Intruders Continue to Be Unpredictable

One of my three basic security principles is advanced intruders are unpredictable. Believing you can predict what intruders are going to do next results in soccer-goal security. As I said in Pescatore on Security Trends, advanced attackers are digital innovators. I think I will start calling advanced intruders intrupreneurs.

I just read and watched great examples of this principle in action courtesy of pdp at CITRIX: Owning the Legitimate Backdoor. I recommend reading the post and watching the two videos. If you are practicing Network Security Monitoring I recommend querying your session data for all incoming Citrix traffic, for as far back as you have stored, for unusual or unexpected activity. If you are not practicing NSM already I suggest beginning emergency NSM to watch your Citrix servers.

It's important to realize that you may not even know you have certain Citrix servers active on your network. The flip side of the intruders are unpredictable principle is that your network is probably unpredictable too! In other words, you could be happy thinking "we have no Citrix servers," but after looking via NSM you find you do. It's probable a bad guy found them before you did, but courtesy of NSM you have data about what happened. More often than not, that's the best you can do with your time and resources.

Comments

Marcin Antkiewicz said…
I would love to see a realistic comparison of a cost of project to roll out, and maintain, vpn-only access to the corporate network vs. the estimated cost of handling a citrix server compromise.

On the other hand, given the amount of hand waving visible in any discussion on the "cost of compromise" or "our _threat_ model", I do not think that that is feasible. It's a shame, and a nasty reminder of how immature is current corporate ITSec practice.
12:47 AM
Tomas said…
I found the following at Citrix Systems Inc.'s web page:

Citrix’s passion is to simplify information access for everyone. As the only enterprise software company 100% focused on access, this is also our unique passion.

... Higher Productivity—Users need access to be invisible. They want easy, on-demand access from wherever they are, using any device and network.


So Citrix wants to simplify information access for everyone and make it invisible.
4:33 AM
Anonymous said…
Most network intruders are not stupid. It takes a great deal of skill to circumvent network boundary defenses. Sure, there are script kiddies and automated bots, but when the network defenses are complex, so too are the intruders.
1:45 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more