Monday, August 29, 2011

TaoSecurity Security Effectiveness Model

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.

Security consists of three areas of interest:

  1. What defenders think should be defended, whether or not it matters to the adversary and whether or not it is in reality defended. I label this "Defensive Plan."

  2. What the adversary thinks matters and really should be defended, but might not be. I label this "Threat Actions."

  3. What is in reality defended in the enterprise, whether or not defenders or the adversary care. I label this "Live Defenses."

I call the Defensive Plan "Correct" when it overlaps with the Threat Actions, because the defenders correctly assessed the threat's interests. I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.

I call the area covered by the Live Defenses "Defended," but I don't assume the defenses are actually sufficient. Some threats will escalate to whatever level is necessary to achieve their mission. In other words, the only way to not be compromised is to not be targeted! So, I call areas that aren't defended at all "Compromised" if the adversary targets them. Areas not targeted by the adversary are "Compromise Avoided." Areas targeted by the adversary but also covered by Live Defenses are "Compromise Possible."

The various intersections produce some interesting effects. For example:

  1. If you're in the lower center area titled "Incorrect, defended, compromise possible," and your defenses hold, you're just plain lucky. You didn't anticipate the adversary attacking you, but somehow you had a live defense covering it.

  2. If you're near the left middle area titled "Correct, undefended, compromised," this means you knew what to expect but you couldn't execute. You didn't have any live defenses in place.

  3. If you're in the area just below the previous space, titled "Incorrect, undefended, compromised," you totally missed the boat. You didn't expect the adversary to target that resource, and you didn't happen to have any live defenses protecting it.

  4. If you're in the very center, called "Correct, defended, compromise possible," congratulations -- this is where you expected your security program to operate, you deployed defenses that were live, but the result depends on how much effort the adversary applies to compromising you. This is supposed to be "security Nirvana" but your success depends more on the threat than on your defenses.

  5. The top-most part titled "Incorrect, undefended, compromise avoided" shows a waste of planning effort, but not wasted live defenses. That's a mental worry region only.

  6. The right-most part titled "Incorrect, defended, compromise avoided" shows a waste of defensive effort, which you didn't even plan. You could probably retire all the security programs and tools in that area.

  7. The area near the top titled "Incorrect, defended, compromise avoided" shows you were able to execute on your vision but the adversary didn't bother attacking those resources. That's also waste, but less so since you at least planned for it.

What do you think of this model? Obviously you want to make all three circles overlap as much as possible, such that you plan and defend what the threat intends to attack. That's the idea of threat-centric security in a nutshell -- or maybe a Venn diagram.

Sunday, August 28, 2011

TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct

I just created a class page for my upcoming TCP/IP Weapons School 3.0 in McLean, VA on 26-27 October 2011. I decided to offer this class because I haven't taught anything nearby in quite a while, and many people asked for a class in NoVA. I don't plan to offer this sort of "solo" (i.e., outside Black Hat) class again (or anytime soon). So, if you're in the neighborhood and you'd like to attend a TWS3 class, this could be your chance! The venue only seats 20-25 students, so please keep that in mind. You can register through RegOnline immediately. Thank you.

Friday, August 19, 2011

Jaime Metzl Describes "China's Threat to World Order"

Props to LS for pointing me to this WSJ article titled China's Threat to World Order. I found the following pertinent for the "cyber" aspect:

Allegations that the Chinese government is behind the largest computer hacking operation in history will not come as a surprise to observers of recent trends in international relations. If there is one thing that China's actions across a range of fields have made clear, it is that Beijing will do whatever it takes to advance its narrowly defined economic interests, even if that requires riding roughshod over global norms...

It is no longer acceptable for China to claim global leadership in some areas but then pretend it is a weak developing country and shirk its responsibilities in others. A China that leads the world in the theft of intellectual property, computer hacking and resource nationalism will prove extremely destabilizing. If it continues on this course, Beijing should not be surprised if other countries begin to band together to collectively counter some of the more harmful implications of China's rise.

I think contrasting China with Russia may be helpful here. We tend to have more cooperation with Russia, even in areas of digital security; for example, see the work of the EastWest Institute.

After publishing the WSJ article, Jaime then summarized open reporting on China's activities over the last few years and published the result at China and Cyber-Espionage.

Thursday, August 18, 2011

Expect to Hear "IDS Is Dead" (Again)

Do you remember when IDS was dead, and supposed to be replaced by "thought-leading firewalls" by 2005?

Well, that prediction died pretty quickly. However, I expect to hear it again after reading DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn:

About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's Einstein 3 effort, said Deputy Defense Secretary William Lynn.

During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped "hundreds of intrusions."

Lynn also laid blame for intrusions into military and defense industrial base networks on "foreign intelligence services," stating that they have stolen military plans, weapons system designs, source code and other intellectual property.

"This kind of cyber exploitation does not have the dramatic impact of a conventional military attack," Lynn said. "But over the long term, it has a deeply corrosive effect. It blunts our edge in military technology and saps our competitiveness in the global economy."

Foreign intruders have extracted terabytes of data from defense companies, he added.

This sort of story is likely to lead to the same arguments I heard eight years ago regarding "Intrusion Detection Systems" vs "Intrusion Prevention Systems," namely:

If you can detect it, why can't you prevent it?

This is a broad topic, so rather than try to answer everything here and now, I'll likely work on it over the coming weeks in individual posts.

Wednesday, August 17, 2011

Bejtlich Leading Session at IANS

The IANS group just posted their fall forum announcement. It states I will be leading a session on the APT at their event in Boston on 20 September 2011.

Kicking off the morning will be Richard’s session on “Mitigating the Advanced Persistent Threat.” IANS continually hears from our clients that APT and cyber crime is a constant, nagging concern (if not for their own company… yet, then because of headline news read by company executives), and it is the CISO’s job to deal with real, perceived, and impending APT issues.

Thus, during his session Richard will provide advice and real-life use cases on what he’s seen, what’s worked, what doesn’t, and what CISOs can do to deal with APTs at their own organizations.

Following the short presentation portion of the session, CISOs will collectively discuss 1) How to keep up with industry-specific threats; 2) Tactics and techniques to detect and mitigate the APT; and 3) The real implications of APT incidents.

This should be a great event, because the afternoon session also features Grady Summers, my old boss from GE (who was the CISO there). Grady will:

lead CISO participants through a follow-on discussion on managing cyber security at a board level. With today's threats consistently making front-page news, even the most traditional boards are starting to ask about cyber security.

To be prepared for such an event, Grady will walk participants through varying scenarios on handling: 1) What works and what’s not effective with regard to board communication on information security; 2) What audit committee chairs at some of the world's biggest companies are saying about security; and 3) Why you might not be doing your job if you're trying to "speak the language of the business" to your board.

I think this will be a great event, without death by PowerPoint. Please visit the announcement for registration information. Thank you.

Monday, August 15, 2011

Check Out MANDIANT Job Postings

If you visit you'll notice MANDIANT is looking to hire a ton of people over the next few weeks and months. We have openings all over the company, including my MCIRT business line. Basically if you're the go-to person in your organization for coding, doing, or supporting incident detection and response tools and/or techniques, you will probably find an interesting job here!

The easiest way to start the process is to pick a role and submit your resume. Thank you for your consideration.

Tao of NSM Errata and Possible Book Plans

Recently an astute reader, Greg Back, submitted three corrections for typos to my first book, The Tao of Network Security Monitoring. I just uploaded these to the errata page and will submit them to the publisher now. Thanks to Greg for so closely reading the text and catching the errors! They involved miscounting bytes in two packets, and saying bytes where I should have said bits elsewhere.

On a related note, I'm considering reviewing my material from the TCP/IP Weapons School (versions 1, 2, and 3) and writing a book based on the best aspects of each class. I wouldn't expect the book to arrive any earlier than late 2012, when I expect to retire the third version of TWS, currently taught in live classes. Over the last few years many of you have asked what I plan to do with the older TWS material, and I think this might be the best way to put it to good use. As I figure out what to do I will keep you informed here.

Bejtlich Webinar for Dark Reading and InformationWeek

Thanks to Dark Reading and InformationWeek I will participate in the How Security Breaches Happen online virtual event on 25 August 2011. At 1330 ET I present with Nicholas J. Percoco and Kelly Jackson Higgins on "Why Bad Breaches Happen To Good Companies."

I will share the enterprise/CSO perspective while Nicholas will present the adversary simulation/pen tester perspective. Kelly will moderate. Lots of other speakers will participate from 1030 ET to 1815 ET.

We hope you can attend!

Bejtlich Keynote at Hawaiian Telcom Conference

Thanks to Hawaiian Telcom I will be speaking at their 2011 Security Conference in Honolulu on 7 September 2011.

My topic is "Putting the A, P, and T into the Advanced Persistent Threat:"

Advanced Persistent Threat, or APT, is a controversial term. Just what qualifies as the APT? Who invented this term? Is it a marketing vehicle or is there a method to its use? In this keynote, Mandiant CSO Richard Bejtlich will explain the history of the APT, and what makes it Advanced, Persistent, and a Threat. He will discuss the concepts of "fighting through" an intrusion and "operating in a contested network," approaches to dealing with the APT that work in the real world.

My colleague and friend Kris Harms will also attend, presenting "Network Security FTW."

We hope to see you there! And no, Jeremiah Grossman, we will not be joining you to fight MMA-style. Well, maybe Harms will.

Feedback from Latest TCP/IP Weapons School 3.0 Class

At Black Hat in Las Vegas and USENIX Security in San Francisco I taught three TCP/IP Weapons School 3.0 classes. I think my weekday class at Black Hat set a personal record student count, and I was glad to have Steve Andres from Special Ops Security there to help students with questions and lab issues!

I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming class. Currently I'm scheduled to teach at Black Hat Abu Dhabi on 12-13 December. The only other possibilities for training this year include a class in northern VA in either September or October, and a class the weekend before USENIX LISA in Boston on 3-4 December 2011. Next year I will likely return to Las Vegas again in the summer (21-24 July) and DC in the fall (30-31 Oct) but beyond that I am not sure how much training I might do in 2012.

Student feedback from TWS3 included:

  • I've been to a lot of training sessions and this was by far the best. The discussions were useful and practical. The labs were well done enough to repeat and follow them later.

  • Excellent speaker, well-prepared and extremely engaging. Perfect balance of real world scenarios and information.

  • Great course! More lab-based and little [i.e., fewer] PowerPoints is a recipe for success. Will recommend to others.

  • This is the best Black Hat Training class I've ever taken. The techniques and information Richard taught are instantly usable in my day-to-day security analyst work. Well worth the time and money.

  • Richard worked hard to answer our questions and tailor the class to our needs.

  • Discussion-based training without PowerPoint was a great experience -- much more rewarding than death by .ppt!

  • Richard does an excellent job presenting material in an engaging way.

  • Excellent job handling diverse student population with very different skill levels.

  • I would take another security course taught by Richard as well as recommend this course to others.

The students who attend to learn how to collect and analyze network- and log-centric artifacts and data in order to detect and respond to intrusions tend to like the class best.

Thank you to the students from all three classes for your participation!

Sunday, August 14, 2011

Impressions: Android Forensics

My final book in this batch is Android Forensics by Andrew Hoog. Due to the nature of Android and the author's experience with it, this book has a lot of great content. (In contrast, on page xiii, the author thanks iPhone and iOS Forensics co-author Katie Strzempka "for generally taking care of that other book." Hmm, maybe I should have known that before trying to assess that "other book?")

My only real concern with this book is that it might lack the focus required by a normal investigator. I'm sure many investigators simply want to know where to find key data (email, Web history, etc.) and then retrieve and analyze it in a forensically sound manner. It's the "so what" question that hangs over many forensics books. I would have liked a case study focusing on that sort of material to show how an investigator would make sense of the data and structures unearthed by the author throughout the book.

Impressions: iPhone and iOS Forensics

The third forensics book in this batch is iPhone and iOS Forensics (IAIF) by Andrew Hoog and Katie Strzempka. This book is similar to iOS Forensic Analysis: for iPhone, iPad, and iPod touch by Sean Morrissey, in the sense that neither book is as strong as I might have hoped. Oddly enough, the aspects of Morrissey's book that were most compelling (like his overview of the various i-devices and attention to each of them) are weaker in IAIF.

I found IAIF to be a little confusing in its approach, with a lack of rigor around discussing the iPhone vs other platforms. I felt the authors should have either focused on one platform or given all of them equal attention. I also disliked the mixing of what seemed to be jailbroken and non-jailbroken content. I prefer forensics books to avoid using jailbreak techniques where possible, but it would have been helpful for the authors to be very clear about where and why they use such methods.

Chapter 4 was supposed to cover security, but it was overall very disappointing. Chapter 6 probably has the core data of interest to a forensic investigator, namely where to find certain types of evidence (email, Web history, etc.) and how to get it. This is the sort of data missing from the Xbox book I just addressed.

I liked the material on downgrading iOS on a phone, but didn't like reading about basic Linux information in chapter 1. That should have been in an appendix.

Impressions: Xbox 360 Forensics

Next is Xbox 360 Forensics (X3F) by Steven Bolt. This book offers a lot of technical detail, but it seems to read more like a coroner's report than a guide for those doing forensics on the Xbox 360 platform. The author spends a lot of time documenting his analysis of the Xbox 360, but after perusing the book I took myself out of the role of scientist and into that of investigator.

An investigator (such as a law enforcement person) is likely to say "that's all nice, but can I read the suspect's email? Can I review his Web browsing history? Can I inspect the content of his instant messaging? How do I do that?" These are practical questions that do not really appear in X3F. Sure, the author tears apart the platform and its file system, but I don't see a way for an investigator to easily move from the current text to answering fundamental investigation questions.

Impressions: Digital Forensics with Open Source Tools

For my fourth impressions post, I'll turn to the digital forensics world for Digital Forensics with Open Source Tools (DFWOST) by Cory Altheide and Harlan Carvey. I took a lot of notes but didn't read closely enough in my opinion to merit a full review.

I didn't like the way this book started. I can't tell if the authors expect the reader to be familiar with open source software or not. The book needed to start in chapter 2 with something like "let's start by selecting Ubuntu for our operating system. We like it for the following reasons..." In contrast, the reader suddenly finds himself in the "Working with Images" section trying to use losetup, mmls, doing math, etc. That's too fast! Many reading this book are going to get lost on page 23 between "sudo apt-get install libfuse-dev libexpat1-dev" and advice to use "a simple ./configure..."

Beyond the rough start, however, I thought the rest of the book was interesting. I liked reading about a variety of tools, especially trying to accomplish the same task on Linux and Windows. I enjoyed reading about hidden Windows Event Logs in ch 4 and about hachoir in ch 8. The book made great use of public evidence sources, like the Digital Corpora.

Near the end of the book (ch 9) I read a reference to Rob Lee's SIFT platform, so I wondered why the book didn't use it throughout. I also would have liked to have read more about log2timeline in ch 9.

One note for a second edition: some figures in the book feature resolutions so high that the text is not legible given the size of the screen captures.

I think you will like DFWOST, but I bet the second edition will be stronger.

Impressions: The Shellcoder's Handbook, 2nd Ed

The third book for which I'd like to share my impressions is The Shellcoder's Handbook, 2nd Ed (TSH2E) by Chris Anley, John Heasman, FX, and Gerardo Richarte. I liked TSH2E, but I could tell that the collaboration among four authors caused some issues that could have been addressed by better editing. For example, early parts of the book use both Intel and AT&T assembly syntax, but the reader doesn't get an explanation of either until chapter 7.

For me, the best aspect of TSH2E was the integration of real-world obstacles to exploiting victims. The book (although published in 2008) expertly addressed various defenses introduced in operating systems over the past decade. The authors usually start with simple concepts, promising to address tougher challenges later -- and they deliver.

One item early in the text caught my attention though. The book includes the following code to demonstrate spawning a shell:

#include <unistd.h>

int main() {
    char *name[2];

    name[0] = "/bin/sh";   /* program to run, also argv[0] */
    name[1] = 0x0;         /* argv must be NULL-terminated */
    execve(name[0], name, 0x0);  /* no environment passed */
}

Then they show the following:

[jack@0day local]$ gcc shell.c -o shell
[jack@0day local]$ ./shell

This looks like a section left over from the first edition by Jack Koziol. Why does the prompt change to a root shell? Should it not be a user shell, since user "jack" appears to have been running with user privileges? Maybe not?

Regardless, TSH2E is a very strong book with practical lessons and examples for anyone writing offensive code.

Impressions: Reversing: Secrets of Reverse Engineering

I took a lot of notes while reading Reversing: Secrets of Reverse Engineering (RSORE) by Eldad Eilam, but I didn't read enough of the book to qualify in my opinion to write a true review. What I did read, though, was awesome. RSORE is very well written, clear, interesting, and features high production value and quality. Although Wiley published the book in 2005, I believe it's as relevant now as it was six years ago. In fact, I recommend pairing it with IDA Pro, 2nd Ed for a one-two RE punch.

The introduction part provided sound foundations, great coverage of low-level concepts, a helpful overview of the Win32 environment (albeit with a 32-bit focus) and a quick tools discussion.

The applied engineering part includes hunting for undocumented (as of 2005) native Windows APIs, analyzing the file format of an encryption program, auditing the vulnerability in idq.dll exploited by Code Red, and reversing a backdoor that communicates via IRC.

The cracking part featured solid references to legal precedents, academic papers, and books, then discussed copy protection, DRM, and anti-piracy concepts, followed by anti-reversing measures and cracking learning-tool "crackmes."

The final part described reversing .NET and decompilation.

Overall the book appears very strong and I recommend it based on the material I did read.

Impressions: The IDA Pro Book, 2nd Ed

What better way to start my new book impressions technique than The IDA Pro Book, 2nd Ed (TIDP2E) by Chris Eagle. I didn't read the entire book because I am not a reverse engineer, nor am I an IDA Pro user. However, I find the field, the tools, and the people who do reverse engineering to be interesting.

My overall impression is that TIDP2E is an excellent book. Chris Eagle appears to have written an incredibly detailed and current text on IDA Pro. I noticed he cited material from RECon 2011, which happened earlier this year!

Besides teaching how to use IDA Pro, TIDP2E appears to teach programming and operating system concepts. The book compares various ways to disassemble code (primarily linear sweep vs recursive descent) as well as complementary tools. I like the regular use of footnotes and external references, and the production quality was very high.

Take a look at TIDP2E if you need a modern reference to this powerful tool suite.

Book Reviews vs Impressions

I've been reading and reviewing technical books at since 1999, and trying to meet reading goals since 2000. Most of you know that I only review books that I read, unlike some of the people who post "reviews" at I personally don't care to read "reviews" by people who don't read the books. What's the point?

However, I believe there is room for commentary on books, where I explicitly state that my reactions are based mainly on impressions and not thorough reading.

After looking at my personal reading list several months ago, I decided to not read some books thoroughly enough to merit a full review. One of the techniques I adopted was to take a book on a cross-country trip (IAD to LAX, for example) and read as much as I could, or as much as interested me, during those 4 to 6 hours.

During that time I would record notes, just as I do when writing book reviews. Unless I complete the book, I will not turn those notes into a proper book review.

Instead, I will post a new category of description, impressions, to this blog. These impressions will let you know what I think of a book based on paying attention to the areas that I find intriguing (if any).

I plan to use this approach with books outside my core areas of interest. For books within my core areas of interest, I will read and review them per normal.

None of these impressions candidates will qualify for my annual Best Book Bejtlich Read award.

For those not familiar with my reading approach, these reading posts might be helpful.