The industry is starting to show its age. The all-night partying and password cracking bravado are growing tiresome. Nobody likes the arrogant security guy any more. However, security still has a serious addiction to fear. But the methadone of rationality is starting to work. Everywhere I went, there were people talking about applying analysis and intelligence to security. Is information security really growing up?
Mandiant Intelligence Report
Mandiant has become the Benedict Cumberbatch of the information security community. I say that with complete respect for them. (Cumberbatch plays the immensely fascinating Sherlock Holmes in the BBC series Sherlock and the new villain in Star Trek Into Darkness.) Mandiant produces some great tools for the community and has clearly conducted some fascinating investigations. I also respect them because they are very business-like. They do not show up in black t-shirts with the whole hacker ‘tude.
Their presentation focused on their report, released this week, on the state-sponsored attacks that China is conducting through a military unit named PLA 61398. The presentation laid out the basic facts behind their case, and they were compelling. The most interesting tidbit, which really gave their data a human element, was how the hackers will immediately hop on Gmail and YouTube once they take over a remote system. These two services, as well as many others, are heavily filtered in China. As such, these attackers would take over systems and then use them to surf web sites without the rest of the Chinese army monitoring them. This is both scary and a little sad. To think these hackers have to basically evade their own government to browse the web.
The whole presentation really underlines the reality of state-sponsored hacking. This problem is really growing in complexity and prevalence. A few years ago, I was very dismissive of “cyberwar” type attacks since they seemed so sensational. Now, I am a little more realistic about that. This is a real issue.
The other tidbit that came out of this is the level of sophistication of these APT attacks. These are not destructive attacks. They are squarely focused on getting inside, maintaining a presence and taking only tiny bits of highly relevant information. These attacks are not going to delete files and corrupt systems. They are going to slowly search for useful data and take it out of the environment in the quietest and least invasive way possible.
However, I also could not help thinking how some basic defenses would stop most if not all of these attacks. Simple security measures on DNS and egress filtering on firewalls would instantly render these APT attacks useless. For all the talk about these horrible APT attacks, I have heard very little about the defense, except from vendors.
Security Culture: Figuring Out How Bad Your Company Really Is
The next session I attended was on security culture. It was really stupid. The presenter, Ira Winkler, is a well-known security guy. His presentation felt unorganized and condescending. I have been studying a lot about business leadership and culture lately, and it was very clear Mr. Winkler did not understand what business culture is. I walked out after 30 minutes.
What I can say about culture is that good leaders must trust their people. And the more you can trust them, the more they will trust the organization and do the right thing. And trusting people is not synonymous with unlimited freedom. You can trust your people, but still have them limited to specific job expectations and requirements.
Keynote, Vint Cerf, Google
Mr. Cerf looks and sounds like that friendly, whacky professor you had in college. His presentation was a little unfocused. But it had plenty of humor. Honestly, I cannot recall taking away much from it. It was not a bad speech, just not memorable or very inspirational.
Philippe Courtot, Qualys and John Pescatore, SANS
Next up was Philippe Courtot from Qualys. His speech was all business but not terribly insightful. After talking at a high level about how everything is Internet-enabled, he turned the presentation over to John Pescatore, formerly of Gartner and now working at SANS. John is a smart guy who can communicate well. However, he still has a lot of Gartner left in him, and it shows. He says a lot about a little and it amounts to a big “duh.” Gartner has really mastered the art of making the mundane sound revolutionary. Case in point, read my UTM v NGFW article. John’s big revelation to RSA: there are a lot of Internet devices out there. Really, John, no way! I think John ate one too many Magic Quadrants back in his drum circle at Gartner University.
However, he did point out this list of 20 controls SANS has released that every organization should have. This is an excellent list. There is nothing on the list that is news to us at Anitian. We have been recommending these controls to clients for 15 years. However, having them codified into a list that SANS is behind definitely does not hurt.
Some guy from Cisco was up next, he was boring, so off I went.
Five Most Dangerous Attack Techniques
This was a panel presentation from Alan Paller and Johannes Ullrich of SANS and Ed Skoudis from Counter Hack. This was a fantastic presentation, mostly because of Skoudis’ tremendous enthusiasm and passion for security.
Skoudis first described how forensic tools and tactics are now being incorporated into hacking tools. This allows the attacker to sift through data on the compromised system to locate the specific file or piece of data they want. This reduces the footprint of what must be exfiltrated from the environment, thus reducing the likelihood of being discovered. Rather than download a 20GB file, which would be easily detected, they can find the single 500K file they want and slip that out to command and control systems.
The next concept was about malware fingerprinting. For a long time, part of the way researchers could track the origin of malware was analyzing how it was coded. Malware writers tend to code in the same way or reuse code over and over again. Now that nation-states are getting into the malware game, they do not want to be fingerprinted in this manner. As such, they are purposefully injecting flaws and markers into their malware code to deceive researchers. Not only was this a fascinating concept, it really shows how sophisticated the cat and mouse game of malware and APT has become. It also demonstrates how sophisticated nations have become at developing and deploying “cyberweapons.”
The talk then turned to the possibility of a “cyberattack” causing kinetic damage. That is, could a hacker cause some physical damage, such as knocking out power or making weapons explode. If Stuxnet proved anything, it proved that attacks can have kinetic effects.
One bit of data that got dropped at this point was the fact that 90% of attacks begin with some kind of spearphishing attack. That is, the attacker fools somebody into clicking on an email attachment or website link, and the victim then infects themselves with some type of exploit kit.
Another tactic that was discussed was reflective DNS attacks, which abuse open DNS servers (servers that answer recursive DNS queries from anyone) to redirect traffic. The sad thing about these attacks is they are fairly easy to defend against. Simply limiting DNS queries to a trusted source would make such attacks impossible. There are even great external DNS services, like OpenDNS, which eliminate the possibility of reflective DNS attacks. But organizations need to restrict outbound DNS to these authoritative sources and not allow for wide open DNS resolution.
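The DNS and egress-filtering controls argued for above (in the APT section and here) boil down to one policy: internal hosts talk only to the internal resolver, the internal resolver talks only to its trusted upstream, and nothing outside may query the resolver. The audit below, added here as an illustration and not code from the article or from Anitian, checks constructed flow records against that policy; the internal network, resolver address and record format are assumptions (the upstream address is OpenDNS's published resolver, as the article names that service).

```python
import ipaddress
from collections import namedtuple

# Constructed flow record shape (assumed, not from the article): source, destination, protocol, dest port.
Flow = namedtuple("Flow", "src dst proto dport")

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]                # assumed corporate range
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}             # assumed: the only host allowed outbound DNS
TRUSTED_UPSTREAMS = {ipaddress.ip_address("208.67.222.222")}        # OpenDNS resolver, the service named in the text


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def audit_dns_egress(flows):
    """Return (finding, flow) pairs for every DNS flow that violates the egress policy."""
    findings = []
    for f in flows:
        if f.dport != 53:            # only DNS traffic (UDP or TCP) is in scope
            continue
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if is_internal(src) and not is_internal(dst):
            if src not in INTERNAL_RESOLVERS:
                # a workstation resolving directly against the Internet: the "wide open" case
                findings.append(("direct-external-dns", f))
            elif dst not in TRUSTED_UPSTREAMS:
                # the resolver itself going somewhere other than the trusted upstream
                findings.append(("resolver-unexpected-upstream", f))
        elif not is_internal(src) and is_internal(dst):
            # outside host querying our resolver: open-resolver exposure, the reflection precondition
            findings.append(("inbound-external-query", f))
    return findings


# Constructed sample flows; 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", "10.0.0.53", "udp", 53),          # workstation -> internal resolver: allowed
    Flow("10.0.0.53", "208.67.222.222", "udp", 53),     # resolver -> trusted upstream: allowed
    Flow("10.0.1.21", "203.0.113.5", "udp", 53),        # workstation bypassing the resolver
    Flow("10.0.0.53", "198.51.100.7", "tcp", 53),       # resolver using an unapproved upstream
    Flow("192.0.2.99", "10.0.0.53", "udp", 53),         # external client hitting the resolver
    Flow("10.0.1.22", "198.51.100.7", "tcp", 443),      # HTTPS, out of scope
]

if __name__ == "__main__":
    for name, flow in audit_dns_egress(SAMPLE_FLOWS):
        print(f"{name}: {flow.src} -> {flow.dst}/{flow.proto}:{flow.dport}")
```

Each finding maps to a firewall rule: the first two to an egress rule allowing UDP/TCP 53 out only from the resolver to its upstream, the third to an ingress rule (or resolver ACL) refusing recursive queries from outside.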
At the end, these guys started giving some solutions to combat these dangerous attack tactics. Patching was of course the first and most important recommendation. This echoes what we always recommend at Anitian. However, what do you do about devices where the vendor will not patch? Skoudis had a simple answer – network IPS. That was music to my ears. This led into a discussion about how to handle security vulnerabilities from third-party vendors.
Paller recommended that you require third-party vendors to show the results of a third-party penetration test on their product. Paller was clear to emphasize that the test must be from an independent third party. Of course, being one of those third-party testers, I was delighted to hear that.
He then told a great story about a healthcare organization in Europe that put out an RFP for a big HR system. When they bought the system, the company used their own internal testers on the product and discovered thousands of vulnerabilities. When they approached the vendor about these vulnerabilities, the vendor was unsympathetic. They reiterated that the RFP did not require the product to submit to any such testing and that their product met all the technical requirements of the RFP. The company had to spend almost twice as much as the original product cost to fix the security vulnerabilities.
The Industry is Catching Up to Anitian’s Message
Perhaps the most significant trend I have noticed at RSA this year is how many organizations and practitioners are finally using the language and approach we have been using at Anitian for 15 years. Rationality and pragmatism are in vogue. Companies are supporting their claims with data, not wild speculation and sensationalist language. Words like “intelligence” and “analytics” are everywhere. This is very encouraging.
There is also a palpable decrease in fear language and FUD. Although not completely gone, it is being marginalized. Along with that, the companies that live and breathe FUD are also having to shift their approach. Perennial FUD spreader Symantec has shown they can break their fear addiction and bring real data and insight to the table. Even Palo Alto Networks seems to have backed down from the brink of the FUD cliff (not to be confused with the Fiscal Cliff). Has the industry finally grown up?
I think so. This also mirrors Anitian’s maturity as a company. Now that our message is becoming the industry message, I am noticing our approach is gaining traction.
If there is a downside to this outbreak of rationality, it is the loss of drama. RSA is much less dramatic this year. The colors, the crowd and the content are all cooler and more matter of fact. This makes for less excitement, but more reassurance.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com