Security Experts:

Don't Be Afraid To Put On Your Grey Hat

Security Should Be Fascinating, Dynamic, and Creative. Have Fun, Be Criminal In Your Thoughts, But Not Your Actions...

I was battling scores of aliens the other day, armed with only a dull knife. I’d hack at their limbs but they’d regenerate from the tiniest leftover, which was made all the harder because their bodies had evolved as a defense mechanism to sever under moderate stress. As a final vexation, my enemies would reproduce spontaneously as their carcasses fell and were carted off.

Of course I’m talking about pulling crabgrass. Like the aliens of popular movies, weeds starve native plants of local resources, camouflage themselves in many cases, and are insidiously fecund. It would take a wildly imaginative mind to come up with even a fictional organism as devious.

And yet that’s exactly what malware authors not only devise, but build and unleash on a largely well-intentioned Internet population. Now I count myself among the virtuous netizens, but I won’t lie, I’m drawn to the dark side on occasion, at least in concept. I grok the allure of the creative freedom of conceiving a xenomorphic entity and the challenge of imbuing it with traits to survive the adversaries, and the agents they deploy, that will try to thwart my minion offspring. When you don a black hat, all boundaries disappear.

Now I’m not encouraging you to go rogue and break bad; and yet, channeling your evil alter ego is necessary to combat sophisticated threats. The point is to think like your adversary in order to predict the weaknesses in your own defensive posture as well as the strategy and tactics attackers may employ.

My colleague, Jack Danahy, describes why this is so important in his article on selective awareness: Watching and Seeing - The Dark Side of Our Undivided Attention. We tend to focus on what we’re already doing in security rather than try to regularly evolve our strategy. The corollary is we tend to focus on sensational threats, which by nature are spectacularly rare, instead of risks that are more common for our specific circumstance. For example, it’s perfectly rational for organizations in the critical infrastructure sector--electric, oil and gas, water and waste treatment--to react to the news of Flame’s discovery, but insurance companies generally don’t have to worry about sophisticated surveillance malware.

Yet I’d argue that providers of critical infrastructure should have been prepared before the discovery of Flame or Stuxnet or Duqu. Quick self-assessment: how many of you readers questioned whether anyone outside of Iranian nuclear facilities should worry about sophisticated surveillance malware when I mentioned it in the last paragraph? Even if Flame targeted a specific geography, the threat of electronic surveillance is something all countries should be concerned about and have a plan to detect and counter in their critical infrastructure.

Back around the turn of the millennium (yep, still fun to say), I had a debate with a Windows Exchange administrator who insisted on allowing inbound access from users on the Internet using the Outlook mail client. My strong recommendation was to avoid exposing Windows RPC to the Internet because of the consequences of compromise; after all, RPC stands for remote procedure call, the ability to execute code remotely, the holy grail of hacking. His argument was that there was no exploit for RPC. My response: Right--no exploit yet. Sure enough, about a year later, an exploit was released in the wild and I got to say “I told you so”, shut down the insecure access, and redesign their external mail client access.

I’d put myself in the mindset of the bad guys.

As much fun as it is to imagine all the ways an attacker might invade your network, pwn your servers, and siphon off your intellectual property, there’s a deeper level of empathy you have to employ: what’s the payoff, and how much effort and how many resources are you, as the ersatz hacker, willing to invest in achieving it? The purpose here is to identify target assets and their value, and to profile likely attackers. The qualitative value of the target asset has to line up with the motive of the attackers, which generally falls into three categories: monetary, strategic, and political. To start with, ask yourself a couple of questions:

What’s the goal? Theft of intellectual property? Destruction of a centrifuge? Extortion through DDoSing? Modification of source code? Simply a point of presence in the form of bots to use against some other target?

Who poses the threat? Script kiddies? Organized crime syndicates? Unscrupulous competitors? Enemy states?

Once you identify the who and the why (“What’s the goal?” is really a what-and-why question), you can start to define the “how” within certain constraints: what’s the reach of your adversary and the depth of their resources? Smallish attackers will tend to use existing exploits and social engineering, whereas sovereign states, as we know from Stuxnet and Flame, have practically unlimited resources. Organized crime tends to leverage existing resources, possibly with a moderate investment: use existing botnets to DDoS gambling and porn sites until they pay a ransom. Insurance companies, software startups, water cooler refill companies, and the legion of other business types all need to work this out in their own context.

[Figure: Target Value vs. Attacker Resources]

The quadrant chart on the right provides a basic two-axis model to visualize the risk: target value on one axis, attacker resources on the other.

It should go without saying, but I will anyway to be crystal clear, that high value targets merit strong security controls. The persistence of the attacker will largely be defined by the value of their goal: are you the only organization who possesses the object of desire? If not, your efforts and budget might be best spent putting in just enough security to frustrate the attacker and get them to move on. But monitor actively; if your competitor’s security measures are as strong as yours, the attacker will likely be back for another try.
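The value-versus-resources reasoning above, turned into a small runnable model. This is an added example, not code from the original article or from Q1 Labs; the asset inventory, the attacker profiles, and every number in it are constructed for illustration, and "breach cost" and "budget" are assumed to be relative effort scores on the same scale, not real figures. It encodes three of the article's points: an attacker only comes after you if they can afford the effort and the payoff justifies it, an attacker with a choice goes after the weakest holder of the same asset, and a unique, high-value asset can only be defended by outlasting the adversary's budget.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    """Something we hold that an attacker wants.  Numbers are relative effort units (assumed scale)."""
    name: str
    value: float                          # payoff to an attacker who obtains it
    breach_cost: float                    # effort needed to take it from *us* past current controls
    rival_costs: Tuple[float, ...] = ()   # breach cost at other organisations holding the same asset


@dataclass(frozen=True)
class Attacker:
    name: str
    motive: str      # "monetary", "strategic" or "political"
    budget: float    # effort this attacker is willing to spend on a single target


def quadrant(asset: Asset, attacker: Attacker,
             value_cutoff: float = 100.0, budget_cutoff: float = 100.0) -> str:
    """Place an (asset, attacker) pair on the target-value vs. attacker-resources chart."""
    v = "high-value" if asset.value >= value_cutoff else "low-value"
    r = "well-resourced" if attacker.budget >= budget_cutoff else "low-resourced"
    return f"{v}/{r}"


def prefers_us(asset: Asset, attacker: Attacker) -> bool:
    """Would this attacker come after *our* copy of the asset?

    They must be able to afford the effort, the payoff must justify it, and no
    other holder of the same asset may be an easier target than we are.
    """
    affordable = asset.breach_cost <= attacker.budget
    worthwhile = asset.value >= asset.breach_cost
    easier_elsewhere = any(c < asset.breach_cost for c in asset.rival_costs)
    return affordable and worthwhile and not easier_elsewhere


def deterrence_cost(asset: Asset, attacker: Attacker) -> float:
    """Breach cost we must *exceed* for this attacker to give up or go elsewhere.

    prefers_us() flips to False as soon as our breach cost is above the smallest
    of (their budget, the payoff, the weakest rival's cost).  For an asset only
    we hold, the rivals drop out and we are left having to outlast the budget.
    """
    return min([attacker.budget, asset.value, *asset.rival_costs])


def triage(assets: List[Asset], attackers: List[Attacker]):
    """Rows of (asset, attacker, quadrant, will they target us, extra breach cost still needed)."""
    rows = []
    for a in assets:
        for t in attackers:
            gap = max(0.0, deterrence_cost(a, t) - a.breach_cost)
            rows.append((a.name, t.name, quadrant(a, t), prefers_us(a, t), gap))
    return rows


# Constructed sample inventory; illustrative numbers only.
ASSETS = [
    Asset("customer PII database", value=60, breach_cost=20, rival_costs=(15, 40)),
    Asset("firmware signing key", value=500, breach_cost=200),   # we are the sole holder
    Asset("marketing calendar", value=2, breach_cost=5),         # not worth anyone's effort
]
ATTACKERS = [
    Attacker("script kiddie", "political", budget=10),
    Attacker("crime ring", "monetary", budget=80),
    Attacker("state actor", "strategic", budget=10_000),
]

if __name__ == "__main__":
    for row in triage(ASSETS, ATTACKERS):
        print(row)
    # The weakest competitor hardens (cheapest rival now 30): the crime ring comes back to us.
    pii_after_rival_hardens = Asset("customer PII database", 60, 20, (30, 40))
    print("crime ring returns:", prefers_us(pii_after_rival_hardens, ATTACKERS[1]))
```

With the sample numbers, the crime ring leaves the PII database alone only because a competitor is the cheaper target; once that competitor hardens, the same asset at the same breach cost is back in play, which is the "monitor actively" point above. The signing key, by contrast, has no rivals, so the only way to deter the state actor is a breach cost above the payoff, i.e. the strong-controls quadrant.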

You may even be able to determine the “when”: is there a new product launch announcement on the horizon? Did your parent company just back a political candidate? Are there reports of a threat in your industry from a credible source? Brian Krebs, from Krebs on Security, advocates going on the offensive, gathering intelligence in advance by becoming part of the underground community and monitoring discussions on the latest malware, hacktivism hot buttons, and even talk of imminent attacks. No one ever won in sports by only playing defense.

Security should be a fascinating, dynamic, and creative pursuit. Too often we get wrapped up in a “security posture” or our ten million dollar strategy when the reality is that technology just ain’t cuttin’ it. I say have fun, be creative, be criminal in your thoughts, but not your actions (unless it’s penetration testing your own organization). I guarantee you that the black hats who have you in their targets are having a blast.


Subscribe to the SecurityWeek Email Briefing
Chris Poulin brings a balance of management experience and technical skills encompassing his 25 years in IT, information security, and software development to his role as Chief Security Officer at Q1 Labs. Prior to joining Q1 Labs in July 2009, Poulin spent eight years in the U.S. Air Force managing global intelligence networks and developing software. He left the Department of Defense to leverage his leadership and technical skills to found and build FireTower, Inc., an information security consulting practice.