TaoSecurity Blog

In today's SANS ISC journal, the story IP Address Range Search with libpcap wonders how to accomplish the following: ...how to find SYN packets directed to natted addresses where an attempt was made to connect or scan a service natted to an internal resource. I used this filter for addresses located in the range 192.168.25.6 to 192.168.25.35. The proposed answer is this: tcpdump -nr file '((ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] > 0x06)\ and (ip[16:2] = 0xc0a8 and ip[18] = 0x19 and ip[19] I am sure it's clear to everyone what that means! Given my low success rate in getting comments posted to the SANS ISC blog, I figured I would reply here. Last fall I wrote Using Wireshark and Tshark display filters for troubleshooting . Wireshark display filters make writing such complex Berkeley Packet Filter syntax a thing of the past. Using Wireshark display filters, a mere mortal could write the following: tshark -nr file 'tcp.flags.syn and (ip.dst > 192.168.25.6 ...

Yesterday I mentioned a speech by my CEO, Jeff Immelt. Charlie Rose also interviewed Mr Immelt last week. In both scenarios Mr Immelt talked about preserving long-term competitiveness. Two of his themes were funding research and development and ensuring the native capability to perform technical tasks. It occurred to me that digital security is reflected in both themes. In Crisis 0: Game Over I asked I'm sure some savvy reader knows of some corporate espionage case that ended badly for the victim, i.e., bankruptcy or the like? I got a few interesting cases, but I believe the net result is that it is difficult to find examples where an intrusion or breach was so devastating that it ended up destroying the victim organization. This makes sense once you reflect on it. Why would a mature, thoughtful intruder seek to destroy his victim, if the purpose of his mission is to conduct espionage on behalf of a competitor or intelligence service? Destroying the victim renders it us...

I'm not a big fan of just publishing links to other people's stories, but there's a few that I really like this week. Please consider checking these out: Nate Richmond wrote Building an IR Team: People and Building an IR Team: Organization . These posts are gold for anyone trying to build an IR team on their own, or trying to benchmark against an expert's recommendation. Keep writing Nate! Alec Waters caught my attention with his post Prevention Eventually Fails, part one . Anyone who read my first book recognizes my catchphrase "Prevention eventually fails." Alec's posts look interesting! My CEO delivered a great speech this week, viewable at American Renewal: Immelt addresses Detroit Econ Club and readable at Text of Immelt's Speech . This caught my eye: In some areas, we have outsourced too much. We plan to "insource" capabilities like aviation component manufacturing and software development . These are the things we will be work...

Earlier this month I wondered How much to spend on digital security . I'd like to put that question in a different light by imagining what a black hat could do with a $1 million budget. The ideas in this post are rough approximations. They certainly aren't a black hat business plan. I don't recommend anyone follow through on this, although I am sure there are shops our there who do this work already. Let's start by defining the mission of this organization, called Project Intrusion (PI). PI is in "business" to steal intellectual property from organizations and sell it to the highest bidders. In the course of accomplishing that mission, PI may develop tools and techniques that it could sell down the food chain, once PI determines their utility to PI has sufficiently decreased. With $1 million in funding, let's allocate some resources. Staff. Without people, this business goes nowhere. We allocate $750,000 of our budget to salaries and benefits to hi...

After my last post, some of you are probably thinking that it's easy to be a critic, but what would I suggest instead? The answer is simple to name but difficult to implement. Operate a defensible network architecture . Hardly anyone does. I don't need to explain all of the reasons why here; they could occupy a series of posts, or maybe even a book. Once the DNA is operating, detect and respond to failures. The nice aspect of operating a DNA is that the number of failures should be lower but of higher complexity. Unfortunately at the moment almost all of the world's detection and response teams have to deal with the entire spectrum of security incidents. These range from the most mundane to the most complex. Too often the mundane hide the complex, or at the very least divert resources and attention. Use the knowledge learned from failures (either caused by adversaries or adversary simulation) to guide the next version of the DNA. Since most enterprises are not...

I read Anton Chuvakin's post MUST READ: Best Chapter From “Beautiful Security” Downloadable! with some interest. He linked to a post by Mark Curphey pointing out that Mark's chapter from O'Reilly's new book Beautiful Security was available free for download in .pdf format. O'Reilly had been kind enough to send me a copy of the book, so I decided to read Mark's chapter today. I found the following excerpts interesting. Builders Versus Breakers Security people fall into two main categories: Builders usually represent the glass as half full. While recognizing the seriousness of vulnerabilities and dangers in current practice, they are generally optimistic people who believe that by advancing the state they can change the world for the better. Breakers usually represent the glass as half empty, and are often so pessimistic that you wonder, when listening to some of them, why the Internet hasn’t totally collapsed already and why any of us have money left unpilfe...

The agenda for the second SANS WhatWorks Summit in Forensics and Incident Response has been posted. I am really happy to see I am speaking on Tuesday, because I will not be available Wednesday. Day 1 appears mainly technical, and day 2 is mainly legal. Please consider registering for the two-day conference. It's the best incident response event in the US this year! Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Today is an historic day for our profession, and for my American readers, our country. As reported in The Washington Post and by several of you, today Secretary Gates ordered the creation of U.S. Cyber Command, a subordinate unified command under U.S. Strategic Command . The NSA Director will be dual-hatted as DIRNSA and CYBERCOM Commander, with Title 10 authority, and will be promoted to a four-star position. Initial Operational Capability for CYBERCOM is October 2009 with Full Operational Capability planned for October 2010. Prior to CYBERCOM achieving FOC, the Joint Task Force - Global Network Operations (JTF-GNO) and the Joint Task Force - Network Warfare (JTF-NW) will be "disestablished." As one of my friends said: "Step one to your Cyber Service -- what will the uniforms look like?" Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Karolina at BSD Magazine wanted me to let you know that she has posted a free .pdf issue online . I mentioned this issue last year and its focus is OpenBSD. Check it out, along with Hakin9 ! Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

Automation is often cited as a way to "do more with less." The theory is that if you can automate aspects of security, then you can free resources. This is true up to a point. The problem with automation is this: Automated defenses are the easiest for an intruder to penetrate, because the intruder can repeatedly and reliably test attacks until he determines they will be successfully and potentially undetectable. I hope no one is shocked by this. In a previous life I worked in a lab that tested intrusion detection products. Our tests were successful when an attack passed by the detection system with as little fuss as possible. That's not just an indictment of "IDS"; that approach works for any defensive technology you can buy or deploy off-the-shelf, from anti-malware to host IPS to anything that impedes an intruder's progress. Customization and localization helps make automation more effective, but that tends to cost resources. So, automation by itsel...

You know you're an important when someone announces a "Month of Bugs" project for you. July will be the Month of Twitter Bugs , brought to my attention in this story by Robert Westervelt . The current project is led by a participant in the Month of Browser Bugs from three years ago named Avi Raff. I don't see projects like that as being irresponsible. What would be more irresponsible is selling the vulnerabilities to the underground. Would the critics prefer that? In many cases, "Month of" projects are the result of running into resistance from developers or managers are not taking vulnerabilities seriously. In many cases the vulnerabilities are already being exploited. Sure, packaging all of the vulnerabilities into a "Month of" project gains attention, but isn't that the point? Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

In my last post I described how a Red Team can improve defense. I wanted to expand on the idea briefly. First, I believe the modern enterprise is too complex for any individual or group to thoroughly understand how it can be compromised. There are so many links in the chain that even knowing they exist, let alone how they connect, can be impossible. To flip that on its end, in a complementary way, the modern enterprise is too complex for any individual or group to thoroughly understand how its defenses can fail. The fact that vendors exist to reduce firewall rule sets down to something intelligible by mere mortals is a testament to the apocalyptic fail exhibited by digital defenses. Furthermore, it is highly likely that hardly anyone cares about attack models until they have been demonstrated . We seen this repeatedly with respect to software vulnerabilities. It can be difficult for someone to take a flaw seriously until a proof of concept is shown to exploit a victim. L0pht...

If you've listened to anyone talking about the Top 20 list called the Consensus Audit Guidelines recently, you've probably heard the phrase "offense informing defense." In other words, talk to your Red Team / penetration testers to learn how they can compromise your enterprise in order to better defend yourself from real adversaries. I think this is a great idea, but there isn't anything revolutionary about it. It's really just one step above the previous pervasive mindset for digital security, namely identifying vulnerabilities. In fact, this neatly maps into my Digital Situational Awareness ranking. However, if you spend most of your time writing policy and legal documents, and not really having to deal with intrusions, this idea probably looks like a bolt of lightning! And speaking of the Consensus Audit Guidelines: hey CAG! It's the year 2000 and the SANS Top 20 List wants to talk to you! The SANS/FBI Top Twenty list is valuable because the m...

One of you asked me to comment on Pete Herzog's "Möbius Defense" . I like Lego blocks, but I don't find the presentation to be especially compelling. Pete seems to believe that NSA developed "defense in depth" (DiD) as a strategy to defend DoD networks after some sort of catastrophic compromise in the 1970s. DiD as a strategy has existed for thousands of years. DiD was applied to military information well before computers existed, and to the computers of the time before the 1970s as well. Pete says DiD is "all about delaying rather than preventing the advance of an attacker... buying time and causing additional casualties by yielding space... DiD relies on an attacker to lose momentum over time or spread out and thin its massive numbers as it needs to traverse a large area... All the while, various units are positioned to harm the attacker and either cause enough losses in resources to force a retreat or capture individual soldiers as a means of thin...

A blog reader recently asked the following question: I recently accepted a position and was shocked to learn, I know this shouldn't have happened, that Information Security/Warfare is largely an afterthought even though this organization has had numerous break ins. Many of my peers have held their position for one or even two decades and are great people yet they are not proactively preparing for modern threat/attack vectors. I believe the main difference is that they are satisfied with the status quo and I am not. I have written a five-year strategic plan for IT security which I am now following with a tactical plan on how to get there. with respect to the tactical plan I was wondering what percentage of the IT budget you think an organization should allocate for their InfoSec programs? It would seem that, using Google, many people advocate somewhere between ten and twenty percent of the IT budget. I have no knowledge of our overall IT budget but I do know we aren't anywhere...

As a follow-up to my post Digital Situational Awareness Methods , I wanted to expand on the idea of conducting counterintelligence operations, strictly within the digital security realm. I focus almost exclusively on counter-criminal operations, as opposed to actions against nation-states or individuals. Those of you who provide security intelligence services (SIS), or subscribe to those services, may recognize some or all of these. By SIS I am not talking about vulnerability notices repackaged from other sources. Note that some of these approaches can really only be accomplished by law enforcement, or by collaboration with law enforcement. Even taking a step into the underground can be considered suspicious. Therefore, I warn blog readers to not try implementing these approaches unless you are an experienced professional with the proper associations. The idea behind this post is to explain what could be done to determine what one sort of adversary (primarily the criminal underg...

A veteran security pro just sent me an email on my post Extending the Information Security Incident Classification with Crisis Levels . He suggested a Crisis beyond Crisis 1 -- "organization collapses." That is a real Game Over -- Crisis 0. In other words, the cost of dealing with the crisis bankrupts the victim organization, or the organization is ordered to shut down, or any other consequence that removes the organization as a "going concern," to use some accountant-speak. I guess the hunt is on now to discover example organizations which have ceased to exist as a result of information security breaches. The rough part of that exercise is connecting all the dots. Who can say that, as a result of stealing intellectual property, a competitor gained persistent economic advantage over the victim and drove it to bankruptcy? These are the sorts of consequences whose timeline is likely to evade just about everyone. Putting on my historian's hat, I remember t...

Last week I tweaked my Information Security Incident Classification chart. Given recent events I might consider extending it to include Crisis 3, 2, and 1 levels. Perhaps they would look like this. I previously alluded to "11" in my original post. Crisis 3 . 11 / Intruder has publicized data loss via online or mainstream media. Crisis 2 . 12 / Data loss prompts government or regulatory investigation with fines or other legal consequences. Crisis 1 . 13 / Data loss results in physical harm or loss of life. I thought about these situations because of the latest Crisis 3 , now affecting T-Mobile, as posted to Full-disclosure yesterday: From: pwnmobile_at_Safe-mail.net Date: Sat, 6 Jun 2009 15:18:06 -0400 Hello world, The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers. Like Checkpoint[,] Tm...

A friend of mine from DoD is trying to hire clueful digital security practitioners. He is looking for people to accept positions with DoD-wide and/or service-specific responsibilities. Skillsets needed include reverse engineering, incident response and analysis, penetration testing, and security engineering. The most important characteristic of the candidate is a desire to see DoD achieve its missions successfully. The next requirement is intense interest in the sorts of subjects discussed in this blog. A SECRET clearance is a minimum requirement but TS is preferred. Please email cyberjobs2009 [at] hotmail [dot] com if interested. I have no other information -- email the point of contact with all questions. Thank you. Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

I've written about digital situational awareness before, but I wanted to expand on the topic as I continue my series of posts on various aspects of incident detection and response. Here I would like to describe ways that an enterprise can achieve digital situational awareness, or a better understanding of their security posture. What is interesting about these methods is that they do not exclude each other. In fact, a mature enterprise should pursue all of them, to the extent possible allowed by technical and legal factors. External notification is the most primitive means of learning the state of the enterprise's security posture. If all you do is wait until law enforcement or the military knock at your door, you're basically neglecting your responsibilities to your organization and customers. Vulnerability assessment identifies vulnerabilities and exposures in assets. This is necessary but not sufficient, because VA (done by a blue team) typically cannot unearth th...

This is the second in a series of "mindset" posts where I'd like to outline how I've been thinking of various aspects of incident detection and response. My primary focus for these discussions will be intrusions. I'd like to discuss incident detection paradigms . These are ways that security people tend to think when they are trying to identify intrusions. I'm going to list the three attitudes I've encountered. Detection is futile. This school of thought says that some intruders are so crafty that it is not possible to detect them. I consider this paradigm short-sighted and defeatist. If you read the intruder's dilemma you'll know that it is generally not possible for intruders to hide themselves perfectly, continuously, perpetually. True, as the intruder's persistence time decreases, and as the amount of data exfiltrated decreases, it becomes more difficult to detect the intruder. However, both conditions are good for the defense. The...

This is the first in a series of "mindset" posts where I'd like to outline how I've been thinking of various aspects of incident detection and response. My primary focus for these discussions will be intrusions. First I'd like to discuss phases of compromise , again primarily designed for intrusions. They can be extended to other scenarios, but as with other recent posts I'm focusing on advanced persistent threats who operate beyond the norms of regular intruders. I've listed the phases elsewhere but they are relevant here; I've also expanded the last phase. I list the information security incident classification for each where appropriate. Reconnaissance. Identify target assets and vulnerabilities, indirectly or directly. Cat 6. Exploitation. Abuse, subvert, or break a system by attacking vulnerabilities or exposures. If the intruder does not seek to maintain persistence, then this could be the end of the compromise. Cat 2 or 1. Reinforcement...

Thank you to those who commented on my previous post on this subject. I've had a few people ask to use this chart, but I wanted to clarify a few items now that there has been some good public and private discussion about it. My intention with this chart is to help classify an incident involving compromise of an individual system. There are plenty of other sorts of information security incidents, but at the moment this is the biggest problem I deal with on a daily basis. I need a way to talk about the state of an individual compromised asset. I found the traditional DoD Category system wasn't sufficient, especially in the post-Cat 1 world. I still like those Categories but I needed to go further (post-exploitation) and for one of my constituents, backwards (to when a system is just vulnerable, but no one is yet interested in it -- as far as we can tell). I decided to call this updated chart a "classification" rather than a "rating," and to remove the la...

The article Obama's likely pick for cybersecurity head remains murky by Doug Beizer and Alice Lipowicz in FCW caught me off guard: There is surprisingly little buzz circulating about who President Barack Obama might choose to lead cybersecurity policy. Although a number of analysts have ideas about the qualities the person filling the position might need, no one is naming names of likely contenders yet — partly because it remains unclear what the eventual appointee will actually do... Rohyt Belani, co-founder and managing partner of computer security firm Intrepidus Group, said the ideal candidate would combine qualities from three people: security consultant Bruce Schneier; Richard Bejtlich, director of incident response at General Electric; and Chris Eagle, a senior lecturer and associate chairman of the Computer Science Department at the Naval Postgraduate School. Belani said Schneier has “an ability to focus on what matters and call out silly bureaucratic processes that do lit...