Wednesday, August 27, 2008

Security Religion

An audience I once sat in was challenged during a presentation by a co-worker to "develop your own personal security religion" if you haven't already done so as the consequences of not having one are too great. I assumed he was speaking to everyone but me.

Nonetheless I jotted this challenge down in my Moleskine. I've not yet systematically wrapped my head around my own mindset or 'religion' enough to speak to it. But this article on OODA loops highlights some of my thoughts on how to develop a team-based mindset of security religion.

In many respects, the goal for a response team is to have the quickest OODA loop around as well as the independence to carry out rapid response. But the three elements the author lists as required for a maneuverable company resonated with me: mutual trust, clear sense of mission, and focus.

Make no mistake, those three items are done through proper leadership.

On Malware Investigations

I was recently asked how to investigate malware that has owned a particular Windows host. This post will address some of the elements, methods, and goals of such an analysis, but I will avoid any discussion of tools.

Elements of the whole

A holistic approach is needed, but you must understand each element to gain the most value. These elements contain the evidence needed to gain insight into what happened. Not all are needed, but the more of them you have, the more likely it is that the dataset can be validated.

The first element is the network layer. This is your most trusted source of information, as there are no questions regarding the integrity of the data. These sources include netflows (or any session data), any full packet captures, proxy logs, and authentication logs (AD Domain Controllers, RADIUS, etc.). The ideal situation is a full packet capture taken during the initial infection and continued afterwards to track network activity. Barring encryption, this also confirms or rules out whether any information leakage occurred.

Additionally we have the operating system layer. This consists of items such as full memory dumps or process lists, services, event logs, and application logs (such as antivirus, HIPS, IIS, SQL, etc.). All of this information may be suspect if the malware did gain complete ownership of the host. Because of this integrity question, any operating system information gained should be validated against either the file system or network layers. The operating system layer is much less obvious than the network layer and requires a lot of small items which may build into a bigger picture.

The final element is the file system layer. The file system should be inspected either through a bootable CD or by mounting the disk in another system. This avoids the integrity problems a rootkit introduces when the live system is queried. Important starting points include the Internet cache, file modification and creation times, prefetch, as well as AV quarantine directories.

Proper Methods

Mindset and minute details should always be front of mind. A simple spyware infection could turn into a full-blown data loss fiasco. Collection of as much evidence as can be obtained should be done quickly, but more importantly with sound practice to prevent any spoliation. It will slow things down, but it will preserve any sort of case that may need to be developed.

Once collected, a copy of the data set is then used for analysis. This analysis typically ends up with lots of tree branches going out in different directions. Most of those branches will end up as dead ends. The ones that do not should all corroborate each other. If they don't, you are missing something. A single piece of data is uninteresting if you don't have at least one other source that validates it.
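As an added illustration of the cross-layer validation described above (this is example code, not something from the original post), the script below takes constructed sample records from the three layers (session data from the network, a process list from the operating system, and file creation times from an offline mount), puts them on one timeline, and groups events that fall within a few seconds of each other. A group backed by two or more independent layers is reported as corroborated; a group seen by only one layer is flagged as needing validation, with OS-only groups called out as suspect because the host may be owned. The time-window grouping and the five-second window are simplifying assumptions for the example; real investigations also correlate on hosts, paths, and addresses.

```python
"""Cross-layer corroboration of malware-investigation evidence.

Added example, not from the original post. All records below are
constructed sample data; timestamps, addresses and paths are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Network layer (most trusted): session records, "ts src -> dst proto bytes=N"
NETFLOW = r"""
2008-08-27T09:02:11Z 10.1.1.50:49213 -> 198.51.100.7:80 tcp bytes=51234
2008-08-27T09:02:40Z 10.1.1.50:49214 -> 198.51.100.7:8080 tcp bytes=1802
2008-08-27T09:15:02Z 10.1.1.50:49301 -> 203.0.113.9:443 tcp bytes=98110
"""

# Operating system layer (suspect on an owned host): process list with start times
PROCESSES = r"""
2008-08-27T08:55:00Z pid=1320 image=C:\Program Files\AV\avscan.exe parent=services.exe
2008-08-27T09:02:13Z pid=1644 image=C:\Windows\Temp\svch0st.exe parent=explorer.exe
"""

# File system layer (from an offline mount): creation times of interesting files
FILES = r"""
2008-08-27T09:02:12Z created C:\Windows\Temp\svch0st.exe
2008-08-27T09:02:13Z created C:\Windows\Prefetch\SVCH0ST.EXE-1A2B3C4D.pf
2008-08-27T09:15:01Z created C:\Users\bob\AppData\Local\Temp\out.zip
"""


@dataclass
class Event:
    ts: datetime
    layer: str      # "network", "os" or "filesystem"
    detail: str


@dataclass
class Cluster:
    events: list

    @property
    def layers(self):
        return sorted({e.layer for e in self.events})

    @property
    def corroborated(self):
        # A finding counts as validated only when an independent layer agrees.
        return len(self.layers) >= 2

    @property
    def start(self):
        return self.events[0].ts


def parse_layer(text, layer):
    """Turn 'timestamp detail...' lines from one evidence source into Events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, detail = line.split(" ", 1)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), layer, detail))
    return events


def cluster_events(events, window=timedelta(seconds=5)):
    """Group events on a single timeline when each follows the previous within the window."""
    clusters = []
    for ev in sorted(events, key=lambda e: e.ts):
        if clusters and ev.ts - clusters[-1].events[-1].ts <= window:
            clusters[-1].events.append(ev)
        else:
            clusters.append(Cluster([ev]))
    return clusters


def analyze():
    """Merge the three layers and return the corroboration clusters."""
    events = (parse_layer(NETFLOW, "network")
              + parse_layer(PROCESSES, "os")
              + parse_layer(FILES, "filesystem"))
    return cluster_events(events)


def build_report(clusters):
    """Human-readable summary: which branches agree and which stand alone."""
    lines = []
    for c in clusters:
        status = "CORROBORATED" if c.corroborated else "SINGLE-SOURCE (needs validation)"
        if not c.corroborated and c.layers == ["os"]:
            status += "; OS-layer data only, suspect on an owned host"
        lines.append(f"{c.start:%H:%M:%S} [{', '.join(c.layers)}] {status}")
        for e in c.events:
            lines.append(f"    {e.layer:<10} {e.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(analyze()))
```

On the sample data the 09:02 activity shows up in all three layers (a session, a file created in Temp and its prefetch entry, and the matching process start), so it is the branch worth following; the lone 08:55 process entry and the lone 09:02:40 session are the dead ends or gaps the post warns about until another source speaks to them.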

The Goal

The goal in such an intrusion is to discover precisely "what" the malware does. This will allow you to answer the more important questions of who, why, and how. The who will allow you to watch for future threats. The why will define the attack's motive, which clarifies the potential and/or residual risk. The how will show where the weaknesses are and allow for their remediation.

None of this is particularly new, perhaps some slant from my experiences but certainly not my ideas. Two heavy influences: Richard Bejtlich and Harlan Carvey.

Thursday, August 21, 2008

Client vs Server Models

Twelve or thirteen years ago I told my family one day all their data would be accessible on the Internet and computers themselves wouldn't matter so much. They told me nobody would turn over their privacy like that so therefore it would never happen.

Every few years somebody tries to blow my mind by explaining how we're either going back to the mainframe model, client/server model, or peer model of computation and how ironic that really is in today's world. Cloud computing buzzwords have helped the occurrence of such conversations lately.

My twist on these computing models: it's not about whether input/output is centralized or decentralized but what effect it has on information. The tendency over time isn't necessarily about architecture, but about how computing has continually evolved toward higher degrees of complexity, mobility, and abstraction of the information.

Nothing groundbreaking, just food for thought.

Tuesday, August 19, 2008

On Cyberwar

I've only skimmed a dozen or so articles on the Georgian/Russian (so-called) Cyberwar. In my humble opinion the event is rather non-interesting as it is being reported. It wasn't a cyberwar; it doesn't even appear to be a means of signals intelligence. So far all reports show that it was simply attacking the communications infrastructure to further cause confusion. No news on whether they attacked radio or cell phone signals.

The more interesting story is the use of civilians. I believe a similar tactic was used as protests from Chinese hackers during the Tibet riots earlier in the year. State sponsorship at its best.

And while that may be interesting, the more important story is the actual war. Cyber or not, the entire event is going to unfold for some time. If a pullout does eventually occur, Georgia will still be heavily influenced by Russian politics, a concept they thought died along with the cold war.

Here, here, and here for great analysis.

Fun Reading for Tuesday

Saturday, August 16, 2008

Practicing Security in Hard Economic Times

Some interesting turns of events in the financial markets lately. This will have a lasting effect on companies big and small for the next few years. So how does that affect security?

"Ease of business vs Security". This is the typical trade-off security practitioners and businesses need to make. Arguably, when times are rough financially, that dictates a series of actions by the business which includes a bigger magnifying glass on expenditures in order to control money flow. Depending on the level of pressure exerted on the company, a higher degree of reactivity vs proactivity will occur as the business works on meeting the needs of today vs the long term. Did I mention I'm not an economist?

A few points:

  • The economy has changed how security shops will do business for the near term. This should be obvious but that doesn't mean we won't learn it the hard way.
  • Expect to think more short term as opposed to long term. (But not at the expense of the long term).
  • Invest in raising security levels in the existing infrastructure as opposed to add-on solutions.
  • Business changes rapidly during sporadic times. Be on your toes and slow your capital initiatives. Make sure you're ready to react when the business needs you. This will show that you're not a waste of money or time and, indeed, understand business.

Thoughts are still hazy on this for me, but I feel those will clear up as time goes on.

Fun Reading for Saturday

OPEN SOURCE WARFARE: Cyberwar from Global Guerrillas
August 2008 Microsoft patch Release from Verizon Business Security Blog
Police nab Shadow creators, force botnet to commit suicide from ArsTechnica: Security Content
Cognitive Waste from John Robb's Weblog

Thursday, August 7, 2008

Name That Unmarked Vehicle.

I've always had the habit of scanning traffic while driving to spot unmarked police vehicles. Not particularly because I'm speeding, but for the same reasons I am aware of surveillance cameras nearby.

Maybe it's a game I play to keep my mind from wandering. On the way in to work this morning I counted 9 tells that I typically use to spot an unmarked car that is behind me.

One of the tells even signals if it's a state or federal owned, which is handy if you're wanted by the FBI.

Monday, August 4, 2008

Clausewitz - "On War"

One of the long-term books I've begun reading is "On War". The first 68 pages consist of several forewords and introductions. It's heavy but good (I'm on page 19). I'm not a big quote person, but my first favorite quote so far:

The conduct of war resembles the workings of an intricate machine with tremendous friction, so that combinations which are easily planned on paper can be executed only with great effort. Consequently the commander's free will and intelligence find themselves hampered at every turn, and remarkable strength of mind and spirit are needed to overcome this resistance. Even then many good ideas are destroyed by friction, and we must carry out more simply and modestly what in more complicated form would have given greater results.