As Long as Attackers are Organized and We’re not, We’re Losing an Asymmetric War.
To effectively defend yourself against an enemy, you have to think like your adversary. Put yourself in their mind, their shoes. What’s the motive? Monetary gain? Vandalism or hacktivism? Surveillance or warfare? Are they willing to martyr themselves or are they stealthy and patient? How determined are they? Will they stop at a well-hardened network perimeter or move on to other tactics, including social engineering?
We, the white hats, need to engage in intelligence gathering. One way is to conduct our own surveillance, but in a cyber analog of the espionage techniques used in traditional conflict. Perhaps by covertly ingraining ourselves in the attackers’ social network to determine what tools they’re developing and employing, the newest vulnerabilities they’ve discovered and the associated attack techniques they’re in the middle of perfecting, and who the current targets are, both in terms of technology and named entities.
I realize that not every organization has the skill or time to hire out mercenary grey hats. That species of intelligence gathering is largely the purview of research agencies, open projects, law enforcement, and government; however, there are other ways to move from a position of constant and reactive defense to a state of preparedness: sharing our individual experiences. The bad guys are already organized and collaborating effectively on how to compromise our systems; we need to start sharing, and sharing openly.
What we need is more full disclosure. I understand that companies don’t want to be embarrassed with the details of how they were compromised, but look folks, it’s going to be exposed eventually anyway, so why not just cough up the how’s, what’s, where’s, and when’s right up front? In the end it helps everyone. So now we know that RSA was compromised through a spear-phishing scheme containing a zero-day Excel vulnerability. But knowing that RSA was compromised is only useful to warn the rest of us that the black hats are targeting big game and that none of us is immune. Without the details of the attack, we’re left with the knowledge that we need to do something, but not what. It’s all very reminiscent of the old DHS warning system: great, we’re at condition medium ochre, but what should I do? I have no idea what to do with that shed full of duct tape, batteries, and water if a terrorist attack does hit.
To head off any critics who latch on to the “full disclosure” moniker, this is different from vulnerability full disclosure. There’s an argument to be made that the bad guys will start amping up spear-phishing and embedded malware attacks, but that’s different than saying there’s a vulnerability in BIND and, oh, here’s some code to use as a weapon, kiddies. Certainly it would be useful to have the exploit utility to pen-test our own BIND servers, but what’s more useful to the white hat community is the solution; what kill bit should I set? What BIND configuration do I need to modify? Is there a firewall rule I can apply or a Snort signature available?
My suspicion is that corporate reputation is only part of the equation. Most organizations simply don’t collect and centralize the information necessary to perform effective and timely root cause analysis of the compromise. Security standards, regulations, and compliance frameworks get organizations part of the way there; however, they’re often focused on one facet, such as cardholder data for PCI DSS. And because most log management solutions have historically been purchased for compliance, there’s often a big gap in forensic data. The good news is that I’m hearing more and more customers talking about the need for total visibility, real security intelligence, instead of just ticking the compliance check box.
To perform a real forensic investigation, you need to have all the information you can get your hands on. Logs from operating systems, applications, firewalls, IDS/IPSes, authentication servers, databases, printers, you name it. Vulnerability scanning, sure. Network activity? You bet. If all you can get is NetFlow, fine; however, it’s better if you can do full packet capture, at least at strategic points. And for the love of all that’s secure, don’t pre-filter data: you never know what may be useful because you don’t know what systems and tactics the next attack will exploit. Sure, filter it out as white noise for correlation if you have a SIEM, but don’t toss the data.
Keeping all this information will eventually fill up your log manager or SAN like the piles of newspapers and garbage bags in a hoarder’s house. You’ll have to make some business decisions about retention and risk, but please make sure you have a loud voice at the table and that the GRC folks, lawyers, and storage management team don’t drive the entire conversation. You have to think ahead to the inevitable incidents, whether they’re a botnet infection, inadvertent exposure of PII, or corporate espionage from a desperate competitor or hostile nation.
Once you suffer a breach, how do you share your analysis? There are excellent information sharing channels in the form of FIRST.org, the SANS Internet Storm Center, Infragard, and various breach reports. These are all excellent resources, but not as widely publicized as necessary to alert the entire law-abiding internet community. This is going to sound off the wall, but one information dissemination channel that works particularly well is the media. As soon as a company announces it’s been hacked, everyone in the industry knows about it. We all knew that Google was hacked within hours, but not how. The same with RSA, Sony, Nasdaq.
So I say tell all and say it loud. Add to our collective knowledge and help us move the battle lines outward from the boundaries of our individual perimeters. You were compromised a few hours ago because a user opened a tasty attachment? I can work with that. And in all actuality I’ll respect you more for it, and I believe a majority of the industry will, too. Let’s face it, we all nod our heads and acknowledge that even many of our own users would’ve fallen for the old “click here for pictures of a nude celebrity” trick, but now I know there’s a new Adobe Acrobat vulnerability.
We simply can’t afford to each learn the same lesson as the guy in the building next door and the lady in Copenhagen and the administrator in Tokyo. As long as the attackers are organized and we’re not, we’re losing an asymmetric war. It’s time to stop being Emperors with no clothes and join forces for better security intelligence.