Security Gets the Priority it Deserves

As nuggets of what was and was not done to protect information and systems at the OPM trickle out, it's worth revisiting the issue of just where security falls out when it comes to organizational priorities, and why.

They are not taking security seriously.

This is a common refrain from security practitioners when talking about, well, just about anyone not in security. Most often it is directed at managers and executives in the “business” or “operations” division in any given organization. You know: where money gets made and how people get paid. Whenever a security problem arises that would infringe on an operation’s ability to make money, the business executives put the kibosh on whatever fix would address the problem and "accept the risk."

In response, the security practitioner will try to present data to help bolster their case. Some examples they might use:

Consumers lost an average of $1,800 in Internet crimes and a total of $535 million overall, according to the Internet Crime Complaint Center's annual report...

...or...

In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.'s in a matter of hours.

Most executives are not scared by these kinds of statistics from a strictly business point of view. Why? Because getting robbed doesn't really impact the top-line; improving security definitely eats into the bottom-line.

Consider the massive ATM hack mentioned above. The money quote (no pun intended) is related to the amount that was stolen, but not in the way you think:

"The U.S. accounts for about a quarter of the world’s card spending but about half of the world’s card fraud. The odd $45 million here or there doesn't make much difference to the overall calculation,” says Dave Birch, a director at electronic transactions consulting firm Consult Hyperion.

It boils down to the lack of a business case that is based purely on security.

Getting robbed sucks, but getting robbed of the loose change in your sofa doesn't merit dropping thousands of dollars in a new home alarm system and a pair of highly trained Dobermans.

The bottom line is: security that isn't in sync with the core business is never going to garner respect or accomplish anything meaningful. If you want to spend the rest of your life as a digital janitor, cleaning up after other people exploit yesterday’s engineering messes, knock yourself out, just stop complaining about how not enough executive-level attention is being paid to the merits of Mr. Clean vs. Simple Green.

This is not a dig on janitors. Digital janitors in particular are not stupid, but their input relative to business goals often stands in opposition to what everyone else in the organization is trying to do. If, for example, I could increase the productivity of my sales force by allowing them admin privileges on their laptops and letting them install whatever productivity/time-management/scheduling/etc. software they were most effective with, I'm going to listen to the digital janitor and then accept the risk, because a more effective sales force drives all the metrics I care about from lower-left to upper-right; the digital janitor wants to do something that not only doesn't drive my metrics in the right direction, it costs me extra money to boot.

Now, if I had a business goal to cut costs and the actual janitor came to me and said, "Boss, I've got a way to keep the floors and carpets just as clean as they are now, but it'll take half the time to complete the job and cost a third as much as it used to," I'm going to listen to that man because he's credible (talking about his area of expertise) and he's making a meaningful contribution to the business as a whole. The more security practitioners start to think about how security can enable business, the more respect they are going to get and the more they are going to get done. If you have an old copy of @Stake's Secure Business Quarterly tucked away somewhere, this will sound familiar.

Fighting the power only works if you're a rap star: everyone else has to bow down to the gods of revenue and profit (or the governmental equivalent thereof). I don't doubt that the security practitioners at OPM were doing everything they could to keep their enterprise secure, but while security is one of OPM leadership's responsibilities, it's not a function of the Office, and consequently it was never going to be a top priority.

At least it wasn't...

A Cyber Service, or The Return of the Specialists?

A couple of reports talking about the need for a “Cyber Service” along the lines of the existing military services have come out recently. None of them seem to be aware of Rick Forno’s InfoCorps paper from 1998, back before everyone was slapping “cyber” in front of everything and calling it something new. The idea of a separate service to deal with problems digital is an attractive one, but I would not count on it happening in any meaningful time-frame for a couple of reasons.

C.R.E.A.M.

First, we have five services and each one is fighting for a finite amount of appropriations in order to operate. The shooting war ‘over there’ is largely over, so Congress is not letting the Pentagon print money in the basement anymore. Everyone can’t have everything they want, so instead of bombing the Taliban we’re back to sniping our sister services over cash. Adding a new service means throwing another player into the mix, one that would take away human AND financial resources from the others, which no existing service is going to take lying down.

Mission Creep

A given government agency might have dominance over a given mission or function, but that does not mean other agencies or military services stop doing that mission or performing that function. This is a famous and perennial battle in intelligence circles: ‘Those guys can’t be trusted to look after my interests or share with me, so I’m going to stand up my own duplicative capability, call it something else, and keep doing what I want.’ The probability that this would happen upon creation of a cyber service is 1.

Incident or Event?

We still can’t get the existing services to agree on all things cyber. This after nearly two decades of intensive interest in the subject matter and several decades more of knowledge about the problems, but willful ignorance of the potential impact. One service could establish and promulgate standard definitions, doctrine and standards…but not everyone has to toe the line.

On the Other Hand

The one good thing a cyber service could bring to the problem is a structure and culture that the current services cannot and will not provide. While all services are ostensibly a meritocracy, the best rifleman in the Corps can’t jump from Private to Gunnery Sergeant: he still has to wait till a sufficient amount of time has passed, and have the right cutting score, before he can get past Terminal Lance. That’s a situation no serious computer security practitioner I know would stand for.

You also can’t maintain the very perishable skills required of a digital warrior if every two or three years you have to rotate out of a cyber unit and head off to a tactical one where you spend more time on long, vigorous strolls through the woods than you would on keyboard, which is how most services operate today (supposed to make you well-rounded or something). A cyber service would have no need to rotate people and minimal PCS or deployment requirements (at last check we were still killing terrorists in Afghanistan via a facility in Nevada).

One thing the legacy services (in particular the Army) might do to abate calls for a separate service is to bring back “technical” ranks: denoted by a “T” in the rank insignia in the WW II era, and later distinct “specialist” ranks from the 50s through the mid-80s. Specialists were technical experts, and while they earned as much as their non-commissioned counterparts, no specialist of any grade outranked an NCO of a lesser grade, nor did they hold leadership positions. Absent additional reforms, Specialists would of course be “second class” in the eyes of hard-stripe soldiers, but cyber specialists wouldn’t care, and it would be a small, internal price to pay in order to avoid a full-on external political-financial battle over who leads the way in cyberspace.

How Do You Get Good At Incident Response?

The Verizon Data Breach Report has been saying it for years. The Forrester/Veracode report Planning for Failure reiterates the same points. It is only a matter of time before your company is breached. Odds are you won’t know about the breach for months, someone other than your security team is going to tell you about it, and the response to the breach is going to be expensive, disruptive, time-consuming and…less than optimal. If you’ve been breached before, or if you’re an enterprise of any size, it’s not like you don’t have an incident response plan, but as Mike Tyson famously said: “Everyone has a plan till they get hit in the mouth.” When is the last time you tested that plan? Is your plan 500 pages in a 3” three-ring dust-covered binder sitting on a shelf in the SOC? That’s not a plan, that’s praying.

Your ability to respond to breaches needs to be put into practice by sparring against partners who are peers or near-peers to the kinds of threat actors you face on a daily basis. How do you do that? By testing with realism:

Over long(er)-terms. Someone who wants what you have is not going to stop after a few days or even a few weeks. Adversaries whose efforts will accelerate by years because of stolen intellectual property don’t mind waiting months; adversaries who strategize over centuries don’t mind waiting years.

Goal-oriented. Serious threat actors attack you for a reason: they are going to get paid for your data. Efforts that don’t help them accomplish their goals are time and resources wasted. The vulnerability-of-the-month may do nothing to advance their agenda; they’re going to find a way in that no one on your staff even knows exists.

In the context of your environment. The best security training in the world is still contrived. Even the most sophisticated training lab is nothing like the systems your security team have to work with every day.

Contrast the above to your average pen-test, which is short, “noisy,” and limited in scope. Pen-tests need to be done, but recognize that for the most part pen-testing has become commoditized and increasingly vendors are competing on speed and price. Is that how you’re going to identify and assess potential risks? Lowest bidder?

If we’re breached I’ll call in outside experts.

As well you should, but what are you going to do while you wait for them to show up?

Even if you have a dedicated security team in your company, odds are that team is trained to “man the battlements” so-to-speak. They’re looking for known indicators of activity along known vectors; they’re not trained to fight off an enemy who has come in through a hole of their own making. It doesn’t make sense to keep a staff of IR specialists on the team; that’s an expensive prospect for even the most security-conscious organization. But it does make sense to train your people in basic techniques, just enough to prevent wholesale pillaging. More importantly, they need to practice those techniques so that they can do them on a moment’s notice, under fire.

Your enterprise is not a castle. There is no wall that you can build that will be high enough or thick enough to repel all attackers. If your definition of defensive success is “keep bad guys out” you are setting yourself and our people up for failure. The true measure of defensive success is the speed at which you detect, eject and mitigate the actions of your attackers. If you don’t have a corresponding plan to do that yourself – or to hold out long enough for the cavalry to come – and that plan is not regularly and realistically tested, you’re planning for victim-hood.

Cyber Security Politics: Imperial Nudity (part II)

(part I is here) Legacy futures distract us from thinking clearly about the reality of cyberspace, and hobble efforts to advance original thinking that could actually lead to superior outcomes. Not all old-think is irrelevant to the problems we currently face, but these are academic discussions until cyberspace takes the form and follows the function that would allow them to become practical. We have serious problems now with the cyberspace we have; devising strategies for a notional cyberspace isn’t helpful.

One could argue that cold war stratagems are good ones because they worked, but you’re working off of an awfully small data set and overlaying those constructs onto an entirely different world than the one that existed 50 years ago. For all the time and energy expended trying to counter the proliferation of nuclear weapons, the number of nuclear powers in the world has only gone up. Somehow though, the same approaches are supposed to work when the players and problems are far more numerous and vastly more complicated?

Cyberspace is a construct with physical underpinnings. As long as those underpinnings are resilient enough to withstand or recover from attacks in a timely fashion, an adversary can attack all day, every day, to little or no avail. Someone once said the “war on terror” should continue until terrorism was a nuisance, and so should it be for cyberspace as well. A safer cyberspace is less about security than about resilience. “Security” is a multi-billion-dollar market; resilience is…see that COOP binder collecting dust on the shelf? Yeah… It’s a shame, because of the two communities – security and resilience – the latter is achievable. Backups and redundancy in connectivity, in storage, etc., do more to neutralize cyber-threats than firewalls, intrusion detection systems, or anti-virus software.

A safer cyberspace also depends on addressing behavioral factors that enable threats. When BBS sysops ruled the roost, you complied with the rules or you were off-line. In our rush to watch dancing hamsters, participate in the worldwide garage sale, and speed access to nudity, being a good netizen didn’t just take a back seat, it was left in the garage. We lose billions in R&D and trade secrets that support national security, yet we still don't punish people for their digital sins the same way we would if they had committed a similar violation in meat-space. The adversary’s job is so much easier with a lackadaisical target set.

We should support wholeheartedly practical efforts to make cyberspace a better place for everyone around the world, but where are those practical efforts? I see thrust but no vector; movement but not necessarily forward motion. The lessons have been learned and the recommendations are clear; what stops us from acting in any meaningful way is the pain associated with the cure, which for now is worse than the disease. Until national leadership starts acting like they care as much about the ability of an adversary to run arbitrary code on a national security computer as they did nuclear fission occurring over CONUS, there will be no progress.

Cyber Security Politics: Imperial Nudity (Part I)

It is all well and good to talk about how efforts are being made to bring “norms” to conflict in cyberspace, but proponents continue to forget that cyberspace doesn't care about the Peace of Westphalia. Political-Military leadership that cut its teeth during the Cold War defaults to what it knows best and supposes we can secure the future if we look to the past. It is natural to try and frame new problems in familiar constructs, but the utility of such thinking ends in the classroom or salon: legacy futures will get us nowhere. Consider the recent revival of talk of cyber deterrence. The point of a strategic deterrence scheme is to make an attack unthinkable. “Unthinkable” means a lot more when the threat is atomic vice digital. Government and national interest systems are hacked regularly, yet for all the hullabaloo about the associated impact, life for most people soldiers on unaffected (something you could not say if we were talking nukes). In the short-term we have attribution in a meta sense, and justification to act in a correspondingly meta fashion. Not enough to justify a missile launch; not enough to spawn a Colin Powell-at-the-UN moment.

Let me know how that strongly worded demarche goes over.

The problem with traditional thinking around this topic is that we’re not dealing exclusively with governments, and therefore it cannot be politics as usual. Some of the largest and most powerful actors in cyberspace are publicly traded and/or focused on profitability, not geopolitical dominance. Hegemony (a/k/a “market penetration”) is certainly a part of their strategy, but to the extent that such organizations practice politics, it is to find out what buttons to push, skids to grease, and functionaries to pay off, in order to achieve permission to sell: nothing more, nothing less.

Secondly, governments do not have an exclusive corner on the creation and projection of power in cyberspace the way they do in the physical world. Your average person cannot raise an army. In cyberspace, an average person with little capital investment and no political standing can acquire the skills necessary to steal vast sums of money, deny people’s access to resources, inhibit a government’s ability to provide services to its citizens, and otherwise do things that only the most powerful entities in meat-space can perform.

Finally, whatever shortcomings past control, monitoring, or counter-proliferation regimes had in the physical world seem trivial when compared to the complexity if not outright impossibility of doing so in a digital context. Computer science is not nuclear physics; you cannot build an atomic bomb by reading books in the library and tinkering in your basement; you most certainly can build a digital weapon by doing so. By extension you cannot keep track of all the tools, resources, and individuals associated with a digital “weapons program.” In reality, everyone with a computer and the intellectual capacity to write computer code is the next Oppenheimer, every computer lab in every college or high school is a potential Los Alamos, every computer science or engineering textbook an ITAR-controlled item.

/* It is at this point when someone gets the bright idea of starting up a ‘Cyber Manhattan Project’ to help kick-start better defenses…to which I channel my inner Inigo Montoya and respond: “I don’t think you know what the Manhattan Project actually did.” */

Next Week: A More Productive Way Forward

No Accountability; No Peace (of Mind)?

Thanks to the ever vigilant Richard Bejtlich for pointing out Jeremiah Grossman’s slides on the idea of INFOSEC security guarantees. Reading them reminded me of a saying, the exact wording of which I forget now, but it is something along the lines of ‘some analogies being useful’ and others…not so much. Jeremiah does a good job explaining how guarantees can be a discriminator and how certain issues surrounding guarantees can be addressed, but there are a few factors that I think make this an untenable prospect:

Boots are not Computer Systems. A great American outdoor gear company has no problem issuing a 100% guarantee on their outdoor clothing because they have intimate knowledge and granular control over every aspect of a given garment; you cannot say the same for any random business and their IT infrastructure. Yes, CIO Alice knows Big Co. is running MS Windows; neither Alice, nor anyone that works for her, knows the Windows kernel like Bob the guy breaking into Big Co. does. Defenders talk in metaphors and envision their domain in terms of PowerPoint clip-art; attackers are living practicalities and breathing assembly.

Money Over Everything. You know another reason why the great American outdoor gear company doesn't mind issuing a 100% guarantee on their products? Margins. 1 boot out of 10,000 goes bad? Oh my, how ever will we afford this? Oh, right, those boots cost me $20 to make and $50 to ship and market…and retail for $200 a pair. I don’t know any security practitioners who are poor, but I also don’t know any whose money is so long they could survive more than one claim against their labors.

Compliance. How does victim Big Co. prove they’re compliant with the terms of the guarantee? Yes, we are awash in data these days, but do you have someone on staff who can effortlessly and instantly call that data up? What if your findings are disputed? Yes, if you can conduct an effective forensic investigation you might be able to pinpoint a failure…but who covers the cost of the investigation? What if, in trying to claim that $100,000 guarantee payout you have to spend $500,000 over six months?

Fine print. A guarantee isn't really useful to a customer if it is so heavily lawyered-up that it would be useless to file a claim. An example Richard points out in his post: if someone manages to overcome a defense via a sufficiently novel approach, the vendor isn't liable for that because it is not a ‘failure’ on their part. Yet a sufficiently resourceful and motivated attacker isn't going to break a window or kick in a door – where he knows the alarm system sensors are – he’s going to take a Sawzall to a wall and walk through the studs.

Competent practitioners can and should take pride in and stand by their work, but there are far more factors involved in “securing” a thing than can be identified, calculated and accounted for such that a guarantee would be both meaningful and valuable to both parties. Let’s be frank: nothing is coded to be secure; it is coded to be functional. Functionality and utility are what people are willing to pay for; security is what they are forced to pay for. Not the same thing.


“Cybering” things up won’t help

The other day a problem at a remote location caused a series of failures throughout parts of the power system that services much of the national capital region. Businesses, residences, federal agencies and even the White House were affected to one degree or another. The root cause of the problem is still under investigation, but signs currently point to this NOT being a “cyber” issue.

But of course all the news can talk about is “what if” this HAD been caused by a cyber-attack. My response – back to the radio, which doesn’t have ears – was “what would be the difference?”

Do the patients relying on life support in a hospital whose generator is about to run out of fuel care if they’re about to die because of a cyber-attack or a squirrel? Does the family that is totally unprepared for more than a few hours without electricity care if hackers or a backhoe are the cause of their woe?

The answer of course is “No.”

Tacking “cyber” in front of everything as a way to attract attention or extract funding has been all the rage over the last few years, but there is no indication that such a tactic actually works. There are no ROI figures for what the billions in CNCI funding got us, but if recent reports are any indication, the answer is ‘not much.’ Massive breaches continue, new laws get proposed (but never become law), and everyone keeps talking about “wake up calls” that are really just the world hitting the snooze button and hoping for the best.

We have real problems in the “cyber” community, and it doesn't help when people misuse and abuse the term or the issues in order to advance an agenda that should be able to stand on its own. The question is not ‘How should we protect the grid from a cyber-attack,’ it’s ‘How do we improve our resilience to power outages. Period.’ You’re not going to stop a cyber-attack, just like you can’t stop careless backhoe drivers or errant ship anchors from cutting cables or squirrels from blowing transformers. S*** happens. The difference between those who get splattered and those who don’t is preparedness.


Industrial Age Approaches: Still Not Working

Today comes the announcement of the new Cyber Threat Intelligence Integration Center. Its reported mission: sharing intelligence and coordinating responses to major attacks. If this sounds familiar it’s because we’ve done this before. It was called the NIPC and it was started in part because the U.S. had suffered a rash of major computer security incidents and inter-governmental coordination and response had been found lacking. NIPC was widening a trail blazed by InfraGard but because it was designed, built and staffed by bureaucrats (in the best possible use of the word) the promise of the idea never lived up to reality.

NIPC didn't last long. Originally housed and hosted by the FBI, it got punted to DHS and eventually devolved as other agencies amped up their own cyber security awareness and capabilities.

NIPC wasn't the only activity designed to try and improve the sharing of information and establish relationships to help deal with cyber threats. ISACs were formed about the same time as the NIPC. DOD-centric organizations have the DCISE. All of these efforts have a couple of things in common that preclude their being runaway successes:

  • Bureaucracy. This is the government. It can’t be helped. But guess who doesn't operate like a bureaucracy? The bad guys.
  • Borrowed Labor. Any “community” activity has to be staffed by people from elsewhere. People from places with their own agendas.
  • Competing Mindsets. Spooks are going to want to wait and watch; cops are going to want to collect and prosecute. Industry – if they will even be allowed to participate in any meaningful way – just wants the pain to stop. What do we do? Whatever the person in the room with the most political juice that day says to do.
  • It’s an Intelligence Activity. CTIIC is an ODNI baby. In case you haven’t been paying attention, U.S. intelligence agencies are not exactly high on everyone’s trust list (fair judgement or not). You know what intelligence activities don’t do very well? Share. They never have and, press releases notwithstanding, they never will. They’re intelligence agencies. That's not an indictment, simply a statement of fact.

I am eternally optimistic, but there is nothing to indicate that CTIIC is going to have any less dismal an end than NIPC. What could improve our national awareness of and response to digital threats?

  • Non-governmental leadership. You can point to attacks against governmental agencies, but the main victims here are in the private sector. The Air Force doesn't make F-35s; the Army doesn't make M1 tanks. Far more of this nation’s treasure has been lost to various adversaries over .com than .mil or .gov.
  • A non-threatening home. Commerce, for example. An FFRDC if you must. As long as it is an intelligence activity it will always be viewed with suspicion (merited or not) and it will always do anything but share.
  • Light-weight. We’re talking about data. Data that should be as accessible to as many people as possible as quickly as possible. Data goes in - validate, deconflict, anonymize, format - data goes out. There should be far more CPUs than humans in this activity. Like, in ratios you find in data centers.
  • Unclassified. If not, what’s the point? Only companies with a representative who can pass a poly are worth talking to? No one is attacked in isolation. Attackers share, beg, borrow and steal code, tactics, techniques and procedures. They don’t have classification because it would impede their ability to kick our ***es. If you’re not sharing with entire markets, with the full vertical, you’re basically the “cyber” equivalent of an anti-Vaxxer, and promoting all the evils that will befall the community through your actions.
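The “data goes in - validate, deconflict, anonymize, format - data goes out” shape of the activity described above, as an added example that is not code from the original post or from any organization it names: a small pipeline that checks indicator syntax, merges duplicate reports of the same indicator, strips anything that identifies the reporting organization (keeping only a count of reporters) and emits one uniform record format. The member organizations, indicators, dates and field names are constructed for illustration.

```python
"""'Data goes in - validate, deconflict, anonymize, format - data goes out.'
Added example of such a sharing pipeline; the member organisations,
indicators and field names are constructed for illustration."""
import ipaddress
import json
import re
from datetime import datetime

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
PRIVATE_FIELDS = ("source_org", "analyst")   # these never leave the pipeline

# Constructed submissions from three hypothetical member organisations.
SUBMISSIONS = [
    {"source_org": "acme-bank", "type": "ipv4", "value": "198.51.100.23",
     "first_seen": "2014-01-10", "analyst": "jdoe"},
    {"source_org": "widgetco", "type": "ipv4", "value": "198.51.100.23",
     "first_seen": "2014-01-08", "analyst": "asmith"},
    {"source_org": "widgetco", "type": "sha256", "first_seen": "2014-01-09",
     "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"source_org": "acme-bank", "type": "domain", "value": "Bad-Example.test.",
     "first_seen": "2014-01-11"},
    {"source_org": "initech", "type": "ipv4", "value": "999.1.1.1",
     "first_seen": "2014-01-12"},                       # malformed, rejected
    {"source_org": "initech", "type": "domain", "value": "bad-example.test",
     "first_seen": "2014-01-07", "analyst": "x"},
]


def validate(rec):
    """Check syntax per indicator type; return (ok, normalised value).
    Normalising case and trailing dots makes true duplicates collide later."""
    t, v = rec.get("type"), str(rec.get("value", "")).strip()
    try:
        datetime.strptime(rec.get("first_seen", ""), "%Y-%m-%d")
    except ValueError:
        return False, v
    if t == "ipv4":
        try:
            return True, str(ipaddress.IPv4Address(v))
        except ValueError:
            return False, v
    if t == "sha256":
        v = v.lower()
        return bool(SHA256_RE.match(v)), v
    if t == "domain":
        v = v.lower().rstrip(".")
        return bool(DOMAIN_RE.match(v)), v
    return False, v


def deconflict(records):
    """Merge reports of the same indicator: earliest sighting wins, and the
    reporting orgs are remembered only long enough to count them."""
    merged = {}
    for rec in records:
        key = (rec["type"], rec["value"])
        cur = merged.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                      "first_seen": rec["first_seen"], "_orgs": set()})
        cur["first_seen"] = min(cur["first_seen"], rec["first_seen"])  # ISO dates sort as text
        cur["_orgs"].add(rec.get("source_org", "unknown"))
    return list(merged.values())


def anonymize(rec):
    """Strip anything that identifies a reporter; keep only how many reported."""
    out = {k: v for k, v in rec.items()
           if k not in PRIVATE_FIELDS and not k.startswith("_")}
    out["reporters"] = len(rec["_orgs"])
    return out


def format_out(records):
    """One JSON object per line, stable key and record order, for consumers."""
    ordered = sorted(records, key=lambda r: (r["type"], r["value"]))
    return "\n".join(json.dumps(r, sort_keys=True) for r in ordered)


def run_pipeline(submissions):
    """Return (formatted text, shareable records, rejected submissions)."""
    valid, rejected = [], []
    for rec in submissions:
        ok, value = validate(rec)
        if ok:
            valid.append({**rec, "value": value})
        else:
            rejected.append(rec)
    shared = [anonymize(r) for r in deconflict(valid)]
    return format_out(shared), shared, rejected


if __name__ == "__main__":
    text, _, dropped = run_pipeline(SUBMISSIONS)
    print(text)
    print(f"rejected: {len(dropped)}")
```

The reporter count survives anonymization on purpose: a consumer can weigh an indicator seen by two members differently from one seen by a single member without learning who either member is. Rejected records are returned rather than silently dropped so the submitting side can be told why.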

You keep using that word…

For those of you who have never read the book or seen the movie The Princess Bride, the meaning behind the title can be found here (go ahead, we’ll wait). I use that phrase in reference to all the times people use the word “sophisticated” to describe a hack (or malware), or to be more precise, how hackers breached the defenses of an unfortunate victim. To paraphrase Voltaire: this would be a much more useful conversation if we agreed on what all the words meant.

From a technology perspective, sophisticated is generally meant to mean advanced or complex. As generally used in cybercrime reporting, “sophisticated” is what people say when they are either trying to cover up shoddy performance or trying to justify an outrageous invoice. That sounds a little harsh, but the truth will out, and the hyperbole of first reporting is almost always tempered once all the facts are available (nothing makes me happier than to have my cynicism proved wrong).

This is not to say that there are no sophisticated hacks. If you’re trying to destroy some large, intricate, well-protected, non-commodity-based system that cannot be accessed in a trivial manner, then you indeed have to come up with something advanced – novel even – in order to succeed. But if in the aftermath of an event it comes to light that system defenders didn’t take the most fundamental precautions against attack – as is almost overwhelmingly the case – “sophisticated” is just a smokescreen.

Most hacks are neither advanced nor complex. Iterations of the age-old? Variations on a theme? Certainly. Sophisticated? Maybe if you’re being extremely liberal with your definitions. Tedious and uninteresting as this issue may be for technical practitioners, it's important if we're ever going to hope to make headway in this business. When your words mean whatever you want them to mean at any given moment, how can you ever hope to advance your cause? How do you expect to be taken seriously by the very serious people who make the life or death decisions in this country? Big boost in cybersecurity spending coming? Sure, because we're not shooting at people, which is what very serious people concern themselves with above all else (then taxes, health care, etc., etc.).

Anthem is a victim. We should do everything we can to provide them with as much help and sound advice as we can muster. But if there is one over-arching favor you can do for your customers, your profession, and 'netizens as a whole, it's to establish a widely-accepted and accessible lexicon and not to misuse or abuse it.

Ransomware: The Future is Here

Since the emergence of CryptoLocker we have been helping victims of various forms of ransomware, sometimes with services, mostly just with advice. It was opined at the time that ransomware was the future of malware, and that seems to have come true. And why not? Done properly and by “professionals,” ransomware is lucrative for the perpetrators, and while not painless for the victims, not fatal to their data if they react in time. While not all ransomware is created equal, if bad things are going to happen to good people, you could do worse than be hit with something like Cryptowall.

Unfortunately, bad-news and slightly-less-bad-news is not a scenario people like to deal with.

“You’re computer security experts, can’t you fix this?”

In the immortal words of Star Trek's Dr. McCoy: We’re doctors, not miracle workers.

“How can you advocate paying the ransom? That’s just encouraging bad behavior!”

That’s a refrain uttered by people sitting on a high horse whose livelihoods are not in jeopardy. On the scale of distasteful things, paying a ransom for your business-critical files is not exactly negotiating with terrorists. You have to make a business decision. An un-emotional, cold, calculated business decision. The ransom is the cheapest way to get your data back – and the cheapest lesson you can learn about the importance of a good backup scheme.

Having said that, paying the ransom is not the ONLY way to get your data back IF and ONLY IF the ransomware didn't fully or properly execute. In that case there is a slim hope, and just how much hope is something that can be determined in a few hours (anyone telling you it’ll take longer likely has a boat payment due). Again though: it will cost more than paying the ransom, and what is recovered might be a fraction of what actually is lost.

I don’t like telling people to give in to data-nappers, but this isn't a kidnapping like the movies or TV. The FBI is not going to rush to your house and set up a wiretap and stake out the ransom drop-off point. I’m sure the FBI is working to catch the people behind various forms of ransomware, but they’re working in a fashion and at a scale that is beyond any individual victim. You are not without options, but this is a hard call you have to make yourself.

Welcome to the future.

Clarity on CryptoLocker

CryptoLocker has climbed up the news cycle attention ladder thanks to the recent announcement that you could decrypt your encrypted files for free. Just to make sure folks are clear on what is going on and what is possible:

  1. The free service provided by Fox-IT and FireEye uses the code we produced and placed on GitHub. Thanks to Fox-IT for giving credit where it is due;
  2. To decrypt your files you need a key. If you paid your ransom and got your key before the Feds took CryptoLocker down you don’t need anything more. Read the README file and you should be good to go;
  3. If you don’t have a key (or are not that technically savvy) and FireEye/Fox-IT have it, you can use their service to decrypt your files at no charge.

Unfortunately we are not in a position to decrypt your files for you. You get the same effect by using this new service since it’s our code running under the hood.

Props to all involved for helping a whole lot of innocent victims.

Professionalizing Security? Let’s Start with A Better Internet.

A new report came out recently that argues for the professionalization of computer security practitioners. I haven’t checked my calendar lately, but if you’ve been in this business long enough you know you can expect to hear this refrain about every two years. Never mind the existence of organizations like ISC2 and SANS (and others), which test and certify practitioners of varying skill levels and areas of expertise; what the world needs now is honest-to-goodness professionals – such as exist in Engineering – to keep us safe. Let’s pretend for a moment that the government(s) would actually back such an idea: how does that actually improve online security? It’s a great deal for certification companies and whatever outfit wins the contract to set up the security version of SEI, but how precisely does this proposal make things better?

Forget about any new/future technologies and think about the Internet as it is for a moment. For all the fiber optics and pretty LED-lit boxes that inhabit the data centers of the world, the ‘Net and everything that rides on it is basically held together with duct tape and baling twine. You don’t have to be a “professional” programmer to write an app, strike a chord, and make a billion dollars. Any random Joe or Jane can literally connect any ‘thing’ to the Internet by meeting the most minimal of requirements, get a metric ton of people to use it, and then watch the train wreck as the simplest thing brings it all crashing down. As soon as the smoke clears the first thing people will start screaming is: “we need better security to stop this from happening again!”

Yeah, that’s not a security problem.

The vast majority of Internet “security” problems are divided between engineering decisions from the 60s not jibing with the desires and demands of the present day, and poor coding practices. You can talk about the sophistication and heavy thinking required to design and implement a secure system all you want, but most work in this field is janitorial in nature: cleaning up the mess the founding fathers left us.

To be fair, it’s not the founders’ fault we’re in this situation. The ‘Net at its founding and what it is today are two wildly different things. Every year we just kept layering new things on top of a resilient-yet-brittle structure, and when things break we point our fingers at the bad guys. Fair enough, as evil-doers deserve punishment, but by the same token we have to take responsibility for our risky behavior/environment. I mean, notice how the OWASP Top 10 changes so radically from year to year…

…Exactly.

This is not to say that we should not constantly be looking at ways to improve and mature our field of endeavor, but let’s start to focus more attention on the meat of the problems we’re dealing with before we start thinking about having pudding. “Professionalizing” coders? That’s likely to go over like a lead zeppelin for obvious reasons, but some kind of “UL” for the ‘Net to bless what anyone puts together is not an unreasonable approach.

Cryptolocker Revisited

We appreciate the massive positive response we've received related to our Cryptolocker posts and work, but with our commercial focus shifting entirely to our Red Canary work, we have to get out of the Cryptolocker-assistance business. Our decryption program will remain on our GitHub repository so if you would like to avoid the insult of having to use the hacker's own tool to decrypt your files once the injury of having to pay the ransom is over, feel free.

Why you can’t hire your way out of your cyber security problem

Richard Stiennon wrote in Forbes the other day that the solution to the problem of not enough cyber security talent isn’t more STEM education; it’s the teaching of tools and very specific skills. If you’re an advocate for channeling more students into computer science or engineering programs, then that’s going to sound pretty anti-intellectual to you; if you think Richard is calling for the return of vo-tech you’re absolutely right. /* If you’re of a certain age you probably don’t know what vo(cational)-tech(nical) school is. It’s where people who were interested in building and fixing stuff went to school before society told them that if they didn’t go to college they were losers. Having recently paid a plumber $150 just to cross the threshold of my house I question how accurate those claims are. The fancy word for vo-tech kids today is “maker.” */

Now there are a lot of ways to find a job in the computer security field, college being one of them, certification-mills another. A vo-tech model for ramping up the headcount of computer security talent is a good idea; plenty of tool use so you’re productive on day-one; enough “education” to make sure you understand what is going on when you push buttons.

Success for such a model is going to depend in large part on the ability of those who need such talent getting their heads right about requirements and then acting accordingly. This means hiring for security like you hire for other parts of your business (and paying accordingly). When you’re looking for an accounts receivable technician you don’t advertise for a CPA. The accounting unit in a business of any size is pretty substantial, with the most experienced and educated people at the top, generalists managing in the middle, and specialists operating at the bottom. If you tried to build a security unit of that size with your current job requirements it would be the most expensive and highly skilled bunch of people in the company; and it would churn like a maelstrom (ninjas bore easily).

Building a security unit that is staffed and compensated along more traditional blue- and white-collar lines wouldn’t be nearly as expensive as a unit of “ninjas” but it would take a pretty radical organization to adopt such a course of action and there is no guarantee that it would be able to defend itself online in a superior fashion.

At the risk of coming dangerously close to mis-quoting an ancient Asian military strategist, let me just say that if all things physical and technical are equal in a conflict, the day will go to the smarter general. The problem is you’re not in the digital warfighting business; you’re in the widget business. You need access to the best and most diverse widget-talent you can find just to be competitive; adding computer security to the mix doesn’t improve the bottom line and you’d lose the vast majority of your battles.

Red Canary - Improving Threat Detection

Several years ago, when we were still very much a start-up, we sent three of our team (of five) to conduct an incident response for a much larger company. Two of the team members had done incident response before; the third was more the kind of guy who caused incidents rather than responded to them. When we did an internal after-action report of the IR, our offense-minded colleague pointed out that a lot of the work associated with 'generally accepted IR principles' was unnecessary if you had the ability to log execution on a host. This was not a novel discovery - others had toyed with the idea around the same time - but as recent events have illustrated, we were the most successful of the bunch.

That idea - Carbon Black - is now installed on hosts all around the world, but wherever Cb is operating the refrain from system owners is the same: "Carbon Black produces the best data I have ever seen, but I don't have the resources to deal with it all." The idea that Cb would disrupt incident-response-as-usual was not going to come to fruition if we could not provide a governor to the power we had developed. Turning the old proverb on its head: we provided people with a boatload of fish when what they really needed was an order of sushi.

On a more granular level the problem is not just being able to know something bad has happened faster and with more fidelity than ever before, but to accelerate from threat detection to remediation. You've read the Verizon Data Breach Investigations Report. You know that year after year the conclusion is the same: most people go for months without realizing they've been hacked. When they find out, it's usually because someone else tells them.

Red Canary is our answer to these problems.
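What “the ability to log execution on a host” buys a responder, as an added example that is not Carbon Black’s or Red Canary’s code and does not use their data format: a detection pass over per-process execution records that resolves each process’s ancestry and flags two common patterns (a document editor starting a command interpreter, and a binary running from a user-writable directory). The event schema, sample events, host name, user and rule names are all constructed for illustration.

```python
"""Detection over per-process execution logs. Added example: the event
schema, the sample events and the rules are constructed for illustration
and are not Carbon Black's or Red Canary's."""

# Constructed events: one record per process start on a host, as a sensor
# that logs every execution might emit them (field names are assumptions).
EVENTS = [
    {"ts": "2014-02-03T09:14:02", "host": "ws-017", "pid": 4120, "ppid": 3988,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "user": "jdoe"},
    {"ts": "2014-02-03T09:14:31", "host": "ws-017", "pid": 4211, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "user": "jdoe"},
    {"ts": "2014-02-03T09:14:33", "host": "ws-017", "pid": 4230, "ppid": 4211,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "user": "jdoe"},
    {"ts": "2014-02-03T09:20:00", "host": "ws-017", "pid": 4300, "ppid": 3988,
     "image": r"C:\Windows\System32\notepad.exe", "user": "jdoe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Directory fragments (lower-case, compared against the lower-cased path).
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public", r"\windows\temp")


def basename(path):
    """Executable file name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, limit=16):
    """Process chain root..event as image names, following ppid links the
    log can resolve. 'limit' and 'seen' guard against pid reuse loops."""
    chain, cur, seen = [], event, set()
    while cur is not None and len(chain) < limit:
        key = (cur["host"], cur["pid"])
        if key in seen:
            break
        seen.add(key)
        chain.append(basename(cur["image"]))
        cur = by_pid.get((cur["host"], cur["ppid"]))
    return list(reversed(chain))


def detect(events):
    """Return alerts in event order; each carries the full ancestry so the
    responder sees how the process came to run, not just that it ran."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get((e["host"], e["ppid"]))
        parent_name = basename(parent["image"]) if parent else ""
        fired = []
        if parent_name in OFFICE_APPS and name in INTERPRETERS:
            fired.append("office-app-spawned-interpreter")
        if any(d in e["image"].lower() for d in USER_WRITABLE):
            fired.append("exec-from-user-writable-dir")
        for rule in fired:
            alerts.append({"rule": rule, "ts": e["ts"], "host": e["host"],
                           "pid": e["pid"], "chain": ancestry(e, by_pid)})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["ts"], a["host"], a["rule"], " -> ".join(a["chain"]))
```

The point of carrying the chain on every alert is the one made above: with execution logged, the “what ran this, and what did it run?” questions that make up much of a traditional IR timeline are a dictionary lookup rather than a disk-forensics exercise, which is what lets detection run close to remediation instead of months ahead of it.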

Carbon Black - Bit9 Merger

It has been a long, hard road traveled to get to this point. From a rare insight gleaned from an otherwise "ordinary" incident response, through the full life-cycle of prototyping, developing, marketing, selling, spinning off, capitalizing and finally merging. We could not be happier for everyone at what was our sister company in Carbon Black, or prouder for our fellow Kyrus co-founder Mike Viscuso and Kyrus's first employee Ben Johnson. https://www.bit9.com/company/news/press-releases/2-13-14-bit9-carbon-black-merge-deliver-unmatched-level-prevention-detection-response-cyber-threats/

Computer Security in the Age of CryptoLocker

It’s that time of year again, when everyone comes out with their “best/worst” lists and predictions for the next year. These are usually fairly optimistic affairs because you can’t be in this business for any length of time and not retain some semblance of optimism (even if every moment of your workaday life has left you filled with cynicism).

Holding true to form however, I’m not going to leave you in a happy place this year.

Let’s face it: computer security, like war, is a bit of a racket. For all of the good intentions that exist amongst us, in the end nearly every decision made is a business decision. This is true both from the perspective of solution providers, who are all angling for that massive “enterprise” sale, as well as potential customers, who have been known to make buying decisions based on the hack-of-the-month. But what happens to that decision-making calculus when the victim of a hack can be made whole again for a fraction of the cost of an incident response? In the age of CryptoLocker, how soon before the computer security industry collapses because crime not only pays, but being a victim of crime makes more economic sense than spending for security?

Think about this for a minute: If I am a victim of CryptoLocker and if I act now, I can pay $300 to undo the mistake of clicking on a dodgy email attachment, and no one would be the wiser. $300 is about what a well-qualified computer forensics or incident response practitioner is going to charge – if you’re lucky – for one hour of their time.

…and as a reminder: no amount of forensics knowledge or skill will get you out of a CryptoLocker jam.

This last point is important. Our own experience dealing with CryptoLocker cases over the past few months drives it home: the genius behind CryptoLocker is that it is – whether intentionally designed that way or not – the best lesson in computer security economics ever.

Unfortunately, victims are not learning the lesson. Too many of them refuse to pay the ransom. Usually it is based on moral grounds, but absent current backups from which to restore your data, paying the ransom is your only option. I know of cases where people would rather let their businesses flirt with failure, or surrender supposedly “priceless” memories in the form of family pictures, rather than part with $300.

Think about the computer security industry today. What are some of the major themes it is promulgating?

  • “increase attacker costs”
  • “Active Defense”
  • “Find evil”
  • “Assumption of breach”

How are computer criminals responding?

For starters, committing computer crime is always going to be cheaper than fighting it. The bad guys cooperate. They don’t care about jurisdictions or inter-agency politics. They appreciate and understand the value of time and money. I have no idea how much it cost to develop CryptoLocker, but I think it is safe to say that the people behind it have probably made several orders of magnitude more than their initial investment.

Find evil? Every year the Verizon data breach report drives home the point that people are indeed finding evil…months after it's landed.

Active Defense is not a bad idea, but who knows an organization – outside of the government - that actually wants to derive maximum value from an investment in Active Defense? If you’re going for attribution the end-goal should be some kind of legal or economic or political action. I’ve never dealt with a commercial concern that wanted to exercise that level of effort. They want the pain to stop, not to go to court.

Assumption of breach is probably the only thing that defenders are saying that makes sense, but what is being done about it? Back to the Verizon report: people aren’t just owned, they’re constantly owned. Our own experience supports Verizon’s findings, but customers keep making the same procurement decisions and vendors keep making the same “solutions.”

Here is the real problem going forward: what happens when the computer criminals decide to adopt the CryptoLocker model for all their activities? What am I talking about? I’m sure if we spent five minutes together we could come up with some better ideas, but here is what came off the top of my head:

  • Wikiware. CryptoLocker in reverse. Pay me a minimal amount of money in a given time-frame or I’ll publish your sensitive or proprietary files online for everyone to see. Same problem as CryptoLocker: cops can’t help you, incident responders can’t help you, forensics can’t help you. Maybe it won’t be so bad because, you know, you can count on the good will and sense of fair play in your competitors…right?
  • Creeperware. You’ve got selfies, you’ve got an…interesting…browser history, you’ve got a fetish (nothing wrong with that, you’re an adult). How much are you willing to pay to keep that out of the hands of your family? Friends? Employer?
  • Mobware. Live in a country or community that frowns upon certain types of behavior? Pay me or I’ll make sure the pitchfork brigade is at your door. Complicit in some kind of action that I find offensive or think you've gotten away with a crime? I’m going to go Steubenville on your ***.

In each of these cases the victim is faced with the same dilemma CryptoLocker victims face today, and again, no amount of security after-the-fact will help save the day.

What, if anything is going to save us from the future this ghost of computer security past has revealed?

The one thing we all know we can count on is legislation. Legislation to combat computer crime isn’t going away, but it’s going to become increasingly useless in a practical sense. The CFAA is a pretty blunt instrument, or at least it’s used that way today. But any attempt to refine it or come up with a more granular approach is going to run straight up against the legal version of Moore’s Law, which is to say by the time a new, well-crafted bill against CryptoLocker-like activity becomes law, CryptoLocker activity will become obsolete. But legislation is something we know how to do, so it’s what we do, rather than come up with something else.

As long as insurance companies are going to write data breach policies, there will always be a demand for some level of security. But breach policies will be a lot more like health insurance policies: we’ll write you a policy if you’re old, fat, smoke, drink too much, and skydive five days a week and swim with sharks on the weekends…but we won’t offer much coverage and it will be expensive. As long as that price is less than a SOC-worth of hardware and a platoon of people with a lot of letters after their name, people will pay it.

Perhaps the more important question is: do we deserve to be saved? Are you doing anything novel? Are you doing anything different? Or are you doing things ‘the way they’ve always been done’ or because ‘that’s policy?’ Some of you don’t have much of a choice: you’re law enforcement officers and you have a protocol you have to follow or you’re not doing your job. Nothing wrong with that except that crime fighting is radically outpaced by actual crime.

To the extent that we’re a community, we need to think about developing and promulgating some new, sound ways of doing things if we’re going to remain relevant:

  • Work at scale. In the U.S. we have the Marshals Service, which hunts fugitives. A lot of large police departments also have a fugitive squad. Normally they hunt people down one at a time, but every once in a while they hold a “stupid criminal contest” whereby they send a letter to the last known address of all the fugitives in their database telling them that they won a prize and come down to (innocuous office that is clearly not a police station) to collect. Of course the police are waiting behind closed doors because, surprisingly enough, some fugitives are dumb enough to show up. The digital world analog is botnet takedowns, which Microsoft and others have done. We need to do more at or near the same scale as the bad guys. That’s the only way you have any hope of raising attacker costs.
  • Restoration, not Conviction. Most victims of computer crime don’t want to prosecute. They don’t want to involve Law Enforcement because cops get points for arrests and prosecutions; businesses get points for making money. I’m not saying one is better than the other, I’m saying tactics, techniques and procedures (and tools) need to start reflecting that reality. If you’re a cop and you have to be involved in a case and it has to be worked a certain way then by all means do your thing, but everyone else: are you really doing right by your customers if you are driving them towards a LE-approach when all they want you to do is to make the pain go away and get back to business? That may mean less revenue for you, but are you about security or are you about money? Which leads me to my last point…
  • Retire a problem. You've heard the phrase: “if you’re so smart how come you’re not rich?” Well I have a variation on that phrase: “if you’re such an expert how come you haven’t solved something?” Now not every computer security problem can be solved, but there are problems that can be minimized or trivialized. Even if you could outright “solve” a computer security problem, what then? It's not like we're going to run out of them. There is nothing wrong with making a living, but there is also no shortage of opportunity as long as you don’t mind killing one cash cow in order to milk another.

Happy New Year everyone. ;-)

Carbon Black Training Pilot

What: Carbon Black training (pilot)
When: January 27-29, 2014
Where: Sterling, VA

In conjunction with our partners at Carbon Black, we will be hosting the first ever Cb training course. This is a pilot course that will cover Cb 4.0 soup to nuts. Additional details about the course are in the flyer (Cb Training Pilot).

Because this is a pilot offering the course has been heavily discounted. At this point your input post-training is more valuable to us than profit. Should one of your colleagues wish to take the "production" version of the course once it is offered, we'll be happy to extend a discount off of the regular price as a way to thank you and your organization for your support.

To register please follow the instructions in the flyer (Cb Training Pilot).