Tuesday, July 19, 2011

British are coming

What is it about attacks that makes us forget the lessons history has taught us? I remember being in middle school/high school and talking about the American Revolution. There was a particular long-winded speech in high school that still stands out in my mind today. The gist of it was that the British were the formal military power. They had all the money, training, weapons, technology, and they were THE DOMINANT SUPERPOWER. The worst part about that is that “WE” (America), a band of ragtag farm boys paired up with a few educated HEROES, were being oppressed by the controls of the British. The British were invading our privacy, taking our hard-earned money for poor-quality goods, and even forcing us into a state of servitude. This went on until every man, woman, and child was profoundly affected by their torment. When that moment came the farmers and heroes united and became one. This newly formed cadre of rebels was blessed as freedom fighters, and fight they did.

We all know the “STORY” that goes along with it, but the part that really stuck with me was the reasons we WON the fights. It’s fascinating to look at a time in history where a MASSIVE army was trounced over and over again because of technique and not technology. As the British marched in formal lines and fired only when commanded, they strutted in majestic red coats down the road like a true POWER. Every measured action was accounted for. From the battalion leaders to the common soldier, they were stuffed full of battle tactics and plans. Commands ran through their minds like a modern-day quarterback and they went into every fight KNOWING they were going to win. With all that practice, all that planning, all the tactics, all the strategy, all the measure and approach, ALL OF THE METRICS VIEWED AND COMPENSATED FOR…. They got mauled. The streets ran red with blood. Outnumbered and fueled with the nervous rage of exercising their “LAST OPTION BEFORE BEING SLAVES,” the newly formed group of “AMERICANS” hid in the bushes and waited for the right moment. In battles that were often 2-3 to 1 or more…. this group of poorly trained farmers was tearing through one of the most powerful forces on earth. WHY???? It’s all about technique.

The Americans did not play by “the rules.” They did not just wait in lines and fire at each other. They did not wait for the trumpets to sound or the gallop of their leader “requesting” them to FIRE. They did what animals do when backed into a corner… they fought. There were no rules or style that had to be followed. It was WIN or DIE. Failure was not an option. It was not on the battle plan. They used the element of surprise and guerrilla warfare to totally dominate the better funded, trained, planned, and universally educated opponent.

My question to all this was WHY did the Brits lose? I thought they were trained? I thought they studied war? Didn’t they have war colleges and schools and mock scenarios? Didn’t they practice for YEARS on end at sea and on land to fight ALL enemies as they pursued global domination? Why didn’t the “standards of war” and formal protection/detection/attack/defense mechanisms work for them?

I actually asked my teacher about this and was EDUCATED on the spot. He looked me straight in the face and said, “Remember how we talked about the Fall of Rome?” I nodded as he proceeded: “The GAULS completely abused the Roman army with the same techniques the Americans used in the war. The superpower that was England was so focused on the rules they were making and the history they were writing that they forgot about the lessons the past taught them. They began to study ‘new’ ways of war and threw the history books aside. Kinda like some people I know.” I laughed as he made a squeaky voice: “HISTORY IS BORING!” The class was floored. He stirred the pot even more (ps. he was my favorite teacher I have EVER had in a history class, or just about any class for that matter). He said, “Did you ever think that HISTORY is the only thing that could destroy or save a country as powerful as America… or England… or Rome, or the many tribes before???” Just as the class jock chimed in with “No one can ever beat us! We have the most powerful military on the planet,” he responded, “Perfect!!!! Let’s write some musings tonight about America and war. Let me give you an example.” (Musings were what he called our undefined papers, where we had to think on paper about a scenario that has historical relevance.) And he wrote one of the most profound things I had ever seen in a history class.

America  =  Vietnamese
  vs.          vs.
British  =  America

I don’t know how many of us got it… but those that did were physically different. HOLY $#@%. We fought with conventional war methods just like the British. We were invading someone’s homeland. We got mauled in so many battles we had to come home.


Let’s not forget the Vietnamese. They fought an unconventional war. They attacked from all angles and at any time. They had no rules. They played it to the bone and gave the world’s greatest super power a run for their money.

Sounds a bit like what we are experiencing with the recent attacks, doesn’t it? From the guerrilla warfare tactics of opportunistic attack to the massive difference in force, the attacks of today are nothing more than mirrors of a battle strategy that has worked for thousands of years. The “Surprise” and “Random” nature of these attacks goes a long way in effectiveness. Now, I am not saying they are random choices by the attacker, I think they are highly guided, but they are random in their execution. Take for instance the ability to scan Shodan or Google for a specific vulnerability. You are left with thousands of hosts and one of them may be your target. This is much different than going after a specific IP address, or range for that matter. The attackers are using intelligence to their advantage and they know the rules.

When should you attack a massive army? On Christmas, when they are all partying and have a “night off.”

Where should you attack a network with millions of dollars of defense and monitoring equipment? Wherever the opportunity presents itself.

In the infosec world we tend to put too much weight on our crusted perimeter and have a bit of a challenge when it comes to looking at the bigger picture. Not all of us can relate to war and its intricacies, but we can ALL relate to Offense and Defense in some way. If our environments were all in the shape of a house, we would have a massive and fortified roof. When the rain came, we would feel safe and sound that the roof was protecting us, until the drips began. Even then, we would see them as a “small issue” or something we could just “patch.” The water, on the other hand, would just find another way in. Being a homeowner, I have had this problem more times than I care to remember and it still happens today. Just last week, we had this torrential downpour in Colorado. Wind, rain and hail put my weekend patchwork to the test. As I came home from work that day I ran up to the attic to see if my efforts paid off. “YEAH!!!!” echoed through the house as I cheerfully wiped the cobwebs off the caulked and patched-over leak areas. I win….. right?

Well, I did as far as the roof was concerned…

But then I was on the way downstairs and walked through my office. My heart sank as I saw the sagging wooden blinds. “Really?!?” Yeah, really. The window was open the entire time of the storm. The carpet was soaked, the windowsill and baseboards were trashed, the blinds were irreparable, and better yet a TON of computer hardware was sitting in a nice neat container FILLED with water. But the roof was good. Actually, the roof was so good that the rain was pouring right off it into the window.

So, we do the root cause analysis (aka figure out who/what to blame) and see that my wife left the window open. *She claims that I did…. weeks before… but that is another story.* At the end of the day it was user error; better yet… it wasn’t even error. It was the daily operational tasks of my house. If it is hot, open a window. If that doesn’t work, turn on the AC. If that doesn’t work... call a tech to fix the problems. Amazing how similar that is to the IT world, huh?

The part that gets me is that even if I blame her or me for leaving the window open, the real culprit is the design. Thinking of it that way, I had to go into infosec mode:

If my threat was water, I should have identified what its capabilities are.

Knowing its capabilities, I could try to plan for a defense that matched.

Once implemented, I could test with water, hose, pressure washer, etc…. and replicate the threat at the same capability that the threat can naturally execute.

After that, I can identify gaps and remediate or plan accordingly for ones I simply have no control over.

This is the one that allows people to get lazy. Anyone can say, “I’ll leave a hole in the roof because if it damages anything, insurance will pay for it.” But as anyone who has had insurance claims knows….. it won’t REALLY pay for everything, and some things can’t ever be replaced. There are some folks on the other side as well. They respond, “Well, I will just waterproof my house.” I can’t say I have ever seen it done successfully, but people sure do try. It is just the nature of houses: they leak. It’s not always the end of the world, but it does happen. It’s part of life and we ALL deal with it.

However, let’s not forget the people who are really “smart.” They smirk and answer the water dilemma with an over-the-top solution. “We will make everything in our house waterproof! Even if the roof leaks, nothing will ever get damaged.” It sounds great in theory, but after a look into the cost and side effects of its “protection,” people tend to shy away from that one. They would rather just tell someone “SHUT THE WINDOW STUPID…IT’S RAINING!!!” than spend $1,000,000 waterproofing the room with the window in it.

This is where I REALLY laugh about our industry…

When we are attacked, we are begged to do MORE of the same thing. Just MORE of it. It’s totally absurd.

The happy powerful British march down the road and are ambushed. They are sacked quickly by the surprise fury of the attack. So, what do they do? Walk the same road with 3x the number of soldiers. Stupid.

We get attacked on our corporate networks because a vulnerability existed in a technology we implemented. So we implement MORE technologies to fix it? Ridiculous.

Yet… if our house has rain wash in through a window, we have the good sense to close the window, move the items that are underneath it so that they are not damaged again, and make a policy that says “If it is raining, shut all windows. Also, don’t put things near a window that can get damaged by water or other things outside the window.” What a BRILLIANT concept. Figure out what the issue is and actually try to avoid it.

Attackers are watching you! They know that you are too big or too busy to see them. They know that you, like everyone else, are human and will mess up. They also know that when you do, you will likely give them even more things to attack with your path of resolution.

All they have to do is wait for the right moment to attack.

Ok… enough doom and gloom… what do we do?

This is my favorite part. It is usually the reason that people will write on reviews after a talk “want more info on how to fix or what to do” or “Was entertaining but did not provide answers.” And so on… I love them because it highlights the issue at hand in its purest form. We want a solution. We want a magic bullet. We want an appliance!!!!

“Here we have the Anti-lulz UTM DLP GRC Pro Advanced Platinum NextGen 3000. The ALUDGPAPNG 3k for short. This device uses the latest deep packet inspection technology combined with an advanced heuristic detection that makes lulz a thing of the past. No longer do you need 40 devices to deal with the issue of hackers making fun of you for poorly securing your network. This device combines the entire OSI into one wirespeed appliance that protects you from every single attack vector INCLUDING THINGS THAT HAVE NOT EVEN BEEN DISCOVERED YET!!!!”

Throw 500k at Gartner to put it in the magic quadrant, and I bet a million of those puppies will magically sell! Better yet, PROVE it works. Show demos of how you can replicate a SQLi attack that lulz uses and show it crushing it with ease. Show how it can torch the client-side emails and detect that they have malicious attachments before any mail ever hits a user. Heck, show them some 0-day *maybe a juicy buffer overflow* that gives you GOD access to any device on the interweb, but the ALUDGPAPNG 3k nails it on a signature AND heuristic drop rule. Do all that and EVERYONE will have to get it. If they don’t, they will be treated like a toothless hillbilly and shunned from the RSA cool kid dinners. OOOH, even better…. after you do all that, and other people copy its design, and you build a “market” called ALA (Anti-lulz Appliances), get a bunch of lobbyists to stuff it into a compliance standard.

Awesome, huh? Just remember to send me some $$ when you are rich from that one. Because everyone else who has used that method is rolling in cash. Yet NONE of them actually protect us.


Yeah, think about it. If I have 1 device with 1 port open, I have a limited number of attacks. If I protect that device with another device that has 1 port open, my number of attacks has at least doubled. Even if it is a firewall or UTM or even the insanely secure ALUDGPAPNG 3k! It is still another vector for attack that was not present before. Just like the AV on your box: it may protect against some viruses, but it opens new holes for your machine to be compromised through. Look at how many boxes have been paved by an AV update, or hacked because of the AV company’s flawed command and control architecture.

If we can’t add more stuff what do we do?

“Complexity reduces security. The more simple the more secure”

This is something that proves true generation after generation. The designs that last, are the most durable, most secure, and most efficient are the ones that are the simplest.

Want to defeat an internet attacker? Don’t connect to the internet. Want to be safe from an Adobe 0-day? Uninstall all Adobe products/code. The answer is actually quite easy. The hard part is where it impacts us. We can’t all run around and turn off all of our PCs. They make our business run. We can streamline, though. We can leverage the ability to work smarter and not harder.

Let’s look at a few of these approaches:

Firewall rules:

We don’t NEED every port open. Pare it down to only what is essential. After that, try to trim it another 20% after you think you are as lean as you can get.

User rights:

No one needs to be an Administrator unless they ARE the administrator. If they need that level of privilege, maybe they should investigate a career in IT admin? If they HAVE to have it, let ’em have it in an area where they can’t damage/touch things that are sensitive to the business. Options are awesome, especially when both work in favor of security and increase simplicity.

Overall protection:

We don’t need to protect everything! If the perimeter has holes that you can’t fix, throw some of that tech at it. Inspect it harder than the things you know you can protect against. Instead of blame… try education. When a user leaves a window open, let ’em know the damage it causes and teach ’em how to close it. It really isn’t that hard. They are not our biggest problem; they are our biggest asset.


How do you know all that “stuff” you bought is working? TEST IT!!!! You don’t know if it works, or if any of your training/policy work, until you test it?!?

Can we survive an attack:

Hire someone to attack you. No, I am not talking about shopping out a bid for the coolest-looking penetration testing deliverable. I am talking about an ATTACK. Figure out who the top 5 adversaries of the business are and how they may attack you. THEN…. have people attack you that way. Having a pentester attack you the way they know how just doesn’t cut it. With the cut-rate budget pentesting shops out there and all the tool usage, those tests are damned near worthless. Do yourself a favor and make goals and tests that replicate a real-world attack… and see if your “real world” defenses can handle it. Most environments are built to survive the attack of an auditor/pentester… not of a real attacker. How can you tell? Well, an attacker reads mail spools, harvests accounts, uses valid forms of access, doesn’t remain in interactive shells, and overall has a low to minimal footprint. Auditors have HUGE footprints, leave tools and detectable items running, use commercial or open source binaries, run scanners, and love interactive shells like MOSDEF, Meterpreter, and Core shell.



  2. haha... thanks.... this one went out before a spellcheck had a chance to make me look smarter. Fixed.

  3. Loving this blog, subbed.

    I'm looking to get into the Security Industry, got some ideas and try to see what everyone else is doing.

    My brand is simplicity, thinking outside the box.
