The cyberchild of Omelas

October 14, 2016 in Preaching

With the explosion of everything that can be sold as ‘cyber as a service’ – the hot potato that everyone loves to talk about, but not that many have much idea about – we have witnessed a rapid, almost instant transformation of an industry that was once quite specialized and, yes, technical, into the nonsense it is today. Nonsense that repeats all the not-so-humble steps of its many predecessors (firewall, IDS, honeypot, etc.).

The hippie, Woodstock atmosphere is still on and it feels great… except it does not. The good news is that the end users are not that dumb anymore. Or at least we can hope so… Well, let’s try to make the world a better place. In this short post I will describe real-case examples of the idiocy I see in this space. Sometimes it’s frustrating, sometimes it’s a great source of joy… Oh well, such is life. I must emphasize that this is not whining about it: it is a warning to end users and future customers about what they should be aware of when signing multi-million deals for that next big thing…

  • The antivirus industry spent a crazy amount of time developing cures for malware; it went through all the paths that today’s ‘next-gen’ vendors and IR researchers are going through:
    • Static Signatures
    • Behavioral signatures
    • Statistics
    • Artificial intelligence
    • Reputation
    • Heuristics
    • Predictive analysis
    • And so on and so forth, you name it…
    • Rule #1: if someone tells you their software will protect your company better than antivirus – s/he is lying
      • Bonus:
        • If you get high on AI, YARA signatures, searching for IOCs, or even threat hunting – then you are like that South Park episode, ‘Simpsons Already Did It’: the AV industry did it 20-30 years ago
        • Update: see a quick addendum post
  • Doing manual, old-school forensic analysis of a system teaches you one significant and humble lesson: you can automate certain tasks, but at the end of the day it’s a tough, mundane, and boring job to go through all of the evidence – if not to find the smoking gun, then at least to _conclusively_ exclude all the other possibilities; if you screw it up, the court, the customer, or the competing forensic company will expose you as a liar, a fraud, and a mediocre analyst
    • Rule #2: if someone tells you their software will do the IR/forensic work for you automatically – s/he is lying
  • Working in a consulting environment is highly stressful but also rewarding – it teaches you that you are not as good as you think you are, and that NO two systems from different customers ever look alike.
    • Rule #3: if someone tells you their software is customized, tailored, and totally adapted to your environment – s/he is lying
  • If you have ever worked in a SOC or a similar function, you know that blocking stuff on the proxy is a tricky business: you have more than one proxy server, you have legacy servers no one knows about, you have rules and exclusions, and so on and so forth
    • Rule #4: if someone tells you their software prevents/detects all the network badness – s/he is lying
  • Manual maintenance of many records is tiring; that is why using databases is so tempting and convenient. Open your mobile phone and walk through all the numbers you called last year: some of those calls were incredibly important at the time, and now you don’t even know what they were about…
    • Rule #5: if someone tells you their rules are properly categorized and prioritized – s/he is lying
      • The maintenance cost of keeping sigs/rules relevant is incredible and is very environment-specific (check your vendor’s classification for Code Red, ILOVEYOU, Slammer, or any MS06-xxx…)
  • Threat hunting is fashionable as hell; everyone is happily presenting about it, but the reality is that it doesn’t work the way it is prescribed
    • The users do insane things that break your awesome threat hunting rules
    • The software does insane things that break your awesome threat hunting rules
    • The dual-purpose tools that are definitely, undeniably 100% malicious and indicate a hacker on the box – turn out to be one of the support guys running their ‘gather info about the user’s box’ script on the system
    • The incredible-sounding 1000 instances of cmd.exe spawned on the system, plus a number of Visual Basic script interpreters executed in just 30 minutes – oh, it’s just that new shiny EDR solution doing its thing
    • The guy running netstat, ping, and ipconfig – you can either send the S.W.A.T. team, or conclude it’s just an admin trying to get back onto a system that went down
    • The Windows Event Logs that are a threat hunter’s wet dream because they are logged so often, stored, and can be queried… oh, except that all those scheduled tasks, ‘runas’ commands, newly created accounts, and someone banging on the shared folders with wrong credentials for 12876 days… it’s actually thousands of events that are NOTHING BUT NOISE
    • This bullet list could go on forever, I can assure you 🙂 I am listing only a few things off the top of my head, but it’s all nonsense
    • Rule #6: if someone tells you their feeds and rules detect malicious hackers using sophisticated rules based on the attacker’s behavior – s/he is lying
    • Update: see a follow-up post about Threat Hunting bubble
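The threat-hunting bullets above describe behavior rules tripping on benign noise: an EDR agent spawning cmd.exe by the thousand, an admin running the ipconfig/ping/netstat triad, and a service account that has been failing logons for years. The block below is an added example, not code from the original post, that runs naive versions of those rules and baseline-aware versions over constructed telemetry. Every hostname, user, account, the EDR process name edr_agent.exe, and the event counts are hypothetical; the only real identifier is the standard Windows failed-logon event ID 4625 mentioned in a comment. It goes slightly beyond the post's anecdotes by showing the suppression logic (known-automation parents, known admin users, a 30-day baseline of failing accounts) next to the naive counts.

```python
"""Constructed example (not from the original post): naive 'threat hunting'
rules versus baseline-aware ones, run on made-up telemetry.

Hostnames, users, accounts and the EDR image name 'edr_agent.exe' are all
hypothetical. Windows Event ID 4625 (failed logon) is the only real identifier."""
from collections import Counter

# Process-creation events: (seconds since start, host, user, parent image, child image)
PROC_EVENTS = (
    # a hypothetical EDR agent spawning cmd.exe every ~2 s and cscript.exe every 30 s
    [(i * 2, "WS01", "SYSTEM", "edr_agent.exe", "cmd.exe") for i in range(1000)]
    + [(i * 30, "WS01", "SYSTEM", "edr_agent.exe", "cscript.exe") for i in range(60)]
    # an admin poking at a box that dropped off the network
    + [(300, "WS01", "adm_jsmith", "cmd.exe", "ipconfig.exe"),
       (360, "WS01", "adm_jsmith", "cmd.exe", "ping.exe"),
       (420, "WS01", "adm_jsmith", "cmd.exe", "netstat.exe")]
    # the one event actually worth a look: cmd.exe spawned by Word
    + [(720, "WS02", "jdoe", "winword.exe", "cmd.exe")]
)

# Failed-logon events (Windows 4625): (day offset, account, source host).
# Day 0 is today, negative days are history; svc_legacy has failed every day for a month.
LOGON_FAILURES = (
    [(d, "svc_legacy", "FS01") for d in range(-30, 1) for _ in range(144)]
    + [(0, "administrator", "WS02") for _ in range(15)]
)

WINDOW = 30 * 60                       # "1000 cmd.exe in 30 minutes"
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}
RECON_TRIAD = {"ipconfig.exe", "ping.exe", "netstat.exe"}
KNOWN_AUTOMATION = {"edr_agent.exe"}   # parents expected to spawn script hosts in bulk
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ADMINS = {"adm_jsmith"}                # hypothetical list of admin accounts
BASELINE_DAYS = 30


def naive_volume_rule(events, threshold=100):
    """Flag hosts with more than `threshold` script-host spawns inside one WINDOW."""
    per_host = {}
    for ts, host, _, _, child in sorted(events):
        if child in SCRIPT_HOSTS:
            per_host.setdefault(host, []).append(ts)
    flagged = set()
    for host, times in per_host.items():
        lo = 0                          # sliding window over sorted timestamps
        for hi, t in enumerate(times):
            while t - times[lo] > WINDOW:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(host)
                break
    return flagged


def naive_recon_rule(events):
    """Flag any host where ipconfig, ping and netstat all ran."""
    seen = {}
    for _, host, _, _, child in events:
        if child in RECON_TRIAD:
            seen.setdefault(host, set()).add(child)
    return {h for h, tools in seen.items() if tools == RECON_TRIAD}


def naive_logon_rule(failures):
    """Alert on every (account, host) pair with a failed logon today."""
    return {(acct, host) for day, acct, host in failures if day == 0}


def tuned_volume_rule(events, threshold=100):
    """Same volume check, but children of known automation parents are excluded."""
    filtered = [e for e in events if e[3] not in KNOWN_AUTOMATION]
    return naive_volume_rule(filtered, threshold)


def tuned_parent_rule(events):
    """Script hosts spawned by Office apps: low volume, high signal."""
    return [(host, user, parent, child) for _, host, user, parent, child in events
            if child in SCRIPT_HOSTS and parent in OFFICE_APPS]


def tuned_recon_rule(events):
    """The recon triad only matters when the user is not a known admin."""
    seen = {}
    for _, host, user, _, child in events:
        if child in RECON_TRIAD and user not in ADMINS:
            seen.setdefault(host, set()).add(child)
    return {h for h, tools in seen.items() if tools == RECON_TRIAD}


def tuned_logon_rule(failures):
    """Alert only on (account, host) pairs that were NOT failing during the baseline."""
    baseline = {(a, h) for d, a, h in failures if -BASELINE_DAYS <= d < 0}
    today = Counter((a, h) for d, a, h in failures if d == 0)
    return {pair: n for pair, n in today.items() if pair not in baseline}


if __name__ == "__main__":
    print("naive volume :", naive_volume_rule(PROC_EVENTS))   # EDR noise on WS01
    print("tuned volume :", tuned_volume_rule(PROC_EVENTS))   # nothing left
    print("tuned parent :", tuned_parent_rule(PROC_EVENTS))   # the Word -> cmd.exe event
    print("naive recon  :", naive_recon_rule(PROC_EVENTS))    # the admin
    print("tuned recon  :", tuned_recon_rule(PROC_EVENTS))    # nothing left
    print("naive logon  :", naive_logon_rule(LOGON_FAILURES)) # svc_legacy and administrator
    print("tuned logon  :", tuned_logon_rule(LOGON_FAILURES)) # administrator only
```

The catch, which is the point of Rule #5 above, is that KNOWN_AUTOMATION, ADMINS and the baseline window are exactly the environment-specific lists no vendor ships pre-filled: every one of them has to be built and kept current by the customer, and an attacker who lands on an admin's account or names a dropper after the EDR binary walks straight through the tuned rules.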

Yup… the cyber child of Omelas is there to keep us all happy.

To write about a problem is just half of the story.

What could be the solution?

We can’t count on the honesty of vendors. It’s not technical people selling this stuff. (Update: I stand corrected; I also need to mention ThreatGrid as one of the vendors that blew my mind in the past; it’s not humble to say, but it’s a pleasure to speak to people who obviously know more than me)

What we need is a point of reference: a crowd-sourced, unbiased (as much as it can be) view of solutions in the ‘cyber’ space. It has to be anonymous, but brutally honest. If a thing is snake oil, it should be exposed. The EDR sheet is a good example, but we can do better.
