Archive for May, 2012
This week the security blogs have been abuzz about Flame, the newly discovered malware that appears to be geographically targeted at Iran, Lebanon, Syria, Sudan, and other countries in the Middle East and North Africa. Security analysts are infatuated by the “massive, highly sophisticated piece of malware”, and are likening it to Stuxnet and DuQu.
I’m not so impressed: I believe we’re seeing the beginning of a long line of copycats, and Flame is a klunky primate of the next stage in the evolution of advanced malware; it’s just another generation in the APT ontogeny.
In fact, IBM’s X-Force analysis concludes that, “At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press.”
Stuxnet was a new breed of threat, created as a cyber weapon to serve the goals of a government or alliance. It was sophisticated and keenly targeted. Duqu was a cousin with a slightly different purpose–to gather intelligence–although still targeted at industrial control systems. Flame does not appear to share the same code base and is not targeted at any particular industry. You can read all about its capability to capture screenshots, turn on the microphone or video camera on computers and laptops, and other features elsewhere; there’s no need to clutter up the internet with redundant descriptions.
Flame may not share the same ancestry, but it’s just another piece of malware with a primary purpose of cyber espionage. It also looks like it’s extendable via plug-ins. When you gather all the modules that comprise Flame, it encompases 20 megabytes. Stuxnet, by comparison, was one-half of a megabyte. In many cases software goes through an optimization stage in its development, particularly for drivers, code that has strict performance or size requirements, or other specialized runtime requirements–like stealth. Stuxnet and DuQu were compact and efficient; whereas, although Flame has a broader purpose, it most likely has not been subjected to a rigorous optimization effort. This suggests a general-purpose application rather than a targeted weapon. So maybe the cyber criminals have taken a lesson from Stuxnet, and Flame is intended for black-market hire like most botnets, with plug-ins tailored for all sorts of nefarious objectives.
Flame was discovered almost two years after Stuxnet, but there’s speculation that they may have been under development in parallel. Files with the same names as those found in Flame were discovered on machines as early as December, 2007, and April, 2008. There are many possibile relationships between Stuxnet and Flame that begin before the pubic became aware of either. There are underground forums for malware developers and it’s entirely possible that the architects of both Stuxnet and Flame frequented those venues, where the ideas for both were sparked, perhaps in tandem, or they may have collaborated on challenges as anonymous peers with one effort predating the other.
Regardless of their possibly divergent parentage–a government project and a framework for cyber crime–their development timeline, and their narrow or broad purposes, Flame is not a game-changer. We learned the lessons from Stuxnet and they apply directly to Flame. It’s a good reminder that DuQu wasn’t the last of its kind, but now it’s time to carry on, albeit with a newly heightened sense of awareness, and get back to business.
Allan Paller of the SANS Institute had a few interesting things to say at the ISSA-LA’s Security Summit IV, but two struck me as incredibly salient. The first is that CEOs actually do understand the importance of information security. I’ve heard security experts–smart and well-respected ones–utter that executive management doesn’t “grok” security. That’s true, but they don’t need to grok it; that’s the responsibility of us who inhabit the world of zero-days and hacktivists and APTs. CEOs need us to analyze and summarize our knowledge and present it to them in a business context. The problem isn’t just that we in security generally don’t speak the language of the boardroom, we simply aren’t wired the same. Security practitioners are a risk-averse group, by and large; CEOs are risk managers.
Which makes sense: CEOs are responsible for growing the business and there’s no reward without risk—hopefully well-calculated risk. We don’t want our executives pumping tokens into slot machines in Vegas hoping to hit it big. On the other hand, we don’t want them stuffing the cash from revenues into their mattresses. So when they decide to invest in new market opportunities or augment the current business model using technology, they want to be on the safe side of the risk threshold—but just barely.
But security folks’ impulse is to grab the business stakeholders by the shirt collars and drag them away from that scary precipice. We’re much like lawyers in that way. Their job is to minimize liability, a form of risk, optimally to eliminate it with the fabled iron-clad contract. Of course with lawyers it’s as much a negotiation tactic as dogma; each party stands on opposite sides of an issue with backs to their own walls, fully knowing they’ll both end up somewhere in the middle.
But security is not at odds with the business; it’s not a negotiation between the two parties. Our job is to determine appropriate responses and come to the table with the best, most informed decision possible with the given data. We need to find a happy middle between a purist security stance that discourages new initiatives (e.g., cloud, BYOD, partner portals, etc.), and a Wild West approach where the business does whatever it wants without addressing risk — and present that to executive management. They need to trust that we understand the business and are helping them to make the right risk management decision. Remember, “defend” is not the only response to a threat; other mitigating controls include transferring risk and accepting it.
Alan also said that CEOs want to know “how much is enough.” This is the heart of the matter. Finding the center of gravity that lets the business grow and thrive is the key to transforming the perception of information security from a cabal of naysayers to trusted risk analysts and business enablers.
What would you do if someone was repeatedly trying to break in your front door? Would you add an extra lock and hope that was enough? Would you completely ignore the back door? If you lived in a neighborhood where lots of homes had been broken into, would you do some research to see what the common entry points were and maybe take some precautions to better address those risks- even if your house had been safe so far?
I’d like to think you’d do just about anything in your power to protect your home, and definitely your business. But finger crossing and dead bolt- equivalents seem to be the approach a lot of organizations take when it comes to security, especially network security. Those organizations are resting on hope; hope that they won’t be targeted by a cyber attack, hope that no disgruntled insiders will take a shot, hope that their network security analysts won’t miss something in the piles of log data being generated every minute, and hope that their first generation solutions are working good enough to catch modern attackers.
Earlier this week I read an article in Network World about the failure of CSOs to properly evaluate risk in their security strategy. It asked the important question- “what happens if your security strategy doesn’t work?” I’m betting there’s a lot of organizations out there who don’t know the answer to that question, and if they did, they wouldn’t be happy.
To truly be secure, you need to know where your vulnerabilities are and then figure out how to fix them. Your team needs to be prepared to identify and respond quickly to attempted and successful breaches (because inevitably, some will get through). They also need to know how to minimize the damage that can be caused by an incident. They need to be able to find the who, the what, the when, the where and most importantly, the how- and they need this information in real time! This is the essence of Security Intelligence. Do you have it?
As we have lately read and seen, the style and sophistication of cyber attacks on organizations’ networks have become ever more complex. One type of attack that has had a lot of media coverage in the UK are DDoS attacks, with hacktivists using multiple IP addresses to attack one IP address within an organization, resulting in critical business services and infrastructure being made unavailable. Although this type of attack may not be new news to people, in the UK there has been a lot of fresh exposure, bringing DDoS top of mind.
When reading through these cases it is not the seriousness of the cyber-attack that is the problem, but the late reaction to the attack. These can occur at any time and in many cases the technology is not in place to detect and highlight these immediately. The consequence? A DDoS attack that happens after people have “finished” work are not being acted upon by the Security team until the next morning when the attack has been successful in its mission. This raises the need for organizations to have an effective threat detection system, highlighting an attack to the security team, regardless the time of the day or a DDoS could be used opportunistically to mask other harmful activities.
Real time correlation and effective rule settings allow this to be combated successfully. With the right technology in place, automated alerts can be sent to the security team immediately when there is a suspicious incident, such as a DDoS attack. This allows an instant reaction to occur and enables the security team to be on top of the problem instead of chasing the issue– when it’s already too late to stop or prevent more damage.
For more information on how a next generation SIEM and Log Management solution like QRadar can bring you total security intelligence, changing your security posture from reactive to proactive, as well as responding to “dumber” brute force attacks such as DDoS, download this white paper “The Business Case for a Next Generation SIEM.”
Posted by John Burnham in Threat Management
According to a UK news website, the CEO of a large, really large, hardware vendor just noticed that the world is being ravaged by terrorists, and warned that a ”cyber-attack of 9/11 scale” is likely to take place in the near future. So now the terrorists are using cyber attacks. Hhmmm…selling security with FUD is not even old school: it’s irrelevant. And when delivered by a CEO, well it just smacks of over the top chest thumping. Nowhere in the entire article did she discuss how they solve their customers’ complex security problems. Instead, more defensive posturing: “We will darken the skies with our agenda to help organisations (sic).”
Oh wait: “We are offering customers differentiated products in security. They (sic) are about applying actionable intelligence and compliance (sic).” Uhh, how does one “apply” compliance?
Okay, I am being snarky, Ya got me, guilty as charged. But, we are not talking about trivial matters here. And our leaders need to take this just as seriously as our customers do. It’s not just about offering “differentiated products” to help their customers “protect their infrastructure.” Yes, the perimeter is essential, but not sufficient in dealing with Advanced Persistent Threats, insider attacks and fraud. Keeping the Bad Guys Out and Letting the Good Guys in means telemetry from all sources, applications, mobile devices, cloud platforms and and cloud services. It means partnering with your customers and their chosen suppliers.
It means applying analytics to all the data, constantly. It means Total Security Intelligence.
Learn more about security intelligence in this webinar from the IBM Institute for Advanced Security, featuring Chris Poulin, “Defining Security Intelligence for the Enterprise: What today’s CISOs Need to Know.”