
Tuesday, 26 June 2012

More Disclosure of Vulnerabilities in Attacker Tools

Two years ago I wrote Full Disclosure for Attacker Tools, where I wrote in part:

The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and before, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive Network Self Defense that links to an article describing Joel Eriksson's vulnerability research into Bifrost and other remote access trojans.

What's a little more interesting now is seeing Laurent Oudot releasing 13 security advisories for attacker tools. Laurent writes:

For example, we gave (some of) our 0days against known tools like Sniper Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit Pack, Neon Exploit Pack, Yes Exploit Pack...

In the post I addressed some of the issues involved, but a recent development involving the popular Poison Ivy (PI) remote administration tool (RAT) brought the debate back to life.

Today I became aware of Gal Badishi's Monday post Own And You Shall Be Owned. In the post he writes:

We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any computer, for that matter) to assume control of PI’s C&C server...

In light of this analysis, a Metasploit module without encryption is being prepared.

"C&C server" means "Command and Control server," or the system operated by an intruder to control the multitude of victim systems on which he installed PI.

On the surface it may seem cool that "good guys" can now attack "bad guy" infrastructure thanks to this research. However, I think it's important to weigh the pros and cons of this disclosure of vulnerabilities in attacker tools.

Reasons One Should Disclose Vulnerabilities in Attacker Tools

  1. Intruders already know about the vulnerabilities anyway.
  2. Good guys already know about the vulnerabilities anyway.
  3. Publicizing, and especially weaponizing (via Metasploit), this vulnerability gives good guys a way to strike back at bad guy infrastructure.
  4. "Information wants to be free." Trying to protect the info from disclosure is a losing game.
  5. If good guys didn't know about the vulnerabilities, they now can put them to work attacking intruder infrastructure for "active defense" and "research" purposes.
  6. There's no place to disclose vulnerabilities in attacker tools "responsibly" anyway.
Reasons One Should Not Disclose Vulnerabilities in Attacker Tools
  1. Not all intruders know about the vulnerabilities, or perhaps none do.
  2. By publicizing the vulnerabilities, it tips the intruders to defend their infrastructure by patching.
  3. Good guys who previously had access to the infrastructure lose access once the intruders upgrade their vulnerable software.
  4. A researcher just saved intruders time and resources by providing free software security and quality assurance services.
  5. Information doesn't have to leak. Many organizations keep secrets, even without the infrastructure of classified systems.
  6. There are several private, vetted mailing lists that do a reasonably good job keeping information confidential, while providing benefit to defenders.
I tend to think it's a bad idea to publicize vulnerabilities in intruder tools for the reasons I listed, but I see the other side as well. My biggest concern is that researchers don't weigh these issues, or give them enough thought, prior to publishing their findings. What do you think?

Wednesday, 27 July 2011

SQL Injection Challenge and Time-Based Security

Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challenge.

As stated on the challenge site, the goal is "To successfully execute SQLi against the scanning vendor demo websites and to try and evade the OWASP ModSecurity CRS." The contestants need to identify a SQL injection vector within one of four demo websites, then enumerate certain information from the target.

As also stated on the challenge page, "Winners of this level will be anyone who is able to enumerate the data listed above for each demo app without triggering an Inbound ModSecurity Alert. If ModSecurity sees any inbound attacks or outbound application defects/info leakages, it will prepend a warning banner to the top of the page."

This is interesting, but what caught my attention is the time-based security metrics describing the results of Level II of the challenge. I'll reproduce the relevant section here:

Hacking Resistance (Time-to-Hack)

Many people wrongly assume that installing a Web Application Firewall will make their sites "Hack Proof." Sadly, this is not reality. The real goal of using a web application firewall should be to gain visibility and to make your web applications more difficult to hack, meaning that it should take attackers significantly more time to hack a vulnerable web site with a WAF in front in blocking mode vs. if the WAF was not present at all.

The idea is to substantially increase the "Time-to-Hack" metric associated with compromising a site in order to allow for operational security to identify the threat and take appropriate actions...

With this in mind, we analyzed how long it took for each Level II winner to develop a working evasion for the CRS v2.2.0. We are basing this off of the correlated IP address in the logs that was tied to the final evasion payloads submitted to the ModSecurity team. We also saw that many Level II winners actually tested their payloads using the CRS Demo page so we had to correlate test payloads there as well.

Avg. # of Requests to find an evasion: 433
Avg. Duration (Time to find an evasion): 72 hrs
Shortest # of Requests to find an evasion: 118
Shortest Duration (Time to find an evasion): 10 hrs

This data shows that having active monitoring and response capabilities of ongoing web attacks is paramount as it may be only a matter of hours before a determined attacker finds a way through your defenses.

I [Ed: Ryan, not Richard] realize that there are a multitude of variables and conditions involved where people can say that these numbers are off (either too high or too low) depending on your defenses and attacker skill level. Keep in mind that this metric was obtained from the ModSecurity WAF using mainly a negative security model ruleset. The point of presenting this data, however, is to have some form of metric available for active web application monitoring and defense discussions related to exploitation timelines.


What a great use of empirical data to make a point about security! Like Ryan says, you can argue about the rating of the intruder (does 10 hours really reflect a skilled intruder?) or the defenses (is ModSecurity really sufficient?). I'd answer that those aspects of the challenge are sound enough to use as benchmarks for a certain portion of the threat community and state-of-the-practice for defenses.

Ten hours, then, represents the window of time between when an intruder would first start trying to compromise the Web app, and when he succeeded. That means the IR team has no more than 10 hours to detect the activity and take action to close the window of vulnerability. That's a tall order, but we have a metric now based on more than hand-waving that we can use to start a discussion of capabilities.
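To make the "10 hours to detect and respond" budget concrete, here is an added example (my own code, not from the challenge write-up or from ModSecurity) that applies the time-based security idea to a constructed log excerpt: for each client it measures how long the WAF took to raise its first inbound alert after that client's first request, adds an assumed response time for the IR team, and compares the sum with the observed time-to-hack. The log format and the IP addresses are constructed for the example; the 10-hour and 72-hour figures are the ones reported above.

```python
from datetime import datetime

# Figures reported in the ModSecurity SQLi Challenge Level II write-up.
SHORTEST_TIME_TO_HACK_HRS = 10.0
AVG_TIME_TO_HACK_HRS = 72.0

# Constructed sample log (not real ModSecurity output): timestamp, client, event.
# "request" is any inbound request; "inbound-alert" is the WAF flagging an attack.
SAMPLE_LOG = """\
2011-07-20T08:00:00 203.0.113.7 request
2011-07-20T08:02:11 203.0.113.7 request
2011-07-20T09:15:42 203.0.113.7 inbound-alert
2011-07-20T14:30:00 203.0.113.7 inbound-alert
2011-07-20T10:00:00 198.51.100.9 request
2011-07-21T02:00:00 198.51.100.9 inbound-alert
"""


def parse_events(text):
    """Parse log lines into (timestamp, client, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, event = line.split()
        events.append((datetime.fromisoformat(ts), client, event))
    return events


def detection_lag_hours(events):
    """Per client: hours from first request to first inbound alert (None if never alerted)."""
    first_seen, first_alert = {}, {}
    for ts, client, event in events:
        first_seen.setdefault(client, ts)
        if event == "inbound-alert":
            first_alert.setdefault(client, ts)
    lags = {}
    for client, seen in first_seen.items():
        alert = first_alert.get(client)
        lags[client] = None if alert is None else (alert - seen).total_seconds() / 3600
    return lags


def exposure_assessment(lag_hours, response_hours, time_to_hack_hours=SHORTEST_TIME_TO_HACK_HRS):
    """Time-based security check: defense holds only if detection + response < time-to-hack.

    response_hours is an assumed IR figure supplied by the caller, not a value from the page.
    """
    if lag_hours is None:
        return {"exposed": True, "margin_hours": None}
    margin = time_to_hack_hours - (lag_hours + response_hours)
    return {"exposed": margin <= 0, "margin_hours": margin}


def assess_log(text, response_hours):
    """Run the full check over a log excerpt and return one assessment per client."""
    lags = detection_lag_hours(parse_events(text))
    return {c: exposure_assessment(l, response_hours) for c, l in lags.items()}


if __name__ == "__main__":
    for client, result in assess_log(SAMPLE_LOG, response_hours=4.0).items():
        print(client, result)
```

With an assumed four-hour response time, the first client is detected after about 1.26 hours and the defense holds with several hours to spare; the second client is not flagged for 16 hours, which already exceeds the 10-hour shortest time-to-hack before any response even begins.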

On a related note, this is the sort of activity that a red team could undertake to simulate threat action and identify IR team effectiveness.

Sunday, 20 June 2010

Full Disclosure for Attacker Tools

The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and before, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive Network Self Defense that links to an article describing Joel Eriksson's vulnerability research into Bifrost and other remote access trojans.

What's a little more interesting now is seeing Laurent Oudot releasing 13 security advisories for attacker tools. Laurent writes:

For example, we gave (some of) our 0days against known tools like Sniper Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit Pack, Neon Exploit Pack, Yes Exploit Pack...

If you're not familiar with these sorts of tools, see an example described by Brian Krebs at A Peek Inside the ‘Eleonore’ Browser Exploit Kit.

Why release these advisories?

It's time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues.

I agree with the concept, but not necessarily with releasing "advisories" for attacker tools. Laurent claims these are "0days". This would imply the developers of these attacker tools did not know about the vulnerabilities. By publishing advisories, attackers now know to fix them. Assuming "customers" heed the advisories and update their software, this process has now denied security researchers and others who conduct counter-intruder operations access to attacker sites. This is tactically counterproductive from a white hat point of view.

On the other hand, developers of these attacker tools might already know about the vulnerabilities, and might have already patched them. In this case, publishing advisories is more about creating some publicity for Laurent's new company and for his talk last week. (Did anyone see it?)

I like the idea of taking the fight to the enemy. Security researchers are already penetrating attacker systems to infiltrate botnet command and control servers and do other counter-intruder operations. These activities increase the black hat cost to conduct intrusions, and the more resources the attackers have to divert to defending their own infrastructure, the fewer resources they can direct at compromising victims.

However, disclosing details of vulnerabilities in attacker tools is likely to not work in the white hat's favor. White hats are bound by restrictions like laws and rules that black hats routinely break. Announcement of a vulnerability in the Eleonore exploit kit is not going to unleash a wave of activity against black hats like announcement of a vulnerability in Internet Explorer. It's likely that the few researchers and others wearing white hats will not learn much from a public announcement due to their independent research, while mass-targeting attackers (who historically are not great developers themselves) will disproportionately benefit from the disclosure.

What do you think? Should white hat researchers publish security advisories for black hat tools?

Sunday, 21 June 2009

Offense and Defense Inform Each Other

If you've listened to anyone talking about the Top 20 list called the Consensus Audit Guidelines recently, you've probably heard the phrase "offense informing defense." In other words, talk to your Red Team / penetration testers to learn how they can compromise your enterprise in order to better defend yourself from real adversaries.

I think this is a great idea, but there isn't anything revolutionary about it. It's really just one step above the previous pervasive mindset for digital security, namely identifying vulnerabilities. In fact, this neatly maps into my Digital Situational Awareness ranking. However, if you spend most of your time writing policy and legal documents, and not really having to deal with intrusions, this idea probably looks like a bolt of lightning!

And speaking of the Consensus Audit Guidelines: hey CAG! It's the year 2000 and the SANS Top 20 List wants to talk to you!

The SANS/FBI Top Twenty list is valuable because the majority of successful attacks on computer systems via the Internet can be traced to exploitation of security flaws on this list...

In the past, system administrators reported that they had not corrected many of these flaws because they simply did not know which vulnerabilities were most dangerous, and they were too busy to correct them all...

The Top Twenty list is designed to help alleviate that problem by combining the knowledge of dozens of leading security experts from the most security-conscious federal agencies, the leading security software vendors and consulting firms, the top university-based security programs, and CERT/CC and the SANS Institute.


Expect at some point to hear Beltway Bandits talking about how we need to move beyond talking to the Red Team and how we need to see who is actively exploiting us. Guess what -- that's where the detection and response team lives. Perhaps at some point these "thought leaders" will figure out the best way to defend the enterprise is through counterintelligence operations, like the police use against organized crime?

For now, I wanted to depict that while it is indeed important for offense to inform defense, the opposite is just as critical. After all, how is the Red Team supposed to simulate the adversary if it doesn't know how the adversary operates? A good Red Team can exploit a target using methods known to the Red Team. A great Red Team can exploit a target using methods known to the adversary. Therefore, I created an image describing how offense and defense inform each other. This assumes a sufficiently mature, resourced, and capable set of security teams.



This post may sound sarcastic but I'm not really bitter about the situation. If we keep making progress like this, in 3-5 years the mindset of the information security community will have evolved to where it needed to be ten years ago. I'll keep my eye on the Beltway Bandits to let you know how things proceed.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Monday, 08 June 2009

Counterintelligence Options for Digital Security

As a follow-up to my post Digital Situational Awareness Methods, I wanted to expand on the idea of conducting counterintelligence operations, strictly within the digital security realm. I focus almost exclusively on counter-criminal operations, as opposed to actions against nation-states or individuals.

Those of you who provide security intelligence services (SIS), or subscribe to those services, may recognize some or all of these. By SIS I am not talking about vulnerability notices repackaged from other sources.

Note that some of these approaches can really only be accomplished by law enforcement, or by collaboration with law enforcement. Even taking a step into the underground can be considered suspicious. Therefore, I warn blog readers to not try implementing these approaches unless you are an experienced professional with the proper associations. The idea behind this post is to explain what could be done to determine what one sort of adversary (primarily the criminal underground) knows about your organization. It obviously could be extended elsewhere but that is not the focus of this post.

  1. See who is selling or offering to sell your information or access to your information. This approach is similar to identifying places where credit cards or personally identifiable information are sold. Stepping into the underground and seeing where your company is mentioned is one way to estimate how prevalent your data might be outside your control. This is a passive approach.

  2. Solicit the underground for your organization's data or for access to your organization. By taking this step you ask if anyone would be able to provide stolen data or access to the organization. This is a dangerous step because it may motivate the underground to go looking for data. On the other hand, if your data is freely available you're simply unearthing it. This is the first of the active approaches.

  3. Penetrate adversary infrastructure. By this step I mean gaining entry or control of command-and-control channels or other mechanisms the adversary uses to exploit victim organizations. Security intelligence services do this all the time, but gaining access to a server owned by another organization is fairly aggressive.

  4. Infiltrate the adversary group. An underground organization usually functions as a team. It might be possible to infiltrate that group to learn what it knows about your organization. Acting with law enforcement would be the only real way to more or less "safely" accomplish this task.

  5. Pose as an individual underground member. In this capacity, other criminals with access to your organization's data might come to you. This is exceptionally dangerous too and would only be done in collaboration with law enforcement.


None of these steps are new; you can review success stories posted by the FBI and other organizations to know they work. However, I post them here to reinforce that asset-centric mindset and not just the vulnerability-centric mindset in digital security.



Thursday, 07 May 2009

Thoughts on Cyber Command

I've been blogging about various cyber command proposals for a few years, but right now there is some real movement at the combatant command level. Ellen Nakashima's article Cyber-Command May Help Protect Civilian Networks offers the latest details.

The Pentagon is considering whether to create a new cyber-command that would oversee government efforts to protect the military's computer networks and would also assist in protecting the civilian government networks, the head of the National Security Agency said yesterday [Tuesday].

The new command would be headquartered at Fort Meade, the NSA's director, Lt. Gen. Keith B. Alexander, told the House Armed Services terrorism subcommittee.

Alexander, who is a front-runner to assume control of the command if it is created, said its focus would be to better protect the U.S. military's computers by marrying the offensive and defensive capabilities of the military and the NSA.

Through the command, the NSA would also provide technical support to the Department of Homeland Security, which is in charge of protecting civilian networks and helps safeguard the energy grid and other critical infrastructure from cyber-attack, Alexander said.

He stressed that the NSA does not want to run or operate the civilian networks, but help Homeland Security improve its efforts...

As proposed by the Pentagon, the command would fall under the U.S. Strategic Command, which is tasked with defending against attacks on vital interests.


The highlighted sections reinforce number 2 of my Predictions for 2008 made in December 2007. A few months prior I argued that the US Needs Cyber NORAD.

The written testimonies are posted on the U.S. House of Representatives, House Armed Services Committee Web site.

The new Cyber Command will most likely be a subordinate unified command under US Strategic Command.

I'd like to briefly respond to Robert Graham's post Why Cyber Commands Fail. He says in part:

What the military wants is a hacker squad that they can give a specific objective, and have the hackers carry out that objective within a specific timeframe. For example, they might tell hackers to take out Iran's radar at midnight so that fighter jets can enter their airspace a few minutes later to bomb their nuclear plants. That's not going to work.

What you could do is tell hackers to go after Iran and do whatever they can to disrupt their nuclear developments. One hacker might find a way to shut down safety controls and cause a nuclear meltdown, another might jam the centrifuges, another might change the firmware on measuring equipment to incorrectly measure the concentration of U238.

Or, you could give the hackers six months to infiltrate Iran's computers, then come back with a list of options. Maybe disabling the radar system will be one of them, maybe not. But that's not the sort of thing the military is tasked to do - that's more an intelligence operation the CIA would be doing...

China and Russia understand this. They don't directly employ hackers or tell the hackers to accomplish certain goals. They let the hackers have free range to do whatever they want. If the hackers come across something interesting, such as plans for the Joint Strike Fighter, the government buys it, but no government official ever told the hackers specifically to steal those plans...

So how can the United States get in on this sort of asymmetric warfare action?

The first thing is that you have to stoke some sort of nationalism in the way that Russia and China do. I'm not sure this is in our character (especially under the current president), however, so we'd probably have to find some alternative. Instead of pro-USA nationalism we could instead focus on human rights activism. The government could spend a lot of time talking to the press about the sorts of human rights abuses that go on in Russia and China. Get our own USA hackers thinking about human rights as their own casus belli.

The second thing they need to do is create a climate where our own hackers can operate. I would gladly hack into Iranian computers, but I'm not sure how this fits into US law...

This would be similar to the "letters of marque and reprisal" used by governments during the 1700s. In those days, national navies were too small to patrol the entire ocean. Therefore, governments licensed privateers to prey upon a hostile nation's shipping. The privateers kept half the booty, and gave the other half to their respective government. This is essentially what China and Russia have done.

A third thing our military would need to do is train our hackers in the target language. Foreign hackers usually learn English, but American hackers rarely learn foreign languages, especially Russian, Chinese, or Farsi (Iranian). If we want to encourage our hackers to go after those countries in the same way they come after us, we need to encourage them to learn those languages...

The fourth thing our military would need to do is fix their horrid purchasing processes...

Note that I think the individuals who run our military are very, very smart. I've met several generals and colonels who understand this. The problem is that while individuals are smart, the organization is dumb as a rock. The organization crushes precisely the sort of creative thinking needed to have a successful "cyber" offensive capability.


Robert has a lot of good ideas here. In Air Force Cyber Panel I talked about a clash of models between the United States and places like China. On the one hand we have a military-industrial complex supported by a vast contracting force vs a country with a true "people's army," containing uniformed military, semi-military, and pure civilians who work with the others to achieve broadly common goals.

I don't think we will ever see any official support for the privateer concept. China doesn't even recognize their own people's involvement in hacking, since they frequently repeat the line that "China doesn't support hacking."

The major benefit I see from a Cyber Command is providing a career path and organizational support for military personnel. Until that exists many people who would want to be in the military doing cyber operations will reach a point where leaving their service is their best option.



Saturday, 13 December 2008

Indian Navy Demonstrates that Offense Stops Pirates

Clearly the Indian Navy doesn't understand vulnerability-centric security. If they did, they wouldn't have captured 23 pirates "who tried to take over a merchant vessel in the Gulf of Aden, between the Horn of Africa and the Arabian Peninsula." They also wouldn't have "exchanged fire with a pirate "mother vessel" off the hijacking-plagued Horn of Africa, leaving the ship ablaze." Someone needs to teach these Indian sailors that the best way to stop pirates is to "build security in" when merchants construct ships!

I guess the Indians read my Offense Kills Pirates post. Maybe they decided to Take the Fight to the Enemy. Whatever the reason, good for them. Instead of commercial shippers being the only party suffering higher costs in this piracy environment (due to losses, higher insurance, increased salaries, etc.), now it's more expensive for pirates too.

Yo ho ho, pirates. We're coming for you soon. When will we take the same attitude to cyber pirates?*

*Note: I don't mean those the RIAA/MPAA calls "pirates."


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Monday, 03 November 2008

The Best Cyber-Defense...

I've previously posted Taking the Fight to the Enemy and Taking the Fight to the Enemy, Revisited. I agreed with sentiments like the following, quoted in my posts:

The best defense against cyberattacks on U.S. military, civil and commercial networks is to go on the offensive, said Marine Gen. James Cartwright, commander of the Strategic Command (Stratcom), said March 21 in testimony to the House Armed Services Committee.

“History teaches us that a purely defensive posture poses significant risks,” Cartwright told the committee. He added that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests...”


I found this idea echoed in the book Enemies: How America's Foes Steal Our Vital Secrets--and How We Let It Happen by Bill Gertz which I mentioned in Counterintelligence: Worse Than Security?. The author argues that the best way to protect a nation's intelligence from enemies is to attack the adversary's intelligence services. In other words, conduct aggressive counterintelligence to find out what the enemy knows about you. When you know what the enemy knows about you, you fight a more informed battle. You may even be able to alter his perception of you, and avoid a fight altogether.

I think Joe Stewart's latest post, Tracking Gimmiv, illustrates this point very well. Joe isn't a .mil or .gov operative, so he can't bomb anyone or put them in jail. He can conduct research operations, however, to learn the truth about the enemy's capabilities. Joe writes:

On October 23, 2008, Microsoft released an out-of-cycle emergency patch for a flaw in the Windows RPC code. The reason for this unusual occurrence was the discovery of a “zero-day” exploit being used in the wild by a worm (or trojan, depending on how you look at it). The announcement of a new remote exploit for unpatched Windows systems always raises tension levels among network administrators. The fact that this one was already being used by a worm evoked flashbacks of Blaster and Sasser and other previous threats that severely impacted the networked world.

But, unlike these past worms, Gimmiv turned out to have infected scarcely any networks at all...

Because of some mistakes made by the author(s) of Gimmiv, third parties were able to download the logfiles of the Gimmiv control server. Although most of the data in the logs is AES-encrypted, we were able to find the key hardcoded in the Gimmiv binary and decrypt the data.

Although it has been reported that Gimmiv is a credential-stealing trojan, this functionality is actually not used - the gathered data is never sent. What is sent is simply basic system information, such as the Windows version, IP and MAC address, Windows install date/time and the default system locale. Using this data we were able to track exactly how many computers had been infected prior to October 23rd (after this time infection counts are somewhat skewed due to malware researchers all over the world investigating Gimmiv). As it turns out, only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008...

Additionally, a zip file left behind on one of the control servers contained Korean characters in the compressed folder name. For these two reasons, we believe Gimmiv’s author is probably from South Korea.
(emphasis added)


Joe took the fight to the enemy. This is what most malware researchers do; they infiltrate the adversary's systems to figure out what is happening. This isn't a task for novices, but it does yield excellent results.

Joe's work isn't strictly counterintelligence, since he is probably not opposing a foreign intelligence service. Speaking of counterintelligence, I noticed this August article New Unit of DIA Will Take the Offensive On Counterintelligence about the Defense Counterintelligence and Human Intelligence Center:

The Defense Intelligence Agency's newly created Defense Counterintelligence and Human Intelligence Center is going to have an office authorized for the first time to carry out "strategic offensive counterintelligence operations," according to Mike Pick, who will direct the program...

In strategic offensive counterintelligence operations, a foreign intelligence officer is the target, and the main goals most often are "to gather information, to make something happen . . . to thwart what the opposition is trying to do to us and to learn more about what they're trying to get from us," [Toby] Sullivan [director of counterintelligence for James R. Clapper Jr., the Undersecretary of Defense for Intelligence] said.
(emphasis added)

I found the transcript of the news conference contained this section mentioning cyber:

Q: Could you talk about the threats that you guys are sort of arrayed against? I’m thinking China has got to be high on your list. They seem to be in the news a lot for particularly defense technology, espionage. And I’m wondering where you fit into the whole cyber initiative that seems to be – so could you just talk about those and other things that you’re particularly focused on?

MR. SULLIVAN: The cyber initiative – there are other parts of the department that are responsible for protecting the IT systems of the department. The counterintelligence role in that – and we do have a role – is to provide some analysis and then, quite frankly, from an offensive capability, it provides us another venue to perhaps engage the enemy. But we don’t have a role in protecting the systems, if you will. There are other folks in the department that do that. As far as the threats, we had the Cold War threats and we have the today threats. There hadn’t been a whole lot of change over the last 20 or 30 years.


It will be interesting to (not) see how this new organization develops.

Friday, 16 May 2008

Offense Kills Pirates

I just finished watching a great program on my favorite channel (The History Channel) called True Caribbean Pirates. It traces the story of piracy in the Caribbean from the 16th through the early 18th centuries. I was mostly interested in learning how the great powers of the day dealt with this problem, since I blogged about modern Pirates in the Malacca Strait and 18th and 19th century pirates off the Barbary Coast.

If many modern information security practitioners had been tasked with protecting commerce in the face of piracy, they would probably have bought ever more elaborate but largely ineffective defensive measures.

Instead, the royal navies of the area decided to hunt down pirates and hang them. Sure, the pirates continued their raids for a long time, but eventually the main players (England, France, Spain, Holland) stopped warring amongst themselves and directed their offensives against the pirates.

We're not going to see any fundamental changes in information security until those we elect to protect our rights rise to the task and go on the offensive. Private companies (especially modern ones) aren't in a position to "strike back" against threats -- that's the role for the police and militaries of the world. It's time to kill some pirates, not leave "critical infrastructure protection" to the "private sector."

For related thoughts please see last year's post Taking the Fight to the Enemy Revisited.

Friday, 11 April 2008

More Aggressive Network Self-Defense

Some of you might remember this book from my 2005 review. I thought of it after reading Security Guru Gives Hackers a Taste of Their Own Medicine. From the article:

Malicious hackers beware: Computer security expert Joel Eriksson might already own your box.

Eriksson, a researcher at the Swedish security firm Bitsec, uses reverse-engineering tools to find remotely exploitable security holes in hacking software. In particular, he targets the client-side applications intruders use to control Trojan horses from afar, finding vulnerabilities that would let him upload his own rogue software to intruders' machines.

He demoed the technique publicly for the first time at the RSA conference Friday.


You might remember a similar story from Def Con 2005:

New research released at the DefCon conference suggests that not only is it important to apply patches to fix security flaws in commonly used computer software, but that patch installation is important for the very tools hackers and security professionals frequently use to break into (or test the security of) computer networks.

According to new findings by the venerable hacker ninjas known as the Shmoo Group, some of the most popular tools used by hackers and security professionals to infiltrate and test the security of targeted networks contain serious flaws that defenders could use to turn the tables on hackers.


Three years ago in my post about ANSD I wrote:

I disagree with the strike-back idea, as I believe it steps over the line into vigilante justice.

I'm less sure about that now. In the three years that have passed, security has gotten worse, government ability to deter and/or defeat intruders has not improved, and intruders have become more sophisticated. If we continue to sit on our hands waiting for the cavalry to arrive, it will be too late. (It already is too late for most companies anyway; they're owned.)

Disruption of the command-and-control mechanisms used to control compromised hosts is not something I recommend for everyone, but it would certainly push some attackers off-balance. They would suddenly start to incur some of the same costs that defenders spend on trying to develop more secure software. I think it's time for some of us to consider these offensive techniques.

Incidentally, the ActiveResponse.org site I mentioned in 2005 appears to be collecting links to papers and studies on active response.

Sunday, 21 October 2007

Counterintelligence and the Cyber Threat

Friday I attended an open symposium hosted by the Office of the National Counterintelligence Executive (ONCIX). It was titled Counterintelligence and the Cyber Threat and featured speakers and panels from government, law enforcement, industry, legal, and academic organizations. I attended as a representative of my company because our CSO, Frank Taylor, participated in the industry panel.

If you're not familiar with the term counterintelligence, let me reproduce a section from the ONCIX Web site:

Counterintelligence is the business of identifying and dealing with foreign intelligence threats to the United States. Its core concern is the intelligence services of foreign states and similar organizations of non-state actors, such as transnational terrorist groups. Counterintelligence has both a defensive mission — protecting the nation's secrets and assets against foreign intelligence penetration — and an offensive mission — finding out what foreign intelligence organizations are planning to better defeat their aims.

I also recommend reading the National Counterintelligence Strategy of the United States, 2007 (.pdf) which states:

Our adversaries -- foreign intelligence services, terrorists, foreign criminal enterprises and cyber intruders -- use overt, covert, and clandestine activities to exploit and undermine US national security interests. Counterintelligence is one of several instruments of national power that can thwart such activities, but its effectiveness depends in many respects on coordination with other elements of government and with the private sector.

During the Cold War, our nation's adversaries gained access to vital secrets of the most closely guarded institutions of our national security establishment and penetrated virtually all organizations of the US intelligence and defense communities. The resulting losses produced grave damage to our national security in terms of secrets compromised, intelligence sources degraded, and lives lost, and would have been catastrophic had we been at war.
(emphasis added)

Minor note 1: if we were not at war during the "Cold War," then why is it called a "War"? I believe the people who died fighting would call it a war.

Minor note 2: foreign intelligence services, terrorists, and foreign criminal enterprises are all specific parties. "Cyber intruders" are more often one of those previous parties. Those who perform digital attacks but do not fall into one of those three categories are usually script kiddies or recreational hackers, and should not be explicitly mentioned as counterintelligence targets. My guess is the report considers cyber-instantiated threats to be serious enough to somehow mention explicitly, but not enough intellectual rigor was applied to this sentence (like the Cold War section).

Major note: does the section about penetrating virtually all organizations of the US intelligence and defense communities surprise you? When I attended Air Force intelligence school in 1996-1997, one of our first instructors said:

"Most, if not all of the classified material you will see in your career has already been compromised. However, we have to act as if it's not."

I remember thinking "What?!?" With hindsight, the more I hear about spies found inside government agencies, the more I understand that statement.

I found the symposium fascinating, so I'd like to share a few thoughts. Dr. Joel Brenner, the National Counterintelligence Executive, provided plenty of noteworthy comments. He said that counterintelligence is not security.

  • A security person sees a hole in a fence and wants to patch it.

  • A CI person sees a hole in a fence and wants to understand who created it, how it is being abused, and if it can be turned into an asset to use against the adversary.


Dr. Brenner said about 140 foreign intelligence surveillance organizations currently target the United States. Three strategic issues are at play:

  1. Threats to sovereign (US) networks, especially in the cyber domain. Dr. Brenner said "There is growing acceptance that we face a cyber counterintelligence problem, not a security problem." I agree with this, and will have more to say about it in a future blog entry. He stressed alteration (integrity) attacks, rather than disclosure or destruction attacks, as the major problem facing US networks.

  2. Acquisition risk, i.e., supply chain risks. Dr. Brenner said we need technically literate lawyers and policymakers to address these risks.

  3. Collaboration, or the lack thereof. Dr. Brenner noted that our current "cooperation model" is a function of our "classification model," resulting in an antiquated system that serves no one well.


One of the most interesting comments was this:

Industry talks risk management but they really do risk acceptance, not risk mitigation.

How true that is!

Chris Inglis, Deputy Director of the NSA and a fellow USAFA grad, used a term I liked with regard to fighting the cyber adversary. He said we need to outmaneuver the adversary, not solve security problems. I love this because it implies "security" can't be "solved," and it provides a reason to review maneuver warfare as a way to counter the adversary.

John McClurg, Vice President for security at Honeywell, described his "validated data" approach to obtaining business buy-in for security initiatives. He collects data to support a security program and presents it to managers as a means to justify his work. This sounds a lot like showing evidence that a business unit is owned or about to be owned. I like this idea and my work with NSM would help provide such data.

Scott O’Neal, Chief Computer Intrusion Section, Cyber Division, FBI, said "The adversary is clearly ahead of security. This is a fact we have to accept." This echoes statements I made earlier this year and at other times. The FBI addresses intrusions through three points of view: CT (counterterrorism), CI (counterintelligence) and criminal.

I'll have more to say on this subject in the months ahead.

Wednesday, 18 April 2007

Threat Advantages

My post Fight to Your Strengths listed some of the advantages a prepared enterprise might possess when facing an intruder. I thought it helpful to list a few advantages I see for intruders.

  • Initiative: By virtue of being on the offensive, intruders have the initiative. Unless threats are being apprehended, prosecuted, and incarcerated, intruders are free to pick the victim, the time and nature of the attack, the means of command and control (if desired), and many other variables. Defenders can limit the enemy's freedom of maneuver, but the intruder retains the initiative.

  • Flexibility: Intruders have extreme flexibility. Especially on targets where stealth is not a big deal, intruders can experiment with a variety of exploitation and control tools and tactics. Defenders, on the other hand, have to take special care when applying patches, performing memory- or host-based forensics, and other administrative duties. Defenders have to conform to organizational policies and user demands. Intruders (to the degree they don't want to be noticed) are much freer.

  • Asymmetry of Interest: This may be controversial, but in my experience intruders are much more interested in gaining and retaining control (or accomplishing their mission, whatever it is) than defenders may be in stopping the attack. A dedicated attacker can inflict damage, withdraw for two weeks while defenders scramble to assess and repair, and then return when "incident fatigue" has degraded the incident response team and system administrators. Defenders usually have a lot on their plate besides incident handling, whereas intruders can be obsessively focused on attacking and controlling a target.

  • Asymmetry of Knowledge: This may also be controversial, but skilled intruders (not script kiddies) may know more about target software and applications than some of the developers who write them, never mind the administrators who deploy them. This is especially true of incident handlers, who are supposed to be "experts in everything," but are lucky to at least be "conversant" in victimized applications and systems. Often the first time security staff learn of a new service is when that service is compromised.


Notice these last two intruder strengths come from having the flexibility to decide what to attack. This is particularly true of targets of opportunity. When an incident involves a specific target, the playing field may be more level. The intruder has to exploit whatever is available, not that in which he or she may have specialized experience.

Again, comments with other ideas are appreciated.

Update: From Hackers get free reign to develop techniques says Microsoft security chief:

"Part of the picture is bleak. In the online world, cyber criminals can do their research for as long as they want in absolute security and secrecy then when they're done they can take their exploit, find a way to automate it and post it on a Web site where thousands or millions of other criminals can download it," said Scott Charney, vice president of Trustworthy Computing at Microsoft, in Redmond, Wash...

Charney, speaking at the Authentication and Online Trust Alliance Summit, said that technology and procedures for defeating online attacks and finding hackers has advanced by leaps and bounds since his days at the Department of Justice in the 1990s. But, he added that in some respects the fight against online criminals is not a fair one. The attackers have all the time in the world, the cooperation of other hackers and a virtually limitless number of potential targets. Law enforcement agents, meanwhile, are governed by strict guidelines and in many cases are hampered by a lack of available data once a crime has been committed.

Another challenge for security specialists and law enforcement is the patchwork of state and federal laws in the United States, and the lack of any cybercrime laws in a number of foreign countries. Given the global nature of cybercrime and the fact that hackers often attack systems in a number of different countries at once, these hurdles can often stop promising investigations before they really get started.

Fight to Your Strengths

Recently I mentioned the History Channel show Dogfights. One episode described air combat between fast, well-turning, lightly-armored-and-gunned Japanese Zeroes and slower, poor-turning, heavily-armored-and-gunned American F6F Hellcats. The Marine Top Gun instructor/commentator noted the only way the Hellcat could beat the Zero was to fight to its strengths and not fight the sort of battle the Zero would prefer. Often this meant head-to-head confrontations where the Hellcat's superior armor and guns would outlast and pummel the Zero.

When I studied American Kenpo in San Antonio, TX, my instructor Curtis Abernathy expressed similar sentiments. He said "Make the opponent fight your fight. Don't try to out-punch a boxer. Don't try to out-kick a kicker. Don't try to wrestle a grappler." And so on.

I thought about these concepts today waiting in another airport. I wondered what sorts of strengths network defenders might have, and if we could try forcing the adversary into fighting our fight and not theirs.

Here are some preliminary thoughts on strengths network defenders might have, and how they can work against intruders.

  • Knowledge of assets: An intruder pursuing a targeted, server-side attack will often try to locate a poorly-configured asset. The act of conducting reconnaissance to locate these assets results in the opponent fighting your fight -- if you and/or your defensive systems possess situational awareness. It is not normal for remote hosts to sweep address space for active hosts or individual hosts for listening services. Defenders who manually or automatically take defensive actions when observing such actions can implement blocks that will at least frustrate the observed source IP.

  • Knowledge of normal behavior: An intruder who compromises an asset will try to maintain control of that asset. This may take the form of an outbound IRC-based command-and-control channel, an inbound or outbound encrypted channel, or many other variations. To the extent that the intruder does not use a C&C channel that looks like normal behavior for the victim, the intruder is fighting your fight. Whenever you constrain network traffic by blocking, application-aware proxying, and throttling, you force the intruder into using lanes of control that you should architect for maximum policy enforcement and visibility.

  • Diversity: Targets running Windows systems or PHP-enabled Web applications are much more likely to be compromised and manipulated by intruders. Attack tools and exploits for these platforms are plentiful and well-understood by the enemy. If you present a different look to the intruder, you are making him fight your fight. An intruder who discovers a target running an unknown application on an unfamiliar OS is, at the very least, going to spend some time researching and probing that target for vulnerabilities. If you possess situational awareness, diversity buys time for defensive actions.

  • Situational awareness: A well-instrumented network will possess greater knowledge of the battlespace than an intruder. A network architected and operated with visibility in mind provides greater information on activity than one without access to network traffic. Unless the intruder implements his own measures to expand his visibility (compromising a switch to enable a SPAN port, controlling a router, etc.), the defender will know more about the scope of an attack than the intruder. Of course, the intruder will have absolute knowledge of his activities because he is executing them, possibly via an encrypted channel.


These are some initial ideas recorded in an airport. I may augment them as time permits.

Notice that if you don't know your assets or normal behavior, if you run the same vanilla systems as the rest of the world, and you don't pay attention to network activity, you have zero strengths in the fight beyond (hopefully) properly configured assets. We all have those, right?

At the risk of involving myself in a silly debate, I'd like to briefly mention how these factors affect the decision to run OpenSSH on a nonstandard port. Apparently several people with a lot of free time have been vigorously arguing that "security through obscurity" is bad in all its forms, period. I don't think any rational security professional would argue that relying only upon security through obscurity is a sound security policy. However, integrating security through obscurity with other measures can help force an intruder to fight your fight. Here's an example.

I'm sure you've seen many brute force login attacks against OpenSSH services over the past year or two. I finally decided I'd seen enough of these on my systems, so I moved sshd to nonstandard ports. Is that security through obscurity? Probably. Have I seen any more brute force attacks against sshd since changing the port? Nope. As far as I'm concerned, a defensive maneuver that took literally 5 seconds per server has been well worth it. My logs are not filling with records of these attacks. I can concentrate on other issues.

Now, what happens if someone really takes an interest in one or more of my servers? In order to find sshd, he needs to port scan all 65535 TCP ports. That activity is going to make him fight my fight, because scanning is way outside the normal profile for activity involving my servers. Will he eventually find sshd? Yes, unless my systems automatically detect the scan and block it. Are there ways to make the intruder's ability to connect to sshd even more difficult? Sure -- take a look at Mike Rash's Single Packet Authorization implementation (fwknop). The bottom line is that a defensive action which cost me virtually nothing has increased the amount of work the intruder must perform to attack sshd.
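The "Knowledge of assets" bullet above and the sshd paragraph here rest on the same check: one source touching many hosts, or many ports on one host, inside a short window is outside the normal profile, and so is a run of sshd login failures from one source. The script below is an added example, not code from the original post, that runs exactly that logic over a handful of constructed connection-log lines and produces the block list the post talks about. The log format, the RFC 5737 documentation addresses, the action names (SYN, AUTH_FAIL), the window sizes and the thresholds are all assumptions chosen for the demonstration and are not taken from any real sensor.

```python
# Added example, not code from the original post.  Log format, addresses,
# action names, window sizes and thresholds are all assumptions for the demo.
import re
from collections import Counter, defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses).  SYN = inbound
# connection attempt; AUTH_FAIL = sshd rejected a login (sshd listens on 2222 here).
SAMPLE_LOG = """\
2007-04-18T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=22 action=SYN
2007-04-18T10:00:02 src=203.0.113.5 dst=192.0.2.11 dport=22 action=SYN
2007-04-18T10:00:03 src=203.0.113.5 dst=192.0.2.12 dport=22 action=SYN
2007-04-18T10:00:04 src=203.0.113.5 dst=192.0.2.13 dport=22 action=SYN
2007-04-18T10:05:00 src=198.51.100.7 dst=192.0.2.20 dport=21 action=SYN
2007-04-18T10:05:00 src=198.51.100.7 dst=192.0.2.20 dport=22 action=SYN
2007-04-18T10:05:01 src=198.51.100.7 dst=192.0.2.20 dport=25 action=SYN
2007-04-18T10:05:01 src=198.51.100.7 dst=192.0.2.20 dport=80 action=SYN
2007-04-18T10:05:02 src=198.51.100.7 dst=192.0.2.20 dport=443 action=SYN
2007-04-18T10:05:02 src=198.51.100.7 dst=192.0.2.20 dport=2222 action=SYN
2007-04-18T10:10:00 src=203.0.113.77 dst=192.0.2.20 dport=2222 action=AUTH_FAIL
2007-04-18T10:10:03 src=203.0.113.77 dst=192.0.2.20 dport=2222 action=AUTH_FAIL
2007-04-18T10:10:06 src=203.0.113.77 dst=192.0.2.20 dport=2222 action=AUTH_FAIL
2007-04-18T10:10:09 src=203.0.113.77 dst=192.0.2.20 dport=2222 action=AUTH_FAIL
2007-04-18T10:20:00 src=198.51.100.200 dst=192.0.2.20 dport=443 action=SYN
this line is malformed and is skipped by the parser
"""

Event = namedtuple("Event", "ts src dst dport action")
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\S+)$")

def parse_log(text):
    """Parse log text into time-ordered Events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["src"],
                                m["dst"], int(m["dport"]), m["action"]))
    return sorted(events, key=lambda e: e.ts)

def sliding_distinct(events, group, key, window, threshold):
    """Per group(e) stream, count distinct key(e) values inside a sliding
    `window`; return {group: peak count} where the peak reached `threshold`."""
    streams = defaultdict(list)
    for e in events:
        streams[group(e)].append(e)
    hits = {}
    for g, stream in streams.items():
        recent, seen = deque(), Counter()
        for e in stream:  # already time-ordered
            recent.append(e)
            seen[key(e)] += 1
            while e.ts - recent[0].ts > window:  # expire events outside the window
                old = recent.popleft()
                seen[key(old)] -= 1
                if seen[key(old)] == 0:
                    del seen[key(old)]
            if len(seen) >= threshold:
                hits[g] = max(hits.get(g, 0), len(seen))
    return hits

def detect_host_sweeps(events, window=timedelta(seconds=60), threshold=4):
    """One source touching many distinct hosts: an address-space sweep."""
    syns = [e for e in events if e.action == "SYN"]
    return sliding_distinct(syns, lambda e: e.src, lambda e: e.dst, window, threshold)

def detect_port_scans(events, window=timedelta(seconds=60), threshold=6):
    """One source touching many distinct ports on one host: a port scan,
    which is exactly what locating a relocated sshd requires."""
    syns = [e for e in events if e.action == "SYN"]
    return sliding_distinct(syns, lambda e: (e.src, e.dst), lambda e: e.dport,
                            window, threshold)

def detect_ssh_bruteforce(events, window=timedelta(seconds=300), threshold=4):
    """Repeated sshd login failures from one source, whatever port sshd uses."""
    failures = defaultdict(list)
    for e in events:
        if e.action == "AUTH_FAIL":
            failures[e.src].append(e.ts)  # already time-ordered
    hits = {}
    for src, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits

def build_blocklist(events):
    """Map each offending source to the reasons it earned a block."""
    reasons = defaultdict(list)
    for src, n in detect_host_sweeps(events).items():
        reasons[src].append(f"swept {n} hosts")
    for (src, dst), n in detect_port_scans(events).items():
        reasons[src].append(f"scanned {n} ports on {dst}")
    for src, n in detect_ssh_bruteforce(events).items():
        reasons[src].append(f"{n} sshd login failures")
    return dict(reasons)

if __name__ == "__main__":
    for src, why in build_blocklist(parse_log(SAMPLE_LOG)).items():
        print(f"block {src}: {'; '.join(why)}")
```

Two caveats before wiring anything like this to a firewall. Your own vulnerability scanners and monitoring hosts will trip the sweep and scan detectors, so exempt them explicitly. And a block keyed on the source address of a single SYN is spoofable: an attacker can send SYNs with a forged source to make you block addresses you need, so act on completed connections or on a stream of evidence, not on one packet.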

If I knew my action to change sshd's port could be discovered by the intruder with minimal effort (perhaps they have visibility of the change via illicit monitoring) then obscurity has been lost and the change is not worthwhile.

As a final thought, it's paramount to consider cost when making security decisions. If altering the sshd port had required buying new software licenses, hardware, personnel training, etc., it would not have been worth the effort.

I would be interested in hearing your thoughts on ways to get the intruder to fight your fight. These are all strictly defensive measures, since offense is usually beyond the rules for most of us.

Thursday, 05 April 2007

Taking the Fight to the Enemy Revisited

I just read Bruce Schneier's essay Security Matters: Vigilantism Is a Poor Response to Cyber Attack. He's commenting on the news I discussed in Taking the Fight to the Enemy:

As reported in Federal Computer Week, Cartwright said: "History teaches us that a purely defensive posture poses significant risks," and that if "we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests..."

Of course, the general is correct. But his reasoning illustrates perfectly why peacetime and wartime are different, and why generals don't make good police chiefs.

A cyber-security policy that condones both active deterrence and retaliation -- without any judicial determination of wrongdoing -- is attractive, but it's wrongheaded, not least because it ignores the line between war, where those involved are permitted to determine when counterattack is required, and crime, where only impartial third parties (judges and juries) can impose punishment.

In warfare, the notion of counterattack is extremely powerful. Going after the enemy -- its positions, its supply lines, its factories, its infrastructure -- is an age-old military tactic. But in peacetime, we call it revenge, and consider it dangerous. Anyone accused of a crime deserves a fair trial. The accused has the right to defend himself, to face his accuser, to an attorney, and to be presumed innocent until proven guilty...

I'm glad General Cartwright thinks about offensive cyberwar; it's how generals are supposed to think. I even agree with Richard Clarke's threat of military-style reaction in the event of a cyber-attack by a foreign country or a terrorist organization. But short of an act of war, we're far safer with a legal system that respects our rights.
(emphasis added)

I think Bruce is wrong on two counts. The first requires you to decide if you think the United States is currently engaged in "cyberwar." I think we are close enough to cyberwar to authorize deterrence and offensive activities. The FCW article Bruce cites also said the following:

The Stratcom commander told the committee that the United States is under widespread, daily attacks in cyberspace. He added that the country lacks dominance in the cyberdomain and that it could become “increasingly vulnerable if we do not fundamentally change how we view this battle space.” (emphasis added)

The term I highlighted is important and it may not be significant to those without .mil experience. Dominance of the battlespace is a tenet of American warfare. It's the reason we are very good at obliterating enemies (and probably less good at rebuilding them). (Note: please spare me any political responses here. I am not trying to make a political statement. I am speaking based on wearing a uniform for 11 years and the doctrine and training associated with that experience.)

For example, various states of control describe how the Air Force views warfare in the aerospace domain:

  • Air parity: control of the skies only above friendly troop positions

  • Air superiority: control whereby friendly forces can act without prohibitive interference by the opposing force

  • Air supremacy: a degree of air superiority wherein the opposing air force is incapable of effective interference


Based solely on open source threat reports (open source meaning in the press and unclassified, not OSI licensed!), the Air Force (and the entire .mil/.gov) doesn't even have "air parity." This means we are losing the battle in a domain that the Air Force, military, and national security apparatus considers crucial. The Air Force and DoD are acting because we do not even have control of our own "airspace." I'm looking forward to seeing what the Air Force Cyberspace Command does later this year when activated.

The second reason Bruce is wrong involves his excessively pacifist attitude. He says "going after the enemy... in peacetime [is] revenge." This is not true. Police forces routinely run sting operations, raid suspected crystal meth labs, and undertake plenty of other offensive actions to remove threats before they continue to perpetrate their crimes. Police also patrol the streets, projecting force and control and deterring crimes.

While I agree that the military is not a police force, the military is currently the only force with the ability to take the fight to the enemy. Police forces are barely able to address a limited number of defensive investigations. They have zero capability to run anything other than "to catch a predator"-type sting operations.

The bottom line is we are losing the battle in cyberspace and something has to change. We cannot code, block, or patch our way out of this situation.

Friday, 23 March 2007

Taking the Fight to the Enemy

ShmooCon started today. ShmooCon leader Bruce Potter finished his opening remarks by challenging the audience to find anyone outside of the security community who cares about security. I decided to take his idea seriously and I thought about it on the Metro ride home.

It occurred to me that the digital security community fixates on vulnerabilities because that is the only aspect of the Risk Equation we can influence. Lines of business control assets, so we can't decrease risk by making assets less valuable. (That doesn't even make sense.) We do not have the power or authority to remove threats, so we can't decrease risk by lowering the attacks against our assets. (Threat mitigation is the domain of law enforcement and the military.) We can only address vulnerabilities, but unless we develop the asset ourselves we're stuck with whatever security the vendor provided.

I would like to hear if anyone can imagine another realm of human endeavor where the asset owner or agent is forced to defend his own interests, without help from law enforcement or the military. The example can be historical, fictional, or contemporary. I'm reminded of Wells Fargo stagecoaches being robbed as they crossed the West, forcing WF to hire private guards with guns to defend company assets in transit. As a fictional example, Sherlock Holmes didn't work for Scotland Yard; victims hired the Great Detective to solve crimes that the authorities were too slow or unwilling to handle.

As I've said many times before, we are wasting a lot of time and money trying to "secure" systems when we should be removing threats. I thought of this again last night while watching Chris Hansen work with law enforcement to take more child predators off the streets. Imagine if I didn't have law enforcement deterring and jailing criminals like that. I'd have to wrap my kids in some sort of personal tank when I send them to school, and they'd still probably end up in harm's way. That's the situation we face on the Internet. There's no amount of bars over windows, high fences, or other defenses that will stop determined intruders. Removing or deterring the intruders is history's lesson.

This FCW article has the right idea:

The best defense against cyberattacks on U.S. military, civil and commercial networks is to go on the offensive, Marine Gen. James Cartwright, commander of the Strategic Command (Stratcom), said March 21 in testimony to the House Armed Services Committee.

“History teaches us that a purely defensive posture poses significant risks,” Cartwright told the committee. He added that if “we apply the principle of warfare to the cyberdomain, as we do to sea, air and land, we realize the defense of the nation is better served by capabilities enabling us to take the fight to our adversaries, when necessary, to deter actions detrimental to our interests...”

The Stratcom commander told the committee that the United States is under widespread, daily attacks in cyberspace. He added that the country lacks dominance in the cyberdomain and that it could become “increasingly vulnerable if we do not fundamentally change how we view this battle space.”


Put me in, coach. I'm ready to play, today.

Thursday, 27 April 2006

Analog Security is Threat-Centric

If you were to walk past a dark alley at night, I doubt you would want to enter it. You could imagine all sorts of nasty encounters that might deprive you of property, limb, or life. Yet, few people can imagine the sorts of danger they encounter when using a public PC terminal, or connecting to a wireless access point, or visiting a malicious Web site with a vulnerable browser.

This is the problem with envisaging risk that I discussed earlier this week. Furthermore, security in the analog world is much more threat-centric. If I'm walking near or in a dark alley, and I see a shady character, I sense risk. I don't walk down the street checking myself for vulnerabilities, ignoring the threats watching me. ("Exposed neck? Could get hurt there. Bare hands? Might get burnt by acid." Etc...)

It seems like the digital security model is like an unarmed combatant in a war zone. Survivability is determined solely by vulnerability exposure, the attractiveness of one's assets to a threat, and any countermeasures that might disrupt threats.

In the analog world, one can employ a variety of tactics to improve survivability. Avoiding risky areas is the easiest, but let's assume one has to enter dangerous locations. A potential victim could arm himself, either using a weapon or martial arts. He could travel in groups, hire a bodyguard, or enlist the police's aid.

The term "hack-back" crops up in the digital scenario. This is really not a useful approach, because hacking the system attacking you does absolutely nothing to address the real threat -- the criminal at the keyboard.

In the analog world, consider the consequences for "hacking back." If you shoot an assailant, you'll have to explain yourself to the police or potentially a court of law. You probably can't shoot someone for simply being on your property, but you can if they threaten or try to harm you.

On a related note, we need some means to estimate threat level in a systematic, repeatable manner. When I say "threat" I mean threat, not vulnerability. Something like a system of distributed honeypots with distinct configurations might be helpful. Time-to-exploit for a given patch set might be tracked. I know the Honeynet Project periodically issues reports on how long it takes to 0wn a box, but it might be neat to see this in a regular, formal manner.

Monday, 19 December 2005

Defense Seldom Wins Wars

In preparation for my career as an Air Force intelligence officer, I studied history at the US Air Force Academy. Since then I have enjoyed lectures produced by The Teaching Company, like Famous Romans. One of the lessons I have taken from this course is that defense seldom (if ever) wins wars. I was reminded of this lesson when I read Tom Ptacek's post " The Only Defense Is A Good Defense."

Tom is replying to my post where I said the following:

"I also do not agree [with SANS.edu] that 'knowledge... is the only defense to the growing threat.' The best defense is a strong offense. That means hunting down and prosecuting threats. No amount of defense can sufficiently protect any moderately complex enterprise against determined intruders."

Tom disagrees and says that "Firewalls", "IT and Network Security teams", and "Vulnerability Research" have "done the most to improve security over the last 5 years." If we consider the risk equation to be something like "Risk = Threat X Vulnerability X Asset value", we must realize that Tom's points all address the vulnerability side of the equation. Applying countermeasures to the vulnerability aspect of the risk equation leaves the threat component untouched.

When the attacker is allowed freedom of maneuver, the defender will lose. The side with the initiative has the superior position, unless the defenses are so insurmountable that attack is more costly than defense. Let's return to the Famous Romans lecture for a moment. Prior to the rule of the emperor Hadrian, the Roman Empire had pursued an expansionist foreign policy. Rome had lost many battles to its neighbors, but those neighbors essentially remained on the defensive. They feared Rome would invade, conquer, and eliminate them (at worst).

When Hadrian became emperor in 117 AD, he changed Rome's foreign policy. He decided to consolidate the empire's borders. His most famous action was the building of Hadrian's Wall, separating England from Scotland. The wall was the ultimate statement of defense, as it sought to keep barbarians separated from Roman cities like London.

In some respects, this ultimate defensive maneuver was a success; London flourished. However, the building of the wall signalled weakness to Rome's enemies. Instead of being seen as a statement of strength, it was interpreted by the barbarians as a sign that the Romans would not seek to conquer them. Rome looked weak, not strong. Within a century Rome would come under increasing barbarian attack, and the remaining shell of the western "empire" was formally overthrown in 476 AD.

Now, you might say that defense can prove superior to offense. You might cite trench warfare of the late 19th century, and the horror of World War I. In those cases, it is true that the weapons possessed by each side were so horribly destructive that attacks were fruitless and bloody endeavors. However, the arrival of the tank and over a million US troops changed the equation. Offensive action eventually won WWI for the allies.

A particularly clever historian might say the Cold War was won by defense. Some argue the US out-spent, or had the capability to out-spend, Soviet Russia. That is true. Another factor was President Reagan's plan to build the Strategic Defense Initiative (SDI, or "Star Wars"). SDI changed the security situation for the Soviets. The security paradigm of "mutually assured destruction" held that seeking to wipe out the enemy was a worthless action. Once the enemy detected missile launches, he could reply with his own volley. Both sets of missiles would wipe out each side's weapons, leaving neither with an advantage to leverage in a post-exchange world.

SDI altered this nuclear attack outcome. With SDI deployed, the US could potentially preserve some of its weapons for a second round of attacks. This second round gave the US superiority over its Soviet opponent. Suddenly a nuclear war became "winnable," as insane as that sounds. In this case, then, defense was important, but only to preserve the weapons of offense.

In the final analysis, what makes you feel safer -- a lack of criminals on your street, or iron bars on your windows?

Tuesday, 13 December 2005

SANS.edu Open for Business

Thanks to the latest SANS NewsBites, I learned that the SANS (TM) Institute (popularly called "SANS") has announced the opening of the SANS Technology Institute, a true .edu. SANS.edu will offer two masters of information science degrees, in (1) security management and (2) security engineering. The majority of each program involves attending SANS tracks, like SEC 504: Hacker Techniques, Exploits, and Incident Handling or MGT 524: Security Policy and Awareness.

Government Computer News and Federal Computer Weekly provide additional details.

The Knowledge for Peace motto on the logo seems a little "crunchy" to me. Here is part of an explanation:

"Cyber violence in its multiple forms at all levels of the Internet is a major problem. One large ISP averages 1,000 DDOS attacks per day. Although arrests and prosecutions for worm writers and malicious employees who harm their current or former employers' IT systems have increased, the threat level has also increased. Organized crime has been rapidly moving into phishing, the fastest growing crime segment. The path we are on does not lead to peace or security in cyberspace.

The Latin word scientia, the root of our word for science, means knowledge, which is the only defense to the growing threat. If we do not know how to harden systems, manage change, design networks and ensure that software is developed securely, we remain vulnerable to Internet predators."

I do not buy the concept of "cyber violence" in the context of attacks by intruders. (Cyber violence is a term usually reserved for attacks against children facilitated by Internet access.) I also do not agree that "knowledge... is the only defense to the growing threat." The best defense is a strong offense. That means hunting down and prosecuting threats. No amount of defense can sufficiently protect any moderately complex enterprise against determined intruders.

Does anyone plan to pursue either of the two SANS.edu degrees?

Friday, 08 April 2005

Review of Aggressive Network Self-Defense Posted

Amazon.com just posted my four star review of Aggressive Network Self-Defense. From the review:

"Aggressive Network Self-Defense (ANSD) is another innovative Syngress book. It leaps beyond the theories of digital self-defense initially proposed by Tim Mullen in 2002. Tim tried to justify using 'neutralizing agents' to disable malicious processes (like Code Red or Nimda) on infected hosts attacking one's enterprise. ANSD does not speak of neutralizing agents in the eight fictional cases that comprise the bulk of the book, but those chapters make for thought-provoking reading."

Tim Mullen's SecurityFocus.com articles on strike-back include The Right to Defend and Strikeback, Part Deux. His Defending your right to defend: Considerations of an automated strike-back technology is also online.

I disagree with the strike-back idea, as I believe it steps over the line into vigilante justice. It is telling that Tim's papers all pre-date the Welchia worm, which demonstrated how dangerous strike-back can really be. You'll remember the devastating ICMP traffic caused by Welchia as it searched for live machines for purposes of disabling the Blaster worm.

My review mentions that three of the chapters in the second part of the book are already online. In addition to Tim's works, you'll find Dan Kaminsky's MD5 To Be Considered Harmful Someday (.pdf) and Sensepost's When the tables turn: A discussion paper on passive strike-back (.doc) online.

Update: The author of chapter 9 (Sergio Caltagirone) started a blog a few weeks ago -- activeresponse.org.