From: Andreas Lindh <andreas.lindh () isecure se>
Date: Tue, 11 Mar 2014 20:14:02 +0000
As a defender working in the *real* world, I have to say that it sounds like a lot of what Richard is saying comes from
a somewhat utopic view of what playing defense is really like and I’d like to counter some of his statements.
"He emphasizes the role of encryption to defeat many defensive tools, but ignores that security and information
technology architects regularly make deployment decisions to provide visibility in the presence of encryption.”
While this is true, what percentage of companies or organizations actually do SSL inspection? I’ll go out on a limb and
say 10%, but that is probably way too high.
"He ignores or is ignorant of technology to defeat obfuscation and encryption used by intruders.”
Again, yes this technology exists, but how many use it? It doesn’t count if nobody uses it, and in the real world not a
lot of people do.
"He says "archiving large amounts of traffic is insanely expensive and requires massive analytics to process," which is
wrong on both counts. On a shoestring budget my team deployed hundreds of open source NSM sensors across my previous
employer to capture data on gateways of up to multi-Gbps bandwidth. Had we used commercial packet capture platforms we
would have needed a much bigger budget, but open source software like Security Onion has put NSM in everyone's hands,
cheaply. Regarding "massive analytics," it's easier all the time to get what you need for solid log technology. You can
even buy awesome commercial technology to get the job done in ways you never imagined.”
First of all, how big was that team, and how big are defensive teams usually? Second, the sad truth is that not a lot
of companies are going to go for a large open source deployment. Third, it’s not just about having the technology, it’s
about having people with the skillset required to analyze all that data. A lot of defensive teams are made up of ex
network- or firewall admins, and not a lot of them have that skillset.
"Third, and this is really my biggest issue with Dave's post, is that he demonstrates the all-too-common tendency for
security professionals to constrain their thinking to the levels of tactics and tools. What do I mean? Consider this
diagram from my O'Reilly Webinar on my newest book:”
With all due respect Richard, I think I’ll pass.
To conclude, while a lot of what Richard is saying is technically true, it doesn’t mean that it is the truth for
everyone. Just because something is possible and that Richard was privileged enough to get to do it (and I’m sure he
did it well), doesn’t mean that it is possible for everyone or even most. The truth is that defense in a majority of
cases means default configured security systems that take care of themselves, with a defender taking a peek at the
console every now and then between meetings. If ever.
No one would be happier than me (well, maybe Richard) if we were actually able to do all the cool things, but
unfortunately that’s not the case. Maybe one day, but for now attackers have the upper hand.
On 11 mar 2014, at 17:09, J. Oquendo <joquendo () e-fensive net> wrote:
On Tue, 11 Mar 2014, Dave Aitel wrote:
So the thing about being advanced enough is that you don't really have
to be persistent in any normal sense of the word. Nobody has pointed out
how the first stage of the NSA shellcode (as leaked by "backgrounded by
the Constitution and definitely not at all a narcissist" Snowden) just
avoids executing anything on systems protected by HIPS. Imagine if you
were so good at your job you could ignore targets you already had
execution on if you felt even a /little bit/ queasy about their defense.
Look, Richard Bejtlich thinks I don't know anything about "Strategy"
"I never read any treatises on strategy... When we fight,
we do not take any books with us." Mao Tse-Tung
Working in an MSP/MSSP I *have* deployed defenses, working
in the malware analysis arena, I *know* about encryption
tactics used by bad actors, performing network analysis
functions for over 14 years (http://seclists.org/incidents/2000/Aug/278)
I think I can qualify myself to chip in my .02.
I will counter-argue some of Mr. Bejtlich's points.
1) Providing visibility. This all depends on the environment;
sometimes an architect CANNOT decrypt traffic without red
tape (regulatory controls, HIPAA, Sox, whatever). While
we'd LIKE to decrypt, we also have to put privacy at the
forefront as well depending on where the guidance is coming
from especially when CPOs (Chief Privacy Officers) gripe
and moan about privacy.
While on the network and security scope, we'd ALWAYS love
to see what is occurring, the reality is, every network
2) "technology to defeat/decrypt obfuscation" is a moot
point. If things were so grand, we wouldn't have instances
of "advanced persistent" anything on a network for days,
weeks - wait oh look here... YEARS - on end. All we have
is what is visible. There are NOT enough resources in ANY
company to weed out the anomalies, "sic" a malware analyst,
create IOCs in real time. Not even close to "near real time"
so we oft rely on the security vendors and researchers to
tell us: "something is off with these connections, these
applications, etc." But against REALLY good threats? This
is not happening. You *WON'T* see them in your honeypots,
NSMs, IDS', IPS', ITS' (because who doesn't love Intrusion
TOLERANCE Systems). Obfuscation via way of "hiding in plain
sight" works a long way on the offensive side, which is
how, and why, groups like the "Comment Crew" likely pervaded
in orgs for so long.
3) Archiving, and analyzing network traffic is looking for
a needle in a haystack. You're playing the signature game
again. You're either ignoring the known knowns, weeding
out anomalies. You can do it modularly (deploy NSM to say
a segment, to make it easier), but it's unfeasible to pretend
for a minute that you'd be able to pick a needle out of a
haystack and isolate someone INTENT and ADVANCED.
So you go out on an NSM spree, deploy hundreds, heck even
thousands of instances. Isolate the knowns, ignore them,
and look for the discrepancies. Guess what? What are you
going to do in say the case of Target where you MAY have
ignored a "known" (third party vendor). What are you going
to do in the following scenario:
Company --> data --> internet --> EBay
In this scenario, from your company, someone is visiting
the LEGITIMATE EBay site. However, an attacker decided to
shove in spliced bits of data with those connections,
because somewhere along the lines, he/she is sniffing
the connection, to compile spliced data. Think your NSM
skills are going to be able to piece that together? I can
assure you it won't.
Program Goals and "Strategies" from my perspective can be
combined since they rampantly change no matter HOW you
want to cut it. CISOs depend too much on book level nonsense
and often ignore those in the trenches. Those who see the
attacks, those who PERFORM the attacks. This is the reason
why so many companies get themselves "owned." You can
strategize all you want, and I go back to:
"Strategies too often fail because more is expected of them
than they can deliver"
Maybe I missed something on the "Drinking the Cool Aid"
thread, with "strategies" or even tools and tactics. I
read it to be some form of a starting point for counter
and defense. On Bejtlich's writings, it goes off into a
"this is what worked for me... How I strategized" which
*may* have worked for him, but should not be an umbrella
for defensive anything. I'd run circles around the entire
concept of what he perceives as defense. IN PLAIN sight.
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
Dailydave mailing list
Dailydave () lists immunityinc com