in strict confidence. The results of this study, minus any identifying information, may be included in a future, cost-free whitepaper.

The original CERT study from 2003 can be found at: www.cert.org/archive/pdf/03tr001.pdf

The time to complete this survey is approximately 10-15 minutes.


If you're a CIRT member and want to contribute, please consider completing the survey at Computer Incident Response Team Organizational Survey, 2011. Thank you!

Jumat, 07 Oktober 2011

Interview with One of My Three Wise Men

Tony Sager from the NSA is one of my Three Wise Men. (Dan Geer and Ross Anderson are the other two.) Eric Parizo from SearchSecurity.com interviewed Tony this week and posted the video online.

Tony notes that the escalation in threat activity during the last few years is real. He is in a position to know, given he has worked at NSA since the 1970s. Tony says the threat activity is getting people's attention now, especially at more senior levels of the government and industry. Now targeted organizations are thinking beyond the question "does this affect my company" to "does this affect my industry?"

Tony explains that a generational effect may account for the change in awareness. More senior leaders grew up with technology, so they know how to think about it. There is also more public reporting on serious security incidents today.

My favorite quote was:

"If you're not a little concerned, you haven't been paying attention."

Since Tony is Mr Reasonable, I think that's a significant statement!

Eric asked Tony for his opinion on APT, and he replied that APT isn't that useful a concept for his line of work. That's possibly because his agency uses the original intrusion set names to manage threat intelligence, rather than an unclassified, "umbrella" term for discussing threat actors in private industry. Tony did explain that the "advanced" aspect for him means conducting operations in multiple "domains," e.g., escalating to physical, non-digital attacks when necessary.

Russia v China -- Sound Familiar?

Thanks to a source who wishes to remain anonymous, I read Chinese spy mania sweeps the world, an article not from a Western publication. Rather, it's from Voice of Russia. Does any of this sound familiar?

[T]his is the most powerful secret service based on the principle of attracting all ethnic Chinese, wherever they may live. An adherent of the “total espionage” strategy, Beijing even encourages emigration in the hope that its citizens will remain loyal to and useful for their historical homeland after moving to another country...

"The history of China’s espionage activities on Russian armaments is not only limited to one precedent or one type of weapons. One of the top Chinese priorities is to produce complete replicas of Russia’s best machines and weapons, from the Sukhoi Su-33 fighter jet to missiles, aircraft carriers and so on.

This is a truly purpose-oriented strategy of a large country - snatch anything you can and reproduce it domestically," ["IT expert"] Andrei Masalovich points out.


Cynics will point out that perhaps this article is trying to deflect attention from Russia's own espionage activities. However, you can't deny that even the Russians have issues with Chinese operations.

For an example of the sorts of problems Russia is having, see this ABC News story China Still Spies the Old Fashioned Way, Russia Says:

Russia's secretive spy agency, the Federal Security Service (FSB), issued a rare statement Wednesday claiming the state had arrested a Chinese citizen who, posing as a translator for official delegations, was working under the direction of the Chinese government in an attempt to buy state secrets from Russians about Russia's S-300 missile system.

Kamis, 06 Oktober 2011

It's All About the Engines

(Photo credit: AINOnline)

I just read Big New Chinese Order for Russian Fighter Engines at China Defense Blog, which quoted AINOnline:

China has placed additional orders for Russian AL-31-series fighter engines. State arms trade agency Rosoboronexport clinched two big contracts earlier this year...

To serve them, Salut has established partnerships with Limin Corp. and Tyan Li company in Chengdu on deliveries and manufacturing of spare parts for both the AL-31F and the AL-31FN. Russia has also agreed to provide all necessary maintenance and repair documentation to the Chinese partners.


To see China treats or will treat Western aircraft and aircraft engine makers, look no further than Russia.

The comments in the CDB post pointed me to this engine comparison for the J-20, which I sometimes mention in my classes. Essentially the Chinese appear to be testing two engines on the J-20, because they are not sure if they will use a Russian-made engine (or copy) or an "indigenous" engine (which is probably a copy of someone else's technology).

House Cybersecurity Task Force Report Released

The House Cybersecurity Task Force released its report (.pdf) today. NextGov offers a good summary in their story House GOP Cyber Task Force Touts Industry Leadership by Jessica Herrera-Flanigan.

The report includes the following recommendation:

Companies, including Internet Service Providers (ISPs) and security and software vendors, are already conducting active operations to mitigate cybersecurity attacks. However, these are largely done independently according to their individual business interests and priorities. Congress should facilitate an organization outside of government to act as a clearing house of information and intelligence sharing between the government and critical infrastructure to improve security and disseminate real-time information designed to help target and defeat malicious cyber activity.

I would like something bolder, like the National Digital Security Board I proposed in 2006. Still, such a "clearing house" could evolve into an organization with the authority to investigate incidents, or at least contract an organization to conduct investigations, and then publish anonymized lessons and results.

I would find leading that organization to be a great challenge!

C-SPAN Posts Video of Tuesday Hearing

You can now access video of Tuesday's House Select Committee on Intelligence Hearing on Cybersecurity at C-SPAN.

Some people are already asking "what's new" about this. For me, what's new is that the chairman of the HPSCI is pointing his finger straight at the threat, and letting the world know in an open hearing that the adversary's actions are unacceptable and will not be tolerated. This is exactly the sort of attention and action that the threat deserves and I applaud the Chairman and HPSCI for pursuing this course.

Remember that the HPSCI is more likely to hold closed hearings than open hearings due to the nature of its classified intelligence oversight work. By conducting an open hearing, Chairman Rogers wanted to send a clear message to victims, the public, and the adversary.

Selasa, 04 Oktober 2011

Inside a Congressional Hearing on Digital Threats

Today I was fortunate to attend a hearing of the US House Permanent Select Committee on Intelligence (HPSCI). That's me on the far left of the photo, seated behind our MANDIANT CEO Kevin Mandia. I'd like to share a few thoughts on the experience.

First, I was impressed by the attitudes of all those involved with HPSCI, from the staffers to the Representatives themselves. They were all courteous and wanted to hear the opinions of Kevin and the other two witnesses (Art Coviello from RSA and Michael Hayden from the Chertoff Group), whether before, during, or after the hearing.

Second, I thought Reps Mike Rogers (R-MI, HPSCI Chairman) and C.A. Dutch Ruppersberger (D-MD, HPSCI Ranking Member) offered compelling opening statements. Rep Rogers squarely pointed the finger at our overseas adversaries. As reported by PCWorld in U.S. Lawmakers Point to China as Cause of Cyberattacks, Rep Rogers said:

"I don't believe that there is a precedent in history for such a massive and sustained intelligence effort by a government to blatantly steal commercial data and intellectual property...

China's economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy."


You can watch all of Rep Rogers' statement on YouTube as Rep. Mike Rogers criticizes Chinese economic cyber-espionage (currently 21 views -- let's increase that!)

General Hayden reinforced Rep Rogers' sentiment with this quote:

"As a professional intelligence officer, I step back in awe of the breadth, the depth, the sophistication, the persistence of the Chinese espionage effort against the United States of America."

Third, I was very pleased that this hearing was conducted in an open forum, and not behind closed doors. While I haven't found the whole hearing online or on TV yet (aside from Rep Rogers' statement and that of Rep Myrick (R-NC)), I encourage as much discussion as possible about this issue.

One of General Hayden's points was that we are not having a debate about how to address digital threats because no one agrees what the facts are. If you work counter-intrusion operations every day, or participate in the intelligence community, you know what's happening. Outside that world, you likely think "APT" and the like are false concepts. We can really only build a national approach to countering the threat if enough people know what is happening.

As more information becomes available I will likely publish it via my @taosecurity Twitter account.

Rabu, 28 September 2011

Chinese Espionage in Five Minutes

This evening I watched last week's episode of This Week in Defense News with Vago Muradian. Vago's last guest was David Wise, author of Tiger Trap. If you want to learn as much as possible about Chinese espionage in a five minute interview, I recommend watching History of China spying on U.S.. I hope this book encourages attention at the highest levels of the US government and industry.

Selasa, 27 September 2011

The Best VPN Solution

As you may, know, TutorialGeek has been all but dead for the past couple months. This is due to the fact that I have been in China and getting on Blogger has been difficult at best. I have been spending the better part of a month looking for a good VPN solution so that I can resume my blogging, but most VPN options have been annoying or frustrating.

Well; I am hoping all that will change. I have tried a few VPN services that are decent, but I soon hope to try out USAIP. Once I have tested this out, I will do a full evaluation. Hopefully it will finally provide a working solution, and I can return to posting some more Geeky posts.

Update:

Wow. Getting the Internet to work well in China is not fun or easy. I have not had any success with any free VPN.

Minggu, 25 September 2011

Review of Robust Control System Networks Posted

Amazon.com just posted my five star review of Robust Control System Networks by Ralph Langner. From the review:

I am not an industrial control systems expert, but I have plenty of experience with IT security. I read Robust Control System Networks (RCSN) to learn how an ICS expert like Ralph Langner think about security in his arena. I was not disappointed, and you won't be if you keep an open mind and remember IT security folks aren't the target audience. After reading RCSN I have a greater appreciation for the problems affecting the ICS world and how that community should address the fragility of its environment.

Impressions: The Art of Software Security Testing

I'll be honest -- on the same trip on which I took The Art of Software Security Assessment, I took The Art of Software Security Testing (TAOSST) by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. After working with TAOSSO, I'm afraid TAOSST didn't have much of a chance.

TAOSST is a much shorter book, with more screen captures and less content. My impressions of TAOSST is that it is a good introduction to "identifying software security flaws" (as indicated by the subtitle), but if you want to truly learn how to accomplish that task you should read TAOSSA.