Showing posts from January, 2010

Two Dimensional Thinking and APT

I expect many readers will recognize the image at left as representing part of the final space battle in Star Trek II: The Wrath of Khan. During this battle, Kirk and Spock realize Khan's tactics are limited. Khan is treating the battle like it is occurring on the open seas, not in space. Spock says: He is intelligent, but not experienced. His pattern indicates two-dimensional thinking. I thought this quote could describe many of the advanced persistent threat critics, particularly those who claim "it's just espionage" or "there's nothing new about this." Consider this one last argument to change your mind. (Ha, like that will happen. For everyone else, this is how I arrive at my conclusions.) I think the problem is APT critics are thinking in one or two dimensions at most, when really this issue has at least five. When you only consider one or two dimensions, of course the problem looks like nothing new. When you take a more complete look, it'

Example of Threat-Centric Security

In my last post I mentioned the need to take threat-centric approaches to advanced persistent threat. No sooner had I posted those thoughts than I read this: Beijing 'strongly indignant' about U.S.-Taiwan arms sale The Obama administration announced the sale Friday of $6 billion worth of Patriot anti-missile systems, helicopters, mine-sweeping ships and communications equipment to Taiwan in a long-expected move that sparked an angry protest from China. In a strongly worded statement on Saturday, China's Defense Ministry suspended military exchanges with the United States and summoned the U.S. defense attache to lodge a "solemn protest" over the sale, the official Xinhua news agency reported. "Considering the severe harm and odious effect of U.S. arms sales to Taiwan, the Chinese side has decided to suspend planned mutual military visits," Xinhua quoted the ministry as saying. The Foreign Ministry said China also would put sanctions on U.S. compani

Mandiant M-Trends on APT

If you want to read a concise yet informative and clue-backed report on advanced persistent threat, I recommend completing this form to receive the first Mandiant M-Trends report. Mandiant occupies a unique position with respect to this problem because they are one of only two security service companies with substantial counter-APT consulting experience. You may read blog posts and commentary from other security service providers who either 1) suddenly claim counter-APT expertise or 2) deride "APT" as just a marketing term, or FUD, or some other term to hide their inexperience with this problem. The fact remains that, when organizations meet in closed forums to do real work on this problem, the names and faces are fairly constant. They don't include those trying to make an APT "splash" or those pretending APT is not a real problem. Mandiant finishes its report with the following statement: [T]his is a war of attrition against an enemy with extensive resour

Review of Professional Penetration Testing Posted

Just posted my three star review of Professional Penetration Testing by Thomas Wilhelm. From the review: I had fairly high hopes for Professional Penetration Testing (PPT). The book looks very well organized, and it is published in the new Syngress style that is a big improvement over previous years. Unfortunately, PPT should be called "Professional Pen Testing Project Management." The vast majority of this book is about non-technical aspects of pen testing, with the remainder being the briefest overview of a few tools and techniques. You might find this book useful if you either 1) know nothing about the field or 2) are a pen testing project manager who wants to better understand how to manage projects. Those looking for technical content would clearly enjoy a book like Professional Pen Testing for Web Applications by Andres Andreu, even though that book is 3 years older and focused on Web apps. This is my 300th book review. I wish I had planned t

Energy Sector v China

The aftershocks of Google v China continue to rumble as more companies are linked to the advanced persistent threat. Mark Clayton from the Christian Science Monitor wrote a story titled US oil industry hit by cyberattacks: Was China involved? I found these excerpts interesting. At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage. The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide... The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in ear

Look Beyond the Exploit

The post One Exploit Should Not Ruin Your Day by Dino Dai Zovi made me think: Finally, the larger problem is that it only took one exploit to compromise these organizations. One exploit should never ruin you day. [sic] No, that is wrong. The larger problem is not that it "only took one exploit to compromise these organizations." I see this mindset in many shops who aren't defending enterprises on a daily basis. This point of view incorrectly focuses on exploitation as a point-in-time, "skirmish" event, disconnected from the larger battle or the ultimate campaign. The real "larger problem" is that the exploit is only part of a campaign, where the intruder never gives up. In other words, comprehensive threat removal is the problem. There is no "cleaning," or "disinfecting," or "recovery" at the battle or campaign level. You might restore individual assets to a semi-trustworthy state, but the advanced persistent th

Review of Network Maintenance and Troubleshooting Guide, 2nd Ed Posted

Just posted my 5 star review of Network Maintenance and Troubleshooting Guide, 2nd Ed by Neal Allen. From the review: Good network troubleshooting books are rare. TCP/IP Analysis and Troubleshooting Toolkit by Kevin Burns (2003), Troubleshooting Campus Networks by Priscilla Oppenheimer and Joseph Bardwell (2002), and Network Analysis and Troubleshooting by Scott Haugdahl (1999) come to mind. Network Maintenance and Troubleshooting Guide (NMATG) brings a whole new dimension to network analysis, particularly at the lowest levels of the OSI model. I found topics covered in NMATG that were never discussed in other books. While not for every networking person, NMATG is a singular reference that belongs on a network professional's shelf.

Submit Questions for OWASP Podcast

Jim Manico invited me to speak on the OWASP Podcast. If you'd like me to try answering specific questions, please email them to podcast at When the show is posted I will let everyone know here. Thank you.

Sguil 0.7.0 on Ubuntu 9.10

Today I installed a Sguil client on a fresh installation of Ubuntu 9.10. It was really easy with the exception of one issue I had to troubleshoot, explained below. First notice that tcl8.4 and tk8.4 are already installed on Ubuntu 9.10.

richard@janney:~$ dpkg --list | grep -i tcl
ii tcl8.4 8.4.19-3 Tcl (the Tool Command Language) v8.4 - run-t
ii tk8.4 8.4.19-3 Tk toolkit for Tcl and X11, v8.4 - run-time
richard@janney:~$ sudo apt-get install tclx8.4 tcllib iwidgets4 tcl-tls
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
itcl3 itk3
Suggested packages:
itcl3-doc itk3-doc iwidgets4-doc tclx8.4-doc
The following NEW packages will be installed:
itcl3 itk3 iwidgets4 tcl-tls tcllib tclx8.4
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get

Attribution Using 20 Characteristics

My post Attribution Is Not Just Malware Analysis raised some questions that I will try to address here. I'd like to cite Mike Cloppert as inspiration for some of this post. Attribution means identifying the threat, meaning the party perpetrating the attack. Attribution is not just malware analysis. There are multiple factors that can be evaluated to try to attribute an attack.

Timing. What is the timing of the attack, i.e., fast, slow, in groups, isolated, etc.?
Victims or targets. Who is being attacked?
Attack source. What is the technical source of the attack, i.e., source IP addresses, etc.?
Delivery mechanism. How is the attack delivered?
Vulnerability or exposure. What service, application, or other aspect of business is attacked?
Exploit or payload. What exploit is used to attack the vulnerability or exposure?
Weaponization technique. How was the exploit created?
Post-exploitation activity. What does the intruder do next?
Command and control method. How does th

Help Bro Project with Short Survey

I've written about Bro before, and I noticed the following mailing list post titled Poll: Bro deployments: Hello Sites Using Bro, We'd like to ask for your help. We're in the process of preparing a major funding proposal for improving Bro, focused on: improving the end-user experience (things like comprehensive documentation, polishing rough edges, fixing bugs); and improving performance. This looks like a potentially excellent opportunity. However, a major element of winning the funding is convincingly demonstrating to the funders that Bro is already well-established across a large & diverse user community. To develop that framing, we'd like to ask as many of you folks as possible to fill out the small questionnaire below. Please send the replies to Robin personally, not to the list (just replying to this mail should do the right thing). Assuming sufficient feedback, we'll post an anonymized summary to the list. (Of course we already know about many of you, bu

Attribution Is Not Just Malware Analysis

In a recent Tweet I recommended reading Joe Stewart's insightful analysis of malware involved in Google v China. Joe's work is stellar as always, but I am reading more and more commentary that shows many people don't have the right frame of reference to understand this problem. In brief, too many people are focusing on the malware alone. This is probably due to the fact that the people making these comments have little to no experience with the broader problems caused by advanced persistent threat. It's enough for them to look at the malware and then move to the next sample, or devise their next exploit, and so on. Those of us responsible for defending an enterprise can't just look at the problem from a malware, or even a technical, perspective. I was reminded of this imperative when I read Waziristan: The Last Frontier in a recent Economist magazine. [I]t is tempting to think Waziristan has hardly changed since those colonial days... Mostly, [the Pakista

Is APT After You?

Jeremiah Grossman made the following request via Twitter today: @taosecurity blog post request. Signs that an individual or organization is or may be an APT target. + other threat naming conventions Tough but great questions. I better answer, or Jeremiah will find me and apply Brazilian Jiu Jitsu until I do. Let me take the second question first. As I mentioned in Real Threat Reporting in 2005, "Titan Rain" became the popular term for one "intrusion set" involving certain actors. DoD applies various codewords to intrusion sets, and Titan Rain became popular with the publication of the Time article I referenced. If you read the Time article again you'll see at least one other reference, but I won't cite that here. Some of you may remember "Solar Sunrise" from 1998 and "Moonlight Maze" from 1998-1999. Open reporting links the former to Russia and the latter to an Israeli named Ehud Tenenbaum. These are other examples of "intru

Review of Inside Cyber Warfare Posted

Just posted my three star review of Jeff Carr's Inside Cyber Warfare. From the review: Jeff Carr is a great digital security intelligence analyst and I've been fortunate to hear him speak several times. We've also separately discussed the issues he covers in Inside Cyber Warfare (ICW). While I find Jeff's insights very interesting and valuable, I think his first book could have been more coherent and therefore more readable. I believe Jeff should write a second edition that is more focused and perhaps more inclusive.

Bejtlich Teaching at Black Hat EU 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. After Black Hat DC comes Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration.

Super early ends 1 Feb
Early ends 1 Mar
Regular ends 1 Apr
Late ends 11 Apr
Onsite starts at the conference

Seats are filling -- it pays to register early! If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint

What Is APT and What Does It Want?

This has been the week to discuss the advanced persistent threat, although some people are already telling me Google v China with respect to APT is "silly," or that the attack vectors were what everyone has been talking about for years, and were somewhat sloppily orchestrated at that. I think many of these critics are missing the point. As is often the case with sensitive issues, 1) those who know often can't say and 2) those who say often don't know. There are some exceptions worth noting! One company that occupies a unique position with respect to this problem is Mandiant. Keep an eye on the APT tag of their M-unition blog. Mandiant's role as a consulting firm to many APT victims helps them talk about what they see without naming any particular victim. I also recommend following Mike Cloppert's posts. He is a deep thinker with respect to counter-APT operations. Incidentally I agree with Mike that the US Air Force invented the term "advanced

Why Google v China is Different

I've been reading various comments on the Google v China issue. One caught my eye: Security experts say Google cyber-attack was routine "This wasn't in my opinion ground-breaking as an attack. We see this fairly regularly," said Mikko Hypponen, of security firm F-Secure. "Most companies just never go public," he added. In some ways this comment is true, and in other ways I think it can mislead some readers. I believe it is true in the sense that many organizations are dealing with advanced persistent threats. However, I believe this comment leads some readers to focus incorrectly on two rather insignificant aspects of the Google incident: vulnerabilities and malware. On the vulnerability front, we have a zero-day in Internet Explorer. I agree that this is completely routine, in a really disappointing way. On the malware front, we have code submitted to Wepawet. I agree that this is also not particularly interesting, although I would like to know ho

Security Team Permissions

Every so often I receive questions from blog readers. The latest centered on the following question: What level and extent should a security team and investigators be allowed to operate without having to ask for permission? This is an excellent question, and as with most issues of authority it depends on the organization, its history, culture, purpose, and people. From the perspective of the security team, I tend to want as much access as is required to determine the security state of an asset. That translates into being able to access or discover evidence as quickly and independently as possible, preferably in a way that involves no human intervention aside from the query by the security team. When the security analyst can retrieve the information needed to make a decision without asking for human permission or assistance, I call that self-reliant security operations. Anything short of that situation is suboptimal but not uncommon. Simultaneously, I want the least amount of ac

Friday is Last Day to Register for Black Hat DC at Reduced Rate

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left.

Regular ends 15 Jan
Late ends 30 Jan
Onsite starts at the conference

Seats are filling -- it pays to register early! If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide p

Why Would APT Exploit Adobe?

After reading this statement from Adobe, they seem to be using the same language that described the Google v China incident: Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident. Let's assume, due to language and news timing, that it's also APT. Why would APT exploit Adobe? Am I giving Adobe too much credit if I hypothesize that APT wanted to know more about Adobe's product security plans, in order to continue exploiting Adobe's products? If that is the case, who else might APT infiltrate? Should we start looking for similar announcements from other software vendors?

Has China Crossed a Line?

I'm wondering if China has crossed a line with its Google hack. It's relatively easy for the Obama administration to pretend that nothing's amiss when it's playing politics with the Chinese government. But when an American company that was just named "word of the decade" proclaims to the world that it is being exploited by Chinese intruders, can the President turn a blind eye to that? This could be the first publicity-driven incident (i.e., something that comes from public sources) that the new Cyber Czar will have to address, if not higher officials. Oh, and expect China to issue a statement saying that it strongly denies official involvement, and that it prosecutes "hackers" to the fullest extent of its laws. That's nice.

Mechagodzilla v Godzilla

After posting Google v China I realized this is a showdown like no other. In my experience, no one "ejects" the advanced persistent threat. If you think they are gone, it's either 1) because they decided to leave or 2) you can't find them. Now we hear Google is the latest victim. Google is supposed to be a place where IT is so awesome and employees so smart that servers basically run themselves, and Google's HR has to leave some of the other smart people "in place" to help the rest of us cope with life. Could Google be the first company to remove APT despite APT's desire to remain persistent? Google v China could be Mechagodzilla v Godzilla. No one without inside knowledge will know how this battle concludes, and it probably will not conclude until one of the combatants is gone.

Google v China

It's been a few months since I mentioned China in a blog post, but this one can't be ignored. Thanks to SW for passing me this one: Google Blog: A New Approach to China In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google... First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted... These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on, and so over the next fe

Happy 7th Birthday TaoSecurity Blog

Today, 8 January 2010, is the 7th birthday of TaoSecurity Blog. I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. 2542 posts (averaging 363 per year) later, I am still blogging. I don't have any changes planned here. I plan to continue blogging, especially with respect to network security monitoring, incident detection and response, network forensics, and FreeBSD when appropriate. I especially enjoy reading your comments and engaging in informed dialogues. Thanks for joining me these 7 years -- I hope to have a ten year post in 2013! Don't forget -- today is Elvis Presley's birthday. Coincidence? You decide. The image shows Elvis training with Ed Parker, founder of American Kenpo. As I like to tell my students, Elvis' stance is so wide it would take him a week to react to an attack. Then again, he's Elvis. I studied Kenpo in San Antonio, TX and would like to return to practicing, along with ice

Excerpts from Randy George's "Dark Side of DLP"

Randy George wrote a good article for InformationWeek titled The Dark Side of Data Loss Prevention. I thought he made several good points that are worth repeating and expanding. [T]here's an ugly truth that DLP vendors don't like to talk about: Managing DLP on a large scale can drag your staff under like a concrete block tied to their ankles. This is important, and Randy explains why in the rest of the article. Before you fire off your first scan to see just how much sensitive data is floating around the network, you'll need to create the policies that define appropriate use of corporate information. This is a huge issue. Who is to say just what activity is "authorized" or "not authorized" (i.e., "business activity" vs "information security incident")? I have seen a wide variety of activities that scream "intrusion!" only to hear, "well, we have a business partner in East Slobovistan who can only accept data sent