Saturday, 30 January 2010

Two Dimensional Thinking and APT

I expect many readers will recognize the image at left as representing part of the final space battle in Star Trek II: The Wrath of Khan. During this battle, Kirk and Spock realize Khan's tactics are limited. Khan is treating the battle like it is occurring on the open seas, not in space. Spock says: "He is intelligent, but not experienced. His pattern indicates two-dimensional thinking." I thought this quote could describe many of the advanced persistent...

Example of Threat-Centric Security

In my last post I mentioned the need to take threat-centric approaches to advanced persistent threat. No sooner had I posted those thoughts than I read this: Beijing 'strongly indignant' about U.S.-Taiwan arms sale. The Obama administration announced the sale Friday of $6 billion worth of Patriot anti-missile systems, helicopters, mine-sweeping ships and communications equipment to Taiwan in a long-expected move that sparked an angry protest from...

Mandiant M-Trends on APT

If you want to read a concise yet informative and clue-backed report on advanced persistent threat, I recommend completing this form to receive the first Mandiant M-Trends report. Mandiant occupies a unique position with respect to this problem because they are one of only two security service companies with substantial counter-APT consulting experience. You may read blog posts and commentary from other security service providers who either 1)...

Wednesday, 27 January 2010

Review of Professional Penetration Testing Posted

Amazon.com just posted my three-star review of Professional Penetration Testing by Thomas Wilhelm. From the review: I had fairly high hopes for Professional Penetration Testing (PPT). The book looks very well organized, and it is published in the new Syngress style that is a big improvement over previous years. Unfortunately, PPT should be called "Professional Pen Testing Project Management." The vast majority of this book is about non-technical...

Tuesday, 26 January 2010

Energy Sector v China

The aftershocks of Google v China continue to rumble as more companies are linked to the advanced persistent threat. Mark Clayton from the Christian Science Monitor wrote a story titled US oil industry hit by cyberattacks: Was China involved? I found these excerpts interesting. At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new...

Monday, 25 January 2010

Look Beyond the Exploit

The post One Exploit Should Not Ruin Your Day by Dino Dai Zovi made me think: "Finally, the larger problem is that it only took one exploit to compromise these organizations. One exploit should never ruin you day. [sic]" No, that is wrong. The larger problem is not that it "only took one exploit to compromise these organizations." I see this mindset in many shops who aren't defending enterprises on a daily basis. This point of view incorrectly focuses...

Sunday, 24 January 2010

Review of Network Maintenance and Troubleshooting Guide, 2nd Ed Posted

Amazon.com just posted my five-star review of Network Maintenance and Troubleshooting Guide, 2nd Ed by Neal Allen. From the review: Good network troubleshooting books are rare. TCP/IP Analysis and Troubleshooting Toolkit by Kevin Burns (2003), Troubleshooting Campus Networks by Priscilla Oppenheimer and Joseph Bardwell (2002), and Network Analysis and Troubleshooting by Scott Haugdahl (1999) come to mind. Network Maintenance and Troubleshooting Guide...

Submit Questions for OWASP Podcast

Jim Manico invited me to speak on the OWASP Podcast. If you'd like me to try answering specific questions, please email them to podcast at owasp.org. When the show is posted I will let everyone know here. Thank y...

Friday, 22 January 2010

Sguil 0.7.0 on Ubuntu 9.10

Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubleshoot, explained below. First notice that tcl8.4 and tk8.4 are already installed on Ubuntu 9.10.

richard@janney:~$ dpkg --list | grep -i tcl
ii tcl8.4 8.4.19-3 Tcl (the Tool Command Language) v8.4 - run-t
ii tk8.4 8.4.19-3...

Attribution Using 20 Characteristics

My post Attribution Is Not Just Malware Analysis raised some questions that I will try to address here. I'd like to cite Mike Cloppert as inspiration for some of this post. Attribution means identifying the threat, meaning the party perpetrating the attack. Attribution is not just malware analysis. There are multiple factors that can be evaluated to try to attribute an attack. Timing. What is the timing of the attack, i.e., fast, slow, in groups,...

Thursday, 21 January 2010

Help Bro Project with Short Survey

I've written about Bro before, and I noticed the following mailing list post titled Poll: Bro deployments: "Hello Sites Using Bro, We'd like to ask for your help. We're in the process of preparing a major funding proposal for improving Bro, focused on: improving the end-user experience (things like comprehensive documentation, polishing rough edges, fixing bugs); and improving performance." This looks like a potentially excellent opportunity. However,...

Attribution Is Not Just Malware Analysis

In a recent Tweet I recommended reading Joe Stewart's insightful analysis of malware involved in Google v China. Joe's work is stellar as always, but I am reading more and more commentary that shows many people don't have the right frame of reference to understand this problem. In brief, too many people are focusing on the malware alone. This is probably due to the fact that the people making these comments have little to no experience with the...

Wednesday, 20 January 2010

Is APT After You?

Jeremiah Grossman made the following request via Twitter today: "@taosecurity blog post request. Signs that an individual or organization is or may be an APT target. + other threat naming conventions" Tough but great questions. I better answer, or Jeremiah will find me and apply Brazilian Jiu Jitsu until I do. Let me take the second question first. As I mentioned in Real Threat Reporting in 2005, "Titan Rain" became the popular term for one "intrusion...

Review of Inside Cyber Warfare Posted

Amazon.com just posted my three-star review of Jeff Carr's Inside Cyber Warfare. From the review: Jeff Carr is a great digital security intelligence analyst and I've been fortunate to hear him speak several times. We've also separately discussed the issues he covers in Inside Cyber Warfare (ICW). While I find Jeff's insights very interesting and valuable, I think his first book could have been more coherent and therefore more readable. I believe...

Monday, 18 January 2010

Bejtlich Teaching at Black Hat EU 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. After Black Hat DC comes Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration: Super early ends 1 Feb; Early ends 1 Mar; Regular ends 1 Apr; Late ends 11 Apr; Onsite starts at the...

Saturday, 16 January 2010

What Is APT and What Does It Want?

This has been the week to discuss the advanced persistent threat, although some people are already telling me Google v China with respect to APT is "silly," or that the attack vectors were what everyone has been talking about for years, and were somewhat sloppily orchestrated at that. I think many of these critics are missing the point. As is often the case with sensitive issues, 1) those who know often can't say and 2) those who say often don't...

Why Google v China is Different

I've been reading various comments on the Google v China issue. One caught my eye: Security experts say Google cyber-attack was routine. "This wasn't in my opinion ground-breaking as an attack. We see this fairly regularly," said Mikko Hypponen, of security firm F-Secure. "Most companies just never go public," he added. In some ways this comment is true, and in other ways I think it can mislead some readers. I believe it is true in the sense that many...

Security Team Permissions

Every so often I receive questions from blog readers. The latest centered on the following question: What level and extent should a security team and investigators be allowed to operate without having to ask for permission? This is an excellent question, and as with most issues of authority it depends on the organization, its history, culture, purpose, and people. From the perspective of the security team, I tend to want as much access as is required...

Thursday, 14 January 2010

Friday is Last Day to Register for Black Hat DC at Reduced Rate

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left: Regular ends 15 Jan; Late ends 30 Jan; Onsite starts at the conference. Seats...

Tuesday, 12 January 2010

Why Would APT Exploit Adobe?

After reading this statement from Adobe, they seem to be using the same language that described the Google v China incident: "Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident." Let's assume, due to language and news timing, that it's...

Has China Crossed a Line?

I'm wondering if China has crossed a line with its Google hack. It's relatively easy for the Obama administration to pretend that nothing's amiss when it's playing politics with the Chinese government. But when an American company that was just named "word of the decade" proclaims to the world that it is being exploited by Chinese intruders, can the President turn a blind eye to that? This could be the first publicity-driven incident (i.e., something...

Mechagodzilla v Godzilla

After posting Google v China I realized this is a showdown like no other. In my experience, no one "ejects" the advanced persistent threat. If you think they are gone, it's either 1) because they decided to leave or 2) you can't find them. Now we hear Google is the latest victim. Google is supposed to be a place where IT is so awesome and employees so smart that servers basically run themselves, and Google's HR has to leave some of the other...

Google v China

It's been a few months since I mentioned China in a blog post, but this one can't be ignored. Thanks to SW for passing me this one: Google Blog: A New Approach to China. "In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google... First, this attack was not just on Google. As part of our investigation we have discovered...

Thursday, 07 January 2010

Happy 7th Birthday TaoSecurity Blog

Today, 8 January 2010, is the 7th birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2542 posts (averaging 363 per year) later, I am still blogging. I don't have any changes planned here. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, and FreeBSD when appropriate. I especially...

Sunday, 03 January 2010

Excerpts from Randy George's "Dark Side of DLP"

Randy George wrote a good article for InformationWeek titled The Dark Side of Data Loss Prevention. I thought he made several good points that are worth repeating and expanding. "[T]here's an ugly truth that DLP vendors don't like to talk about: Managing DLP on a large scale can drag your staff under like a concrete block tied to their ankles." This is important, and Randy explains why in the rest of the article. "Before you fire off your first scan to...