Monday, May 24, 2010

More on Black Hat Costs

About a year ago I wrote Black Hat Budgeting, explaining how an offensive security team might spend $1 million. I said

"I submit that for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack."

Tonight Jeremiah Grossman asked via Twitter:

jeremiahg@taosecurity regarding black hat budgeting, does defense-in-depth exacerbate the value cost inequity for defenders http://is.gd/cnGW9

I was tempted to squeeze some sort of reply into less than 140 characters, but decided to answer here instead.


  • First, vulnerability research is not free. Funny enough the No More Free Bugs movement is about one year old now. Charlie, Dino, and Alex are right -- it costs real resources to find vulnerabilities in software, with the level depending on the target.

  • Second, exploit development is not free. It is not trivial to devise a reliable, multi-target, stealthy-if-necessary exploit for a discovered vulnerability. Projects like Metasploit have made it a little easier since the days of one-off code for every proof of concept. Still, professional exploit writers still spend a lot of time on Metasploit, commercial alternatives, or their own mechanisms.

  • Third, victim management is not free. Everyone likes to talk about "risk management." Let's flip that notion around and think from the intruder's perspective. One of the features separating amateurs from professionals is the degree to which the intruder can manage his or her presence in the victim enterprise. The greater the persistence of the intruder the more professional the intruder, almost by definition. It takes a decent amount of work to stay present and/or undetected in an enterprise, depending on the defender's capabilities.


So, black hats have a lot of costs to manage, beyond those in my original post. I can pretty confidently argue, however, that intruder costs are dwarfed by defender costs. To the extent that "defense in depth" (DiD) applies additional costs yet do not meaningfully reduce exposure and vulnerability, DiD does indeed "exacerbate the value cost inequity for defenders."

Aside: a quick way to identify ineffective DiD is to review network diagrams showing "firewall stacks." I mean, seriously, in 2010, who needs more than one "traditional" firewall on a network segment? 10 or more years ago I remember network security people thinking you needed multiple different firewalls to they would each "catch something different" or cover for errors. These days everyone lets 80 and 443 traverse the firewall so malicious traffic just uses those services. How much money is wasted on these "traditional" designs?

5 comments:

blog.psi2.de said...

What do you think about the Vulnerability Marketplace Survey UnSecurityResearch published a few days ago?
http://unsecurityresearch.com/index.php?option=com_content&view=article&id=52&Itemid=57

Anonymous said...

The firewall is still a valid tool for segmentation of your internal network and segmentation is an often overlooked, inexpensive way to secure internal networks.

Matthew Wollenweber said...

You raise a fair point in regards to firewalls - especially given the plethora of user driven attacks. However, lets say the attack has an exploit for something in the DMZ. The attacker exploits a remote service. If you follow traditional design, the DMZ won't allow a callback (EGRESS filtering - the dmz should initiate limited outbound connections). Now the attacker has to initiate an inbound connection, but only used ports are allowed through the firewall. Generally that means you have to kill a service. If that happens the admins will often notice the downtime quickly. Thus your job as an attacker is much more difficult.

There are of course other ways of getting a connection back, but the attacker would have to deliver a more complex initial payload, which can be very difficult.

Therefore, I'm not sure the money is wasted by traditional design. I'll admit that the vast majority of attacks now attack end users, but I believe that is an effect from the traditional firewall design being effective and attack patterns shifting. To quote Patton, "Fixed fortifications are monuments to man's stupidity.” I think the appropriate move is to move beyond only traditional design not because of it's failure, but because the attack has shifted.

dre said...

10 years ago, IGMP, ICMP, and ACK based backdoors could have been considered a serious problem.

Today, you are 100 percent fine running standard, non-reflexive access-control lists and/or null routes based mostly on bogons and the FATF blacklist.

Boundary filters at borders that do IP to IP are enough (because, yes, 80/443/et-al are rampant). You don't need complex exceptions management, or silly firewall forms. I suggest you comanage your existing firewalls with 2-3 managed security providers and begins projects to de-emphasize their use.

If XML traffic is 50 percent of Enterprise traffic, then maybe somebody should consider more boundary filters at this layer.

rmac said...

Although all those things are not free, I believe that the costs are in most cases going down, due to an increase in supply. It would be interesting to see a time adjusted graph of the cost of a common zero day over the last few years. I think the largest cost for the intruder continues to be post intrusion aspect... how to get the money out, or the time and resources it take to analyze and achieve results with stolen data. That being said, it is a replacement cost, you would have to be earning money or researching a technology anyway... but still a cost.