Comments on TaoSecurity Blog: Response for Daily Dave
Comment feed for a post by Richard Bejtlich; 7 comments, feed last updated 2023-10-16T06:06:25-04:00. Newest first.

Richard Bejtlich (2009-05-28T22:41:26-04:00):

Matthew, I don't think you are considering the scope of the problem I'm addressing. I'm talking about adversaries who employ dedicated, specialized teams that operate well outside normal pen testing boundaries and survive despite months of intense removal activity.

Matthew Wollenweber (2009-05-28T22:33:57-04:00):

Richard,

I usually work with Fortune 100 companies and/or large government agencies. If they aren't sufficiently large to concern you then I'm a bit baffled. Likewise, in that time frame I've generally established a strong foothold to ensure continued access to the network, and have access to critical systems (email, employee data, customer databases, PDC).

I like to think I'm a fair pen tester, but similar results are typical of an assessment done by most quality firms.

Mike, posting anonymously (2009-05-26T19:51:51-04:00):

Richard,

I agree with your conclusions and explanation. I have a somewhat different lens that first strikes me when I hear things like this, though.

Our position as analysts is part of a larger function, which is risk management, not risk elimination. If we base our efforts around the latter, we will never be effective at the former. By forcing the adversaries into an arms race, as Dave insinuates, we force sophistication on their part and reduce the threat space that is effective at compromising our security. This means we can apply more expensive and sophisticated techniques to the remaining problem, which would not be possible on a larger scale. Is this situation "winnable" for the defender? Probably not, but then again neither is vulnerability management, for the very same reasons. Does that mean we should ease up efforts to reduce the problem? Of course not.

National security makes for a good, if incomplete, analogue. Can we guarantee the security of our country from foreign adversaries? Of course not. We must sometimes engage in arms races to mitigate a possible attack when diplomacy is ineffective - the Cold War is a good example. And just like in national security, the best strategic solution to the problem is in policy - conflict is often a symptom of ideology that can in many cases be addressed through diplomacy and legal frameworks. This has not yet been recognized by policymakers or lawmakers to also apply to information security, thus we are left in a difficult arms race to mitigate conditions in which we are no longer secure.

I feel proponents of this somewhat defeatist attitude reveal a lack of appreciation for that important distinction between risk management and risk elimination, which is a guiding principle behind our decisions every day.

-Mike

Rick (2009-05-26T11:09:56-04:00):

Memory forensics is also about baselining your system so you can detect when the system is operating outside the norms.

We do a lot of things in security that have a low probability of detecting an attack, but the fact is that the more sources you have, the more likely you are to detect the attack.

Richard Bejtlich (2009-05-26T10:54:21-04:00):

Matthew,

I wrote this post

http://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html

for people who need more details.

If you can accomplish your objective in the amount of time you cite, your objective is far narrower than that of the sorts of intruders who really scare me, or the networks involved are too small to concern me.

Matthew Wollenweber (2009-05-26T10:41:41-04:00):

I'm going with Dave on this one. Having used CANVAS on numerous real-world pen tests, I've never had it detected by IDS.

Your argument appears to make sense, but it's an untenable position. Given enough time, the probability of detection goes to 1. However, by that time it's too late. Even in a short week-long pen test, an experienced tester has already cracked passwords, created users, installed keyloggers, gotten your most critical data, and has 2-3 boxes sitting idle so that if you detect a noisier box I still have some place to go.

At that point detection doesn't really matter. You can't get rid of the attacker, as your only real advantage is physical access to machines -- which is dubious in many global enterprise environments. The attacker already has the most valuable data and at that point is probably just letting the assets idle.

H. Carvey (2009-05-24T07:32:30-04:00):

I'm 100% with Richard on this... at some point, the intruder has to do something, and their presence will be revealed to someone with the right visibility and right skills.

This is well-known in the military. At some point, that sniper or those Marines in an LP/OP position (listening/observation post) are going to succumb to human needs, or they're going to have to send data back to higher headquarters... if they don't, what's the point? The most stealthy sniper needs to move or maybe even take a shot.

The point is that something, somewhere will be revealed. I don't run across many "professional defenders," and more often than not I deal with customers lacking even the most basic visibility or rudimentary training... but the fact is that there is something, somewhere... muddy bootprints on the carpet, or something more subtle, like a bent twig or some turned-up stones...