Countering the new threats…

The SANS incident handling steps are:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

I’m going to talk about Preparation and Identification today. See, I enjoy the challenge of having a network and resources to protect. It’s funny to see how that translates into my non-work life: for example, I have always liked RTS-type games and often take a defensive posture by default. Called “turtling” in the gaming world, it’s more than likely to get you a loss, because most games I’ve played seem to favor the noob-friendly, kamikaze-aggressive style, or rushing. However, that just makes me enjoy defense even more; who wants to take the uneducated, inexperienced easy way out? In the real world, all-out, no-fear attack is not a legitimate infosec strategy, for obvious reasons.

First, it’s well documented how the “bad guys” have changed over the last two decades: from notoriety-seeking weekend hackers, to “hey, I can make money at this” full-time hackers, to organized criminal gangs. What I don’t hear enough about is the current migration from gangs to an underground criminal marketplace, and that is just plain frightening. Organized crime is dangerous and hard to stamp out, but it’s a threat that can be met with equal good-guy organization and cooperation, like when it took Eliot Ness and the federal government to stamp out the mobs and corruption of the ’30s. Complicated Bad can be fought with complicated Good: hard, but doable. But how do you fight a decentralized economy of goods/service providers with specialized skillsets, profiting off loose, dynamic and temporary connections to others? That is really hard to do. Now throw in the more recent fully state-sponsored agencies targeting small subsets of the internet (the Advanced Persistent Threat [APT] attacks on Google) and you’ll see why information security is so much in the news these days.

So here are some of my humble thoughts on how to counteract the new threats.


  • Organization
    • Like having to streamline and color-code your A/V cable connections, organization is a critical first step. To further the analogy: your stereo, TV, DVD and PS3 wires will still work in a rat’s nest, but troubleshooting and maintenance are a headache, and interference is more pronounced. Your network nodes need VLANs and subnets handed out and arranged in such a way that traffic can be categorized, for the same reasons as the stereo wires. This does not by itself provide security (i.e. reduce risk), but this preparation greatly enhances your ability in the identification and containment phases.
  • Network Segmentation
    • Once your LAN is organized (NOT an easy thing to retrofit; everything just works on VLAN 1, right? 🙂), you need to introduce the security (i.e. break things) by creating ACLs that actually limit traffic to the groups that need to talk to each other. This is where you get intimate knowledge of the network. The thing that makes modern malware possible is the communication between it and its target; if every computer were an air-gapped silo, you’d need sneakernet to infect them, and then it comes down to physical security, which I consider out of scope for this discussion. So in my mind the Achilles’ heel of today’s threats is their communication. After all, without physical access, hacking can really be boiled down to this:
      • Black hat sends code to get data
      • Data is sent back to him

      That “sending” of code/data is where we have to strike for identification. With the current state of enterprise LANs you just can’t stop infections/targeted attacks 100% of the time. While the relatively old-school blacklisting/reputation/signature-based techniques are still needed (AV, IPS, URL and spam filters, DNSBLs, etc.), I believe the future is in whitelisting inbound/outbound/internal traffic, in other words default deny. The biggest advantage defenders have is that you can say almost without a doubt that the malicious code will come in and/or go out through your front door (the internet connection). In other words, you already know where the majority of attacks will come from before you even start defending!


  • Network Visibility

    • Once you’ve limited your attack surface with whitelisting, filtering and segmentation, you need to monitor the traffic you do allow, because you can’t secure what you can’t see. That is why network intelligence, next-generation firewalls, log consolidation and correlation are all buzzwords these days: they let you see so you can secure. Principle-of-least-privilege FW controls alone are like boxing in the dark: you can only protect (block) so much and hope the hits don’t hurt. See, the bad guys have to use your LAN to transfer the data, sending code in and then sending ill-gotten data back to themselves. Yes, they have encryption, custom protocols, obfuscation and a seemingly infinite supply of bot-provided IPs/URLs, so they can be very good at camouflaging their traffic. This is why network visibility must include a record of your past, present and future traffic.

Because the one thing they can’t control is what happened BEFORE they got on your network. So if you can log, are able to data-mine, and then alert on what is outside the historic norm along with common attack vectors and unexpected traffic patterns, you bypass the bad guy’s disguising techniques above, and at the same time the things that make the usual signature-based detection so hard. You are looking at the behavior of the traffic, not diving into the data it contains. This is also where organization comes in: if I want to be alerted when any desktop client talks to a SQL server, or directly to a server’s iLO port (everyone’s using the jump box, right?), or to an internet server on port 25 (spambot) or 31337 (backdoor), or when the DMZ web server suddenly gets inbound traffic on port 21 (warez), how can I set that up if all IPs are in the same or random subnets? Individual alerts for every source and destination IP? Ouch, that doesn’t scale well. You need something like:

  • Desktop subnet:any to Server subnet:<chosen iLO port> alert
  • Desktop subnet:any to !RFC1918 subnet:25,31337 alert
  • Desktop subnet:any to SQL DB servers subnet:1433,1434 alert
  • !Your IPs:any to DMZ Server subnet:21 alert
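As an added example (my own code, not from the original post), here is how those subnet-level alert rules, the default-deny whitelist from the segmentation section, and a "historic norm" baseline can be expressed and run against flow records in Python. The subnets, the iLO port value and the flow log lines are constructed placeholders (assumptions), not the author's network; the point is that rules are written against subnets and port sets rather than individual IPs, and that new (source group, destination group, port) combinations can be flagged by comparing against what was seen before.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed subnets standing in for "Desktop subnet", "Server subnet" etc.
# These are assumptions for the example, not the post author's addressing plan.
DESKTOPS = ipaddress.ip_network("10.10.0.0/16")
SERVERS = ipaddress.ip_network("10.20.0.0/16")
SQL_SERVERS = ipaddress.ip_network("10.20.5.0/24")      # inside SERVERS
DMZ = ipaddress.ip_network("192.0.2.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUR_IPS = [DESKTOPS, SERVERS, DMZ]
ILO_PORT = 17988  # placeholder for "<chosen iLO port>"; pick the one your servers use


def in_any(ip, nets):
    return any(ip in n for n in nets)


# Rule = (name, src predicate, dst predicate, allowed/watched ports or None for any).
# Whitelist: anything not matched here is denied (default deny).
ALLOW = [
    ("desktops -> servers web", lambda s: s in DESKTOPS, lambda d: d in SERVERS, {80, 443}),
    ("servers -> sql", lambda s: s in SERVERS, lambda d: d in SQL_SERVERS, {1433}),
    ("desktops -> internet web", lambda s: s in DESKTOPS, lambda d: not in_any(d, RFC1918), {80, 443}),
    ("internet -> dmz web", lambda s: not in_any(s, OUR_IPS), lambda d: d in DMZ, {80, 443}),
]

# The four alert rules from the post, written against subnets instead of single IPs.
ALERTS = [
    ("desktop -> server iLO", lambda s: s in DESKTOPS, lambda d: d in SERVERS, {ILO_PORT}),
    ("desktop -> internet spambot/backdoor", lambda s: s in DESKTOPS, lambda d: not in_any(d, RFC1918), {25, 31337}),
    ("desktop -> SQL directly", lambda s: s in DESKTOPS, lambda d: d in SQL_SERVERS, {1433, 1434}),
    ("outside -> DMZ ftp", lambda s: not in_any(s, OUR_IPS), lambda d: d in DMZ, {21}),
]


def matches(rule, flow):
    _, src_ok, dst_ok, ports = rule
    return src_ok(flow.src) and dst_ok(flow.dst) and (ports is None or flow.dport in ports)


def evaluate(flow, allow=ALLOW, alerts=ALERTS):
    """Return (verdict, [alert names]) for one flow: whitelist verdict plus alerts fired."""
    verdict = "allow" if any(matches(r, flow) for r in allow) else "deny"
    fired = [r[0] for r in alerts if matches(r, flow)]
    return verdict, fired


def label(ip):
    """Map an address to its organizational group; most specific subnet first."""
    for name, net in (("desktops", DESKTOPS), ("sql", SQL_SERVERS), ("servers", SERVERS), ("dmz", DMZ)):
        if ip in net:
            return name
    return "rfc1918" if in_any(ip, RFC1918) else "internet"


def behaviour_key(flow):
    # Behaviour, not payload: which group talked to which group on which port.
    return (label(flow.src), label(flow.dst), flow.dport)


def baseline(flows):
    return {behaviour_key(f) for f in flows}


def novel(flows, base):
    """Flows whose (src group, dst group, port) was never seen in the historic baseline."""
    return [f for f in flows if behaviour_key(f) not in base]


def parse(line):
    # Constructed minimal flow-log format: "src dst dport proto".
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


# Constructed sample data: last month's "normal" flows, then today's flows.
HISTORIC = [parse(l) for l in """\
10.10.1.5 10.20.1.10 443 tcp
10.10.1.6 198.51.100.7 80 tcp
10.20.1.10 10.20.5.3 1433 tcp
203.0.113.9 192.0.2.20 443 tcp
""".splitlines()]

TODAY = [parse(l) for l in """\
10.10.1.5 10.20.1.10 443 tcp
10.10.2.9 10.20.5.3 1433 tcp
10.10.3.1 198.51.100.7 25 tcp
203.0.113.44 192.0.2.20 21 tcp
10.10.1.7 10.20.1.10 17988 tcp
""".splitlines()]


def report(flows=TODAY, base=None):
    """Per flow: (src, dst, dport, whitelist verdict, alerts fired, new-vs-baseline)."""
    base = baseline(HISTORIC) if base is None else base
    rows = []
    for f in flows:
        verdict, fired = evaluate(f)
        rows.append((str(f.src), str(f.dst), f.dport, verdict, fired, behaviour_key(f) not in base))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Only the first of today's flows is both whitelisted and previously seen; the other four are denied by the whitelist, each trips one of the subnet-level alerts, and each is also a group-to-group combination absent from the historic baseline, which is the "outside the historic norm" signal the post describes working even when the payload is encrypted or obfuscated.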

In summary, the steps above will take a strong stomach from upper management, committed and knowledgeable infosec professionals, and a change to the default enterprise network access model of filtered inbound but wide-open outbound and internal traffic. Clearly this level of security is not for all companies, as it will break things and cause many complaints from userland trying to go to non-work-related destinations. But I honestly believe such defensive models will become what is required to keep critical data safe: as the internet becomes ever more embedded in human society, it will increasingly be used as a vector to get the data the bad guys need. The sophistication of attacks is only going to get worse from here…

