Scalable Infrastructure vs Large Problems, or OpenDNS vs Conficker

After seeing Dan Kaminsky's talk at Black Hat DC last month, I blogged about the benefits of DNS' ability to scale to address big problems like asset management records. I've avoid talking about Conficker (except for yesterday) since it's all over the media.

Why mention DNS and Conficker in the same post? All of the commotion about Conficker involves one variant's activation of a new domain generation algorithm on 1 April. Until today no one had publicly announced the reverse engineering of the algorithm, but right now you can download a list of 50,014 domains that one Conficker variant will select from when trying to phone home starting 1 April. Some of the domains appear to be pre-empted:

$ whois aadqnggvc.com.ua
% This is the Ukrainian Whois query server #B.
% Rights restricted by copyright.
%

% % .UA whois
% Domain Record:
% =============
domain:     aadqnggvc.com.ua
admin-c:    CCTLD-UANIC
tech-c:     CCTLD-UANIC
status:     FROZEN-OK-UNTIL 20090701000000
dom-public: NO
mnt-by:     UARR109-UANIC (ua.admin)
remark:     blocked according to administrator decision
changed:    CCTLD-UANIC 20090320144409
source:     UANIC

Others appear ready for registration:

~$ whois aafkegx.co.uk

    No match for "aafkegx.co.uk".

    This domain name has not been registered.

    WHOIS lookup made at 00:56:31 31-Mar-2009

Keep in mind that another 50,000 domains will be generated on 2 April, and so on. With such a big problem, what could we do to contain this malware?

OpenDNS is a possible answer:

OpenDNS has kept our users safe from Conficker for the past several months by blocking the domains it uses to phone home...

The latest variant of Conficker is now churning through 50,000 domains per day in an attempt to thwart blocking attempts. Consider this: at any given time we have filters that hold well over 1,000,000 domains (when you combine our phishing and domain tagging filters). 50,000 domains a day isn’t going to rock the boat.

So here’s our update: OpenDNS will continue to identify the domains, all 50,000, and block them from resolving for all OpenDNS users. This means even if the virus has penetrated machines on your network, its rendered useless because it cannot connect back to the botnet.

That's one advantage of outsourcing your Internet DNS to a third party. They have the resources to integrate the latest threat intelligence and the position to do something to protect users.

This is a great example of scalable infrastructure (DNS) vs large problems (Conficker).

Finally, you've probably heard about the Conficker Know Your Enemy paper and associated upgraded scanning tools, like Nmap 4.85BETA5 and the newest Nessus check. I can't wait to see the results of tools like this. It could mark one of the first times we could fairly easily generate a statistic for the percentage of total assets compromised, similar to steps 8 and 9 from my 2007 post Controls Are Not the Solution to Our Problem. In other words, you can scan for Conficker and determine one score of the game -- the percentage of hosts compromised by one or more Conficker variants. The question is, how long until those controlling Conficker update the code to resist these remote, unauthenticated scans?

---

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

Read More

NSM vs The Cloud

A blog reader posted the following comment to my post Network Security Monitoring Lives:

How do you use NSM to monitor the growing population of remote, intermittently connect mobile computing devices? What happens when those same computers access corporate resource hosted by a 3rd party such as corporate SaaS applications or storage in the cloud?

This is a great question. The good news is we are already facing this problem today. The answer to the question can be found in a few old principles I will describe below.

• Something is better than nothing. I've written about this elsewhere: computer professionals tend to think in binary terms, i.e., all or nothing. A large number of people I encounter think 'if I can't get it all, I don't want anything." That thinking flies in the face of reality. There are no absolutes in digital security, or analog security for that matter. I already own multiple assets that do not strictly reside on any single network that I control. In my office I see my laptop and Blackberry as two examples.
  
  Each could indeed have severe problems that started when they were connected to some foreign network, like a hotel or elsewhere. However, when the obtain Internet access in my office, I can watch them. Sure, a really clever intruder could program his malware to be dormant on my systems when I am connected to "home." How often will that be the case? It depends on my adversary, and his deployment model. (Consider malware that never executes on VMs. Hello, malware-proof hosts that only operate on VMs!)
  
  The point is that my devices spend enough time on a sufficiently monitored network for me to have some sense that I could observe indicators of problems. Of course I may not know what those indicators could be a priori; cue retrospective security analysis.


• What is the purpose of monitoring? Don't just monitor for the sake of monitoring. What is the goal? If you are trying to identify suspicious or malicious activity to high priority servers, does it make sense to try to watch clients? Perhaps you would be better off monitoring closer to the servers? This is where adversary simulation plays a role. Devise scenarios that emulate activity you expect an opponent to perform. Execute the mission, then see if you caught the red team. If you did not, or if your coverage was less than what you think you need, devise a new resistance and detection strategy.


• Build visibility in. When you are planning how to use cloud services, build visibility in the requirements. This will not make you popular with the server and network teams that want to migrate to VMs in the sky or MPLS circuits that evade your NSM platforms. However, if you have an enterprise visibility architect, you can build requirements for the sort of data you need from your third parties and cloud providers. This can be a real differentiator for those vendors. Visibility is really a prerequisite for "security," anyway. If you can't tell what's happening to your data in the cloud via visibility, how are you supposed to validate that it is "secure"?

I will say that I am worried about attack and command and control channels that might reside within encrypted, "expected" mechanisms, like updates from the Blackberry server and the like. I deal with that issue by not handling the most sensitive data on my Blackberry. There's nothing novel about that.

---

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

Read More

Response to 60 Minutes Story "The Internet Is Infected"

I just watched the 60 Minutes story The Internet Is Infected. I have mixed feelings about this story, but I think you can still encourage others to watch and/or read it. Overall I think the effect will be positive, because it often takes a story from a major and fairly respected news source to grab the attention of those who do not operationally defend networks.

I'd like to outline the negative and positive aspects of the story, in my humble point of view.

The negative aspects are as follows:

1. I detest the term "infected." Computers in 2009 are not "infected." They are compromised by malware operated by a human with an objective. The malware is a tool; it is not the end goal. In the late 1990s I enjoyed defending networks because the activity I monitored was caused by a human, live on the Internet, whose very keystrokes I could watch. At the beginning of this decade I despaired as human action was drowned in a sea of malware that basically propagated but did little otherwise. Since the middle of the decade we have had the worst of both worlds; when I see malware I know there is a human acting through it for malicious purposes. I detest "infection" because the term implies we can apply some antiseptic to the wound to "clean it." In reality the malware's operator will fight back, resist "cleaning," and maintain persistence.


2. Cue the "teenage hacker." I thought we were collectively making progress away from the pasty-faced teenager in the parental basement. It seems the popular consciousness has now moved to the pasty-faced teenager in Russia, courtesy of 14-year-old "Tempest" in the 60 Minutes video. Never mind the organized crime, foreign intelligence, and economic espionage angles. Two other groups are definitely going to be upset by this: Chinese hackers and insider threats. Actually, not hearing a word about the latter makes me feel happy inside.


3. "I thought I had a good enough firewall." GROAN. Hearing people talk about their firewalls and anti-virus was disheartening. I almost thought Vint Cerf was going to spill the beans on the easiest way to avoid Conficker when he said the following:
   
   I’ve been on the Net ever since the Net started, and I haven’t had any of the bad problems that you’ve described," Cerf replied...
   
   Because I don't use Windows! Say it Vint! Oh well.

The positive aspects are as follows:

1. Hello security awareness. Stories like this wake people up to the problems we face every day. Sure Conficker is just the latest piece of malware, definitely not "one of the most dangerous threats ever," as said on TV. At the very least this story should enable a conversation between management and security operations.


2. Client-side exploitation via socially-engineered and social network attacks were demonstrated. Good for Symantec to show that Morley Safer owns Leslie Stahl via Facebook. Better yet, 60 Minutes even used the term "owned"!


3. Real consequences were demonstrated. I am very glad that Symantec showed just what an intruder can do to an owned computer. Keystroke logging, screen scraping, sensitive informatiomn retrieval, the works. They didn't even mention opening and closing the CD tray or activating the Webcam. That would have been cool, though.

Expect a few questions about this tomorrow at work!

---

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

Read More

Network Security Monitoring Lives

Every once in a while I will post examples of why Network Security Monitoring works in a world where Webbed, Virtual, Fluffy Clouds abound and people who pay attention to network traffic are considered stupid network security geeks.

One of the best posts I've seen on the worm-of-the-week, Conficker, is Risk, Group Think and the Conficker Worm by the Verizon Security Blog. The post says:

With the exception of new customers who have engaged our Incident Response team specifically in response to a Conficker infection, Verizon Business customers have reported only isolated or anecdotal Conficker infections with little or no broad impact on operations. A very large proportion of systems we have studied, which were infected with Conficker in enterprises, were “unknown or unmanaged” devices. Infected systems were not part of those enterprise’s configuration, maintenance, or patch processes.

In one study a large proportion of infected machines were simply discarded because a current user of the machines did not exist. This corroborates data from our DBIR which showed that a significant majority of large impact data breaches also involved “unknown, unknown” network, systems, or data.

This my friends is the reality for anyone who defends a live network, rather than those who break them, dream up new applications for them, or simply talks about them. If a "very large proportion of systems" that are compromised are beyond the reach of the IT team to even know about them, what can be done? The answer is fairly straightforward: watch the network for them. How can you do that? Use NSM.

Generate and collect alert, statistical, session, and full content data. I've also started using the term transaction data to mean data which is application-specific but captured from the network, like DNS requests and replies, HTTP requests and replies, and so on. These five forms of data can tell you what systems live on the network and what they are doing. It is low-cost compared to the variety of alternatives (manual, physical asset control; network access control; scanning; etc.). Once a sensor is deployed in the proper place you can perform self-reliant (i.e., without the interference of other groups) NSM, on a persistent and consistent basis.

Where should you monitor? Watch at your trust boundaries. The best place to start is where you connect to the Internet. Make sure you can see the true source IP (e.g., a desktop's real IP address) and the true destination IP (e.g., a botnet C&C server). If that requires tapping two locations, do it. If you can approximate one or the other location using logs (proxy, NAT, firewall, whatever), consider that, but don't rely only on logs.

NSM lives, and it is working right now.

---

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

Read More

NSM on Cisco AXP?

Last year I wrote Run Apps on Cisco ISR Routers. That was two weeks after our April Fool's joke that the Sguil Project Was Acquired by Cisco.

I am wondering if any TaoSecurity Blog readers are using Cisco AXP in production? Looking at the data sheet for the modules, they appear too underpowered for NSM applications, especially at the price point Cisco is advertising.

---

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. Early Las Vegas registration ends 1 May.

Read More

Association of Former Information Warriors

In response to my TaoSecurity Blog post titled Buck Surdu and Greg Conti Ask "Is It Time for a Cyberwarfare Branch?", I decided to create the Association of Former Information Warriors. I set up a LinkedIn Group with the following description:

The Association of Former Information Warriors is a professional networking group for those who once served as military members in information operations (IO) or warfare (IW) units. The mission of the AOFIW is to propose, promote, and debate policies and strategies to preserve, protect, and defend digital national security interests. Candidate members must be referred by current members. Those no longer in military service are candidates for full membership; those currently serving in uniform are candidates for associate membership.

In other words, to join AOFIW you need to know an existing member. This weekend I am going to try kickstarting the membership process by inviting those I personally know and trust to meet these criteria. You must be a LinkedIn user to join the group, since that is the mechanism we will use to vet and accept members.

I'll be posting about AOFIW at the AOIFW Blog, which will offer thoughts from other AOFIW members as we grow the group.

---

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.

Read More

More PowerPoint Woes

Last year I attended The Best Single Day Class Ever, taught by Prof. Tufte. He changed my outlook on PowerPoint for ever. Today in FCW magazine I found a pointer to 8 PowerPoint Train Wrecks, like the slide Bill Gates is presenting at left. While following some of the linked presentations, I came across this line from the shmula blog:

While at Amazon, we were all told by Divine Fiat that ALL presentations — regardless of kind, cannot ever be on Powerpoint. Period. Bezos prefers prose and actual thoughts slapped in a report — an actual paper report with paragraphs, charts, sentences, an executive summary, introduction of problem, research approach and findings (body of paper), conclusions and recommendations — not choppy, half-thoughts on a gazillion slides.

Thank goodness. I am not crazy after all.

That same blog post makes other good points, and links to an imagined Barack Obama "Yes We Can" PowerPoint deck. Hilarious.

---

Richard Bejtlich is teaching new classes in Europe and Las Vegas in 2009. Online Europe registration ends by 1 Apr, and seats are filling. "Super Early" Las Vegas registration ends 15 Mar.

Read More