Adding two more items.
- Learn how to detect snake oil & terrible products
- The IT security industry is full of companies that sell snake oil and products of poor quality. They come and go, and they are usually built around genuinely brilliant (in fairness) ideas that help them milk companies while not really adding much value.
- How do you recognize snake oil products and poor-quality software?
- First, read these 3 articles:
- Seriously, read them.
- Reflect on your budget spending in year 2015.
- Recognize the signs of snake oil and spectacular software failures:
- The company's offering is not politically neutral (see my point below).
- Long-term deals.
- Long-term deployments, e.g. one that requires 12-24 months (are you kidding me? an IR product should be deployable in one quarter, max).
- Software components (especially agents) are bloated and use 'heavy' runtimes, e.g. .NET, Java, Lua, Python / py2exe (this thing must run on the systems people use for work, and on servers, alongside the agents you already have there; you can only accept lightweight agents).
- The user interface of the product – this is very often the first sign that the product is terrible:
- Uses Flash or Silverlight (it may look cool, but try to copy & paste, or work with the web forms).
- Uses Java applets or ActiveX controls (c'mon, it's 2014).
- Uses its own implementation of GUI widgets – it is very hard to develop a properly working widget (i.e. one that is not natively available from the OS/browser), and anyone shipping proprietary widgets will most likely be busier fixing bugs in them than working on the core functionality.
- Anything that intercepts the default behaviour of the UI, e.g. context menus in the browser.
- See how it handles large amounts of data and how long it takes to render pages.
- Is the UI intuitive? If the UI doesn't support your workflow, ditch the product, or incident handlers will struggle.
- Network traffic generated by software components – this can be quite amusing; if you see anything in plain text, drop the vendor; it's 2014, and if they don't use encryption (HTTPS/TLS) they are not serious. While you have the capture open, also check that the agent actually validates the server certificate: HTTPS with certificate checks disabled is plain text with extra steps.
- Documentation is a very good giveaway of the vendor's attention to detail:
- Check the metadata of PDFs and docs to see when they were last updated.
- Check the language used. Is it written by a professional technical writer, or does it look like a README on GitHub (no offense, README writers :))? Mind you, if you are paying gazillions of bucks for a product, you have a justified expectation with regard to documentation.
- No direct access to the databases (they will talk about APIs, but direct access to the DB, even read-only, gives you the ultimate power to extract data the way you want).
- Endorsements. Testimonials. Generally people are nice, and no one will ever tell you that a certain product is terrible. This should change – be honest – if someone asks you whether the product delivers, tell them the truth. Perhaps there is a need for a Glassdoor-like website for security products.
- In general, anything that sounds too good to be true.
- Do not hack back.
- It's stupid, most likely illegal, and you are asking for more trouble (you have a lot to lose, while the bad guys will destroy you just for fun; ref.: HBGary, Sony).
As we approach 2015 I put together a wishlist for the IR world. I am sick today, so I ended up with some time on my hands, and it all turned into a lot of babbling, but well, if you don't like it simply blame it on my cold and move on before it's too late :). In any case, it's my subjective take on what can be improved here; it may not be too constructive, but either way – here it goes…
- Rename your team from "Incident Response Team" to "Incident Discovery and Response Team".
- Ask your bosses to minimize your involvement in all the corporate b/s.
- Ask your bosses to give you authority to access all systems.
- Ask your bosses to send you to memory analysis/Volatility training, SANS courses, CISSP. To do your job right you need decent knowledge of digital forensics, malware analysis, pentesting, programming and databases, and knowledge of the threat landscape. You must also understand the 'big picture' and the business angle. Last, but not least, you should also like memes and cats.
- Start hunting for hackers on your network full-time.
- Triage as many systems as you can, on a regular basis. Use clustering, data stacking, least frequency of occurrence (LFO), and accessible known whitelists and blacklists to sift through data from many systems at once.
- Engage forensics and leverage direct access to systems to:
- Discover malicious agents.
- Discover and analyze the actual data present on the systems – this is what will be stolen or exposed WHEN these boxes get popped:
- e.g. retrieve the $MFT and scan file names for low-hanging fruit, e.g. 'password.txt' files, database files, etc. – this has to be customized to your org's needs; it can be a fun research/clustering job.
- Do credit card/SSN/other PII scans and act on them (you will find lots of private emails and PDFs belonging to employees – yes, you want them to remove this stuff from their work boxes).
- Work with specific business units, employees and their respective managers to protect/clean up all unwanted stuff ASAP.
- Collect and preserve baseline data for future, recurring investigations.
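The hunting routine sketched in the items above (stack autostart entries across many hosts and flag the least-frequent ones, scan $MFT-derived file names for low-hanging fruit, and scan content for card numbers and SSNs), as an added worked example that is not part of the original post. The host inventory, file listing and text are constructed sample data; the allowlist, the "interesting name" pattern and the one-host LFO threshold are assumptions to be tuned to the org.

```python
import re
from collections import Counter, defaultdict

# Constructed sample inventory: autostart image paths collected per host
# (in practice: Run keys / services / scheduled tasks pulled by a light agent).
AUTORUNS = {
    "ws01": [r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Vendor\agent.exe"],
    "ws02": [r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Vendor\agent.exe"],
    "ws03": [r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Vendor\agent.exe",
             r"C:\Users\bob\AppData\Roaming\svch0st.exe"],
    "ws04": [r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Vendor\agent.exe"],
    "ws05": [r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Vendor\agent.exe",
             r"C:\Temp\update.exe"],
}
# Assumed allowlist: values known-good everywhere and never worth a look.
KNOWN_GOOD = {r"c:\windows\system32\svchost.exe"}


def stack(inventory):
    """Data stacking: count on how many hosts each normalised value occurs."""
    counts, hosts = Counter(), defaultdict(set)
    for host, values in inventory.items():
        for v in {x.lower() for x in values}:
            counts[v] += 1
            hosts[v].add(host)
    return counts, hosts


def least_frequent(inventory, max_hosts=1, known_good=KNOWN_GOOD):
    """LFO: values on at most max_hosts hosts and not allowlisted -> {value: [hosts]}."""
    counts, hosts = stack(inventory)
    return {v: sorted(hosts[v]) for v, n in counts.items()
            if n <= max_hosts and v not in known_good}


# File-name triage over a listing (e.g. names parsed out of $MFT). Assumed pattern.
INTERESTING = re.compile(
    r"(passw(or)?d|secret|cred(ential)?)s?\.(txt|xlsx?|docx?)$|\.(kdbx?|pst|ost|mdb|sqlite|bak)$",
    re.I)

SAMPLE_PATHS = [  # constructed
    r"C:\Users\alice\Desktop\passwords.txt",
    r"C:\Users\alice\Documents\Q3 report.docx",
    r"C:\Users\bob\Documents\vpn creds.txt",
    r"C:\Users\bob\Documents\Database1.mdb",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\carol\Downloads\keepass.kdbx",
]


def interesting_files(paths):
    return [p for p in paths if INTERESTING.search(p.rsplit("\\", 1)[-1])]


def luhn_ok(digits):
    """Luhn check; weeds out ticket numbers and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces/dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def find_pans(text):
    """Candidate card numbers that also pass Luhn, returned as bare digit strings."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text):
    return SSN_RE.findall(text)


SAMPLE_TEXT = """\
Customer card: 4111 1111 1111 1111 exp 12/17
Ticket #4111111111111112 (digit run that fails Luhn)
Backup card 5555-5555-5555-4444
Employee SSN 123-45-6789, malformed SSN 000-12-3456
Phone 555-0100-1234
"""  # constructed

if __name__ == "__main__":
    for value, on_hosts in least_frequent(AUTORUNS).items():
        print("rare autostart:", value, "on", on_hosts)
    print("interesting files:", interesting_files(SAMPLE_PATHS))
    print("PANs:", find_pans(SAMPLE_TEXT))
    print("SSNs:", find_ssns(SAMPLE_TEXT))
```

The stacking part is the one that scales: with a thousand hosts the rare rows are still a handful, and the allowlist keeps growing as you confirm benign outliers. The Luhn step matters more than it looks, since without it a PII scan over real corporate data drowns in ticket numbers, phone numbers and serials.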
- Stop the cargo cult approach to IR.
- Don’t rely on security controls only.
- Don’t rely on alerts only.
- Assume that at any point in time a subset of systems in your org is popped. You need to find them ASAP.
- Learn the in-depth aspects of the technology. You can't talk about 'viruses' and 'trojans' unless you actually KNOW how they work at the programming/forensic level and what the difference between them is (trivia question: what is the difference between a virus and a trojan?). You can't look at proxy logs without knowing the basics of how a browser renders web content, i.e. the technical mechanisms engaged when a browser accesses a web page (DNS, cache, WinINet, server side and client side, Chrome and Firefox as well, etc.), both dynamic and static. The ones with a padlock too. Yes, seriously, there are people who don't know this and work in VP functions in IT sec.
- Work more on the data you already have, and prioritize data generated by your org over 'threat intel' feeds. Data from your org is you looking for the spoon in your own kitchen. Threat intel data could be a fork, a spoon, or a spork in somebody else's canteen in a different city.
- Don't take yourself too seriously, and don't be the righteous one on a romantic, self-appointed mission (kinda ironic in the context of this post, but I hope you know what I mean :)).
- The old saying goes that the road to hell is paved with good intentions.
- Don't play a role that is not assigned to you. You are not law enforcement. Stop acting like one.
- You also can't chase after the bad guys yourself. You can't take revenge other than by hoping LE will eventually find them. Yes, it's sad. But if you do try doing stuff on your own, you will inevitably end up following the mob mentality and start lynching the innocent. Plus you will attract the attention of even more bad guys.
- Some guys seem to project their vision of IR in a 'we change the world' context, and it looks like a life mission to hunt 'bad guys' and, even more, 'nation-state enemies'. Perhaps to a certain extent it is a mission, but the cynical reality is that it's just a job. Leave the wars to governments and the military. It's just a job. And the scope of this job is to protect assets, not to go Steven Seagal on the bad guys. And at the moment this job is probably far closer to a security guard's and/or helpdesk technician's job than to the highly technical position many perceive it to be. Why security guard? Because your role is often simply to observe and report. Why helpdesk technician? Because removing malware is hardly difficult. You either delete the file(s) and clean that Run key, or ask for the box to be re-imaged.
- Focus on ‘data security’ over ‘system security’.
- Next year, give more attention to offerings focused on preparedness and early discovery rather than on reactive defense or the offensive side, with assets defined both as systems and as the data itself:
- Reactive defense:
- Anything blacklisting-based is reactive. Anything heuristic-, reputation-, behaviour-, algorithm-, threat-intel-, feed- or cloud-based is reactive. That is your AV, IDS/IPS, HIPS, SIEM, DLP to a certain extent, and often sandboxes as well. Somewhat ironically, whitelisting software also falls into this category. Whitelisting simply doesn't work as expected, and it often ends up running in a failsafe mode (lots of exceptions, 'learning mode', preapproved grayware). Auditing is here too.
Note: some of these are proactive, provided they are properly installed and in a blocking/deny mode by default (e.g. whitelisting, reputation).
- All pentesting, vulnerability scans/assessments, etc. Discovering a new way in is very important, but it does not change the security posture of the assets you are protecting much; unencrypted cardholder data, HR PDFs, etc. lying around on the HDD are still there after you patch that new scary bug or update Java. Protect the data more than the system, because when it gets popped, you want that data to be hard to get to.
- Preparedness, early discovery:
- Focus on your data: encryption at the physical (drive) and/or logical (volume) level, encryption at the application level (encrypted configs/data, memory protection), the document level (a password on your important XLS or PDF) and the transport level (data in transit is always encrypted); data cleanups; entitlements/accountability; real-time monitoring of processes, start-up points, etc.; and also regular mass-forensics exercises (recurring light forensics: light agents constantly feeding critical and minimal data to a data-crunching device that spits out anomalies based on data stacking, LFO and clustering analysis). Focus on managed irresponsibility, i.e. letting employees do whatever they do, knowing that they will do it anyway, and being prepared for it to happen (your role is to know immediately when they install something stupid). Focus on decoys, planted data that can help in the quick discovery of a breach (e.g. your 'planted' credentials or credit card numbers discovered on pastebin) and can also feed attackers lots of noise (e.g. if you use POS software, ask the vendor to plant fake track data in the memory of their program for RAM scrapers to harvest – this is a few lines of code).
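The decoy idea in the item above (fake track data resident in a POS process for RAM scrapers to harvest, and planted card numbers whose appearance anywhere else signals a breach), as an added worked example that is not part of the original post or any POS vendor's code. Assumptions: decoys are generated under the made-up prefix 999999 rather than a real issuer BIN, the track-2 layout follows ISO/IEC 7813 (`;PAN=YYMMSSS…?`), and `scrape()` stands in for a naive scraper that grabs anything track-2-shaped; the "memory" it reads is a constructed string.

```python
import random
import re

# Assumed prefix that is not a real issuer BIN. For a real deployment you would agree a
# never-routed range with your acquirer so that a decoy can never authorise a transaction.
DECOY_BIN = "999999"


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass Luhn, so the decoy survives a scraper's own filter."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:           # rightmost digit of the partial sits in a doubled position
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_decoy_pan(rng, bin_prefix=DECOY_BIN, length=16):
    body = bin_prefix + "".join(rng.choice("0123456789")
                                for _ in range(length - len(bin_prefix) - 1))
    return body + luhn_check_digit(body)


def make_track2(pan, expiry_yymm="4912", service_code="101"):
    """ISO/IEC 7813 track 2: start sentinel, PAN, '=', YYMM, service code, discretionary data, end sentinel."""
    return f";{pan}={expiry_yymm}{service_code}000000000000?"


class DecoyStore:
    """The decoys a POS process keeps resident, and the oracle for 'is this one of ours?'."""

    def __init__(self, seed, count):
        rng = random.Random(seed)            # seeded so the same set can be regenerated for matching
        self.pans = [make_decoy_pan(rng) for _ in range(count)]
        self.tracks = [make_track2(p) for p in self.pans]

    def hits(self, blob):
        """Decoy PANs present in a harvested blob (scraper output, a pastebin paste, an exfil file)."""
        return [p for p in self.pans if p in blob]


TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")


def scrape(memory):
    """What a naive RAM scraper does: pull every track-2-shaped string out of process memory."""
    return TRACK2_RE.findall(memory)


if __name__ == "__main__":
    store = DecoyStore(seed=2014, count=3)
    # Constructed 'memory' of a POS process: one decoy next to the public Visa test number.
    memory = "noise" + store.tracks[1] + "noise;4111111111111111=1712101000?noise"
    harvested = scrape(memory)
    print("scraper got:", harvested)
    print("decoys among them:", store.hits(" ".join(harvested)))
```

Two things make this useful beyond noise: the decoys must be indistinguishable from real entries to the scraper (hence the Luhn digit and the full track layout), and the same seeded generator must be available to whoever watches pastebin, carder dumps or your own DLP output, because a decoy PAN seen outside the POS process is, by construction, evidence of scraping.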
- Give more attention to offerings that are politically neutral.
- It's very tempting to take revenge; it's also very tempting and easy to fall for promises such as 'we will catch these bad guys and punish/expose them for you'; and it's even more tempting if the promise is based on a somewhat patriotic (often jingoistic) or idealistic rationale that is easy to associate yourself with; the reality is that your org will benefit more from securing your assets than from chasing after attackers. Again, you are not Charles Bronson, you are just an employee. Also, defensive security is not that boring – actively hunting for badness can be very challenging and rewarding if you get it right and start seeing things traditional security controls miss.
- Remember: assume that at any point in time some of your boxes are popped – treat it as a constant. Chasing after attackers is simply resources put in the wrong place. Yes, you may eventually catch some, dox some, maybe even get them prosecuted, but it won't stop new ones from coming. People still smuggle drugs into countries knowing capital punishment is in place there. Crime is here to stay. Anyone telling you that knowing your adversaries is important should be telling you that it is far more important to protect your assets.
- How do you recognize politically neutral companies? Their focus is on technology more than politics:
- They talk about an attacker's IP being assigned to country X vs. an attacker _being_ from country X.
- They joke with you about 'APT', because they know your org simply sucks at protecting its assets.
- They avoid the 'nation-sponsored' narrative all over the place, as they understand that attribution is a very difficult problem and that there are far more opportunistic attacks happening out there.
- They don't whine about other security controls being bad/worse. There is not a single one that is better or worse, as it's like comparing apples and oranges. Security controls are technical tools meant to solve specific technical problems and counter threats with a certain level of efficiency, not ammo in political discussions. An engineer whining about the tools is an indication that s/he doesn't know what they are for and how to use them. (Okay, fair enough, some products are pure crap, but a discussion about vendors' offerings is different from a discussion about security controls.)
- They talk about bad guys being everywhere, not just having specific country- or region-specific origins; espionage is as important to nation-sponsored hackers as it is to your competition around the corner in your own country.
- They are usually bitter, cynical, non-compromising assholes that will piss you off, but in your own interest.
- They of course like memes and cats.
- Bring more women to IR.
- Not much to explain here; there are women in IT sec who possess razor-sharp minds, and there are definitely a lot more out there who could add a lot of value to this male-dominated industry, if only given a chance; hire, train, profit.
- Become culturally interested. I will explain why in a second.
- If you don't travel, start. And I do not mean for business. For leisure.
- Visit the countries of your "worst enemies" and "adversaries". Meet real people in their own country. Eat their food, sleep in their place. Experience their weather. See the stars they see. Face your prejudice about the country and its people. Be surprised. Or not. Form your own opinion.
- If you live in the US, Canada or Australia it's a bit hard to travel to other countries for leisure, as it's quite far and pricey. Start small. Visit other districts in your city (if safe), visit other states. There is such a huge variety between different states and cities – you will definitely find something new, and it will change your perception of your own country (word of warning: you may not like everything you see). Avoid organized tours, go on your own. And avoid cheesy entertainment that will empty your pockets without really enriching you in any way – go to see natural wonders, sleep in a motel, hike.
- Visit art galleries, go and listen to concerts, watch a theater show, a musical, a ballet.
- Question the media. Your news and the movies you watch are full of propaganda – I will cover it a bit in my next post. It's the winners that write history, and it's easy to fall prey to the huge propaganda machine that is TV. The roles are assigned and follow specific political agendas. And mind you, there is no conspiracy theory here. If you are trained for decades to follow certain ideals and patterns, you will become the most eager proponent of these ideals without even noticing. What works in regimes on a propaganda level works also (and imho often better) in free countries, for the simple reason that we are all gullible, complacent animals and don't want to think too much. Best of all, consider avoiding TV completely. Alternatively, make an effort to watch news from other countries. It's a very refreshing experiment – watch CNN, FOX, BBC, RT, NHK, Al Jazeera, Deutsche Welle, Euronews, and whatever else you can find. See how the same news is reported. Pay attention to the language and the perspective offered. Make a game of distilling facts from opinions.
- Watch foreign movies. Hollywood produces a lot, but much of it is of poor quality. Go and rent 'world cinema'. Watch Japanese, Korean and Chinese movies and TV dramas. Watch movies from the Middle East, Australia, New Zealand, Scandinavia, France, Russia, Uruguay, Chile, Brazil, and whatever else you can find. Look for various movies, fall asleep on some. Enjoy others.
Now, the 'why'. The reason is that in IR (and even more so in DF) you need to be damn objective. And if you are soaked in prejudice against a specific nation, race or ethnicity, then you have a problem. And not just one, but perhaps two. If you are unaware of your prejudice, then you are not only unable to change, but also unable to judge fairly. An inability to question your own preconceptions, or what causes them, is a progress blocker. You will remain biased, and you may actually hurt people. And the majority of people are the good guys.
As an experiment, think for a second of North Korea. What is your first reaction? If it is positive, why? If it is negative, why? You may follow with a few basic questions: how many cities in NK can you name? What is the currency? What is the exchange rate to your currency? What is the most popular name for a girl, for a boy? I tried to answer these questions and I failed. My knowledge about NK is pretty much non-existent. I personally know one person who visited NK, but it doesn't change my knowledge about the country a bit. I am actually completely ignorant when it comes to NK. You may be surprised to realize that your knowledge about NK is not that far from mine. Yet you may have a pretty strong and negative opinion and perception of this country, or at least of its government. And not only because of the alleged association with the recent Sony hack and the movie, but perhaps also thanks to a never-ending negative campaign in the media. I was curious about it and came up with some numbers, and I will cover it a bit more in my next post. It is a very interesting topic for a study, and I do hope someone pursuing their degree in social, political or media studies can explore it more.
And back to the main topic. One more item on the wishlist – please avoid military comparisons – as long as you work for a company, there is no 'enemy', you are not combating anyone, you simply have vandals and thieves on your property – it's your job to prevent them from entering if possible, and if that didn't work – ensure they can't steal much, catch them early, kick them out and move on. That's it.
If there is one single narrative that should drive security forward, it is probably data protection at its core. Data cleanups (all the residual stuff accumulated over years, computers moved from one user to another, etc.) are very difficult to do, so the easiest way would be to simply start from scratch. And not just once, but on a regular basis. Difficult, but not impossible. And as crazy as it sounds, 'being done like Sony' can lead companies to a very bright future, data-security-wise. Perhaps the best way to start a new year is to wipe it all clean.