DropSmack: Using Dropbox Maliciously

I found an interesting article on TechRepublic, “DropSmack: Using Dropbox to steal files and deliver malware.”

Given that 50 million people are using Dropbox, it surely looks like an inviting attack vector for cyber adversaries. Jacob Williams (@MalwareJake) seems to have developed malware, DropSmack, that is embedded in a Word file already synchronized by Dropbox, infects an internal endpoint, and provides Command & Control communications.

What technical control do you have in place that would detect and block DropSmack? A network security product would have to be able to decode application files such as Word, Excel, PowerPoint, PDF, and then detect the malware and/or anomalies embedded in the document.

Can you prevent Dropbox from being used in your organization? Should you? What about other file sharing applications?

The Real Value of a Positive Control Model

During the last several years I’ve written a lot about the fact that Palo Alto Networks enables you to re-establish a network-based Positive Control Model from the network layer up through the application layer. But I never spent much time on why it’s important.

Today, I will reference a blog post by Jack Whitsitt, Avoiding Strategic Cyber Security Loss and the Unacceptable Offensive Advantage (Post 2/2), to help explain the value of implementing a Positive Control Model.

TL;DR: All information breaches result from human error. The human error rate per unit of information technology is fairly constant. However, because IT is always expanding (more applications and more functions per application), the actual number of human errors resulting in Vulnerabilities (used in the most general sense of the word) per time period is always increasing. Unfortunately, the information security team has limited resources (Defensive Capability) and cannot cope with the users’ ever-increasing number of errors. This has created an ever-growing “Offensive Advantage (Vulnerabilities – Defensive Capability).” However, implementing a Positive Control Model to influence/control human behavior will reduce the number of user errors per time interval, which will reduce the Offensive Advantage to a manageable size.

On the network side Palo Alto Networks’ Next Generation Firewall monitors and controls traffic by user and application across all 65,535 TCP and UDP ports, all of the time, at specified speeds. Granular policies based on any combination of application, user, security zone, IP address, port, URL, and/or Threat Protection profiles are created with a single unified interface that enables the infosec team to respond quickly to new business requirements.

On the endpoint side, Trusteer provides a behavioral type of whitelisting that prevents device compromise and confidential data exfiltration. It requires little to no administrative configuration effort. Thousands of agents can be deployed in days. When implemented on already deployed Windows and Mac devices, Trusteer will detect compromised devices that traditional signature-based anti-virus products miss.

Let’s start with Jack’s basic truths about the relationships between technology, people’s behavior, and infosec resources. Cyber security is a problem that occurs over unbounded time. So it’s a rate problem driven by the ever-increasing number of human errors per unit of time. While the number of human errors per unit of time per “unit of information technology” is steady, complexity, in the form of new applications and added functions to existing applications, is constantly increasing. Therefore the number of human errors per unit of time is constantly increasing.

Unfortunately, information security resources (technical and administrative controls) are limited. Therefore the organization’s Defense Capability cannot keep up with the increasing number of Vulnerabilities. Since the number of human errors increases at a faster rate than the resource-limited Defense Capacity, an Unacceptable Offensive Advantage is created. Here is a diagram that shows this.

[Figure: offensiveadvantage1]

What’s even worse, most Defensive controls cannot significantly shrink the gap between the Vulnerability curve and the Defense curve because they do not bend the vulnerability curve, as this graph shows.

[Figure: offensiveadvantage2]

So the only real hope of reducing organizational cyber security risk, i.e. the adversaries’ Offensive Advantage, is to bend the Vulnerability curve, as this graph shows.

[Figure: offensiveadvantage3]

Once you do that, you can apply additional controls to further shrink the gap between Vulnerability and Defense curves as this graph shows.

[Figure: offensiveadvantage4]

The question is how to do this. Perhaps Security Awareness Training can have some impact.

I recommend implementing network and host-based technical controls that can establish a Positive Control Model. In other words, only by defining what people are allowed to do and denying everything else can you actually bend the Vulnerability curve, i.e. reduce human errors, both unintentional and intentional.
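Jack’s rate argument, written out as an added illustration; the symbols below are mine, not from his post or from this page.

$$
V(t) = e\,c(t), \qquad D(t) \le D_{\max}, \qquad A(t) = V(t) - D(t),
$$

where $c(t)$ is the amount of information technology in use at time $t$ (applications and functions per application, growing without bound), $e$ is the constant human error rate per unit of IT per time period, $V(t)$ is the number of Vulnerabilities created per period, $D(t)$ is the Defensive Capability (the number the infosec team can deal with per period, bounded by its resources), and $A(t)$ is the Offensive Advantage. Because $c(t)$ keeps growing while $D(t)$ is capped, $A(t)$ grows without bound (first graph). Adding defensive controls alone adds a constant $\Delta D$ to the Defense curve:

$$
A_1(t) = e\,c(t) - D(t) - \Delta D,
$$

which shifts the gap down but, once $D(t)$ has reached its ceiling, leaves its growth rate $e\,\dot c(t)$ unchanged (second graph). A Positive Control Model restricts what users and applications may do, so it acts on the error rate itself, $e \to \rho e$ with $0 < \rho < 1$:

$$
A_2(t) = \rho\, e\, c(t) - D(t), \qquad \dot A_2(t) = \rho\, e\, \dot c(t) < e\, \dot c(t),
$$

which is the bent Vulnerability curve of the third graph. Applying the additional controls afterwards, $A_3(t) = \rho\,e\,c(t) - D(t) - \Delta D$, gives the fourth graph.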

Implementing a Positive Control Model does not happen instantly, i.e. it’s also a rate problem. But if you don’t have the technical controls in place, no amount of process is going to improve the organization’s security posture.

This is why firewalls are such a critical network technical control. They are placed at critical choke points in the network, between subnets of different trust levels, with the express purpose of implementing a Positive Control Model.

Firewalls first became popular in the mid-1990s. At that time, when a new application was built, it was assigned a port number. For example, the mail protocol, SMTP, was assigned port 25, and the HTTP protocol was assigned port 80. At that time, (1) protocol and application meant the same thing, and (2) all applications “behaved,” i.e. they ran only on their assigned ports. Given this environment, all a firewall had to do was use the port numbers (and IP addresses) to control traffic. Hence the popularity of port-based stateful inspection firewalls.

Unfortunately, starting in the early 2000s, developers began writing applications to bypass the port-based stateful inspection firewall in order to get their applications deployed quickly in organizations without waiting for the security teams to change policies. Also, different applications were developed that could share a port like port 80 because it was always open to give people access to the Internet. Other techniques like port-hopping and encryption were used to bypass the port-based stateful inspection firewall.

Security teams started deploying additional network security controls like URL Filtering to complement firewalls. This increase in complexity created new problems such as (1) policy coordination between URL Filtering and the firewalls, (2) performance issues, and (3) since URL Filtering products were mostly proxy based, they would break some of the newer applications, frustrating users trying to do their jobs.

By 2005 it was obvious to some people that application technology had made port-based firewalls and their helpers obsolete. A completely new approach to firewall architecture was needed that (1) classified traffic by application first, regardless of port, and (2) was backward compatible with port-based firewalls to enable the conversion process. This is exactly what the Palo Alto Networks team did, releasing their first “Next Generation” Firewall in 2007.

Palo Alto Networks classifies traffic at the beginning of the policy process by application. It monitors all 65,535 TCP and UDP ports for all applications, all of the time, at specified speeds. This enables organizations to re-establish the Positive Control Model, which bends the “Vulnerability” curve and allows an infosec team with limited resources to reduce what Jack Whitsitt calls the adversaries’ “Offensive Advantage.”
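To make the difference between the two firewall generations concrete, here is an added example (mine, not Palo Alto Networks’ App-ID and not code from this post) that names an application from the first bytes a client sends, regardless of destination port, and then compares a legacy open-port rule set with a positive, allow-listed-application policy. The flow samples, the `Flow` class and the small signature set are constructed for the illustration.

```python
"""Added illustration: classify a flow by what it carries, not by its port,
then enforce a positive (allow-list) policy. Hypothetical simplified model,
NOT Palo Alto Networks' App-ID; the sample flows are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    dst_port: int
    payload: bytes   # first bytes the client sends (constructed samples)

def classify_application(flow: Flow) -> str:
    """Name the application from the opening payload bytes, ignoring the port."""
    p = flow.payload
    # TLS record header: type 0x16 (handshake) followed by version 0x03 0x0N
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x03:
        return "ssl"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b" HTTP/1." in p:
        return "web-browsing"
    if p[:4] in (b"EHLO", b"HELO"):          # SMTP client greeting
        return "smtp"
    if p.startswith(b"SSH-"):                # SSH version banner
        return "ssh"
    # DNS query: 12-byte header, QR bit clear, exactly one question
    if flow.proto == "udp" and len(p) >= 12 and not p[2] & 0x80 and p[4:6] == b"\x00\x01":
        return "dns"
    return "unknown-" + flow.proto           # unidentified traffic keeps its protocol

# Legacy port-based rule set: whatever arrives on an open port passes.
OPEN_PORTS = {25, 53, 80, 443}

def port_based_decision(flow: Flow) -> str:
    return "allow" if flow.dst_port in OPEN_PORTS else "deny"

# Positive Control Model: allow named applications on any port, deny the rest.
# unknown-tcp / unknown-udp are not on the list, so they are denied as well.
ALLOWED_APPS = {"web-browsing", "ssl", "smtp", "dns"}

def app_based_decision(flow: Flow) -> str:
    return "allow" if classify_application(flow) in ALLOWED_APPS else "deny"

# Constructed sample flows (the client's first bytes only).
SAMPLE_FLOWS = {
    "http_on_80":    Flow("tcp", 80,   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "ssh_on_443":    Flow("tcp", 443,  b"SSH-2.0-OpenSSH_8.9\r\n"),       # port-hopping SSH
    "tls_on_8443":   Flow("tcp", 8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # SSL off 443
    "unknown_on_53": Flow("udp", 53,   b"\xde\xad\xbe\xef" * 4),          # not a DNS query
    "dns_on_53":     Flow("udp", 53,   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                                       b"\x07example\x04test\x00\x00\x01\x00\x01"),
}

def compare_policies() -> dict:
    """Return {name: (application, port_based, app_based)} for every sample flow."""
    return {name: (classify_application(f), port_based_decision(f), app_based_decision(f))
            for name, f in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, (app, legacy, positive) in compare_policies().items():
        print(f"{name:14} app={app:12} port-based={legacy:5} app-based={positive}")
```

The SSH flow on port 443 and the unidentified UDP on port 53 pass the port-based rules but are denied by the application-based policy, while TLS on port 8443 is denied by the port rules yet allowed once the firewall recognises the application on any port.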

On the endpoint side, Trusteer provides a type of Positive Control Model / whitelisting whereby highly targeted applications like browsers, Java, Adobe Flash, PDF, and Microsoft Office applications are automatically protected behaviorally. The Trusteer agent understands the memory state – file I/O relationship to the degree that it knows the difference between good I/O and malicious I/O behavior. Trusteer then blocks the malicious I/O before any damage can be done.

Thus human errors resulting from social engineering, such as clicking on links to malicious web pages or opening documents containing malicious code, are automatically blocked. This is all done with no policy configuration effort on the part of the infosec team: the policies are updated by Trusteer periodically, and there are no policies to configure. Furthermore, thousands of agents can be deployed in days. Finally, when installed on existing Windows and Mac endpoints, it will detect already compromised devices.

Trusteer, founded in 2006, has over 40 million agents deployed across the banking industry to protect online banking users. So their agent technology has been battle tested.

In closing then, only by implementing technical controls which establish a Positive Control Model to reduce human errors can an organization bend the Vulnerability Curve sufficiently to reduce the adversaries’ Offensive Advantage to an acceptable level.

What is Trusteer Apex and How is it Different?

[Figure: Trusteer slide picture1]

Trusteer Apex applies a new approach to stop zero day application exploits and data exfiltration. By analyzing the application state and understanding what the application is doing and why it’s doing it, Trusteer Apex can automatically and accurately determine if an application action is legitimate or malicious. Trusteer’s Stateful Application Control enables automated enterprise malware protection that maximizes security while simplifying deployment and minimizing management overhead. For more details see Cymbel’s Partner page, Trusteer.

Practical Zero Trust Principles

Cymbel has adopted Forrester’s Zero Trust Model for Information Security. Zero Trust means there are no longer “trusted” networks, devices, or users. There is no such thing as 100% Prevention, if there ever was. In light of the changes we’ve seen during the last several years, this is the only approach that makes sense. There is simply no way to prevent end points and servers from becoming compromised 100% of the time. For more details see Cymbel’s Zero Trust Principles.

Surprising Application-Threat Analysis from Palo Alto Networks

This past week, Palo Alto Networks released its H2/2012 Application Usage and Threat Report. Actually, it’s the first time Palo Alto has integrated Application Usage and Threat Analysis. Previous reports were focused only on Application Risk. This report analyzed 12.6 petabytes of data from 3,056 networks, covering 1,395 applications. 5,307 unique threats were identified from 268 million threat logs.

Here are the four most interesting items I noted:

1. Of the 1,395 applications found, 10 were responsible for 97% of all Exploit* logs. One of these was web-browsing. This is to be expected. However, the other nine were internal applications representing 82% of the Exploit* logs!!

This proves once again that perimeter traffic security monitoring is not adequate. Internal network segmentation and threat monitoring are required.

2. Custom or Unknown UDP traffic represented only 2% of all the bandwidth analyzed, yet it accounted for 55% of the Malware* logs!!

This clearly shows the importance of minimizing unidentified application traffic. Therefore the ratio of unidentified to identified traffic is a key security performance indicator and ought to trend down over time.

3. DNS traffic accounted for only 0.4% of total bytes but 25.4% of sessions, and ranked 3rd in Malware* logs at 13%.

No doubt most, if not all, of this represents malicious Command & Control traffic. If you are not actively monitoring and analyzing DNS traffic, you are missing a key method of detecting compromised devices in your network.

4. 85 of the 356 applications that use SSL never use port 443.

If your firewall is not monitoring all ports for all applications all of the time, you are simply not getting complete visibility and cannot re-establish a Positive Control Model.

*If you are not familiar with Palo Alto Networks’ Threat Protection function, “Exploit” and “Malware” are the two main categories of “Threat” logs. There is a table at the top of page 4 of this AUT report that summarizes the categories and sub-categories of the 268 million Threat Logs captured and analyzed. The “Exploit” logs refer to matches against vulnerability signatures which are typical of Intrusion Prevention Systems. The “Malware” logs are for Anti-Virus and Anti-Spyware signature matches.

What is not covered in this report is Palo Alto’s cloud-based WildFire zero-day analysis service, which analyzes files not seen before to determine if they are benign or malicious. If malicious behavior is found, signatures of the appropriate types are generated in less than one hour and update Threat Protection. In addition, the appropriate IP addresses and URLs are added to their respective blacklists.
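Items 2 and 3 above are ratios that any team can compute from its own traffic and Threat logs. The following is an added example, mine rather than the report’s or Palo Alto Networks’ code, that derives per-application bandwidth, session and Malware-log shares plus the unidentified-to-identified traffic KPI from constructed log lines; the CSV layout, the sample numbers and the “five times its bandwidth share” threshold are all assumptions made for the illustration.

```python
"""Added example: compute the report-style ratios (bandwidth share, session
share, Malware-log share, unidentified-traffic KPI) from constructed log lines.
The log layout is invented for this illustration; it is not PAN-OS's format."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed traffic summary lines: application, protocol, dst port, bytes, sessions
TRAFFIC_LOG = """app,proto,port,bytes,sessions
web-browsing,tcp,80,700000,2000
ssl,tcp,443,200000,900
ssl,tcp,8443,20000,60
dns,udp,53,4000,1100
unknown-udp,udp,13337,20000,40
smtp,tcp,25,56000,100
"""

# Constructed Threat log lines: application, category (exploit or malware)
THREAT_LOG = """app,category
web-browsing,exploit
web-browsing,malware
unknown-udp,malware
unknown-udp,malware
unknown-udp,malware
dns,malware
ssl,exploit
"""

def parse_traffic(text: str) -> dict:
    """Aggregate bytes and sessions per application across all ports."""
    totals = defaultdict(lambda: {"bytes": 0, "sessions": 0})
    for row in csv.DictReader(StringIO(text)):
        totals[row["app"]]["bytes"] += int(row["bytes"])
        totals[row["app"]]["sessions"] += int(row["sessions"])
    return totals

def parse_threats(text: str) -> dict:
    """Count Threat logs per application and category."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(text)):
        counts[row["app"]][row["category"]] += 1
    return counts

def share_report(traffic: dict, threats: dict) -> dict:
    """Per-app share (%) of bytes, sessions and Malware logs, one decimal."""
    total_bytes = sum(t["bytes"] for t in traffic.values())
    total_sessions = sum(t["sessions"] for t in traffic.values())
    total_malware = sum(c["malware"] for c in threats.values()) or 1
    return {app: {"bytes_pct": round(100 * t["bytes"] / total_bytes, 1),
                  "sessions_pct": round(100 * t["sessions"] / total_sessions, 1),
                  "malware_pct": round(100 * threats[app]["malware"] / total_malware, 1)}
            for app, t in traffic.items()}

def unidentified_ratio(traffic: dict) -> float:
    """Bytes in unknown-* applications divided by bytes in identified ones (the KPI)."""
    unknown = sum(t["bytes"] for a, t in traffic.items() if a.startswith("unknown-"))
    known = sum(t["bytes"] for a, t in traffic.items() if not a.startswith("unknown-"))
    return round(unknown / known, 4)

def disproportionate_malware(report: dict, factor: float = 5.0) -> list:
    """Apps whose Malware-log share exceeds `factor` times their bandwidth share
    (the threshold is an assumption for this illustration)."""
    return sorted(a for a, r in report.items() if r["malware_pct"] > factor * r["bytes_pct"])
```

Run against the constructed logs, unknown-udp carries 2% of the bytes but 60% of the Malware logs and DNS 0.4% of the bytes but 26% of the sessions, the same shape of disparity the report describes; tracking `unidentified_ratio` over time is the KPI mentioned in item 2.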

This report is well worth reading.

CloudFlare vs Incapsula vs ModSecurity

Zero Science WAF Report v2

How much protection can a Web Application Firewall provide? Are all WAFs pretty much the same? Zero Science Lab performed a detailed comparative penetration testing analysis to answer these questions. They focused on the two leading cloud-based WAFs, CloudFlare and Incapsula, and ModSecurity, the open-source, software-based WAF that is an Apache add-on. The results may surprise you because of the huge disparity in effectiveness between the two cloud-based services.

The Impossibility of White Listing

A few days ago (Feb 7, 2013) I wrote about the Australian DSD’s top recommendation for Application Whitelisting. In it I said that it was too specific. IMHO, the recommendation should be to establish a Positive Control Model and let each organization decide for itself what the best technical controls should be. I recommended Palo Alto Networks and Bromium for network and host-based Positive Controls respectively.

The next day (Feb 8, 2013) the CTO of Bromium, Simon Crosby, went a step further saying that host-based application whitelisting is impossible:

Ultimately white-listing is no different from or better than black-listing because it is impossible for either humans or computer systems to distinguish good software from bad software.

I think it’s worth reviewing his rationale:

1. The software is good/bad decision – If the goal of host-based application whitelisting is to allow only good software, then Simon is correct. There are always going to be vulnerabilities in “allowed” software. We live in an era of Advanced Persistent Adversaries who either discover or buy zero-day vulnerabilities, and build or buy the malware to exploit them. Furthermore, most organizations simply don’t have the resources to patch all known vulnerabilities. However, holding aside good/bad, and just defining what’s allowed would surely reduce an organization’s risk. The real question is, is there a better way of implementing a host-based Positive Control Model than application whitelisting? I would say yes – Bromium.

2. The “outside world” problem – As Simon says in his post, “Every URL points to a different program, perhaps a different program every time it is invoked.” Aside from whether it is organizationally feasible to deploy URL whitelisting (most organizations I work with deploy URL Filtering in a Negative Control Model), Simon correctly points out, “Reputable sites are used more often and more successfully to distribute malware.” I am surely not saying that URL Filtering provides no value. But you do have to understand its limitations. The key point though is that Bromium’s technology is superior.

Bromium has created a technical breakthrough enabling task isolation at the hardware level. Simon wrote an excellent expository post, Why Task Isolation Changes Everything.

So host-based application whitelisting looks like one of those technologies that is straightforward in theory but very problematic in practice. As I like to say, “In theory, there is no difference between theory and practice. But in practice, there is.”

One comment on Palo Alto Networks’ network-based application whitelisting. The theory and practice of defining which applications are allowed and denying the rest has nothing to do with distinguishing between good and bad software. It’s really a way of reducing an enclave’s attack surface by only allowing what’s required between an untrusted and a trusted zone. It’s actually the sine qua non of a firewall. Said another way, it implements the closely related concept of Least Privilege.

Finally, from a defense-in-depth perspective, I recommend both Bromium and Palo Alto Networks be deployed.

Host-based Application Whitelisting example of Positive Control Model

The Australian Defence Signals Directorate (DSD) is well known for its Top 35 Strategies to Mitigate Targeted Cyber Intrusions. Branden Williams today wrote about Foresight Consulting’s White Paper on implementing the Top 4.

The top recommendation of the Australian DSD is “Application Whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs.”

My concern with this recommendation is that it’s too specific. It does not take into consideration (1) the business and cultural environment within an organization, and (2) changes/advances in technology. To put Application Whitelisting into perspective, it’s just one way of implementing a Positive Control Model, i.e. define what is allowed and deny everything else.

My view is that the top recommendation should be: implement an application-based Positive Control Model using the technology and process that works best for your organization. I have nothing against Host-based Application Whitelisting per se, but there are alternatives that ought to be considered.

One alternative would be a firewall that is capable of enforcing an application-based Positive Control Model. If you are familiar with my company Cymbel, you would know that we have been successfully deploying Palo Alto Networks next-generation firewalls for just this function since 2007. Given that the key goal of a cyber intrusion is exfiltrating confidential data, a network-based approach might be a more effective way to go.

A second alternative is a relatively new technology from Bromium - a Windows-based “Micro-hypervisor” which uses hardware isolation at the task level thereby controlling each task’s and web browser tab’s access to on-host resources as well as network communications. This may be an easier and more effective approach for protecting against the main attack vectors used by adversaries – web browsing and zero-day vulnerabilities of core host-based tools like Flash, PDF, and Java.

So in closing, I completely agree that establishing a Positive Control Model is of primary importance, but the technical control(s) used should be up to the organization.

The story behind the Microsoft Nitol Botnet takedown

Earlier today Microsoft announced the takedown of the Nitol botnet and takeover of the 3322.org domain. However, if you are using the Damballa flow-based Detection Control, this was a non-event. Full disclosure – Cymbel partners with Damballa.

Gunter Ollmann, Damballa’s CTO, today commented on Nitol and 3322.org, and the ramifications of the Microsoft takedown, which I will summarize.

First, Damballa has been tracking Nitol and the other 70 or so botnets leveraging 3322.org for quite some time. Therefore, as a Damballa user, any device on your network infected with Nitol, or the other 70 botnets leveraging 3322.org, would be identified by Damballa. Furthermore, if you were using Damballa’s blocking capabilities, those devices would be prevented from communicating with their malware’s Command & Control (C&C) servers.

Second, most of these 70+ botnets make use of “multiple C&C domain names distributed over multiple DNS providers. Botnet operators are only too aware of domain takedown orders from law enforcement, so they add a few layers of resilience to their C&C infrastructure to protect against that kind of disruption.” Therefore this takedown did not kill these botnets.

In closing, while botnet and DNS provider takedowns are interesting, they simply do not reduce an organization’s risk of data breaches. Damballa does!!

Zero-day exploit trade impact on enterprises

SC Magazine’s Dan Kaplan’s piece on The Hypocrisy of the zero-day exploit trade shows that enterprises can no longer rely on signature-based Detection Controls to mitigate the risks of confidential data breaches resulting from compromised devices.

I am surely not saying that signature-based IPS/IDS controls are dead, as you do want to detect and block known threats. However, IPS/IDSs are surely no longer sufficient. They must be complemented by a behavior-analysis Detection Control (flow and DNS analysis) as part of a redesigned Defense-in-Depth architecture.