Posts

Showing posts from 2011

Mandiant Webinar Wednesday; Help Us Break a Record!

I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011. Register now and help Kris and me beat the attendee count from last month's record-setting Webinar. If you have questions about or during the Webinar, you can always send them via Twitter to @mandiant and use the hashtag m_soh.

Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"

I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's Top 25 Influencers in Security You Should Be Following today is pretty cool! Tripwire is one of those technologies and companies that everyone should know. It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire. So, I was happy to see my twitter.com/taosecurity feed and the taosecurity.blogspot.com blog make their cut. David Spark asked for my "security tip for 2012," which I listed as: Improve your incident detection and response program by answering two critical questions: 1. How many systems have been compromised in any given time period; and 2. How much time elapsed between incident identification and containment for each system? Use the answers to improve and guide your overall security program. Those of you on the securitymetrics mailing list, and a few other places...
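The two questions in the tip above are easy to state but only useful if they are actually computed from incident records, so here is an added example (not from the original post or from Tripwire) that does so in Python over a constructed, hypothetical CSV export of incidents with `host`, `identified` and `contained` columns. Question 1 is approximated by counting identified incidents per calendar quarter, since the true compromise date is rarely known precisely; question 2 reports median and worst-case hours from identification to containment, and lists still-open incidents separately rather than silently dropping them or counting them as zero.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample records for the example; "contained" is empty for an
# incident that is still open. Hostnames and dates are invented.
SAMPLE_CSV = """\
host,identified,contained
web-01,2011-01-04T09:15,2011-01-04T17:40
db-03,2011-02-11T22:05,2011-02-14T10:00
fs-02,2011-02-12T08:30,2011-02-12T09:45
ws-117,2011-05-03T13:00,2011-05-09T13:00
ws-118,2011-05-03T13:10,2011-05-03T18:10
mail-01,2011-08-20T02:00,
"""


@dataclass
class Incident:
    host: str
    identified: datetime
    contained: Optional[datetime]  # None while the incident is still open

    @property
    def hours_to_contain(self) -> Optional[float]:
        """Elapsed hours from identification to containment, or None if open."""
        if self.contained is None:
            return None
        return (self.contained - self.identified).total_seconds() / 3600.0


def parse_incidents(csv_text: str) -> list:
    """Parse the hypothetical host,identified,contained CSV into Incident objects."""
    rows = csv_text.strip().splitlines()[1:]  # skip the header row
    incidents = []
    for row in rows:
        host, identified, contained = row.split(",")
        incidents.append(Incident(
            host=host,
            identified=datetime.fromisoformat(identified),
            contained=datetime.fromisoformat(contained) if contained else None,
        ))
    return incidents


def quarter_of(ts: datetime) -> str:
    """Label a timestamp with its calendar quarter, e.g. 2011Q2."""
    return f"{ts.year}Q{(ts.month - 1) // 3 + 1}"


def compromised_per_quarter(incidents) -> dict:
    """Question 1: systems compromised per period, keyed by identification quarter."""
    return dict(Counter(quarter_of(i.identified) for i in incidents))


def containment_stats(incidents) -> dict:
    """Question 2: identification-to-containment time, with open incidents kept visible."""
    closed = [i for i in incidents if i.contained is not None]
    hours = [i.hours_to_contain for i in closed]
    return {
        "closed": len(closed),
        "open": [i.host for i in incidents if i.contained is None],
        "median_hours": median(hours) if hours else None,
        "max_hours": max(hours) if hours else None,
        "slowest_host": max(closed, key=lambda i: i.hours_to_contain).host if closed else None,
    }


if __name__ == "__main__":
    incs = parse_incidents(SAMPLE_CSV)
    print("compromised per quarter:", compromised_per_quarter(incs))
    print("containment:", containment_stats(incs))
```

The worst case matters more than the average: in the sample, one workstation took six days to contain, which is the number a program owner should be asked about, and the open mailbox server shows up by name instead of vanishing from a mean.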

Become a Hunter

Earlier this year SearchSecurity and TechTarget published a July-August 2011 issue (.pdf) with a focus on targeted threats. Prior to joining Mandiant as CSO I wrote an article for that issue called "Become a Hunter": It's natural for members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat's behavior, and threats routinely innovate in order to evade and disrupt defensive measures. Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider the "self-defending network" concept to be market...

National Public Radio Talks Chinese Digital Espionage

When an organization like National Public Radio devotes an eleven minute segment to Chinese digital espionage, even the doubters have to realize something is happening. Rachel Martin's story China's Cyber Threat: A High-Stakes Spy Game is excellent and well worth your listening (.mp3) or reading time. Rachel interviews three sources: Ken Lieberthal of the Brookings Institution, Congressman Mike Rogers (chairman of the House Intelligence Committee), and James Lewis from the Center for Strategic and International Studies. If you listen to the report you'll hear James Lewis mention "a famous letter from three Chinese scientists to Deng Xiaoping in March of 1986 that says we're falling behind the Americans. We're never going to catch up unless we make a huge investment in science and technology." James is referring to the so-called 863 Program (Wikipedia). You can also read directly from the Chinese government itself here, e.g.: In 1986, to meet the gl...

Dustin Webber Creates Network Security Monitoring with Siri

Dustin Webber just posted a really cool video called Network Security Monitoring with Siri. He shows how he uses his iPhone 4S and SiriProxy to interact with his Snorby Network Security Monitoring platform. The following screenshot shows Dustin asking "Can you show me what the last severity medium event was?" and Siri answering. Later he asks Siri to tell him about "incident 15". Near the end Dustin asks Siri if she likes Network Security Monitoring. This is just about the coolest thing I've seen all year. Ten years ago I thought it was cool to listen to Festival read Sguil events out loud -- now Dustin shows how to interact with an NSM platform by voice command. Amazing!

Trying NetworkMiner Professional 1.2

Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his NetworkMiner traffic analysis software. You can download the free edition from SourceForge as well. I first mentioned NetworkMiner on this blog in September 2008. NetworkMiner is not a protocol analyzer like Wireshark. It does not take a packet-by-packet approach to representing traffic. Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext. To demonstrate a few of these renderings, I asked NetworkMiner to parse the pcap from a sample lab in TCP/IP Weapons School 2.0. I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory. The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4. Notice that in addition to summarizing inf...

Thoughts on 2011 ONCIX Report

Many of you have probably seen coverage of the 2011 ONCIX Reports to Congress: Foreign Economic and Industrial Espionage . I recommend every security professional read the latest edition (.pdf). I'd like to highlight the key findings of the 2011 version: Pervasive Threat from Adversaries and Partners Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries. • Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible. • Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets. • Some US allies and partners use their broad access to US institutions to acqui...

Tao of Network Security Monitoring, Kindle Edition

I just noticed there is now a Kindle edition of my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection , published in July 2004. Check out what I wrote in the first paragraphs now available online. Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion -- a real compromise, not a simple Web page defacement -- you'll realize the security principles and systems outlined here are both necessary and relevant. This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails . Every single network can be compromised, either ...

Why DIARMF, "Continuous Monitoring," and other FISMA-isms Fail

I've posted about twenty FISMA stories over the years on this blog, but I haven't said anything for the last year and a half. After reading Goodbye DIACAP, Hello DIARMF by Len Marzigliano, however, I thought it time to reiterate why the newly "improved" FISMA is still a colossal failure. First, a disclaimer: it's easy to be a cynic and a curmudgeon when the government and security are involved. However, I think it is important for me to discuss this subject because it represents an incredible divergence between security people. On one side of the divide we have "input-centric," " control-compliant ," "we-can-prevent-the-threat" folks, and on the other side we have "output-centric," "field-assessed," "prevention eventually fails" folks. FISMA fans are the former and I am the latter. So what's the problem with FISMA? In his article Len expertly discusses the new DoD Information Assurance Risk...

SEC Guidance Emphasizes Materiality for Cyber Incidents

Senator Jay Rockefeller and Secretary Michael Chertoff wrote the best article I've seen yet on the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC last month in their article A new line of defense in cybersecurity, with help from the SEC : Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility... Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events. Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty a...

MANDIANT Webinar Friday

Join Lucas Zaichkowsky and me on Friday at 2 pm eastern as we talk about what happened at our annual MANDIANT conference, MIRCon! Registration is free and I expect you'll enjoy the discussion. We plan to review what we saw and heard, and how those lessons will help your security program.

Review of America the Vulnerable Posted

Amazon.com just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the review in its entirety below. I've added bold in some places to emphasize certain areas. America the Vulnerable (ATV) is one of the best "big picture" books I've read in a long while. The author is a former NSA senior counsel and inspector general, and was the National Counterintelligence Executive (NCIX). In these roles he could "watch the fireworks" (not his phrase, but one popular in the intel community) while the nation suffered massive data exfiltration to overseas adversaries. ATV explains the problem in terms suitable for those familiar with security issues and those learning about these challenges. By writing ATV, Joel Brenner accurately and succinctly frames the problems facing the US and the West in cyberspace. In this review I'd like to highlight some of Mr Brenner's insights and commentary. On pp 65-7 he discusses "China's Long...

Republican Presidential Candidates on China

(Photo: Business Insider ) This is not a political blog, so I'm not here to endorse candidates. However, I do want to point out another example of high-level policymakers discussing ongoing activities by China against the US and other developed economies. First, the Washington Post published an editorial by Mitt Romney which included the following: China seeks advantage through systematic exploitation of other economies. It misappropriates intellectual property by coercing “technology transfers” as a condition of market access; enables theft of intellectual property, including patents, designs and know-how; hacks into foreign commercial and government computers ... The result is that China sells high-quality products to the United States at low prices. But too often the source of that high quality is American innovations stolen by Chinese companies. I missed this in August, but former ambassador to China Jon Huntsman said the following during a debate: Huntsman Jr. pointed to Ch...

Bejtlich in "The expanding cyber industrial complex"

Christopher Booker interviewed me and several other policy-oriented security people for his video Financial Times story The expanding cyber industrial complex. This was a different experience for me for two reasons. First, Christopher conducted the interviews via Skype. Second, you can see what appear to be the home offices of several of the contributors, including me. One technical note on the video: I had some trouble getting it to play. To get it working I selected another video then went back to this one. Thank you again to Christopher Booker for the opportunity to offer my opinions. (Bonus points to anyone who can identify the box on the shelf over my right shoulder, on the lower left side of the photo.)

Computer Incident Response Team Organizational Survey, 2011

Today at MIRCon I mentioned that one of my colleagues, Jeff Yeutter, had updated the somewhat famous CERT/CC study of CIRT characteristics as part of his degree program. Jeff posted the survey online as Computer Incident Response Team Organizational Survey, 2011 with this description: In 2003, the CERT CSIRT Development Team (www.CERT.org) released a study on the state of international computer security incident response teams with the goal of providing "better insight into various CSIRT organizational structures and best practices" for new and existing members of the CSIRT community (Killcrece, Kossakowski, Ruefle, & Zajicek, 2003). The attached survey, a modified form of the original, will be used to update the 2003 study with a greater focus on the methods of organization used by American and international CIRTs, the tools that they employ, and how these vary across organizations of different sizes and industries. This research is being conducted, and is independentl...

Interview with One of My Three Wise Men

Tony Sager from the NSA is one of my Three Wise Men. (Dan Geer and Ross Anderson are the other two.) Eric Parizo from SearchSecurity.com interviewed Tony this week and posted the video online. Tony notes that the escalation in threat activity during the last few years is real. He is in a position to know, given he has worked at NSA since the 1970s. Tony says the threat activity is getting people's attention now, especially at more senior levels of the government and industry. Now targeted organizations are thinking beyond the question "does this affect my company" to "does this affect my industry?" Tony explains that a generational effect may account for the change in awareness. More senior leaders grew up with technology, so they know how to think about it. There is also more public reporting on serious security incidents today. My favorite quote was: "If you're not a little concerned, you haven't been paying attention." Since Tony is...

Russia v China -- Sound Familiar?

Thanks to a source who wishes to remain anonymous, I read Chinese spy mania sweeps the world , an article not from a Western publication. Rather, it's from Voice of Russia . Does any of this sound familiar? [T]his is the most powerful secret service based on the principle of attracting all ethnic Chinese, wherever they may live. An adherent of the “total espionage” strategy, Beijing even encourages emigration in the hope that its citizens will remain loyal to and useful for their historical homeland after moving to another country... "The history of China’s espionage activities on Russian armaments is not only limited to one precedent or one type of weapons. One of the top Chinese priorities is to produce complete replicas of Russia’s best machines and weapons , from the Sukhoi Su-33 fighter jet to missiles, aircraft carriers and so on. This is a truly purpose-oriented strategy of a large country - snatch anything you can and reproduce it domestically ," ["IT exp...

It's All About the Engines

(Photo credit: AINOnline) I just read Big New Chinese Order for Russian Fighter Engines at China Defense Blog, which quoted AINOnline: China has placed additional orders for Russian AL-31-series fighter engines. State arms trade agency Rosoboronexport clinched two big contracts earlier this year... To serve them, Salut has established partnerships with Limin Corp. and Tyan Li company in Chengdu on deliveries and manufacturing of spare parts for both the AL-31F and the AL-31FN. Russia has also agreed to provide all necessary maintenance and repair documentation to the Chinese partners. To see how China treats or will treat Western aircraft and aircraft engine makers, look no further than Russia. The comments in the CDB post pointed me to this engine comparison for the J-20, which I sometimes mention in my classes. Essentially the Chinese appear to be testing two engines on the J-20, because they are not sure if they will use a Russian-made engine (or copy) or an "indigenous" e...

House Cybersecurity Task Force Report Released

The House Cybersecurity Task Force released its report (.pdf) today. NextGov offers a good summary in their story House GOP Cyber Task Force Touts Industry Leadership by Jessica Herrera-Flanigan. The report includes the following recommendation: Companies, including Internet Service Providers (ISPs) and security and software vendors, are already conducting active operations to mitigate cybersecurity attacks. However, these are largely done independently according to their individual business interests and priorities. Congress should facilitate an organization outside of government to act as a clearing house of information and intelligence sharing between the government and critical infrastructure to improve security and disseminate real-time information designed to help target and defeat malicious cyber activity. I would like something bolder, like the National Digital Security Board I proposed in 2006. Still, such a "clearing house" could evolve into an organization wit...

C-SPAN Posts Video of Tuesday Hearing

You can now access video of Tuesday's House Select Committee on Intelligence Hearing on Cybersecurity at C-SPAN. Some people are already asking "what's new" about this. For me, what's new is that the chairman of the HPSCI is pointing his finger straight at the threat, and letting the world know in an open hearing that the adversary's actions are unacceptable and will not be tolerated. This is exactly the sort of attention and action that the threat deserves and I applaud the Chairman and HPSCI for pursuing this course. Remember that the HPSCI is more likely to hold closed hearings than open hearings due to the nature of its classified intelligence oversight work. By conducting an open hearing, Chairman Rogers wanted to send a clear message to victims, the public, and the adversary.

Inside a Congressional Hearing on Digital Threats

Today I was fortunate to attend a hearing of the US House Permanent Select Committee on Intelligence (HPSCI). That's me on the far left of the photo, seated behind our MANDIANT CEO Kevin Mandia. I'd like to share a few thoughts on the experience. First, I was impressed by the attitudes of all those involved with HPSCI, from the staffers to the Representatives themselves. They were all courteous and wanted to hear the opinions of Kevin and the other two witnesses (Art Coviello from RSA and Michael Hayden from the Chertoff Group), whether before, during, or after the hearing. Second, I thought Reps Mike Rogers (R-MI, HPSCI Chairman) and C.A. Dutch Ruppersberger (D-MD, HPSCI Ranking Member) offered compelling opening statements. Rep Rogers squarely pointed the finger at our overseas adversaries. As reported by PCWorld in U.S. Lawmakers Point to China as Cause of Cyberattacks , Rep Rogers said: "I don't believe that there is a precedent in history for such a massive...

Chinese Espionage in Five Minutes

This evening I watched last week's episode of This Week in Defense News with Vago Muradian. Vago's last guest was David Wise, author of Tiger Trap. If you want to learn as much as possible about Chinese espionage in a five minute interview, I recommend watching History of China spying on U.S. I hope this book encourages attention at the highest levels of the US government and industry.

Review of Robust Control System Networks Posted

Amazon.com just posted my five star review of Robust Control System Networks by Ralph Langner. From the review: I am not an industrial control systems expert, but I have plenty of experience with IT security. I read Robust Control System Networks (RCSN) to learn how an ICS expert like Ralph Langner thinks about security in his arena. I was not disappointed, and you won't be if you keep an open mind and remember IT security folks aren't the target audience. After reading RCSN I have a greater appreciation for the problems affecting the ICS world and how that community should address the fragility of its environment.

Impressions: The Art of Software Security Testing

I'll be honest -- on the same trip on which I took The Art of Software Security Assessment, I took The Art of Software Security Testing (TAOSST) by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. After working with TAOSSA, I'm afraid TAOSST didn't have much of a chance. TAOSST is a much shorter book, with more screen captures and less content. My impression of TAOSST is that it is a good introduction to "identifying software security flaws" (as indicated by the subtitle), but if you want to truly learn how to accomplish that task you should read TAOSSA.

Impressions: The Art of Software Security Assessment

I recently took The Art of Software Security Assessment (TAOSSA) with me on a flight across the US and part of the Pacific. This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before. If I had read the whole book I would have written a five star review. However, since I only read certain parts of interest to me, I'm sharing these impressions of the book. One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers. These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters. In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities. For example, pages 250-3 show the progression of problems with the Antisniff tool. We read about trouble with versions 1.0, 1.1, 1.1.1, and...

Impressions: Tiger Trap

I just finished reading Tiger Trap by David Wise. I read the whole book (so my "impressions" label isn't really accurate, because I use that for books I didn't fully read). I don't feel like writing an entire review but I wanted to capture a few thoughts. First, if you know nothing about Chinese espionage against the United States, read Tiger Trap. I didn't think Tiger Trap was the easiest book to read about the subject, but I haven't seen any other source cover so much history in one volume. Second, it seems the Chinese prefer to use human resources to steal classified information, mainly because accessing classified networks is tougher than accessing unclassified networks. Still, there are plenty of cases where humans physically stole unclassified but sensitive information. Most of these predate the Web however. Third, the Chinese like to "get good people to do bad things," as I Tweeted last week (citing page 16). In other words, China ...

Bejtlich Cited in Chinese Article on APT

I found it ironic to see the names Richard Bejtlich and MANDIANT appearing in the article How to reduce the losses caused by APT attack? The reason this is funny is that the article appears in a Chinese-language story, published by a site operating in Beijing! You can read the Google Translation if you can't read the original. According to Tianji Media Group: Established in January 1997, ChinaByte was the first IT news website in China. So, welcome to the APT coverage!

Classic Chinese Defensive Propaganda

Thanks to the sharp eye of a colleague from a mailing list, I learned of the article Is China Really Cyberdragon? in the English-language China Daily newspaper. The article is by Tang Lan, deputy director of the Institute of Information and Social Development Studies, China Institutes of Contemporary International Relations (a state-directed research institute). His writing displays all of the classic elements of what I call Chinese defensive propaganda, in this case specifically addressing APT intrusions. I'll cite a few examples so you know what I mean. Hacking poses a threat to both China and Western countries and politicizing the problem will be detrimental to all. The beginning of the article introduces the reader to the concept that China is just as much a victim of hacking as the West. This is the first invocation of "the victim card," which is a constant aspect of Chinese self-identity and international relations. Tang Lan then dismisses accusations that the C...

Government Takeover of Compromised Digital Infrastructure Provider

The latest twist in the compromise of DigiNotar's certificate operations is amazing. The Associated Press reports: DigiNotar acknowledged it had been hacked in July, though it didn't disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised. But Donner said a review by an external security company had found DigiNotar's government certificates were in fact compromised, and the government is now taking control of the company's operations . The government also is trying to shift over to other companies that act as digital notaries, he said. As you can see I highlighted two points. Regarding the first, it took external analysis of the event to determine the true facts of the case. For me this is a step closer to requiring third party review of security posture, and by that I don't mean "are you vulnerable?" I mean instead "are you compromised?" Regarding the second, I can't r...

Watch National Geographic Channel's The Liquid Bomb Plot

Over the last week I've been watching a new National Geographic Channel documentary titled The Liquid Bomb Plot. It explains how British intelligence detected and thwarted an AQ operation to destroy at least seven aircraft flying from the UK to the US in August 2006. The show is excellent and features first-hand accounts, including key US personnel like Secretary Chertoff and General Hayden. I recommend watching this show because it demonstrates the tensions between the law enforcement and intelligence communities. The content also touches on the question of whether counter-AQ operations are legal affairs or military affairs. After the show you will be less likely to doubt the value of US and UK intelligence operations (and those of our allies), even after the demise of UBL. Furthermore, you can probably imagine how this sort of intel-centric operation is similar to the new sorts of wars we're fighting elsewhere -- i.e., in the digital domain.

TaoSecurity Security Effectiveness Model

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking. Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label "Defensive Plan"; 2) What the adversary thinks matters and really should be defended, but might not be, what I label "Threat Actions"; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label "Live Defenses". I call the Defensive Plan "Correct" when it overlaps with the Threat Actions, because the defenders correctly assessed the threat's interests. I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary. I call the area covered by the Live Defen...

TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct

I just created a class page for my upcoming TCP/IP Weapons School 3.0 in McLean, VA on 26-27 October 2011. I decided to offer this class because I haven't taught anything nearby in quite a while, and many people asked for a class in NoVA. I don't plan to offer this sort of "solo" (i.e., outside Black Hat) class again (or anytime soon). So, if you're in the neighborhood and you'd like to attend a TWS3 class, this could be your chance! The venue only seats 20-25 students, so please keep that in mind. You can register through RegOnline immediately. Thank you.

Jaime Metzl Describes "China's Threat to World Order"

Props to LS for pointing me to this WSJ article titled China's Threat to World Order . I found the following pertinent for the "cyber" aspect: Allegations that the Chinese government is behind the largest computer hacking operation in history will not come as a surprise to observers of recent trends in international relations. If there is one thing that China's actions across a range of fields have made clear, it is that Beijing will do whatever it takes to advance its narrowly defined economic interests, even if that requires riding roughshod over global norms... It is no longer acceptable for China to claim global leadership in some areas but then pretend it is a weak developing country and shirk its responsibilities in others. A China that leads the world in the theft of intellectual property, computer hacking and resource nationalism will prove extremely destabilizing. If it continues on this course, Beijing should not be surprised if other countries begi...

Expect to Hear "IDS Is Dead" (Again)

Do you remember when IDS was dead , and supposed to be replaced by "thought-leading firewalls" by 2005? Well, that prediction died pretty quickly. However, I expect to hear it again after reading DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn : About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's Einstein 3 effort, said Deputy Defense Secretary William Lynn. During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped "hundreds of intrusions." Lynn also laid blame for intrusions into military and defense industrial base networks on "foreign intelligence services," stating that they have stolen military plans, weapons...