Monday, August 06, 2007

Black Hat Final Thoughts

Based on my summaries of the talks I saw on day one and two of Black Hat USA 2007, some of you have called me "depressed" or "negative." I call it realistic and largely historic. Nothing I described was brand new the day I saw it. Most if not all of everything I saw was already discussed in public forums or private groups. Sometimes it takes a live explanation by a real expert to synthesize and demonstrate the technique to make it come to life and help attendees connect the dots. This was certainly the case for me and I expect other people too.

I've spent almost my whole career watching defenses fail and then trying to contain and remove the mess. The fact that nothing has reduce my workload during the last decade indicates our approach to this problem is not working. I attend Black Hat so I can get semi-clued-in to attack techniques, and I recommend everyone else who cares about how they are already being abused attend or ask someone who attended to summarize what he or she learned.

The fact that you do not know you are being compromised does not mean it is not happening. This is a fundamental problem with digital security. Consider the analog world.

  • If a house is robbed by amateurs while the owner is away, upon return even the most ignorant person will likely notice the breach.

  • If a house is bugged by professionals while the owner is away, upon return even the most vigilant person will likely miss the breach.

Consider the digital equivalent.

  • If a digital asset is compromised by amateurs while the owner is away, upon return the ignorant person will definitely not notice the breach, and a vigilant person might notice the breach.

  • If a digital asset is compromised by professionals while the owner is away, upon return even the most vigilant person will be hard pressed to notice the breach. Everyone else is hopeless.

Observe a key element of these observations is vigilance. I liked Tate Hansen's post Attackers will win so what can you do? because it alludes to this thought. Here are my three recommendations.

  1. Monitor everything you can, within the bounds of legal, political, and technical means. The absolute first priority for any digital security operation is to know what is happening. Bruce Schneier was so right in 2001 when he wrote Monitoring First. If you think I am hopeless but you believe in Bruce, then read what he wrote. It's as relevant today as ever.

    Monitoring is to the digital world as accounting is to the financial world. How can any company expect to stay in business if its bleeding money? Similarly, how can any enterprise preserve confidentiality, integrity, and availability of digital assets if the state of those assets is unknown?

    When I talk of monitoring, keep in mind three data sources; these are terms I'm using from here forward.

    • First order monitoring observes the attack as it happens. It's difficult if not impossible to accomplish this. Because you can't stop what you can't see, preventing intrusions is increasingly impossible for all or most cases.

    • Second order monitoring observes continuation of the incident. These are signs following compromise, like installation and use of a back door, command-and-control, exfiltration of data, and the like. This is difficult to detect but potentially not as difficult as the first order case.

    • Third order monitoring observes consequences of the incident. This includes discovery of your company's IPs in botnet command-and-control channels or Web sites, finding sensitive company documents on p2p networks, the release by your competitor of a new product based on your design, and related events. These are easier to detect but usually difficult to tie to a specific incident.

    My final comment on monitoring is this: monitoring helps prioritize resources. If you instrument your platforms, OS, applications, and data, you can see how they are being abused. Then you direct resources to mitigate the most pressing problems.

    Consider the 2002 CERT advisory on SNMP vulnerabilities. At the time it looked like the end of the world because everyone was vulnerable. My clients basically didn't care, because I was watching for any SNMP traffic to or from their sites. Guess what -- I hardly saw anything (and SNMP is easy to see if you're wondering.) Because I didn't see recon or exploitation, I advised my clients to concentrate on problems I did see being probed or attacked.

    It's the same situation a battlefield commander faces. Without on-scene situational awareness, how do you know if you need to reinforce your flank or commit your reserves to defending the center? If you have no clue and you guess wrong, you lose. Let's manage by fact instead of belief if we want to win.

  2. Force vendors to ship feature-disabled applications by default. I don't want my Flash viewer to initiate sockets to hosts on my internal network. Alternatively, let my security team, IT department, or PC vendor decide how my machine should be configured, then let me make changes if I decide I do want Flash to initiate connections. Let's face it: the Web browser is the new operating system. Securing the OS is great but it's all about the features and configuration of your Web browser and its embedded rich media content rendering applications. Reducing our application exposure will limit the risk.

  3. Force our governments to focus on the threat. Techies like technical solutions. This is not working. We have to take the fight to the enemy by removing the threat, not countering their tools.

    We cannot code, block, or patch our way out of this situation. We have to deter, investigate, apprehend, prosecute, and incarcerate threats. It's the only approach that has ever had a chance to work in the real world. As the digital world continues to resemble and in some ways surpass the analog world, why do we think we are smart enough to reject 3,000 years of human history and rely on technical means to solve this problem?

    If you don't believe me, please read my next post.