Five Blog Posts You Should Read
I found the following five posts to be very interesting. You might too:
The first four are more conceptual, dealing with the need to collapse security measures around data instead of hosts. The fifth is a report of an incident with some decent details.
- Playing for Keeps Across the Board
- Andre Durand -- Firewall This
- Information Security Must Evolve
- Data Protection -- It's More Than A + B + C
- Team Evil: Incident 2
Comments
I've read through the SecuriTeam PDFs twice today, and I'm a little confused...the more I dig, the less meat I find.
For example, the first document says twice on pg. 8 how there was an active, on-going battle between the bad guys and the IR team...but the rest of the document didn't really mention anything about that "battle". Pages 9 - 11 provided 12 steps that the IR staff followed, but there wasn't really any mention of the IR staff being blocked or stymied by active attacks from the bad guys.
Also, there seemed to be some odd significance of "SIMBAR" in the user-agent portion of the web logs. The write-ups provided no support for why the authors assumed that the remote system was infected with adware, nor was any real significance attached to this info. From the second PDF, yes, it *could* indicate that the same system was being used to attack, but adware is by its very nature pervasive, so is that really a good indicator (i.e., that two entries with "SIMBAR" in the user-agent field indicate that the same system was used)?
While I applaud the author's efforts, I was hoping for more, I suppose.
"A battle is an instance of combat in warfare between two or more parties wherein each group will seek to defeat the others". Steps 10 and 11 in the document talk about having the IR team and the attackers on the same machine, one trying to defend and one trying to attack; this is the battle. The race to conquer the server. Both sides armed with the same weapons, trying to block each other's IPs and gain domination on the server.
The SIMBAR, well - http://vil.nai.com/vil/content/v_131206.htm
And as I said it doesn't really matter what added the "SIMBAR Enabled" to the user-agent. The idea is that the attacker user-agent contained a string that helped to pinpoint his traffic in the logs. Finding SIMBAR in the second incident may have been coincidence, but once again it helped us to mark the intruder's activity.
Furthermore, it was mentioned that there were a few computers involved in both incidents. The "Simbar" computer was involved in the initial attack and uploaded some tools in both of the incidents. It is possible to think that if you see, in two attacks on your machine from the same hacking group, the same special user agent doing the same actions, that it might be the same attacker. One can't prove it's him, yet it won't be an unsupported assumption.
Sorry, my friend, but I still don't see that. Step 10 says that there was a user on the system attempting to run an exploit, but mentions nothing whatsoever about a "battle" that occurred between the responders and the user. Was the user deleting stuff as the responders watched? How was there a battle? I get the impression that it's being left to the imagination of the reader. Step 11 lists further responder actions, but none of them is listed in relation to what the attacker was doing.
Both sides armed with the same weapons, trying to block each other's IPs and gain domination on the server.
Now, it would have been cool if you'd said that. Instead, there's nothing that mentions anything about trying to block each others IPs.
...it doesn't really matter what added the "SIMBAR Enabled" to the user-agent.
Agreed. However, the assumption that the system was infected with adware was prominent in both reports. Perhaps it would've been better had the authors stuck solely to the issue of using the string to track activity...that's a useful technique that can be incorporated by responders who are reading the document(s).
...there were a few computers involved in both incidents
...and...
It is possible to think that if you see in two attacks on your machine from same hacking group...
Yes, but that's an assumption nonetheless, regardless of how accurate it is in the final analysis. You said it yourself... SIMBAR could be related to adware. By its very nature, adware is pervasive. Wouldn't it also be possible that two individuals in the same "hacking group" had gone to the same web site and been infected with the adware?
Look, don't get me wrong...I'm not trying to bust your chops here. I think that what the authors provided is a great start...really, I do. People love to read this kind of thing. However, there were a lot of statements made about the documents that I feel, in the end, were left to the imagination of the reader to fill in the blanks. Richard mentioned "focus and rigor" in another post on his blog...I see on an almost daily basis how assumptions can focus the direction and actions of responders.
Again, I applaud the authors for their efforts.
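The log-correlation technique the two commenters argue over above (pivoting on a distinctive User-Agent substring such as "SIMBAR Enabled" to mark an intruder's requests, then asking whether the requests it marks actually belong to one actor) is worth seeing in working form. The following is an added example, not code from the original post or from the SecuriTeam reports. It assumes Apache "combined" log format; the log lines, IP addresses, paths and the User-Agent strings are constructed for illustration, and the function names are mine.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed format for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: two visits two days apart share the same odd
# User-Agent marker, a third host carries the marker but only browses,
# and one host has an ordinary browser UA.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2006:03:14:07 +0000] "GET /forum/index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SIMBAR Enabled)"
203.0.113.5 - - [10/Jul/2006:03:14:09 +0000] "GET /tmp/tool.txt HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SIMBAR Enabled)"
198.51.100.23 - - [10/Jul/2006:03:20:41 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20060508 Firefox/1.5.0.4"
192.0.2.77 - - [12/Jul/2006:22:01:13 +0000] "GET /tmp/tool.txt HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SIMBAR Enabled)"
192.0.2.77 - - [12/Jul/2006:22:01:15 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SIMBAR Enabled)"
198.51.100.9 - - [12/Jul/2006:22:05:00 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SIMBAR Enabled)"
"""


def parse(lines):
    """Yield one dict per log line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def requests_with_marker(entries, marker):
    """Requests whose User-Agent contains the marker substring (case-insensitive)."""
    needle = marker.lower()
    return [e for e in entries if needle in e["ua"].lower()]


def sources_by_marker(entries, marker):
    """Map source IP -> set of paths requested, for marked requests only.
    This is the 'mark the intruder's activity' step from the reports."""
    out = defaultdict(set)
    for e in requests_with_marker(entries, marker):
        out[e["ip"]].add(e["path"])
    return dict(out)


def corroborate(by_ip):
    """For every pair of source IPs that share the marker, list the paths both
    requested. A shared UA string alone is weak evidence that two sources are
    the same actor (adware is pervasive); overlap in the specific resources
    touched is the corroboration a responder should look for before asserting it."""
    ips = sorted(by_ip)
    overlaps = {}
    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            overlaps[(a, b)] = sorted(by_ip[a] & by_ip[b])
    return overlaps


MARKER = "SIMBAR Enabled"
ENTRIES = list(parse(SAMPLE_LOG.splitlines()))
BY_IP = sources_by_marker(ENTRIES, MARKER)
OVERLAP = corroborate(BY_IP)

if __name__ == "__main__":
    for ip, paths in sorted(BY_IP.items()):
        print(f"{ip}: {sorted(paths)}")
    for (a, b), shared in OVERLAP.items():
        verdict = "corroborated by shared paths" if shared else "UA match only"
        print(f"{a} <-> {b}: {verdict} {shared}")
```

On the constructed sample, 203.0.113.5 and 192.0.2.77 both carry the marker and both fetched /tmp/tool.txt, which is the kind of "same user agent doing the same actions" the reply above relies on; 198.51.100.9 carries the marker but shares nothing else, which is exactly the pervasive-adware false positive the other commenter warns about. The output is still only a lead, not proof, but the overlap column makes the strength of the inference visible instead of leaving it to the reader's imagination.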