Virtual panel reveals big picture on attack and countermeasure evolution

Richard Power and Dario Forte organize an expert roundtable to answer three big questions about attacks and countermeasures in the past, present and future.


Computer Fraud & Security, December 2006 (p. 7)

WAR & PEACE IN CYBERSPACE

Introduction

As part of our recent three-part series, “Ten Years in The Wilderness,” we asked some of our colleagues for their views on trends in technology and whether or not we were, on the whole, making progress in securing cyberspace. The insights offered were invaluable, and we felt we should explore the questions in more depth. So we have assembled another virtual roundtable of friends and colleagues, who are all industry leaders in their areas of expertise:

• Becky Bace, author, CEO of Infidel, venture partner in Trident Capital.
• Rik Farrow, independent consultant and journalist (www.spirit.com).
• Justin Peltier of Peltier and Associates.
• Keith Rhodes of US General Accountability Office (GAO).
• And of course, we included some of our own remarks as well.

Where are attacks and countermeasures today vis-à-vis 10 years ago, or even five years ago? What are you seeing out there today that surprises you?

Becky Bace – Unfulfilled prophecy

The attacks observed in the wild capture my attention (and differ from the predictions we made over the past couple of decades) because:

• There does not appear to be a consistent correlation of the sophistication of the attacks to the amount of mayhem they wreak – stone cold stupid attacks bring down companies as easily as more sophisticated hacks.
• Even proclaimed "experts" in both attacks and countermeasures acknowledge only a tiny subset of all of the potential exploit strategies we understand are possible (for example, the Saltzer-Schroeder failsafe set or the Bisbey-Abbott set of etiologies).
• Even as we watch attackers move with ease up the application stack in their activities, solution providers are extremely slow in following them/thwarting them with countermeasures, let alone selling users on tools that head the bad guys off at the pass.
• Attackers still have the advantage in attracting new talent – it's still a lot more fun to attack systems than it is to protect them.
• There's a non-trivial element of organized crime involvement in design and execution of new attacks. I've observed more classic criminal tradecraft (e.g. extortion) ported to cyber venues.

Countermeasures

There are several things that appear certain to me at this point, from the perspective of commercial trends in countermeasures:

Customers are still looking for silver bullets – one countermeasure to cure all security issues. By the way, marketing personnel for security solution firms are still trying to convince them that they have that silver bullet.

Commercial and open source solutions as a major industry are here to stay – security is considered (from an investment perspective) one of the only areas of the IT market that has not been commoditized (and subsequently shipped offshore). There are in excess of 1,000 venture funded solution providers in existence today (“all pursuing about 2.5 good ideas,” in my admittedly jaded opinion). Classic antivirus (AV) and anti-worm mechanisms are hitting the capabilities wall. It is expected they will be superseded by better-leveraged approaches.

As reacting to attacks of various sorts becomes non-optional, there is a premium associated with solutions that do not require human intervention or reaction.

Rik Farrow – the end of the worm and rise of compliance

Ten years ago, firewalls and AV were the only countermeasures. Host-based Intrusion Protection (HIPS) existed, but wasn’t terribly popular. The focus was on creating a perimeter. Five years ago, people realised they really had no perimeter, so the new fad became Intrusion Detection (IDS). Therefore, exploitation was considered inevitable, and best practice shifted to detection after the event occurred.

Today, things have changed again. Both Network IPS (NIPS) and Host IPS have become more popular with NIPS becoming almost safe enough to work (that is, not being more of a nuisance by blocking more traffic than the attacks it is supposed to stop). But the real move has been towards compliance-based products. Security firm Tenable, for example, used to sell vulnerability scanners, but has refocused its products on compliance. Systems like Tenable’s, Elemental Security’s, and Verdasys’ risk management software maintain system patch level and configuration in a way that can be described as best practice. This does prevent old and known attacks from succeeding, but does not actually solve the security problem. What it does, is give the entities using the products legal protection covering SOX, HIPAA, and liability torts against negligence claims.

What was surprising? At first, it was the lack of worms. But this is easily explained because launching showy worms is no longer considered a cool thing to do. Instead attackers concentrate on gathering large botnets, and worms result in countermeasures to the very techniques used to own and control thousands of systems. These systems, in turn, produce income by being used as spam relays, phishing sites, sources for identity information, and DDoS sources. There are so many of these sites that the price for spam relays is less than a dollar at US$0.25, while compromised hosts sell for US$0.40 – US$7. In conclusion we see less of the flamboyant and flashing attacks of the near past because exploits have real value now, but only when used in volume and quietly.

Keith Rhodes – three bothers

Three things bother me but don’t necessarily surprise me:

Isolated cyber realm

In my experience, I hear very few people speak of the cyber realm as being just another arrow in the adversary’s quiver. “Cyber” is just another vector for attack, not something special and discrete unto itself. If an adversary uses the cyber vector in isolation, it is only because he chooses to, and not due to any constraints based on a cyber environment. As you have asked, “What if the last thing you saw was the plane hitting the World Trade Center and then your TV went blank and your phone went dead?” “Cyber” in isolation is more a lack of imagination on the adversary’s part.

Users in ignorant bliss

I am constantly struck by the lack of knowledge of the “users.” People are now so accustomed to access and converged technologies that they do not take the time to understand how the things they use actually work. Thus, they are becoming more and more of a hindrance to solving the security/crime problem. People can understand why a lock needs to be on a front door, not because they know how a lock works, but because they know how a door works. Users do not necessarily know how the converged access works, how many vistas it opens to them. As a result you get the confusion on the part of both parents and young people about what to do with their virtually public image on MySpace and so on. When I talk to school children about MySpace, I tell them: “Think of what you are writing as going onto the front page of the Washington Post as you write it.” Their looks of surprise are very telling. They do not imagine the virtual world is not private.

Developers

This lack of inquisitiveness is also bleeding into the developer community, as they increasingly build software through interface tools and module builders rather than by actually writing code. I have had conversations with developers who are well-versed in how a code builder works, but do not understand how a logic gate works. That, combined with the literally dirt-cheap cost of hardware (particularly memory), accounts for much of the sloppiness in current software. If memory is cheap, then there is no incentive to do “garbage collection” at the end of each function in the code. Also, I do not agree with those who argue that there’s lots of memory out there so question why we should bother to clean it up all the time. If there is lots of memory out there, then why do many programs all write to the same memory address, which causes collisions and silly truncations, which can then be exploited by those with nefarious intent? Perhaps people should be made to learn to write programs in 12K of memory first and then they can go wild with their code builders.

Justin Peltier – Port 80 highway

The attack sophistication has increased markedly in the past few years. In 1996 stateful inspection firewalls were starting to become more common and the ability to protect our Web server from telnet sessions was a big step forward. Today port 80 is often called the highway into the network.

It has changed from having many ports open to having a single port called a highway. I do not think that countermeasures have kept pace with attack sophistication.

What kind of evolutionary or revolutionary spirals can be expected in attacks for the next two to five years?

Becky Bace – infrastructure, authentication and virtual machine attacks

As a large part of my work these days is in the investment industry, I’ve the luxury of incentivised crystal ball gazing, with a horizon of three to five years. Therefore, I know what sorts of tools will likely come to market in areas of countermeasures to attacks. I don’t necessarily have a direct view of attacks, but can make some educated guesses:

• There will be more attacks that either disrupt or subvert virtual machines.
• There will be more attacks that target strong authentication systems – we already know that phishing attacks provide a successful strategy for defeating two-factor authentication.
• Rootkits, both offensive and defensive, are with us already, and will only grow over the next few years.
• Application-level attacks will continue, driving reverse engineering technologies (and one might assert, also driving reverse engineering countermeasure markets).
• I think that we are way overdue for major infrastructure attacks on SCADA and other device management systems. The attack techniques won't necessarily be unique, though the goal of the attacks may be subtler than a brute force denial-of-service.

Rik Farrow – desktop attack

For years attackers have been disguising attacks. Polymorphic viruses are old news, but it is now common for exploit code to do this as well. These techniques are designed to avoid detection via pattern recognition, but the code that decrypts or unpacks the exploit code is itself a pattern.

This has led attack code writers to vary the small portion of code by adding extra instructions that only obfuscate the pattern virus for which the NIPS systems look. Expect a spiraling of defensive and countermeasures in this area.

But the real change has already taken place. Instead of attacking servers, people attack desktops. Web browsers have long been the most insecure software available, not because programmers don’t try and secure browsers, but because Web browsers execute remote code by default. As Microsoft and other vendors (Apple) continue to improve the security of their core operating system (OS) and libraries, the browser will continue to have the greatest attack surface because of the nature of what browsers do – execute code that persons unknown provide to the browser.

Keith Rhodes – physical

The evolution will take place in the physical world. The convenience of convergence will be used against us, and we will not be able to identify the physical event as having a virtual origin, as in the Day After exercise. Is a train derailment a purely physical event or is it a virtually triggered physical event? Also I predict an attacker will use a combination of vectors – a fire combined with a blocked 911 emergency service. These are the things that worry me as we become more tied to technology. I fear we will lose our ability to improvise, which is the key to responding to any emergency.

Justin Peltier – DDoS and CD-based firewalls

Over the past year or two deep packet inspection started to emerge as a way to further protect any open port into your network, but the filtering is mostly crude and it can introduce a good deal of latency. Attacks are going to become increasingly complex in the next few years. The field of anti-forensics is making the attacker more aware of how to hide attacks and penetration. With the use of onion routing and utilities like Tor making it more difficult, if not impossible, to track down the true source of an attack, forensics will have to be completely revised.

Since the DDoS problem was never addressed after the attacks of February 2000, it has been mostly luck that has stopped the wave of attacks from hitting again. In the next year or two, I think, the infosecurity community’s luck will run out and the next wave will begin. This wave of attacks might be the final push necessary to move major networks away from IPv4 to IPv6. Over the next year or two, SSL will have to go through a major change. The protocol as it is now is known to be vulnerable. The attacks against SSL are something that can be executed with a minimum of technical expertise. The security of SSL lies with the user, and most users do not care about the differences between asymmetric and symmetric encryption, certificate authorities, and expired certificates. On the defensive side I think that CD-based firewalls (using the Knoppix environment) will become much more common. Using a CD-based firewall will ensure that the firewall’s ruleset will be present only in RAM on the firewall and a read-only copy will be stored on the CD. This will make defeating a properly configured firewall more difficult.

In general, in terms of cybersecurity and cybercrime, would you say: “one step forward, two steps back” or “two steps forward, one step back”? Alternatively would you characterise it some other way?

Becky Bace – promoting IDS

Though one might argue that we’ve made progress in both cybersecurity and cybercrime, they’re both seriously behind the power curve. I think they suffer from the “one generation trailing” problem. By definition, both are reactive disciplines, especially in the commercial arena. Funding is applied to the problem only after someone has divined there is a problem. Furthermore, someone finds an approach to solving a problem that makes sense for most commercial venues, meaning financial measures determine whether it makes sense. If I knew then what I know now, I’d have been even more aggressive in promoting IDS for tech transfer to the commercial world with more focus on the monitoring capabilities so such products could be used to establish that bad things were coming in over the wire. ID technologies were a logical means of establishing need (and quantifying the value of meeting that need) for the rest of the countermeasure industry, even as they were totally disastrous with regard to cost of operation/ownership.

Legal issues

Another aspect of the problem that I understood early in my relationship with law enforcement and the legal system regarding cybercrime is that there is an inherent mismatch between the virtual environments of cyberspace and the legal system. Most recognize cyberspace is a virtual environment. Ironically, the world of litigation, in which one spars (by proxy, with attorneys responsible for actually throwing punches on your behalf) before a referee is also a virtual environment, in which ideas fly, vs. bits and bytes. The ability to design an appropriate interface between these two realms is a critical exercise in system engineering, one of extreme importance to the future of IT and society alike. Therefore, one of my current passions is to equip current IT security leaders with the skills and awareness that enable them to be effective experts in service to the legal process.

Education

Another aspect that is frustrating to me personally is the lack of attention paid to security education. I can’t think of any area that has more strategic impact on our industrial base and national security, yet public funding is consistently under budgeted, off target and misspent. My frustration transforms to panic when I realise our government leaders are the least educated among us with regard to security issues – this is a recipe for disaster with regard to both economic and military stability of the country.

Rik Farrow – no steps forward

Have there been any steps forward at all? Identity theft is still on the rise, a large part of it due to identity information being stolen via keystroke monitors or phishing/scam sites. This information is traded in large online bazaars, and it appears that law enforcement is doing little to stop this. The very nature of trading in identity information requires lots of criminals to interact, and the more anonymously the better (for them). While this does make it more difficult for law enforcement, the trading servers themselves are wide open to attract more criminals to participate.

Vulnerabilities

Has software security improved? Nope. While buffer overflow vulnerabilities are no longer the number one reported vulnerability after five years of tracking, they have remained constant over those five years! Despite Microsoft’s huge push on security, even IE7 had a buffer overflow exploit published during the final stage of its pre-release. This means code reviews as well as buffer overflow prevention mechanisms used by Microsoft still fail. And the software giant is not alone in this, as we see as many Apple vulnerabilities (just not as many exploits) and Mozilla flaws now as in the past.

So things have not got better. Instead, we continue to see a band-aid style approach (here, let me sell you AV-anti-spyware-compliance monitoring-firewall-NIPS-HIPS). Microsoft has changed its approach to the problem by selling its own AV service (we can’t secure it, but we will charge you to protect it!). Oh boy.

Keith Rhodes – one step forward, two steps back

I would have to say that while our attack morphologies are getting much better (one step forward) the attack vectors are increasing in number and speed due to everyone having high speed Internet access from their home (one step back). This is exacerbated by code getting buggier and buggier (one step back). So, if my math is correct, that’s one step forward, two steps back.

Justin Peltier – failing technology

In characterising the cybercrime landscape, I would lean more to the one forward and two back. Too many security technologies are entrenched in the corporate environment and not enough innovation is taking place. Most organizations are rolling out the same technologies that have failed time and time again, while the attackers are gaining complexity and new attacks on an almost monthly basis. As long as security is mostly defined by one large enterprise firewall and a poorly configured IDS/IPS system, the attackers will still have an edge.

Dario Forte & Richard Power – Is this security enough?

During our daily practice, we are commonly asked whether a security implementation is enough to keep the risks at bay. The answer we get – not directly from the customers actually – is no. Here is an example we recently found during a project. The project started about one year ago, and was related to log collection. The primary goal was to “keep the raw logs safe with integrity intact.” The architecture was designed in a way to allow further integration with audit. But, since the security team didn’t talk to the audit department, another identical project was started by audit. The project involved the same logs, same architecture (already in high availability), and same fields in the log files. The only difference was the use of a new supplier.

We have absolutely no doubt of the honesty and the integrity of the customer’s management. However we think that there is no security, whatsoever, if the right hand does not know what the left hand is doing.
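What “keep the raw logs safe with integrity intact” means in practice, shown as a hash chain over collected raw log lines that lets an auditor detect an edited, deleted or truncated entry. This is an added example and not code from the article or from either author's log collection project; the sample log lines, the collector key and the chain layout are all constructed here.

```python
"""Hash-chained integrity check for collected raw logs (added example)."""
import hashlib
import hmac

# Constructed sample: one raw syslog-style line per entry (not real data).
RAW_LOGS = [
    "2006-12-01T08:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 DPT=23",
    "2006-12-01T08:00:04 web01 sshd[211]: Failed password for root from 10.0.0.9",
    "2006-12-01T08:00:09 web01 sshd[211]: Accepted password for alice from 10.0.0.7",
    "2006-12-01T08:00:15 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.0.2 DPT=80",
]

# Secret held only by the collector (constructed placeholder, not a real key).
COLLECTOR_KEY = b"example-collector-key-not-for-production"

GENESIS = "0" * 64  # anchor link for the first entry


def _link(prev_hex: str, line: str, key: bytes) -> str:
    """HMAC over (previous link || raw line): each entry is bound to its predecessor."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(bytes.fromhex(prev_hex))
    mac.update(line.encode("utf-8"))
    return mac.hexdigest()


def seal_logs(lines, key=COLLECTOR_KEY):
    """Return a list of (raw_line, link_hex) chained forward from GENESIS."""
    sealed = []
    prev = GENESIS
    for line in lines:
        prev = _link(prev, line, key)
        sealed.append((line, prev))
    return sealed


def verify_logs(sealed, key=COLLECTOR_KEY, expected_head=None):
    """Recompute the chain. Returns (ok, first_bad_index); index is -1 when intact.

    expected_head is the last link the collector recorded out of band; with it,
    silent truncation of the tail is detected too, because the recomputed head
    then differs from the recorded one.
    """
    prev = GENESIS
    for i, (line, link) in enumerate(sealed):
        if not hmac.compare_digest(_link(prev, line, key), link):
            return False, i
        prev = link
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(sealed)
    return True, -1


if __name__ == "__main__":
    sealed = seal_logs(RAW_LOGS)
    head = sealed[-1][1]
    print("intact:", verify_logs(sealed, expected_head=head))
    # Edit the failed-login line in place: the chain breaks at that entry.
    tampered = list(sealed)
    tampered[1] = (tampered[1][0].replace("Failed", "Accepted"), tampered[1][1])
    print("edited entry 1:", verify_logs(tampered, expected_head=head))
    # Drop the last entry: only the recorded head reveals the truncation.
    print("truncated:", verify_logs(sealed[:-1], expected_head=head))
```

The recorded head (or the whole chain) must live somewhere the log writer cannot alter, such as the audit team's own store; otherwise the same party that edits a line can simply re-seal it.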

About the authors

Richard Power (www.wordsofpower.net) is an internationally recognized authority on cybercrime, terrorism, espionage, and so on. He speaks and consults worldwide. Power created the CSI/FBI Survey and his book Tangled Web is considered a must.

Dario Forte (www.dflabs.com) is one of the world’s leading experts on Incident Management and Digital Forensics. A former Police Officer, he was a Keynote at the BlackHat conference and lecturer at many worldwide recognized conferences. He’s also Professor at Milan University at Crema.
