Showing posts from August, 2011

TaoSecurity Security Effectiveness Model

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking. Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label "Defensive Plan"; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as "Threat Actions"; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label "Live Defenses". I call the Defensive Plan "Correct" when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat's interests. I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary. I call the area covered by the Live Defen...

TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct

I just created a class page for my upcoming TCP/IP Weapons School 3.0 in McLean, VA on 26-27 October 2011. I decided to offer this class because I haven't taught anything nearby in quite a while, and many people asked for a class in NoVA. I don't plan to offer this sort of "solo" (i.e., outside Black Hat) class again (or anytime soon). So, if you're in the neighborhood and you'd like to attend a TWS3 class, this could be your chance! The venue only seats 20-25 students, so please keep that in mind. You can register through RegOnline immediately. Thank you.

Jamie Metzl Describes "China's Threat to World Order"

Props to LS for pointing me to this WSJ article titled China's Threat to World Order. I found the following pertinent for the "cyber" aspect: Allegations that the Chinese government is behind the largest computer hacking operation in history will not come as a surprise to observers of recent trends in international relations. If there is one thing that China's actions across a range of fields have made clear, it is that Beijing will do whatever it takes to advance its narrowly defined economic interests, even if that requires riding roughshod over global norms... It is no longer acceptable for China to claim global leadership in some areas but then pretend it is a weak developing country and shirk its responsibilities in others. A China that leads the world in the theft of intellectual property, computer hacking and resource nationalism will prove extremely destabilizing. If it continues on this course, Beijing should not be surprised if other countries begi...

Expect to Hear "IDS Is Dead" (Again)

Do you remember when IDS was dead, and supposed to be replaced by "thought-leading firewalls" by 2005? Well, that prediction died pretty quickly. However, I expect to hear it again after reading DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn: About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's Einstein 3 effort, said Deputy Defense Secretary William Lynn. During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped "hundreds of intrusions." Lynn also laid blame for intrusions into military and defense industrial base networks on "foreign intelligence services," stating that they have stolen military plans, weapons...

Bejtlich Leading Session at IANS

The IANS group just posted their fall forum announcement. It states I will be leading a session on the APT at their event in Boston on 20 September 2011. Kicking off the morning will be Richard’s session on “Mitigating the Advanced Persistent Threat.” IANS continually hears from our clients that APT and cyber crime is a constant, nagging concern (if not for their own company… yet, then because of headline news read by company executives), and it is the CISO’s job to deal with real, perceived, and impending APT issues. Thus, during his session Richard will provide advice and real-life use cases on what he’s seen, what’s worked, what doesn’t, and what CISOs can do to deal with APTs at their own organizations. Following the short presentation portion of the session, CISOs will collectively discuss 1) How to keep up with industry-specific threats; 2) Tactics and techniques to detect and mitigate the APT; and 3) The real implications of APT incidents. This should be a great ...

Check Out MANDIANT Job Postings

If you visit www.mandiant.com/hireme you'll notice MANDIANT is looking to hire a ton of people over the next few weeks and months. We have openings all over the company, including my MCIRT business line. Basically if you're the go-to person in your organization for coding, doing, or supporting incident detection and response tools and/or techniques, you will probably find an interesting job here! The easiest way to start the process is to pick a role and submit your resume. Thank you for your consideration.

Tao of NSM Errata and Possible Book Plans

Recently an astute reader, Greg Back, submitted three corrections for typos to my first book, The Tao of Network Security Monitoring. I just uploaded these to the errata page and will submit them to the publisher now. Thanks to Greg for so closely reading the text and catching the errors! They involved miscounting bytes in two packets, and saying bytes where I should have said bits elsewhere. On a related note, I'm considering reviewing my material from the TCP/IP Weapons School (versions 1, 2, and 3) and writing a book based on the best aspects of each class. I wouldn't expect the book to arrive any earlier than late 2012, when I expect to retire the third version of TWS, currently taught in live classes. Over the last few years many of you have asked what I plan to do with the older TWS material, and I think this might be the best way to put it to good use. As I figure out what to do I will keep you informed here.

Bejtlich Webinar for Dark Reading and InformationWeek

Thanks to Dark Reading and InformationWeek I will participate in the How Security Breaches Happen online virtual event on 25 August 2011. At 1330 ET I present with Nicholas J. Percoco and Kelly Jackson Higgins on "Why Bad Breaches Happen To Good Companies." I will share the enterprise/CSO perspective while Nicholas will present the adversary simulation/pen tester perspective. Kelly will moderate. Lots of other speakers will participate from 1030 ET to 1815 ET. We hope you can attend!

Bejtlich Keynote at Hawaiian Telcom Conference

Thanks to Hawaiian Telcom I will be speaking at their 2011 Security Conference in Honolulu on 7 September 2011. My topic is "Putting the A, P, and T into the Advanced Persistent Threat:" Advanced Persistent Threat, or APT, is a controversial term. Just what qualifies as the APT? Who invented this term? Is it a marketing vehicle or is there a method to its use? In this keynote, Mandiant CSO Richard Bejtlich will explain the history of the APT, and what makes it Advanced, Persistent, and a Threat. He will discuss the concepts of "fighting through" an intrusion and "operating in a contested network," approaches to dealing with the APT that work in the real world. My colleague and friend Kris Harms will also attend, presenting "Network Security FTW." We hope to see you there! And no, Jeremiah Grossman, we will not be joining you to fight MMA-style. Well, maybe Harms will.

Feedback from Latest TCP/IP Weapons School 3.0 Class

At Black Hat in Las Vegas and USENIX Security in San Francisco I taught three TCP/IP Weapons School 3.0 classes. I think my weekday class at Black Hat set a personal record student count, and I was glad to have Steve Andres from Special Ops Security there to help students with questions and lab issues! I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming class. Currently I'm scheduled to teach at Black Hat Abu Dhabi on 12-13 December. The only other possibilities for training this year include a class in northern VA in either September or October, and a class the weekend before USENIX LISA in Boston on 3-4 December 2011. Next year I will likely return to Las Vegas again in the summer (21-24 July) and DC in the fall (30-31 Oct) but beyond that I am not sure how much training I might do in 2012. Student feedback from TWS3 included: I've been to a lot of training sessions and this was by far the best. The dis...

Impressions: Android Forensics

My final book in this batch is Android Forensics by Andrew Hoog. Due to the nature of Android and the author's experience with it, this book has a lot of great content. (In contrast, on page xiii, the author thanks iPhone and iOS Forensics co-author Katie Strzempka "for generally taking care of that other book." Hmm, maybe I should have known that before trying to assess that "other book?") My only real concern with this book is that it might lack the focus required by a normal investigator. I'm sure many investigators simply want to know where to find key data (email, Web history, etc.) and then retrieve and analyze it in a forensically sound manner. It's the "so what" question that hangs over many forensics books. I would have liked a case study focusing on that sort of material to show how an investigator would make sense of the data and structures unearthed by the author throughout the book.

Impressions: iPhone and iOS Forensics

The third forensics book in this batch is iPhone and iOS Forensics (IAIF) by Andrew Hoog and Katie Strzempka. This book is similar to iOS Forensic Analysis: for iPhone, iPad, and iPod touch by Sean Morrissey, in the sense that neither book is as strong as I might have hoped. Oddly enough, the aspects of Morrissey's book that were most compelling (like his overview of the various i-devices and attention to each of them) are weaker in IAIF. I found IAIF to be a little confusing in its approach, with lack of rigor around discussing iPhone vs other platforms. I felt the authors should have either focused on one platform or given all of them equal attention. I also disliked mixing of what seemed to be jailbroken and non-jailbroken content. I prefer for forensics books to avoid using jailbreak techniques where possible, but it would have been helpful for the authors to be very clear where and why they use such methods. Chapter 4 was supposed to cover security, but it was o...

Impressions: XBox 360 Forensics

Next is Xbox 360 Forensics (X3F) by Steven Bolt. This book offers a lot of technical detail, but it seems to read more like a coroner's report than a guide for those doing forensics on the Xbox 360 platform. The author spends a lot of time documenting his analysis of the Xbox 360, but after perusing the book I took myself out of the role of scientist and into that of investigator. An investigator (such as a law enforcement person) is likely to say "that's all nice, but can I read the suspect's email? Can I review his Web browsing history? Can I inspect the content of his instant messaging? How do I do that?" These are practical questions that do not really appear in X3F. Sure, the author tears apart the platform and its file system, but I don't see a way for an investigator to easily move from the current text to answering fundamental investigation questions.

Impressions: Digital Forensics with Open Source Tools

For my fourth impressions post, I'll turn to the digital forensics world for Digital Forensics with Open Source Tools (DFWOST) by Cory Altheide and Harlan Carvey. I took a lot of notes but didn't read closely enough in my opinion to merit a full review. I didn't like the way this book started. I can't tell if the authors expect the reader to be familiar with open source software or not. The book needed to start in chapter 2 with something like "let's start by selecting Ubuntu for our operating system. We like it for the following reasons..." In contrast, the reader suddenly finds himself in the "Working with Images" section trying to use losetup, mmls, doing math, etc. That's too fast! Many reading this book are going to get lost on page 23 between "sudo apt-get install libfuse-dev libexpat1-dev" and advice to use "a simple ./configure..." Beyond the rough start, however, I thought the rest of the book was ...

Impressions: The Shellcoder's Handbook, 2nd Ed

The third book for which I'd like to share my impressions is The Shellcoder's Handbook, 2nd Ed (TSH2E) by Chris Anley, John Heasman, FX, and Gerardo Richarte. I liked TSH2E, but I could tell that the collaboration among four authors caused some issues that could have been addressed by better editing. For example, early parts of the book use both Intel and AT&T assembly syntax, but the reader doesn't get an explanation of either until chapter 7. For me, the best aspect of TSH2E was the integration of real-world obstacles to exploiting victims. The book (although published in 2008) expertly addressed various defenses introduced in operating systems over the past decade. The authors usually start with simple concepts, promising to address tougher challenges later -- and they deliver. One item early in the text caught my attention though. The book includes the following code to demonstrate spawning a shell: int main(){ char *name[2]; name...

Impressions: Reversing: Secrets of Reverse Engineering

I took a lot of notes while reading Reversing: Secrets of Reverse Engineering (RSORE) by Eldad Eilam, but I didn't read enough of the book to qualify in my opinion to write a true review. What I did read, though, was awesome. RSORE is very well written, clear, interesting, and features high production value and quality. Although Wiley published the book in 2005, I believe it's as relevant now as it was six years ago. In fact, I recommend pairing it with IDA Pro, 2nd Ed for a one-two RE punch. The introduction part provided sound foundations, great coverage of low-level concepts, a helpful overview of the Win32 environment (albeit with a 32 bit focus) and a quick tools discussion. The applied engineering part includes hunting for undocumented (as of 2005) native Windows APIs, analyzing the file format of an encryption program, auditing the vulnerability in idq.dll exploited by Code Red, and reversing a backdoor that communicates via IRC. The cracking part featured...

Impressions: The IDA Pro Book, 2nd Ed

What better way to start my new book impressions technique than The IDA Pro Book, 2nd Ed (TIDP2E) by Chris Eagle. I didn't read the entire book because I am not a reverse engineer, nor am I an IDA Pro user. However, I find the field, the tools, and the people who do reverse engineering to be interesting. My overall impression is that TIDP2E is an excellent book. Chris Eagle appears to have written an incredibly detailed and current text on IDA Pro. I noticed he cited material from RECon 2011, which happened earlier this year! Besides teaching how to use IDA Pro, TIDP2E appears to teach programming and operating system concepts. The book compares various ways to disassemble code (primarily linear sweep vs recursive descent) as well as complementary tools. I like the regular use of footnotes and external references, and the production quality was very high. Take a look at TIDP2E if you need a modern reference to this powerful tool suite.

Book Reviews vs Impressions

I've been reading and reviewing technical books at Amazon.com since 1999, and trying to meet reading goals since 2000. Most of you know that I only review books that I read, unlike some of the people who post "reviews" at Amazon.com. I personally don't care to read "reviews" by people who don't read the books. What's the point? However, I believe there is room for commentary on books, where I explicitly state that my reactions are based mainly on impressions and not thorough reading. After looking at my personal reading list several months ago, I decided to not read some books thoroughly enough to merit a full review. One of the techniques I adopted was to take a book on a cross-country trip (IAD to LAX, for example) and read as much as I could, or as much as interested me, during those 4 to 6 hours. During that time I would record notes, just as I do when writing book reviews. Unless I complete the book, I will not turn those notes ...