Ruh Roh Shaggy.  This should make the RSA Conference experience very interesting for Bit9.

–Chris

Many client side attacks that are part of cyber threat actor arsenals can cause issues in the client system. IE crashes when a certain site is visited, the PDF opens but is blank, the word document also opens a command window, etc. Fortunately for us cyber sleuths many times the user will call the help desk and report the issue. Hopefully your help desk has a ticketing system (like Remedy or Peregrine) that you can search in.

Once a week I go into our help desk ticketing system and search for the following:

IE / Internet Explorer
Browser
Adobe
PDF
Flash
Office document
Word, PowerPoint, Excel
Other terms depending on current activities

Honestly I do not find things every week but I feel it is well worth the 30 minutes a week I spend.

The discussion today made me realize that in addition to challenges in sharing threat data there are also challenges in receiving that data. I’ve recently had the opportunity to talk to Incident Response and advanced threat / intelligence teams for several very large organizations. What stuck out was the variance in maturity levels within these organizations security programs. The more advanced ones had a cyber threat intelligence function and someone(s) focusing on advanced threats (I.e. APT…there I said it . It is these functions that are almost a necessity to process threat data and IoCs from other sources. The challenge is that these functions are still not that common in organizations. Why? Well it’s hard to show ROI for these functions.

These functions are almost considered a luxury in man organizations. My team and I get paid to “hunt” more or less. Our ammunition is IoCs and threat actor TTPs. If we find something today but don’t find anything else for a week does that mean there was nothing to find or we did a poor job looking? That’s a question that is almost unanswerable. It’s a leap of faith or an investment that organizations make to support those functions. The very functions that are an integral part of processing threat data. Without which an intelligence driven security model is very tough to get of the ground and support,

So before you run out and sign up with threat intel providers, private mailing lists and other sources of threat data and IoCs ask yourself a question. If someone gave me the file hash of a specific Trojan, could I actually do anything useful with it? The same would apply to other IoCs like HTTP user agent strings or email MTAs. If the answer is no, what then?

I was asked during the panel why some of the IR teams I met with had cyber intel / advanced threat capabilities and others did not. I can say that there was a direct correlation between an organizations maturity level in the IR department and whether or not they have had a major breach. The ones who have been breached realize these functions are not a luxury but an absolute necessity to combat the current cyber threats we are all facing.

A little shameless plug, SC Magazine published my article on Cyber Threat Information and Intelligence sharing in their The Last Word column. You can find it here: http://www.scmagazine.com/take-to-the-offense-with-intel/article/264315/

–Chris

–Chris

Technorati Tags: PGP, ios, iPhone, iPad

These positions are:
Senior Software Architect (1 opening)
Secure Software Engineer (6 openings)
Usability & User Interface Specialist (1 opening, 9-12 month temporary position with permanent placement option)

Contact Andrew Robinson for more information,  atr AT maine.net

Senior Software Architect (1 opening)

Description:
- The Senior Software Architect (SSA) will report to the CTO
- The SSA will design and implement the development environment, including the underlying IT infrastructure
- The SSA will design, document, and implement, and enforce a rigorous RAD-based secure SDLC
- The SSA will manage the software engineering team including programmers, testers, UI architects, and other related functions
- The SSA will function as a member of the programming team

Qualifications:
- US citizen or permanent resident (non-citizens will be restricted from access to some information and operations)
- 10 or more years in a leadership role in both software engineering and SGRC
- Demonstrated experience implementing secure SDLCs
- CISSP _and_ CSSLP certifications preferred but not required (both certifications must be obtained within 6-12 months after hiring)
- PMP certification is “a plus,” but demonstrated large project management experience is even better
- Strong basic information technology skills
- Experience with Java, Java enterprise components, JavaScript, HTML5, and mobile platforms
- Excellent technical writing skills
- *CRITICAL* The ability to rapidly assimilate and use at an expert level new languages, platforms, and technologies
- *CRITICAL* Eager and able to engage in all aspects and phases of the SDLC

Compensation:
- Base salary between $90,000-$120,000 based on experience and qualifications
- Fully paid medical insurance for employee (spouse and family available through payroll deduction)
- Company supplied 3G/4G smart-phone and tablet (person use permitted), upgraded every 2 years
- 35 days of paid leave (“flex time”) per year
- Profit based bonuses after first year
- Casual work environment

Secure Software Engineer (6 openings)

Description:
- US citizen or permanent resident (non-citizens will be restricted from access to some information and operations)
- Each Secure Software Engineer (SSE) will report to the Senior Software Architect (SSA)
- SSEs with the most experience and aptitude will be placed in management positions as the team grows
- SSEs design, implement, document, and test business and presentation (logic) using a secure SDLC under the supervision of the SSA
- SSEs write and maintain user and developer documentation for the application(s)
- SSEs will directly support customers and users
- SSEs will support the organization’s IT infrastructure on a rotating, 7×24 basis
- SSEs will rotate through various functions in the software engineering team, including developers, testers, IT support,  and other functions.

Qualifications:
- 3-7 years of experience with both software engineering and SGRC
- Demonstrated experience or ability working within secure SDLCs
- CISSP _and_ CSSLP certifications preferred but not required (both certifications must be obtained within 6-12 months after hiring)
- Strong basic information technology skills
- Experience with Java, including Java enterprise components, JavaScript, HTML, XML, and mobile platforms
- Excellent technical writing skills
- *CRITICAL* The ability to rapidly assimilate and use at an expert level new languages, platforms, and technologies
- *CRITICAL* Eager and able to engage in all aspects and phases of the SDLC

Compensation:
- Base salary between $60,000-$90,000 based on experience and qualifications
- Fully paid medical insurance for employee (spouse and family available through payroll deduction)
- Company supplied 3G/4G smart-phone and tablet (person use permitted), upgraded every 2 years
- 35 days of paid leave (“flex time”) per year
- Profit based bonuses after first year
- Casual work environment

Usability & User Interface Specialist (1 opening, 9-12 month temporary position with permanent placement option)

Description:
- The Usability & User Interface Specialist (UUIS) will report to the Senior Software Architect (SSA)
- The UUIS will work directly with the software engineering team on a full-time basis
- The UUIS will take a leadership role in the design and evaluation of the application user interface
- The UUIS will organize and maintain the end-user guide for the application(s)

Qualifications:
- US citizen or permanent resident (non-citizens will be restricted from access to some information and operations)
- 3+ years of experience as a usability consulting and/or user interface designer
- Demonstrated experience or ability working within secure SDLCs
- Strong technical writing skills

Compensation:
- Base salary between $40,000-$70,000 based on experience and qualifications
- Fully paid medical insurance for employee (spouse and family available through payroll deduction)
- Company supplied 3G/4G smart-phone and tablet (person use permitted), upgraded every 2 years
- 35 days of paid leave (“flex time”) per year
- Profit based bonuses after first year
- Casual work environment
- PERMANENT PLACEMENT OPTION (for UUIS candidates who have or develop SSE-level capabilities)

Home sick today so I was catching up on some reading and came across “The Prolierfation of Cyber Janitors” by Jeff Bardin. I have to say that I had to re-read it a couple times to let it sink in. The gist of the article seems to be that security organizations are spending too much on “detect and respond” capabilities and not enough on proactive security measures. The principle is simple and correct….if you prevent it from “spilling” then you don’t need a janitor to mop it up. First off I think many information security professionals that are involved with incident handling and incident response probably do not like being called janitors. Jeff uses it for a bit of sensationalism or controversy. The title got me to read the article so mission accomplished I guess.

RSA chairman Art Coviello made a comment regarding breaches which in a nutshell said “It’s not a matter of if or when you will be breached, it’s a matter of how you will respond.”  To which Jeff wrote “This statement indicates that he is beaten. He has thrown in the hat with the not if but when statement. All because they were breached. “  Thrown in the hat? Art is stating what those of us who deal with security incidents have known for sometime but were somewhat ineffective in getting senior management to see:

1. If you have human beings using software developed by human beings on systems designed by human beings and connected to the Internet you are going to have a compromise. If you think otherwise then your head is firmly in the sand…..or elsewhere. Think about this in terms of physical security. Why do Security Operation Centers for physical security exist? Because people will try to break in and someone has to be ready to monitor for  and respond to that. Have organizations that built SOC’s for physical security also “thrown in the hat”?

2. Despite what the article says about the proliferation of CSIRT / CERT functions most organizations still are not equipped to deal with a compromise. Over the last 4 years I have had the opportunity to meet with many different security organizations and the majority do not have the processes in place to deal with a major compromise. I would argue that there aren’t  enough CSIRT teams out there.  Most organizations aren’t anywhere near the level of the Hanover Insurance security team that won awards when Jeff was the head.

To me the article seems to be implying the CSIRT’s rely on special technologies or products that come out the cottage industry mentioned. While many CSIRT’s may have some specialized tools (and usually built by them) they rely on the same tools and products that most likely already exist in the organization. A CSIRT isn’t about technology. It is about process. It is organizationally separating those who administer the security technologies from those who are looking at the logs and responding to the alerts. It is about dedicating some resources to very basic things that many organizations still don’t do, like looking at logs and doing root cause analysis. Security controls fail every day. Someone needs to have their eye on that ball.

I don’t argue that we need to be doing more to prevent. No I don’t mean buying WAFs or IPS. I mean addressing the root cause. Secure coding and change management principles are foreign to many, many organizations. User education is also lacking as a whole. I also agree with Jeff that a shakeup is necessary. However I do not think the shakeup needs to be in the security space. Security exists because something (outside of security) is failing. The root of the problem isn’t that security fails to be proactive. The root of the problem is that we need IDS, WAF, etc. in the first place. We do work in a reactive security world for the most part. In order to be proactive, security cannot be a technology. It has to be a principle that is part of all levels of the organization.  We have not reached that Utopian point where incident response and cyber janitors are not needed. I doubt I will live long enough to see that point. We need to react to what is happening now and plan for where we think things are headed.

I find this statement interesting. ‘We need true innovative thought that uses cyber intelligence, counterintelligence and active defense and offensive measures in our programs. ” Is it a coincidence that Jeff’s company (Treadstone71) offers those services? I’m not saying he is wrong. He is absolutely correct in that functions like cyber intel are sorely needed and do not exist in most organizations. You have to understand who your adversaries are, their methodoloiges and what they know about you. Those organizations which I have met with that have cyber intel / counterintelligence functions all have those functions in the same place.

Ironically it’s with the “janitors”.

–Chris

https://www.sans.org/security-training/reverse-engineering-malware-malware-analysis-tools-techniques-54-mid

–Chris

What I wanted to point out here is that you can’t have attribution with regards to an attack by only analyzing the tool used, no matter how through the analysis. We all know IP’s can be changed, compromised, rented out….so relying on that wont work. Code can be borrowed, stolen, reversed so that isn’t conclusive either. This especially true if we are talking about Nation State sponsored cyber attacks. The tool is only part of the bigger picture. Attribution requires taking a step back and looking at that this bigger picture.  Who received the email? What is their role at the company? Where did the adversary get their email address? What tools did they use once inside? What order did they use the tools? What time of day, week, month did the carry out the attack? How did they exfil the data? What did they do with the data once exfiltrated? These are just examples of data not directly tied to the code in the malware that needs to be analyzed. Threat actors have patterns that they follow just a criminals have M.O.’s. However these cannot be relied upon completely. Misdirection is your friend when you don’t want to be named.  A lot of data needs to be analyzed before you are in the position to claim attribution. I would argue that few organizations have the expertise and experience to do so and fewer still could say conclusively, outside of Defense and Intel circles.

Also remember that not all advanced intrusion are APT just as not all APT intrusions are advanced. What helps constitute the Advanced in APT is their ability to pick the right tool for the job. They are not going to pull out their 0-days unless they have to, in my opinion anyway.

–Chris

[TAGS] APT, RSA [\TAGS]

–Chris

Congrats to the team at, NitroSecurity. They were acquired by McAfee according to this press release today: http://www.mcafee.com/us/about/mcafee-nitrosecurity.aspx

Nice job guys and girls. It’s good to see a successful exit.

–Chris