Giving and Being Thankful – MIRcon 2011

MIRcon 2011 is fast approaching. I’ve been putting the finishing touches on my presentation and I hope it offers some ideas for dealing with infected hosts with Mandiant’s Intelligent Response and other tools you either already have deployed or can have for free. Well free to you. They’re really paid for with the blood, sweat and tears of some of the brightest, most giving and caring professionals you’ll ever encounter in any field…and Mandiant gives away a bunch of very useful ones. Which is why I decided to present.

I likely wouldn’t be attending MIRcon this year if I weren’t presenting. Budgets are tight and I prefer not to be away from my family anymore than I have to. I don’t have the technical ability or in depth knowledge to create some of the incredible tools freely available to anyone who cares, like Redline, Web Historian, and the “blows my mind/how cool is that” Heap Inspector from Mandiant or the LiveCD distributions like the SANS Investigate Forensic Toolkit (SIFT), Snorby/InstaSnorby, or Security Onion to name only a few.

It’s often lamented that we, the defenders, don’t share enough and to an extent it’s true. The attackers are sharing and trading tools and tactics in shady undergrounds, while the defenders are cloistered in their walls with minimal awareness of how surrounding castles fair. Look at all the breaches that have happened this year. How many have resulted in details of exactly what happened, how it happened, what was lost and why it can happen to anyone. The more we understand attacker methodologies the better we can prepare, detect and respond. We shouldn’t have to learn that lesson over and over again from company to company, living Madonna’s “Like a Virgin” each time it happens to an organization. Cybercrime is a war…it helps if allies actually talk and share.

But where the security community has proven to be a shining example of sharing is in the tools market. For most commercial detection and prevention tools there are freely available alternatives. They may not be for the weak or squeamish or be easy to find, but they’re effective, can do the job and are getting better and easier to use every year. These tools enable professionals like me. They allow me to go deeper and further than I may have without them. They make me better at security. They make me smarter than I am. They make me want to try to give something back. Like this blog. Like presenting at MIRcon.

I’m not a fan of public speaking, mostly due to nerves and not enough experience/comfort doing it. But my incredible wife constantly reminds me with her words and actions how important it is that we give back. That we share what we do have or know or create if it can help someone else through a struggle or to overcome a problem. So I’ll take the butterflies and try to overcome the awe and wonder of speaking at a conference where the likes of Richard A. Clarke and Michael Chertoff are keynoting. It’s more than worth it to try and give a something back, even if it’s just a little.

To anyone who has given something of themselves for the betterment of security, thank you. I’m looking forward to being able to thank some people in person for their efforts at MIRcon.


Mouse Traps?

Wired reported on a blog entry by Netragard detailing a wonderfully clever social engineering attack that should open some eyes. I’m not sure it will, but it should. For the unaware, social engineering is the art of manipulating a person into doing something you want, in this case inserting a USB device into their work computer.

Fearing the awareness levels around USB flash drives and malware were too high, they opted for a different USB device…a mouse. Carefully disassembling the mouse, they added a mini USB hub to which they attached a mini flash drive. When the user plugs in the mouse, they get the added bonus of a free flash drive with malware. After reassembly, they repackaged the mouse and sent it on it’s way. Are you surprised that within three days of sending it to their target the malware phoned home?

It’s a truly brilliant attack and they are to be commended for their creative thinking. I would think with most targets this attack or a variant thereof (free printers anyone?) would have a 100% success rate. I’d also like to thank them for sharing the story. While it sounds like to the stuff of spy movies, it’s real. And if good guys can think up these kinds of attacks you can bet the bad guys can to.

Which gets me thinking about risk. Does risk matter at all when the reality is you’re faced with attacks like this? Lesser attacks are just as effective, like targeted spear phishing. At one point does risk just become a way of measuring security through obscurity? Or is it there already? We already assume a lot of risk. Have we crossed a threshold?

It does confirm what I’m reading a lot of lately, especially from the likes of Richard Bejtlich of TaoSecurity and Mandiant CSO. The future of defense is a balance between prevention AND detection, trust AND distrust. The new model is not foreign to us. It’s the same castle and inner-keep concept. The difference is we’ve been lulled by security vendors into thinking we can prevent attacks while all along we watch virus detection rates fluctuate but never striking anywhere near 100%. In fact,’s most recent tests of “proactive on-demand detection” topped out at 61% back in May.

The key to defense is in knowing where your sensitive data lives and building your architecture around protecting that data. It’s your Fort Knox. Guard it, monitor it, trend it, know it. Inbound and outbound access should be locked down to required use only. This is your inner-keep. If it falls, game over.

That doesn’t mean your people milling around inside the castle’s walls get left for the vikings. But you can never know everyone and everything going on out there. Focus on what you need to protect, position it so it can be protected and closely monitored and defend the rest to the best of your abilities. But always, always watch the keep.

SMBs take heed as you’ll likely have greater agility in adapting this approach. If you have a server, a point of sale host and one or more daily operations hosts, do they all need to talk? Isolate the server and the point of sale host. Those machines that get used mostly for surfing the web for research, lookups or entertainment? Keep them away from your server and point of sale. And keep casual use away from sensitive systems.

If you don’t try to protect your company’s data, no one will.