Threat Frameworks – some quick thoughts

March 12, 2018 in Incident Response, Preaching

Update

Added some more ideas

Old Post

We have reached the stage where we have a number of threat frameworks on ‘the market’ – they all look at the threat taxonomy from different angles – they overlap, they compete, and sometimes they go in some weird directions. I’ve been thinking about the usefulness and completeness of these frameworks for a while and eventually decided to post some quick thoughts on it. What actually inspired me to write this post is a tweet posted by Rick Holland, in which he said:

I was happy to see that I am not the only one who sees it as a new buzzword and, really, a fad.

BUT

Having said that, I do believe there is a great need to choose _some_ threat framework and use it to model your defensive strategy around that.

And I actually like Att&ck more and more.

If the Kill Chain was very high-level, Att&ck attempts to itemize every single tactic & technique that affects Confidentiality, Integrity & Availability. This is actually a great approach, as it can very directly drive anomaly hunting, use cases, the choice of additional controls, etc. Being in a position to say that you cover this and that % of the Att&ck matrix with your defenses can be very good quantitative data that can be presented to senior management, and maybe even auditors.
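One way to turn that “% of the matrix covered” claim into a repeatable number, as an added example (not from the original post or from Mitre): a detection inventory is mapped to technique IDs and coverage is computed per tactic, with a technique that sits under several tactics counting towards each of them. The matrix, the use cases and the technique IDs below are constructed sample data, not real Att&ck IDs; the locally added “ADS-LOCAL-1” item stands in for a gap in the framework and is reported separately rather than inflating the percentage.

```python
"""Compute Att&ck-style coverage figures from a detection inventory.

Constructed example: the matrix and the use-case inventory are made-up
sample data (the IDs are NOT real Att&ck technique IDs)."""
from collections import defaultdict

# Constructed mini "matrix": technique id -> (name, set of tactics).
# A technique may sit under several tactics, exactly as in the real matrix.
MATRIX = {
    "TX001": ("Alternate data streams", {"Defense Evasion"}),
    "TX002": ("Registry run keys", {"Persistence"}),
    "TX003": ("Scheduled task", {"Persistence", "Execution"}),
    "TX004": ("Process injection", {"Defense Evasion", "Privilege Escalation"}),
    "TX005": ("Modify registry", {"Defense Evasion"}),
}

# Constructed detection inventory: use case -> technique ids it claims to cover.
# "ADS-LOCAL-1" is a locally added item for a gap in the matrix; it is
# tracked, but never counts towards matrix coverage.
USE_CASES = {
    "sysmon-run-key-alert": {"TX002"},
    "schtasks-creation-alert": {"TX003"},
    "injection-hunt-query": {"TX004"},
    "ads-scan-job": {"ADS-LOCAL-1"},
}

def coverage(matrix, use_cases):
    """Return (overall_pct, {tactic: pct}, ids_not_in_matrix).

    A technique counts as covered once any use case claims it; a
    multi-tactic technique counts towards every tactic it belongs to."""
    claimed = set().union(*use_cases.values())
    unknown = sorted(claimed - matrix.keys())   # local additions / typos
    covered = claimed & matrix.keys()
    total_per_tactic = defaultdict(int)
    covered_per_tactic = defaultdict(int)
    for tid, (_, tactics) in matrix.items():
        for tactic in tactics:
            total_per_tactic[tactic] += 1
            if tid in covered:
                covered_per_tactic[tactic] += 1
    per_tactic = {t: round(100 * covered_per_tactic[t] / n, 1)
                  for t, n in total_per_tactic.items()}
    overall = round(100 * len(covered) / len(matrix), 1)
    return overall, per_tactic, unknown

if __name__ == "__main__":
    overall, per_tactic, unknown = coverage(MATRIX, USE_CASES)
    print(f"overall coverage: {overall}%")          # 60.0%
    for tactic, pct in sorted(per_tactic.items()):
        print(f"  {tactic}: {pct}%")
    print("ids not in the matrix (local additions):", unknown)
```

The per-tactic figures are the ones worth showing to management: the overall 60% here hides a 33.3% Defense Evasion number.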

Before you go and use Att&ck in its current form, be aware that it is a work in progress and will certainly change in the future.

Why?

Because it’s far from being complete.

For instance, looking at the techniques, there are a lot of tricks that are not included there, or items whose descriptions could potentially be amended:

  • alternate data streams on NTFS
  • extended attributes on NTFS
  • many persistence tricks
  • cases where malware is found dormant in archives (e.g. mailboxes, backups, or remnants of very old infection) or on removable devices – it’s actually not even an active attack, but it does affect integrity of the system
  • cases where artifacts are downgrading the security posture of the system (e.g. disabling UAC, changing IE zone settings, etc.)
  • cases where malware belongs to old-school OSs e.g. win95/DOS (risk is minimal, but threat taxonomy should include them)
  • EICAR
  • remnant from internal pentesting (sometimes can be detected long after the actual test)
  • viral infection, including unusual infection methods like EPO (Entry Point Obscuring)
  • I didn’t seem to be able to find ‘worm’
  • trojanized applications (e.g. web shells, but also fake applications on torrent sites)
  • adware, PUA/PUP (is it considered an attack if legitimate software is bundled with adware?)
  • tracking cookies (not sure if it fits)
  • atombombing and propagate code injection tricks
  • enabling DEBUG/VERBOSE flags in applications (e.g. so that logs include track data that bad guys can collect)
  • hooking is a very loaded technique – it’s actually a class of techniques; the current description talks mainly about Windows, but misses EAT hooking, COM hooking and SSDT hooking, and there is also hooking that can be observed on the web side (e.g. hooking of functions managing PHP buffers, or adding JavaScript callbacks); there are also cases where hooking is incorporated via subtle, small patching inside a native OS binary that then loads a malicious DLL; and plenty of other tricks like this (I once saw a vendor DLL replaced with a malicious one that injected itself as a man-in-the-middle, observing all transmitted buffers in plain text)
  • ‘Modify Registry’ is such a loaded technique too – not sure if it should be listed there as a separate technique, since it’s a class of techniques really… on the other hand, I don’t know where else we could place it
  • Accidental data leakage (e.g. github, wikipedia, translation services)
  • LSASS Driver – ‘driver’ word may be a bit misleading – the word is usually reserved for kernel mode drivers
  • etc.

There is also additional complexity which comes from the fact the framework tries to cover Windows, OS/X and Linux platforms in one table (correction: there are various views available, so it helps a lot). Obviously, digging into each item will give you lots of information and references.

Now, it’s easy to sit down and criticize.

I have tried to build some taxonomy in the past myself and it’s an extremely daunting task to build such a multidimensional database – and Att&ck already contains lots of very useful information – we really need to applaud the efforts of the Mitre team!

Fad or not, we are slowly moving from a technology- or control-oriented approach to security to a more measurable and reliable risk-management-driven approach.

The cyberpoppers, the security fix, and … the Other guys

May 10, 2017 in Preaching

Cyberpopping is a term I coined, for lack of a better word, to describe any vague and, most of the time, responsibility-free activity that is used and/or abused to sell and market IT security in whatever form and shape possible. Yup, the activity where the seller is not necessarily responsible for overseeing that security through to the remediation/closure/assurance phase.

We all practice it.

There are various cyberpoppers out there:

  • 0days
  • APT
  • Dumps
  • Security Certificates
  • Security Conferences
  • Social media, including Twitter and blogs (including yours truly)
  • Periodical reports from vendors and Gartner
  • Compliance requirements (PCI DSS, ISO)
  • Groups, forums
  • etc.

At every step of this journey, ego and schadenfreude prevail. We all know better. And any time we find something new and cool, the Champagne cork pops and we get the fix. I love it, you love it. We are one big family of security enfants terribles 🙂

As I get older though, and get more and more insight into the less flashy part of the security world – the one where security is actually being implemented – it becomes more and more apparent to me that none of these things really help the Other guys. If you watched the movie, you know who I am talking about. These poor creatures sit in the back-end offices, spend hours on calls, actually talk to business people and clients, speak to non-technical people, and ensure that the stuff we are all breaking, or talking about breaking, actually gets fixed. This is not a fun job: it’s error-prone, it ricochets when they screw up (it often costs big bucks!), it means long hours, and on-call shifts where the big decisions are made. I just want to take a moment today to say thank you to all the engineers, admins, firewall guys, architects, customer-facing security guys, vulnerability management teams, ISOs and any other guys who actually deal with the _real_ world aspects of IT security.

Copyright note: the pic adapted from the one posted on wikipedia