Rethinking the balance between Prevention, Detection, and Response

One of Information Security’s basic triads is Prevention, Detection, and Response. How many organizations consciously use these categories when allocating InfoSec budgets? Whether intentional or not, I have found most organizations are over-weighted to Prevention.

Perhaps spending most of the InfoSec budget on Prevention made sense in the late 90’s and the first half of the 2000’s. But the changes we’ve seen during the last five to seven years in technology, threats, and the economy have made it inevitable that organizations will experience successful attacks. Therefore more budget must be allocated to Detection and Response.

What’s changed during the last several years?

Technology

  • The rise of Web 2.0 applications and social networking for business use, in response to the need to improve collaboration with customers and suppliers, and among employees.
  • Higher speed networks in response to the convergence of data, voice, and video, which helps organizations cut operating costs.
  • Increased number of remote and mobile workers, in response to efforts to reduce real estate costs and avoid wasting time commuting. I put this under technology because without high speed, low cost Internet connections this would not be happening.

Threats

  • Attacker motives have changed from glory to profits.
  • Attackers no longer bother building fast-spreading worms like Code Red and Nimda. Now adversaries work stealthily while they steal credit card information, bank account credentials, and intellectual property.
  • The main threat vector has shifted to the application layer and what I call the “inside-out” attack vector where social engineering actions like phishing lure users out to malware-laden web pages.

Economy

  • The Great Recession of 2008-2009 and the slow growth of the last couple of years have put enormous pressure on InfoSec budgets.

Using Bejtlich’s Security Effectiveness Model, the Threat Actions have changed but, for the most part, the Defensive Plans and Live Defenses have not kept up.

Organizations cannot continue to simply add new prevention controls to respond to the new reality. More effective and lower cost prevention controls must replace obsolete ones to improve Prevention and to free up budget for Detection and Response.

Mitigating Modern Malware Risks

During the last several years we have observed dramatic changes in the identity of attackers, their goals, and methods. Today’s most dangerous attackers are cyber criminals and nation-states who are stealing money and intellectual property. Their primary attack vector is no longer the traditional “outside-in” method of directly penetrating the enterprise at the network level through open ports and exploiting operating system vulnerabilities.

The new dominant attack vector is at the application level. It starts with baiting the end-user via phishing or some other social engineering technique to click on a link which takes the unsuspecting user to a malware-laden web page. The malware is downloaded to the user’s personal device, steals the person’s credentials, establishes a back-channel out to a controlling server, and, using the person’s credentials, steals money from corporate bank accounts, credit card information, and/or intellectual property. We call this the “Inside-Out” attack vector.

Here are my recommendations for mitigating these modern malware risks:

  • Reduce the enterprise’s attack surface by limiting the web-based applications to only those that are necessary to the enterprise and controlling who has access to those applications. This requires an application-based Positive Control Model at the firewall.
  • Deploy heuristic analysis coupled with sandbox technology to block the user from downloading malware.
  • Leverage web site reputation services and blacklists.
  • Deploy effective Intrusion Prevention functionality which is rapidly updated with new signatures.
  • Segment the enterprise’s internal network to:
    • Control users’ access to internal applications and data
    • Deny unknown applications
    • Limit the damage when a user or system is compromised
  • Provide remote and mobile users with the same control and protection as itemized above
  • Monitor the network security devices’ logs in real-time on a 24x7x365 basis
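The last two recommendations, denying unknown applications and watching the firewall logs continuously, are where the “inside-out” back-channel described above actually becomes visible. The following is an added example (not code from Cymbel, Palo Alto Networks or Solutionary) that runs two detections over a constructed, simplified firewall log: a positive-control check that reports any flow whose application is not on the user group’s allowlist, and a beacon heuristic that flags an internal host checking in with one external address at a near-constant interval. The log format, the policy table, the user-to-group mapping and the thresholds are all assumptions made for the example.

```python
"""Detection over constructed firewall logs (added example, not vendor code).

Constructed log format, one flow per line:
    time(epoch seconds),src_ip,user,app,dst_ip,dst_port
"""
import csv
import io
import statistics
from collections import defaultdict

# Assumed positive-control policy: applications each user group may use.
# Anything not listed is a violation ("deny unknown applications").
ALLOWED_APPS = {
    "finance": {"ssl", "web-browsing", "sap"},
    "engineering": {"ssl", "web-browsing", "ssh", "git"},
}
USER_GROUP = {"alice": "finance", "bob": "engineering", "carol": "finance"}

# Constructed sample log. carol's host reaches 203.0.113.9 every 60 seconds
# over an application the firewall could not identify; bob runs a P2P app.
SAMPLE_LOG = """\
1000,10.0.1.10,alice,web-browsing,198.51.100.20,443
1005,10.0.1.11,bob,ssh,198.51.100.30,22
1010,10.0.1.12,carol,unknown-tcp,203.0.113.9,8443
1020,10.0.1.10,alice,sap,10.0.5.5,3200
1070,10.0.1.12,carol,unknown-tcp,203.0.113.9,8443
1130,10.0.1.12,carol,unknown-tcp,203.0.113.9,8443
1140,10.0.1.11,bob,bittorrent,198.51.100.40,6881
1190,10.0.1.12,carol,unknown-tcp,203.0.113.9,8443
1250,10.0.1.12,carol,unknown-tcp,203.0.113.9,8443
1300,10.0.1.10,alice,web-browsing,198.51.100.21,443
1400,10.0.1.10,alice,web-browsing,198.51.100.22,443
1450,10.0.1.10,alice,web-browsing,198.51.100.23,443
"""


def parse_log(text):
    """Parse the constructed CSV into dicts; time and port become ints."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        t, src, user, app, dst, port = rec
        rows.append({"time": int(t), "src": src, "user": user,
                     "app": app, "dst": dst, "port": int(port)})
    return rows


def policy_violations(rows):
    """Positive control model: return (user, app, dst) for every flow whose
    application is not on the user's group allowlist. Unknown users and
    unidentified applications both fail closed."""
    out = []
    for r in rows:
        group = USER_GROUP.get(r["user"])
        if group is None or r["app"] not in ALLOWED_APPS[group]:
            out.append((r["user"], r["app"], r["dst"]))
    return out


def beacon_candidates(rows, min_flows=4, max_cv=0.2):
    """Flag (src, dst, mean_gap) for pairs with >= min_flows connections whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv).
    Regular check-ins to a single external host are what the back-channel
    to a controlling server looks like in the firewall log."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["time"])
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            found.append((src, dst, round(mean, 1)))
    return found


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for v in policy_violations(flows):
        print("policy violation:", v)
    for b in beacon_candidates(flows):
        print("beacon-like traffic:", b)
```

Real logs carry jitter, so the coefficient-of-variation threshold should be tuned against a baseline of known-good traffic rather than set to zero; the policy check, by contrast, is deterministic and should be fed straight into the 24x7 monitoring queue.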

Full disclosure: For the last four years my company Cymbel has partnered with Palo Alto Networks to provide much of this functionality. For the real-time 24x7x365 log monitoring, we partner with Solutionary.

Zscaler reports on ‘blackhat’ SEO numbers for December 2010

One of the Social Engineering risks a user must cope with is malicious web page links that show up in Google searches. Google is aware of this problem and works to weed out the “blackhat” website pages that attempt to fool Google’s algorithms.

While Google’s efforts are improving, Zscaler is reporting that in December 2010, Google flagged only 44% of the “blackhat” links that Zscaler identified.

Full disclosure – Zscaler is a Cymbel partner.

Facebook scam: Guy that lives on my street killed his girlfriend today

Social Engineering creativity knows no bounds.

This one has been spreading for a couple of days, posing as a news story from one of your Facebook friends that someone who lives in their street has killed his girlfriend.

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take.

Cisco 2010 Annual Security Report – Cybercrime ROI Matrix

ReadWrite Enterprise has a nice summary of the Cisco 2010 Annual Security Report. Here are some of the key points.

Cisco goes MBA-ish with a quadrant to show trends in cybercriminals’ attack methods.

Social engineering continues as a key technique. Cisco highlights the seven weaknesses social engineers exploit: sex appeal, greed, vanity, trust, sloth, compassion, and urgency. Cisco recalls the Robin Sage fiasco.

Java has become the number one target for cybercriminals replacing PDF.

And of course, Cisco acknowledges Stuxnet and the “evil” cybercrime winner.

Security alert: New Trojan Horse apps said to attack the Mac

Some security mavens have long theorized that as the Mac becomes more popular, we’d start to see malware that would start targeting the platform. Sure enough, this morning’s crop of email blasts from PR firms included a few notices of trojans that are affecting Mac users.

Two Mac-oriented security companies, SecureMac and Intego, are reporting attacks targeting Mac users. They both seem to be legitimate.

The Social-Engineer Toolkit (SET) – Computer Based Social Engineering Tools | Darknet – The Darkside

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester’s arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

Here is a list of the attack vectors SET provides:

  • Spear-Phishing Attack Vector
  • Java Applet Attack Vector
  • Metasploit Browser Exploit Method
  • Credential Harvester Attack Method
  • Tabnabbing Attack Method
  • Man Left in the Middle Attack Method
  • Web Jacking Attack Method
  • Multi-Attack Web Vector
  • Infectious Media Generator
  • Teensy USB HID Attack Vector

Help to combat the Social Engineering Threat

If you are not familiar with www.social-engineer.org, I strongly recommend it as a great source of information regarding all aspects of social engineering. Why is this important? In their own words:

Social engineering is a real and dangerous threat to Corporate America. In the simplest of terms, social engineering is manipulating a target to take an action that may or may not be in their best interest. As companies devote more resources to technical security, technical attacks become more expensive. Social engineering is a popular alternative for cyber criminals interested in operating on the cheap. After all, these attackers seek the same high return on investment as business owners.

If you don’t believe that social engineering is a major issue, read an overview about the social engineering contest that was held this past August at Defcon 18 in Las Vegas.

One of the most alarming findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company. Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies. For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., employee satisfaction survey, helpless customer, recruitment agency interviewing a former employee who just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.

The full PDF version of the report is available for download from Social-Engineer.Org here.

Security awareness still a problem even in enterprise IT organizations

Via Network World,

Social engineering hackers — people who trick employees into doing and saying things that they shouldn’t — took their best shot at the Fortune 500 during a contest at Defcon Friday and showed how easy it is to get people to talk, if only you tell the right lie.

Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack, including what browser and version number they were using (the first two companies called Friday were using IE6), what software they use to open pdf documents, their operating system and service pack number, their mail client, the antivirus software they use, and even the name of their local wireless network.

Now I would understand the ease with which social engineering would work with non-IT workers. But this contest was focused on IT workers, who you would think are more security conscious. But I guess after the Robin Sage story, I am not surprised.

The Robin Sage saga – social engineering at its finest

The Robin Sage story broke in early July and I am late in getting to it. I was going to skip it, but it’s such a good story, I wanted to note it. The Dark Reading version is quite detailed.

The key though is straightforward – people accepted invitations from someone they did not know. It’s that simple. This is a type of “inside-out” social engineering attack vector which has become the primary method of cyber criminals. Why bother with the traditional “outside-in” attack on network device or endpoint software vulnerabilities when all you need to do is lure the victim to a malware-laden web page?

Running a Robin Sage type of “experiment” in your organization should be part of your security awareness training program.