Saturday, October 06, 2007

Intruders Continue to Be Unpredictable

One of my three basic security principles is that advanced intruders are unpredictable. Believing you can predict what intruders are going to do next results in soccer-goal security. As I said in "Pescatore on Security Trends," advanced attackers are digital innovators. I think I will start calling advanced intruders intrupreneurs.

I just read and watched great examples of this principle in action courtesy of pdp at "CITRIX: Owning the Legitimate Backdoor." I recommend reading the post and watching the two videos. If you are practicing Network Security Monitoring, I recommend querying your session data for all incoming Citrix traffic, for as far back as you have stored, for unusual or unexpected activity. If you are not practicing NSM already, I suggest beginning emergency NSM to watch your Citrix servers.

It's important to realize that you may not even know you have certain Citrix servers active on your network. The flip side of the "intruders are unpredictable" principle is that your network is probably unpredictable too! In other words, you could be happy thinking "we have no Citrix servers," but after looking via NSM you find you do. It's probable a bad guy found them before you did, but courtesy of NSM you have data about what happened. More often than not, that's the best you can do with your time and resources.
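One way to run the session-data query described above, as an added example that is not from the original post or from pdp's write-up. It assumes the default Citrix ports (ICA on 1494/tcp, session reliability on 2598/tcp), RFC 1918 internal addressing, a hypothetical CSV export of session records, and a constructed sample data set and server inventory.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions, not from the post: Citrix ICA on 1494/tcp and session
# reliability (CGP) on 2598/tcp; RFC 1918 space is the internal network.
CITRIX_PORTS = {1494, 2598}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed session records in a hypothetical CSV export format.
SAMPLE = """\
start,src_ip,dst_ip,dst_port,proto,src_bytes,dst_bytes
2007-09-30T22:41:10,203.0.113.50,10.1.9.77,2598,tcp,9120,88211
2007-09-28T03:15:44,203.0.113.50,10.1.9.77,1494,tcp,20311,514002
2007-10-01T09:12:03,198.51.100.7,10.1.2.20,1494,tcp,18234,402113
2007-10-01T09:12:05,198.51.100.7,10.1.2.20,443,tcp,1200,5300
2007-10-02T11:00:00,203.0.113.9,10.1.2.21,1494,tcp,0,0
2007-10-02T14:30:12,10.1.5.5,10.1.2.20,1494,tcp,7000,91000
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def inbound_citrix(records, known_servers):
    """Summarise answered external-to-internal Citrix sessions per server."""
    summary = defaultdict(lambda: {"sessions": 0, "sources": set(),
                                   "first_seen": None, "known": False})
    for r in csv.DictReader(io.StringIO(records)):
        if r["proto"] != "tcp" or int(r["dst_port"]) not in CITRIX_PORTS:
            continue
        if is_internal(r["src_ip"]) or not is_internal(r["dst_ip"]):
            continue  # keep only sessions crossing the boundary inbound
        if int(r["dst_bytes"]) == 0:
            continue  # nothing answered, so no evidence of a listener
        s = summary[r["dst_ip"]]
        s["sessions"] += 1
        s["sources"].add(r["src_ip"])
        s["first_seen"] = min(filter(None, (s["first_seen"], r["start"])))
        s["known"] = r["dst_ip"] in known_servers
    return dict(summary)

def unexpected_servers(summary):
    """Servers that answered inbound Citrix traffic but are not in inventory."""
    return sorted(ip for ip, s in summary.items() if not s["known"])

if __name__ == "__main__":
    result = inbound_citrix(SAMPLE, known_servers={"10.1.2.20"})
    for ip in unexpected_servers(result):
        print(ip, result[ip])
```

Servers returned by `unexpected_servers` are the "we have no Citrix servers" case: the `first_seen` and `sources` fields show how far back the inbound activity goes and where it came from.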


Marcin said...

I would love to see a realistic comparison of the cost of a project to roll out, and maintain, VPN-only access to the corporate network vs. the estimated cost of handling a Citrix server compromise.

On the other hand, given the amount of hand waving visible in any discussion on the "cost of compromise" or "our _threat_ model", I do not think that that is feasible. It's a shame, and a nasty reminder of how immature current corporate ITSec practice is.

Tomas said...

I found the following at Citrix Systems Inc.'s web page:

Citrix’s passion is to simplify information access for everyone. As the only enterprise software company 100% focused on access, this is also our unique passion.

... Higher Productivity—Users need access to be invisible. They want easy, on-demand access from wherever they are, using any device and network.

So Citrix wants to simplify information access for everyone and make it invisible.

MTS said...

Most network intruders are not stupid. It takes a great deal of skill to circumvent network boundary defenses. Sure, there are script kiddies and automated bots, but when the network defenses are complex, so too are the intruders.