Mandiant Webinar Wednesday; Help Us Break a Record!

I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011.

Register now and help Kris and me beat the attendee count from last month's record-setting Webinar.

If you have questions about and during the Webinar, you can always send them via Twitter to @mandiant and use the hashtag m_soh.

Tweet

Read More

Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"

I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's Top 25 Influencers in Security You Should Be Following today is pretty cool! Tripwire is one of those technologies and companies that everyone should know. It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire. So, I was happy to see my twitter.com/taosecurity feed and the taosecurity.blogspot.com blog make their cut.

David Spark asked for my "security tip for 2012," which I listed as:

Improve your incident detection and response program by answering two critical questions:

1. How many systems have been compromised in any given time period; and

2. How much time elapsed between incident identification and containment for each system?

Use the answers to improve and guide your overall security program.

Those of you on the securitymetrics mailing list, and a few other places, have heard me speaking about this topic. I'll probably blog about it in the future, but suffice it to say that those are the key issues you should address in 2012 in my opinion.

Tweet

Read More

Become a Hunter

Earlier this year SearchSecurity and TechTarget published a July-August 2011 issue (.pdf) with a focus on targeted threats. Prior to joining Mandiant as CSO I wrote an article for that issue called "Become a Hunter":

IT’S NATURAL FOR members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat’s behavior, and threats routinely innovate in order to evade and disrupt defensive measures.

Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider
the “self-defending network” concept to be marketing at best and counter-productive at worst. If technology and engineering aren’t the answer to security’s woes, then what is?

Download and read my article starting on page 19 for the answer! July-August 2011 issue (.pdf)
Tweet

Read More

National Public Radio Talks Chinese Digital Espionage

When an organization like National Public Radio devotes an eleven minute segment to Chinese digital espionage, even the doubters have to realize something is happening. Rachel Martin's story China's Cyber Threat A High-Stakes Spy Game is excellent and well worth your listening (.mp3) or reading time.

Rachel interviews three sources: Ken Lieberthal of the Brookings Institution, Congressman Mike Rogers (chairman of the House Intelligence Committee), and James Lewis from the Center for Strategic and International Studies.

If you listen to the report you'll hear James Lewis mention "a famous letter from three Chinese scientists to Deng Xiaoping in March of 1986 that says we're falling behind the Americans. We're never going to catch up unless we make a huge investment in science and technology."

James is referring to the so-called 863 Program (Wikipedia). You can also read directly from the Chinese government itself here, e.g.:

In 1986, to meet the global challenges of new technology revolution and competition, four Chinese scientists, WANG Daheng, WANG Ganchang, YANG Jiachi, and CHEN Fangyun, jointly proposed to accelerate China’s high-tech development. With strategic vision and resolution, the late Chinese leader Mr. DENG Xiaoping personally approved the National High-tech R&D Program, namely the 863 Program.

Implemented during three successive Five-year Plans, the program has boosted China’s overall high-tech development, R&D capacity, socio-economic development, and national security.

In April 2001, the Chinese State Council approved continued implementation of the program in the 10th Five-year Plan. As one of the national S&T program trilogy in the 10th Five-year Plan, 863 Program continues to play its important role.

1. Orientation and Objectives

Objectives of this program during the 10th Five-year Plan period are to boost innovation capacity in the high-tech sectors, particularly in strategic high-tech fields, in order to gain a foothold in the world arena; to strive to achieve breakthroughs in key technical fields that concern the national economic lifeline and national security; and to achieve “leap-frog” development in key high-tech fields in which China enjoys relative advantages or should take strategic positions in order to provide high-tech support to fulfill strategic objectives in the implementation of the third step of our modernization process.

There's more to read, but that gives you a sense of what the "letter" involves.

I hope this NPR story helps some of you realize that the China threat is not "hype." Consider Dr Lieberthal in relation to Chairman Rogers and Jim Lewis. You can decide to try to refute their positions by saying that the Chairman has "an agenda," and Mr Lewis is essentially too distant from the problem. I personally think Chairman Rogers is right on the money, but I sometimes question where Mr Lewis gets his information.

Dr Lieberthal, however, is one of the world's finest minds regarding China (Wikipedia entry), and he served in the Clinton administration. He even wrote a book on how to achieve corporate success in China (Managing the China Challenge: How to Achieve Corporate Success in the People's Republic). He is not a "China hawk" trying to start some kind of "war" with the Chinese, yet he takes the threat seriously enough to discuss the countermeasures he takes when visiting China ten times a year. Do those who doubt the China threat still believe it's all "hype"?

Tweet

Read More

Dustin Webber Creates Network Security Monitoring with Siri

Dustin Webber just posted a really cool video called Network Security Monitoring with Siri. He shows how he uses his iPhone 4S and SiriProxy to interact with his Snorby Network Security Monitoring platform.

The following screenshot shows Dustin asking "Can you show me what the last severity medium event was?" and Siri answering.



Later he asks Siri to tell him about "incident 15":



Near the end Dustin asks Siri if she likes Network Security Monitoring:



This is just about the coolest thing I've seen all year. Ten years ago I thought it was cool to listen to Festival read Sguil events out loud -- now Dustin shows how to interact with a NSM platform by voice command. Amazing!

Tweet

Read More

Trying NetworkMiner Professional 1.2

Erik Hjelmvik was kind enough to send an evaluation copy of the latest version of his NetworkMiner traffic analysis software. You can download the free edition from SourceForge as well. I first mentioned NetworkMiner on this blog in September 2008.

NetworkMiner is not a protocol analyzer like Wireshark. It does not take a packet-by-packet approach to representing traffic. Instead, NetworkMiner displays traffic in any one of the following ways: as hosts, frames, files, images, messages, credentials, sessions, DNS records, parameters, keywords, or cleartext. To demonstrate a few of these renderings, I asked NetworkMiner to parse the sample pcap from a sample lab from TCP/IP Weapons School 2.0. I did not need to install it; the software starts from a single executable and loads several DLLs in the associated directory.

The following screen capture shows information from the Hosts tab, showing what NetworkMiner knows about 192.168.230.4.



Notice that in addition to summarizing information about traffic to and from the host, in terms of packets or sessions, we also see what NetworkMiner knows about the host, like Queried NetBIOS names, Web Browser User Agents, and so on.

The following screen capture shows the Files tab. This displays all the content that NetworkMiner extracted from the traffic to the analysis workstation hard drive (or in my case, the NetworkMiner USB thumb drive).



I think NetworkMiner is pretty cool, especially given what you can do with the free version. My primary recommendation for improvement would be an interface that allows the user to easily pivot from one piece of information to the next. With the current environment, the analyst seems confined to the tab at hand. I would like to see a way to right click on an element of the displayed information and then execute a query based on my selection. It would also be helpful to be able to right click and open associated data in another traffic analysis program like Wireshark.

Thank you to Erik Hjelmvik for the opportunity to take another look at NetworkMiner!

Tweet

Read More

Thoughts on 2011 ONCIX Report

Many of you have probably seen coverage of the 2011 ONCIX Reports to Congress: Foreign Economic and Industrial Espionage. I recommend every security professional read the latest edition (.pdf). I'd like to highlight the key findings of the 2011 version:

Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.

• Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.

• Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.

• Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.

What's so significant about that section? The ONCIX is naming names right from the start, and concentrating squarely on China and Russia.

Contrast the 2011 approach with the 2008 report. If you search for "China" in the 2008 edition, you'll see only these sections in the main body of the report:

• China and Russia accounted for a considerable portion of foreign visits to DOE facilities during FY 2008.


• China continues to be a leading competitor in the race for clean coal technology.


• The DNI Open Source Center (OSC) contributes to the CI community’s effort against
  China by monitoring foreign-language publications and Web sites for indications of
  threats and sharing this information with appropriate agencies, including law
  enforcement.

That's very different from the direct approach taken in 2011. However, if you check "Appendix B: Selected Arrests and Convictions for Economic Collection and Industrial Espionage Cases in FY 2008," in the 2008 report, you find China listed as the perpetrator of 7 of the 23 cases! So, although China has been an active threat for many years, only now is the ONCIX shining the spotlight on that country (along with Russia) as primary threats to US secrets and intellectual property.

Tweet

Read More

Tao of Network Security Monitoring, Kindle Edition

I just noticed there is now a Kindle edition of my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, published in July 2004. Check out what I wrote in the first paragraphs now available online.

---

Welcome to The Tao of Network Security Monitoring: Beyond Intrusion Detection. The goal of this book is to help you better prepare your enterprise for the intrusions it will suffer. Notice the term "will." Once you accept that your organization will be compromised, you begin to look at your situation differently. If you've actually worked through an intrusion -- a real compromise, not a simple Web page defacement -- you'll realize the security principles and systems outlined here are both necessary and relevant.

This book is about preparation for compromise, but it's not a book about preventing compromise. Three words sum up my attitude toward stopping intruders: prevention eventually fails. Every single network can be compromised, either by an external attacker or by a rogue insider. Intruders exploit flawed software, misconfigured applications, and exposed services. For every corporate defender, there are thousands of attackers, enumerating millions of potential targets. While you might be able to prevent some intrusions by applying patches, managing configurations, and controlling access, you can't prevail forever. Believing only in prevention is like thinking you'll never experience an automobile accident. Of course you should drive defensively, but it makes sense to buy insurance and know how to deal with the consequences of a collision.

Once your security is breached, everyone will ask the same question: now what? Answering this question has cost companies hundreds of thousands of dollars in incident response and computer forensics fees. I hope this book will reduce the investigative workload of your computer security incident response team (CSIRT) by posturing your organization for incident response success. If you deploy the monitoring infrastructure advocated here, your CSIRT will be better equipped to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps. The intruder will spend less time stealing your secrets, damaging your reputation, and abusing your resources. If you're fortunate and collect the right information in a forensically sound manner, you might provide the evidence needed to put an intruder in jail.

---

I wrote that eight years ago, and thankfully my concept that "prevention eventually fails" (which I coined in that book) is finally gaining ground.
Tweet

Read More

Why DIARMF, "Continuous Monitoring," and other FISMA-isms Fail

I've posted about twenty FISMA stories over the years on this blog, but I haven't said anything for the last year and a half. After reading Goodbye DIACAP, Hello DIARMF by Len Marzigliano, however, I thought it time to reiterate why the newly "improved" FISMA is still a colossal failure.

First, a disclaimer: it's easy to be a cynic and a curmudgeon when the government and security are involved. However, I think it is important for me to discuss this subject because it represents an incredible divergence between security people. On one side of the divide we have "input-centric," "control-compliant," "we-can-prevent-the-threat" folks, and on the other side we have "output-centric," "field-assessed," "prevention eventually fails" folks. FISMA fans are the former and I am the latter.

So what's the problem with FISMA? In his article Len expertly discusses the new DoD Information Assurance Risk Management Framework (DIARMF) in comparison to the older DoD Information Assurance Certification and Accreditation Process (DIACAP). DIARMF is a result of the "new FISMA" emphasis on "continuous monitoring" which I've discussed before.

Len writes "DIARMF represents DoD adoption of the NIST Risk Management Framework process" and provides the diagram at left with the caption "The six major steps of Risk Management Framework aligned with the five phases of a System Development Lifecycle (SDLC)."

Does anything seem to be missing in that diagram? I immediately key on the "MONITOR Security Controls" box. As I reminded readers in Thoughts on New OMB FISMA Memo, control monitoring is not threat monitoring. The key to the "new" FISMA and "continuous monitoring" as seen in DIARMF is the following, described by Len:

Equally profound within DIARMF is the increased requirements for Continuous Monitoring activities. Each control (and control enhancement) will be attributed with a refresh rate (daily, weekly, monthly, yearly) and requisite updates on the status of each control will be packaged into a standardized XML format and uploaded into the CyberScope system where analysis, risk management, and correlation activities will be performed on the aggregate data.

Rather than checking on the security posture every three years or whatever insane interval that the old FISMA used, the new FISMA checks security posture more regularly, and centralizes posture reporting.

Wait, isn't that a good idea? Yes, it's a great idea -- but it's still control monitoring. I can't stress this enough; under the new system, a box can be totally owned but appear "green" on the FISMA dashboard because it's compliant with controls. Why? There is no emphasis on threat monitoring -- incident detection and response -- which is the only hope we have against any real adversary.

Think I'm wrong? Read Len's words on CyberScope:

CyberScope is akin to a giant federal-wide SEIM system, where high-level incident management teams can quickly pull queries or drill down into system details to add analysis on system defenses and vulnerabilities to the available intelligence on an attack. CyberScope data will also be used to track trends, make risk management decisions, and determine where help is needed to improve security posture.

If you're still not accepting the point, consider this football analogy.

Under the old system, you measured the height, weight, 40 yard dash, and other "combine" results on a player when he joined the team. You checked again three years later. You kept data on all your players but had no idea what the score of the game was.

Under the new system, you measure the height, weight, 40 yard dash, and other "combine" results on a player when he joins the team. You check again more regularly -- maybe even every hour, and store the data in a central location with a fancy Web UI. You keep data on all your players but still have no idea what the score of the game is.

Until DoD, NIST, and the other control-compliant cheerleaders figure out that this approach is a failure, the nation's computers will remain compromised.

Note: There are other problems with DIARMF -- read the section where Len says "This shakes out to easily over a hundred different possible control sets that can be attributed to systems" to see what I mean.

Tweet

Read More

SEC Guidance Emphasizes Materiality for Cyber Incidents

Senator Jay Rockefeller and Secretary Michael Chertoff wrote the best article I've seen yet on the CF Disclosure Guidance: Topic No. 2, Cybersecurity issued by the SEC last month in their article A new line of defense in cybersecurity, with help from the SEC:

Managing cybersecurity risk has always been, and always will be, in large part a private sector responsibility...

Until recently, this responsibility may have been unclear — or unknown — to the directors and officers of publicly traded companies. But on Oct. 13, the Securities and Exchange Commission issued groundbreaking guidance to clarify companies’ disclosure obligations about material cybersecurity risks and events.

Federal securities law has long required publicly traded companies to report “material” risks and events — that is, information that the average investor would want to know before making an investment decision. But before the SEC’s action, many companies were not aware how — or perhaps even if — this duty applied to cybersecurity information. In fact, a Senate Commerce Committee review of past corporate disclosures suggested that a significant number of companies have not reported these risks for years.

This SEC guidance is critical because it allows market participants to weigh cybersecurity as an investment factor. It is generally understood that disclosing material breaches — such as the significant loss of a company’s intellectual property — will affect the value of a company, because existing or potential investors will reconsider their investment decisions. Without detailed public information about these events, investors are unaware of the risks to which companies are exposed. And without pressure from investors, corporate officers are less likely to change their risk-management practices.

The SEC guidance will fundamentally alter this equation by raising questions that historically have not been asked at many U.S. companies. Businesses will now have to consider, among other things, what constitutes a material cybersecurity breach and how to disclose such events to investors; how the value of intellectual property is measured; whether appropriate defenses are in place around that property; and whether risks are being appropriately mitigated, through defensive technologies or appropriate insurance coverage. (emphasis added)

Make no mistake: this is a big deal. Until now "disclosure" laws have aimed at protecting consumers by making their PII the important aspect of a digital incident.

With the SEC guidance, we have a new audience for "disclosure" -- shareholders. The SEC is telling publicly traded companies that they have to disclose material cyber security incidents. Now the battle to define materiality will begin.

Tweet

Read More

MANDIANT Webinar Friday

Join me and Lucas Zaichkowsky on Friday at 2 pm eastern as we talk about what happened at our annual MANDIANT conference, MIRCon! Registration is free and I expect you'll enjoy the discussion! We plan to review what we saw and heard, and how those lessons will help your security program.

Tweet

Read More

Review of America the Vulnerable Posted

Amazon.com just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the review in its entirety below.

I've added bold in some places to emphasize certain areas.

---

America the Vulnerable (ATV) is one of the best "big picture" books I've read in a long while. The author is a former NSA senior counsel and inspector general, and was the National Counterintelligence Executive (NCIX). In these roles he could "watch the fireworks" (not his phrase, but one popular in the intel community) while the nation suffered massive data exfiltration to overseas adversaries. ATV explains the problem in terms suitable for those familiar with security issues and those learning about these challenges. By writing ATV, Joel Brenner accurately and succinctly frames the problems facing the US and the West in cyberspace.

In this review I'd like to highlight some of Mr Brenner's insights and commentary.

On pp 65-7 he discusses "China's Long View... China had the world's largest economy for eighteen of the past twenty centuries. The two exceptions were those of America's youth and rise to power.... Like India, China does not regard Western domination as normal, and it does not suffer from an inferiority complex. China's chief national strategic objectives are to lift its population out of poverty and reestablish its place in the international order."

On pp 68-71 he explains the problem with the binary thinking of Westerners regarding war. China does not see war as a binary issue, where one is either at peace OR at war. "This kind of ambiguity is difficult for Americans to digest. We are direct and aboveboard, and we like to think others are like us -- or would be if given half a chance... [W]e suffer from a Western misconception in our law, religion, and policy that 'peace' and 'war' are opposites that cannot occur at the same time... Many Americans cling to this view, even though war has not been declared on the planet since 1945, while there have been hundreds of organized, violent, and militarized struggles in the interim."

On pp 71-3 he reiterates my point that the consequences of digital assault from China are indeed new, as well as the assault itself. "Our companies are under constant, withering attack. After the Google heist, companies [all emphasis is original] started asking the government for help in defending themselves against nations. This was unprecedented. We are now in uncharted territory... the boundary between economic security and national security has completely disappeared... While the scope of and intensity of economic espionage have assumed startling proportions, the 'traditional' espionage assault on our national defense establishment dwarfs anything we have ever before experienced."

On pp 75-77 Mr Brenner describes instances of espionage and consequences. "[Chi Mak] is the first spy (that we know of) through whom we lost critical military secrets and who was not a government employee. He will not be the last. If further proof were required, the case thus illustrates how thoroughly the functional boundary between the private sector and the government has dissolved... In essence, the PRC is leveraging the Pentagon's R&D budget in support of its own war-making capability."

Mr Brenner focuses on Chinese espionage in ATV; the following from p 78 is a good summary: "In contrast to the Russians, who are highly professional, the PRC often enlists amateurs from among a huge pool of sympathizers."

In the middle of the book Mr Brenner concentrates on the China threat by correctly identifying that the Chinese do not want a shooting war with the US. Rather (quoting Chinese military thinkers on p 118) "the objective in warfare would not be killing or occupying territory, but rather paralyzing the enemy's military and financial computer networks and its telecommunications. How? By taking out the enemy's power system. Control, not bloodshed, would be the goal... [Continuing on pp 126-7,] The Prussian Carl von Clausewitz, and Mao after him, had called war 'politics by other means.' [Strategists] Qiao and Wang seemed to be saying the reverse: Politics -- and economics and communications and everything else -- was war by other means. And while Clausewitz had preached the doctrine of the decisive battle, Qiao and Wang said there would be no more decisive battles."

Ch 9, "Thinking About Intelligence," is one of my favorite chapters because Mr Brenner examines the role of information and intelligence agencies in the modern world. On p 196 he makes a fascinating point: "To understand the future of the private sector's role in intelligence, we don't need a crystal ball. We can just as well look backward as forward, because we are experiencing a return to a historical norm." He then argues that the private sector is developing intel capabilities rivaling the government, which was the case prior to the creation of national agencies in the 20th century. On p 209 he recommends the following: "[T]he best way to run an intelligence agency is to focus tightly on the parts of the business that are really secret and separate them from the rest. You spend more money on open-source collection and analysis, and let them happen in controlled but unclassified space. You beef up counterintelligence. And you pay much more attention to the electronic handling and dissemination of information."

In the final chapter he offers some recommendations for improvement. I liked this statement on p 216: "If you wait for the incoming danger to reach you, you won't be able to defend against it. CYBERCOM solves this problem by letting the general in charge of defending national security networks use offensive tools outside his networks in order to know what's coming. To be blunt, espionage is an essential aspect of defense. To know what's coming, we must be living inside our adversaries' networks before they launch attacks against us." Note that is the traditional role of espionage, a model which the Chinese shatter by living inside our companies' networks, solely to steal our intellectual property.

I only found one small typo on p 194: The Yom Kippur War happened in 1973, not 2003.

Overall, I really enjoyed ATV. While I don't think the suggestions for improvement in the last chapter are sufficient to mitigate the threat, several of them are a good start. I highly recommend reading ATV at your earliest opportunity!

Tweet

Read More

Republican Presidential Candidates on China

(Photo: Business Insider)

This is not a political blog, so I'm not here to endorse candidates. However, I do want to point out another example of high-level policymakers discussing ongoing activities by China against the US and other developed economies.

First, the Washington Post published an editorial by Mitt Romney which included the following:

China seeks advantage through systematic exploitation of other economies. It misappropriates intellectual property by coercing “technology transfers” as a condition of market access; enables theft of intellectual property, including patents, designs and know-how; hacks into foreign commercial and government computers...

The result is that China sells high-quality products to the United States at low prices. But too often the source of that high quality is American innovations stolen by Chinese companies.

I missed this in August, but former ambassador to China Jon Huntsman said the following during a debate:

Huntsman Jr. pointed to China as a culprit in what he described as “the new war field” — cyber-intrusion as a way to steal corporate and government secrets. “Not only have government institutions been hacked into, but private individuals have been hacked, too. It’s gone beyond the pale,” Huntsman said.

The third candidate in the photo, Rick Perry, is also involved in the China debate. He's currently defending Texas' relationship with Huawei.

I'm going to be fairly strict regarding comment publishing for this post, so please be civil, nonpolitical, and relevant. Again, my point is to show that Chinese cyber campaigns are now a hot topic in political campaigns.

Tweet

Read More

Bejtlich in "The expanding cyber industrial complex"

Christopher Booker interviewed me and several other policy-oriented security people for his video Financial Times story The expanding cyber industrial complex. This was a different experience for me for two reasons. First, Christopher conducted the interviews via Skype. Second, you can see what appear to be the home offices of several of the contributors, including me.

One technical note on the video: I had some trouble getting it to play. To get it working I selected another video then went back to this one.

Thank you again to Christopher Booker for the opportunity to offer my opinions.

(Bonus points to anyone who can identify the box on the shelf over my right shoulder, on the lower left side of the photo.)

Tweet

Read More

Computer Incident Response Team Organizational Survey, 2011

Today at MIRCon I mentioned that one of my colleagues, Jeff Yeutter, had updated the somewhat famous CERT/CC study of CIRT characteristics as part of his degree program. Jeff posted the survey online as Computer Incident Response Team Organizational Survey, 2011 with this description:

In 2003, the CERT CSIRT Development Team (www.CERT.org) released a study on the state of international computer security incident response teams with the goal of providing "better insight into various CSIRT organizational structures and best practices" for new and existing members of the CSIRT community (Killcrece, Kossakowski, Ruefle, & Zajicek, 2003). The attached survey, a modified form of the original, will be used to update the 2003 study with a greater focus on the methods of organization used by American and international CIRTs, the tools that they employ, and how these vary across organizations of different sizes and industries.

This research is being conducted, and is independently funded, by Jeff Yeutter, Technical Sales Executive at Mandiant, as the final project for his Master's in Information Systems with a concentration in Computer Security Management at Strayer University. This survey will also be distributed to members of the Forum of Incident Response and Security Teams (www.FIRST.org) with the assistance of Richard Bejtlich, Chief Security Officer and VP, MCIRT, at Mandiant.

No identifying information is required to complete this survey. Participants may include such information if they are interested in immediately being notified of the results of the study once it is complete, or if they would like to make themselves available for follow-up questions. Any and all identifying personal or professional identifying information offered by participants will be held in strict confidence. The results of this study, minus any identifying information, may be included in a future, cost-free whitepaper.

The original CERT study from 2003 can be found at: www.cert.org/archive/pdf/03tr001.pdf

The time to complete this survey is approximately 10-15 minutes.

If you're a CIRT member and want to contribute, please consider completing the survey at Computer Incident Response Team Organizational Survey, 2011. Thank you!
Tweet

Read More

Interview with One of My Three Wise Men

Tony Sager from the NSA is one of my Three Wise Men. (Dan Geer and Ross Anderson are the other two.) Eric Parizo from SearchSecurity.com interviewed Tony this week and posted the video online.

Tony notes that the escalation in threat activity during the last few years is real. He is in a position to know, given he has worked at NSA since the 1970s. Tony says the threat activity is getting people's attention now, especially at more senior levels of the government and industry. Now targeted organizations are thinking beyond the question "does this affect my company" to "does this affect my industry?"

Tony explains that a generational effect may account for the change in awareness. More senior leaders grew up with technology, so they know how to think about it. There is also more public reporting on serious security incidents today.

My favorite quote was:

"If you're not a little concerned, you haven't been paying attention."

Since Tony is Mr Reasonable, I think that's a significant statement!

Eric asked Tony for his opinion on APT, and he replied that APT isn't that useful a concept for his line of work. That's possibly because his agency uses the original intrusion set names to manage threat intelligence, rather than an unclassified, "umbrella" term for discussing threat actors in private industry. Tony did explain that the "advanced" aspect for him means conducting operations in multiple "domains," e.g., escalating to physical, non-digital attacks when necessary.
Tweet

Read More

Russia v China -- Sound Familiar?

Thanks to a source who wishes to remain anonymous, I read Chinese spy mania sweeps the world, an article not from a Western publication. Rather, it's from Voice of Russia. Does any of this sound familiar?

[T]his is the most powerful secret service based on the principle of attracting all ethnic Chinese, wherever they may live. An adherent of the “total espionage” strategy, Beijing even encourages emigration in the hope that its citizens will remain loyal to and useful for their historical homeland after moving to another country...

"The history of China’s espionage activities on Russian armaments is not only limited to one precedent or one type of weapons. One of the top Chinese priorities is to produce complete replicas of Russia’s best machines and weapons, from the Sukhoi Su-33 fighter jet to missiles, aircraft carriers and so on.

This is a truly purpose-oriented strategy of a large country - snatch anything you can and reproduce it domestically," ["IT expert"] Andrei Masalovich points out.

Cynics will point out that perhaps this article is trying to deflect attention from Russia's own espionage activities. However, you can't deny that even the Russians have issues with Chinese operations.

For an example of the sorts of problems Russia is having, see this ABC News story China Still Spies the Old Fashioned Way, Russia Says:

Russia's secretive spy agency, the Federal Security Service (FSB), issued a rare statement Wednesday claiming the state had arrested a Chinese citizen who, posing as a translator for official delegations, was working under the direction of the Chinese government in an attempt to buy state secrets from Russians about Russia's S-300 missile system.
Tweet

Read More

It's All About the Engines

(Photo credit: AINOnline)

I just read Big New Chinese Order for Russian Fighter Engines at China Defense Blog, which quoted AINOnline:

China has placed additional orders for Russian AL-31-series fighter engines. State arms trade agency Rosoboronexport clinched two big contracts earlier this year...

To serve them, Salut has established partnerships with Limin Corp. and Tyan Li company in Chengdu on deliveries and manufacturing of spare parts for both the AL-31F and the AL-31FN. Russia has also agreed to provide all necessary maintenance and repair documentation to the Chinese partners.

To see China treats or will treat Western aircraft and aircraft engine makers, look no further than Russia.

The comments in the CDB post pointed me to this engine comparison for the J-20, which I sometimes mention in my classes. Essentially the Chinese appear to be testing two engines on the J-20, because they are not sure if they will use a Russian-made engine (or copy) or an "indigenous" engine (which is probably a copy of someone else's technology).

Tweet

Read More

House Cybersecurity Task Force Report Released

The House Cybersecurity Task Force released its report (.pdf) today. NextGov offers a good summary in their story House GOP Cyber Task Force Touts Industry Leadership by Jessica Herrera-Flanigan.

The report includes the following recommendation:

Companies, including Internet Service Providers (ISPs) and security and software vendors, are already conducting active operations to mitigate cybersecurity attacks. However, these are largely done independently according to their individual business interests and priorities. Congress should facilitate an organization outside of government to act as a clearing house of information and intelligence sharing between the government and critical infrastructure to improve security and disseminate real-time information designed to help target and defeat malicious cyber activity.

I would like something bolder, like the National Digital Security Board I proposed in 2006. Still, such a "clearing house" could evolve into an organization with the authority to investigate incidents, or at least contract an organization to conduct investigations, and then publish anonymized lessons and results.

I would find leading that organization to be a great challenge!
Tweet

Read More

C-SPAN Posts Video of Tuesday Hearing

You can now access video of Tuesday's House Select Committee on Intelligence Hearing on Cybersecurity at C-SPAN.

Some people are already asking "what's new" about this. For me, what's new is that the chairman of the HPSCI is pointing his finger straight at the threat, and letting the world know in an open hearing that the adversary's actions are unacceptable and will not be tolerated. This is exactly the sort of attention and action that the threat deserves and I applaud the Chairman and HPSCI for pursuing this course.

Remember that the HPSCI is more likely to hold closed hearings than open hearings due to the nature of its classified intelligence oversight work. By conducting an open hearing, Chairman Rogers wanted to send a clear message to victims, the public, and the adversary.
Tweet

Read More

Inside a Congressional Hearing on Digital Threats

Today I was fortunate to attend a hearing of the US House Permanent Select Committee on Intelligence (HPSCI). That's me on the far left of the photo, seated behind our MANDIANT CEO Kevin Mandia. I'd like to share a few thoughts on the experience.

First, I was impressed by the attitudes of all those involved with HPSCI, from the staffers to the Representatives themselves. They were all courteous and wanted to hear the opinions of Kevin and the other two witnesses (Art Coviello from RSA and Michael Hayden from the Chertoff Group), whether before, during, or after the hearing.

Second, I thought Reps Mike Rogers (R-MI, HPSCI Chairman) and C.A. Dutch Ruppersberger (D-MD, HPSCI Ranking Member) offered compelling opening statements. Rep Rogers squarely pointed the finger at our overseas adversaries. As reported by PCWorld in U.S. Lawmakers Point to China as Cause of Cyberattacks, Rep Rogers said:

"I don't believe that there is a precedent in history for such a massive and sustained intelligence effort by a government to blatantly steal commercial data and intellectual property...

China's economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy."

You can watch all of Rep Rogers' statement on YouTube as Rep. Mike Rogers criticizes Chinese economic cyber-espionage (currently 21 views -- let's increase that!)

General Hayden reinforced Rep Rogers' sentiment with this quote:

"As a professional intelligence officer, I step back in awe of the breadth, the depth, the sophistication, the persistence of the Chinese espionage effort against the United States of America."

Third, I was very pleased that this hearing was conducted in an open forum, and not behind closed doors. While I haven't found the whole hearing online or on TV yet (aside from Rep Rogers' statement and that of Rep Myrick (R-NC)), I encourage as much discussion as possible about this issue.

One of General Hayden's points was that we are not having a debate about how to address digital threats because no one agrees what the facts are. If you work counter-intrusion operations every day, or participate in the intelligence community, you know what's happening. Outside that world, you likely think "APT" and the like are false concepts. We can really only build a national approach to countering the threat if enough people know what is happening.

As more information becomes available I will likely publish it via my @taosecurity Twitter account.
Tweet

Read More

Chinese Espionage in Five Minutes

This evening I watched last week's episode of This Week in Defense News with Vago Muradian. Vago's last guest was David Wise, author of Tiger Trap. If you want to learn as much as possible about Chinese espionage in a five minute interview, I recommend watching History of China spying on U.S.. I hope this book encourages attention at the highest levels of the US government and industry.
Tweet

Read More

Review of Robust Control System Networks Posted

Amazon.com just posted my five star review of Robust Control System Networks by Ralph Langner. From the review:

I am not an industrial control systems expert, but I have plenty of experience with IT security. I read Robust Control System Networks (RCSN) to learn how an ICS expert like Ralph Langner think about security in his arena. I was not disappointed, and you won't be if you keep an open mind and remember IT security folks aren't the target audience. After reading RCSN I have a greater appreciation for the problems affecting the ICS world and how that community should address the fragility of its environment.
Tweet

Read More

Impressions: The Art of Software Security Testing

I'll be honest -- on the same trip on which I took The Art of Software Security Assessment, I took The Art of Software Security Testing (TAOSST) by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. After working with TAOSSO, I'm afraid TAOSST didn't have much of a chance.

TAOSST is a much shorter book, with more screen captures and less content. My impressions of TAOSST is that it is a good introduction to "identifying software security flaws" (as indicated by the subtitle), but if you want to truly learn how to accomplish that task you should read TAOSSA.

Tweet

Read More

Impressions: The Art of Software Security Assessment

I recently took The Art of Software Security Assessment (TAOSSA) with me on a flight across the US and part of the Pacific. This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before. If I had read the whole book I would have written a five star review. However, since I only read certain parts of interest to me, I'm sharing these impressions of the book.

One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers. These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters.

In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities. For example, pages 250-3 show the progression of problems with the Antisniff tool. We read about trouble with versions 1.0, 1.1, 1.1.1, and 1.1.2, each trying to fix a bug caused by the previous change.

Another amazing aspect of TAOSSA is its coverage of subtle differences between different Unix-like systems, e.g. FreeBSD, NetBSD, OpenBSD, Solaris, and Linux. I really appreciated such careful attention to detail.

Probably the strongest aspect of TAOSSA was the overall methodology, which I define as 1) show how the technology works; 2) show vulnerabilities in code; 3) show how to fix the code (usually all with real examples).

My only criticism is more philosophical, because the authors recycle the flawed Microsoft "threat modeling" paradigm. This approach results in weird sentences like "threat identification is the process of determining an application's security exposure based on your knowledge of the system" (p 59). Fortunately the authors use the proper term "attack trees" rather than "threat trees," presumably because they recognize that Bruce Schneier was right when he promoted the "attack tree" approach!

Overall, the book is very well written, with great consistency despite three authors and hundreds of pages. If you can find a software developer who honestly read the entire TAOSSA and integrated its wisdom into his or her coding, hire that person!
Tweet

Read More

Impressions: Tiger Trap

I just finished reading Tiger Trap by David Wise. I read the whole book (so my "impressions" label isn't really accurate, because I use that for books I didn't fully read). I don't feel like writing an entire review but I wanted to capture a few thoughts.

First, if you know nothing about Chinese espionage against the United States, read Tiger Trap. I didn't think Tiger Trap was the easiest book to read about the subject, but I haven't seen any other source cover so much history in one volume.

Second, it seems the Chinese prefer to use human resources to steal classified information, mainly because accessing classified networks is tougher than accessing unclassified networks. Still, there are plenty of cases where humans physically stole unclassified but sensitive information. Most of these predate the Web however.

Third, the Chinese like to "get good people to do bad things," as I Tweeted last week (citing page 16). In other words, China appeals to its overseas ethnic community to steal information because China "is a poor country," and it "needs to develop." (Oddly enough I have read these exact words in articles by various people who brush off reports of espionage.) While some spies act out of greed or revenge or a need to feel important, it seems plenty of other spies think they are really doing the right thing, leveling the playing field, or even helping both sides!

If anyone can provide the names of other resources describing Chinese espionage, I would appreciate the comment.
Tweet

Read More

Bejtlich Cited in Chinese Article on APT

I found it ironic to see the names Richard Bejtlich and MANDIANT appearing in the article How to reduce the losses caused by APT attack? The reason this is funny is that the article appears in a Chinese-language story, published by a site operating in Beijing!

You can read the Google Translation if you can't read the original.

According to Tianji Media Group:

Established in January 1997, ChinaByte was the first IT news website in China.

So, welcome to the APT coverage!
Tweet

Read More

Classic Chinese Defensive Propaganda

Thanks to the sharp eye of a colleague from a mailing list, I learned of the article Is China Really Cyberdragon? in the English-language China Daily newspaper. The article is by Tang Lan, deputy director of the Institute of Information and Social Development Studies, China Institutes of Contemporary International Relations (a state-directed research institute). His writing displays all of the class elements of what I call Chinese defensive propaganda, in this case specifically addressing APT intrusions.

I'll cite a few examples so you know what I mean.

Hacking poses a threat to both China and Western countries and politicizing the problem will be detrimental to all.

The beginning of the article introduces the reader to the concept that China is just as much a victim of hacking as the West. This is the first invocation of "the victim card," which is a constant aspect of Chinese self-identity and international relations.

Tang Lan then dismisses accusations that the Chinese hack Western organizations, naming a few companies specifically. Then we read:

This is not the first time China has been the victim of such accusations. In fact, it was also accused of having instigated several previous systemic long-term intrusions, namely Operation Titan Rain, Night Dragon and Operation Aurora.

Again we see the victim card, using the actual word "victim." I think this section is counter-productive, because it reminds the reader that the Chinese have been publicly active against Western targets since 2003 (i.e., the mention of Titan Rain).

Western governments and media would have people believe that China has become a "cyberdragon", able to infiltrate the computer systems of countries and companies seemingly at will.

It may be tough for the author to appreciate this statement, but it's fairly true.

Besides, it is simply untrue to say that China is not a victim of cyber attacks. China was hit by nearly 493,000 cyber attacks last year, about half of which originated from foreign countries, including 14.7 percent from the US and 8 percent from India, according to a report issued on Tuesday by the Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT/CC), the country's primary computer security monitoring network.

Notice the third use of the victim card. More interestingly, who said "China is not a victim of cyber attacks?" Tang Lan introduces a red herring (pun intended) to divert our attention, and then uses statistics from CNCERT to show an argument (made by no one) is false.

Hacking poses a great threat to both China and Western countries and should be considered a common enemy. It is irresponsible to accuse any other country without ample evidence, and politicizing the problem will only prove detrimental to the interests of all.

As a responsible country, China has long held the principle of strengthening supervision of the Internet, and encourages all countries to cooperate for the common good.

We also hope other countries can hear China's voice, and understand China's efforts in defending the security of all.

In this amusing conclusion to the article, there are three points. First, we have a fourth invocation of the victim card. Second, we read of "irresponsible" and "responsible" countries. The US is "irresponsible" because its private, non-state-owned security firms are pointing the finger at China. China is "responsible" because it promotes "supervision of the Internet" (obviously via the Great Firewall of China). Third, China is supposedly encouraging "all countries to cooperate for the common good" and "defending the security of all." How is that happening, exactly?

I thought it was telling that someone in the Party decided to commission a response via an institutional speaker. The double-speak in the article shows China craves being seen as "responsible," which gives the West a strategy for diplomatic pressure against APT intrusions. I also expect to see the victim strategy used by China as a constant justification for whatever activity they pursue.

On a slightly humorous note, one of the responses to this article that I read on a mailing list asked the following question:

Given that the Chinese PLA assaults Chinese Web sites from compromised IP addresses in the United States (reported in Slip-Up in Chinese Military TV Show Reveals More Than Intended), what would the statistics look like if they removed all their self-inflicted attacks?
Tweet

Read More

Government Takeover of Compromised Digital Infrastructure Provider

The latest twist in the compromise of DigiNotar's certificate operations is amazing. The Associated Press reports:

DigiNotar acknowledged it had been hacked in July, though it didn't disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised.

But Donner said a review by an external security company had found DigiNotar's government certificates were in fact compromised, and the government is now taking control of the company's operations. The government also is trying to shift over to other companies that act as digital notaries, he said.

As you can see I highlighted two points.

Regarding the first, it took external analysis of the event to determine the true facts of the case. For me this is a step closer to requiring third party review of security posture, and by that I don't mean "are you vulnerable?" I mean instead "are you compromised?"

Regarding the second, I can't remember a time where a government assumed control of a private company in order to implement digital security measures. (Can anyone recall a similar event at another time?) This could be a wake-up call to governments that one of the foundations of digital security is a commercial arrangement whereby the fall of any of 600 or more certificate authorities puts the entire system in danger.

Tweet

Read More

Watch National Geographic Channel's The Liquid Bomb Plot

Over the last week I've been watching a new National Geographic Channel documentary titled The Liquid Bomb Plot. It explains how British intelligence detected and thwarted an AQ operation to destroy at least seven aircraft flying from the UK to the US in August 2006. The show is excellent and features first-hand accounts, including key US personnel like Secretary Chertoff and General Hayden.



I recommend watching this show because it demonstrates the tensions between the law enforcement and intelligence communities. The content also touches on the question of whether counter-AQ operations are legal affairs or military affairs.



After the show you will be less likely to doubt the value of US and UK intelligence operations (and those of our allies), even after the demise of UBL.



Furthermore, you can probably imagine how this sort of intel-centric operation is similar to the new sorts of wars we're fighting else -- i.e., in the digital domain.

Tweet

Read More

TaoSecurity Security Effectiveness Model

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.



Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label "Defensive Plan"; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as "Threat Actions"; and 3) What is in reality defended in the enterprise, whether or not defenders or the adversary cares, what I label "Live Defenses".



I call the Defensive Plan "Correct" when it overlaps with the Adversary Actions, because the defenders correctly assessed the threat's interests. I call it "Incorrect" when Live Defenses are applied to areas outside the interest of the security team or outside the interest of the adversary.



I call the area covered by the Live Defenses as "Defended," but I don't assume the defenses are actually sufficient. Some threats will escalate to whatever level is necessary to achieve their mission. In other words, the only way to not be compromised is to not be targeted! So, I call areas that aren't defended at all "Compromised" if the adversary targets them. Areas not targeted by the adversary are "Compromise Avoided." Areas targeted by the adversary but also covered by Live Defense are "Compromise Possible."



The various intersections produce some interesting effects. For example:

1. If you're in the lower center area titled "Incorrect, defended, compromise possible," and your defenses hold, you're just plain lucky. You didn't anticipate the adversary attacking you, but somehow you had a live defense covering it.



2. If you're near the left middle area titled "Correct, undefended, compromised," this means you knew what to expect but you couldn't execute. You didn't have any live defenses in place.



3. If you're in the area just below the previous space, titled "Incorrect, undefended, compromised," you totally missed the boat. You didn't expect the adversary to target that resource, and you didn't happen to have any live defenses protecting it.



4. If you're in the very center, called "Correct, defended, compromise possible," congratulations -- this is where you expected your security program to operate, you deployed defenses that were live, but the result depends on how much effort the adversary applies to compromising you. This is supposed to be "security Nirvana" but your success depends more on the threat than on your defenses.



5. The top-most part titled "Incorrect, undefended, compromise avoided" shows a waste of planning effort, but not wasted live defenses. That's a mental worry region only.



6. The right-most part titled "Incorrect, defended, compromise avoided" shows a waste of defensive effort, which you didn't even plan. You could probably retire all the security programs and tools in that area.



7. The area near the top titled "Incorrect, defended, compromise avoided" shows you were able to execute on your vision but the adversary didn't bother attacking those resources. That's also waste, but less so since you at least planned for it.

What do you think of this model? Obviously you want to make all three circles overlap as much as possible, such that you plan and defend what the threat intends to attack. That's the idea of threat-centric security in a nutshell -- or maybe a Venn diagram.

Tweet

Read More

TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct

I just created a class page for my upcoming TCP/IP Weapons School 3.0 in McLean, VA on 26-27 October 2011. I decided to offer this class because I haven't taught anything nearby in quite a while, and many people asked for a class in NoVA. I don't plan to offer this sort of "solo" (i.e., outside Black Hat) class again (or anytime soon). So, if you're in the neighborhood and you'd like to attend a TWS3 class, this could be your chance! The venue only seats 20-25 students, so please keep that in mind. You can register through RegOnline immediately. Thank you.



Tweet

Read More

Jaime Metzl Describes "China's Threat to World Order"

Props to LS for pointing me to this WSJ article titled China's Threat to World Order. I found the following pertinent for the "cyber" aspect:



Allegations that the Chinese government is behind the largest computer hacking operation in history will not come as a surprise to observers of recent trends in international relations. If there is one thing that China's actions across a range of fields have made clear, it is that Beijing will do whatever it takes to advance its narrowly defined economic interests, even if that requires riding roughshod over global norms...



It is no longer acceptable for China to claim global leadership in some areas but then pretend it is a weak developing country and shirk its responsibilities in others. A China that leads the world in the theft of intellectual property, computer hacking and resource nationalism will prove extremely destabilizing. If it continues on this course, Beijing should not be surprised if other countries begin to band together to collectively counter some of the more harmful implications of China's rise.



I think contrasting China with Russia may be helpful here. We tend to have more cooperation with Russia, even in areas of digital security; for example, see the work of the EastWest Institute.



After publishing the WSJ article, Jaime then summarized open reporting on China's activities over the last few years and published the result at China and Cyber-Espionage.



Tweet

Read More

Expect to Hear "IDS Is Dead" (Again)

Do you remember when IDS was dead, and supposed to be replaced by "thought-leading firewalls" by 2005?



Well, that prediction died pretty quickly. However, I expect to hear it again after reading DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn:



About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's Einstein 3 effort, said Deputy Defense Secretary William Lynn.



During an address to the 2011 DISA Customer and Industry Forum in Baltimore, Md., Lynn said the sharing of malicious code signatures gathered through intelligence efforts to pilot participants has already stopped "hundreds of intrusions."



Lynn also laid blame for intrusions into military and defense industrial base networks on "foreign intelligence services," stating that they have stolen military plans, weapons system designs, source code and other intellectual property.



"This kind of cyber exploitation does not have the dramatic impact of a conventional military attack," Lynn said. "But over the long term, it has a deeply corrosive effect. It blunts our edge in military technology and saps our competitiveness in the global economy."



Foreign intruders have extracted terabytes of data from defense companies, he added.



This sort of story is likely to lead to the same arguments I heard eight years ago regarding "Intrusion Detection Systems" vs "Intrusion Prevention Systems," namely:



If you can detect it, why can't you prevent it?



This is a broad topic, so rather than try to answer everything here and now, I'll likely work on it over the coming weeks in individual posts.



Tweet

Read More