Saturday, February 23, 2008

Microsoft Protocols Programs

Thanks to Robert Graham for pointing me to the fact that Microsoft has started a Protocols Program. This project includes thousands of pages of documentation (in .pdf format, w00t) divided into categories like Microsoft Communications Protocol Program (MCPP, for "server software that interoperates with Windows desktop operating systems") and Microsoft [Work Group] Server Protocol Program (WSPP, for "server software that interoperates with Microsoft Windows server and desktop operating systems to provide file, print, and user and group administration services").

I am frankly astounded by the number of documents available. and are 314 MB total.

I am probably going to follow the recommendations in the [MS-DOCO]: Windows Protocols Documentation Roadmap that outlines what to read and in which order. That means starting with [MS-PROTO]: Windows Protocols Overview and [MS-SYS]: Windows System Overview. Documentation like this is a boon for those who develop protocol analyzers, network security inspection systems, and filtering products. Security analysts and reverse engineers will also like to read this material.

Friday, February 15, 2008

First They Came for Bandwidth...

One of the problems with being a defender is a tendency towards a lack of imagination. As I've maintained for years, sophisticated intruders are unpredictable -- so much so that I call them intrupreneurs. Most defense is reactive (filling holes in the highway instead of deploying flying cars), with Attacker 3.0 outgunning Security 1.0.

This came to mind when I read Ukrainian Hacker Makes a Killing in Stock Market Fraud by Kim Zetter. She writes:

The case involves a Ukrainian engineering consultant named Oleksandr Dorozhko who is alleged to have hacked into a computer belonging to IMS Health, a company that provides market research to the pharmaceutical and health care industries.

Through the computer breach, Dorozhko apparently obtained advance information about a negative earnings announcement that IMS was to make a few hours later on October 17, 2007. He quickly purchased 630 put options for IMS Health, betting that the price of IMS shares, which were then trading at $30 each, would drop within three days. Dorozhko invested about $42,000 in the options, an amount that nearly equals his annual income, estimated to be between $45,000 and $50,000.

Hours later, IMS Health announced that its earnings had dropped 15 percent from the previous year and 28 percent below analysts' estimates, causing its stock price to fall to $21.20 the next day. Dorozhko's prescient purchases landed him a tidy profit of $286,457 in one day -- nearly six times his annual income.

I like this story because it explains why an intruder wants to compromise your company. Too often executives have trouble envisaging risk (expanded on in Analog Security Is Threat-Centric.)

Overall I see a progression like the following. (I thought I posted this before but I cannot find it!)

  • First they came for bandwidth... These are attacks on availability, executed via denial of service attacks starting in the mid 1990's and monetized later via extortion.

  • Next they came for secrets... These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990's and monetized as personally identifiable information and accounts for sale in the underground.

  • Now they are coming to make a difference... These are attacks on integrity, executed by degrading information starting at the beginning of this decade. These attacks will manifest as changes to trusted data such that those alterations benefit the party making the change. This sort of attack undermines the trustworthiness of data.

The scariest part is that the last kind of attack can be the hardest to detect and recover from.

Three Capabilities, Three Companies

Recently I've been working to augment my team's detection and response capabilities. I've identified three functions for which I've turned to the commercial software community for assistance. I'd like to highlight three capabilities and three companies which may be able to meet my requirements.

First, I need high-end network forensics. I plan to use my open source tools to do a good deal of collection and some analysis, but in certain cases I need more content-centric capabilities. For example, it would not be easy for me to extract certain types of application layer content (think documents, email attachments, and the like) using some of my tools. I am also not the only person who may need to do this work, so a collaboration- and non-expert-friendly system is needed.

For this I am taking a close look at NetWitness NextGen. I recently bought a copy of Investigator Field Edition. You can think of this product as a network forensics-equivalent of a hard drive forensics product. It's content-centric, not packet-centric like Wireshark. I'm considering using NetWitness Informer to provide Tactical Traffic Assessment services to my businesses by periodically collecting traffic and reporting on what I find.

I can't deploy network sensors everywhere I have a victim host. Therefore, I am going to end up doing a lot of host-centric detection and response. When I suspect a host has been compromised, I want to be able to remotely access that host, collect live response data, and perhaps remotely image the hard drive. I need to know as much about the victim as I can, as quickly as possible.

To meet this requirement I am considering MANDIANT Intelligent Response. I visited their Alexandria, VA offices and got a look at the product. I like the fact that it is built to not only support customers, but also for the MANDIANT consultants supporting DoD and other companies like mine. The consultants feed design ideas to the developers, and the team I met was open to my suggestions. I've also worked with many of the MANDIANT group and I believe they know what is needed to win incident response engagements. MANDIANT's product supports collaboration by allowing multiple investigators to research cases remotely. Their appliance has plenty of storage (3 TB I believe) to house remotely imaged hard drives as well.

The third capability I need to augment involves runtime and binary forensics, also known as memory forensics. Going one step beyond the need to conduct live response, I want to take a snapshot of memory on a victim. I want to identify rogue processes, and then 1) retrieve those processes in binary form for static and dynamic analysis on a test box and/or 2) attach a debugger to the rogue process to learn more about it in the wild. The first case is helpful to determine how malware could be used and how it is likely to communicate with the outside world. The second case could be used to observe malware in the wild, possibly even monitoring its communications with its controller -- even if those communications are encrypted on the wire.

To meet this last requirement I met today with HBGary and looked at a beta of their new HBGary Responder product. Over the next few months they are going to add the capability to remotely push their agent to a victim and then pull data from the victim to a concentrator. They plan to add collaboration features (similar to MANDIANT's) so I could manage cases in a distributed manner. Their Responder product provides Active Reversing capability and integrates the pure reverse engineering power of their Inspector tool. I was impressed by Responder's graphing capabilities and the way it showed areas of code that might interest me.

In addition to my technical detection and response needs, I also must provide security metrics for my program. It should be clear after reading such wonderfully titled posts as Control-Compliant vs Field-Assessed Security that I think input metrics are overrated. I need more output metrics to estimate the score of the game, i.e., are we winning, drawing, or losing? I am considering using HBGary Responder to provide one of our metrics in the following manner.

  1. Select a random subset of assets, like employee laptops.

  2. Use HBGary Responder to collect memory images of these assets.

  3. Use the product's binary hashing capabilities to identify processes by comparing them to the Bit9 Knowledgebase and other lists.

  4. Count the number of normal, suspicious, and malicious results over time, per machine. Ideally we want to see fewer suspicious and malicious results, with higher numbers indicating problems.

  5. Beyond the metric, use the conclusions to conduct incident response for those suspicious and malicious results.
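The five steps above, carried through as an added example; this is not code from the post, from HBGary or from Bit9. It assumes a prior collection step has already produced, per host and collection date, the name and SHA-256 of each process image found in memory (the part Responder would do). Every hash is a constructed placeholder, and the allow and block lists are stand-ins for a vendor knowledgebase and an internal list of confirmed-bad images. It goes one step past the post by also treating a known-good image running under an unexpected name as suspicious rather than normal.

```python
"""Output metric from memory-image process hashes (steps 1-5 of the post).

Added example, not code from the post, from HBGary or from Bit9. It assumes
a prior collection step produced, per host and collection date, the name and
SHA-256 of each process image found in memory. Every hash below is a
constructed placeholder, and the allow/block lists are stand-ins for a
vendor knowledgebase and an internal list of confirmed-bad images.
"""
from collections import Counter, defaultdict


def ph(n):
    """Constructed placeholder digest: 64 hex chars ending in n. Not a real hash."""
    return f"{n:064x}"


# Stand-in for a known-good knowledgebase: digest -> expected image name.
KNOWN_GOOD = {ph(1): "explorer.exe", ph(2): "svchost.exe", ph(3): "outlook.exe"}
# Stand-in for an internal block list: digests tied to earlier incidents.
KNOWN_BAD = {ph(666): "dropper seen in a prior incident (placeholder)"}

# Constructed collection results: (collection date, host, process name, digest).
INVENTORY = [
    ("2008-02-01", "laptop-01", "explorer.exe", ph(1)),
    ("2008-02-01", "laptop-01", "svchost.exe", ph(2)),
    ("2008-02-01", "laptop-02", "explorer.exe", ph(1)),
    ("2008-02-01", "laptop-02", "svchost.exe", ph(2)),
    ("2008-02-01", "laptop-02", "update.exe", ph(900)),   # unknown image
    ("2008-02-15", "laptop-01", "explorer.exe", ph(1)),
    ("2008-02-15", "laptop-01", "svchost.exe", ph(2)),
    ("2008-02-15", "laptop-01", "svchost.exe", ph(666)),  # bad image behind a trusted name
    ("2008-02-15", "laptop-02", "explorer.exe", ph(1)),
    ("2008-02-15", "laptop-02", "svchost.exe", ph(2)),
]


def classify(digest, name=None, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Verdict for one process image.

    Known-bad is checked first so a digest on both lists is never waved through.
    A known-good digest running under a different name than expected is still
    only 'suspicious': the code is trusted, the circumstances are not.
    """
    if digest in known_bad:
        return "malicious"
    if digest in known_good:
        if name is not None and known_good[digest] != name.lower():
            return "suspicious"
        return "normal"
    return "suspicious"


def score(inventory, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Step 4: {(date, host): Counter of verdicts}, the per-machine metric."""
    counts = defaultdict(Counter)
    for day, host, name, digest in inventory:
        counts[(day, host)][classify(digest, name, known_good, known_bad)] += 1
    return dict(counts)


def trend(scores):
    """Per host, the time series of suspicious+malicious counts. A rising series is the signal."""
    series = defaultdict(list)
    for (day, host), c in sorted(scores.items()):
        series[host].append((day, c["suspicious"] + c["malicious"]))
    return dict(series)


def ir_queue(inventory, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Step 5: every non-normal finding, malicious first, for incident response."""
    findings = [(classify(d, n, known_good, known_bad), day, host, n, d)
                for day, host, n, d in inventory]
    return sorted((f for f in findings if f[0] != "normal"),
                  key=lambda f: (f[0] != "malicious", f[1], f[2]))


if __name__ == "__main__":
    scores = score(INVENTORY)
    for key, c in sorted(scores.items()):
        print(key, dict(c))
    print(trend(scores))
    for row in ir_queue(INVENTORY):
        print(row)
```

The point of `trend` is the one the post makes: the number itself matters less than its direction per machine, and a host whose suspicious-plus-malicious count climbs between collections is where the incident response effort in step 5 should go first.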

I generated a bunch of other metrics last year in Controls Are Not the Solution to Our Problem.

Incidentally, I'm not the only person to think these companies are offering something worthwhile. Today I read Analyze This Malware over at Dark Reading.

Application forensics is a final category of importance for which there are no real commercial tools yet. The canonical example is database forensics. The Oracle leader is (unsurprisingly!) David Litchfield and the SQL server leader is Kevvie Fowler. Both should have books on their respective subjects arriving this year.

Thursday, February 14, 2008

Snort Report 13 Posted

My 13th Snort Report titled How to use shared object rules in Snort is posted. From the start of the article:

Shared object (SO) rules were introduced in Snort 2.6.0 in early 2006 to provide a means to obscure the exact detection mechanism used in the rule and allow for more flexible detection criteria. However, for the most part, organizations have continued to rely upon traditional Snort rules. This may be about to change, in light of a recent security advisory from Sourcefire. Let's take a look at how to get shared object rules working on Snort sensors.

If you have questions on Snort you'd like me to try to answer, please post them as comments here. Thank you.

Tuesday, February 12, 2008

Review of The Dark Visitor

In this post I review The Dark Visitor (TDV) by Scott J. Henderson, owner of the blog of the same name -- The Dark Visitor. Scott generously sent me a copy of his book after I found his blog and learned what the book discussed. The term "dark visitor" is Henderson's translation of the Chinese characters for "hacker".

TDV is a fascinating book, and if I could have reviewed it at I would have rated it 4 out of 5 stars. TDV is the only book I have found devoted exclusively to the Chinese underground. Once in a while I write about China in my blog, but Mr. Henderson's knowledge of the Chinese scene is amazing. What is more remarkable is his comment that all the information one needs to understand Chinese hackers is simply out in the open! The language barrier and cultural differences are probably the most significant challenges for Westerners trying to understand Chinese hackers.

TDV focuses on culture, history, and personalities. Many Chinese hackers are driven by intense patriotism and nationalism. They feel compelled to "defend" their homeland by attacking others, initially foreign sites but increasingly their own countrymen. Chapter four addresses the questions my blog readers are most likely to ask, namely the relationship between Chinese hackers and the Chinese government. Mr. Henderson believes Chinese hackers operate independently but some elements are likely to cooperate with those who perform espionage. Mr. Henderson makes the interesting point that Chinese military doctrine considers civilians to be an element of national power, so working with independent hacker groups to achieve national security and economic goals should not be surprising.

If that seems unremarkable, contrast those points with the American scene. American hackers are not revered as patriots. The intelligence and national security apparatus does not conduct an active and fruitful dialogue with the underground. The American government does not use hackers to advance political goals.

I gave the book four stars because it could use some work. It is self-published and needs the review of a professional editor. There are exceptionally few typos but an editor could improve the overall text considerably. Also, the book abruptly ends without warning. I think there is plenty of new material the author could include in a second edition, which I would eagerly read.

There are unfortunately very few books on real threats, i.e. parties with the capabilities and intentions to exploit vulnerabilities in assets. I would love to see books like this on the Russian and eastern European scene, and perhaps one on the Brazilian underground. I strongly suggest buying and reading TDV if you are trying to understand Chinese hackers. You should also subscribe to Mr. Henderson's The Dark Visitor blog.

ShmooCon Ticket on eBay

I've had a change of plans and won't be able to attend ShmooCon this weekend, so I just listed my ShmooCon ticket on eBay. If you have any questions please contact me.

Monday, February 11, 2008

Review of Router Security Strategies Posted

just posted my four star review of Router Security Strategies: Securing IP Network Traffic Planes by Gregg Schudel and David J. Smith. From the review:

Router Security Strategies (RSS) is the sort of Cisco security book I like to read. Some of you were surprised by my three star review of another recent Cisco security book -- LAN Switch Security (LSS). I suggest the authors of that book take a look at RSS as a model for writing a second edition of LSS. RSS is well-organized, very clear, and backed by plenty of actionable command syntax. Were it not for a tendency to unnecessarily repeat and summarize material, I would have rated RSS five stars. Nevertheless, anyone operating Cisco routers would do well to consider how RSS approaches the network security problem.

Wired on Air Force Cyber Command

Kudos to Marty Graham of Wired for writing Welcome to Cyberwar Country, USA. This is original reporting on the Air Force Cyber Command, focusing on the question of where to formally house the command. I personally hope it is located near Washington, DC. Given that the JTF-GNO and NSA are nearby, it would make sense for the Air Force to be physically close to coordinate work and draw on local talent.

Friday, February 08, 2008

Reminder: Last Day for Web Registration for Bejtlich's Black Hat DC 2008 Training

I just wanted to remind interested readers that Black Hat was kind enough to invite me back to teach TCP/IP Weapons School at Black Hat DC 2008 on 18-19 February 2008, at the Westin Washington DC City Center. This is currently my only scheduled TCP/IP Weapons School training class in 2008. The cost for this single two-day class is now $2400, and online registration is supposed to close today. Register while seats are still available -- both of my sessions in Las Vegas sold out. Thank you.

Wednesday, February 06, 2008

NSM at the Endpoint

For many years I've advocated Network Security Monitoring (NSM) as a powerful way to improve digital situational awareness in an independent, self-reliant, and cost-effective manner. NSM relies on watching network traffic to identify suspicious and malicious activity, which prompts incident response and remediation activities. An underlying assumption is that the asset of interest is using a network you own and have adequately instrumented.

What do you do if you do not own the network?

Consider the following situation. First, a company laptop is connected via wired Ethernet to the company LAN. Here, traffic from the laptop out to the Internet can be assumed to traverse a link monitored by a NSM sensor. No problem.

Second, the user moves the laptop outdoors, and the link switches to using a company WLAN. Here, the traffic from the laptop out to the Internet eventually reaches the same wired link used in the first scenario, and hence is monitored by the same NSM sensor. Again, no problem.

In the third case, the user moves outside the reach of the company WLAN. Her laptop transitions to using an EVDO card or other metropolitan wireless network not operated by the company. Suddenly the network traffic generated by the laptop is invisible to the NSM sensor.

In a fourth case, the user goes home and uses her home network connection to access the Internet. This is the same problem as case number 3. If you think that using a VPN client that prevents split tunnels will solve this problem, what do you do when the laptop is connected to the home LAN but not yet connected to the company via VPN?

Clearly a large and definitely growing amount of network time is outside the reach of network-based sensors. I would personally still find network traffic generated by a compromised host to be extremely useful, regardless of how that host connects to any network. One option I pitched to NetWitness yesterday was to deploy a software agent to a suspected compromised system for purposes of collecting and storing network traffic to the victim hard drive.

In this model, once an asset has been identified as requiring additional monitoring, an agent is either pushed or activated that begins collection and retention. Periodically the agent reports summaries (probably session data) to a central server, and an analyst can decide what traffic should be fully retrieved for analysis. This approach has the benefit (some would say drawback, but whatever) of intercepting encrypted traffic as well. Remember, this is for an intrusion investigation. I am not a fraud/waste/abuse (FWA) investigator or privacy violator!
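The agent model just described, as an added example; this is not code from the post or from NetWitness. It models the three pieces the post names: full packets are retained on the monitored host's own disk, only session summaries (who talked to whom, when, how much, no payload) go to the central server, and an analyst pulls the full content of one session on demand. The packets are constructed records with documentation-range addresses and dummy payloads rather than a real capture, and the triage thresholds in `suspicious_sessions` are assumptions chosen for the example.

```python
"""Endpoint agent that retains traffic locally and reports session data.

Added example, not code from the post or from NetWitness. It models the
agent the post sketches: full packets stay on the monitored host's own disk,
only session summaries go to the central server, and an analyst pulls the
full content of one session on demand. The packets are constructed records
(documentation-range IPs, dummy payloads), not a real capture, and the
triage thresholds are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes


def flow_key(p):
    """Bidirectional key so both directions of a conversation land in one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class EndpointAgent:
    def __init__(self, host):
        self.host = host
        self.store = defaultdict(list)  # local retention: session key -> packets
        self.initiator = {}             # session key -> (client, server, port) from the first packet

    def capture(self, pkt):
        k = flow_key(pkt)
        if k not in self.store:
            self.initiator[k] = (pkt.src, pkt.dst, pkt.dport)
        self.store[k].append(pkt)

    def session_summaries(self):
        """What goes upstream: who talked to whom, when, how much. No payload."""
        out = []
        for k, pkts in self.store.items():
            client, server, port = self.initiator[k]
            out.append({
                "host": self.host, "id": k, "proto": k[0],
                "client": client, "server": server, "port": port,
                "first": min(p.ts for p in pkts), "last": max(p.ts for p in pkts),
                "packets": len(pkts), "bytes": sum(len(p.payload) for p in pkts),
            })
        return sorted(out, key=lambda s: s["first"])

    def retrieve(self, session_id):
        """Analyst-requested pull of one session's full content."""
        return list(self.store.get(session_id, []))


def suspicious_sessions(summaries, approved_ports=frozenset({53, 80, 443}),
                        min_duration=600.0, max_avg_bytes=64):
    """Triage on session data alone: a server port outside the approved set, or a
    long-lived session of tiny packets (beacon-shaped), earns a full retrieval.
    Thresholds are example assumptions."""
    flagged = []
    for s in summaries:
        long_lived = s["last"] - s["first"] >= min_duration
        tiny = s["packets"] >= 3 and s["bytes"] / s["packets"] < max_avg_bytes
        if s["port"] not in approved_ports or (long_lived and tiny):
            flagged.append(s["id"])
    return flagged


# Constructed packets: one HTTPS exchange, one DNS lookup, one packet to an
# unapproved port, and a low-volume session that checks in every ten minutes.
PACKETS = [
    Packet(0.0, "198.51.100.10", 49152, "203.0.113.5", 443, "tcp", b"\x16\x03\x01" + b"\0" * 200),
    Packet(0.2, "203.0.113.5", 443, "198.51.100.10", 49152, "tcp", b"\x16\x03\x03" + b"\0" * 1400),
    Packet(0.5, "198.51.100.10", 49152, "203.0.113.5", 443, "tcp", b"\x17" + b"\0" * 99),
    Packet(1.0, "198.51.100.10", 53001, "203.0.113.53", 53, "udp", b"\0" * 40),
    Packet(1.1, "203.0.113.53", 53, "198.51.100.10", 53001, "udp", b"\0" * 56),
    Packet(2.0, "198.51.100.10", 49154, "203.0.113.7", 6667, "tcp", b"\0" * 30),
    Packet(5.0, "198.51.100.10", 49153, "203.0.113.99", 443, "tcp", b"\0" * 16),
    Packet(605.0, "198.51.100.10", 49153, "203.0.113.99", 443, "tcp", b"\0" * 16),
    Packet(1205.0, "198.51.100.10", 49153, "203.0.113.99", 443, "tcp", b"\0" * 16),
    Packet(1805.0, "198.51.100.10", 49153, "203.0.113.99", 443, "tcp", b"\0" * 16),
]


def run_agent(host="laptop-01", packets=PACKETS):
    """Capture, summarise, triage; returns (agent, summaries, flagged session ids)."""
    agent = EndpointAgent(host)
    for p in packets:
        agent.capture(p)
    summaries = agent.session_summaries()
    return agent, summaries, suspicious_sessions(summaries)


if __name__ == "__main__":
    agent, summaries, flagged = run_agent()
    for s in summaries:
        print(s)
    for sid in flagged:
        print("retrieve", sid, len(agent.retrieve(sid)), "packets")
```

Two design choices follow from the post. Summaries carry no payload, so what travels to the central server over a network you do not control is only session data, and the full content moves only when an analyst asks for one session. And because the session on port 443 that checks in every ten minutes with 16-byte packets looks nothing like the HTTPS exchange next to it, the shape of the session is enough to pick it out even though its content is encrypted on the wire.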

Of course you cannot really trust anything an endpoint does or reports once it has been compromised, but I am looking for an improvement over the current situation. The current situation is complete blindness in cases where instrumentation is lacking.

I believe at some point we will see malware that detects the various network access technologies available to a victim, and makes a choice as directed by the intruder. In other words, if the corporate LAN is too difficult for extrusion purposes, switch to a lesser controlled network -- like an EVDO connection.

If anyone knows of a product which offers the capability to remotely capture network traffic via pushing an agent, please let me know via comment. Incidentally, I am aware of Rpcap and similar technologies. Thank you.

Monday, February 04, 2008

Review of Beginning Perl, 2nd Ed Posted

just posted my five star review of Beginning Perl, 2nd Ed by James Lee. From the review:

I read Beginning Perl, 2nd Ed (BP2E) to gain some familiarity with Perl 5. I do not plan to really write anything in Perl, but I find myself using other people's code quite a bit! In those situations I would like to know how the code works. I also enjoy being able to make small changes if the code does not work as expected. Perl is basically everywhere, so it pays to understand it to some degree.

Later this year Apress will publish Beginning Perl 6, the 3rd Ed of this book, also by James Lee. I hope to read that too.