<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4088979</id><updated>2012-01-31T12:37:54.878-05:00</updated><category term='fisma'/><category term='Snort Report'/><category term='sguil'/><category term='pirates'/><category term='bruins'/><category term='cyberwar'/><category term='books'/><category term='blackhat'/><category term='malware'/><category term='attribution'/><category term='press'/><category term='leadership'/><category term='vulnerabilities'/><category term='ccna'/><category term='announcement'/><category term='analysis'/><category term='psirt'/><category term='hakin9'/><category term='impressions'/><category term='Traffic Talk'/><category term='freebsd'/><category term='offense'/><category term='tufte'/><category term='training'/><category term='mandiant'/><category term='GE'/><category term='powerpoint'/><category term='mssp'/><category term='reading'/><category term='reviews'/><category term='russia'/><category term='research'/><category term='law'/><category term='controls'/><category term='Air Force'/><category term='ge-cirt'/><category term='apt'/><category term='verizon'/><category term='cybercommand'/><category term='bestbook'/><category term='philosophy'/><category term='cloud'/><category term='dfm'/><category term='sans'/><category term='openpacket'/><category term='threat model'/><category term='oisf'/><category term='commodore'/><category term='infrastructure'/><category term='nsm'/><category term='exploits'/><category term='afcert'/><category term='clowns'/><category term='wisdom'/><category term='usenix'/><category term='history'/><category term='microsoft'/><category term='china'/><category 
term='ubuntu'/><category term='correlation'/><category term='bro'/><category term='conferences'/><category term='ipv6'/><category term='threats'/><title type='text'>TaoSecurity</title><subtitle type='html'>Richard Bejtlich's blog on digital security and the practices of network security monitoring, intrusion detection, and incident response.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default?start-index=101&amp;max-results=100'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2845</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4088979.post-8764662679602315693</id><published>2012-01-09T21:40:00.000-05:00</published><updated>2012-01-13T09:08:48.033-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bestbook'/><title type='text'>Best Book Bejtlich Read in 2011</title><content type='html'>&lt;img src="http://bp0.blogger.com/_Z-tqVTd9fPI/R3mSzjL3mfI/AAAAAAAAAQg/n6nqvLYng7U/s400/reviews_amazon.jpg" align=left&gt;It's time to name the winner of the &lt;b&gt;Best Book Bejtlich Read&lt;/b&gt; award for 
2011!  &lt;br /&gt;&lt;br /&gt;I've been &lt;a href="http://www.bejtlich.net/reading.html"&gt;reading&lt;/a&gt; and &lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;reviewing&lt;/a&gt; digital security books seriously since 2000.  This is the 6th time I've formally announced a winner; see my &lt;a href="http://taosecurity.blogspot.com/search/label/bestbook"&gt;bestbook label&lt;/a&gt; for previous winners.&lt;br /&gt;&lt;br /&gt;Compared to 2010 (31 books), 2011 saw a decrease to 22 books.  Remember &lt;a href="http://taosecurity.blogspot.com/2011/03/all-reading-is-not-equal-or-fast.html"&gt;all reading is neither equal nor fast&lt;/a&gt;.  When I review a book, I am sure to read it and not just skim it.  For 10 books last year, I chose not to read them but to instead post &lt;a href="http://taosecurity.blogspot.com/search/label/impressions"&gt;impressions&lt;/a&gt;.  Posts called "impressions" provide my sense of the book but I do not publish them in my &lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com reviews.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My ratings for 2011 can be summarized as follows:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;5 stars: 10 books&lt;/li&gt;&lt;br /&gt;&lt;li&gt;4 stars: 7 books&lt;/li&gt;&lt;br /&gt;&lt;li&gt;3 stars: 4 books&lt;/li&gt;&lt;br /&gt;&lt;li&gt;2 stars: 1 book&lt;/li&gt;&lt;br /&gt;&lt;li&gt;1 stars: 0 books&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;Please remember that I try to &lt;b&gt;avoid&lt;/b&gt; reading bad books.  If I read a book and I give it a lower rating (generally 3 or less stars), it's because I had higher hopes.&lt;br /&gt;&lt;br /&gt;Here's my overall ranking of the five star reviews; this means all of the following are excellent books. The links point to my reviews.&lt;ul&gt;&lt;br /&gt;&lt;li&gt;10. 
&lt;a href="http://www.amazon.com/review/R3JZ4MRX4ELL0X/ref=cm_cr_rdp_perm"&gt;pfSense&lt;/a&gt; by Jim Pingle; Reed Media Services.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;9. &lt;a href="http://www.amazon.com/review/RBVIGWP0JIUD7/ref=cm_cr_rdp_perm"&gt;Beginning Visual C++ 2010&lt;/a&gt; by Ivor Horton; Wrox&lt;/li&gt;&lt;br /&gt;&lt;li&gt;8. &lt;a href="http://www.amazon.com/review/R5KNU6U0ZKIRO/ref=cm_cr_rdp_perm"&gt;Windows System Programming, 4th Ed&lt;/a&gt; by Johnson M. Hart; Addison-Wesley.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;7. &lt;a href="http://www.amazon.com/review/R3H75BCL29CU7W/ref=cm_cr_rdp_perm"&gt;Beginning C, 4th Ed&lt;/a&gt; by Ivor Horton; Apress&lt;/li&gt;&lt;br /&gt;&lt;li&gt;6. &lt;A href="http://www.amazon.com/review/R23F25FAG3DTU9/ref=cm_cr_rdp_perm"&gt;Robust Control System Networks&lt;/a&gt; by Ralph Langner; Momentum Press.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;5. &lt;a href="http://www.amazon.com/review/RBOBCY13SS83S/ref=cm_cr_rdp_perm"&gt;Managed Code Rootkits&lt;/a&gt; by Erez Metula; Syngress.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;4. &lt;a href="http://www.amazon.com/review/R18E6C51U85ASX/ref=cm_cr_rdp_perm"&gt;Ghost in the Wires&lt;/a&gt; by Kevin Mitnick and William L. Simon; Little, Brown and Company.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;3. &lt;a href="http://www.amazon.com/review/R2NHGBJ0E7R37U/ref=cm_cr_rdp_perm"&gt;America the Vulnerable&lt;/a&gt; by Joel Brenner; Penguin Press HC.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;2. &lt;A href="http://www.amazon.com/review/R1ICPIG6Y2GYYB/ref=cm_cr_rdp_perm"&gt;Windows Internals, 5th Ed&lt;/a&gt; by Mark Russinovich, David A. Solomon, and Alex Ionescu; Microsoft Press.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;img src="http://ecx.images-amazon.com/images/I/51ZltNZL2NL._AA200.jpg" align=right&gt;And, the winner of the Best Book Bejtlich Read in 2011 award is... 
&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.amazon.com/review/R3CY2R8A3S9EZF/ref=cm_cr_rdp_perm"&gt;Hacking: The Art of Exploitation, 2nd Ed&lt;/a&gt; by Jon Erickson; No Starch. My review said in part:&lt;br /&gt;&lt;br /&gt;Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader climb each mountain. While the material is sufficiently technical to scare some readers away, those that remain will definitely learn more about the craft.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;Looking at publishers, for the first year I can remember no publisher won more than one title.  No Starch breaks the string of 3 straight previous BBBR victories held by Syngress.&lt;p&gt;Thank you to all publishers who sent me books in 2011. I have plenty more to read in 2012.&lt;p&gt;Congratulations to all the authors who wrote great books in 2011, and who are publishing titles in 2012! 
&lt;p&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8764662679602315693?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8764662679602315693/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8764662679602315693&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8764662679602315693'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8764662679602315693'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2012/01/its-time-to-name-winner-of-best-book.html' title='Best Book Bejtlich Read in 2011'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Z-tqVTd9fPI/R3mSzjL3mfI/AAAAAAAAAQg/n6nqvLYng7U/s72-c/reviews_amazon.jpg' height='72' 
width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3606061486707477361</id><published>2012-01-08T17:10:00.000-05:00</published><updated>2012-01-08T17:10:33.524-05:00</updated><title type='text'>Telling a Security Story with Charts</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-m1pRuK_PXOo/TwoRaEjddaI/AAAAAAAACbs/MFXcO_pgu14/s1600/20111231_FNC175.gif" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="333" width="400" src="http://2.bp.blogspot.com/-m1pRuK_PXOo/TwoRaEjddaI/AAAAAAAACbs/MFXcO_pgu14/s400/20111231_FNC175.gif" /&gt;&lt;/a&gt;&lt;/div&gt;The image at left appeared in the 31 December 2011 edition of The Economist magazine in the article &lt;a href="http://www.economist.com/node/21542155"&gt;Economics focus -- How to get a date: The year when the Chinese economy will truly eclipse America’s is in sight&lt;/a&gt;.  It depicts 15 measurements of the US and Chinese economies, with historical and projected data.  There is a version available at &lt;a href="http://www.economist.com/blogs/dailychart/2010/12/save_date"&gt;this page&lt;/a&gt; with more statistics comparing the two nations.  &lt;P&gt;The Economist presents these charts for the following reason:&lt;P&gt;&lt;i&gt;In the spring of 2011 the Pew Global Attitudes Survey asked thousands of people worldwide which country they thought was the leading economic power. Half of the Chinese polled reckoned that America remains number one, twice as many as said “China”. Americans are no longer sure: 43% of US respondents answered “China”; only 38% thought America was still the top dog. &lt;b&gt;The answer depends on which measure you pick.&lt;/b&gt; &lt;/i&gt; (emphasis added)&lt;p&gt;The reason I like these charts is that they remind me of how many security practitioners think about "being secure." 
Managers often ask security staff "Are we secure?"  The truth is there is no single number, so anyone selling you a single "risk" number is wasting your time (and probably your money).  It would be much more useful to display a chart like the one The Economist created.  The security staff could choose a dozen or more simple metrics to paint a picture, and let the viewer interpret the answer using his or her own emphasis and bias.  Publish how each metric is collected alongside it, though: an incident count, for example, is only as complete as the detection coverage behind it, so a rising count can mean improved visibility rather than worse security.&lt;p&gt;Another reason I like the Economist chart is that the magazine built it using explicitly stated assumptions about future activity, listed in the article.  If you disagree with these assumptions you can visit the second link I posted to devise your own charts.  Although not shown here, what would be even more useful is showing these charts as a time series, with snapshots for January, then February, and so on.  This "small multiples" approach (promoted by Tufte) capitalizes on the skill of the human eye and brain to observe and compare differences among similar objects.&lt;p&gt;If you had to pick a dozen or so indicators of security for a chart, what would you depict?  
The two I consider non-negotiable are 1) incidents per unit time and 2) time to containment for incidents.&lt;p&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3606061486707477361?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3606061486707477361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3606061486707477361&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3606061486707477361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3606061486707477361'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2012/01/telling-security-story-with-charts.html' title='Telling a Security Story with Charts'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-m1pRuK_PXOo/TwoRaEjddaI/AAAAAAAACbs/MFXcO_pgu14/s72-c/20111231_FNC175.gif' height='72' 
width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4470680822517511717</id><published>2012-01-08T16:07:00.002-05:00</published><updated>2012-01-08T16:31:22.905-05:00</updated><title type='text'>Happy 9th Birthday TaoSecurity Blog</title><content type='html'>&lt;img src="http://bp2.blogger.com/_Z-tqVTd9fPI/R4LxIzL3mkI/AAAAAAAAARI/HVSRtmoE4ug/s400/taosecurity_small.png" align=left&gt;Today, 8 January 2012, is the 9th birthday of &lt;a href="http://taosecurity.blogspot.com/"&gt;TaoSecurity Blog&lt;/a&gt;.  I wrote my &lt;a href="http://taosecurity.blogspot.com/2003/01/welcome-to-my-blog-main-new-content.html"&gt;first post&lt;/a&gt; on 8 January 2003 while working as an incident response consultant for Foundstone.  2843 posts later, I am still blogging.  Looking at all 9 years of blogging, I averaged 315 per year, but in the age of Twitter (2009-2011) I averaged only 171 blog posts per year.  &lt;br /&gt;&lt;br /&gt;I plan to continue blogging, but I expect around the same number as last year -- somewhere in the 60 to 100 post range. I spend a lot more time expressing my views to the press and market researchers and analysts, so I'm often less inclined to do more of that in my free time through this blog.  I plan to devote any decent chunks of free time to more traditional writing.  I love to use Twitter for quick commentary.  Thanks for joining me these 9 years -- I hope to have a 10 year post in 2013!&lt;br /&gt;&lt;br /&gt;If you're a security blogger, and you like this blog, please consider voting for me via &lt;a href="http://www.ashimmy.com/2012/01/and-the-nominees-are.html"&gt;the 2012 Social Security Bloggers Awards&lt;/a&gt;.  I'm nominated for "Most Educational Security Blog" and the Hall of Fame.  
Thank you again!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_Z-tqVTd9fPI/R4LzmTL3mlI/AAAAAAAAARQ/4KjhVunRlYw/s1600-h/more_2007_07_17_17_10_kenpo0.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Z-tqVTd9fPI/R4LzmTL3mlI/AAAAAAAAARQ/4KjhVunRlYw/s200/more_2007_07_17_17_10_kenpo0.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5152948762975902290" /&gt;&lt;/a&gt;Don't forget -- today is &lt;a href="http://en.wikipedia.org/wiki/Elvis_presley"&gt;Elvis Presley&lt;/a&gt;'s birthday.  Coincidence?  You decide.  &lt;br /&gt;&lt;br /&gt;The image shows Elvis training with &lt;a href="http://en.wikipedia.org/wiki/Ed_Parker"&gt;Ed Parker&lt;/a&gt;, founder of &lt;a href="http://en.wikipedia.org/wiki/American_Kenpo"&gt;American Kenpo&lt;/a&gt;.  As I like to tell my students, Elvis' stance is so wide it would take him a week to react to an attack.  Then again, he's &lt;b&gt;Elvis&lt;/b&gt;.  
&lt;br /&gt;&lt;br /&gt;I studied Kenpo in San Antonio, TX but I'm going to try Tai Chi again, something I first practiced about 16 years ago in Billerica, MA during grad school.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4470680822517511717?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4470680822517511717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4470680822517511717&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4470680822517511717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4470680822517511717'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2012/01/happy-9th-birthday-taosecurity-blog.html' title='Happy 9th Birthday TaoSecurity Blog'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Z-tqVTd9fPI/R4LxIzL3mkI/AAAAAAAAARI/HVSRtmoE4ug/s72-c/taosecurity_small.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2879193110665395747</id><published>2011-12-06T22:06:00.003-05:00</published><updated>2011-12-06T22:12:40.794-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mandiant'/><title type='text'>Mandiant Webinar Wednesday; Help Us Break a Record!</title><content type='html'>&lt;img src="http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s400/mandiant_logo.png" align=left&gt;I'm back for the last Mandiant Webinar of the year, titled &lt;a href="https://cc.readytalk.com/cc/s/showReg?udc=i8jj0oclzrs5"&gt;State of the Hack: It's The End of The Year As We Know It - 2011&lt;/a&gt;.  And you know what?  We feel fine!  That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011.  &lt;br /&gt;&lt;br /&gt;&lt;a href="https://cc.readytalk.com/cc/s/showReg?udc=i8jj0oclzrs5"&gt;Register now&lt;/a&gt; and help Kris and me beat the attendee count from last month's record-setting Webinar.  
&lt;br /&gt;&lt;br /&gt;If you have questions about and during the Webinar, you can always send them via Twitter to &lt;a href="http://www.twitter.com/mandiant"&gt;@mandiant&lt;/a&gt; and use the hashtag &lt;a href="https://twitter.com/#!/search?q=%23m_soh"&gt;m_soh&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-2879193110665395747?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/2879193110665395747/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=2879193110665395747&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2879193110665395747'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2879193110665395747'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/12/mandiant-webinar-wednesday-help-us.html' title='Mandiant Webinar Wednesday; Help Us Break a Record!'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s72-c/mandiant_logo.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7142337222581948572</id><published>2011-12-06T21:52:00.003-05:00</published><updated>2011-12-06T22:16:15.331-05:00</updated><title type='text'>Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-2v1-zkZPLso/Tt7VBLfG4bI/AAAAAAAACbQ/jK7HSPF_40Q/s1600/state-of-security.jpeg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 286px; height: 400px;" src="http://3.bp.blogspot.com/-2v1-zkZPLso/Tt7VBLfG4bI/AAAAAAAACbQ/jK7HSPF_40Q/s400/state-of-security.jpeg" border="0" alt=""id="BLOGGER_PHOTO_ID_5683213996027994546" /&gt;&lt;/a&gt;I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's &lt;a href="http://www.tripwire.com/state-of-security/it-security-data-protection/top-25-influencers-in-security-you-should-be-following/"&gt;Top 25 Influencers in Security You Should Be Following&lt;/a&gt; today is pretty cool!  Tripwire is one of those technologies and companies that everyone should know.  It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire.  So, I was happy to see my &lt;a href="https://twitter.com/#!/taosecurity"&gt;twitter.com/taosecurity&lt;/a&gt; feed and the &lt;a href="http://taosecurity.blogspot.com/"&gt;taosecurity.blogspot.com&lt;/a&gt; blog make their cut.&lt;br /&gt;&lt;br /&gt;David Spark asked for my "security tip for 2012," which I listed as:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Improve your incident detection and response program by answering two critical questions:&lt;br /&gt;&lt;br /&gt;1. 
How many systems have been compromised in any given time period; and&lt;br /&gt;&lt;br /&gt;2. How much time elapsed between incident identification and containment for each system?&lt;br /&gt;&lt;br /&gt;Use the answers to improve and guide your overall security program.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Those of you on the securitymetrics mailing list, and a few other places, have heard me speaking about this topic.  I'll probably blog about it in the future, but suffice it to say that those are the key issues you should address in 2012 in my opinion.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7142337222581948572?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7142337222581948572/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7142337222581948572&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7142337222581948572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7142337222581948572'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/12/tripwire-names-bejtlich-1-of-top-25.html' title='Tripwire Names Bejtlich #1 of &quot;Top 25 Influencers in Security&quot;'/><author><name>Richard 
Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-2v1-zkZPLso/Tt7VBLfG4bI/AAAAAAAACbQ/jK7HSPF_40Q/s72-c/state-of-security.jpeg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3988941040752374554</id><published>2011-12-05T16:44:00.003-05:00</published><updated>2011-12-05T16:50:15.598-05:00</updated><title type='text'>Become a Hunter</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-zMF0I83R-G0/Tt07vETVmfI/AAAAAAAACbE/b59OQYX2xJU/s1600/become_a_hunter.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 344px;" src="http://1.bp.blogspot.com/-zMF0I83R-G0/Tt07vETVmfI/AAAAAAAACbE/b59OQYX2xJU/s400/become_a_hunter.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5682763984606173682" /&gt;&lt;/a&gt;Earlier this year SearchSecurity and TechTarget published a &lt;a href="http://docs.media.bitpipe.com/io_24x/io_24618/item_370437/informationsecurity_july_aug2011_final.pdf"&gt;July-August 2011 issue&lt;/a&gt; (.pdf) with a focus on targeted threats.  Prior to joining Mandiant as CSO I wrote an article for that issue called "Become a Hunter":&lt;br /&gt;&lt;br /&gt;&lt;i&gt;IT’S NATURAL FOR members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. 
No equation can govern a threat’s behavior, and threats routinely innovate in order to evade and disrupt defensive measures.&lt;br /&gt;&lt;br /&gt;Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider&lt;br /&gt;the “self-defending network” concept to be marketing at best and counter-productive at worst. If technology and engineering aren’t the answer to security’s woes, then what is?&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Download and read my article starting on page 19 for the answer! &lt;a href="http://docs.media.bitpipe.com/io_24x/io_24618/item_370437/informationsecurity_july_aug2011_final.pdf"&gt;July-August 2011 issue&lt;/a&gt; (.pdf)&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3988941040752374554?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3988941040752374554/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3988941040752374554&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3988941040752374554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3988941040752374554'/><link rel='alternate' type='text/html' 
href='http://taosecurity.blogspot.com/2011/12/become-hunter.html' title='Become a Hunter'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-zMF0I83R-G0/Tt07vETVmfI/AAAAAAAACbE/b59OQYX2xJU/s72-c/become_a_hunter.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-9121437364337838087</id><published>2011-11-29T19:34:00.008-05:00</published><updated>2011-11-29T19:59:24.308-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>National Public Radio Talks Chinese Digital Espionage</title><content type='html'>&lt;img src="http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s200/Chinese_draak.jpg" align=left&gt;When an organization like National Public Radio devotes an eleven minute segment to Chinese digital espionage, even the doubters have to realize something is happening.  Rachel Martin's story &lt;a href="http://www.npr.org/2011/11/27/142828055/chinas-cyber-threat-a-high-stakes-spy-game"&gt;China's Cyber Threat A High-Stakes Spy Game&lt;/a&gt; is excellent and well worth your listening (&lt;a href="http://pd.npr.org/anon.npr-mp3/npr/atc/2011/11/20111127_atc_01.mp3?dl=1"&gt;.mp3&lt;/a&gt;) or &lt;a href="http://www.npr.org/templates/transcript/transcript.php?storyId=142828055"&gt;reading&lt;/a&gt; time.  
&lt;br /&gt;&lt;br /&gt;Rachel interviews three sources: Ken Lieberthal of the Brookings Institution, Congressman Mike Rogers (chairman of the House Intelligence Committee), and James Lewis from the Center for Strategic and International Studies.&lt;br /&gt;&lt;br /&gt;If you listen to the report you'll hear James Lewis mention "a famous letter from three Chinese scientists to Deng Xiaoping in March of 1986 that says we're falling behind the Americans. We're never going to catch up unless we make a huge investment in science and technology."&lt;br /&gt;&lt;br /&gt;James is referring to the so-called &lt;a href="http://en.wikipedia.org/wiki/863_Program"&gt;863 Program&lt;/a&gt; (Wikipedia).  You can also read directly from the Chinese government itself &lt;a href="http://www.most.gov.cn/eng/programmes1/200610/t20061009_36225.htm"&gt;here&lt;/a&gt;, e.g.:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;In 1986, to meet the global challenges of new technology revolution and competition, four Chinese scientists, WANG Daheng, WANG Ganchang, YANG Jiachi, and CHEN Fangyun, jointly proposed to accelerate China’s high-tech development. With strategic vision and resolution, the late Chinese leader Mr. DENG Xiaoping personally approved the National High-tech R&amp;D Program, namely the 863 Program. &lt;br /&gt;&lt;br /&gt;Implemented during three successive Five-year Plans, the program has boosted China’s overall high-tech development, R&amp;D capacity, socio-economic development, and national security. &lt;br /&gt;&lt;br /&gt;In April 2001, the Chinese State Council approved continued implementation of the program in the 10th Five-year Plan. As one of the national S&amp;T program trilogy in the 10th Five-year Plan, 863 Program continues to play its important role.&lt;br /&gt;&lt;br /&gt;1. 
Orientation and Objectives&lt;br /&gt;&lt;br /&gt;Objectives of this program during the 10th Five-year Plan period are to boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena; to strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security; and to achieve “leap-frog” development in key high-tech fields in which China enjoys relative advantages or should take strategic positions in order to provide high-tech support to fulfill strategic objectives in the implementation of the third step of our modernization process.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;There's more to read, but that gives you a sense of what the "letter" involves.&lt;br /&gt;&lt;br /&gt;I hope this NPR story helps some of you realize that the China threat is not "hype."  Consider Dr Lieberthal in relation to Chairman Rogers and Jim Lewis.  You can decide to try to refute their positions by saying that the Chairman has "an agenda," and Mr Lewis is essentially too distant from the problem.  I personally think Chairman Rogers is right on the money, but I sometimes question where Mr Lewis gets his information.&lt;br /&gt;&lt;br /&gt;Dr Lieberthal, however, is one of the world's finest minds regarding China (&lt;a href="http://en.wikipedia.org/wiki/Kenneth_Lieberthal"&gt;Wikipedia entry&lt;/a&gt;), and he served in the Clinton administration.  He even wrote a book on how to achieve corporate success in China (&lt;a href="http://www.amazon.com/Managing-China-Challenge-Corporate-Republic/dp/0815722044"&gt;Managing the China Challenge: How to Achieve Corporate Success in the People's Republic&lt;/a&gt;).  He is not a "China hawk" trying to start some kind of "war" with the Chinese, yet he takes the threat seriously enough to discuss the countermeasures he takes when visiting China ten times a year.  
Do those who doubt the China threat still believe it's all "hype"?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-9121437364337838087?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/9121437364337838087/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=9121437364337838087&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/9121437364337838087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/9121437364337838087'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/11/national-public-radio-talks-chinese.html' title='National Public Radio Talks Chinese Digital Espionage'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s72-c/Chinese_draak.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2584667962422566446</id><published>2011-11-26T14:43:00.006-05:00</published><updated>2011-11-26T14:51:51.499-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nsm'/><title type='text'>Dustin Webber Creates Network Security Monitoring with Siri</title><content type='html'>Dustin Webber just posted a really cool video called &lt;a href="http://vimeo.com/32712939"&gt;Network Security Monitoring with Siri&lt;/a&gt;.  He shows how he uses his iPhone 4S and &lt;a href="https://github.com/plamoni/SiriProxy"&gt;SiriProxy&lt;/a&gt; to interact with his &lt;a href="http://snorby.org/"&gt;Snorby&lt;/a&gt; Network Security Monitoring platform.&lt;br /&gt;&lt;br /&gt;The following screenshot shows Dustin asking "Can you show me what the last severity medium event was?" and Siri answering.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-z_sI6bpuz84/TtFCTFVtzcI/AAAAAAAACag/_1k35umx1Bw/s1600/nsm-siri_a1.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 325px;" src="http://1.bp.blogspot.com/-z_sI6bpuz84/TtFCTFVtzcI/AAAAAAAACag/_1k35umx1Bw/s400/nsm-siri_a1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5679393500709113282" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Later he asks Siri to tell him about "incident 15":&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/--ZnuCSAnD5o/TtFCl6sykWI/AAAAAAAACas/ftP6op195OE/s1600/nsm-siri_b1.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 319px;" src="http://1.bp.blogspot.com/--ZnuCSAnD5o/TtFCl6sykWI/AAAAAAAACas/ftP6op195OE/s400/nsm-siri_b1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5679393824270618978" /&gt;&lt;/a&gt;&lt;br 
/&gt;&lt;br /&gt;Near the end Dustin asks Siri if she likes Network Security Monitoring:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-3A76SjNac30/TtFC0kvr6EI/AAAAAAAACa4/U__YYW_Lq0M/s1600/nsm-siri_c1.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 313px;" src="http://1.bp.blogspot.com/-3A76SjNac30/TtFC0kvr6EI/AAAAAAAACa4/U__YYW_Lq0M/s400/nsm-siri_c1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5679394076075223106" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is just about the coolest thing I've seen all year.  Ten years ago I thought it was cool to listen to &lt;a href="http://www.cstr.ed.ac.uk/projects/festival/"&gt;Festival&lt;/a&gt; read Sguil events out loud -- now Dustin shows how to interact with an NSM platform by voice command.  Amazing!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-2584667962422566446?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/2584667962422566446/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=2584667962422566446&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2584667962422566446'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/2584667962422566446'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/11/dustin-webber-creates-network-security.html' title='Dustin Webber Creates Network Security Monitoring with Siri'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-z_sI6bpuz84/TtFCTFVtzcI/AAAAAAAACag/_1k35umx1Bw/s72-c/nsm-siri_a1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2759834544496390368</id><published>2011-11-26T12:26:00.006-05:00</published><updated>2011-11-26T14:37:04.879-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nsm'/><title type='text'>Trying NetworkMiner Professional 1.2</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-bZv4g6ThiZ4/TtEiOd8Ny8I/AAAAAAAACZ8/RAm5Y4hhBnY/s1600/NetworkMiner_logo_200x200.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 100px; height: 100px;" src="http://2.bp.blogspot.com/-bZv4g6ThiZ4/TtEiOd8Ny8I/AAAAAAAACZ8/RAm5Y4hhBnY/s400/NetworkMiner_logo_200x200.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5679358237041609666" /&gt;&lt;/a&gt;Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his &lt;a href="http://www.netresec.com/?page=NetworkMiner"&gt;NetworkMiner&lt;/a&gt; traffic analysis software.  You can download the free edition from &lt;a href="http://sourceforge.net/projects/networkminer/"&gt;SourceForge&lt;/a&gt; as well.  
I first mentioned NetworkMiner on this blog in &lt;a href="http://taosecurity.blogspot.com/2008/09/networkminer.html"&gt;September 2008&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;NetworkMiner is not a protocol analyzer like Wireshark.  It does not take a packet-by-packet approach to representing traffic.  Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext.  To demonstrate a few of these renderings, I asked NetworkMiner to parse the sample pcap from a &lt;a href="http://taosecurity.blogspot.com/2009/02/sample-lab-from-tcpip-weapons-school-20.html"&gt;sample lab from TCP/IP Weapons School 2.0&lt;/a&gt;.  I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory.&lt;br /&gt;&lt;br /&gt;The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-jkTdIpBUSWc/TtE8mfjlYQI/AAAAAAAACaI/51rXA8iQF10/s1600/nm12-a.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 285px;" src="http://2.bp.blogspot.com/-jkTdIpBUSWc/TtE8mfjlYQI/AAAAAAAACaI/51rXA8iQF10/s400/nm12-a.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5679387237094351106" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Notice that in addition to summarizing information about traffic to and from the host, in terms of packets or sessions, we also see what NetworkMiner knows about the host, like Queried NetBIOS names, Web Browser User Agents, and so on.&lt;br /&gt;&lt;br /&gt;The following screen capture shows the Files tab.  
This displays all the content that NetworkMiner extracted from the traffic to the analysis workstation hard drive (or in my case, the NetworkMiner USB thumb drive).&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-AIs0zBnM85w/TtE-gecMO2I/AAAAAAAACaU/9NzwG9egtmE/s1600/nm12-b.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 285px;" src="http://1.bp.blogspot.com/-AIs0zBnM85w/TtE-gecMO2I/AAAAAAAACaU/9NzwG9egtmE/s400/nm12-b.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5679389332738947938" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I think NetworkMiner is pretty cool, especially given what you can do with the free version.  My primary recommendation for improvement would be an interface that allows the user to easily pivot from one piece of information to the next.  With the current environment, the analyst seems confined to the tab at hand.  I would like to see a way to right click on an element of the displayed information and then execute a query based on my selection.  
It would also be helpful to be able to right click and open associated data in another traffic analysis program like Wireshark.&lt;br /&gt;&lt;br /&gt;Thank you to Erik Hjelmvik for the opportunity to take another look at NetworkMiner!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-2759834544496390368?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/2759834544496390368/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=2759834544496390368&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2759834544496390368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2759834544496390368'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/11/trying-networkminer-professional-12.html' title='Trying NetworkMiner Professional 1.2'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/-bZv4g6ThiZ4/TtEiOd8Ny8I/AAAAAAAACZ8/RAm5Y4hhBnY/s72-c/NetworkMiner_logo_200x200.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7973613250098243387</id><published>2011-11-23T19:47:00.005-05:00</published><updated>2011-11-23T20:01:23.393-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><category scheme='http://www.blogger.com/atom/ns#' term='russia'/><title type='text'>Thoughts on 2011 ONCIX Report</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-OH2AfavYAbs/Ts2UKy0xZUI/AAAAAAAACZw/YL1ODgDTzww/s1600/Foreign_Economic_Collection_2011.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 232px; height: 300px;" src="http://4.bp.blogspot.com/-OH2AfavYAbs/Ts2UKy0xZUI/AAAAAAAACZw/YL1ODgDTzww/s400/Foreign_Economic_Collection_2011.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5678357618346779970" /&gt;&lt;/a&gt;Many of you have probably seen coverage of the 2011 &lt;a href="http://www.ncix.gov/publications/reports/fecie_all/index.html"&gt;ONCIX Reports to Congress: Foreign Economic and Industrial Espionage&lt;/a&gt;.  I recommend every security professional read the &lt;a href="http://www.ncix.gov/publications/reports/fecie_all/Foreign_Economic_Collection_2011.pdf"&gt;latest edition&lt;/a&gt; (.pdf).  I'd like to highlight the key findings of the 2011 version:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;Pervasive Threat from Adversaries and Partners&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.&lt;br /&gt;&lt;br /&gt;• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. 
US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.&lt;br /&gt;&lt;br /&gt;• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.&lt;br /&gt;&lt;br /&gt;• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;What's so significant about that section?  &lt;b&gt;The ONCIX is naming names right from the start,&lt;/b&gt; and concentrating squarely on China and Russia. &lt;br /&gt;&lt;br /&gt;Contrast the 2011 approach with the 2008 report.  If you search for "China" in the 2008 edition, you'll see only these sections in the main body of the report:&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;China and Russia accounted for a considerable portion of foreign visits to DOE facilities during FY 2008.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;China continues to be a leading competitor in the race for clean coal technology.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The DNI Open Source Center (OSC) contributes to the CI community’s effort against&lt;br /&gt;China by monitoring foreign-language publications and Web sites for indications of&lt;br /&gt;threats and sharing this information with appropriate agencies, including law&lt;br /&gt;enforcement. &lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;/i&gt;&lt;br /&gt;That's very different from the direct approach taken in 2011.  However, if you check "Appendix B: Selected Arrests and Convictions for Economic Collection and Industrial Espionage Cases in FY 2008," in the 2008 report, you find China listed as the perpetrator of 7 of the 23 cases!  
So, although China has been an active threat for many years, only now is the ONCIX shining the spotlight on that country (along with Russia) as primary threats to US secrets and intellectual property.&lt;br /&gt; &lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7973613250098243387?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7973613250098243387/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7973613250098243387&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7973613250098243387'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7973613250098243387'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/11/thoughts-on-2011-oncix-report.html' title='Thoughts on 2011 ONCIX Report'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/-OH2AfavYAbs/Ts2UKy0xZUI/AAAAAAAACZw/YL1ODgDTzww/s72-c/Foreign_Economic_Collection_2011.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4147420537805751688</id><published>2011-11-23T13:01:00.005-05:00</published><updated>2011-11-23T13:17:24.824-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nsm'/><title type='text'>Tao of Network Security Monitoring, Kindle Edition</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41P6GY1CU8L._BO2,204,203,200_PIsitb-sticker-arrow-click,TopRight,35,-76_AA300_SH20_AA278_PIkin4,BottomRight,-33,22_AA300_SH20_OU01_.jpg" align=left&gt;I just noticed there is now a Kindle edition of my first book, &lt;a href="http://www.amazon.com/dp/B004XIH47M/ref=rdr_kindle_ext_tmb"&gt;The Tao of Network Security Monitoring: Beyond Intrusion Detection&lt;/a&gt;, published in July 2004.  Check out what I wrote in the first paragraphs now available online.&lt;br /&gt;&lt;hr&gt;&lt;br /&gt;Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion -- a real compromise, not a simple Web page defacement -- you'll realize the security principles and systems outlined here are both necessary and relevant. &lt;br /&gt;&lt;br /&gt;This book is about &lt;i&gt;preparation&lt;/i&gt; for compromise, but it's not a book about &lt;i&gt;preventing&lt;/i&gt; compromise. Three words sum up my attitude toward stopping intruders: &lt;i&gt;prevention eventually fails&lt;/i&gt;. Every single network can be compromised, either by an external attacker or by a rogue insider. 
Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision. &lt;br /&gt;&lt;br /&gt;Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail. 
&lt;br /&gt;&lt;hr&gt;&lt;br /&gt;I wrote that eight years ago, and thankfully my concept that "prevention eventually fails" (which I coined in that book) is finally gaining ground.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4147420537805751688?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4147420537805751688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4147420537805751688&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4147420537805751688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4147420537805751688'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/11/tao-of-network-security-monitoring.html' title='Tao of Network Security Monitoring, Kindle Edition'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2751745516768492345</id><published>2011-11-22T19:29:00.006-05:00</published><updated>2011-11-22T19:57:42.962-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fisma'/><category scheme='http://www.blogger.com/atom/ns#' term='controls'/><title type='text'>Why DIARMF, "Continuous Monitoring," and other FISMA-isms Fail</title><content type='html'>&lt;img src="http://3.bp.blogspot.com/_Z-tqVTd9fPI/S9L5AlMQqxI/AAAAAAAAB2M/XqAgXsr82jo/s400/FISMA.jpg" align=left&gt;I've posted about &lt;a href="http://taosecurity.blogspot.com/search/label/fisma"&gt;twenty FISMA stories&lt;/a&gt; over the years on this blog, but I haven't said anything for the last year and a half.  After reading &lt;a href="http://resources.infosecinstitute.com/goodbye-diacap-hello-diarmf/"&gt;Goodbye DIACAP, Hello DIARMF&lt;/a&gt; by Len Marzigliano, however, I thought it time to reiterate why the newly "improved" FISMA is still a colossal failure.&lt;br /&gt;&lt;br /&gt;First, a disclaimer: it's easy to be a cynic and a curmudgeon when the government and security are involved.  However, I think it is important for me to discuss this subject because it represents an incredible divergence between security people.  On one side of the divide we have "input-centric," "&lt;A HREF="http://taosecurity.blogspot.com/search/label/controls"&gt;control-compliant&lt;/a&gt;," "we-can-prevent-the-threat" folks, and on the other side we have "output-centric," "field-assessed," "prevention eventually fails" folks.  
FISMA fans are the former and I am the latter.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-RRI7o-DQyH4/TsxAaLyaV3I/AAAAAAAACZk/zCEAQLu1dMk/s1600/111711_1655_GoodbyeDIAC1.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 291px;" src="http://1.bp.blogspot.com/-RRI7o-DQyH4/TsxAaLyaV3I/AAAAAAAACZk/zCEAQLu1dMk/s400/111711_1655_GoodbyeDIAC1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5677984048792360818" /&gt;&lt;/a&gt;So what's the problem with FISMA?  In his article Len expertly discusses the new DoD Information Assurance Risk Management Framework (DIARMF) in comparison to the older DoD Information Assurance Certification and Accreditation Process (DIACAP).  DIARMF is a result of the "new FISMA" emphasis on "continuous monitoring" which I've discussed before.&lt;br /&gt;&lt;br /&gt;Len writes "DIARMF represents DoD adoption of the NIST Risk Management Framework process" and provides the diagram at left with the caption "The six major steps of Risk Management Framework aligned with the five phases of a System Development Lifecycle (SDLC)."&lt;br /&gt;&lt;br /&gt;Does anything seem to be missing in that diagram?  I immediately key on the "MONITOR Security Controls" box.  As I reminded readers in &lt;A href="http://taosecurity.blogspot.com/2010/04/thoughts-on-new-omb-fisma-memo.html"&gt;Thoughts on New OMB FISMA Memo&lt;/a&gt;, &lt;a href="http://taosecurity.blogspot.com/2009/11/control-monitoring-is-not-threat.html"&gt;control monitoring is not threat monitoring&lt;/a&gt;.  The key to the "new" FISMA and "continuous monitoring" as seen in DIARMF is the following, described by Len:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Equally profound within DIARMF is the increased requirements for Continuous Monitoring activities. 
&lt;b&gt;Each control (and control enhancement) will be attributed with a refresh rate&lt;/b&gt; (daily, weekly, monthly, yearly) and requisite updates on the status of each control will be packaged into a standardized XML format and uploaded into the CyberScope system where analysis, risk management, and correlation activities will be performed on the aggregate data.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Rather than checking on the security posture every three years or whatever insane interval that the old FISMA used, the new FISMA &lt;b&gt;checks security posture more regularly, and centralizes posture reporting.&lt;/b&gt;  &lt;br /&gt;&lt;br /&gt;Wait, isn't that a good idea?  Yes, it's a great idea -- &lt;b&gt;but it's still control monitoring.&lt;/b&gt;  I can't stress this enough; &lt;b&gt;under the new system, a box can be totally owned but appear "green" on the FISMA dashboard because it's compliant with controls.&lt;/b&gt;  Why?  &lt;b&gt;There is no emphasis on threat monitoring -- incident detection and response -- which is the only hope we have against any real adversary.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Think I'm wrong?  Read Len's words on CyberScope:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;CyberScope is akin to a giant federal-wide SEIM system, where high-level incident management teams can quickly pull queries or drill down into system details to add analysis on &lt;b&gt;system defenses and vulnerabilities&lt;/b&gt; to the available intelligence on an attack. CyberScope data will also be used to track trends, make risk management decisions, and determine where help is needed to improve security posture.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;If you're still not accepting the point, consider this football analogy.&lt;br /&gt;&lt;br /&gt;Under the old system, you measured the height, weight, 40 yard dash, and other "combine" results on a player when he joined the team.  You checked again three years later.  
You kept data on all your players but had no idea what the score of the game was.&lt;br /&gt;&lt;br /&gt;Under the new system, you measure the height, weight, 40 yard dash, and other "combine" results on a player when he joins the team.  You check again more regularly -- maybe even every hour, and store the data in a central location with a fancy Web UI.  You keep data on all your players but &lt;b&gt;still have no idea what the score of the game is.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Until DoD, NIST, and the other control-compliant cheerleaders figure out that this approach is a failure, the nation's computers will remain compromised.&lt;br /&gt;&lt;br /&gt;Note: There are other problems with DIARMF -- read the section where Len says "This shakes out to easily over a hundred different possible control sets that can be attributed to systems" to see what I mean.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-2751745516768492345?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/2751745516768492345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=2751745516768492345&amp;isPopup=true' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2751745516768492345'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/2751745516768492345'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/11/why-diarmf-continuous-monitoring-and.html' title='Why DIARMF, &quot;Continuous Monitoring,&quot; and other FISMA-isms Fail'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_Z-tqVTd9fPI/S9L5AlMQqxI/AAAAAAAAB2M/XqAgXsr82jo/s72-c/FISMA.jpg' height='72' width='72'/><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8025207020210946397</id><published>2011-11-19T16:02:00.005-05:00</published><updated>2011-11-19T16:10:28.965-05:00</updated><title type='text'>SEC Guidance Emphasizes Materiality for Cyber Incidents</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-1J1kPudO-Z8/TsgZpRAQ4SI/AAAAAAAACZA/ye4FvqZjY8s/s1600/u_s_sec_logo.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 197px;" src="http://4.bp.blogspot.com/-1J1kPudO-Z8/TsgZpRAQ4SI/AAAAAAAACZA/ye4FvqZjY8s/s200/u_s_sec_logo.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5676815527030350114" /&gt;&lt;/a&gt;Senator Jay Rockefeller and Secretary Michael Chertoff wrote the best article I've seen yet on the &lt;a href="http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm"&gt;CF Disclosure Guidance: Topic No. 
2, Cybersecurity&lt;/a&gt; issued by the SEC last month in their article &lt;a href="http://www.washingtonpost.com/opinions/a-new-line-of-defense-in-cybersecurity-with-help-from-the-sec/2011/11/15/gIQAjBX8VN_story.html"&gt;A new line of defense in cybersecurity, with help from the SEC&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility...&lt;br /&gt;&lt;br /&gt;Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events.&lt;br /&gt;&lt;br /&gt;Federal securities law has long required publicly traded companies to report &lt;b&gt;“material” risks and events&lt;/b&gt; — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor.&lt;/b&gt; It is generally understood that disclosing material breaches — such as the significant loss of a company’s intellectual property — will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. 
And without pressure from investors, corporate officers are less likely to change their risk-management practices.&lt;br /&gt;&lt;br /&gt;The SEC guidance will &lt;b&gt;fundamentally alter this equation&lt;/b&gt; by raising questions that historically have not been asked at many U.S. companies. Businesses will now have to consider, among other things, &lt;b&gt;what constitutes a material cybersecurity breach and how to disclose such events to investors; how the value of intellectual property is measured; whether appropriate defenses are in place around that property; and whether risks are being appropriately mitigated&lt;/b&gt;, through defensive technologies or appropriate insurance coverage. &lt;/i&gt; (emphasis added)&lt;br /&gt;&lt;br /&gt;Make no mistake: this is a big deal.  Until now "disclosure" laws have aimed at &lt;b&gt;protecting consumers&lt;/b&gt; by making their PII the important aspect of a digital incident.&lt;br /&gt;&lt;br /&gt;With the SEC guidance, we have a new audience for "disclosure" -- &lt;b&gt;shareholders&lt;/b&gt;.  The SEC is telling publicly traded companies that they have to disclose material cyber security incidents.  
Now the battle to define materiality will begin.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8025207020210946397?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8025207020210946397/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8025207020210946397&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8025207020210946397'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8025207020210946397'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/11/sec-guidance-emphasizes-materiality-for.html' title='SEC Guidance Emphasizes Materiality for Cyber Incidents'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-1J1kPudO-Z8/TsgZpRAQ4SI/AAAAAAAACZA/ye4FvqZjY8s/s72-c/u_s_sec_logo.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-733101470932477394</id><published>2011-10-26T06:15:00.002-04:00</published><updated>2011-10-26T06:19:52.249-04:00</updated><title type='text'>MANDIANT Webinar Friday</title><content type='html'>&lt;img src="http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s400/mandiant_logo.png" align=left&gt;Join me and Lucas Zaichkowsky on Friday at 2 pm eastern as we talk about what happened at our annual MANDIANT conference, MIRCon!  &lt;a href="https://cc.readytalk.com/cc/s/showReg?udc=x5xfizih23pv"&gt;Registration&lt;/a&gt; is free and I expect you'll enjoy the discussion!  We plan to review what we saw and heard, and how those lessons will help your security program. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-733101470932477394?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/733101470932477394/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=733101470932477394&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/733101470932477394'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/733101470932477394'/><link rel='alternate' type='text/html' 
href='http://taosecurity.blogspot.com/2011/10/mandiant-webinar-friday.html' title='MANDIANT Webinar Friday'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s72-c/mandiant_logo.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7029324846746545716</id><published>2011-10-23T23:02:00.002-04:00</published><updated>2011-10-23T23:07:24.715-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of America the Vulnerable Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41kdfxe%2BJIL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the &lt;a href="http://www.amazon.com/review/R2NHGBJ0E7R37U/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=159420313X&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt; in its entirety below.&lt;br /&gt;&lt;br /&gt;I've added bold in some places to emphasize certain areas.&lt;br /&gt;&lt;br /&gt;&lt;hr&gt;&lt;br /&gt;&lt;br /&gt;America the Vulnerable (ATV) is one of the best "big picture" books I've read in a long while. The author is a former NSA senior counsel and inspector general, and was the National Counterintelligence Executive (NCIX). In these roles he could "watch the fireworks" (not his phrase, but one popular in the intel community) while the nation suffered massive data exfiltration to overseas adversaries. 
ATV explains the problem in terms suitable for those familiar with security issues and those learning about these challenges. By writing ATV, Joel Brenner accurately and succinctly frames the problems facing the US and the West in cyberspace.&lt;br /&gt;&lt;br /&gt;In this review I'd like to highlight some of Mr Brenner's insights and commentary.&lt;br /&gt;&lt;br /&gt;On pp 65-7 he discusses "China's Long View... &lt;b&gt;China had the world's largest economy for eighteen of the past twenty centuries. The two exceptions were those of America's youth and rise to power&lt;/b&gt;.... Like India, China does not regard Western domination as normal, and it does not suffer from an inferiority complex. China's chief national strategic objectives are to lift its population out of poverty and reestablish its place in the international order."&lt;br /&gt;&lt;br /&gt;On pp 68-71 he explains the problem with the binary thinking of Westerners regarding war. &lt;b&gt;China does not see war as a binary issue, where one is either at peace OR at war.&lt;/b&gt; "This kind of ambiguity is difficult for Americans to digest. We are direct and aboveboard, and we like to think others are like us -- or would be if given half a chance... [W]e suffer from a Western misconception in our law, religion, and policy that 'peace' and 'war' are opposites that cannot occur at the same time... Many Americans cling to this view, even though war has not been declared on the planet since 1945, while there have been hundreds of organized, violent, and militarized struggles in the interim."&lt;br /&gt;&lt;br /&gt;On pp 71-3 he reiterates my point that the consequences of digital assault from China are indeed new, as well as the assault itself. "Our companies are under constant, withering attack. After the Google heist, &lt;b&gt;&lt;i&gt;companies&lt;/i&gt; [all emphasis is original] started asking the government for help in defending themselves against &lt;i&gt;nations&lt;/i&gt;. 
This was unprecedented.&lt;/b&gt; We are now in uncharted territory... the boundary between economic security and national security has completely disappeared... While the scope of and intensity of economic espionage have assumed startling proportions, the 'traditional' espionage assault on our national defense establishment dwarfs anything we have ever before experienced."&lt;br /&gt;&lt;br /&gt;On pp 75-77 Mr Brenner describes instances of espionage and consequences. "[Chi Mak] is the first spy (that we know of) through whom we lost critical military secrets and who was not a government employee. He will not be the last. If further proof were required, the case thus illustrates how thoroughly the functional boundary between the private sector and the government has dissolved... In essence, &lt;b&gt;the PRC is leveraging the Pentagon's R&amp;D budget in support of its own war-making capability&lt;/b&gt;."&lt;br /&gt;&lt;br /&gt;Mr Brenner focuses on Chinese espionage in ATV; the following from p 78 is a good summary: "In contrast to the Russians, who are highly professional, the PRC often enlists amateurs from among a huge pool of sympathizers."&lt;br /&gt;&lt;br /&gt;In the middle of the book Mr Brenner concentrates on the China threat by correctly identifying that &lt;b&gt;the Chinese do not want a shooting war with the US&lt;/b&gt;. Rather (quoting Chinese military thinkers on p 118) "the objective in warfare would not be killing or occupying territory, but rather paralyzing the enemy's military and financial computer networks and its telecommunications. How? By taking out the enemy's power system. &lt;b&gt;Control, not bloodshed, would be the goal&lt;/b&gt;... [Continuing on pp 126-7,] The Prussian Carl von Clausewitz, and Mao after him, had called war 'politics by other means.' [Strategists] Qiao and Wang seemed to be saying the reverse: Politics -- and economics and communications and everything else -- was war by other means. 
And while Clausewitz had preached the doctrine of the decisive battle, Qiao and Wang said there would be no more decisive battles."&lt;br /&gt;&lt;br /&gt;Ch 9, "Thinking About Intelligence," is one of my favorite chapters because Mr Brenner examines the role of information and intelligence agencies in the modern world. On p 196 he makes a fascinating point: "To understand the future of the private sector's role in intelligence, we don't need a crystal ball. We can just as well look backward as forward, because we are experiencing a return to a historical norm." He then argues that the private sector is developing intel capabilities rivaling the government, which was the case prior to the creation of national agencies in the 20th century. On p 209 he recommends the following: "[T]he best way to run an intelligence agency is to focus tightly on the parts of the business that are really secret and separate them from the rest. You spend more money on open-source collection and analysis, and let them happen in controlled but unclassified space. You beef up counterintelligence. And you pay much more attention to the electronic handling and dissemination of information."&lt;br /&gt;&lt;br /&gt;In the final chapter he offers some recommendations for improvement. I liked this statement on p 216: "If you wait for the incoming danger to reach you, you won't be able to defend against it. CYBERCOM solves this problem by letting the general in charge of defending national security networks use offensive tools outside his networks in order to know what's coming. To be blunt, espionage is an essential aspect of defense. 
&lt;b&gt;To know what's coming, we must be living inside our adversaries' networks before they launch attacks against us.&lt;/b&gt;" Note that this is the traditional role of espionage, a model which the Chinese shatter by &lt;b&gt;living inside our companies' networks, solely to steal our intellectual property&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;I only found one small typo on p 194: The Yom Kippur War happened in 1973, not 2003.&lt;br /&gt;&lt;br /&gt;Overall, I really enjoyed ATV. While I don't think the suggestions for improvement in the last chapter are sufficient to mitigate the threat, several of them are a good start. I highly recommend reading ATV at your earliest opportunity! &lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7029324846746545716?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7029324846746545716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7029324846746545716&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7029324846746545716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7029324846746545716'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/review-of-america-vulnerable-posted.html' title='Review of America the Vulnerable 
Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7686530398624129159</id><published>2011-10-13T21:38:00.003-04:00</published><updated>2011-10-13T21:49:08.002-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Republican Presidential Candidates on China</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-tGvg-q0Nocg/TpeSxllbvkI/AAAAAAAACXY/ZE1oVQxnCME/s1600/huntsman-perry-romney.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://3.bp.blogspot.com/-tGvg-q0Nocg/TpeSxllbvkI/AAAAAAAACXY/ZE1oVQxnCME/s400/huntsman-perry-romney.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5663156437042052674" /&gt;&lt;/a&gt;(Photo: &lt;a href="http://articles.businessinsider.com/2011-08-18/politics/30049597_1_global-warming-governor-romney-mitt-romney"&gt;Business Insider&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;This is not a political blog, so I'm not here to endorse candidates.  However, I do want to point out another example of high-level policymakers discussing ongoing activities by China against the US and other developed economies.&lt;br /&gt;&lt;br /&gt;First, the &lt;a href="http://www.washingtonpost.com/opinions/romney-china-must-respect-the-free-trade-system/2011/10/13/gIQAiffViL_story.html?hpid=z3"&gt;Washington Post&lt;/a&gt; published an editorial by Mitt Romney which included the following:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;China seeks advantage through systematic exploitation of other economies. 
&lt;b&gt;It misappropriates intellectual property by coercing “technology transfers” as a condition of market access; enables theft of intellectual property, including patents, designs and know-how; hacks into foreign commercial and government computers&lt;/b&gt;...&lt;br /&gt;&lt;br /&gt;The result is that China sells high-quality products to the United States at low prices. But too often &lt;b&gt;the source of that high quality is American innovations stolen by Chinese companies.&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I missed &lt;a href="http://www.washingtonpost.com/politics/perry-welcomed-chinese-firm-despite-security-concern/2011/08/10/gIQAAu80EJ_story.html"&gt;this&lt;/a&gt; in August, but former ambassador to China Jon Huntsman said the following during a debate:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Huntsman Jr. pointed to China as a culprit in what he described as &lt;b&gt;“the new war field” — cyber-intrusion as a way to steal corporate and government secrets.&lt;/b&gt; “Not only have government institutions been hacked into, but private individuals have been hacked, too. &lt;b&gt;It’s gone beyond the pale&lt;/b&gt;,” Huntsman said.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The third candidate in the photo, Rick Perry, is also involved in the China debate.  He's currently defending Texas' relationship with Huawei.&lt;br /&gt;&lt;br /&gt;I'm going to be fairly strict regarding comment publishing for this post, so please be civil, nonpolitical, and relevant.  
Again, my point is to show that Chinese cyber campaigns are now a hot topic in political campaigns.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7686530398624129159?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7686530398624129159/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7686530398624129159&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7686530398624129159'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7686530398624129159'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/republican-presidential-candidates-on.html' title='Republican Presidential Candidates on China'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-tGvg-q0Nocg/TpeSxllbvkI/AAAAAAAACXY/ZE1oVQxnCME/s72-c/huntsman-perry-romney.jpg' height='72' 
width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-95304858161172018</id><published>2011-10-11T22:49:00.003-04:00</published><updated>2011-10-11T22:58:19.108-04:00</updated><title type='text'>Bejtlich in "The expanding cyber industrial complex"</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-t2UJfTiVGCs/TpUAVgD0SeI/AAAAAAAACXM/XYZlbZgvQkg/s1600/bejtlich-ft3.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 147px;" src="http://2.bp.blogspot.com/-t2UJfTiVGCs/TpUAVgD0SeI/AAAAAAAACXM/XYZlbZgvQkg/s400/bejtlich-ft3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5662432475871463906" /&gt;&lt;/a&gt;Christopher Booker interviewed me and several other policy-oriented security people for his video Financial Times story &lt;a href="http://video.ft.com/v/1211220751001/The-expanding-cyber-industrial-complex"&gt;The expanding cyber industrial complex&lt;/a&gt;.  This was a different experience for me for two reasons.  First, Christopher conducted the interviews via Skype.  Second, you can see what appear to be the home offices of several of the contributors, including me.&lt;br /&gt;&lt;br /&gt;One technical note on the video: I had some trouble getting it to play.  
To get it working I selected another video then went back to this one.&lt;br /&gt;&lt;br /&gt;Thank you again to Christopher Booker for the opportunity to offer my opinions.&lt;br /&gt;&lt;br /&gt;(Bonus points to anyone who can identify the box on the shelf over my right shoulder, on the lower left side of the photo.)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-95304858161172018?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/95304858161172018/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=95304858161172018&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/95304858161172018'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/95304858161172018'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/bejtlich-in-expanding-cyber-industrial.html' title='Bejtlich in &quot;The expanding cyber industrial complex&quot;'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-t2UJfTiVGCs/TpUAVgD0SeI/AAAAAAAACXM/XYZlbZgvQkg/s72-c/bejtlich-ft3.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-1340294620955209419</id><published>2011-10-11T22:38:00.002-04:00</published><updated>2011-10-11T22:48:04.145-04:00</updated><title type='text'>Computer Incident Response Team Organizational Survey, 2011</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-QIohGuJCo_o/TpT-Q6_CU9I/AAAAAAAACXA/5PWakKeBpj8/s1600/cirt-survey.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 71px;" src="http://4.bp.blogspot.com/-QIohGuJCo_o/TpT-Q6_CU9I/AAAAAAAACXA/5PWakKeBpj8/s400/cirt-survey.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5662430198176568274" /&gt;&lt;/a&gt;Today at MIRCon I mentioned that one of my colleagues, Jeff Yeutter, had updated the somewhat famous CERT/CC study of CIRT characteristics as part of his degree program.  Jeff posted the survey online as &lt;a href="https://www.zoomerang.com/Survey/WEB22DC3EMSH5X"&gt;Computer Incident Response Team Organizational Survey, 2011&lt;/a&gt; with this description:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;In 2003, the CERT CSIRT Development Team (www.CERT.org) released a study on the state of international computer security incident response teams with the goal of providing "better insight into various CSIRT organizational structures and best practices" for new and existing members of the CSIRT community (Killcrece, Kossakowski, Ruefle, &amp; Zajicek, 2003). 
The attached survey, a modified form of the original, will be used to update the 2003 study with a greater focus on the methods of organization used by American and international CIRTs, the tools that they employ, and how these vary across organizations of different sizes and industries.&lt;br /&gt;&lt;br /&gt;This research is being conducted, and is independently funded, by Jeff Yeutter, Technical Sales Executive at Mandiant, as the final project for his Master's in Information Systems with a concentration in Computer Security Management at Strayer University. This survey will also be distributed to members of the Forum of Incident Response and Security Teams (www.FIRST.org) with the assistance of Richard Bejtlich, Chief Security Officer and VP, MCIRT, at Mandiant.&lt;br /&gt;&lt;br /&gt;No identifying information is required to complete this survey. Participants may include such information if they are interested in immediately being notified of the results of the study once it is complete, or if they would like to make themselves available for follow-up questions. Any and all identifying personal or professional identifying information offered by participants will be held in strict confidence. The results of this study, minus any identifying information, may be included in a future, cost-free whitepaper.&lt;br /&gt;&lt;br /&gt;The original CERT study from 2003 can be found at: www.cert.org/archive/pdf/03tr001.pdf&lt;br /&gt;&lt;br /&gt;The time to complete this survey is approximately 10-15 minutes.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;If you're a CIRT member and want to contribute, please consider completing the survey at &lt;a href="https://www.zoomerang.com/Survey/WEB22DC3EMSH5X"&gt;Computer Incident Response Team Organizational Survey, 2011&lt;/a&gt;.  
Thank you!&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-1340294620955209419?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/1340294620955209419/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=1340294620955209419&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1340294620955209419'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1340294620955209419'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/computer-incident-response-team.html' title='Computer Incident Response Team Organizational Survey, 2011'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-QIohGuJCo_o/TpT-Q6_CU9I/AAAAAAAACXA/5PWakKeBpj8/s72-c/cirt-survey.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7197352935547907038</id><published>2011-10-07T23:36:00.004-04:00</published><updated>2011-10-07T23:44:18.645-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><category scheme='http://www.blogger.com/atom/ns#' term='wisdom'/><title type='text'>Interview with One of My Three Wise Men</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-V1QFzaPyPcc/To_FPXKI4WI/AAAAAAAACW4/OhTjUaPWgfo/s1600/sager.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 353px;" src="http://3.bp.blogspot.com/-V1QFzaPyPcc/To_FPXKI4WI/AAAAAAAACW4/OhTjUaPWgfo/s400/sager.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5660960124333252962" /&gt;&lt;/a&gt;Tony Sager from the NSA is one of my Three Wise Men.  (Dan Geer and Ross Anderson are the other two.)  Eric Parizo from SearchSecurity.com &lt;a href="http://searchsecurity.techtarget.com/video/NSAs-Sager-on-trends-of-2011-security-breaches-advanced-persistent-threat-hype#content"&gt;interviewed&lt;/a&gt; Tony this week and posted the video online.  &lt;br /&gt;&lt;br /&gt;Tony notes that the escalation in threat activity during the last few years is real.  He is in a position to know, given he has worked at NSA since the 1970s.  Tony says the threat activity is getting people's attention now, especially at more senior levels of the government and industry.  Now targeted organizations are thinking beyond the question "does this affect my company" to "does this affect my industry?"&lt;br /&gt;&lt;br /&gt;Tony explains that a generational effect may account for the change in awareness.  More senior leaders grew up with technology, so they know how to think about it.  
There is also more public reporting on serious security incidents today.&lt;br /&gt;&lt;br /&gt;My favorite quote was:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;i&gt;"If you're not a little concerned, you haven't been paying attention."&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Since Tony is Mr Reasonable, I think that's a significant statement!&lt;br /&gt;&lt;br /&gt;Eric asked Tony for his opinion on APT, and he replied that APT isn't that useful a concept for his line of work.  That's possibly because his agency uses the original intrusion set names to manage threat intelligence, rather than an unclassified, "umbrella" term for discussing threat actors in private industry.  Tony did explain that the "advanced" aspect for him means conducting operations in multiple "domains," e.g., escalating to physical, non-digital attacks when necessary.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7197352935547907038?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7197352935547907038/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7197352935547907038&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7197352935547907038'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7197352935547907038'/><link rel='alternate' 
type='text/html' href='http://taosecurity.blogspot.com/2011/10/interview-with-one-of-my-three-wise-men.html' title='Interview with One of My Three Wise Men'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-V1QFzaPyPcc/To_FPXKI4WI/AAAAAAAACW4/OhTjUaPWgfo/s72-c/sager.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-446366227498818955</id><published>2011-10-07T07:27:00.004-04:00</published><updated>2011-10-07T07:35:37.137-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Russia v China -- Sound Familiar?</title><content type='html'>&lt;img src="http://3.bp.blogspot.com/_Z-tqVTd9fPI/RtOgpgkH1aI/AAAAAAAAAFY/OSGys4PungQ/s200/images.jpeg" align=left&gt;Thanks to a source who wishes to remain anonymous, I read &lt;a href="http://english.ruvr.ru/2011/10/07/58323601.html"&gt;Chinese spy mania sweeps the world&lt;/a&gt;, an article not from a Western publication.  Rather, it's from &lt;a href="http://english.ruvr.ru/"&gt;Voice of Russia&lt;/a&gt;.  Does any of this sound familiar?&lt;br /&gt;&lt;br /&gt;&lt;i&gt;[T]his is the &lt;b&gt;most powerful secret service&lt;/b&gt; based on the principle of attracting all ethnic Chinese, wherever they may live. 
An adherent of the “total espionage” strategy, Beijing even encourages emigration in the hope that its citizens will remain loyal to and useful for their historical homeland after moving to another country...&lt;br /&gt;&lt;br /&gt;"The history of China’s espionage activities on Russian armaments is not only limited to one precedent or one type of weapons. One of the top Chinese priorities is to &lt;b&gt;produce complete replicas of Russia’s best machines and weapons&lt;/b&gt;, from the Sukhoi Su-33 fighter jet to missiles, aircraft carriers and so on. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;This is a truly purpose-oriented strategy of a large country - snatch anything you can and reproduce it domestically&lt;/b&gt;,"  ["IT expert"] Andrei Masalovich points out.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Cynics will point out that perhaps this article is trying to deflect attention from Russia's own espionage activities.  However, you can't deny that even the Russians have issues with Chinese operations.&lt;br /&gt;&lt;br /&gt;For an example of the sorts of problems Russia is having, see this ABC News story &lt;a href="http://abcnews.go.com/Blotter/china-espionage-spotlight/story?id=14674961"&gt;China Still Spies the Old Fashioned Way, Russia Says&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Russia's secretive spy agency, the Federal Security Service (FSB), issued a rare statement Wednesday claiming the state had arrested a Chinese citizen who, posing as a translator for official delegations, was working under the direction of the Chinese government in an attempt to buy state secrets from Russians about Russia's S-300 missile system.&lt;/i&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity 
(taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-446366227498818955?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/446366227498818955/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=446366227498818955&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/446366227498818955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/446366227498818955'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/russia-v-china-sound-familiar.html' title='Russia v China -- Sound Familiar?'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_Z-tqVTd9fPI/RtOgpgkH1aI/AAAAAAAAAFY/OSGys4PungQ/s72-c/images.jpeg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4764095668418679214</id><published>2011-10-06T22:49:00.006-04:00</published><updated>2011-10-07T07:00:17.927-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>It's All About the Engines</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-yZCXrEYe5mM/To5pMPhlPgI/AAAAAAAACWo/sKN9iRW3TP4/s1600/AL-31FNmod.jpg"&gt;&lt;img 
style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 266px;" src="http://2.bp.blogspot.com/-yZCXrEYe5mM/To5pMPhlPgI/AAAAAAAACWo/sKN9iRW3TP4/s400/AL-31FNmod.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5660577440698023426" /&gt;&lt;/a&gt;(Photo credit: &lt;A href="http://www.ainonline.com/sites/ainonline.com/files/uploads/AL-31FNmod.jpg"&gt;AINOnline&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;I just read &lt;a href="http://china-defense.blogspot.com/2011/10/big-new-chinese-order-for-russian.html"&gt;Big New Chinese Order for Russian Fighter Engines&lt;/a&gt; at &lt;a href="http://china-defense.blogspot.com/"&gt;China Defense Blog&lt;/a&gt;, which quoted &lt;a href="http://www.ainonline.com/?q=aviation-news/ain-defense-perspective/2011-10-03/big-new-chinese-order-russian-fighter-engines"&gt;AINOnline&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;China has placed additional orders for Russian AL-31-series fighter engines. State arms trade agency Rosoboronexport clinched two big contracts earlier this year...&lt;br /&gt;&lt;br /&gt;To serve them, Salut has established partnerships with Limin Corp. and Tyan Li company in Chengdu on deliveries and manufacturing of spare parts for both the AL-31F and the AL-31FN. 
Russia has also agreed to provide all necessary maintenance and repair documentation to the Chinese partners.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;To see how China treats or will treat Western aircraft and aircraft engine makers, look no further than Russia.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-ohe6tLM_F_Y/To5qS-dZaNI/AAAAAAAACWw/Sh5KQM4k31w/s1600/J-20%2B6.1.11%2B-%2Bexaust%2Bcomparison2.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 372px;" src="http://1.bp.blogspot.com/-ohe6tLM_F_Y/To5qS-dZaNI/AAAAAAAACWw/Sh5KQM4k31w/s400/J-20%2B6.1.11%2B-%2Bexaust%2Bcomparison2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5660578655887780050" /&gt;&lt;/a&gt;The comments in the CDB post pointed me to this engine comparison for the J-20, which I sometimes mention in my classes. Essentially the Chinese appear to be testing two engines on the J-20, because they are not sure if they will use a Russian-made engine (or copy) or an "indigenous" engine (which is probably a copy of someone else's technology).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4764095668418679214?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4764095668418679214/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4764095668418679214&amp;isPopup=true' 
title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4764095668418679214'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4764095668418679214'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/its-all-about-engines.html' title='It&apos;s All About the Engines'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-yZCXrEYe5mM/To5pMPhlPgI/AAAAAAAACWo/sKN9iRW3TP4/s72-c/AL-31FNmod.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8150185450784621435</id><published>2011-10-06T10:24:00.003-04:00</published><updated>2011-10-06T10:29:33.150-04:00</updated><title type='text'>House Cybersecurity Task Force Report Released</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-Q-0X69skA9k/To26KkjRhQI/AAAAAAAACWg/_eaCvQCsP60/s1600/house-rep-report.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 142px;" src="http://3.bp.blogspot.com/-Q-0X69skA9k/To26KkjRhQI/AAAAAAAACWg/_eaCvQCsP60/s400/house-rep-report.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5660384997447664898" /&gt;&lt;/a&gt;The &lt;a href="http://thornberry.house.gov/News/DocumentSingle.aspx?DocumentID=263044"&gt;House Cybersecurity Task Force&lt;/a&gt; released its &lt;a href="http://thornberry.house.gov/UploadedFiles/CSTF_Final_Recommendations.pdf"&gt;report&lt;/a&gt; (.pdf) today. 
NextGov offers a good summary in their story &lt;a href="http://cybersecurityreport.nextgov.com/2011/10/house_republican_task_force_recommendations_tout_industry_leadership.php"&gt;House GOP Cyber Task Force Touts Industry Leadership&lt;/a&gt; by Jessica Herrera-Flanigan.&lt;br /&gt;&lt;br /&gt;The report includes the following recommendation:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Companies, including Internet Service Providers (ISPs) and security and software vendors, are already conducting active operations to mitigate cybersecurity attacks. However, these are largely done independently according to their individual business interests and priorities. Congress should facilitate an organization outside of government to act as a clearing house of information and intelligence sharing between the government and critical infrastructure to improve security and disseminate real-time information designed to help target and defeat malicious cyber activity.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I would like something bolder, like the &lt;a href="http://taosecurity.blogspot.com/2006/08/national-digital-security-board.html"&gt;National Digital Security Board&lt;/a&gt; I proposed in 2006.  
Still, such a "clearing house" could evolve into an organization with the authority to investigate incidents, or at least contract an organization to conduct investigations, and then publish anonymized lessons and results.&lt;br /&gt;&lt;br /&gt;I would find leading that organization to be a great challenge!&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8150185450784621435?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8150185450784621435/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8150185450784621435&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8150185450784621435'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8150185450784621435'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/house-cybersecurity-task-force-report.html' title='House Cybersecurity Task Force Report Released'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-Q-0X69skA9k/To26KkjRhQI/AAAAAAAACWg/_eaCvQCsP60/s72-c/house-rep-report.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8776628977959670075</id><published>2011-10-06T09:41:00.003-04:00</published><updated>2011-10-06T09:52:49.868-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>C-SPAN Posts Video of Tuesday Hearing</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-ay91FFNM2vo/To2wKShN0bI/AAAAAAAACWY/o6WzR6nDDEY/s1600/mandia-cspan.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 390px; height: 400px;" src="http://2.bp.blogspot.com/-ay91FFNM2vo/To2wKShN0bI/AAAAAAAACWY/o6WzR6nDDEY/s400/mandia-cspan.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5660373997490917810" /&gt;&lt;/a&gt;You can now access video of Tuesday's House Select Committee on Intelligence Hearing on Cybersecurity at &lt;a href="http://www.c-span.org/Events/C-SPAN-Event/10737424548/"&gt;C-SPAN&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Some people are already asking "what's new" about this.  For me, what's new is that the chairman of the HPSCI is pointing his finger straight at the threat, and letting the world know in an open hearing that the adversary's actions are unacceptable and will not be tolerated.  This is exactly the sort of attention and action that the threat deserves and I applaud the Chairman and HPSCI for pursuing this course.&lt;br /&gt;&lt;br /&gt;Remember that the HPSCI is more likely to hold closed hearings than open hearings due to the nature of its classified intelligence oversight work.  
By conducting an open hearing, Chairman Rogers wanted to send a clear message to victims, the public, and the adversary.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8776628977959670075?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8776628977959670075/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8776628977959670075&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8776628977959670075'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8776628977959670075'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/c-span-posts-video-of-tuesday-hearing.html' title='C-SPAN Posts Video of Tuesday Hearing'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-ay91FFNM2vo/To2wKShN0bI/AAAAAAAACWY/o6WzR6nDDEY/s72-c/mandia-cspan.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7992892328354351329</id><published>2011-10-04T20:51:00.005-04:00</published><updated>2011-10-04T21:52:53.583-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='threats'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Inside a Congressional Hearing on Digital Threats</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-sl-fIjTQ1V4/TouqE9Qtq_I/AAAAAAAACWE/i-zsA7uT4Rs/s1600/hpsci_04oct11a.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 268px;" src="http://2.bp.blogspot.com/-sl-fIjTQ1V4/TouqE9Qtq_I/AAAAAAAACWE/i-zsA7uT4Rs/s400/hpsci_04oct11a.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5659804358862023666" /&gt;&lt;/a&gt;Today I was fortunate to attend a hearing of the &lt;a href="http://intelligence.house.gov/"&gt;US House Permanent Select Committee on Intelligence&lt;/a&gt; (HPSCI).  That's me on the far left of the photo, seated behind our &lt;a href="http://www.mandiant.com/"&gt;MANDIANT&lt;/a&gt; CEO Kevin Mandia.  I'd like to share a few thoughts on the experience.&lt;br /&gt;&lt;br /&gt;First, I was impressed by the attitudes of all those involved with HPSCI, from the staffers to the Representatives themselves.  They were all courteous and wanted to hear the opinions of Kevin and the other two witnesses (Art Coviello from RSA and Michael Hayden from the Chertoff Group), whether before, during, or after the hearing.&lt;br /&gt;&lt;br /&gt;Second, I thought Reps Mike Rogers (R-MI, HPSCI Chairman) and C.A. Dutch Ruppersberger (D-MD, HPSCI Ranking Member) offered compelling opening statements.  Rep Rogers squarely pointed the finger at our overseas adversaries.  
As reported by PCWorld in &lt;a href="http://www.pcworld.com/article/241094/us_lawmakers_point_to_china_as_cause_of_cyberattacks.html"&gt;U.S. Lawmakers Point to China as Cause of Cyberattacks&lt;/a&gt;, Rep Rogers said:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"I don't believe that there is a precedent in history for such a massive and sustained intelligence effort by a government to blatantly steal commercial data and intellectual property...&lt;br /&gt;&lt;br /&gt;China's economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy."&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;You can watch all of Rep Rogers' statement on YouTube as &lt;a href="http://www.youtube.com/watch?v=c2JfA8Vgahs"&gt;Rep. Mike Rogers criticizes Chinese economic cyber-espionage&lt;/a&gt; (currently 21 views -- let's increase that!)&lt;br /&gt;&lt;br /&gt;General Hayden reinforced Rep Rogers' sentiment with this quote:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"As a professional intelligence officer, I step back in awe of the breadth, the depth, the sophistication, the persistence of the Chinese espionage effort against the United States of America."&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-M34iGKC5AWQ/TouupnWFBnI/AAAAAAAACWM/4ZQ7NlZLY9Y/s1600/hpsci-2.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 291px;" src="http://1.bp.blogspot.com/-M34iGKC5AWQ/TouupnWFBnI/AAAAAAAACWM/4ZQ7NlZLY9Y/s400/hpsci-2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5659809386680616562" /&gt;&lt;/a&gt;Third, I was very pleased that this hearing was conducted in an open forum, and not behind closed doors.  
While I haven't found the whole hearing online or on TV yet (aside from Rep Rogers' statement and that of &lt;a href="http://www.youtube.com/watch?v=oC5BmFSGXsI"&gt;Rep Myrick (R-NC)&lt;/a&gt;), I encourage as much discussion as possible about this issue.  &lt;br /&gt;&lt;br /&gt;One of General Hayden's points was that we are not having a debate about how to address digital threats &lt;b&gt;because no one agrees what the facts are.&lt;/b&gt;  If you work counter-intrusion operations every day, or participate in the intelligence community, you know what's happening.  Outside that world, you likely think "APT" and the like are false concepts.  We can really only build a national approach to countering the threat if enough people know what is happening.  &lt;br /&gt;&lt;br /&gt;As more information becomes available I will likely publish it via my &lt;a href="http://www.twitter.com/taosecurity"&gt;@taosecurity&lt;/a&gt; Twitter account.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7992892328354351329?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7992892328354351329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7992892328354351329&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7992892328354351329'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/7992892328354351329'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/10/inside-congressional-hearing-on-digital.html' title='Inside a Congressional Hearing on Digital Threats'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-sl-fIjTQ1V4/TouqE9Qtq_I/AAAAAAAACWE/i-zsA7uT4Rs/s72-c/hpsci_04oct11a.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5601959821860243856</id><published>2011-09-28T23:47:00.003-04:00</published><updated>2011-09-28T23:51:47.887-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Chinese Espionage in Five Minutes</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-pfL6bpIF8bQ/ToPqZ7vXhaI/AAAAAAAACV8/T9HwNH2Jr5k/s1600/defensenews_tigertrap.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 307px;" src="http://4.bp.blogspot.com/-pfL6bpIF8bQ/ToPqZ7vXhaI/AAAAAAAACV8/T9HwNH2Jr5k/s400/defensenews_tigertrap.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5657623288161469858" /&gt;&lt;/a&gt;This evening I watched last week's episode of This Week in Defense News with Vago Muradian.  Vago's last guest was David Wise, author of &lt;a href="http://taosecurity.blogspot.com/2011/09/impressions-tiger-trap.html"&gt;Tiger Trap&lt;/a&gt;.  
If you want to learn as much as possible about Chinese espionage in a five minute interview, I recommend watching &lt;a href="http://www.defensenewstv.com/video.php#/Segments/History+of+China+spying+on+U.S./57636759001/52684858001/1151883555001"&gt;History of China spying on U.S.&lt;/a&gt;.  I hope this book encourages attention at the highest levels of the US government and industry.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5601959821860243856?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5601959821860243856/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5601959821860243856&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5601959821860243856'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5601959821860243856'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/chinese-espionage-in-five-minutes.html' title='Chinese Espionage in Five Minutes'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-pfL6bpIF8bQ/ToPqZ7vXhaI/AAAAAAAACV8/T9HwNH2Jr5k/s72-c/defensenews_tigertrap.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5048544796714888574</id><published>2011-09-25T22:11:00.001-04:00</published><updated>2011-09-25T22:31:54.437-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Robust Control System Networks Posted</title><content type='html'>&lt;img src="http://lh5.googleusercontent.com/-StfyVt_-Zhk/Tn_DLa7wa0I/AAAAAAAACV0/XQCbA8fiaGg/9781606503003.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of &lt;a href="http://www.momentumpress.net/books/robust-control-system-networks-how-achieve-reliable-control-after-stuxnet"&gt;Robust Control System Networks&lt;/a&gt; by &lt;a href="http://www.langner.com/en/"&gt;Ralph Langner&lt;/a&gt;.  From the &lt;a href="http://www.amazon.com/review/R23F25FAG3DTU9/ref=cm_cr_rdp_perm"&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I am not an industrial control systems expert, but I have plenty of experience with IT security. I read Robust Control System Networks (RCSN) to learn how an ICS expert like Ralph Langner thinks about security in his arena. I was not disappointed, and you won't be if you keep an open mind and remember IT security folks aren't the target audience. 
After reading RCSN I have a greater appreciation for the problems affecting the ICS world and how that community should address the fragility of its environment.&lt;/i&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5048544796714888574?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5048544796714888574/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5048544796714888574&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5048544796714888574'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5048544796714888574'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/review-of-robust-control-system.html' title='Review of Robust Control System Networks Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh5.googleusercontent.com/-StfyVt_-Zhk/Tn_DLa7wa0I/AAAAAAAACV0/XQCbA8fiaGg/s72-c/9781606503003.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6656819717391705999</id><published>2011-09-25T20:46:00.002-04:00</published><updated>2011-09-25T20:51:54.530-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: The Art of Software Security Testing</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/410MbA2t-9L._AA200.jpg" align=left&gt;I'll be honest -- on the same trip on which I took &lt;a href="http://taosecurity.blogspot.com/2011/09/impressions-art-of-software-security.html"&gt;The Art of Software Security Assessment&lt;/a&gt;, I took &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0321304861/"&gt;The Art of Software Security Testing&lt;/a&gt; (TAOSST) by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin.  After working with TAOSSA, I'm afraid TAOSST didn't have much of a chance.  &lt;br /&gt;&lt;br /&gt;TAOSST is a much shorter book, with more screen captures and less content.  
My impression of TAOSST is that it is a good introduction to "identifying software security flaws" (as indicated by the subtitle), but if you want to truly learn how to accomplish that task you should read TAOSSA.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6656819717391705999?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6656819717391705999/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6656819717391705999&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6656819717391705999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6656819717391705999'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/impressions-art-of-software-security_25.html' title='Impressions: The Art of Software Security Testing'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5184419835393221463</id><published>2011-09-25T20:33:00.002-04:00</published><updated>2012-01-09T21:06:25.964-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: The Art of Software Security Assessment</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/21DdRqjCwUL._AA200.jpg" align=left&gt;I recently took &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0321444426/"&gt;The Art of Software Security Assessment&lt;/a&gt; (TAOSSA) with me on a flight across the US and part of the Pacific.  This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before.  If I had read the whole book I would have written a five star review.  However, since I only read certain parts of interest to me, I'm sharing these impressions of the book.&lt;br /&gt;&lt;br /&gt;One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers.  These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters.  &lt;br /&gt;&lt;br /&gt;In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities.  For example, pages 250-3 show the progression of problems with the Antisniff tool.  We read about trouble with versions 1.0, 1.1, 1.1.1, and 1.1.2, each trying to fix a bug caused by the previous change.  &lt;br /&gt;&lt;br /&gt;Another amazing aspect of TAOSSA is its coverage of subtle differences between different Unix-like systems, e.g. FreeBSD, NetBSD, OpenBSD, Solaris, and Linux.  
I really appreciated such careful attention to detail.&lt;br /&gt;&lt;br /&gt;Probably the strongest aspect of TAOSSA was the overall methodology, which I define as 1) show how the technology works; 2) show vulnerabilities in code; 3) show how to fix the code (usually all with real examples).&lt;br /&gt;&lt;br /&gt;My only criticism is more philosophical, because the authors recycle the flawed Microsoft "threat modeling" paradigm.  This approach results in weird sentences like "threat identification is the process of determining an application's security exposure based on your knowledge of the system" (p 59).  Fortunately the authors use the proper term "attack trees" rather than "threat trees," presumably because they recognize that Bruce Schneier was right when he promoted the "attack tree" approach!&lt;br /&gt;&lt;br /&gt;Overall, the book is very well written, with great consistency despite three authors and hundreds of pages. If you can find a software developer who honestly read the entire TAOSSA and integrated its wisdom into his or her coding, hire that person!&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5184419835393221463?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5184419835393221463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5184419835393221463&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/5184419835393221463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5184419835393221463'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/impressions-art-of-software-security.html' title='Impressions: The Art of Software Security Assessment'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6767860561381395368</id><published>2011-09-18T22:55:00.004-04:00</published><updated>2011-09-18T23:05:28.056-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Impressions: Tiger Trap</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51oQICd2W7L._AA200.jpg" align=left&gt;I just finished reading &lt;a href="http://www.amazon.com/Tiger-Trap-Americas-Secret-China/dp/0547553102/"&gt;Tiger Trap&lt;/a&gt; by David Wise.  I read the whole book (so my "impressions" label isn't really accurate, because I use that for books I didn't fully read).  I don't feel like writing an entire review but I wanted to capture a few thoughts.  &lt;br /&gt;&lt;br /&gt;First, if you know nothing about Chinese espionage against the United States, read Tiger Trap.  
I didn't think Tiger Trap was the easiest book to read about the subject, but I haven't seen any other source cover so much history in one volume.&lt;br /&gt;&lt;br /&gt;Second, it seems the Chinese prefer to use human resources to steal classified information, mainly because accessing classified networks is tougher than accessing unclassified networks.  Still, there are plenty of cases where humans physically stole unclassified but sensitive information.  Most of these predate the Web however.&lt;br /&gt;&lt;br /&gt;Third, the Chinese like to "get good people to do bad things," as I Tweeted last week (citing page 16).  In other words, China appeals to its overseas ethnic community to steal information because China "is a poor country," and it "needs to develop."  (Oddly enough I have read these exact words in articles by various people who brush off reports of espionage.)  While some spies act out of greed or revenge or a need to feel important, it seems plenty of other spies think they are really doing the right thing, leveling the playing field, or even helping both sides!&lt;br /&gt;&lt;br /&gt;If anyone can provide the names of other resources describing Chinese espionage, I would appreciate the comment.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6767860561381395368?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6767860561381395368/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6767860561381395368&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6767860561381395368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6767860561381395368'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/impressions-tiger-trap.html' title='Impressions: Tiger Trap'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-1589352607254067447</id><published>2011-09-16T21:05:00.002-04:00</published><updated>2011-09-16T21:11:34.814-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Bejtlich Cited in Chinese Article on APT</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-ZLcKA3L-ghs/TnPyjro1FdI/AAAAAAAACVo/C9h63sn0yrI/s1600/chinabyte.jpg"&gt;&lt;img style="float:left; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 339px;" src="http://1.bp.blogspot.com/-ZLcKA3L-ghs/TnPyjro1FdI/AAAAAAAACVo/C9h63sn0yrI/s400/chinabyte.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5653128652103423442" /&gt;&lt;/a&gt;I found it ironic to see the names Richard Bejtlich and MANDIANT appearing in the article &lt;a href="http://sec.chinabyte.com/320/12160820.shtml"&gt;How to reduce the losses caused by APT attack?&lt;/a&gt;  The reason this is funny is that the article appears 
in a Chinese-language story, published by a site operating in Beijing!&lt;br /&gt;&lt;br /&gt;You can read the &lt;a href="http://translate.google.com/translate?sl=auto&amp;tl=en&amp;js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;u=http%3A%2F%2Fsec.chinabyte.com%2F320%2F12160820.shtml&amp;act=url"&gt;Google Translation&lt;/a&gt; if you can't read the original.&lt;br /&gt;&lt;br /&gt;According to &lt;a href="http://www.tianjimedia.com/english/31/8262031.shtml"&gt;Tianji Media Group&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Established in January 1997, ChinaByte was the first IT news website in China. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;So, welcome to the APT coverage!&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-1589352607254067447?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/1589352607254067447/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=1589352607254067447&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1589352607254067447'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1589352607254067447'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/bejtlich-cited-in-chinese-article-on.html' title='Bejtlich Cited in Chinese Article on 
APT'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-ZLcKA3L-ghs/TnPyjro1FdI/AAAAAAAACVo/C9h63sn0yrI/s72-c/chinabyte.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6431682230732391972</id><published>2011-09-13T22:51:00.004-04:00</published><updated>2011-09-13T23:18:33.540-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Classic Chinese Defensive Propaganda</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-sEMb4rWnf8s/TnAXFi4j2vI/AAAAAAAACVY/_NDIJRTfzQU/s1600/cyberdragon.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 157px;" src="http://4.bp.blogspot.com/-sEMb4rWnf8s/TnAXFi4j2vI/AAAAAAAACVY/_NDIJRTfzQU/s400/cyberdragon.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5652042916380793586" /&gt;&lt;/a&gt;Thanks to the sharp eye of a colleague from a mailing list, I learned of the article &lt;a href="http://www.chinadaily.com.cn/cndy/2011-08/18/content_13138188.htm"&gt;Is China Really Cyberdragon?&lt;/a&gt; in the English-language &lt;a href="http://www.chinadaily.com.cn/"&gt;China Daily&lt;/a&gt; newspaper.  The article is by Tang Lan, deputy director of the Institute of Information and Social Development Studies, &lt;a href="http://www.cicir.ac.cn/english/"&gt;China Institutes of Contemporary International Relations&lt;/a&gt; (a state-directed research institute).  
His writing displays all of the classic elements of what I call Chinese defensive propaganda, in this case specifically addressing APT intrusions.&lt;br /&gt;&lt;br /&gt;I'll cite a few examples so you know what I mean.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Hacking poses a threat to both China and Western countries and politicizing the problem will be detrimental to all.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The beginning of the article introduces the reader to the concept that China is just as much a victim of hacking as the West.  This is the first invocation of "the victim card," which is a constant aspect of Chinese self-identity and international relations.&lt;br /&gt;&lt;br /&gt;Tang Lan then dismisses accusations that the Chinese hack Western organizations, naming a few companies specifically.  Then we read:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;This is not the first time China has been the victim of such accusations. In fact, it was also accused of having instigated several previous systemic long-term intrusions, namely Operation Titan Rain, Night Dragon and Operation Aurora.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Again we see the victim card, using the actual word "victim."  I think this section is counter-productive, because it reminds the reader that the Chinese have been publicly active against Western targets since &lt;b&gt;2003&lt;/b&gt; (i.e., the mention of Titan Rain).&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Western governments and media would have people believe that China has become a "cyberdragon", able to infiltrate the computer systems of countries and companies seemingly at will.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;It may be tough for the author to appreciate this statement, but it's fairly true.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Besides, it is simply untrue to say that China is not a victim of cyber attacks. 
China was hit by nearly 493,000 cyber attacks last year, about half of which originated from foreign countries, including 14.7 percent from the US and 8 percent from India, according to a report issued on Tuesday by the Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT/CC), the country's primary computer security monitoring network. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Notice the third use of the victim card.  More interestingly, who said "China is not a victim of cyber attacks?"  Tang Lan introduces a red herring (pun intended) to divert our attention, and then uses statistics from CNCERT to show an argument (made by no one) is false.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Hacking poses a great threat to both China and Western countries and should be considered a common enemy. It is irresponsible to accuse any other country without ample evidence, and politicizing the problem will only prove detrimental to the interests of all.&lt;br /&gt;&lt;br /&gt;As a responsible country, China has long held the principle of strengthening supervision of the Internet, and encourages all countries to cooperate for the common good.&lt;br /&gt;&lt;br /&gt;We also hope other countries can hear China's voice, and understand China's efforts in defending the security of all. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-SVn73JKl_Aw/TnAcJo-UU4I/AAAAAAAACVg/KrfM3Ae_C88/s1600/575.0.1.0.16777215.0.stories.large.2011.08.22.CCTV-7-2.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 280px;" src="http://1.bp.blogspot.com/-SVn73JKl_Aw/TnAcJo-UU4I/AAAAAAAACVg/KrfM3Ae_C88/s400/575.0.1.0.16777215.0.stories.large.2011.08.22.CCTV-7-2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5652048484293170050" /&gt;&lt;/a&gt;In this amusing conclusion to the article, there are three points.  
First, we have a fourth invocation of the victim card.  Second, we read of "irresponsible" and "responsible" countries.  The US is "irresponsible" because its private, non-state-owned security firms are pointing the finger at China.  China is "responsible" because it promotes "supervision of the Internet" (obviously via the Great Firewall of China).  Third, China is supposedly encouraging "all countries to cooperate for the common good" and "defending the security of all."  How is that happening, exactly?&lt;br /&gt;&lt;br /&gt;I thought it was telling that someone in the Party decided to commission a response via an institutional speaker.  The double-speak in the article shows China craves being seen as "responsible," which gives the West a strategy for diplomatic pressure against APT intrusions.  I also expect to see the victim strategy used by China as a constant justification for whatever activity they pursue.&lt;br /&gt;&lt;br /&gt;On a slightly humorous note, one of the responses to this article that I read on a mailing list asked the following question:&lt;br /&gt;&lt;br /&gt;Given that the Chinese PLA assaults Chinese Web sites from compromised IP addresses in the United States (reported in &lt;a href="http://www.theepochtimes.com/n2/china-news/slip-up-in-chinese-military-tv-show-reveals-more-than-intended-60619.html"&gt;Slip-Up in Chinese Military TV Show Reveals More Than Intended&lt;/a&gt;), what would the statistics look like if they removed all their self-inflicted attacks?&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/4088979-6431682230732391972?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6431682230732391972/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6431682230732391972&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6431682230732391972'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6431682230732391972'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/classic-chinese-defensive-propaganda.html' title='Classic Chinese Defensive Propaganda'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-sEMb4rWnf8s/TnAXFi4j2vI/AAAAAAAACVY/_NDIJRTfzQU/s72-c/cyberdragon.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5610681501191444470</id><published>2011-09-05T15:03:00.002-04:00</published><updated>2011-09-05T15:11:24.892-04:00</updated><title type='text'>Government Takeover of Compromised Digital Infrastructure Provider</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-rpSuKoiNTEY/TmUdIvbkMGI/AAAAAAAACVM/Z86cOY8Snoo/s1600/diginotar.gif"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 220px; height: 
66px;" src="http://2.bp.blogspot.com/-rpSuKoiNTEY/TmUdIvbkMGI/AAAAAAAACVM/Z86cOY8Snoo/s400/diginotar.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5648953343614398562" /&gt;&lt;/a&gt;The latest twist in the compromise of DigiNotar's certificate operations is amazing.  The &lt;a href="http://abcnews.go.com/Technology/wireStory?id=14441405"&gt;Associated Press&lt;/a&gt; reports:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;DigiNotar acknowledged it had been hacked in July, though it didn't disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised.&lt;br /&gt;&lt;br /&gt;But Donner said &lt;b&gt;a review by an external security company&lt;/b&gt; had found DigiNotar's government certificates were in fact compromised, and &lt;b&gt;the government is now taking control of the company's operations&lt;/b&gt;. The government also is trying to shift over to other companies that act as digital notaries, he said.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;As you can see I highlighted two points.  &lt;br /&gt;&lt;br /&gt;Regarding the first, it took external analysis of the event to determine the true facts of the case.  For me this is a step closer to requiring third party review of security posture, and by that I don't mean "are you vulnerable?"  I mean instead "are you compromised?"&lt;br /&gt;&lt;br /&gt;Regarding the second, I can't remember a time where a government assumed control of a private company in order to implement digital security measures.  (Can anyone recall a similar event at another time?)  
This could be a wake-up call to governments that one of the foundations of digital security is a commercial arrangement whereby the fall of any of 600 or more certificate authorities puts the entire system in danger.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5610681501191444470?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5610681501191444470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5610681501191444470&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5610681501191444470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5610681501191444470'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/government-takeover-of-compromised.html' title='Government Takeover of Compromised Digital Infrastructure Provider'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/-rpSuKoiNTEY/TmUdIvbkMGI/AAAAAAAACVM/Z86cOY8Snoo/s72-c/diginotar.gif' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7059076400510628952</id><published>2011-09-03T23:17:00.002-04:00</published><updated>2011-09-03T23:22:49.049-04:00</updated><title type='text'>Watch National Geographic Channel's The Liquid Bomb Plot</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-pktbDwzvK1M/TmLt5Uod3uI/AAAAAAAACVA/iZFRp33hecw/s1600/lbp.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 348px;" src="http://3.bp.blogspot.com/-pktbDwzvK1M/TmLt5Uod3uI/AAAAAAAACVA/iZFRp33hecw/s400/lbp.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5648338451722788578" /&gt;&lt;/a&gt;Over the last week I've been watching a new National Geographic Channel documentary titled &lt;a href="http://channel.nationalgeographic.com/episode/the-liquid-bomb-plot-5370/#tab-Overview"&gt;The Liquid Bomb Plot&lt;/a&gt;.  It explains how British intelligence detected and thwarted an AQ operation to destroy at least seven aircraft flying from the UK to the US in August 2006.  The show is excellent and features first-hand accounts, including key US personnel like Secretary Chertoff and General Hayden.  &lt;br /&gt;&lt;br /&gt;I recommend watching this show because it demonstrates the tensions between the law enforcement and intelligence communities.  The content also touches on the question of whether counter-AQ operations are legal affairs or military affairs.  &lt;br /&gt;&lt;br /&gt;After the show you will be less likely to doubt the value of US and UK intelligence operations (and those of our allies), even after the demise of UBL.
&lt;br /&gt;&lt;br /&gt;Furthermore, you can probably imagine how this sort of intel-centric operation is similar to the new sorts of wars we're fighting else -- i.e., in the digital domain.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7059076400510628952?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7059076400510628952/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7059076400510628952&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7059076400510628952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7059076400510628952'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/09/watch-national-geographic-channels.html' title='Watch National Geographic Channel&apos;s The Liquid Bomb Plot'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-pktbDwzvK1M/TmLt5Uod3uI/AAAAAAAACVA/iZFRp33hecw/s72-c/lbp.jpg' 
height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8203257699250561404</id><published>2011-08-29T23:51:00.005-04:00</published><updated>2011-08-30T00:17:33.157-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='threat model'/><title type='text'>TaoSecurity Security Effectiveness Model</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-ou7-AJK47xA/TlxeThiOPlI/AAAAAAAACU4/_pKSh8aI7i0/s1600/taosecurity_sem_29aug11a.jpg"&gt;&lt;img style="float:right; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 378px; height: 400px;" src="http://3.bp.blogspot.com/-ou7-AJK47xA/TlxeThiOPlI/AAAAAAAACU4/_pKSh8aI7i0/s400/taosecurity_sem_29aug11a.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5646491722328194642" /&gt;&lt;/a&gt;After my last few &lt;a href="http://twitter.com/taosecurity"&gt;Tweets as @taosecurity&lt;/a&gt; on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.&lt;br /&gt;&lt;br /&gt;Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label "Defensive Plan"; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as "Threat Actions"; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label "Live Defenses".&lt;br /&gt;&lt;br /&gt;I call the Defensive Plan "Correct" when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat's interests.  I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.
&lt;br /&gt;&lt;br /&gt;I call the area covered by the Live Defenses as "Defended," but I don't assume the defenses are actually sufficient.  Some threats will escalate to whatever level is necessary to achieve their mission.  In other words, the only way to not be compromised is to not be targeted!  So, I call areas that aren't defended at all "Compromised" if the adversary targets them.  Areas not targeted by the adversary are "Compromise Avoided."  Areas targeted by the adversary but also covered by Live Defense are "Compromise Possible."&lt;br /&gt;&lt;br /&gt;The various intersections produce some interesting effects.  For example:&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;If you're in the lower center area titled "Incorrect, defended, compromise possible," and your defenses hold, you're just plain lucky.  You didn't anticipate the adversary attacking you, but somehow you had a live defense covering it.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you're near the left middle area titled "Correct, undefended, compromised," this means you knew what to expect but you couldn't execute.  You didn't have any live defenses in place.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you're in the area just below the previous space, titled "Incorrect, undefended, compromised," you totally missed the boat.  You didn't expect the adversary to target that resource, and you didn't happen to have any live defenses protecting it.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you're in the very center, called "Correct, defended, compromise possible," congratulations -- this is where you expected your security program to operate, you deployed defenses that were live, but the result depends on how much effort the adversary applies to compromising you.  
This is supposed to be "security Nirvana" but your success depends more on the threat than on your defenses.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The top-most part titled "Incorrect, undefended, compromise avoided" shows a waste of planning effort, but not wasted live defenses.  That's a mental worry region only.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The right-most part titled "Incorrect, defended, compromise avoided" shows a waste of defensive effort, which you didn't even plan.  You could probably retire all the security programs and tools in that area.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The area near the top titled "Incorrect, defended, compromise avoided" shows you were able to execute on your vision but the adversary didn't bother attacking those resources.  That's also waste, but less so since you at least planned for it.&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;What do you think of this model?  Obviously you want to make all three circles overlap as much as possible, such that you plan and defend what the threat intends to attack.  That's the idea of &lt;b&gt;threat-centric security&lt;/b&gt; in a nutshell -- or maybe a Venn diagram.
&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8203257699250561404?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8203257699250561404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8203257699250561404&amp;isPopup=true' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8203257699250561404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8203257699250561404'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/taosecurity-security-effectiveness.html' title='TaoSecurity Security Effectiveness Model'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-ou7-AJK47xA/TlxeThiOPlI/AAAAAAAACU4/_pKSh8aI7i0/s72-c/taosecurity_sem_29aug11a.jpg' height='72' 
width='72'/><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5329185279544988305</id><published>2011-08-28T22:47:00.002-04:00</published><updated>2011-08-28T22:51:55.988-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='training'/><title type='text'>TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct</title><content type='html'>&lt;img src="http://lh5.googleusercontent.com/-psv2FTXDTV8/R4bhazL3mmI/AAAAAAAAARY/IoFbCVbnT9M/latest_ad.jpg.png" align=left&gt;I just created a class page for my upcoming &lt;a href="http://www.taosecurity.com/mclean2011.html"&gt;TCP/IP Weapons School 3.0 in McLean, VA&lt;/a&gt; on 26-27 October 2011.  I decided to offer this class because I haven't taught anything nearby in quite a while, and many people asked for a class in NoVA.  I don't plan to offer this sort of "solo" (i.e., outside Black Hat) class again (or anytime soon).  So, if you're in the neighborhood and you'd like to attend a TWS3 class, this could be your chance!  The venue only seats 20-25 students, so please keep that in mind. You can &lt;a href="http://www.regonline.com/tws3mclean2011"&gt;register through RegOnline&lt;/a&gt; immediately.  Thank you.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5329185279544988305?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5329185279544988305/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5329185279544988305&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5329185279544988305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5329185279544988305'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/tcpip-weapons-school-30-in-mclean-va-26.html' title='TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh5.googleusercontent.com/-psv2FTXDTV8/R4bhazL3mmI/AAAAAAAAARY/IoFbCVbnT9M/s72-c/latest_ad.jpg.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4880215298074807488</id><published>2011-08-19T22:03:00.003-04:00</published><updated>2011-08-19T22:10:30.275-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Jaime Metzl Describes "China's Threat to World Order"</title><content type='html'>&lt;img src="http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s200/Chinese_draak.jpg" align=left&gt;Props to LS for pointing me to this WSJ article titled &lt;a href="http://online.wsj.com/article/SB10001424053111904006104576500690087766626.html?mod=googlenews_wsj#"&gt;China's Threat to World Order&lt;/a&gt;.  I found the following pertinent for the "cyber" aspect:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Allegations that the Chinese government is behind the largest computer hacking operation in history will not come as a surprise to observers of recent trends in international relations. If there is one thing that China's actions across a range of fields have made clear, it is that &lt;b&gt;Beijing will do whatever it takes to advance its narrowly defined economic interests, even if that requires riding roughshod over global norms...&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;It is no longer acceptable for China to claim global leadership in some areas but then pretend it is a weak developing country and shirk its responsibilities in others.&lt;/b&gt; A China that leads the world in the theft of intellectual property, computer hacking and resource nationalism will prove extremely destabilizing. If it continues on this course, Beijing should not be surprised if other countries begin to band together to collectively counter some of the more harmful implications of China's rise. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I think contrasting China with Russia may be helpful here.  
We tend to have more cooperation with Russia, even in areas of digital security; for example, see the work of the &lt;a href="http://www.ewi.info/cybersecurity-terminology-foundations"&gt;EastWest Institute&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;After publishing the WSJ article, Jaime then summarized open reporting on China's activities over the last few years and published the result at &lt;a href="http://asiasociety.org/policy/strategic-challenges/china-and-cyber-espionage"&gt;China and Cyber-Espionage&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4880215298074807488?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4880215298074807488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4880215298074807488&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4880215298074807488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4880215298074807488'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/jaime-metzl-describes-chinas-threat-to.html' title='Jaime Metzl Describes &quot;China&apos;s Threat to World Order&quot;'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s72-c/Chinese_draak.jpg' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-9038688508409546082</id><published>2011-08-18T15:41:00.003-04:00</published><updated>2011-08-18T15:47:34.127-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><title type='text'>Expect to Hear "IDS Is Dead" (Again)</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-RpJ_ZDVRs2s/Tk1q6eDoaLI/AAAAAAAACUs/XuvBG26h0r4/s1600/ids_is_dead.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 164px;" src="http://1.bp.blogspot.com/-RpJ_ZDVRs2s/Tk1q6eDoaLI/AAAAAAAACUs/XuvBG26h0r4/s400/ids_is_dead.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5642283460898351282" /&gt;&lt;/a&gt;Do you remember when &lt;a href="http://taosecurity.blogspot.com/2003/06/you-go-marty-read-marty-roeschs.html"&gt;IDS was dead&lt;/a&gt;, and supposed to be replaced by "thought-leading firewalls" by 2005?&lt;br /&gt;&lt;br /&gt;Well, that prediction died pretty quickly.  
However, I expect to hear it again after reading &lt;a href="http://www.fiercegovernmentit.com/story/dib-cybersecurity-pilot-has-stopped-hundreds-intrusions-says-lynn/2011-08-16?utm_medium=rss&amp;utm_source=rss"&gt;DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's Einstein 3 effort, said Deputy Defense Secretary William Lynn.&lt;br /&gt;&lt;br /&gt;During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped "hundreds of intrusions."&lt;br /&gt;&lt;br /&gt;Lynn also laid blame for intrusions into military and defense industrial base networks on "foreign intelligence services," stating that they have stolen military plans, weapons system designs, source code and other intellectual property.&lt;br /&gt;&lt;br /&gt;"This kind of cyber exploitation does not have the dramatic impact of a conventional military attack," Lynn said. "But over the long term, it has a deeply corrosive effect. It blunts our edge in military technology and saps our competitiveness in the global economy."&lt;br /&gt;&lt;br /&gt;Foreign intruders have extracted terabytes of data from defense companies, he added.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This sort of story is likely to lead to the same arguments I heard eight years ago regarding "Intrusion Detection Systems" vs "Intrusion Prevention Systems," namely:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;If you can detect it, why can't you prevent it?&lt;/b&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This is a broad topic, so rather than try to answer everything here and now, I'll likely work on it over the coming weeks in individual posts.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-9038688508409546082?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/9038688508409546082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=9038688508409546082&amp;isPopup=true' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/9038688508409546082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/9038688508409546082'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/expect-to-hear-ids-is-dead-again.html' title='Expect to Hear &quot;IDS Is Dead&quot; (Again)'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-RpJ_ZDVRs2s/Tk1q6eDoaLI/AAAAAAAACUs/XuvBG26h0r4/s72-c/ids_is_dead.jpg' height='72' 
width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2548261886848991480</id><published>2011-08-17T22:36:00.004-04:00</published><updated>2011-08-17T22:42:54.835-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><title type='text'>Bejtlich Leading Session at IANS</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-vkPY-f-fGV0/Tkx61bq3X4I/AAAAAAAACUk/qsEB_ElSy3E/s1600/ians_boston.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 397px;" src="http://3.bp.blogspot.com/-vkPY-f-fGV0/Tkx61bq3X4I/AAAAAAAACUk/qsEB_ElSy3E/s400/ians_boston.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5642019491567591298" /&gt;&lt;/a&gt;The &lt;a href="http://www.iansresearch.com/"&gt;IANS&lt;/a&gt; group just posted their &lt;a href="http://blog.iansresearch.net/2011/08/ians-fall-forum-tracks.html"&gt;fall forum announcement&lt;/a&gt;.  It states I will be leading a session on the APT at their event in Boston on 20 September 2011.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Kicking off the morning will be Richard’s session on “Mitigating the Advanced Persistent Threat.” IANS continually hears from our clients that APT and cyber crime is a constant, nagging concern (if not for their own company… yet, then because of headline news read by company executives), and it is the CISO’s job to deal with real, perceived, and impending APT issues.&lt;br /&gt;&lt;br /&gt;Thus, during his session Richard will provide advice and real-life use cases on what he’s seen, what’s worked, what doesn’t, and what CISOs can do to deal with APTs at their own organizations. 
&lt;br /&gt;&lt;br /&gt;Following the short presentation portion of the session, CISOs will collectively discuss 1) How to keep up with industry-specific threats; 2) Tactics and techniques to detect and mitigate the APT; and 3) The real implications of APT incidents&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This should be a great event, because the afternoon session also features Grady Summers, my old boss from GE (who was the CISO there).  Grady will:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;lead CISO participants through a follow-on discussion on managing cyber security at a board level. With today's threats consistently making front-page news, even the most traditional boards are starting to ask about cyber security.&lt;br /&gt;&lt;br /&gt;To be prepared for such an event, Grady will walk participants through varying scenarios on handling: 1) What works and what’s not effective with regard to board communication on information security; 2) What audit committee chairs at some of the world's biggest companies are saying about security; and 3) Why you might not be doing your job if you're trying to "speak the language of the business" to your board.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I think this will be a great event, without death by PowerPoint.  Please visit the announcement for registration information.  Thank you.
&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-2548261886848991480?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/2548261886848991480/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=2548261886848991480&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2548261886848991480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2548261886848991480'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/bejtlich-leading-session-at-ians.html' title='Bejtlich Leading Session at IANS'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-vkPY-f-fGV0/Tkx61bq3X4I/AAAAAAAACUk/qsEB_ElSy3E/s72-c/ians_boston.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4818219483505274053</id><published>2011-08-15T22:45:00.003-04:00</published><updated>2011-08-15T22:49:28.906-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mandiant'/><title type='text'>Check Out MANDIANT Job Postings</title><content type='html'>&lt;img src="http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s400/mandiant_logo.png" align=left&gt;If you visit &lt;a href="https://www.mandiant.com/hireme"&gt;www.mandiant.com/hireme&lt;/a&gt; you'll notice &lt;a href="http://www.mandiant.com/"&gt;MANDIANT&lt;/a&gt; is looking to hire a ton of people over the next few weeks and months.  We have openings all over the company, including my MCIRT business line.  Basically if you're the go-to person in your organization for coding, doing, or supporting incident detection and response tools and/or techniques, you will probably find an interesting job here!&lt;br /&gt;&lt;br /&gt;The easiest way to start the process is to pick a role and submit your resume.  Thank you for your consideration.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4818219483505274053?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4818219483505274053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4818219483505274053&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4818219483505274053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4818219483505274053'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/check-out-mandiant-job-postings.html' title='Check Out MANDIANT Job Postings'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s72-c/mandiant_logo.png' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4646456964863059213</id><published>2011-08-15T21:57:00.002-04:00</published><updated>2011-08-15T22:04:58.371-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='books'/><title type='text'>Tao of NSM Errata and Possible Book Plans</title><content type='html'>&lt;img src="http://1.bp.blogspot.com/_Z-tqVTd9fPI/Sc5yF1klQbI/AAAAAAAABQ4/Wxy8nrsZmBE/S214/books_side.png" align=left&gt;Recently an astute reader, Greg Back, submitted three corrections for typos to my first &lt;a href="http://www.taosecurity.com/books.html"&gt;book&lt;/a&gt;, The Tao of Network Security Monitoring.  I just uploaded these to the &lt;a href="http://www.taosecurity.com/tao_nsm_errata.txt"&gt;errata page&lt;/a&gt; and will submit them to the publisher now.  Thanks to Greg for so closely reading the text and catching the errors!  They involved miscounting bytes in two packets, and saying bytes where I should have said bits elsewhere.&lt;br /&gt;&lt;br /&gt;On a related note, I'm considering reviewing my material from the TCP/IP Weapons School (versions 1, 2, and 3) and writing a book based on the best aspects of each class.  I wouldn't expect the book to arrive any earlier than late 2012, when I expect to retire the third version of TWS, currently taught in live classes.  Over the last few years many of you have asked what I plan to do with the older TWS material, and I think this might be the best way to put it to good use.  As I figure out what to do I will keep you informed here.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4646456964863059213?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4646456964863059213/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4646456964863059213&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4646456964863059213'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4646456964863059213'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/tao-of-nsm-errata-and-possible-book.html' title='Tao of NSM Errata and Possible Book Plans'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_Z-tqVTd9fPI/Sc5yF1klQbI/AAAAAAAABQ4/Wxy8nrsZmBE/s72-c/books_side.png' height='72' 
width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8151034119087288650</id><published>2011-08-15T21:46:00.003-04:00</published><updated>2011-08-15T21:50:59.598-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='training'/><title type='text'>Bejtlich Webinar for Dark Reading and InformationWeek</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-0khmpj21WXY/TknMGDRveAI/AAAAAAAACUc/OyfA_GGNe48/s1600/IW_DR_Header.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 46px;" src="http://3.bp.blogspot.com/-0khmpj21WXY/TknMGDRveAI/AAAAAAAACUc/OyfA_GGNe48/s400/IW_DR_Header.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5641264412589258754" /&gt;&lt;/a&gt;Thanks to &lt;a href="http://www.darkreading.com/"&gt;Dark Reading&lt;/a&gt; and &lt;a href="http://www.informationweek.com/"&gt;InformationWeek&lt;/a&gt; I will participate in the &lt;a href="https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&amp;F=1003410&amp;K=MAA1&amp;tab=overview"&gt;How Security Breaches Happen&lt;/a&gt; online virtual event on 25 August 2011.  At 1330 ET I present with Nicholas J. Percoco and Kelly Jackson Higgins on "Why Bad Breaches Happen To Good Companies."&lt;br /&gt;&lt;br /&gt;I will share the enterprise/CSO perspective while Nicholas will present the adversary simulation/pen tester perspective.  Kelly will moderate.  Lots of other speakers will participate from 1030 ET to 1815 ET.&lt;br /&gt;&lt;br /&gt;We hope you can attend!
&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8151034119087288650?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8151034119087288650/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8151034119087288650&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8151034119087288650'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8151034119087288650'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/bejtlich-webinar-for-dark-reading-and.html' title='Bejtlich Webinar for Dark Reading and InformationWeek'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-0khmpj21WXY/TknMGDRveAI/AAAAAAAACUc/OyfA_GGNe48/s72-c/IW_DR_Header.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3067901920762628491</id><published>2011-08-15T21:36:00.004-04:00</published><updated>2011-08-15T21:44:02.487-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><title type='text'>Bejtlich Keynote at Hawaiian Telcom Conference</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-Xp_DXiRnAOE/TknKgSsGUzI/AAAAAAAACUU/in_LrGm87bk/s1600/LP1.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 98px;" src="http://3.bp.blogspot.com/-Xp_DXiRnAOE/TknKgSsGUzI/AAAAAAAACUU/in_LrGm87bk/s320/LP1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5641262664379683634" /&gt;&lt;/a&gt;Thanks to &lt;a href="http://www.hawaiiantel.com/"&gt;Hawaiian Telcom&lt;/a&gt; I will be speaking at their &lt;a href="http://www.hawaiiantel.com/2011securityconference"&gt;2011 Security Conference&lt;/a&gt; in Honolulu on 7 September 2011.  &lt;br /&gt;&lt;br /&gt;My topic is "Putting the A, P, and T into the Advanced Persistent Threat:"&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Advanced Persistent Threat, or APT, is a controversial term.  Just what qualifies as the APT?  Who invented this term?  Is it a marketing vehicle or is there a method to its use?  In this keynote, Mandiant CSO Richard Bejtlich will explain the history of the APT, and what makes it Advanced, Persistent, and a Threat.  He will discuss the concepts of "fighting through" an intrusion and "operating in a contested network," approaches to dealing with the APT that work in the real world.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;My colleague and friend Kris Harms will also attend, presenting "Network Security FTW." &lt;br /&gt;&lt;br /&gt;We hope to see you there!  And no, Jeremiah Grossman, we will not be joining you to fight MMA-style.  Well, maybe Harms will.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3067901920762628491?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3067901920762628491/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3067901920762628491&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3067901920762628491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3067901920762628491'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/bejtlich-keynote-at-hawaiian-telcom.html' title='Bejtlich Keynote at Hawaiian Telcom Conference'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-Xp_DXiRnAOE/TknKgSsGUzI/AAAAAAAACUU/in_LrGm87bk/s72-c/LP1.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8785006415414807261</id><published>2011-08-15T21:08:00.004-04:00</published><updated>2011-08-16T17:59:35.245-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='training'/><title type='text'>Feedback from Latest TCP/IP Weapons School 3.0 Class</title><content type='html'>&lt;img src="http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s200/blackhat.jpg" align=left&gt;At Black Hat in Las Vegas and USENIX Security in San Francisco I taught three &lt;a href="http://www.taosecurity.com/training.html"&gt;TCP/IP Weapons School 3.0&lt;/a&gt; classes.  I think my weekday class at Black Hat set a personal record student count, and I was glad to have Steve Andres from &lt;a href="http://www.specialopssecurity.com/"&gt;Special Ops Security&lt;/a&gt; there to help students with questions and lab issues!&lt;br /&gt;&lt;br /&gt;I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming class.  Currently I'm scheduled to teach at &lt;a href="https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_TS-tcpip.html"&gt;Black Hat Abu Dhabi&lt;/a&gt; on 12-13 December.  The only other possibilities for training this year include a class in northern VA in either September or October, and a class the weekend before &lt;a href="http://www.usenix.org/event/lisa11/"&gt;USENIX LISA&lt;/a&gt; in Boston on 3-4 December 2011.  Next year I will likely return to Las Vegas again in the summer (21-24 July) and DC in the fall (30-31 Oct) but beyond that I am not sure how much training I might do in 2012.&lt;br /&gt;&lt;br /&gt;Student feedback from TWS3 included:&lt;i&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;I've been to a lot of training sessions and this was by far the best.  The discussions were useful and practical.  
The labs were well done enough to repeat and follow them later.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Excellent speaker, well-prepared and extremely engaging.  Perfect balance of real world scenarios and information.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Great course! More lab-based and little [i.e., fewer] PowerPoints is a recipe for success.  Will recommend to others.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;This is the best Black Hat Training class I've ever taken.  The techniques and information Richard taught are instantly usable in my day-to-day security analyst work.  Well worth the time and money.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Richard worked hard to answer our questions and tailor the class to our needs.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Discussion-based training without PowerPoint was a great experience -- much more rewarding than death by .ppt!&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Richard does an excellent job presenting material in an engaging way.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Excellent job handling diverse student population with very different skill levels.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;I would take another security course taught by Richard as well as recommend this course to others.&lt;/li&gt;&lt;/i&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;The students who attend to learn how to collect and analyze network- and log-centric artifacts and data in order to detect and respond to intrusions tend to like the class best.&lt;br /&gt;&lt;br /&gt;Thank you to the students from all three classes for your participation!
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8785006415414807261?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8785006415414807261/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8785006415414807261&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8785006415414807261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8785006415414807261'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/feedback-from-latest-tcpip-weapons.html' title='Feedback from Latest TCP/IP Weapons School 3.0 Class'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s72-c/blackhat.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-314715351646131964</id><published>2011-08-14T18:20:00.003-04:00</published><updated>2011-08-14T18:26:02.267-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: Android Forensics</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41SMyMDxGeL._AA200.jpg" align=left&gt;My final book in this batch is &lt;a href="http://www.amazon.com/Android-Forensics-Investigation-Analysis-Security/dp/1597496510/"&gt;Android Forensics&lt;/a&gt; by Andrew Hoog.  Due to the nature of Android and the author's experience with it, this book has a lot of great content.  (In contrast, on page xiii, the author thanks iPhone and iOS Forensics co-author Katie Strzempka "for generally taking care of that other book."  Hmm, maybe I should have known that before trying to assess that "other book?")&lt;br /&gt;&lt;br /&gt;My only real concern with this book is that it might lack the focus required by a normal investigator.  I'm sure many investigators simply want to know where to find key data (email, Web history, etc.) and then retrieve and analyze it in a forensically sound manner.  It's the "so what" question that hangs over many forensics books.  I would have liked a case study focusing on that sort of material to show how an investigator would make sense of the data and structures unearthed by the author throughout the book.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-314715351646131964?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/314715351646131964/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=314715351646131964&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/314715351646131964'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/314715351646131964'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/impressions-android-forensics.html' title='Impressions: Android Forensics'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4860572480173484920</id><published>2011-08-14T17:36:00.003-04:00</published><updated>2011-08-14T18:20:17.141-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: iPhone and iOS Forensics</title><content type='html'>&lt;img 
src="http://ecx.images-amazon.com/images/I/410ZCrfA6BL._AA200.jpg" align=left&gt;The third forensics book in this batch is &lt;a href="http://www.amazon.com/iPhone-iOS-Forensics-Investigation-Analysis/dp/1597496596/"&gt;iPhone and iOS Forensics&lt;/a&gt; (IAIF) by Andrew Hoog and Katie Strzempka.  This book is similar to &lt;a href="http://www.amazon.com/review/R2X2249NHNLWQ7/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1430233427&amp;nodeID=&amp;tag=&amp;linkCode="&gt;iOS Forensic Analysis: for iPhone, iPad, and iPod touch&lt;/a&gt; by Sean Morrissey, in the sense that neither book is as strong as I might have hoped.  Oddly enough, the aspects of Morrissey's book that were most compelling (like his overview of the various i-devices and attention to each of them) are weaker in IAIF.  &lt;br /&gt;&lt;br /&gt;I found IAIF to be a little confusing in its approach, with lack of rigor around discussing iPhone vs other platforms.  I felt the authors should have either focused on one platform or given all of them equal attention.  I also disliked mixing of what seemed to be jailbroken and non-jailbroken content.  I prefer for forensics books to avoid using jailbreak techniques where possible, but it would have been helpful for the authors to be very clear where and why they use such methods.&lt;br /&gt;&lt;br /&gt;Chapter 4 was supposed to cover security, but it was overall very disappointing.  Chapter 6 probably has the core data of interest to a forensic investigator, namely where to find certain types of evidence (email, Web history, etc.) and how to get it.  This is the sort of data missing from the Xbox book I just addressed.&lt;br /&gt;&lt;br /&gt;I liked the material on downgrading iOS on a phone, but didn't like reading about basic Linux information in chapter 1.  That should have been in an appendix.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4860572480173484920?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4860572480173484920/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4860572480173484920&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4860572480173484920'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4860572480173484920'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/impressions-iphone-and-ios-forensics.html' title='Impressions: iPhone and iOS Forensics'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5939309587282524810</id><published>2011-08-14T17:28:00.004-04:00</published><updated>2011-08-14T17:36:00.511-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: XBox 360 Forensics</title><content 
type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41e1YcVdJCL._AA200.jpg" align=left&gt;Next is &lt;a href="http://www.amazon.com/XBOX-360-Forensics-Examining-Artifacts/dp/1597496235/"&gt;Xbox 360 Forensics&lt;/a&gt; (X3F) by Steven Bolt.  This book offers a lot of technical detail, but it seems to read more like a coroner's report than a guide for those doing forensics on the Xbox 360 platform.  The author spends a lot of time documenting his analysis of the Xbox 360, but after perusing the book I took myself out of the role of scientist and into that of investigator.  &lt;br /&gt;&lt;br /&gt;An investigator (such as a law enforcement person) is likely to say "that's all nice, but can I read the suspect's email?  Can I review his Web browsing history?  Can I inspect the content of his instant messaging?  How do I do that?"  These are practical questions that do not really appear in X3F.  Sure, the author tears apart the platform and its file system, but I don't see a way for an investigator to easily move from the current text to answering fundamental investigation questions.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5939309587282524810?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5939309587282524810/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5939309587282524810&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5939309587282524810'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5939309587282524810'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/impressions-xbox-360-forensics.html' title='Impressions: XBox 360 Forensics'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4178655261349808800</id><published>2011-08-14T17:15:00.003-04:00</published><updated>2011-08-14T17:28:25.112-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: Digital Forensics with Open Source Tools</title><content 
type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41Ou17fmrQL._AA200.jpg" align=left&gt;For my fourth impressions post, I'll turn to the digital forensics world for &lt;a href="http://www.amazon.com/Digital-Forensics-Open-Source-Tools/dp/1597495867/"&gt;Digital Forensics with Open Source Tools&lt;/a&gt; (DFWOST) by Cory Altheide and Harlan Carvey.  I took a lot of notes but didn't read closely enough in my opinion to merit a full review.&lt;br /&gt;&lt;br /&gt;I didn't like the way this book started.  I can't tell if the authors expect the reader to be familiar with open source software or not.  The book needed to start in chapter 2 with something like "let's start by selecting Ubuntu for our operating system.  We like it for the following reasons..."  In contrast, the reader suddenly finds himself in the "Working with Images" section trying to use losetup, mmls, doing math, etc.  That's too fast!  Many reading this book are going to get lost on page 23 between "sudo apt-get install libfuse-dev libexpat1-dev" and advice to use "a simple ./configure..."  &lt;br /&gt;&lt;br /&gt;Beyond the rough start, however, I thought the rest of the book was interesting.  I liked reading about a variety of tools, especially trying to accomplish the same task on Linux and Windows.  I enjoyed reading about hidden Windows Event Logs in ch 4 and about hachoir in ch 8.  The book made great use of public evidence sources, like the Digital Corpora.  &lt;br /&gt;&lt;br /&gt;Near the end of the book (ch 9) I read a reference to Rob Lee's SIFT platform, so I wondered by the book didn't use it throughout?  I also would have liked to have read more about log2timeline in ch 9.&lt;br /&gt;&lt;br /&gt;One note for a second edition: some figures in the book feature resolutions so high that the text is not legible given the size of the screen captures.&lt;br /&gt;&lt;br /&gt;I think you will like DFWOST, but I bet the second edition will be stronger.
&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4178655261349808800?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4178655261349808800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4178655261349808800&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4178655261349808800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4178655261349808800'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/impressions-digital-forensics-with-open.html' title='Impressions: Digital Forensics with Open Source Tools'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6323179133601890652</id><published>2011-08-14T16:57:00.004-04:00</published><updated>2011-08-14T17:14:10.164-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: The Shellcoder's Handbook, 2nd 
Ed</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51Gq-XXFYpL._AA200.jpg" align=right&gt;The third book for which I'd like to share my impressions is &lt;a href="http://www.amazon.com/gp/product/047008023X/"&gt;The Shellcoder's Handbook, 2nd Ed&lt;/a&gt; (TSH2E) by Chris Ainley, John Heasman, FX, and Gerardo Richarte.  I liked TSH2E, but I could tell that the collaboration among four authors caused some issues that could have been addressed by better editing.  For example, early parts of the book use both Intel and AT&amp;T assembly syntax, but the reader doesn't get an explanation of either until chapter 7.&lt;br /&gt;&lt;br /&gt;For me, the best aspect of TSH2E was the integration of real-world obstacles to exploiting victims.  The book (although published in 2008) expertly addressed various defenses introduced in operating systems over the past decade.  The authors usually start with simple concepts, promising to address tougher challenges later -- and they deliver.&lt;br /&gt;&lt;br /&gt;One item early in the text caught my attention though.  The book includes the following code to demonstrate spawning a shell:&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;int main(){&lt;br /&gt;        char *name[2];&lt;br /&gt;&lt;br /&gt;        name[0] = "/bin/sh";&lt;br /&gt;        name[1] = 0x0;&lt;br /&gt;        execve(name[0], name, 0x0);&lt;br /&gt;        exit(0);&lt;br /&gt;}&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;Then they show the following:&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;[jack@0day local]$ gcc shell.c -o shell&lt;br /&gt;[jack@0day local]$ ./shell&lt;br /&gt;sh-2.05b#&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;This looks like a section left over from the first edition by Jack Koziol.  Why does the prompt change to a root shell?  Should it not be a user shell, since user "jack" appears to have been running with user privileges?  Maybe not?
&lt;br /&gt;&lt;br /&gt;Regardless, TSH2E is a very strong book with practical lessons and examples for anyone writing offensive code.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6323179133601890652?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6323179133601890652/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6323179133601890652&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6323179133601890652'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6323179133601890652'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/impressions-shellcoders-handbook-2nd-ed.html' title='Impressions: The Shellcoder&apos;s Handbook, 2nd Ed'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8027292441912403212</id><published>2011-08-14T16:38:00.003-04:00</published><updated>2011-08-14T16:47:26.343-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: Reversing: Secrets of Reverse Engineering</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51gig3oDcWL._AA200.jpg" align=left&gt;I took a lot of notes while reading &lt;a href="http://www.amazon.com/exec/obidos/ASIN/0764574817/"&gt;Reversing: Secrets of Reverse Engineering&lt;/a&gt; (RSORE) by Eldad Eilam, but I didn't read enough of the book to qualify in my opinion to write a true review.  What I did read, though, was awesome.  RSORE is very well written, clear, interesting, and features high production value and quality.  Although Wiley published the book in 2005, I believe it's as relevant now as it was six years ago.  In fact, I recommend pairing it with &lt;a href="http://taosecurity.blogspot.com/2011/08/impressions-ida-pro-book-2nd-ed.html"&gt;IDA Pro, 2nd Ed&lt;/a&gt; for a one-two RE punch.&lt;br /&gt;&lt;br /&gt;The introduction part provided sound foundations, great coverage of low-level concepts, a helpful overview of the Win32 environment (albeit with a 32 bit focus) and a quick tools discussion.&lt;br /&gt;&lt;br /&gt;The applied engineering part includes hunting for undocumented (as of 2005) native Windows APIs, analyzing the file format of an encryption program, auditing the vulnerability in idq.dll exploited by Code Red, and reversing a backdoor that communicates via IRC.&lt;br /&gt;&lt;br /&gt;The cracking part featured solid references to legal precedents, academic papers, and books, then discussed copy protection, DRM, and anti-piracy concepts, followed by anti-reversing measures and cracking learning-tool "crackmes." &lt;br /&gt;&lt;br /&gt;The final part described reversing .NET and decompilation.&lt;br /&gt;&lt;br /&gt;Overall the book appears very strong and I recommend it based on the material I did read.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8027292441912403212?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8027292441912403212/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8027292441912403212&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8027292441912403212'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8027292441912403212'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/impressions-reversing-secrets-of.html' title='Impressions: Reversing: Secrets of Reverse Engineering'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8899439544623492701</id><published>2011-08-14T16:31:00.003-04:00</published><updated>2011-08-14T16:38:03.929-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='impressions'/><title type='text'>Impressions: The IDA Pro Book, 2nd 
Ed</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51byx5MryvL._AA200.jpg" align=left&gt;What better way to start my new &lt;a href="http://taosecurity.blogspot.com/2011/08/book-reviews-vs-impressions.html"&gt;book impressions&lt;/a&gt; technique than &lt;a href="http://www.amazon.com/IDA-Pro-Book-Unofficial-Disassembler/dp/1593272898/"&gt;The IDA Pro Book, 2nd Ed&lt;/a&gt; (TIDP2E) by Chris Eagle.  I didn't read the entire book because I am not a reverse engineer, nor am I an IDA Pro user.  However, I find the field, the tools, and the people who do reverse engineering to be interesting.  &lt;br /&gt;&lt;br /&gt;My overall impression is that TIDP2E is an excellent book.  Chris Eagle appears to have written an incredibly detailed and current text on IDA Pro.  I noticed he cited material from RECon 2011, which happened earlier this year!  &lt;br /&gt;&lt;br /&gt;Besides teaching how to use IDA Pro, TIDP2E appears to teach programming and operating system concepts.  The book compares various ways to disassemble code (primarily linear sweep vs recursive descent) as well as complementary tools.  I like the regular use of footnotes and external references, and the production quality was very high.&lt;br /&gt;&lt;br /&gt;Take a look at TIDP2E if you need a modern reference to this powerful tool suite.
&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8899439544623492701?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8899439544623492701/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8899439544623492701&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8899439544623492701'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8899439544623492701'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/impressions-ida-pro-book-2nd-ed.html' title='Impressions: The IDA Pro Book, 2nd Ed'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4456874810503441660</id><published>2011-08-14T12:43:00.004-04:00</published><updated>2011-08-14T17:18:17.428-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reading'/><title type='text'>Book Reviews vs Impressions</title><content type='html'>&lt;img 
src="http://1.bp.blogspot.com/_Z-tqVTd9fPI/SN6KWv4SItI/AAAAAAAAApc/XZur9hr9oBE/s400/taosecurity_s.png" align=left&gt;I've been reading and reviewing technical books at &lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; since 1999, and trying to meet reading goals since 2000.  Most of you know that I only review books that I read, unlike some of the people who post "reviews" at Amazon.com.  I personally don't care to read "reviews" by people who don't read the books.  What's the point?&lt;br /&gt;&lt;br /&gt;However, I believe there is room for commentary on books, where I explicitly state that my reactions are based mainly on impressions and not thorough reading.  &lt;br /&gt;&lt;br /&gt;After looking at my &lt;a href="http://www.bejtlich.net/reading.html"&gt;personal reading list&lt;/a&gt; several months ago, I decided to not read some books thoroughly enough to merit a full review.  One of the techniques I adopted was to take a book on a cross-country trip (IAD to LAX, for example) and read as much as I could, or as much as interested me, during those 4 to 6 hours.  &lt;br /&gt;&lt;br /&gt;During that time I would record notes, just as I do when writing book reviews.  Unless I complete the book, I will not turn those notes into a proper Amazon.com book review.&lt;br /&gt;&lt;br /&gt;Instead, I will post a new category of description, &lt;i&gt;impressions&lt;/i&gt;, to this blog.  These impressions will let you know what I think of a book based on paying attention to the areas that I find intriguing (if any).  &lt;br /&gt;&lt;br /&gt;I plan to use this approach with books outside my core areas of interest.  For books within my core areas of interest, I will read and review them per normal.&lt;br /&gt;&lt;br /&gt;None of these impressions candidates will qualify for my annual &lt;a href="http://taosecurity.blogspot.com/search/label/bestbook"&gt;Best Book Bejtlich Read&lt;/a&gt; award.
&lt;br /&gt;&lt;br /&gt;For those not familiar with my reading approach, &lt;a href="http://taosecurity.blogspot.com/search/label/reading"&gt;these reading posts&lt;/a&gt; might be helpful.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4456874810503441660?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4456874810503441660/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4456874810503441660&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4456874810503441660'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4456874810503441660'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/08/book-reviews-vs-impressions.html' title='Book Reviews vs Impressions'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_Z-tqVTd9fPI/SN6KWv4SItI/AAAAAAAAApc/XZur9hr9oBE/s72-c/taosecurity_s.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5551077744891025037</id><published>2011-07-28T23:22:00.002-04:00</published><updated>2011-07-28T23:25:05.760-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Metasploit: The Penetration Tester's Guide Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51f0F3YZ9KL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my four star review of Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni.  From the &lt;a href="http://www.amazon.com/review/RNQ3G6VKXEY0K/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=159327288X&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Metasploit: The Penetration Tester's Guide (MTPTG), is a great book about the Metasploit Framework. I first tried MSF in April 2004 (noted in one of my blog posts) and have since used it to test detection mechanisms, as well as simulate activity by certain threat groups. I've read MSF coverage in a few other books, but MTPTG really outdoes the competition. While I see areas for improvement to be addressed in a second edition, if you have any interest in Metasploit you should check out this book. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5551077744891025037?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5551077744891025037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5551077744891025037&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5551077744891025037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5551077744891025037'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/review-of-metasploit-penetration.html' title='Review of Metasploit: The Penetration Tester&apos;s Guide Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5045279124997372081</id><published>2011-07-28T23:19:00.003-04:00</published><updated>2011-07-28T23:22:03.439-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Hacking: The Art of 
Exploitation, 2nd Ed Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51ZltNZL2NL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of Hacking: The Art of Exploitation, 2nd Ed by Jon Erickson.  From the &lt;a href="http://www.amazon.com/review/R3CY2R8A3S9EZF/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1593271441&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;This is the last in a recent collection of reviews on "hacking" books. Jon Erickson's Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader climb each mountain. While the material is sufficiently technical to scare some readers away, those that remain will definitely learn more about the craft. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5045279124997372081?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5045279124997372081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5045279124997372081&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5045279124997372081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5045279124997372081'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/review-of-hacking-art-of-exploitation.html' title='Review of Hacking: The Art of Exploitation, 2nd Ed Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6609884972843412219</id><published>2011-07-28T23:14:00.003-04:00</published><updated>2011-07-28T23:18:59.072-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Gray Hat Hacking, 3rd Ed 
Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/516-31fKTnL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my three star review of Gray Hat Hacking, 3rd Ed by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams.  From the &lt;a href="http://www.amazon.com/review/R2RRLC21GBT964/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0071742557&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Critical reviews are my least favorite aspect of my Amazon experience, but I believe readers expect me to be honest with them. Gray Hat Hacking, 3rd Ed (GHH3E) has a lot of potential, but it needs a reboot and a ruthless editor. I read and reviewed the original edition 6 1/2 years ago but skipped the 2nd Ed. This 3rd Ed (published in Jan 2011) features several exceptionally talented authors (such as Allen Harper and Chris Eagle), so my expectations remained high. Unfortunately, after finishing the book I had collected a pile of notes that I will try to transform into constructive commentary for a 4th Ed, which I would enjoy seeing! 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6609884972843412219?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6609884972843412219/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6609884972843412219&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6609884972843412219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6609884972843412219'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/review-of-gray-hat-hacking-3rd-ed.html' title='Review of Gray Hat Hacking, 3rd Ed Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-26452669214518470</id><published>2011-07-28T23:12:00.001-04:00</published><updated>2011-07-28T23:14:44.794-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Ninja Hacking 
Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41KfBcKVuEL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my four star review of Ninja Hacking by Thomas Wilhelm and Jason Andress.  From the &lt;a href="http://www.amazon.com/review/R1IDXW6SL7SH8M/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1597495883&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Ninja Hacking is not a typical digital security book. When I saw the title I expected the use of "Ninja" to be a reference to a style of digital attack. While this is true to a certain extent, Ninja Hacking is about actual Ninja concepts applied to the digital world. The book is an introduction to Ninja history and techniques, applied to the modern digital security context. That was not at all what I expected, but I found the result intriguing. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-26452669214518470?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/26452669214518470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=26452669214518470&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/26452669214518470'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/26452669214518470'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/review-of-ninja-hacking-posted.html' title='Review of Ninja Hacking Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-857189187406517911</id><published>2011-07-28T23:09:00.002-04:00</published><updated>2011-07-28T23:12:13.918-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Managed Code Rootkits Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41WhAB5T29L._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of Managed Code Rootkits by Erez Metula.  From the &lt;a href="http://www.amazon.com/review/RBOBCY13SS83S/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1597495743&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Managed Code Rootkits (MCR) is one of the best books I've read in 2011. MCR is a one-man tour-de-force through the world of malicious software that leverages managed code for its runtime. Prior to reading the book I was only vaguely aware of the concept and implementation. After reading MCR, I am wondering when we might see more of this technique in the wild. Author Erez Metula does almost everything right in MCR, and I strongly recommend reading it. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-857189187406517911?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/857189187406517911/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=857189187406517911&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/857189187406517911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/857189187406517911'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/review-of-managed-code-rootkits-posted.html' title='Review of Managed Code Rootkits Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8023171344598138488</id><published>2011-07-28T23:07:00.002-04:00</published><updated>2011-07-28T23:09:53.070-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Buffer Overflow Attacks Posted</title><content 
type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51ZFTjSzg3L._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my two star review of Buffer Overflow Attacks, by James C. Foster, et al.  From the &lt;a href="http://www.amazon.com/review/RBNUJ4ZT3XV48/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1932266674&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I read "Buffer Overflow Attacks" as part of a collection of books on writing exploit code (reviewed separately). I have to give credit to the author team for writing one of the first books on this subject; Syngress published BOA in 2005, when the subject received less published coverage. However, better books are available now if you want to learn the sort of material found in BOA. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8023171344598138488?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8023171344598138488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8023171344598138488&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8023171344598138488'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/8023171344598138488'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/review-of-buffer-overflow-attacks.html' title='Review of Buffer Overflow Attacks Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5286362691543068285</id><published>2011-07-28T21:50:00.005-04:00</published><updated>2011-07-28T22:03:57.748-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='threat model'/><title type='text'>Risk Modeling, not "Threat Modeling"</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-sig3RfTaC24/TjISN43d0vI/AAAAAAAACTo/Z4sAg0XaJAQ/s1600/ptes-2.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 135px; height: 135px;" src="http://1.bp.blogspot.com/-sig3RfTaC24/TjISN43d0vI/AAAAAAAACTo/Z4sAg0XaJAQ/s400/ptes-2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5634586113606537970" /&gt;&lt;/a&gt;&lt;br /&gt;Thanks to the great new book &lt;a href="http://www.nostarch.com/metasploit.htm"&gt;Metasploit&lt;/a&gt; (review pending), I learned of the &lt;a href="http://www.pentest-standard.org/index.php/Main_Page"&gt;Penetration Testing Execution Standard&lt;/a&gt;.  According to the site, "It is a new standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing (i.e. security evaluations)."  
I think this project has a lot of promise given the people involved.&lt;br /&gt;&lt;br /&gt;I wanted to provide one comment through my blog, since this topic is one I've covered previously.  One of the goals of the standard is to name and explain the steps performed in a penetration test.  One of them is currently called "threat modeling," and is partly explained using this diagram:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/--MGFx0-Y0XE/TjITxn-b25I/AAAAAAAACTw/hxsAzl2DwmQ/s1600/Threat-modelling.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 372px; height: 400px;" src="http://2.bp.blogspot.com/--MGFx0-Y0XE/TjITxn-b25I/AAAAAAAACTw/hxsAzl2DwmQ/s400/Threat-modelling.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5634587827059284882" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When I saw elements called "business assets," "threat agents," "business process," and so on, I realized this is more of a &lt;b&gt;risk model&lt;/b&gt;, not just a "threat model."  &lt;br /&gt;&lt;br /&gt;I just tagged a few older posts as discussing &lt;a href="http://taosecurity.blogspot.com/search/label/threat%20model"&gt;threat model&lt;/a&gt; vs risk model linguistics, so they might help explain my thinking.  
This issue isn't life or death, but I think it would be more accurate to call this part of the PTES "Risk Modeling."&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5286362691543068285?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5286362691543068285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5286362691543068285&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5286362691543068285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5286362691543068285'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/risk-modeling-not-threat-modeling.html' title='Risk Modeling, not &quot;Threat Modeling&quot;'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-sig3RfTaC24/TjISN43d0vI/AAAAAAAACTo/Z4sAg0XaJAQ/s72-c/ptes-2.png' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4812860229728240010</id><published>2011-07-27T18:23:00.003-04:00</published><updated>2011-07-27T18:23:00.095-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pirates'/><category scheme='http://www.blogger.com/atom/ns#' term='history'/><title type='text'>Noah Shachtman’s Pirates of the ISPs</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-9NhGOGLp3Ww/TjBXxOwWVWI/AAAAAAAACTg/h5f0DsWGYtM/s1600/pirates.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 192px;" src="http://1.bp.blogspot.com/-9NhGOGLp3Ww/TjBXxOwWVWI/AAAAAAAACTg/h5f0DsWGYtM/s400/pirates.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5634099637126583650" /&gt;&lt;/a&gt;Two posts in one day?  I'm on fire!  It's easy to blog when something interesting happens, and I can talk about it.&lt;br /&gt;&lt;br /&gt;I wanted to mention the publication of &lt;a href="http://www.brookings.edu/papers/2011/0725_cybersecurity_shachtman.aspx"&gt;Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs&lt;/a&gt; by Noah Shachtman, acting in his capacity as a Nonresident Fellow for Foreign Policy in the 21st Century Defense Initiative at The Brookings Institution.  I read and commented on an earlier draft, and I think you will find Noah's paper interesting.  From the introduction:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Cybercrime today seems like a nearly insoluble problem, much like piracy was centuries ago. There are steps, however, that can be taken to curb cybercrime’s growth—and perhaps begin to marginalize the people behind it. &lt;br /&gt;&lt;br /&gt;Some of the methods used to sideline piracy provide a useful, if incomplete, template for how to get it done. 
Shutting down the markets for stolen treasure cut off the pirates’ financial lifeblood; similar pushes could be made against the companies that support online criminals. &lt;br /&gt;&lt;br /&gt;Piracy was eventually brought to heel when nations took responsibility for what went on within its borders. Based on this precedent, cybercrime will only begin to be curbed when greater authority—and accountability—is exercised over the networks that form the sea on which these modern pirates sail. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I agree with this.  My original comments to Noah emphasized that not all malicious activity on the Internet is crime, nor is it conducted by criminals.  For example, I wince whenever I see the term APT in the same sentence as crime or criminals (never mind seeing the "cyber" prefix).  As long as you keep Noah's emphasis on true crime in mind while you read the paper, I think you will find it compelling.  Great work Noah!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4812860229728240010?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4812860229728240010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4812860229728240010&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4812860229728240010'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/4812860229728240010'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/noah-shachtmans-pirates-of-isps.html' title='Noah Shachtman’s Pirates of the ISPs'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-9NhGOGLp3Ww/TjBXxOwWVWI/AAAAAAAACTg/h5f0DsWGYtM/s72-c/pirates.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4018444328941536149</id><published>2011-07-27T07:29:00.002-04:00</published><updated>2011-07-27T07:45:17.110-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='threats'/><category scheme='http://www.blogger.com/atom/ns#' term='offense'/><title type='text'>SQL Injection Challenge and Time-Based Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-QXjT9P9uBJg/Ti_2zYb9bRI/AAAAAAAACTY/19c6NhpRaJg/s1600/sqli_challenge.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 323px; height: 210px;" src="http://4.bp.blogspot.com/-QXjT9P9uBJg/Ti_2zYb9bRI/AAAAAAAACTY/19c6NhpRaJg/s400/sqli_challenge.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5633993021457263890" /&gt;&lt;/a&gt;Thanks to this &lt;a href="http://twitter.com/ryancbarnett/status/96013916605382657"&gt;Tweet&lt;/a&gt; by @ryancbarnett, I learned of the &lt;a href="http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html"&gt;lessons learned&lt;/a&gt; of the Level II component of the &lt;a 
href="http://www.modsecurity.org/demo/challenge.html"&gt;ModSecurity SQL Injection Challenge&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;As stated on the challenge site, the goal is "To successful execute SQLi against the scanning vendor demo websites and to try and evade the OWASP ModSecurity CRS."  The contestants need to identify a SQL injection vector within one of four demo websites, then enumerate certain information from the target.  &lt;br /&gt;&lt;br /&gt;As also stated on the challenge page, "Winners of this level will be anyone who is able to enumerate the data listed above for each demo app without triggering an Inbound ModSecurity Alert. If ModSecurity sees any inbound attacks or outbound application defects/info leakages, it will prepend a warning banner to the top of the page."&lt;br /&gt;&lt;br /&gt;This is interesting, but what caught my attention is the time-based security metrics describing the results of Level II of the challenge.  I'll reproduce the relevant section here:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Hacking Resistance (Time-to-Hack)&lt;br /&gt;&lt;br /&gt;Many people wrongly assume that installing a Web Application Firewall will make their sites "Hack Proof."  Sadly, this is not reality.  &lt;b&gt;The real goal of using a web application firewall should be to gain visibility and to make your web applications more difficult to hack &lt;/b&gt; meaning that it should take attackers significantly more time to hack a vulnerable web site with a WAF in front in blocking mode vs. if the WAF was not present at all. &lt;br /&gt;&lt;br /&gt;The idea is to &lt;b&gt;substantially increase the "Time-to-Hack" metric associated with compromising a site in order allow for operational security to identify the threat and take appropriate actions... &lt;/b&gt;&lt;br /&gt;&lt;br /&gt;With this in mind, we analyzed how long it took for each Level II winner to develop a working evasion for the CRS v2.2.0.  
We are basing this off of the correlated IP address in the logs that was tied to the final evasion payloads submitted to the ModSecurity team.  We also saw that many Level II winners actually tested their payloads using the CRS Demo page so we had to correlate test payloads there as well.&lt;br /&gt;&lt;br /&gt;    Avg. # of Requests to find an evasion: 433&lt;br /&gt;&lt;b&gt;    Avg. Duration (Time to find an evasion): 72 hrs&lt;/b&gt;&lt;br /&gt;    Shortest # of Requests to find an evasion: 118&lt;br /&gt;&lt;b&gt;    Shortest Duration (Time to find an evasion): 10 hrs&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This data shows that having active monitoring and response capabilities of ongoing web attacks is paramount as it may only a matter of hours before a determined attacker finds a way through your defenses.&lt;br /&gt;&lt;br /&gt;I [Ed: Ryan, not Richard] realize that there are a multitude of variables and conditions involved where people can say that these numbers are off (either too high or too low) depending on your defenses and attacker skill level.  Keep in mind that this metric was obtained from the ModSecurity WAF using mainly a negative security model ruleset.  The point of presenting this data, however, is to have some form of metric available for active web application monitoring and defense discussions related to exploitation timelines.  &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;What a great use of empirical data to make a point about security!  Like Ryan says, you can argue about the rating of the intruder (does 10 hours really reflect a skilled intruder?) or the defenses (is ModSecurity really sufficient?).  I'd answer that they those aspects of the challenge are sound enough to use as benchmarks for a certain portion of the threat community and state-of-the-practice for defenses.&lt;br /&gt;&lt;br /&gt;Ten hours, then, represents the window of time between when an intruder would first start trying to compromise the Web app, and when he succeeded.  
In time-based security terms, that means the IR team's detection time plus its response time must total less than 10 hours if protection is to hold: it must detect the activity and take action to close the window of vulnerability before the intruder finishes finding his way through.
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-QXjT9P9uBJg/Ti_2zYb9bRI/AAAAAAAACTY/19c6NhpRaJg/s72-c/sqli_challenge.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6293719195900331879</id><published>2011-07-05T18:36:00.001-04:00</published><updated>2011-07-05T18:36:00.035-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blackhat'/><title type='text'>Bejtlich Teaching in Abu Dhabi in December</title><content type='html'>&lt;img src="http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s200/blackhat.jpg" align=left&gt;I'm pleased to announce that on December 12-13 at &lt;a href="https://www.blackhat.com/html/bh-ad-11/bh-ad-11-home.html"&gt;Black Hat Abu Dhabi&lt;/a&gt; I will teach a special two-day edition of &lt;a href="https://www.blackhat.com/html/bh-ad-11/training/bh-ad-11-training_TS-tcpip.html"&gt;TCP/IP Weapons School 3.0&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;This class is designed for junior and intermediate security analysts.  The "sweet spot" for the potential student is someone working in a security operations center (SOC) or computer incident response team (CIRT), or someone trying to establish one of those organizations.  The class is very hands-on, and focuses on labs and discussions.  There are less than 10 slides at the very beginning of the class, and I build the flow of the class based on what you want to hear.&lt;br /&gt;&lt;br /&gt;If you would like details on the class, please see the linked site.  You may also find my announcement for my &lt;a href="http://taosecurity.blogspot.com/2011/03/bejtlich-teaching-two-sessions-at-black.html"&gt;Black Hat sessions&lt;/a&gt; on 30-31 July and 1-2 August to be helpful too.  
I'm looking forward to seeing you learn the investigative mindset needed to detect and respond to digital intrusions!&lt;br /&gt;&lt;br /&gt;Black Hat has four remaining price points and deadlines for registration.&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;"Best" ends 15 August&lt;/li&gt;&lt;br /&gt;&lt;li&gt;"Early" ends 17 August&lt;/li&gt;&lt;br /&gt;&lt;li&gt;"Late" ends 12 December&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Onsite starts at the conference&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Seats are filling -- it pays to register early!&lt;br /&gt;&lt;br /&gt;On a related note, we're almost one month away from my 8-9 August &lt;a href="http://taosecurity.blogspot.com/2011/05/bejtlich-teaching-at-usenix-security-in.html"&gt;TCP/IP Weapons School 3.0&lt;/a&gt; in San Francisco at &lt;a href="http://www.usenix.org/events/sec11/"&gt;USENIX Security 2011&lt;/a&gt;.  Seats are filling in that class too!&lt;br /&gt;&lt;br /&gt;I'm also still working on the details for a northern VA TCP/IP Weapons School 3.0 class.  When I have them ready I will post them.  
Thank you.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6293719195900331879?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6293719195900331879/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6293719195900331879&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6293719195900331879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6293719195900331879'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/07/bejtlich-teaching-in-abu-dhabi-in.html' title='Bejtlich Teaching in Abu Dhabi in December'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s72-c/blackhat.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5286952920220827551</id><published>2011-06-28T22:19:00.003-04:00</published><updated>2011-06-28T22:32:42.020-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Why Business Methods Are as Important as IP to China</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-NllAAzwMHDM/TgqL8RR9EmI/AAAAAAAACR8/BVtSF6zgV0k/s1600/china_signpost_crop.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 293px;" src="http://3.bp.blogspot.com/-NllAAzwMHDM/TgqL8RR9EmI/AAAAAAAACR8/BVtSF6zgV0k/s400/china_signpost_crop.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5623460952272605794" /&gt;&lt;/a&gt;Courtesy of &lt;a href="http://china-defense.blogspot.com/2011/06/jet-engine-development-in-china.html"&gt;China Defense Blog&lt;/a&gt;, I just read a fascinating (if you like aircraft) report on China's capability to natively produce jet engines produced by China SignPost titled &lt;a href="http://www.chinasignpost.com/wp-content/uploads/2011/06/China-SignPost_39_-China-Tactical-Aircraft-Jet-Engine-Deep-Dive_20110626.pdf"&gt;Jet Engine Development in China: Indigenous high-performance turbofans are a final step toward fully independent fighter production&lt;/a&gt; (pdf).&lt;br /&gt;&lt;br /&gt;It's common to see open source reports describing how the APT seeks intellectual property (IP), which many people read as plans, designs, and related mechanical and scientific information.  What some miss, however, is that China needs business know-how as well as technical know-how in order to achieve its economic and security goals.  
The report includes examples of this:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;What China must achieve, however, is a &lt;b&gt;methodology akin to Six Sigma or Total Quality Management (TQM) to ensure quality control and sufficient organizational honesty&lt;/b&gt; to ensure that actual problems are reported and that figures are not doctored. &lt;br /&gt;&lt;br /&gt;Otherwise, standardization and integration may be the one in which the costs of China’s ad hoc, eclectic approach to strategic technology development truly manifest themselves. &lt;br /&gt;&lt;br /&gt;The &lt;b&gt;Soviet defense industrial base failed in precisely this area&lt;/b&gt;: talented designers and technicians presided over balkanized design bureaus and irregularly-linked production facilities; lack of standardization and quality control rendered it “less than the sum of the parts.”&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;If there's anything you need to know about the Chinese government, it's that it seeks to avoid mistakes made by others.  The Chinese government does not want to repeat the Soviet failure, and it knows that technology isn't the only component when trying to build jet engines.  
Expect more overt and covert actions by Chinese actors -- including intrusions that target process and management know-how, not just engineering data -- to gain the resources they need to indigenously create this core military and civilian capability.
width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4248105028399843537</id><published>2011-06-25T09:50:00.003-04:00</published><updated>2011-06-26T15:20:54.775-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><title type='text'>With "Cyber" Attacks, Effects Matter More Than Means</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-TRmjVyQhvr0/TgXoATV8QtI/AAAAAAAACR0/fAB1sKN1y5Q/s1600/nl_vol14_no2.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 175px; height: 226px;" src="http://1.bp.blogspot.com/-TRmjVyQhvr0/TgXoATV8QtI/AAAAAAAACR0/fAB1sKN1y5Q/s400/nl_vol14_no2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5622154801731879634" /&gt;&lt;/a&gt;I enjoyed reading Stuxnet Poses Interesting International Cyber Law Issues by Rick Aldrich in &lt;a href="http://iac.dtic.mil/iatac/download/Vol14_No2.pdf"&gt;IAnewsletter Vol 14 No 2&lt;/a&gt; (pdf).  I've known the author since my days in the USAF and he's very clued-in as a CS grad from USAFA and a lawyer who worked for AFOSI.  I'd like to share a few excerpts.  Please try to avoid fixation on Stuxnet if that topic bothers you.  Stuxnet is not the core of Alrich's argument.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Article 51 of the United Nations (UN) charter states in pertinent part, “Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations.” [8]&lt;br /&gt;&lt;br /&gt;So &lt;b&gt;can a cyber attack&lt;/b&gt;, such as that evidenced by Stuxnet, &lt;b&gt;constitute an “armed attack?”&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Clearly at the time Article 51 was written, in August of 1945, such an attack was never envisioned. 
Traditionally the term “armed attack” has connoted a kinetic attack – missiles, bombs, bullets and the like – but it has never been definitively defined. &lt;br /&gt;&lt;br /&gt;Incidents like the cyber attacks against Estonia in 2007 and against Georgia in 2008 have prompted renewed interest in defining if or when a cyber attack can also constitute an “armed attack.”&lt;br /&gt;&lt;br /&gt;&lt;b&gt;International legal scholars are increasingly moving away from the means of attack and instead looking to the effects.&lt;/b&gt; &lt;br /&gt;&lt;br /&gt;The test would be whether the effects of the attack are similar to those of a kinetic attack. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Cyber attacks that result in physical damage&lt;/b&gt;, such as the destroyed centrifuges in the case of Stuxnet, &lt;b&gt;may be pulled under the rubric of an armed attack, though this approach does not rule out attacks &lt;u&gt;resulting in non-physical effects&lt;/u&gt; if the harm is substantial&lt;/b&gt;.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This is fascinating, because it makes "cyber" less relevant and requires judgement regarding the consequences of an event.  
Clearly physical harm takes precedence here, but the underlined portion shows that even &lt;b&gt;digital events without physical harm could still be considered attacks&lt;/b&gt;, in the eyes of legal experts.&lt;br /&gt;&lt;br /&gt;The article raises other interesting points, such as options for Iran, but I wanted to emphasize the points I listed above.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4248105028399843537?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4248105028399843537/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4248105028399843537&amp;isPopup=true' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4248105028399843537'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4248105028399843537'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/06/with-cyber-attacks-effects-matter-more.html' title='With &quot;Cyber&quot; Attacks, Effects Matter More Than Means'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-TRmjVyQhvr0/TgXoATV8QtI/AAAAAAAACR0/fAB1sKN1y5Q/s72-c/nl_vol14_no2.jpg' height='72' width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4069348541219210985</id><published>2011-06-15T23:09:00.001-04:00</published><updated>2011-06-15T23:11:31.251-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bruins'/><title type='text'>THEY DID IT</title><content type='html'>&lt;IMG SRC="http://lh5.googleusercontent.com/-e4lKFFy5N5Q/TeBnWwU9III/AAAAAAAACQU/czuRy1Ew8IQ/bejtlich_bruins_400.jpg" ALIGN=LEFT&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4069348541219210985?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4069348541219210985/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4069348541219210985&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4069348541219210985'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4069348541219210985'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/06/they-did-it.html' title='THEY DID IT'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh5.googleusercontent.com/-e4lKFFy5N5Q/TeBnWwU9III/AAAAAAAACQU/czuRy1Ew8IQ/s72-c/bejtlich_bruins_400.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4897304018464983852</id><published>2011-06-04T16:39:00.003-04:00</published><updated>2011-06-04T17:07:32.421-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='training'/><title type='text'>Security Conference Recommendations</title><content type='html'>&lt;img src="http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s200/blackhat.jpg" align=left&gt;After my post &lt;a href="http://taosecurity.blogspot.com/2011/05/bejtlich-teaching-at-usenix-security-in.html"&gt;Bejtlich Teaching at USENIX Security in San Francisco 8-9 Aug&lt;/a&gt; a reader asked the following:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Richard,&lt;br /&gt;&lt;br /&gt;I was curious if you could suggest other security conferences that either you have attended or have heard are better than average? &lt;br /&gt;&lt;br /&gt;It seems as though everyone and their brother sponsor some sort of security conference and it is difficult to tell how educational they will be just by reading the website. &lt;br /&gt;&lt;br /&gt;Perhaps you could provide some insight into how you determine which conferences you would actually pay to attend? Thanks!&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Great question.  The answer that follows is just my opinion, and I'm sure others feel differently.  For me, I like these conferences:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;a href="http://www.blackhat.com/"&gt;Black Hat&lt;/a&gt; offers the best combination of training plus briefings per unit time, on a consistent basis.  
In other words, I believe attendees will learn more in two days of Black Hat Training plus two days of Black Hat Briefings compared to any alternatives, every year.  The content is uniformly high, regardless of whether you attend in DC, Barcelona, Las Vegas, Tokyo, or Abu Dhabi.  This is why I will be teaching two &lt;a href="http://www.blackhat.com/html/bh-us-11/training/bh-us-11-training_TS-tcpip.html"&gt;TCP/IP Weapons School 3.0 classes&lt;/a&gt; this summer and staying for the two days of Briefings that follow.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;My next favorite event is probably the &lt;a href="http://www.sans.org/forensics-incident-response-summit-2011/"&gt;SANS What Works in Forensics and Incident Response Summit&lt;/a&gt; organized each year by Rob Lee.  His Summit connects me with the sorts of people who do the same work that I do.  The event is a mix of panels and briefings by interesting people.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;In terms of value per dollar spent, you can't beat &lt;a href="http://www.securitybsides.com/"&gt;Security B-Sides&lt;/a&gt;.  Why is that?  Well, your travel cost will likely be almost nothing, since B-Sides events happen all over the world.  Registration is free.  Content quality is mixed, but when you throw a lot of local security people into a room in a non-traditional format, the output is surprisingly good!&lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you want more of an academic approach, I recommend any of the &lt;a href="http://www.usenix.org/"&gt;USENIX&lt;/a&gt; conferences.  They are also a mix of training, "Refereed Papers" (see what I mean), and Invited Talks.  I tend to see more college students talking about "solutions" more or less detached from the real world, but the diversity of specialized events means you're likely to find something of value that meets your direct needs, especially regarding system administration.  
After a multi-year break, I'm returning to teach &lt;a href="http://www.usenix.org/events/sec11/training/tutonefile.html#Monday"&gt;TCP/IP Weapons School 3.0&lt;/a&gt; in San Francisco at USENIX Security in August.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Returning to the incident response world, you might also like &lt;a href="http://www.first.org/events/first/"&gt;FIRST&lt;/a&gt; conferences.  I think every CIRT should become a FIRST member, and attending a conference or other FIRST event every other year or so is a nice way to stay in touch with a very globalized security community.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;If you qualify to attend, you might also enjoy the &lt;a href="http://www.dodcybercrime.com"&gt;DoD Cybercrime&lt;/a&gt; or &lt;a href="http://www.us-cert.gov/GFIRST/"&gt;GFIRST&lt;/a&gt; conferences.  As you can tell they cater to the .gov and .mil communities, but their focus tends to involve more interesting problem sets.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;I should also give &lt;a href="http://cansecwest.com/"&gt;CanSecWest&lt;/a&gt; an honorable mention, although it's been years since I've attended.  I could say the same for &lt;a href="http://www.bsdcan.org"&gt;BSDCan&lt;/a&gt; and &lt;a href="http://www.shmoocon.org/"&gt;ShmooCon&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;Speaking of Shmoo, the logistics are the main reason I stopped going.  At least with my old job, it was a hassle to commute to DC for only a Friday evening, then again for a full day Saturday, and again for only a few hours on Sunday morning.  I don't like weekend events since I'd rather spend the time with my family, and the ratio of travel-to-conference for Friday evening and Sunday morning was just too high!&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Regarding how I pick conferences, I primarily want to learn something and see people whom I may not have seen recently.  I prefer to avoid any conferences where keynotes are given to sponsors based on their sponsorship alone.  
I also try to attend conferences where I expect new material to be presented.&lt;br /&gt;&lt;br /&gt;What conferences do you like to attend, and why?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4897304018464983852?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4897304018464983852/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4897304018464983852&amp;isPopup=true' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4897304018464983852'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4897304018464983852'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/06/security-conference-recommendations.html' title='Security Conference Recommendations'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s72-c/blackhat.jpg' height='72' 
width='72'/><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8145891176353308477</id><published>2011-06-03T21:38:00.004-04:00</published><updated>2011-06-03T21:58:29.740-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>China's View Is More Important Than Yours</title><content type='html'>&lt;img src="http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s200/Chinese_draak.jpg" align=left&gt;In my post &lt;a href="http://taosecurity.blogspot.com/2010/12/review-of-dragon-bytes-posted.html"&gt;Review of Dragon Bytes Posted&lt;/a&gt; I wrote the following to summarize analysis of Chinese thoughts on cyberwar, as translated from original Chinese publications:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;The Chinese military sees Western culture, particularly American culture, as an &lt;b&gt;assault on China,&lt;/b&gt; saying "the West uses a system of values (democracy, freedom, human rights, etc.) in a &lt;b&gt;long-term attack on socialist countries&lt;/b&gt;... &lt;br /&gt;&lt;br /&gt;Marxist theory opposes peaceful evolution, which... is the basic Western tactic for subverting socialist countries" (pp 102-3). They believe the &lt;b&gt;US is conducting psychological warfare operations against socialism&lt;/b&gt; and consider culture as a "frontier" that has extended beyond American shores into the Chinese mainland. &lt;br /&gt;&lt;br /&gt;The Chinese therefore consider control of information to be paramount, since they do not trust their population to "correctly" interpret American messaging (hence the "Great Firewall of China"). 
In this sense, China may consider the &lt;b&gt;US as the aggressor in an ongoing cyberwar&lt;/b&gt;.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Today's Reuters article &lt;a href="http://www.reuters.com/article/2011/06/03/us-china-internet-google-idUSTRE7520OV20110603"&gt;China PLA officers call Internet key battleground&lt;/a&gt; elaborated on these ideas:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;The essay by two PLA scholars, Senior Colonel Ye Zheng and his colleague Zhao Baoxian, in the China Youth Daily nonetheless stressed that Beijing is focused on honing its cyber-warfare skills, and sees an unfettered Internet as a threat to its Communist Party-run state.&lt;br /&gt;&lt;br /&gt;"&lt;b&gt;Just as nuclear warfare was the strategic war of the industrial era, cyber-warfare has become the strategic war of the information era&lt;/b&gt;, and this has become a form of battle that is massively destructive and concerns the life and death of nations," they wrote in the Party-run paper...&lt;br /&gt;&lt;br /&gt;"&lt;b&gt;Cyberware [sic] is an entirely new mode of battle that is invisible and silent, and it is active not only in wars and conflicts, but also flares in the everyday political, economic, military, cultural and scientific activities.&lt;/b&gt;"&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The first highlight makes me think the Chinese see the current cyberwar as being similar to the Cold War.  During the Cold War, nuclear warfare (or avoiding it) was the strategic form of war.  During the current "Electronic War" (my term, not sure I like it), cyberwar is the strategic form of war.&lt;br /&gt;&lt;br /&gt;The second highlight shows that the Chinese see cyberwar as being active &lt;b&gt;right now&lt;/b&gt;, and "not only in wars and conflicts."  
By "wars and conflicts" they mean physical combat.&lt;br /&gt;&lt;br /&gt;The AP article &lt;a href="http://abcnews.go.com/Business/wireStory?id=13750409"&gt;China Calls US Culprit in Global 'Internet War'&lt;/a&gt; contained a few more choice quotes:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Writing in the Communist Party-controlled China Youth Daily newspaper, the scholars did not mention Google's claims, but said recent computer attacks and &lt;b&gt;incidents employing the Internet to promote regime change in Arab nations appeared to have originated with the U.S. government.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;"Of late, an Internet tornado has swept across the world ... massively impacting and shocking the globe. &lt;b&gt;Behind all this lies the shadow of America,&lt;/b&gt;" said the article, signed by Ye Zheng and Zhao Baoxian, identified as scholars with the Academy of Military Sciences.&lt;br /&gt;&lt;br /&gt;"&lt;b&gt;Faced with this warmup for an Internet war, every nation and military can't be passive but is making preparations to fight the Internet war&lt;/b&gt;," it said...&lt;br /&gt;&lt;br /&gt;China needs to "express to the world its principled stance of &lt;b&gt;maintaining an 'Internet border' and protecting its 'Internet sovereignty,'&lt;/b&gt; unite all advanced forces to dive into the raging torrent of the age of peaceful use of the Internet, and return to the Internet world a healthy, orderly environment," the article said.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;As you can see, the Chinese think an information war is already being waged.  The US started it, and the US continues it (in the Chinese view) as demonstrated by turbulence in the Middle East.&lt;br /&gt;&lt;br /&gt;China's view is more important than yours, because China is acting on its view while too many in the West and the US in particular argue about whether or not a cyberwar is happening.  The Chinese believe cyberwar is ongoing, and that the US started it.  
From what I can tell, the Chinese intend to win it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8145891176353308477?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8145891176353308477/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8145891176353308477&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8145891176353308477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8145891176353308477'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/06/chinas-view-is-more-important-than.html' title='China&apos;s View Is More Important Than Yours'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s72-c/Chinese_draak.jpg' height='72' 
width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7262213219084617709</id><published>2011-05-21T09:43:00.006-04:00</published><updated>2011-05-21T10:09:43.580-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='leadership'/><title type='text'>Five Qualities of Real Leadership</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-OFq0HDJ1zMA/TdfBlqPzRXI/AAAAAAAACP4/YnYQlAP6VZs/s1600/soldiers_helo.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 269px; height: 400px;" src="http://3.bp.blogspot.com/-OFq0HDJ1zMA/TdfBlqPzRXI/AAAAAAAACP4/YnYQlAP6VZs/s400/soldiers_helo.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5609164713653126514" /&gt;&lt;/a&gt;I've noticed coverage of "leadership" in IT magazines recently, but I'm not comfortable with the approach they take.  For example, this editorial in CIO Magazine titled &lt;a href="http://www.cio.com/article/680735/Leadership_Isn_x2019_t_a_Fairy_Tale_After_All"&gt;Leadership Isn't a Fairy Tale After All&lt;/a&gt; has "Personal attention and hands-on involvement can make good IT managers great IT leaders" as the subtitle.  The text then says:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Our story spells out detailed tactics and practical ideas that CIOs can use to turn good IT managers into potentially great IT leaders...&lt;br /&gt;&lt;br /&gt;You’ll notice a strong thread of personal attention and hands-on involvement from the very top at the companies developing a strong bench of future leaders. &lt;br /&gt;&lt;br /&gt;At REDACTED, for example, the CEO walks the walk on one-to-one leadership development by holding &lt;b&gt;regular career conversations&lt;/b&gt; with his senior leadership team. His CIO, REDACTED, then makes sure that &lt;b&gt;style of direct communication&lt;/b&gt; flows downward to the IT team. 
“If you don’t take time to talk to people about their professional development,” REDACTED notes, “it just doesn’t get done.”&lt;br /&gt;&lt;br /&gt;REDACTED is another bright light in this realm with a program called The Lab, which fosters leadership development across various business units by bringing together 30 of them at a time to form &lt;b&gt;strategic problem-solving teams&lt;/b&gt;. &lt;br /&gt;&lt;br /&gt;And at REDACTED, CIO REDACTED connects on a more personal level, &lt;b&gt;emailing coffee-talk questions&lt;/b&gt; to her global staff every two weeks to get conversations going on everything from personal dreams to world views. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;In my opinion, "regular career conversations" are a form of coaching, not leadership.  Forming "strategic problem-solving teams" is management, not leadership.  Finally, "emailing coffee-talk questions" is banter, not leadership.&lt;br /&gt;&lt;br /&gt;So what are the five qualities of leadership, at least in my experience?&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Leaders develop and execute a vision; they do not follow trends set by others.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Leaders embody strong core values and do not sacrifice those core values in order to advance their personal careers.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Leaders' actions demonstrate a focus on their people, not themselves, and that focus on the people takes care of the mission.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Leaders work to "make their people look good," rather than making the boss or themselves look good.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;In the darkest hours, leaders put themselves personally at risk for the good of their team.&lt;/li&gt;&lt;br /&gt;&lt;/ol&gt;&lt;br /&gt;Notice the contrast between these five principles and the previous guidance.  My focus is on actions, whereas the other ideas focus on communication.  I do not discount the value of communication, but with leadership the deeds matter far more than the words.  
It is helpful to have coaching, mentoring, managing, and so forth, but these concepts are separate from leadership.&lt;br /&gt;&lt;br /&gt;If you're wondering about the image for this post, I wanted to show a picture from the movie &lt;a href="http://www.imdb.com/title/tt0277434/"&gt;We Were Soldiers&lt;/a&gt;, based on the &lt;a href="http://www.lzxray.com/"&gt;book&lt;/a&gt; by Lt Gen Hal Moore and Joe Galloway.  Then Lt Col Moore (portrayed by Mel Gibson) always landed with his air cavalry troops, in the first helicopter, and was the first person to step foot on adversary soil.  He was also the last person to leave.  As he wrote:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;When we step on the battlefield, I will be The First Boots On and the Last Boots Off.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;And he didn't just say it, he did it. That's a leader.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7262213219084617709?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7262213219084617709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7262213219084617709&amp;isPopup=true' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7262213219084617709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7262213219084617709'/><link rel='alternate' type='text/html' 
href='http://taosecurity.blogspot.com/2011/05/five-qualities-of-real-leadership.html' title='Five Qualities of Real Leadership'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-OFq0HDJ1zMA/TdfBlqPzRXI/AAAAAAAACP4/YnYQlAP6VZs/s72-c/soldiers_helo.png' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3344072672813381158</id><published>2011-05-21T08:35:00.003-04:00</published><updated>2011-05-22T17:02:04.423-04:00</updated><title type='text'>CIO Magazine Realizes "IT Alignment" Is Dead</title><content type='html'>&lt;img src="https://lh5.googleusercontent.com/_Z-tqVTd9fPI/Rv3O77qoQYI/AAAAAAAAAK4/KJD-8CYgwos/cio-logo_180x109.gif" align=left&gt;I took a look at the newest print edition of &lt;a href="http://www.cio.com/"&gt;CIO Magazine&lt;/a&gt; and saw the story &lt;a href="http://www.cio.com/article/682226/IT_Value_Is_Dead._Long_Live_Business_Value."&gt;IT Value Is Dead. Long Live Business Value.&lt;/a&gt; (Registration is needed for the whole article, but you don't need it.)  The article includes these gems:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;The end of IT-business alignment is nigh.&lt;/b&gt; And no one is happier about it than the business-focused CIO.&lt;br /&gt;&lt;br /&gt;“If you stand in front of an audience of CIOs and start talking about IT-business alignment, at best you get eye rolls, and at worst you get people walking out of the room...” &lt;br /&gt;&lt;br /&gt;[A]lignment, it turns out, is not the ultimate end for corporate IT. 
In fact, says Dave Aron, vice president and fellow in Gartner’s CIO Research group, &lt;b&gt;the language of IT-business alignment—encouraged and endorsed for more than a decade by industry analysts, consultants and, for a time, this magazine—is now dangerously counterproductive, setting IT apart from the enterprise&lt;/b&gt; even as technology itself becomes more inextricably entrenched in it.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;You heard it here already!  For example in this &lt;a href="https://twitter.com/#!/taosecurity/statuses/18357144495587328"&gt;Tweet&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;I reject the notion that companies have "business" elements to which the "non-business" must align. There's only one business, or should be.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I'm pleased to see organizations like CIO and Gartner connect with reality.  Now we have to see how long it takes to banish "IT alignment" talk from the mindshare of other publishers, speakers, and so-called thought leaders.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3344072672813381158?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3344072672813381158/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3344072672813381158&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/3344072672813381158'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3344072672813381158'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/05/cio-magazine-realizes-it-alignment-is.html' title='CIO Magazine Realizes &quot;IT Alignment&quot; Is Dead'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='https://lh5.googleusercontent.com/_Z-tqVTd9fPI/Rv3O77qoQYI/AAAAAAAAAK4/KJD-8CYgwos/s72-c/cio-logo_180x109.gif' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4212777952208325819</id><published>2011-05-18T18:00:00.002-04:00</published><updated>2011-05-19T23:09:43.156-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='training'/><category scheme='http://www.blogger.com/atom/ns#' term='usenix'/><title type='text'>Bejtlich Teaching at USENIX Security in San Francisco 8-9 Aug</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-hxVelsN6oVE/TdQzm0zkuXI/AAAAAAAACPc/Pyx8EvUvV5g/s1600/sec11_button.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 125px; height: 125px;" src="http://2.bp.blogspot.com/-hxVelsN6oVE/TdQzm0zkuXI/AAAAAAAACPc/Pyx8EvUvV5g/s400/sec11_button.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5608164178086115698" /&gt;&lt;/a&gt;For the first time in four years, I will teach for the USENIX organization!  
I'm pleased to announce that on August 8-9 at &lt;a href="http://www.usenix.org/events/sec11/"&gt;USENIX Security 2011&lt;/a&gt; in San Francisco, I will teach a special two-day edition of &lt;a href="http://www.usenix.org/events/sec11/training/tutonefile.html#Monday"&gt;TCP/IP Weapons School 3.0&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;This class is designed for junior and intermediate security analysts.  The "sweet spot" for the potential student is someone working in a security operations center (SOC) or computer incident response team (CIRT), or someone trying to establish one of those organizations.  The class is very hands-on, and focuses on labs and discussions.  There are less than 10 slides at the very beginning of the class, and I build the flow of the class based on what you want to hear.&lt;br /&gt;&lt;br /&gt;If you would like details on the class, please see the linked site.  You may also find my announcement for my &lt;a href="http://taosecurity.blogspot.com/2011/03/bejtlich-teaching-two-sessions-at-black.html"&gt;Black Hat sessions&lt;/a&gt; on 30-31 July and 1-2 August to be helpful too.  It will be a busy few weeks this summer but I'm looking forward to seeing you learn the investigative mindset needed to detect and respond to digital intrusions!&lt;br /&gt;&lt;br /&gt;On a related note, I received a very positive response regarding a possible class in the northern VA area this fall.  I will work out the details on that and try to post information as soon as I figure it out.  
Thank you.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4212777952208325819?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4212777952208325819/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4212777952208325819&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4212777952208325819'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4212777952208325819'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/05/bejtlich-teaching-at-usenix-security-in.html' title='Bejtlich Teaching at USENIX Security in San Francisco 8-9 Aug'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-hxVelsN6oVE/TdQzm0zkuXI/AAAAAAAACPc/Pyx8EvUvV5g/s72-c/sec11_button.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6290713010035263189</id><published>2011-05-18T16:42:00.003-04:00</published><updated>2011-05-18T16:46:02.880-04:00</updated><title type='text'>America the Vulnerable Arrives This Fall</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/417yFfVAggL._AA300.jpg" align=left&gt;Today I attended a talk by Joel Brenner, formerly national counterintelligence executive (NCIX) and now a lawyer with &lt;a href="http://www.cooley.com/jbrenner"&gt;Cooley LLP&lt;/a&gt;.  He talked about the threat to national and economic security posed by our overseas friends.  I was most excited to learn that he has a new book arriving this fall titled &lt;a href="http://www.amazon.com/America-Vulnerable-Technology-National-Security/dp/159420313X/"&gt;America the Vulnerable: New Technology and the Next Threat to National Security&lt;/a&gt;.  Given his experience as NCIX, his former role at NSA, and his current role with intellectual property defense at Cooley, I am looking forward to reading this book!&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6290713010035263189?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6290713010035263189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6290713010035263189&amp;isPopup=true' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6290713010035263189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6290713010035263189'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/05/america-vulnerable-arrives-this-fall.html' title='America the Vulnerable Arrives This Fall'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-251206612359822402</id><published>2011-04-30T22:09:00.005-04:00</published><updated>2011-08-14T18:34:36.068-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Early Review of Ghost in the Wires</title><content type='html'>&lt;img src="http://ec5.images-amazon.com/images/I/51rSgdzs%2BBL._AA200.jpg" align=left&gt;Kevin Mitnick was kind enough to send me a galley copy of his upcoming autobiography &lt;a href="http://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/0316037702/"&gt;Ghost in the Wires&lt;/a&gt;.  Amazon.com won't let me post a review yet, so I'll write what I would have supplied to the site.&lt;br /&gt;&lt;br /&gt;In 2002 I reviewed Kevin Mitnick's first book, &lt;a href="http://www.amazon.com/review/RSR0IIIUG0AUL/ref=cm_cr_rdp_perm?ie=UTF8&amp;ASIN=0471237124&amp;nodeID=&amp;tag=&amp;linkCode="&gt;The Art of Deception&lt;/a&gt;.  In 2005 I reviewed his second book, &lt;a href="http://www.amazon.com/review/R3DM3LAFN8L08P/ref=cm_cr_rdp_perm?ie=UTF8&amp;ASIN=0764569597&amp;nodeID=&amp;tag=&amp;linkCode="&gt;The Art of Intrusion&lt;/a&gt;.  I gave both books four stars.  
Mitnick's newest book, however, with long-time co-author Bill Simon, is a cut above their previous collaborations and earns five stars.&lt;br /&gt;&lt;br /&gt;As far as I can tell (and I am no Mitnick expert, despite reading almost all previous texts mentioning him), this is the real deal.  Mitnick addresses just about everything you might want to know about.  For me, the factor that made the book unique was the authors' attention to detail.  This sounds like it might have been a point of contention between the co-authors, but I found the methodical explanation of the social engineering and technical attacks to be relevant and interesting.  Mitnick doesn't just say he social engineered a target; rather, he walks you through every step of the event!  It's amazing, audacious, and in many cases beyond the pale.  &lt;br /&gt;&lt;br /&gt;One surprise for me was the amount of technical hacking Mitnick describes.  He wasn't just crafty with a phone; he spent a lot of time at the keyboard executing technical exploitation of Unix variants.  Interestingly, this may or may not include the so-called "Mitnick attack" whereby Tsutomu Shimomura's computer suffered the only documented TCP blind spoofing incident.  In Ghost in the Wires, Mitnick says an Israeli hacker nicknamed JSZ wrote the code to implement the attack, and JSZ executed the Christmas Day 1994 exploitation of Shimomura's computer (p 326).  Later on p 334, however, Mitnick notes the same attack worked against a different target (blackhole dot inmet dot com), so he may have executed that previously undocumented incident himself?&lt;br /&gt;&lt;br /&gt;Ghost in the Wires also shares the human side of Mitnick's story.  His description of solitary confinement and his anxiety of returning to those conditions seemed very real.  They appear ever more relevant given recent treatment of Bradley Manning.  
One has to wonder about "cruel and unusual punishment" of those who are not convicted, such that they will sign plea deals just to avoid solitary confinement.  Beyond prison issues, Mitnick's love for his family (especially his mother and grandmother) was clear throughout the book.&lt;br /&gt;&lt;br /&gt;I very much enjoyed reading Ghost in the Wires, and I believe the majority of the computer security community would too.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Update&lt;/u&gt;: I posted this to &lt;a href="http://www.amazon.com/review/R18E6C51U85ASX/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0316037702&amp;nodeID=&amp;tag=&amp;linkCode="&gt;Amazon.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-251206612359822402?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/251206612359822402/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=251206612359822402&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/251206612359822402'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/251206612359822402'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/early-review-of-ghost-in-wires.html' title='Early Review of Ghost in the Wires'/><author><name>Richard 
Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-2953091214815797661</id><published>2011-04-30T22:07:00.002-04:00</published><updated>2011-04-30T22:08:44.869-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Windows Internals, 5th Ed Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51060zIAMHL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of Windows Internals, 5th Ed by Mark Russinovich and David Solomon, with Alex Ionescu.  Microsoft Press provided a free review copy.  From the &lt;a href="http://www.amazon.com/review/R1ICPIG6Y2GYYB/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0735625301&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Windows Internals, 5th Ed (WI5E) by Mark Russinovich and David Solomon, with Alex Ionescu, is a remarkable technical achievement. I read the book to better understand Windows to improve my security knowledge. I am not a Windows programmer, but I thought WI5E would provide context for some of the exploit and vulnerability information I occasionally encounter. I absorbed as much of WI5E as I could, but quickly found the scope and depth of the material to be incredible. While there is no substitute for reading source code, the explanations in WI5E come close! So many aspects of Windows are described, to such a deep level, that you might find yourself wanting to use Windows just to see WI5E's descriptions at work. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-2953091214815797661?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/2953091214815797661/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=2953091214815797661&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2953091214815797661'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/2953091214815797661'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/review-of-windows-internals-5th-ed.html' title='Review of Windows Internals, 5th Ed Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-1730355342719952468</id><published>2011-04-30T22:04:00.002-04:00</published><updated>2011-04-30T22:06:55.614-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Windows System Programming, 
4th Ed Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51IhwUtBLgL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of Windows System Programming, 4th Ed by Johnson M. Hart.  Addison-Wesley provided a free review copy.  From the &lt;a href="http://www.amazon.com/review/R5KNU6U0ZKIRO/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0321657748&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I read Windows System Programming, 4th Ed (WSP4E) by Johnson M. Hart after finishing Windows via C/C++, 5th Ed (WVCP5E) by Richter and Nasarre. While I liked WVCP5E, I found WSP4E to be the better book for the sort of understanding I was trying to achieve. I'm not a professional Windows programmer, but I wanted to learn more about how Windows works. Hart's book did the trick, especially for a person like me with more of a Unix background. If you want to better know how to program on Windows, and specifically recognize differences among using the C libraries, the Windows API, and Windows "convenience functions," WSP4E is the book for you too. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-1730355342719952468?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/1730355342719952468/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=1730355342719952468&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1730355342719952468'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1730355342719952468'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/review-of-windows-system-programming.html' title='Review of Windows System Programming, 4th Ed Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6520700824631840117</id><published>2011-04-30T22:01:00.002-04:00</published><updated>2011-04-30T22:04:37.077-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Windows via C/C++, 5th Ed 
Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/417dEQg6XEL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my four star review of Windows via C/C++, 5th Ed by Jeffrey M. Richter and Christophe Nasarre.  Microsoft Press provided a free review copy.  From the &lt;a href="http://www.amazon.com/review/R3RMN25CEOF72Y/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0735624240&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I will admit right away that I am probably not the target audience for this book, because I am not a professional Windows programmer. However, I am very interested in learning how Windows works, and Windows via C/C++, 5th Ed (WVCP5E) is one of the books that will help develop that expertise. Had I not also read Windows System Programming, 4th Ed (WSP4E) by Hart, I would have given WVCP5E 5 stars. Both are strong books, but WSP4E received 5 stars in a separate review. Still, I very strongly believe that WVCP5E by Richter and Nasarre is a must-read for anyone who wants to know more about Windows applications. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6520700824631840117?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6520700824631840117/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6520700824631840117&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6520700824631840117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6520700824631840117'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/review-of-windows-via-cc-5th-ed-posted.html' title='Review of Windows via C/C++, 5th Ed Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5904925113494795709</id><published>2011-04-30T21:59:00.002-04:00</published><updated>2011-04-30T22:01:54.997-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Beginning Visual C++ 2010 
Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51FBGDZMcyL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of Beginning Visual C++ 2010 by Ivor Horton.  Wrox provided a free review copy.  From the &lt;a href="http://www.amazon.com/review/RBVIGWP0JIUD7/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0470500883&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I read Ivor Horton's Beginning Visual C++ 2010 (BVCP2) to gain some familiarity with the C++ programming language. Prior to this book I read Mr Horton's Beginning C book. Between the two books, I hoped to learn enough about C and C++ to prepare me to read a third book titled Windows via C/C++, 5th Ed by Richter and Nasarre. As a security professional, being able to grasp the essence of C and C++ as they are used in Windows helps me understand security advisories and related discussion of vulnerabilities in exploits. BVCP2 is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C++ for Windows programmer. I highly recommend it to both sorts of readers. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5904925113494795709?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5904925113494795709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5904925113494795709&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5904925113494795709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5904925113494795709'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/review-of-beginning-visual-c-2010.html' title='Review of Beginning Visual C++ 2010 Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4153609104504708876</id><published>2011-04-30T21:57:00.002-04:00</published><updated>2011-04-30T21:59:21.839-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Beginning C Posted</title><content 
type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41Zb%2B47nLoL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of Beginning C by Ivor Horton.  Apress provided a free review copy.  From the &lt;a href="http://www.amazon.com/review/R3H75BCL29CU7W/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1590597354&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I read Ivor Horton's Beginning C to gain some familiarity with the C programming language. As a security professional, being able to grasp the essence of C helps me understand security advisories and related discussion of vulnerabilities in exploits. Beginning C is a great book for a person like me, but it also appears to be the right book for someone who wants to become a legitimate C programmer. I highly recommend it to both sorts of readers. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4153609104504708876?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4153609104504708876/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4153609104504708876&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4153609104504708876'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4153609104504708876'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/review-of-beginning-c-posted.html' title='Review of Beginning C Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3970499952356245246</id><published>2011-04-30T21:54:00.002-04:00</published><updated>2011-04-30T21:57:11.740-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Programming Amazon EC2 Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51GYvYVoVlL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my four star review of Programming Amazon EC2 by Jurg van Vliet and Flavia Paganelli.  O'Reilly provided a free review copy.  From the &lt;a href="http://www.amazon.com/review/R334S037RVBVHO/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1449393683&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Because this is a short book, I'll write a short review. Programming Amazon EC2 (PAE) explains how to use certain elements of Amazon Web Services to deploy applications in Amazon's cloud infrastructure. The discussion centers on the authors' experiences deploying live, production Web sites (like Kulitzer) using AWS. I found this approach refreshing and novel, because it reads like a playbook for recreating similar infrastructure for the reader's own purposes. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3970499952356245246?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3970499952356245246/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3970499952356245246&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3970499952356245246'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3970499952356245246'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/review-of-programming-amazon-ec2-posted.html' title='Review of Programming Amazon EC2 Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7521867679761683395</id><published>2011-04-13T20:55:00.005-04:00</published><updated>2011-04-13T21:05:36.326-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='training'/><title type='text'>UBM Cancels GTEC, Bejtlich Considers 
Alternatives</title><content type='html'>&lt;img src="http://1.bp.blogspot.com/-_OPLGLLq7Hk/TXeJtWLC5tI/AAAAAAAACLc/8jf-JVXasvg/s400/bh_gtec.png" align=left&gt;I received word this week that the venue hosting my &lt;a href="http://taosecurity.blogspot.com/2011/03/bejtlich-teaching-special-session-of.html"&gt;special session of TCP/IP Weapons School 3.0&lt;/a&gt; was cancelled!  That means no GTEC and no extra DC class.  &lt;br /&gt;&lt;br /&gt;I'm sad to hear this because I'm receiving word from students wondering what happened.&lt;br /&gt;&lt;br /&gt;As best I understand it, the current Federal budget situation made hosting this conference a tough prospect for the DC crowd.  &lt;br /&gt;&lt;br /&gt;At this point I'm evaluating options, including hosting a class myself.  If you would be interested in attending a group class of TCP/IP Weapons School 3.0 in northern VA this year, please email training [at] taosecurity [dot] com.  I think a class late in the year, hopefully during FY 2012 (so 1 Oct or later), might be the best option for Federal workers enduring budget woes.&lt;br /&gt;&lt;br /&gt;I'd rather teach within another venue, like Black Hat, but if there's enough demand from the cancelled GTEC event I'll see what it takes to offer a solo class.&lt;br /&gt;&lt;br /&gt;As noted on my &lt;a href="http://www.taosecurity.com/training.html"&gt;Training&lt;/a&gt; site, I am teaching &lt;a href="http://taosecurity.blogspot.com/2011/03/bejtlich-teaching-two-sessions-at-black.html"&gt;Two Sessions of TWS3 at Black Hat USA&lt;/a&gt; in Las Vegas this summer.  That is another option for those who will miss the GTEC class.&lt;br /&gt;&lt;br /&gt;I'm also still working out details to offer training at &lt;a href="http://www.usenix.org/events/sec11/"&gt;USENIX Security 2011&lt;/a&gt; in San Francisco in August.  I expect word from USENIX on that before the end of the month.  
Thank you.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7521867679761683395?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7521867679761683395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7521867679761683395&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7521867679761683395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7521867679761683395'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/ubm-cancels-gtec-bejtlich-considers.html' title='UBM Cancels GTEC, Bejtlich Considers Alternatives'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-_OPLGLLq7Hk/TXeJtWLC5tI/AAAAAAAACLc/8jf-JVXasvg/s72-c/bh_gtec.png' height='72' 
width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3329070227012571010</id><published>2011-04-13T14:57:00.003-04:00</published><updated>2011-04-13T15:06:03.901-04:00</updated><title type='text'>Cooking the Cuckoo's Egg</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-osRNX3zEQ9U/TaXyHMha5hI/AAAAAAAACN4/obkRuNtG-IU/s1600/cooking.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 244px;" src="http://2.bp.blogspot.com/-osRNX3zEQ9U/TaXyHMha5hI/AAAAAAAACN4/obkRuNtG-IU/s320/cooking.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5595144317512115730" /&gt;&lt;/a&gt;In February I spoke at the &lt;a href="http://www.fbcconferences.com/dojcyber/"&gt;DoJ Cybersecurity Conference&lt;/a&gt;.  My abstract for the talk was the following:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;In 1989 Berkeley astronomer Cliff Stoll wrote the most important book in the history of computer incident response, The Cuckoo's Egg. Twenty years after first reading the book, Richard Bejtlich, [then] Director of Incident Response for General Electric, re-read The Cuckoo's Egg in search of lessons for his Computer Incident Response Team (GE-CIRT). In the first ten pages, Bejtlich identified seven lessons for his team, and in the next twenty pages, ten more lessons. By the time he finished re-reading the book, Bejtlich identified dozens of lessons that are key to the incident response process, whether it's 1990, 2000, 2010, or beyond. In this presentation, Bejtlich will share the keys to professional incident response, originally documented by an unintentional computer pioneer.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Since several of you asked for the slides, I uploaded them &lt;a href="http://www.taosecurity.com/bejtlich_doj_cooking_06feb11a.pdf"&gt;here&lt;/a&gt; (.pdf, 60 slides).  
I don't usually use slides like this, but I told a story using screen captures from the really old NOVA episode about Cliff Stoll.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3329070227012571010?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3329070227012571010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3329070227012571010&amp;isPopup=true' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3329070227012571010'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3329070227012571010'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/cooking-cuckoos-egg.html' title='Cooking the Cuckoo&apos;s Egg'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-osRNX3zEQ9U/TaXyHMha5hI/AAAAAAAACN4/obkRuNtG-IU/s72-c/cooking.jpg' height='72' 
width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-1105941032887344290</id><published>2011-04-12T09:49:00.002-04:00</published><updated>2011-04-12T10:10:23.808-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Air Force'/><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><title type='text'>APT Drives Up Bomber Cost</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-wcfrShvhp40/TaRYpna-YII/AAAAAAAACNw/rIdOYAGaYcE/s1600/new_bomber.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://3.bp.blogspot.com/-wcfrShvhp40/TaRYpna-YII/AAAAAAAACNw/rIdOYAGaYcE/s200/new_bomber.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5594694109081002114" /&gt;&lt;/a&gt;Bill Sweetman wrote a good article on the new Air Force bomber program titled &lt;a href="http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&amp;id=news/dti/2011/04/01/DT_04_01_2011_p28-297147.xml&amp;headline=USAF%20Bomber%20Gets%20Tight%20Numbers"&gt;USAF Bomber Gets Tight Numbers&lt;/a&gt;.  I found the following paragraph interesting:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;One factor will drive up the cost of the bomber’s R&amp;D: its status as a SAP [Special Access Program]. SAP status — whether the program is an acknowledged SAP, as the bomber is likely to be, or completely black — incurs large costs. All personnel have to be vetted before they are read into the program. Information within the program is compartmentalized, reducing efficiency. SAP status has been estimated to &lt;b&gt;add 20% to a program’s cost&lt;/b&gt;.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Security for SAP isn't cheap!  
Sweetman elaborates:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;The most likely reason for this measure is the sensitivity of ELO [extreme low-observable] technology, combined with &lt;b&gt;the fact that the U.S. is the target of what may be the most extensive and successful espionage program in history — China’s Advanced Persistent Threat.&lt;/b&gt;&lt;/i&gt; &lt;br /&gt;&lt;br /&gt;How much is the new bomber supposed to cost?&lt;br /&gt;&lt;br /&gt;&lt;i&gt;The magic numbers for the bomber are a fleet size of 80-100 and a flyaway cost of $500 million.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;So, that's $50 billion, assuming 100 aircraft at $500 million each?  Let's assume that cost includes SAP fees.  If SAP protection adds 20%, that means without SAP the cost would be roughly $42 billion.  &lt;br /&gt;&lt;br /&gt;That means, for this program alone, the APT costs the US taxpayer $8 billion.&lt;br /&gt;&lt;br /&gt;I find this sort of article really interesting because it demonstrates a real-world cost due to ongoing computer intrusions perpetrated by the APT.  
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-1105941032887344290?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/1105941032887344290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=1105941032887344290&amp;isPopup=true' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1105941032887344290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1105941032887344290'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/apt-drives-up-bomber-cost.html' title='APT Drives Up Bomber Cost'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-wcfrShvhp40/TaRYpna-YII/AAAAAAAACNw/rIdOYAGaYcE/s72-c/new_bomber.jpg' height='72' 
width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-304417694654202874</id><published>2011-04-04T22:32:00.003-04:00</published><updated>2011-04-04T22:42:38.685-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Aviation Week on China's Military Capabilities</title><content type='html'>&lt;img src="http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s200/Chinese_draak.jpg" align=left&gt;Today Richard D. Fisher, Jr. and Bill Sweetman published an online article for Aviation Week titled &lt;a href="http://www.aviationweek.com/aw/generic/story_generic.jsp?channel=dti&amp;id=news/dti/2011/04/01/DT_04_01_2011_p32-295855.xml&amp;headline=Sizing%20Up%20China%27s%20Military%20Capabilities"&gt;Sizing Up China's Military Capabilities&lt;/a&gt;.  Of interest to my readers might be the following:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;It is no secret that long-term U.S. Air Force and Navy planning is focused on China...&lt;br /&gt;&lt;br /&gt;A decade ago, many U.S. analysts were unimpressed by the People’s Liberation Army (PLA)... By 2011, such hubris has given way to palpable concern...&lt;br /&gt;&lt;br /&gt;The elements of this capability include:&lt;br /&gt;&lt;br /&gt;Information attack. In the mid-2000s, U.S. intelligence agencies identified the &lt;b&gt;Advanced Persistent Threat (APT)&lt;/b&gt;, a pattern of cyberespionage largely traceable to China and aimed mainly at the U.S. defense industry and armed forces...&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I really like to see organizations that are not selling digital security, but who are still defense experts, discuss APT!  &lt;br /&gt;&lt;br /&gt;Some of you probably think Aviation Week is part of the "create a new bogey man" strategy as we draw down forces in Iraq.  Surely APT is just "yellow peril"?  
Think again:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;In the Soviet era, it was commonplace for U.S. intelligence agencies to exaggerate Soviet capabilities and predict that new systems would enter service sooner and in larger numbers than actually happened. &lt;b&gt;A consistent trend in analysis of China’s military capabilities is to do the reverse&lt;/b&gt;...&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;So how does the US military tend to think about the Chinese threat?&lt;br /&gt;&lt;br /&gt;&lt;i&gt;U.S. officials have tended to view this increasing A2/AD [“anti-access” or “area denial”] force through the prism of a &lt;b&gt;potential conflict over the future of Taiwan&lt;/b&gt; or a contest for dominance in the Western Pacific. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;In the event of a conflict, it is assumed the PLA would launch cyberstrikes against regional U.S. and allied military facilities and U.S. political and military leadership,&lt;/b&gt; while directing air, naval and special forces strikes against nearby American facilities in Okinawa and Guam. 
&lt;br /&gt;&lt;br /&gt;Should Washington refuse to sue for peace, and deploy forces into the theater, the PLA would fashion joint missile, air and submarine strikes to deter or defeat naval and air forces.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I know the whole US military does not think solely in terms of Taiwan, but clearly the limited characterization of APT as "only" "espionage," and the "prism" of Taiwan show that too many people don't see the big picture.&lt;br /&gt;&lt;br /&gt;On a related note, I look forward to reading this document:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.xinhuanet.com/english2010/china/2011-03/31/c_13806851.htm"&gt;China's National Defense in 2010&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-304417694654202874?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/304417694654202874/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=304417694654202874&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/304417694654202874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/304417694654202874'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/aviation-week-on-chinas-military.html' title='Aviation Week on China&apos;s Military 
Capabilities'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_Z-tqVTd9fPI/S1KHYGoUtnI/AAAAAAAABsw/fTl0YajolQk/s72-c/Chinese_draak.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3261297079679017458</id><published>2011-04-01T20:46:00.005-04:00</published><updated>2011-04-01T21:20:30.651-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reading'/><title type='text'>Answering Questions on Reading Tips</title><content type='html'>&lt;img src="http://ec1.images-amazon.com/images/P/0321246772.01._SCMZZZZZZZ_V39288200_.jpg" align=left&gt;A few of you asked questions via Twitter or comments on my &lt;a href="http://taosecurity.blogspot.com/2011/03/all-reading-is-not-equal-or-fast.html"&gt;All Reading Is Not Equal or Fast&lt;/a&gt; post, so I'll try answering them here.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;When you review a book that was less than perfect or heck even one that was perfect could you also suggest some alternatives?&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I'll be honest.  That could be more work than I'm willing to do in a free forum like Amazon.com and this blog.  Sometimes I mention alternatives because they're fresh in my mind and I like the other options.  Always mentioning alternatives can be a real chore.  If I wrote reviews for formal publication I would do that.  
Otherwise, I recommend subscribing to my &lt;a href="http://www.amazon.com/rss/people/A2ZVOU9X5W2S47/reviews/ref=cm_rss_member_rev_manlink"&gt;Amazon.com review RSS feed&lt;/a&gt; and staying current with my reviews.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Where do you find the time to read the books? After family-time, work time and sleep-time..at what time of the day do u read and how much time do you invest? I keep trying to read books but I read 2-3 pages per day at night...thanks! &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;When work is really busy, I probably read the most when on the road.  I try to get to airports early, so I could have 30 to 60 minutes at the gate.  On the flight I hardly ever watch the movie(s) or work on a computer.  I pretty much always read a technical book or read The Economist.  Planes are especially good for concentrating my attention because I have no alternative and no distractions!&lt;br /&gt;&lt;br /&gt;When I don't travel, I like to make some time early Saturday and Sunday mornings.  I might also read a little at night, when my wife does the same.&lt;br /&gt;&lt;br /&gt;Also, &lt;b&gt;be prepared to read&lt;/b&gt;.  Think one book will keep you busy on a trip?  Take two.  What if you're stuck at the airport, etc.?  Whenever I take mass transit, I take something to read with me.  The same goes for any time I expect to wait somewhere, like a doctor's office, before a meeting, and so on.  These little stretches of time add up.  And, if you face an unexpected delay, the little stretch becomes a reading-productive big stretch.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;How do you maintain your list of books to read throughout the year? Do you look at upcoming books from specific publishers, books referenced in conferences and presentations, does Amazon offer pre-order recommendations and reviewer copies?  
How do you prioritize such a list?&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Every once in a while I access this Amazon.com &lt;a href="http://www.amazon.com/b/ref=sv_b_0/104-0040433-7486322?ie=UTF8&amp;node=241582011"&gt;search page&lt;/a&gt; and do a keyword search for computer security terms, ordered by publication date. &lt;br /&gt;&lt;br /&gt;I review the results and concentrate on titles from the mainstream publishers like Pearson imprints (Addison-Wesley, etc., including Cisco Press), No Starch, Wiley, Osborne/McGraw-Hill, Apress, O'Reilly (including Microsoft Press), Wrox, and Syngress.  I never read Auerbach (sorry guys).  I pretty much avoid everything else.  You have to publish something extraordinary to catch my attention otherwise.  Examples include books on FreeBSD or other BSD topics.&lt;br /&gt;&lt;br /&gt;This method usually catches all books I care about in the next 9-15 months.  I am rarely surprised, but that can happen!  As a backup I subscribe to the blogs of major publishers who provide feeds on upcoming books (hint to publishers who do not do this -- you should!)&lt;br /&gt;&lt;br /&gt;If I know and like the author already, I'll add the book to my &lt;a href="http://www.amazon.com/gp/registry/wishlist/3D740NAODPYTA?reveal=all&amp;filter=all&amp;sort=priority&amp;layout=standard&amp;x=12&amp;y=11"&gt;Amazon.com Wish List&lt;/a&gt; immediately.  I assign a priority based on how many months until the book will be published.  I use Highest for published books and Lowest for books the farthest in the future.  &lt;br /&gt;&lt;br /&gt;Next I add books to my formal &lt;a href="http://www.bejtlich.net/reading.html"&gt;reading list&lt;/a&gt;.  I usually have a queue stretching 9-12 months.  My goal since probably 2000 or 2001 was to finish a calendar year having read all books available on my list, but it's never happened!  (Will this be the year??)  &lt;br /&gt;&lt;br /&gt;My current list is more or less grouped by themes.  
I order the books based on the knowledge or familiarity I expect to need in order to understand the book.  Hence, my current list shows books on C and Windows prior to books on exploit development and debugging Windows.  &lt;br /&gt;&lt;br /&gt;If a book seems really interesting, I'll put it on my schedule when the book is expected to be published.  That may require rescheduling my reading.  Not meeting my schedule can also force me to change the list.&lt;br /&gt;&lt;br /&gt;The toughest part of my process involves seeing a book with an interesting title and subject written by an unknown author.  Sometimes I'll take a leap of faith and add the book to my Wish List and reading schedule.  Other times I'll wait until I can flip through it in the store.  I always keep my Wish List and reading schedule synchronized, so you won't see me Wishing a book but not having it planned for a certain month.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;How do you tackle/review books that are only distributed digitally? &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I have yet to encounter this problem but I expect to at some point in 2012.  I imagine by that time I'll just read the new book on an iPad or similar.  I'll probably rely on note-taking on a separate piece of paper.  
&lt;br /&gt;&lt;br /&gt;Thank you for your questions!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3261297079679017458?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3261297079679017458/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3261297079679017458&amp;isPopup=true' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3261297079679017458'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3261297079679017458'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/answering-questions-on-reading-tips.html' title='Answering Questions on Reading Tips'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-207386315443108318</id><published>2011-04-01T20:42:00.002-04:00</published><updated>2011-04-01T20:45:01.133-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Web 
Application Obfuscation Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41RGV8jAyxL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just published my four star review of Web Application Obfuscation by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay.  From the &lt;a href="http://www.amazon.com/review/R2Q6YFDA6A9C6P/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1597496049&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I had really no idea what to expect when I started reading Web Application Obfuscation (WAO). I hoped it would address attacks on Web technologies, perhaps including evasion methods, but beyond that I didn't even really know how to think about whatever problem this book might address. After finishing WAO, it's only appropriate to say "wow." In short, I had no idea that Web browsers (often called "user agents" in WAO) are so universally broken. Web browser developers would probably reply that they're just trying to handle as much broken HTML as possible, but the WAO authors show this approach makes Web "security" basically impossible. 
I recommend reading WAO to learn just how crazy one can be when interacting with Web apps.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-207386315443108318?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/207386315443108318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=207386315443108318&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/207386315443108318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/207386315443108318'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/04/review-of-web-application-obfuscation.html' title='Review of Web Application Obfuscation Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7386800479511490746</id><published>2011-03-31T23:20:00.004-04:00</published><updated>2011-04-01T00:16:32.871-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='reviews'/><category scheme='http://www.blogger.com/atom/ns#' term='reading'/><title type='text'>All Reading Is Not Equal or Fast</title><content type='html'>&lt;img src="http://ec1.images-amazon.com/images/P/0321246772.01._SCMZZZZZZZ_V39288200_.jpg" align=left&gt;Four years ago I posted &lt;a href="http://taosecurity.blogspot.com/2007/01/reading-tips.html"&gt;Reading Tips&lt;/a&gt;, where I offered some ideas on how to read technical books.&lt;br /&gt;&lt;br /&gt;Recently I've received emails and questions via Twitter on the same subject.  &lt;br /&gt;&lt;br /&gt;In this post I'd like to offer another perspective.  Here I will introduce different "types of reading."  In other words, I don't see all reading as equal, and what some people might call "reading," I don't consider to be reading at all!&lt;br /&gt;&lt;br /&gt;After reading this post you may find you can adopt one or more (or really all) methods in your own knowledge journey.&lt;br /&gt;&lt;br /&gt;The key to this post is to recognize that different types of reading exist, and you have to decide how you are going to approach a book, article, or other printed resource.&lt;br /&gt;&lt;br /&gt;My list follows.&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Proofreading&lt;/b&gt; is a very intense activity where the reader scrutinizes every aspect of a book.  The reader pays attention to technical accuracy, grammar, production value (quality of screen captures, etc.) and all other customer-facing elements.  This is usually a paid activity because it can be very demanding and time-consuming!  &lt;br /&gt;&lt;br /&gt;I doubt most people find themselves in this situation, but I have been hired in the past to do this sort of work.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Reading for &lt;b&gt;correctness&lt;/b&gt; is a subset of proofreading where the reader focuses on the accuracy of the written material.  
&lt;br /&gt;&lt;br /&gt;For example, is the author correct when he says the TCP three way handshake (TWH) is SYN ACK -&gt; SYN ACK -&gt; ACK?  Wrong!  (The correct sequence is SYN -&gt; SYN/ACK -&gt; ACK.  True story.)  Here the reader is trying to see if the author knows what he is talking about.  I usually enter this mode when I smell blood in the water.  In other words, when I encountered the wrong TWH in a book years ago, I continued hunting errors until I was mentally exhausted.  &lt;br /&gt;&lt;br /&gt;This is an unpleasant form of reading reserved for error-prone books.  Once an author proves he or she knows the material I usually don't enter this mode.  I only read for correctness as preparation to write a book review of a technically inaccurate book.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Memorization&lt;/b&gt; is another intense reading form, usually reserved for academic classes.  If you've had to study for a biology test, you've probably read for memorization purposes.  If reading for memorization, I will likely heavily mark the text and create independent, supplementary materials like flash cards.  Yes, on real index cards!  The act of writing the material helps activate other areas of the brain to memorize information.&lt;br /&gt;&lt;br /&gt;Thankfully I haven't had to do this sort of reading in years, or at least not regularly.  I have had to memorize information for amateur radio license tests, and I like creating flash cards for that information.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Reading for &lt;b&gt;learning&lt;/b&gt; is one of my common modes.  With this approach I mark up a text (generally underlining or bracketing key terms and sections) and add comments or questions in margins.  &lt;br /&gt;&lt;br /&gt;You might think the previous (and possibly the subsequent) reading modes are all about learning too, but simple learning for me is a more relaxed endeavor compared to memorization or correctness.  
&lt;br /&gt;&lt;br /&gt;The goal of learning is to be able to remember a subject, preferably well enough to at least describe it (but not teach it) to a third party.&lt;br /&gt;&lt;br /&gt;Reading for learning is as fast as you are able to absorb material.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Reading for &lt;b&gt;practice&lt;/b&gt; is closely related to learning, but it involves material that has an operational aspect.  For example, reading a programming book for practice, for me, involves trying the code examples, and even better trying the sample exercises.  &lt;br /&gt;&lt;br /&gt;Practice is a more active form compared to learning.  With learning I might be able to explain a pointer, but with practice I could write a program using one.&lt;br /&gt;&lt;br /&gt;Due to the hands-on manner, this is a slow form of reading.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Reading for &lt;b&gt;familiarization&lt;/b&gt; is another one of my more common reading forms.  Here I am just trying to understand the author without necessarily planning to implement his or her concepts in real life.  For example, I plan to read a book on Windows internals in April, but I do not plan to become a Windows kernel programmer.  &lt;br /&gt;&lt;br /&gt;Reading for familiarization is probably the fastest way to read a technical book and still derive value from it.  I may or may not mark up a book for familiarization purposes.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Reading for &lt;b&gt;reference&lt;/b&gt; starts to enter the gray area of possible "fake reading."  If you only read a few sections or chapters of a book, have you really "read it?"  For example, I've relied on the massive book Unix Power Tools, but because I've only referenced parts of it, I've never formally reviewed it.&lt;br /&gt;&lt;br /&gt;In my opinion, unless you heavily reference a book over time, you're not really reading at the level that warrants a review.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Sampling&lt;/b&gt; is not reading.  
Top Amazon book reviewer frauds, this means you.  Looking at the front cover, back cover, index, table of contents, and a few sample pages doesn't make you qualified to write a book review.  The sorts of people who write more than a few book reviews per day are the fakers who consider "sampling" to be "reading."&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Reading for &lt;b&gt;entertainment&lt;/b&gt; is not generally an approach I take with technical books!  Sure, I enjoy them, but it's not like reading a classic fiction book.  When reading a nontechnical work, I tend to devour pages.  I'm not sure if that's good or bad, but it's exceptionally fast since the emotional component engages additional brain components that would allow me to later describe the content should I wish to do so.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;How does reading for reviews fit in?  In my view, as long as you're not "sampling" or reading for reference, any of the methods above qualify for writing a review.  I suggest adding one component to your reading process to assist with review writing: keep a separate notebook and take notes as you read.  Be very specific, e.g., "p 121 had this quote... etc."  The more notes you take, the easier your review will be to write.&lt;br /&gt;&lt;br /&gt;So what does this mean if you want to know "how does Bejtlich read so many books?"  The answer is to decide just how you want to read a book.  When I read a book on C or Windows Internals in April, I will likely be reading for familiarization.  I don't plan to be a C coder or Windows developer, but I do want to be conversant in certain topics.  If I get really motivated I will turn to my PC and try some examples.  (In fact, I'll probably do that for a book on coding for Windows, since I've never done that before.)  &lt;br /&gt;&lt;br /&gt;What this means is that I, reading for familiarization, will probably read faster than someone else reading for practice, or memorization, or another time-consuming purpose.  
It all depends on your goal!  On another day I may be reading for practice because I really want to know more about a topic, and then I'll be slower and more engaged.&lt;br /&gt;&lt;br /&gt;Incidentally, the more you read, the faster you will likely become.  I don't think improving your reading is limited to children, either (although my daughters are pretty scary in terms of speed).  &lt;br /&gt;&lt;br /&gt;Don't overdo it though.  I would not be surprised to learn that chemical reactions are involved with reading, especially the more intense learning modes.  In some cases I can feel my ability to absorb material shutting down, and at that point there is really no reason to continue.  Take a break.&lt;br /&gt;&lt;br /&gt;I also advise against reading in bed, although this is a truly personal opinion.  For some people, it works great.  I don't make it past five minutes!&lt;br /&gt;&lt;br /&gt;If you have questions on this post, please comment here.  I have to moderate everything so it may take me a while to notice them.  
Thank you.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7386800479511490746?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7386800479511490746/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7386800479511490746&amp;isPopup=true' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7386800479511490746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7386800479511490746'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/all-reading-is-not-equal-or-fast.html' title='All Reading Is Not Equal or Fast'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3248037564803812755</id><published>2011-03-31T21:48:00.002-04:00</published><updated>2011-03-31T21:51:50.665-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Hacking Exposed: Web Applications, 3rd 
Ed</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/61GIfwk2OGL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just published my four star review of Hacking Exposed: Web Applications, 3rd Ed by Joel Scambray, Vincent Liu, and Caleb Sima.  From the &lt;a href="http://www.amazon.com/review/R2CTFPV16C8C4B/ref=cm_cr_rdp_perm"&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;This is the third Hacking Exposed: Web Applications (HE:WA) book I've reviewed, having reviewed the second edition in 2006 and the first edition in 2002. While I gave the earlier editions each five stars, I don't think HE:WA3E quite meets my expectations of a five star web application security book -- at least not one bearing the Hacking Exposed (HE) series name.&lt;br /&gt;&lt;br /&gt;In my opinion, the winning formula for a good HE book was set by the first in the series, back in 1999: 1) explain a technology of interest; 2) show exactly how to exploit it; 3) recommend countermeasures. For me, these three steps MUST be followed, and any book with HE in the title that fails to follow this recipe is likely to fall flat. The reason I like this approach is simple; in many cases, defenders first encounter a new technology only after a researcher or intruder has broken it! In other words, the offensive side is usually far ahead of the defensive side, because offenders often specialize in a promising new area and pursue it relentlessly until they break it. 
Good HE books help redress this imbalance by getting the defender up to speed on a new technology, showing how to break it, and then suggesting defensive measures.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3248037564803812755?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3248037564803812755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3248037564803812755&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3248037564803812755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3248037564803812755'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/review-of-hacking-exposed-web.html' title='Review of Hacking Exposed: Web Applications, 3rd Ed'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8080398170443839113</id><published>2011-03-31T21:21:00.001-04:00</published><updated>2011-03-31T21:23:31.227-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of iOS Forensic Analysis Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41ugrt5Gg9L._AA200_.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my three star review of iOS Forensic Analysis by Sean Morrissey.  From the &lt;a href="http://www.amazon.com/review/R2X2249NHNLWQ7/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=1430233427&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I've read many forensics books over the last decade and written one as well. I believe that iOS Forensic Analysis (IFA) offers some useful information, but the manner in which the author presents it is not as effective as it could be. If the author were to write a second edition that structures the material in the way I recommend, I believe it would merit a four or five star review. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8080398170443839113?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8080398170443839113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8080398170443839113&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8080398170443839113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8080398170443839113'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/review-of-ios-forensic-analysis-posted.html' title='Review of iOS Forensic Analysis Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-4025503280858103114</id><published>2011-03-31T09:03:00.002-04:00</published><updated>2011-03-31T09:05:59.789-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Computer Incident Response and Product 
Security Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41MqT3UFWAL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just published my three star review of Computer Incident Response and Product Security by Damir Rajnovic. From the &lt;a href="http://www.amazon.com/review/R1I1MIKJWD2QNJ/ref=cm_cr_dp_perm?ie=UTF8&amp;ASIN=1587052644&amp;nodeID=283155&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;When I first learned that Cisco Press was publishing a book about product security (Computer Incident Response and Product Security, or CIRAPS), I was excited to see what they might create. Cisco's Product Security Incident Response Team (PSIRT) is one of the best in the industry, with a long history and mature processes. Furthermore, no published book currently provides extensive coverage for companies trying to design, build, and run their own PSIRT. Rather than focusing on this topic and thoroughly examining it, however, CIRAPS spends only 100 pages out of a 215 page book talking about PSIRT issues. While there are parts of CIRAPS that I found interesting, I don't think they justify reading the whole book. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-4025503280858103114?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/4025503280858103114/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=4025503280858103114&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4025503280858103114'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/4025503280858103114'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/review-of-computer-incident-response.html' title='Review of Computer Incident Response and Product Security Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6192870055723065736</id><published>2011-03-31T08:36:00.002-04:00</published><updated>2011-03-31T08:39:08.822-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of pfSense: The 
Definitive Guide Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/41L17TqKfaL._AA200_.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my five star review of &lt;a href="http://www.reedmedia.net/books/pfsense/"&gt;pfSense: The Definitive Guide&lt;/a&gt; by Christopher M. Buechler and Jim Pingle and published by &lt;a href="http://www.reedmedia.net/"&gt;Reed Media&lt;/a&gt;.  From the &lt;a href="http://www.amazon.com/review/R3JZ4MRX4ELL0X/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0979034280&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I have to admit that pfSense: The Definitive Guide (pTDG) caught me off guard. I expected the book to mainly discuss installing and using the pfSense firewall appliance, which would have been enough for me to enjoy the book. However, I was pleased to see coverage of many issues related to network security and firewall design and operation. For me, these features elevated the entire book to five star status. If you're interested in learning how pfSense can help your organization, and what it means to deploy firewalls, pTDG is the right book. 
&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6192870055723065736?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6192870055723065736/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6192870055723065736&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6192870055723065736'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6192870055723065736'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/review-of-pfsense-definitive-guide.html' title='Review of pfSense: The Definitive Guide Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3628492764415179087</id><published>2011-03-31T08:07:00.003-04:00</published><updated>2011-03-31T08:11:03.391-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Mini-Review of The Book of Pf 
Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51kJeXSrL8L._AA200.jpg" align=left&gt;Because I wrote a three star &lt;a href="http://www.amazon.com/review/R3SWW8427IJXRD/ref=cm_cr_dp_perm?ie=UTF8&amp;ASIN=1593271654&amp;nodeID=283155&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt; of the first edition of The Book of Pf by Peter N.M. Hansteen, &lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; won't allow me to write a review of the second edition.  So, I added the following &lt;a href="http://www.amazon.com/review/R3SWW8427IJXRD/ref=cm_cr_rev_detmd_pl?ie=UTF8&amp;cdMsgNo=2&amp;cdPage=1&amp;asin=1593271654&amp;store=books&amp;cdSort=oldest&amp;cdMsgID=Mx2Q1IX178VJ1DH#Mx2Q1IX178VJ1DH"&gt;comment&lt;/a&gt; to my old review indicating that I think the second edition deserves four out of five stars:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Amazon won't allow me to write a review of the second edition of this book, so I'm adding this comment. I'm pleased to say that I believe the author accepted much of the feedback in my first review as well as feedback from other reviewers. He's improved the book so much that I think it warrants 4 out of 5 stars. He spends more time explaining key concepts rather than simply including them in the text. For example, the author introduces features like macros (p 18) whereas in the first edition he just started using them. The book is also fairly up-to-date, with coverage of OpenBSD 4.8, FreeBSD 8.1, and NetBSD 5.0. Reading how to use Pf on all three platforms was very helpful. One request for a future edition is to include more "tips and tricks" that an experienced firewall administrator is sure to have. For example, when working remotely on a firewall ruleset, what methods does the author use to test configurations and ensure that if he makes a mistake he isn't locked out of the system? 
Finally, I think this book is a fine companion to PfSense: The Definitive Guide by Buechler and Pingle. &lt;/i&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3628492764415179087?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3628492764415179087/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3628492764415179087&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3628492764415179087'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3628492764415179087'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/mini-review-of-book-of-pf-posted.html' title='Mini-Review of The Book of Pf Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7816718249635913803</id><published>2011-03-25T22:00:00.002-04:00</published><updated>2011-03-25T22:05:23.672-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='reviews'/><title type='text'>Review of Kingpin Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/51sefpkmWnL._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my four star review of Kingpin by Kevin Poulsen.  I read this book by checking it out of my library!  From the &lt;a href="http://www.amazon.com/review/R35YP1UNI7CGUH/ref=cm_cr_rdp_perm"&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I've read and reviewed almost all of the non-fiction computer crime and espionage books written since the 1980s. Kingpin by Kevin Poulsen is one of my favorites. I will recommend this book to fellow digital security professionals and those who would like insights into our world. Kingpin's coverage of Max Ray Butler's (MRB) constant entanglement with the dark side is a lesson for anyone contemplating using their skills for evil. &lt;/i&gt;&lt;br /&gt;&lt;br /&gt;On a related note, in late 2007 I posted &lt;a href="http://taosecurity.blogspot.com/2007/09/max-ray-butler-in-trouble-again.html"&gt;Max Ray Butler in Trouble Again&lt;/a&gt; and followed that in 2010 with &lt;a href="http://taosecurity.blogspot.com/2010/02/max-ray-butler-sentenced-again.html"&gt;Max Ray Butler Sentenced (Again)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7816718249635913803?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://taosecurity.blogspot.com/feeds/7816718249635913803/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7816718249635913803&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7816718249635913803'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7816718249635913803'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/review-of-kingpin-posted.html' title='Review of Kingpin Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3754133315345518058</id><published>2011-03-24T13:24:00.003-04:00</published><updated>2011-03-24T14:16:15.939-04:00</updated><title type='text'>Report on Declarations of War</title><content type='html'>&lt;img src="https://lh3.googleusercontent.com/_Z-tqVTd9fPI/SKichPDy6NI/AAAAAAAAAj8/oKTgwJSj1Pg/iwojima.jpeg" align=left&gt;Similar to my post &lt;a href="http://taosecurity.blogspot.com/2011/03/report-on-instances-of-us-forces-abroad.html"&gt;Report on Instances of US Forces Abroad&lt;/a&gt;, I again thank Steven Aftergood for his post &lt;a href="http://www.fas.org/blog/secrecy/2011/03/no-fly_zones.html"&gt;No-Fly Zones: Considerations for Congress&lt;/a&gt;.  He points to a new report titled &lt;a href="http://www.fas.org/sgp/crs/natsec/RL31133.pdf"&gt;Declarations of War and Authorizations for the Use of Military Force: Historical Background and Legal Implications&lt;/a&gt; (.pdf).  
This is a good resource for those trying to determine what is war, what isn't war, and what happens in each situation.  From the report summary:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;b&gt;From the Washington Administration to the present, Congress and the President have enacted 11 separate formal declarations of war against foreign nations in five different wars.&lt;/b&gt; Each declaration has been preceded by a presidential request either in writing or in person before a joint session of Congress. &lt;b&gt;The reasons cited in justification for the requests have included armed attacks on United States territory or its citizens and threats to United States rights or interests as a sovereign nation.&lt;/b&gt; &lt;br /&gt;&lt;br /&gt;Congress and the President have also enacted authorizations for the use of force rather than formal declarations of war. Such measures have generally authorized the use of force against either a named country or unnamed hostile nations in a given region. In most cases, the President has requested the authority, but Congress has sometimes given the President less than what he asked for. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Not all authorizations for the use of force have resulted in actual combat.&lt;/b&gt; Both declarations and authorizations require the signature of the President in order to become law. &lt;b&gt;In contrast to an authorization, a declaration of war in itself creates a state of war under international law and legitimates the killing of enemy combatants, the seizure of enemy property, and the apprehension of enemy aliens. 
&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;While a formal declaration was once deemed a necessary legal prerequisite to war and was thought to terminate diplomatic and commercial relations and most treaties between the combatants, &lt;b&gt;declarations have fallen into disuse since World War II.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The laws of war, such as the Hague and Geneva Conventions, apply to circumstances of armed conflict whether or not a formal declaration or authorization was issued. With respect to domestic law, a declaration of war automatically triggers many standby statutory authorities conferring special powers on the President with respect to the military, foreign trade, transportation, communications, manufacturing, alien enemies, etc. In contrast, no standby authorities appear to be triggered automatically by an authorization for the use of force, although the executive branch has argued, with varying success, that the authorization to use force in response to the terrorist attacks of 2001 provided a statutory exception to certain statutory prohibitions.&lt;br /&gt;&lt;br /&gt;Most statutory standby authorities do not expressly require a declaration of war to be actualized but can be triggered by a declaration of national emergency or simply by the existence of a state of war; however, courts have sometimes construed the word “war” in a statute as implying a formal declaration, leading Congress to enact clarifying amendments in two cases. &lt;br /&gt;&lt;br /&gt;Declarations of war and authorizations for the use of force waive the time limitations otherwise applicable to the use of force imposed by the War Powers Resolution.&lt;br /&gt;&lt;br /&gt;This report provides historical background on the enactment of declarations of war and authorizations for the use of force and analyzes their legal effects under international and domestic law. It also sets forth their texts in two appendices. 
&lt;br /&gt;&lt;br /&gt;The report includes an extensive listing and summary of statutes that are triggered by a declaration of war, a declaration of national emergency, and/or the existence of a state of war. The report concludes with a summary of the congressional procedures applicable to the enactment of a declaration of war or authorization for the use of force and to measures under the War Powers Resolution.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3754133315345518058?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3754133315345518058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3754133315345518058&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3754133315345518058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3754133315345518058'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/report-on-declarations-of-war.html' title='Report on Declarations of War'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='https://lh3.googleusercontent.com/_Z-tqVTd9fPI/SKichPDy6NI/AAAAAAAAAj8/oKTgwJSj1Pg/s72-c/iwojima.jpeg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3027629800258574106</id><published>2011-03-18T15:00:00.004-04:00</published><updated>2011-03-18T15:16:11.062-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='oisf'/><title type='text'>Requesting Comments on Open Information Security Foundation</title><content type='html'>&lt;img src="http://lh3.googleusercontent.com/_Z-tqVTd9fPI/Sm_Zm1GINQI/AAAAAAAABgU/iIA2wJH9zko/OISF_small.png" align=left&gt;Thank you to anyone who &lt;a href="http://www.openinfosecfoundation.org/index.php/component/content/article/1-latest-news/120-board-voting-results"&gt;voted for me&lt;/a&gt; to join the board of the &lt;a href="http://openinfosecfoundation.org/"&gt;Open Information Security Foundation&lt;/a&gt;.  They are most famous for their &lt;a href="http://openinfosecfoundation.org/index.php/downloads"&gt;Suricata&lt;/a&gt; intrusion detection engine, but I expect additional outputs as time passes.  I appreciate those of you who supported my goal to join their board.  I will try to provide fair and useful input to the project.&lt;br /&gt;&lt;br /&gt;I believe we will have our first board phone call next week.  Are there any issues you would like me to raise, or consider for future meetings?  
&lt;br /&gt;&lt;br /&gt;I am personally interested in OISF because I think they bring a level of enthusiasm, openness, and innovation to the open source network security monitoring space, alongside tools like &lt;a href="http://www.bro-ids.org/"&gt;Bro&lt;/a&gt; and &lt;a href="http://www.snort.org/"&gt;Snort&lt;/a&gt; and others I mentioned in my January post &lt;a href="http://taosecurity.blogspot.com/2011/01/seven-cool-open-source-projects-for.html"&gt;Seven Cool Open Source Projects for Defenders&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;OISF is also a US nonprofit, a 501c(3) group, so I like the idea of helping that sort of organization.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3027629800258574106?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3027629800258574106/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3027629800258574106&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3027629800258574106'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3027629800258574106'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/requesting-comments-on-open-information.html' title='Requesting Comments on Open Information Security Foundation'/><author><name>Richard 
Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://lh3.googleusercontent.com/_Z-tqVTd9fPI/Sm_Zm1GINQI/AAAAAAAABgU/iIA2wJH9zko/s72-c/OISF_small.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-6015585865289777514</id><published>2011-03-17T21:29:00.003-04:00</published><updated>2011-03-17T21:39:57.229-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='apt'/><title type='text'>Initial Thoughts on RSA "APT" Announcement</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-hZ8krkF7-c4/TYK1qDctXfI/AAAAAAAACM4/eN00Exf5h18/s1600/rsa.jpeg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 139px;" src="http://2.bp.blogspot.com/-hZ8krkF7-c4/TYK1qDctXfI/AAAAAAAACM4/eN00Exf5h18/s200/rsa.jpeg" border="0" alt=""id="BLOGGER_PHOTO_ID_5585226221977689586" /&gt;&lt;/a&gt;Today RSA's Art Coviello &lt;a href="http://www.rsa.com/node.aspx?id=3872"&gt;announced&lt;/a&gt; the following:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA...&lt;br /&gt;&lt;br /&gt;Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). &lt;br /&gt;&lt;br /&gt;Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. 
&lt;br /&gt;&lt;br /&gt;While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack...&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This is one of the problems with debates over terminology.  If we all accepted the actual definition of APT as created by the Air Force in 2006, we would know what Mr Coviello is describing.  Without that clarity we're left wondering if he means any threat on the planet that he and RSA choose to describe as "APT."&lt;br /&gt;&lt;br /&gt;Without knowing anything more than what is printed in the RSA announcement, I can offer the following opinion.  It is not outside the realm of APT methodology and targeting to attack RSA in order to access internal details on their authentication technology.  We know APT actors have attacked other technology companies to steal their intellectual property, ranging from software to algorithms to private keys, all to better infiltrate other targets.&lt;br /&gt;&lt;br /&gt;As I Tweeted &lt;a href="http://twitter.com/taosecurity/status/45992984197611521"&gt;on March 10th&lt;/a&gt;, it's public knowledge that validated APT actors have targeted public key infrastructure for several years.  Besides PKI, enterprises of all types rely heavily on two-factor systems such as those created by RSA.  
Stealing technology and examining it for weaknesses, identifying ways to exploit the supply chain, or otherwise gaining an advantage over RSA users are all valid APT interests.&lt;br /&gt;&lt;br /&gt;Note also how carefully RSA's statement is worded.  It says the extracted information does not enable a successful &lt;i&gt;direct&lt;/i&gt; attack on its own; it does not say the information is harmless, and it concedes that the information could reduce the effectiveness of a two-factor deployment "as part of a broader attack."  Until RSA specifies what was taken, SecurID customers should not assume their token factor is intact, and should lean on the remaining factors and on monitoring for anomalous authentication activity.&lt;br /&gt;&lt;br /&gt;Hopefully we will learn more about this issue as time passes.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-6015585865289777514?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/6015585865289777514/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=6015585865289777514&amp;isPopup=true' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6015585865289777514'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/6015585865289777514'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/initial-thoughts-on-rsa-apt.html' title='Initial Thoughts on RSA &quot;APT&quot; Announcement'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/-hZ8krkF7-c4/TYK1qDctXfI/AAAAAAAACM4/eN00Exf5h18/s72-c/rsa.jpeg' height='72' width='72'/><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-8961097953583623034</id><published>2011-03-17T09:40:00.003-04:00</published><updated>2011-03-17T09:48:59.265-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mandiant'/><title type='text'>Bejtlich Joining MANDIANT as CSO and Security Services Architect</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s1600/mandiant_logo.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 247px; height: 38px;" src="http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s400/mandiant_logo.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5585032126592087618" /&gt;&lt;/a&gt;In June 2007 I posted that I was &lt;a href="http://taosecurity.blogspot.com/2007/06/bejtlich-joining-general-electric-as.html"&gt;joining General Electric as Director of Incident Response&lt;/a&gt;.  Since then I helped build and lead &lt;a href="https://www.ge.com/cirt/"&gt;GE-CIRT&lt;/a&gt; from an "army of one" into a team of 40 analysts.  It was an honor and a privilege to work with my team, but today I am announcing that I've accepted a new challenge.&lt;br /&gt;&lt;br /&gt;Effective 1 April I will be Chief Security Officer and Security Services Architect for &lt;a href="http://www.mandiant.com/"&gt;MANDIANT&lt;/a&gt;, where I will build teams, tools, and capabilities to provide managed detection and response services.  
You can read the press release at the &lt;A href="http://www.mandiant.com/news_events/article/mandiant_names_richard_bejtlich_chief_security_officer_security_servic/"&gt;MANDIANT Web site&lt;/a&gt; or &lt;a href="http://www.businesswire.com/news/home/20110317005769/en/MANDIANT-Names-Richard-Bejtlich-Chief-Security-Officer"&gt;Businesswire&lt;/a&gt; if you're so inclined, as well as a &lt;a href="https://blog.mandiant.com/"&gt;MANDIANT blog post&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I am really looking forward to this new opportunity.  I worked for Kevin Mandia in 2002-2004 with Foundstone and for Travis Reese in 2004-2005 at ManTech International Corp.'s CFIA division.  When I left ManTech to concentrate 100% on TaoSecurity, the first consulting I did was for Red Cliff, the precursor to MANDIANT.  I also know many current members of the MANDIANT team from those three roles and subsequent relationships.  &lt;br /&gt;&lt;br /&gt;I believe in MANDIANT's mission and vision, which is important to me.  While I enjoyed defending one enterprise with my old team, at MANDIANT I will be able to assist multiple organizations.  As a member of the MANDIANT executive team I will also help set the direction for the company and will be able to work with the product, consulting, training, and managed services groups.&lt;br /&gt;&lt;br /&gt;While many of you are familiar with MANDIANT's famous incident response consulting force, you may not be aware that the company continues to build a managed services team to provide dedicated, long-term detection and response options.  By the end of the second quarter I expect my colleagues and I in the security services group to be announcing new job opportunities for those who enjoy hunting digital intruders.  MANDIANT is already &lt;a href="http://newton.newtonsoftware.com/career/CareerHome.action?clientId=4028f88c274d9c0b01274e8f98e70141"&gt;hiring&lt;/a&gt; aggressively for security talent, so keep your eyes on the job site for more information.  
&lt;br /&gt;&lt;br /&gt;As you might expect, I plan to continue writing &lt;a href="http://taosecurity.blogspot.com/"&gt;TaoSecurity Blog&lt;/a&gt; and sending &lt;a href="http://twitter.com/taosecurity"&gt;TaoSecurity Tweets&lt;/a&gt;.  I will still provide &lt;a href="http://www.taosecurity.com/training.html"&gt;training&lt;/a&gt; such as TCP/IP Weapons School, but I expect to keep the same low number of classes as was the case with my previous employer.  Currently I will be teaching at &lt;a href="http://www.gtecevent.com/dc/conference/blackhat/tcp-ip.php"&gt;GTEC&lt;/a&gt; in DC on 31 May - 1 June, and then at &lt;a href="http://www.blackhat.com/html/bh-us-11/training/bh-us-11-training_TS-tcpip.html"&gt;Black Hat USA&lt;/a&gt; 30-31 July and again on 1-2 August.  Two classes for USENIX this summer are still in coordination. &lt;br /&gt;&lt;br /&gt;I enjoyed interacting with all of you over the last four years wearing my old hat, and I look forward to staying in touch via social media and at conferences in my new role!  
Thank you.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-8961097953583623034?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/8961097953583623034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=8961097953583623034&amp;isPopup=true' title='16 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8961097953583623034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/8961097953583623034'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/bejtlich-joining-mandiant-as-cso-and.html' title='Bejtlich Joining MANDIANT as CSO and Security Services Architect'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-1JZ-6U0gzVE/TYIFINyqdkI/AAAAAAAACMc/h2Jkgl1vCY8/s72-c/mandiant_logo.png' height='72' 
width='72'/><thr:total>16</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7565787531168862588</id><published>2011-03-16T09:45:00.003-04:00</published><updated>2011-03-16T09:56:51.702-04:00</updated><title type='text'>Report on Instances of US Forces Abroad</title><content type='html'>&lt;img src="https://lh3.googleusercontent.com/_Z-tqVTd9fPI/SKichPDy6NI/AAAAAAAAAj8/oKTgwJSj1Pg/iwojima.jpeg" align=left&gt;Thanks to Steven Aftergood's post &lt;a href="http://www.fas.org/blog/secrecy/2011/03/forces_abroad.html"&gt;Instances of US Forces Abroad&lt;/a&gt; I learned of a new Congressional Research Service report of the same name -- &lt;a href="http://www.fas.org/sgp/crs/natsec/R41677.pdf"&gt;Instances of Use of United States Armed Forces Abroad, 1798-2010&lt;/a&gt; (pdf).  From the introduction:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Eleven times in its history the U.S. has formally declared war against foreign nations. These eleven U.S. war declarations encompassed five separate wars: the war with Great Britain declared in 1812; the war with Mexico declared in 1846; the war with Spain declared in 1898; the First World War, during which the U.S. declared war with Germany and with Austria-Hungary during 1917; and World War II, during which the U.S. declared war against Japan, Germany, and Italy in 1941, and against Bulgaria, Hungary, and Rumania in 1942.&lt;br /&gt;&lt;br /&gt;Some of the instances were extended military engagements that might be considered undeclared wars. These include the Undeclared Naval War with France from 1798 to 1800; the First Barbary War from 1801 to 1805; the Second Barbary War of 1815; the Korean War of 1950-1953; the Vietnam War from 1964 to 1973; the Persian Gulf War of 1991; global actions against foreign terrorists after the September 11, 2001, attacks on the United States; and the war with Iraq in 2003. 
With the exception of the Korean War, all of these conflicts received Congressional authorization in some form short of a formal declaration of war. Other, more recent instances often involve deployment of U.S. military forces as part of a multinational operation associated with NATO or the United Nations.&lt;br /&gt;&lt;br /&gt;The majority of the instances listed prior to World War II were brief Marine or Navy actions to protect U.S. citizens or promote U.S. interests. A number were actions against pirates or bandits. Covert actions, disaster relief, and routine alliance stationing and training exercises are not included here, nor are the Civil and Revolutionary Wars and the continual use of U.S. military units in the exploration, settlement, and pacification of the western part of the United States.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The report includes 28 pages (!) summarizing over 200 years of US military activities on foreign soil.  It's quite a read.  For example, the first entry for China reads:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;1843: China. Sailors and marines from the St. Louis were landed after a clash between Americans and Chinese at the trading post in Canton.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;The first entry for Russia is:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;1818: Oregon. The U.S.S. Ontario, dispatched from Washington, landed at the Columbia River     and in August took possession of Oregon territory. 
Britain had conceded sovereignty but Russia and Spain asserted claims to the area.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;This is a good resource for military historians.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7565787531168862588?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7565787531168862588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7565787531168862588&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7565787531168862588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7565787531168862588'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/report-on-instances-of-us-forces-abroad.html' title='Report on Instances of US Forces Abroad'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='https://lh3.googleusercontent.com/_Z-tqVTd9fPI/SKichPDy6NI/AAAAAAAAAj8/oKTgwJSj1Pg/s72-c/iwojima.jpeg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7929626723323327605</id><published>2011-03-09T09:04:00.003-05:00</published><updated>2011-03-09T09:18:21.043-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blackhat'/><title type='text'>Bejtlich Teaching Special Session of TCP/IP Weapons School at GTEC DC</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-_OPLGLLq7Hk/TXeJtWLC5tI/AAAAAAAACLc/8jf-JVXasvg/s1600/bh_gtec.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 60px;" src="http://1.bp.blogspot.com/-_OPLGLLq7Hk/TXeJtWLC5tI/AAAAAAAACLc/8jf-JVXasvg/s400/bh_gtec.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5582081675288045266" /&gt;&lt;/a&gt;Through a custom arrangement with &lt;a href="http://www.blackhat.com/"&gt;Black Hat&lt;/a&gt; I am pleased to announce that I will teach a special session of &lt;a href="http://www.gtecevent.com/dc/conference/blackhat/tcp-ip.php"&gt;TCP/IP Weapons School 3.0&lt;/a&gt; at the &lt;a href="http://www.gtecevent.com/dc/"&gt;Government Technology Expo &amp; Conference (GTEC)&lt;/a&gt; on Tuesday 31 May and Wednesday 1 June 2011 in Washington, DC.  &lt;br /&gt;&lt;br /&gt;The conference organizers set the price for my class at $2200.  I am not sure if the price increases as we get closer to the class date.  This is a good opportunity for people in the DC area to attend my TWS 3 class without having to pay for travel to Las Vegas, where I will teach &lt;a href="http://taosecurity.blogspot.com/2011/03/bejtlich-teaching-two-sessions-at-black.html"&gt;two sessions of TWS 3 at Black Hat USA&lt;/a&gt; this summer.  
I recommend &lt;a href="https://gtecevent.reg.techweb.com/2011/registrations"&gt;registering&lt;/a&gt; soon because I expect this class to fill quickly due to the DC location.&lt;br /&gt;&lt;br /&gt;Please let me know if you have any questions by posting a comment or sending email to training [at] taosecurity [dot] com.  Thank you.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7929626723323327605?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7929626723323327605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7929626723323327605&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7929626723323327605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7929626723323327605'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/bejtlich-teaching-special-session-of.html' title='Bejtlich Teaching Special Session of TCP/IP Weapons School at GTEC DC'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-_OPLGLLq7Hk/TXeJtWLC5tI/AAAAAAAACLc/8jf-JVXasvg/s72-c/bh_gtec.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5906021387509504433</id><published>2011-03-07T20:52:00.003-05:00</published><updated>2011-03-07T21:38:42.945-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Experts Talk US-China Security Issues, Part 2</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-JEgTMPfBQJk/TXVLWoatLbI/AAAAAAAACK4/OiVrcO8g8Ak/s1600/jamestown_china.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://3.bp.blogspot.com/-JEgTMPfBQJk/TXVLWoatLbI/AAAAAAAACK4/OiVrcO8g8Ak/s400/jamestown_china.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5581450165374234034" /&gt;&lt;/a&gt;Several weeks ago I attended an outstanding one day conference by the &lt;a href="http://www.jamestownfoundation.org/"&gt;Jamestown Foundation&lt;/a&gt; titled &lt;a href="http://www.jamestown.org/media/events/single/?tx_ttnews[tt_news]=37308&amp;tx_ttnews[backPid]=19&amp;cHash=66797387b4f6263ada456bd28d02112b"&gt;China Defense &amp; Security 2011&lt;/a&gt;.  The conference consisted of a series of speakers discussing various aspects of US-China national defense and security.  &lt;br /&gt;&lt;br /&gt;Only one speaker concentrated on digital (or "cyber," love that word) items.  The rest dealt with a wide range of topics.  &lt;br /&gt;&lt;br /&gt;I took several pages of notes that I thought might benefit those not in attendance.  I did not take notes on the one session that was considered "off the record."  
&lt;br /&gt;&lt;br /&gt;In this post I will summarize my second page of notes.  &lt;br /&gt;&lt;br /&gt;Please see &lt;a href="http://taosecurity.blogspot.com/2011/03/experts-talk-us-china-security-issues.html"&gt;Experts Talk US-China Security Issues, Part 1&lt;/a&gt; if you want to see what I discussed prior to this post.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Tai Ming Chung discussed Chinese innovation, specifically the nation's maturation from "imitation to innovation," specifically "architectural defense innovations."  He described three models present in China:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Techno-nationalist "strategic mobilization," such as the Chinese lunar landing program&lt;/li&gt;&lt;br /&gt;&lt;li&gt;"Shanzhai," or "guerilla innovation," in the form of pirating/copying and reverse engineering&lt;/li&gt;&lt;br /&gt;&lt;li&gt;"Collaborative modularity," meaning the "absorption" and integration of foreign technology in joint ventures with the West&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;James Mulvenon was the resident digital security expert.  I knew him from another China-centric forum I try to attend.  He is really sharp and was incidentally the most entertaining speaker.  Mr Mulvenon noted the Chinese and Russians are comfortable using digital means to exploit US weaknesses, while relying on plausible deniability to shield their activities.  In contrast, the US can't even begin to have a public conversation about offensive digital activities.  &lt;br /&gt;&lt;br /&gt;The Chinese see digital attacks differently than US planners.  Chinese military planners saw one of the weaknesses of Saddam Hussein's "defense" of Iraq in the first Gulf War as his reluctance to strike US forces during their six month build-up in the desert.  Chinese planners instead plan to deny and degrade US capabilities by attacking logistics trains prior to actual physical combat.  
Chinese planners also see "cyber" as a "bolt out of the blue" attack, on its own, and not as a "force multiplier" as US planners do.&lt;br /&gt;&lt;br /&gt;The Chinese sometimes launch attacks with hop points within the US so as to confuse US incident responders and to rely on US law to frustrate investigations.&lt;br /&gt;&lt;br /&gt;Mr Mulvenon advised attendees (some of whom wore uniforms of US and allied countries) to "look beyond the intrusion set."  He said to play the Chinese "long game," which focuses on attacks against the US supply chain.  Assume the adversary is already in our "core networks" and plans to stay.  Disregard promises by Chinese vendors to allow inspection of their hardware.  The Chinese will "ship clean" and then introduce malicious software via upgrades, maintenance, and other post-buy actions; a one-time inspection at delivery therefore says little about the product's integrity over its service life.&lt;br /&gt;&lt;br /&gt;Beyond the supply chain problem, Mr Mulvenon described a "longer game" whereby the Chinese seek to minimize US influence over Internet governance.  They want to shift decision making from largely private bodies to government-controlled ones, i.e., from ICANN to the UN ITU.  The Chinese want to remove inputs from non-governmental players and transition to a state-centric influence model where China excels at buying national votes.  &lt;br /&gt;&lt;br /&gt;Unlike the US, China is executing a "coordinated national strategy" to achieve its ends. &lt;br /&gt;&lt;br /&gt;I found this comment very interesting: &lt;b&gt;There is a huge disconnect between cleared and uncleared data sources on the Chinese military.&lt;/b&gt;  In other words, if you're on the "outside," you're likely in the dark!  This is dangerous for policymakers who rely on uncleared advisors.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Dean Cheng explained China's goal to become a "full space power."  He started by discussing the Chinese idea of deterrence, which is not just dissuasion (the US view) but also coercion by imposing a cost-benefit decision upon the adversary.  
China recognizes that information dominance requires space dominance, and it must hold at risk what the US values while challenging the US' ability to operate as it sees fit.&lt;br /&gt;&lt;br /&gt;Mr Cheng wondered how well the PLA executes on its strategy compared to its writings, especially since the Chinese military hasn't fought a shooting war since 1979.&lt;br /&gt;&lt;br /&gt;Mr Cheng noted the Chinese are becoming more vulnerable in space (like the US) as they transition from regional power projection to expeditionary and global power projection.  James Mulvenon interjected that he doesn't think the Chinese recognize how vulnerable they are becoming.  &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Kurt Campbell explained how the US hosted Chinese military visitors in the 1996-1998 timeframe.  US officials took a "Texas approach," basically showing how powerful the US military was.  Initially the Chinese reacted with shock and awe, then as they finished each visit the US delegates could sense the Chinese had decided to respond by growing their own might.  In other words, by saying "look how powerful we are; don't mess with us," the US had convinced the Chinese it was time to strengthen the PLA.  &lt;br /&gt;&lt;br /&gt;China tends to rely more on hiding its strengths and shielding capabilities, following an "unpredictability" strategy.  The PLA says "you don't know how strong we are" until they feel ready to provide a show of force, like destroying a satellite or testing a stealth fighter.  Mr Campbell emphasized the need for "agreed areas of predictability" rather than "trust-building."&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Dennis Blasko discussed the PLA.  He described how "20-30%" of PLA training time is occupied by "political education."  Crucially, 40% of a recruit's training time is spent listening to political education!  (What a waste; good for us, bad for them.)  
In a nod to the Soviet model, Chinese units have two commanders; a military leader, and a "political commissar."  The PLA also hosts a "uniformed civilian cadre" that sounds like a cross between US reservists and government civilians.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Ken Allen described the PLA Air Force.  They operate decent technology but their people, culture, training, and operations are weak.  For example, they rely on O-6s and O-5s to serve as air traffic controllers -- jobs done by enlisted people in the US.  The PLAAF operates over 100 "air force academies."  ("But none so fair that they can compare to the &lt;a href="http://www.usafa.af.mil/"&gt;Air Academy&lt;/a&gt;."  Sorry, my brainwashing came through. Yes, I know it's a stolen Army jody.)&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt; &lt;br /&gt;A few other people spoke, but the notes I summarized here and in my previous post captured the most compelling comments I heard.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-5906021387509504433?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/5906021387509504433/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=5906021387509504433&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/5906021387509504433'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4088979/posts/default/5906021387509504433'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/experts-talk-us-china-security-issues_07.html' title='Experts Talk US-China Security Issues, Part 2'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-JEgTMPfBQJk/TXVLWoatLbI/AAAAAAAACK4/OiVrcO8g8Ak/s72-c/jamestown_china.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-1276741822793804890</id><published>2011-03-07T17:36:00.003-05:00</published><updated>2011-03-07T21:38:27.270-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>Experts Talk US-China Security Issues, Part 1</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-JEgTMPfBQJk/TXVLWoatLbI/AAAAAAAACK4/OiVrcO8g8Ak/s1600/jamestown_china.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://3.bp.blogspot.com/-JEgTMPfBQJk/TXVLWoatLbI/AAAAAAAACK4/OiVrcO8g8Ak/s400/jamestown_china.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5581450165374234034" /&gt;&lt;/a&gt;Several weeks ago I attended an outstanding one day conference by the &lt;a href="http://www.jamestownfoundation.org/"&gt;Jamestown Foundation&lt;/a&gt; titled &lt;a href="http://www.jamestown.org/media/events/single/?tx_ttnews[tt_news]=37308&amp;tx_ttnews[backPid]=19&amp;cHash=66797387b4f6263ada456bd28d02112b"&gt;China Defense &amp; Security 2011&lt;/a&gt;.  
The conference consisted of a series of speakers discussing various aspects of US-China national defense and security.  &lt;br /&gt;&lt;br /&gt;Only one speaker concentrated on digital (or "cyber," love that word) items.  The rest dealt with a wide range of topics.  &lt;br /&gt;&lt;br /&gt;I took two pages of notes that I thought might benefit those not in attendance.  I did not take notes on the one session that was considered "off the record."  &lt;br /&gt;&lt;br /&gt;In this post I will summarize one page of notes.&lt;br /&gt;&lt;br /&gt;For the second page please see &lt;a href="http://taosecurity.blogspot.com/2011/03/experts-talk-us-china-security-issues_07.html"&gt;Experts Talk US-China Security Issues, Part 2&lt;/a&gt;.&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Arthur Waldron cited three ways to view events in China: 1) nothing new is happening; 2) something is happening, but if we had an "expert" in the White House we would be able to deal with it better; or 3) something is happening, but because we're not sure exactly what, it doesn't matter who is in charge.  Mr Waldron advocated option 3.  He emphasized that China sees itself as "country #1.  China has no concept of 'equal states.'"  When talking with Chinese leaders one will hear them mention "those little countries" like Indonesia (population &lt;b&gt;230 million&lt;/b&gt;)!  China likes to use "disciplinary action" with its neighbors, and usually creates "an environment" for action with "statements, complaints, etc., followed by instantaneously decisive force."  In fact, China has a "highly optimistic view of using force," meaning they act when they believe victory is guaranteed.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Willy Lam noted China saw the global economic crisis as "a strategic window of opportunity" to assert Chinese values and power.  
He cited a number of Chinese leaders and thinkers.&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Yuan Peng says "China wants to change the rules of the game" of global interactions.  &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Liu Jiahua says "As America shrinks, China expands." The US increasingly needs China as the US' ability to "contain" China decreases.  &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Dai Bingguo says China must "maintain socialism, national security, government and territorial integrity, and sustain economic and social development." &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Han Xudong recommends only "advertising" national interests and capabilities as the Chinese military develops their ability to defend them.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;General Yang Yi sees a "zero sum game in the military sphere."  This helps explain why the Chinese see no value in military-to-military relationships with the West.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Xi Jinping (the next president) has closer ties to the PLA than his predecessors.  The PLA, in fact, is the power base of the "Gang of Princelings" gaining power in China.  Mr Lam worried that Chinese development interests remind him of pre-war Germany's "lebensraum," with Chinese interests stated as ranging from the South China Sea to the Yellow Sea, and even into outer space (i.e., mineral development on other planets.)  Mr Lam also noted China's tendency to play countries and regions against each other (e.g., the US vs the EU), to pit companies against each other (e.g., Boeing vs Airbus), and increasing use of "rare earth diplomacy" (e.g., with Japan) in order to get its way.  Mr Lam dismissed notions that President Hu was ignorant of the J-20 stealth fighter test, partly because he is one of the 12 members of China's Central Military Commission. &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Michael Green discussed international relations.  China has been surprised in 2010 to learn that "Asia has an appetite for a balance of power."  
Mr Green said 2010 was the "worst year in Chinese diplomacy since 1989."  In fact, Japan started the year with its new government trying to cozy up to China, only to end the year closer to the US after numerous debacles.  South Korea was similarly upset after China failed to condemn North Korea's shelling of Southern territory and killing of Southern citizens.  The ASEAN forum transformed from an exceptionally boring event (minus the dress-ups and skits) to a complaint shop against China.  Even outside Asia, China is seen as dangerous: more Europeans than Americans feel threatened!  &lt;br /&gt;&lt;br /&gt;Mr Green is worried about the rise of the PLA.  He said it operates without oversight, very differently than the US military.  Chinese civilian leaders don't see what the Chinese military does at sea or in the air.  Mr Green concluded by noting Asia's growing trade dependency on China and security dependence on the United States.  He recommended a rebalancing act led by US-Asia trade.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Shuai Hua-Ming, Legislator, Foreign Affairs and Defense Committee, Republic of China (Taiwan) could not get his .pdf slide presentation to work.  It kept crashing Acrobat 9 on Windows XP.  Yes, you know what I'm thinking.  On the policy front, he advocated the US holding the Chinese government accountable for PLA actions.  
He was not optimistic about US-Chinese military discussions, calling them a "secondary tool."&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;In my next post I'll summarize my second page of notes.&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-1276741822793804890?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/1276741822793804890/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=1276741822793804890&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1276741822793804890'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/1276741822793804890'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/experts-talk-us-china-security-issues.html' title='Experts Talk US-China Security Issues, Part 1'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-JEgTMPfBQJk/TXVLWoatLbI/AAAAAAAACK4/OiVrcO8g8Ak/s72-c/jamestown_china.jpg' 
height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-7140938735922839485</id><published>2011-03-07T11:22:00.002-05:00</published><updated>2011-03-25T22:01:59.823-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reviews'/><title type='text'>Review of Cyber Attacks Posted</title><content type='html'>&lt;img src="http://ecx.images-amazon.com/images/I/618vRyi05-L._AA200.jpg" align=left&gt;&lt;a href="http://www.amazon.com/gp/cdp/member-reviews/A2ZVOU9X5W2S47/"&gt;Amazon.com&lt;/a&gt; just posted my three star review of Cyber Attacks by Edward Amoroso.  From the &lt;a href="http://www.amazon.com/review/R22T6J8PGUQ022/ref=cm_cr_pr_perm?ie=UTF8&amp;ASIN=0123849179&amp;nodeID=&amp;tag=&amp;linkCode="&gt;review&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Writing a book isn't easy, especially when you're trying to develop a framework and solutions that apply to a topic as vast as protecting national infrastructure. I applaud Dr Amoroso's efforts in Cyber Attacks, but I fear he is solving yesterday's problems with yesterday's answers. This book might have been more relevant in 2006 when one could have plausibly pointed to botnets as "clearly the most important security issue on the Internet today" as Dr Amoroso oddly says on p 12. Unfortunately for readers, Cyber Attacks does not have the perspective needed to provide workable solutions to modern problems. 
&lt;/i&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-7140938735922839485?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7140938735922839485/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=7140938735922839485&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7140938735922839485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/7140938735922839485'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/review-of-cyber-attacks-posted_07.html' title='Review of Cyber Attacks Posted'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-3840674455723025381</id><published>2011-03-05T14:57:00.004-05:00</published><updated>2011-03-05T15:05:58.441-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='blackhat'/><title type='text'>Bejtlich Teaching Two Sessions at Black Hat USA 2011</title><content 
type='html'>&lt;img src="http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s200/blackhat.jpg" align=left&gt;In January I taught the first &lt;a href="https://www.blackhat.com/html/bh-dc-11/training/bh-dc-11-training_TS-tcpip.html"&gt;TCP/IP Weapons School 3.0&lt;/a&gt; class at &lt;a href="https://www.blackhat.com/html/bh-dc-11/bh-dc-11-home.html"&gt;Black Hat DC 2011&lt;/a&gt;.  This is a completely new class written from the ground up.  I'm very pleased with how it has developed and the students enjoyed the new content.  For example, one of the feedback comments was the following:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;"I felt that the pace and level of difficulty was well managed, and the defense-then-offense aspect was a great way to learn!"&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;I'm happy to announce that &lt;a href="http://www.blackhat.com/html/bh-us-11/registration/bh-us-11-registration.html"&gt;registration&lt;/a&gt; for &lt;a href="http://www.blackhat.com/html/bh-us-11/training/bh-us-11-training_TS-tcpip.html"&gt;TCP/IP Weapons School 3.0&lt;/a&gt; at &lt;a href="http://www.blackhat.com/html/bh-us-11/bh-us-11-home.html"&gt;Black Hat USA 2011&lt;/a&gt; is now open.  I will teach two sessions, on 30-31 July and 1-2 August in Las Vegas.  
&lt;br /&gt;&lt;br /&gt;Black Hat has four remaining price points and deadlines for registration.&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Early ends 30 April&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Regular ends 15 June&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Late ends 29 July&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Onsite starts at the conference&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Seats are filling -- it pays to register early!&lt;br /&gt;&lt;br /&gt;While keeping the distinctions from other offerings that I described &lt;a href="http://taosecurity.blogspot.com/2009/12/difference-between-bejtlich-class-and.html"&gt;last year&lt;/a&gt;, I've extended this third version of the class to include explicit offensive and defensive portions.  Students will receive two VMs, one running a modified version of Doug Burks' &lt;a href="http://securityonion.blogspot.com/"&gt;SecurityOnion&lt;/a&gt; distro as an attack/monitor platform, and the second running a Windows workstation as a victim platform.  &lt;br /&gt;&lt;br /&gt;The purpose of this class is to develop the investigative mindset needed by digital security professionals.  Junior- to intermediate-level security and information technology (IT) staff are the intended audience.  The class is a balance of discussion and hands-on labs.  &lt;br /&gt;&lt;br /&gt;Defensive aspects of the labs emphasize how to discover suspicious and malicious activity in network and log evidence.  Offensive aspects of the labs offer the student a chance to do the same sorts of actions that caused the suspicious and malicious activity in the labs.  I encourage students to keep an open mind and feel free to expand their interaction with the labs beyond the required material.  
Take advantage of this time away from the office to enjoy defensive and offensive aspects of the digital security arena!&lt;br /&gt;&lt;br /&gt;I do not have any other classes scheduled, although my &lt;a href="http://www.taosecurity.com/training.html"&gt;training&lt;/a&gt; page lists a few other possibilities.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;a href="http://twitter.com/share" class="twitter-share-button" data-count="horizontal" data-via="taosecurity"&gt;Tweet&lt;/a&gt;&lt;script type="text/javascript" src="http://platform.twitter.com/widgets.js"&gt;&lt;/script&gt;&lt;div class="blogger-post-footer"&gt;Copyright 2003-2011 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4088979-3840674455723025381?l=taosecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/3840674455723025381/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4088979&amp;postID=3840674455723025381&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3840674455723025381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/posts/default/3840674455723025381'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2011/03/bejtlich-teaching-two-sessions-at-black.html' title='Bejtlich Teaching Two Sessions at Black Hat USA 2011'/><author><name>Richard 
Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://4.bp.blogspot.com/_Z-tqVTd9fPI/Sc534PEbaOI/AAAAAAAABRA/QqNqPpGlDt4/S220/bejtlich_dcbsdcon2009_crop.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Z-tqVTd9fPI/R4_4pDL3mnI/AAAAAAAAARg/2BJsXzFO9s0/s72-c/blackhat.jpg' height='72' width='72'/><thr:total>2</thr:total></entry></feed>
