Fast Horizon<br />
<br />
Is Cyber Protectionism on the Rise? (2015-08-31)<br />
<div class="MsoNormal" style="margin: 0in 0in 8pt;">
The cyber cold war is clearly heating up. National economies may
start trending inward for IT and cyber support as fears about state-sponsored
hacking rise. High-profile technology vendors are being exposed as
arm's-length extensions of their motherland's state security apparatus. Examples include an exposé claiming
Kaspersky works closely with the FSB (<a href="http://bloom.bg/1JwNb6F" target="__">link</a>), and the Snowden leak suggesting clear and
possibly extra-legal cooperation between the NSA and Facebook, Google, and
Apple. Consider the implications of U.S. security companies that publish threat intelligence yet are notoriously
silent when it comes to threat groups that tie back to the U.S. government. And
Chinese telecom giants like Huawei have already been suppressed in U.S. markets
due to security concerns. Conversely, China has exactly the same concerns
regarding imported technology. Government agencies in all nations are notorious for mistrusting outside
technology. For example, in the U.S. government
you won't find Israeli technology deployed anywhere. The State already practices cyber protectionism. As more high-profile
vendors continue to be exposed, will the civilian market respond in kind? Will governments take extra steps to regulate
the import of potentially untrusted technology? Can a free market continue when the buyers can't be trusted to
understand the implications of cybersecurity?</div>
-Greg<br />
<br />
Creepy Dystopian Reality mirrors Cyber Fiction (2015-06-17)<br />
<span lang="">Somewhere downstream from the economic churn of the cyber affluent, layers of humans pry and burn minerals and the occasional component from e-Waste to live on less than $100 USD a month. <br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZtlR2hc9KQMTBU2CUpfteuCaqa6PSv-Ikeumz9CX0Ap7navL3vYDggAYTvfAcE-nXUeHQzsggATzdEcksFotZDh5ELjMm4lKGp9mOXqd8HZuKl4UHPA3f5THWtMPB9u0jEw27PoH4wM4/s1600/1.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="http://kamalakelkar.com/portfolio_page/al-jazeera-english-e-waste-refuses-to-disappear-from-delhi/" border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZtlR2hc9KQMTBU2CUpfteuCaqa6PSv-Ikeumz9CX0Ap7navL3vYDggAYTvfAcE-nXUeHQzsggATzdEcksFotZDh5ELjMm4lKGp9mOXqd8HZuKl4UHPA3f5THWtMPB9u0jEw27PoH4wM4/s320/1.png" title="" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">A man smelts cadmium-laden circuit boards for steel</td></tr>
</tbody></table>
A massive alluvial fan of e-Waste is spreading across Asia at an alarming rate. Illegal [unlicensed] 'kabadi wallahs' call for scrap on their daily runs through the alleyways. Buying and selling here has the feel of an illegal drug deal <em>[or something decidedly cyber from Neal Stephenson]</em>.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuLMl3pW5HyL252A4Te-sSoXitMxyhtMGJsRiToIaV3fAS1OItQvd4YRaXfwciqY10YUzu7Lx764XYHITP2DxxnWNxZNC49UPVi35tWXlPN0CGGJJEdlHxX-xLqHfMlakwMr8V_IP3qFQ/s1600/2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="https://en.wikibooks.org/wiki/Lentis/Where_It_Goes:_Electronic_Waste_and_Salvage" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuLMl3pW5HyL252A4Te-sSoXitMxyhtMGJsRiToIaV3fAS1OItQvd4YRaXfwciqY10YUzu7Lx764XYHITP2DxxnWNxZNC49UPVi35tWXlPN0CGGJJEdlHxX-xLqHfMlakwMr8V_IP3qFQ/s1600/2.png" title="" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">e-Waste deal going down in a Delhi alley</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2KnckWJe69jtY66U2mFopukQ2eVVHpKvu1nUpLBeTpkkpvsbpqs4jfNVJaGS62xg1zMVjiCcA7AMvMCMmaHqDOQXyCI8FevfRibonzwhGUJehYApLM0Vhfeu_ZZ_qg5aoZH5NapA_oR4/s1600/3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2KnckWJe69jtY66U2mFopukQ2eVVHpKvu1nUpLBeTpkkpvsbpqs4jfNVJaGS62xg1zMVjiCcA7AMvMCMmaHqDOQXyCI8FevfRibonzwhGUJehYApLM0Vhfeu_ZZ_qg5aoZH5NapA_oR4/s320/3.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Circuit boards and plastic are smashed to extract components in Ghana</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiuohxb0parPtyv-2Ie7HtK02jVia8bNb_4WRViJPp2En0R4y97QRaWDzvSQLyDOXTV2uw6SKTGfgbxUG8CuH4sGHxKWz2Fy7mTUR7x27WGvumpkoimB4x2ujyOnZLsIzE82iR7-iBTtI/s1600/4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="http://sites.nicholas.duke.edu/loribennear/2012/11/15/electronic-waste-disposal/" border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiuohxb0parPtyv-2Ie7HtK02jVia8bNb_4WRViJPp2En0R4y97QRaWDzvSQLyDOXTV2uw6SKTGfgbxUG8CuH4sGHxKWz2Fy7mTUR7x27WGvumpkoimB4x2ujyOnZLsIzE82iR7-iBTtI/s320/4.png" title="" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Ripping wires to salvage metals in South China</td></tr>
</tbody></table>
Dealers make trades and sell extracted components to others who smelt them or resell them. Some stuff just ends up back in cyberspace - posted by weight on eBay.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE84FpKwNrxB3T1zkMTn1LsV8PVYNevjEsdFYt4TOkRn73MLGdzyy7cPSEQB-jk-hFD-IqNdq9BC_R-TTfAxh7ZDjVmApZfbW_5fyNQVdLCzYllsl5PM3JAUayZpJpTxIdjvm4sZeQ0Jg/s1600/5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="picture found on eBay search for e-Waste" border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE84FpKwNrxB3T1zkMTn1LsV8PVYNevjEsdFYt4TOkRn73MLGdzyy7cPSEQB-jk-hFD-IqNdq9BC_R-TTfAxh7ZDjVmApZfbW_5fyNQVdLCzYllsl5PM3JAUayZpJpTxIdjvm4sZeQ0Jg/s320/5.png" title="" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">52 lb load of medium-high grade circuit boards posted for $110 USD on eBay</td></tr>
</tbody></table>
Crushing and stripping have their place, but <strong>the preferred method of extraction is burning</strong>. Metric tons of plastic and hyper-toxic materials are converted to gases for our atmospheric pleasure.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWbd3IrFR7iasS6jAS7eXb7DFhv8EOJqd82AagtwpCUn132lS9iMQugpsbU21QihRmSjfE7JcSfNN8iGHimAcwisHnc3Cp-6M5Z2JxJYpgw5_bUDfyd1ZsyF6r0yO-eBXxUhqFq2oPGL8/s1600/7.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="http://stephenleahy.net/2012/02/07/toxic-electronic-waste-grows-by-40-million-tonnes-a-year-poisons-kids-in-africa/" border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWbd3IrFR7iasS6jAS7eXb7DFhv8EOJqd82AagtwpCUn132lS9iMQugpsbU21QihRmSjfE7JcSfNN8iGHimAcwisHnc3Cp-6M5Z2JxJYpgw5_bUDfyd1ZsyF6r0yO-eBXxUhqFq2oPGL8/s320/7.png" title="" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">"Cooking Off" motherboards</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTksTL2N8Qyn_25AoVgVkHMaQt3QudC6t_5uTBAwGMOkr_V53w4OIL-RYE3vKzRQlCitFTOQuuD0ozaAxVy5ptfZ2BOxNDeuk7V21STodjz6OQKom4zH1I6lmYxWwm_nUmwYDkawmlPxQ/s1600/6.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="http://kairus.org/082014-artist-in-residence-agbogbloshie-e-waste-dump/" border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTksTL2N8Qyn_25AoVgVkHMaQt3QudC6t_5uTBAwGMOkr_V53w4OIL-RYE3vKzRQlCitFTOQuuD0ozaAxVy5ptfZ2BOxNDeuk7V21STodjz6OQKom4zH1I6lmYxWwm_nUmwYDkawmlPxQ/s320/6.png" title="" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Burning is the preferred way to recover copper</td></tr>
</tbody></table>
e-Waste is a poison generated on the crest of economic progress. As usual, the fallout settles in the lower economic strata, affecting the poorest countries and people the most. These images give me a feeling that the dystopian future imagined by cyber fiction writers has already arrived.<br />
<br />
-Greg<br />
<br />
<span style="font-size: x-small;"><em>note: the images were obtained from a Google Image search; the sources of the images are marked in the alt text.</em></span></span>
<br />
Silk Road for Zero Day (2015-04-19)<br />
I had to be amused after hearing about <a href="http://wrd.cm/1G9Hcpm" target="__">TheRealDeal</a>, a Silk Road for 0-day. First, there really isn't anything illegal about selling a zero day - but I can understand the concerns about liability. Back in 2002 I had proposed starting a site called ZeroBay that would auction working 0day, but the possible liability scared me off the project. For a few years afterward I privately worked with many 0day, and I have to say, these RealDeal guys have a load of problems to deal with. <br />
<br />
First, there are the 0day researchers who won't trust the site operators enough to hand over the goods for verification prior to a sale. Without third-party verification and escrow, the whole model will break down. <br />
<br />
Next, most of the exploits will only work on a certain VM and only when the moon is full. They will inevitably broker a deal where the buyer can't get it to work and the seller vanishes or becomes unresponsive after stating "Works for me!". <br />
<br />
Also, the sellers are going to sell it to multiple parties. I see Internet Explorer client-side exploits listed at $17,000 - this is about 1/4 of what an 0day like that is worth, so they must be uninformed or planning on selling to multiple parties. Or, it's not theirs to begin with and it's already being shared in close-knit circles. <br />
<br />
Here is a big gotcha - some of the people selling bugs are going to be actual employees of the vendor, possibly working in the QA lab - so they are 100% insider threats and a huge amount of liability is backpacking on those exploits. <br />
<br />
Be aware that finding a crash bug is a heck of a lot easier than writing reliable shellcode - and I wonder how many sellers on the site have the skills, procedures, or willpower to craft reliable payloads? The number of people that can find bugs outnumbers the number who can make reliable exploits by several orders of magnitude. <br />
<br />
Let me suggest something - if you want to make an 0day deal work, first you enter into a legal contract with the seller that absolves you of liability if the seller is breaking any laws or contracts (i.e., non-disclosure, employee intellectual property agreements, etc.). Second, you broker the deal so the seller receives a portion of the total payment per month as long as the 0day remains an 0day - if any disclosure or patch occurs, the payments stop early. This keeps sellers financially motivated to stay honest. Finally, don't ever pay up front for something that hasn't been vetted -- under no circumstances trust some video of the guy running it against a VM - you will end up with broken, unreliable code. <br />
<br />
0day sales have been around a long time, and it's a trust-based business - it doesn't need some weird blacknet site on Tor to work - it's silly. Start a legitimate above-the-line business doing the same thing and it would work better and provide contractual legal protection to all parties. My conclusion is this: trust is hard to come by - making a darknet anonymized brokerage is just making a hard problem harder.<br />
<br />
The network perimeter has been turned inside out (2015-04-14)<br />
The CISO needs to understand that modern cyberspace is turning the perimeter model inside out. Cloud and social applications have seen accelerated adoption in the Enterprise, but their protocols are effectively sealed at the perimeter: think layered, custom, and encrypted. This has rendered network appliances and proxies nearly useless. In effect, the logical perimeter has been forced out onto the endpoint device itself. This has huge implications for the monetary investments made by the Enterprise. Embrace the current state: when you say the word 'perimeter' you should immediately think 'endpoint'. The lack of this "perimeter is the endpoint" thinking, combined with the ever-increasing sophistication of attacks, is putting Enterprises at severe risk. <br />
<br />
I posted a short (~5 min) video prezo about this here: <a href="http://bit.ly/1Dgdyux" target="_blank">The Vanishing Perimeter - YouTube</a>
<br />
<br />
<div style="text-align: center;">
Come see me in SF next week if you have time, RSA booth
#3032</div>
<div style="text-align: center;">
<a href="http://www.outliersecurity.com/" target="_blank">www.outliersecurity.com</a></div>
<br />
What is Cyber? (2013-08-27)<br />
As a term, Cyber has a broad spectrum. It has been applied to subjects ranging from low-voltage microchips to international
law. In the context of security, when does it apply? Consider a situation where an operator
hundreds of miles away initiated events that shredded a turbine and
killed 75 people. This was not an attack, it was an accident. But
was it a cyber accident? <br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://pbs.twimg.com/media/BP-n2nUCIAE_9RJ.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="262" src="https://pbs.twimg.com/media/BP-n2nUCIAE_9RJ.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber?</td></tr>
</tbody></table>
After seeing articles about SCADA and ICS security citing the Sayano accident (among others), I was compelled to ask the
community a series of questions about the definition of cyber, which I tweeted over the course of a single day and tagged
#whatiscyber. What follows are those tweets. I received some good
feedback, and I outline some thoughts here.<br />
<br />
<blockquote class="tr_bq">
<i>A modern computer is attached to the Internet and communicates daily
with the cloud, is this #cyber?</i></blockquote>
<br />
The most basic definition is that cyber means computing technology, and
in particular, computers that are networked. There is no larger example
than the organic Internet, full of people of all intentions, with the cyberpunk
aspects of a wild west and even pseudo-intelligent computer viruses.<br />
<br />
<blockquote class="tr_bq">
<i>A LAN party is disconnected from the Internet, is this #cyber?</i></blockquote>
<br />
If one accepts the previous definition, which clearly many do given the
basis of the accepted Wikipedia entry, then what about smaller networks?
A LAN party involves hosting a group of people, complex computing hardware,
protocols for communication, and has probably more than once harbored its share of
viruses. Is this a tiny fractal of the Internet? Is it cyber? This introduces the concept of space – a cyberspace
being a place where computing occurs. But, what scale of space is required before it can be called cyberspace?<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvufA4pA7YIXg8otTJZ7Lt2y5icPHDnnrXRgofgSirtz6I0LpHKVtv1YnLs9rM-BkxpEwehwm7-e4uzPaktVq_msIBWt67gs9PjEFhLczoOzdZqouHsSl8Ttq24HaSkWauAm5p2t7Fx1U/s1600/old-computer.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvufA4pA7YIXg8otTJZ7Lt2y5icPHDnnrXRgofgSirtz6I0LpHKVtv1YnLs9rM-BkxpEwehwm7-e4uzPaktVq_msIBWt67gs9PjEFhLczoOzdZqouHsSl8Ttq24HaSkWauAm5p2t7Fx1U/s320/old-computer.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber?</td></tr>
</tbody></table>
<blockquote class="tr_bq">
<i>You have an old 1980's-era, isolated, stand-alone computer not attached to
any networks, is it #cyber?</i></blockquote>
<br />
Now we break down. Many people are thinking this doesn't match the
fantastic vision of cyberspace that spawned in science fiction. This is
boring and dusty. But, while some say nay, some imagine the awesome
complexity of that machine. Look inside. Systems and subsystems are
dancing in electric light, data in motion. A data bus is connecting
peripheral hardware with a multitude of software entities in a field of
RAM. Ask yourself how two modules communicating over a bus are different
from two computers communicating over a CAT5 cable. In this, scale is just
a matter of abstraction. The scale and
complexity are vast if you zoom in.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJxygqoR3yVJ8xbL9BV_D6b-qsorlzX4ZKb27WE8FdShxWZdupqYKyvBE5r1iBXV8nkGpUwsezbp16wlv5RzMa5q2qS8fjp7iT0pJtlhpHtIY3YNdDi7QULO9-1EVLYXXlu2jzo4_EtME/s1600/circuits.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJxygqoR3yVJ8xbL9BV_D6b-qsorlzX4ZKb27WE8FdShxWZdupqYKyvBE5r1iBXV8nkGpUwsezbp16wlv5RzMa5q2qS8fjp7iT0pJtlhpHtIY3YNdDi7QULO9-1EVLYXXlu2jzo4_EtME/s320/circuits.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber? </td></tr>
</tbody></table>
Next... <br />
<blockquote class="tr_bq">
<i>A robotic arm is remotely controlled over wires from 50 feet away, is it
#cyber?</i></blockquote>
<br />
This is just a variation of isolation that introduces remote control,
perhaps by a human operator. There are obviously computers involved, and
there is a cable - perhaps the CAT5 cable from my previous example. There
is a communication protocol of unknown complexity. There is also an industrial
device. But, the operators are probably confined to a warehouse, and not
attached to any large network. This is where the parallel to the Sayano
disaster starts, except that with Sayano the connection was made from 500 miles
away, not fifty feet. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3jnpZFA1WBtYeMBkBDSGLDwFbaLncW_h-OXHgq9fqo2QMp7PcRD1DQw0WWj38JXklX4LtgKMQSF5RHYo8tGVHdWci9qD8TOD8sV9Rt2ZPhIk1Y_ujIW6oVzO65-5EaYl7WBc8LMjWbvE/s1600/modem.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3jnpZFA1WBtYeMBkBDSGLDwFbaLncW_h-OXHgq9fqo2QMp7PcRD1DQw0WWj38JXklX4LtgKMQSF5RHYo8tGVHdWci9qD8TOD8sV9Rt2ZPhIk1Y_ujIW6oVzO65-5EaYl7WBc8LMjWbvE/s320/modem.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber?</td></tr>
</tbody></table>
<blockquote class="tr_bq">
<i>You dial up to the robotic arm using a modem, and give it commands, is it
#cyber?</i></blockquote>
Almost exactly the same as the previous example, except that the connection
can be made from a great distance. Does distance matter? The modem is
interesting, because the Internet used to run on them. By exposing this
dialup, one exposes a system to the world. One could say that even the
BBS networks that predated Internet adoption were a form of cyberspace.
Telephone networks are complex and span the globe, so they very much smell like
cyberspace. If you think a modem makes it cyber, you are in effect saying
that cyber requires networking. And, not just networking, but also networking
of a certain scale. If you define it this way, then ask where the
threshold lies. <br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN0tWGoD6o6lfeS3UzKQVWkIP2GNtJTaEvFY38TbO4JgtlJHpHPE7yHA3P18cDTlQLlmxlur82o46ETxk88i2o_qBZSPtElh-0GA13HbD7k4wX1LfgBvyQIjhWsVKifZ82X79a8_bSpaI/s1600/5-Channel-R-C-Plane-W-Camera.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN0tWGoD6o6lfeS3UzKQVWkIP2GNtJTaEvFY38TbO4JgtlJHpHPE7yHA3P18cDTlQLlmxlur82o46ETxk88i2o_qBZSPtElh-0GA13HbD7k4wX1LfgBvyQIjhWsVKifZ82X79a8_bSpaI/s320/5-Channel-R-C-Plane-W-Camera.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber?</td></tr>
</tbody></table>
<blockquote class="tr_bq">
<i>You have a line of sight network with a homemade model airplane that carries
a video camera, is it #cyber?</i></blockquote>
Modern in terms of technology, but small in terms of networking. Not
altogether different than the robotic arm example.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfoAYgdCFVE-KVHVLTtlvQ5I8R2xDdM1p2T1Hjsdp-nhmDlVIOINbkS1GHz8CbmVjnTgjRamF7ou8X1dmDedUjXvy-yDNEcq3sjWMg0Zd3qrWbwn179pgyEdjGg26671lNK_ZkDIlfAr4/s1600/Foto2EnhencedSkylark.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfoAYgdCFVE-KVHVLTtlvQ5I8R2xDdM1p2T1Hjsdp-nhmDlVIOINbkS1GHz8CbmVjnTgjRamF7ou8X1dmDedUjXvy-yDNEcq3sjWMg0Zd3qrWbwn179pgyEdjGg26671lNK_ZkDIlfAr4/s320/Foto2EnhencedSkylark.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber?</td></tr>
</tbody></table>
<blockquote class="tr_bq">
<i>The military has a fleet of remotely controlled drones over a city, is it #cyber?</i></blockquote>
The drone programs used by the military are 100% cyber if you use the media
as the yardstick. There is no better poster child flaunted by the modern,
technically advanced military. Any distinction between the small UAVs
controlled by a single soldier and the big UAVs controlled by teams of
soldiers seems superficial, doesn't it? The context of cyber here is not the scale of networking, but the laws
of warfare. Nation states using computers
for war is often called cyber, without regard to the details of the technology
itself.<br />
<br />
<blockquote class="tr_bq">
<i>A cloud computing infrastructure running millions of lines of code, but
isolated in the lab and not being attacked by anyone, is it #cyber?</i></blockquote>
The isolation case is being beaten to death here, but now consider the idea
of the system being attacked. Even if a complex system is not networked,
if it's being attacked by someone, does that make it a cyber attack? What
if it's a criminal, not a nation state, is it still cyber? Cyber is used in conjunction with criminal
law all the time. "Cyber-crime" is widely accepted to mean non-state actors
operating for personal gain, and has little to do with the details of the computing
technology used. Cyber is being applied
to both state and non-state computer attacks. And, hacktivism has blurred the ideological
lines between warfare and crime.<br />
<br />
<blockquote class="tr_bq">
<i>The above mentioned cloud infrastructure is a server running the latest
virtual-reality MMO with over 10 million users, is it #cyber?</i></blockquote>
<br />
OK, this was a loaded question - we can all agree on an MMO that has over 10
million users. We can probably agree that this virtual world can be
called a "cyberspace". It, after all, is the closest real
representation of the fantastic imagined world of cyberspace spawned in science
fiction many years ago. An attack on this system would most assuredly be
called a cyber attack in the media.<br />
<br />
By this definition, cyberspace is a computing environment where structure can be
visualized (at least in the mind). There is some level of interaction between forms, the most basic
being programs interacting with data, and evolving to programs that act as an extension
of a human operator. The MMO example is
simply the evolved case of a virtual reality space.<br />
<br />
Starting with isolation again…<br />
<br />
<blockquote class="tr_bq">
<i>There is an old, isolated, non-networked computer, but it has a USB port, is
it #cyber?</i></blockquote>
<br />
All we did here was introduce a non-networked interface into the otherwise
isolated computer. If this is cyber, then so is the old 1980's-era
computer from above if it has a floppy drive.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCVfi4tw72I7R2RIElvN_c-JVK-kooud_cZvqkn4HSsVkxmEAbnlo1vKrmKqHNY5mXhek256-qxekP0NJEvaPkP9fly2z4E2gyFEroDmAvfjhg5hdmJhfsEmhQswyNuqeX9bJsGbNSJFs/s1600/plcmodification.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCVfi4tw72I7R2RIElvN_c-JVK-kooud_cZvqkn4HSsVkxmEAbnlo1vKrmKqHNY5mXhek256-qxekP0NJEvaPkP9fly2z4E2gyFEroDmAvfjhg5hdmJhfsEmhQswyNuqeX9bJsGbNSJFs/s320/plcmodification.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber?</td></tr>
</tbody></table>
<blockquote class="tr_bq">
<i>If it's an old, isolated computer with a USB port, controlling a SIEMENS S7
PLC, is it #cyber?</i></blockquote>
<br />
Yeah. So if old isolated computers are not cyber, then the Stuxnet
attack on the Iranian nuclear plant isn't cyber either. That is, unless cyber is defined as a
malicious attack. But if it's only defined as attacks, that means an
accident that wipes out 10 million users in that MMO isn't a cyber event, just
an IT accident. Albeit, an IT accident that just wiped out a cyberspace
by most accounts. <br />
<br />
If cyber has to be a malicious attack, then Sayano was not cyber. But,
if cyber merely means networking of a certain scale, or remote connections, or
is independent of the age of the system, then Sayano was a cyber
accident. And more importantly, a cyber accident that illustrates what
could happen to a hydroelectric dam if it were under cyber attack.<br />
<br />
<blockquote class="tr_bq">
<i>A computer of any age with a backdoor installed by a foreign intelligence
service, is it #cyber?</i></blockquote>
<br />
Just introducing motive and ideology - a nation state sponsored attack on a
computer system would definitely be called a cyber attack by most
accounts. And, it wouldn't matter if that system were a complex computing
environment, or a lowly embedded system on a security camera.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidRoMjAHkXWtEETldSSZf6FF0xEr2H99Dmac__Vr7yKQcDoRhLCb9hKp4AdPdbrKVMFeWyv1Lf7O1fWsSPYGmJQEdbAaMdz68hVR5keg5q1-pNFGVXaWkvwjcN9eYD8rSkGVAemHsU8WY/s1600/PunchCard.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidRoMjAHkXWtEETldSSZf6FF0xEr2H99Dmac__Vr7yKQcDoRhLCb9hKp4AdPdbrKVMFeWyv1Lf7O1fWsSPYGmJQEdbAaMdz68hVR5keg5q1-pNFGVXaWkvwjcN9eYD8rSkGVAemHsU8WY/s320/PunchCard.jpg" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Is this #cyber?</td></tr>
</tbody></table>
<br />
<blockquote class="tr_bq">
<i>An experimental and 100% _mechanical_ computer is backdoored by a foreign
nation using sabotaged punch cards, is it #cyber?</i></blockquote>
<br />
Of course it is.<br />
<br />
<br />
-Greg<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" Priority="39" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->Unknownnoreply@blogger.comtag:blogger.com,1999:blog-5891905270386912206.post-26900126765020125912013-07-25T10:23:00.000-07:002013-07-25T10:23:28.346-07:00The script kiddie is deadSQL attacks are pervasive; the result is leakage of credentials. Millions of username/email + password pairs have been stripped out of compromised SQL servers and posted into public spaces. Thus, attackers are routed to corporate surface areas when employees use their work email when registering on 3rd party application sites. The insidious part is that corporations are exposed to attack even when their enterprise infrastructure is secure. The problem swells when employees re-use their passwords across multiple sites. Even when the corporation has adopted two-factor a<span style="text-align: center;">uthentication and strong password policies – an attacker may still gain access to employee personal data. That personal information can lead to secondary attack vectors against the corporation – such as direct access to the employee’s home network, mobile computing devices, and cloud data. With such vast amounts of contextual data available, it would only be a matter of time until a focused attacker can leverage something to further access into the enterprise. Previously the stuff of spy novels, attacks such as software bugging an Android phone are now very real.</span><br />
<br />
While some security consumers still think of SQL attacks as plebeian, they should remember that in <a href="http://www.verizonenterprise.com/DBIR/2013/" target="_">Verizon’s 2013 Data Breach Investigations Report™ (DBIR)</a>, <b>76% of network intrusions exploited weak or stolen credentials</b>. Remember that these stolen credentials are being posted by the millions into publicly shared cyberspaces, largely downstream of an SQL injection. Furthermore, it would be ludicrous to think that a foreign intelligence service doesn't have a desk devoted solely to exploiting these leaked credentials – it’s free access. Beyond that, consider that they may also have a budget to maintain cyber-criminal personas for directing contractors at targets or purchasing stolen information.
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6XPTzMtdj8ZxJBQEu1S0wXnhFmrhFfFChAvKOU0a51w1N354ijPFXc-rDDdZ6j4ft_-e5SJIRG-DhwyrL3smd_xevkQpI21g6SWF2FgdmzFPGikamB8EX9i2ezgv_AZpnLhn66i7imEc/s1600/leaks.png" imageanchor="1" style="margin-left: auto; margin-right: auto; text-align: center;"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6XPTzMtdj8ZxJBQEu1S0wXnhFmrhFfFChAvKOU0a51w1N354ijPFXc-rDDdZ6j4ft_-e5SJIRG-DhwyrL3smd_xevkQpI21g6SWF2FgdmzFPGikamB8EX9i2ezgv_AZpnLhn66i7imEc/s400/leaks.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Credentials stolen over an approximately 12-month period by a <u>single non-state actor</u> (courtesy <a href="http://www.veraxes.com/" target="_blank">Veraxes</a>)</td></tr>
</tbody></table>
A few years ago, some security marketing programs <u>tried very hard to draw a bright line</u> between cybercrime and APT – but a handful of us took the opposite stance (See <a href="http://www.darkreading.com/attacks-breaches/the-intersection-between-cyberespionage/240002514" target="_blank">Kelly’s article</a>) and illustrated the crossover between cybercrime and APT. Other news stories followed (<a href="https://krebsonsecurity.com/2012/05/at-the-crossroads-of-ethieves-and-cyberspies/" target="_blank">Krebs</a>, et al).<br />
<br />
Regardless of these first-hand experiences of security practitioners, security buyers still bifurcate cyber threats into “APT” and “everything else”. In this case, “everything else” means botnets, drive-by downloads, Zeus infections, defacements, and “script kiddie” attacks on websites. I have heard decision makers in security organizations tell me these are just a low-threat hygiene problem. Perhaps in the past this was true, but threats evolve. <i>[soapbox]Personally I think this is just fallout poisoning from over-aggressive marketing used to educate people about the difference between real intrusions and anti-virus solutions.[/soapbox]</i> <b>Regardless, the idea that malware and script kiddies are not dangerous is dead wrong.</b><br />
<br />
Before discounting SQL injection, WordPress backdoors, and drive-bys as the work of script kiddies or “just cybercrime”, consider that every one of these is a vector for targeted attacks. Of the thousands of credentials for Fortune 500 companies posted to the Internet in the last few months, how many have subsequently been used by hackers to access email or corporate portals?<br />
<br />
We are witnessing <b>accelerated exploitation economics</b>. Knowledge about compromises, no matter how small, now quickly disseminates across a vast network of blackhat consumers - many of whom have the means to leverage small cracks into massive breaches. I have seen a mass WordPress defacer install credential stealers that were then used for lateral movement to other servers. I have seen an SEO scammer sell server access to an interested third party. We have to see beyond the malware and look at the threat - a threat has his hands on the keyboard. So, when a drive-by download installs Citadel (a Zeus variant) on the network, the corporation is being targeted for IP theft. When a script kiddie puts a webshell on the website, the user credentials are being targeted for follow-on attack and lateral movement. When employee PII is compromised, ask who is downloading thousands of employee emails. How will this data expose your company to greater risks?<br />
<br />
Every attack matters. The script kiddie is dead.
<br />
<br />
<b>On Precision and Big Data</b> (2013-06-13T12:50:00.000-07:00)<br />
<br />
Most true-positive threat detection is rule based. We use our powers of perception and analysis to find patterns in the data. This is effective because threat behavior is highly repetitive. One can’t call this data intelligence in the strictest definition; it is more of an expert pattern. Albeit behavioral, I argue this still resides on the edge of the signature playpen. This is fine as long as it continues to work for the security marketplace (and so far it does). Regarding big data: in lieu of ingesting huge quantities of data in the hope that some needle will become self-evident, I suggest continued development of rigorous expert patterns. Of particular value are patterns that can match against host-endpoint behavior (in conjunction with netflows at the perimeter). I believe this can produce highly effective, non-specific (i.e., resilient) extraction of high-fidelity threat events. With data overload being a huge issue, the role of precision becomes ever more important.
<p>
-Greg Hoglund
<br>
<a href="http://www.veraxes.com">www.veraxes.com</a>
<br />
<br />
<b>Weaponization of Cyberspace</b> (2012-03-28T12:29:00.003-07:00)<br />
<div>The weaponization of cyberspace started with the advent of criminal enterprise, and over time has enabled cyber warfare for a mass audience. Some of the best exploitation technology was created for banking fraud. These tools include remote access botnets, multi-platform reliable exploits, command and control schemes, zero-day exploits, and blackhat VPNs for anonymous access to the Internet.<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUCq8oNK6jh6-RqSTitfzz3oTMaHaUYa7wJa78sSKYUcQG04fGN07vCmx7OjtUWlbdUjzxAJkhe7Du_q37eunqM9n7BJIsTGLQDuMvqWUYu-d0TiCGx9ifIm_Ft8WnlPoWia2XSPhSgr4/s1600/weaponization.png"><img style="margin: 0px auto 10px; width: 400px; height: 245px; text-align: center; display: block; cursor: pointer;" id="BLOGGER_PHOTO_ID_5716499647326090146" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUCq8oNK6jh6-RqSTitfzz3oTMaHaUYa7wJa78sSKYUcQG04fGN07vCmx7OjtUWlbdUjzxAJkhe7Du_q37eunqM9n7BJIsTGLQDuMvqWUYu-d0TiCGx9ifIm_Ft8WnlPoWia2XSPhSgr4/s400/weaponization.png" /></a><br />Because the technology was developed in the underground it can be purchased by anyone - it's unclassified and not controlled by state security. As a result, very advanced attack technology has been disseminated to a greater population and non-state threat actors have emerged. Now individual citizens can access the same weaponized technology that was previously used only by state-level efforts to conduct espionage that advances national interests. These same 'rogue hacking groups' have emerged with mixed ideological goals - many of them anti-state, religious extremist, and anti-corporate.
There are hundreds of internationally organized groups that can be enumerated by anyone willing to do a little open-source intelligence research.<br /><br />The weaponization of cyberspace is a key driving force that started with criminal enterprise, but has grown into a much larger context. Exploitation of systems can now be combined with the exploitation of online media. I predict that traditional terrorist methods will be replaced largely due to the immediate attention an amateur can bring to their cause by latching on to a brand name and posting their ideological views via the countless social outlets available to them. Because the press does not traditionally frequent cyber cafés in remote parts of the world (where western ideology and freedom aren’t necessarily embraced), would-be terrorists will seek more effective means to distribute and influence from whatever rock they're hiding under. Cyberspace offers far less exposure and risk than carrying a cell phone detonator in a busy marketplace. No, it is far easier to tap out a few keystrokes and get your shot at trending, getting linked, liked, and retweeted. In terrorism the goal is messaging, and those with things to say have found their outlet. Whether highly sophisticated abroad, or in the deepest darkest caves, or down in the basement of their parents’ home, the Internet is their soap box.<br /><br />-Greg</div>
<br />
<b>The Changing Face Behind the Keyboard</b> (2012-03-09T12:44:00.000-08:00)<br />
At my recent RSA presentation, I talked about the evolution of cyber threats over the last decade and the slowly shifting goals and intent of the hacking groups behind them. Most of us remember the romantic hacker vision - the lone college student exploring systems for fun, not profit.
Mostly harmless, this quest for learning at the center of the hacker ethic led to tremendous innovation in Silicon Valley and elsewhere. But the advent of online banking in the mid-2000s changed everything. The criminal goal became profit. This created a malware economy, and something I call the "weaponization of cyberspace" - a trend towards making cyber weapons easier and easier for non-programmers to use. Then, around 2005-ish, we started to see organized and wide-scale attacks into military and defense systems that seemed to originate from foreign intelligence. The malware behind these attacks was not altogether different from known toolkits (think Back Orifice 2000) - but far more interesting was the fact that these toolkits were custom-made and each attack group seemed to compile their weapons from private source code. It didn't take long for these attackers to branch into commercial space - most specifically heavy industry and energy. This made sense from a national perspective, as China's (and others') need to dominate the world energy market is critical to their expansion.<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzFQmHwnUtdnDY6cA3Qds19M2jVAvVb66mFoHIfm3dEd97MDns7Kf2vXPN1nkXQHEgM90PyTjSDk87BetrWV9bLy-2x2aknrzya9bb3jjjJY881gZjQzhH57AoyDUmvRRHWsAKVhliXK0/s1600/threat_over_time.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 240px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzFQmHwnUtdnDY6cA3Qds19M2jVAvVb66mFoHIfm3dEd97MDns7Kf2vXPN1nkXQHEgM90PyTjSDk87BetrWV9bLy-2x2aknrzya9bb3jjjJY881gZjQzhH57AoyDUmvRRHWsAKVhliXK0/s400/threat_over_time.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5716499640540261618" /></a><br /><br />Now, with hacktivism, non-state actors are targeting these very same systems.
These rogue threats are focusing on manufacturing, defense, the financial sector, and more - organizations traditionally targeted by state-level espionage. <br /><br />So, what is next?<br /><br />While attitudes against the state are a common recurring theme among younger people in every nation, they rarely blossom into full-blown terrorism. Yet that is exactly what is occurring right now. As cyber warfare shifts from state-level coordinated espionage operations to unstructured personal action, the chance of attacks (both physical and cyber) on citizens and the livelihoods of innocent people increases dramatically. The Internet will play a big part in future terrorist attacks - not just because systems can be hacked, but also because of how the Internet has changed media and journalism. As I detailed in my post on <a href="http://fasthorizon.blogspot.com/2011/07/asymmetric-warfare-and-cyber-terrorism.html" target="_">Asymmetric Warfare and Cyber Terrorism</a> last July, remember that terrorism is first and foremost about messaging. Blurring the lines of truth, the Internet mediasphere has surpassed all other forms of traditional journalism and has become an information weapon, disseminating propaganda in conjunction with social media campaigns far more effectively than a single actor detonating a car bomb in Karachi could ever achieve.<br /><br />I will be giving a webcast version of my RSA presentation next Wednesday (March 14th, 11AM PST) for those who are interested. The RSA registration link is <a href="http://www.rsaconference.com/online" target="_">here</a>. <br /><br />-Greg
<br />
<br />
<b>Detecting APT Attackers in Memory with Digital DNA™</b> (2011-11-02T11:26:00.000-07:00)<br />
<br />
HBGary’s Digital DNA™ system is an alternative to traditional signature-based approaches to detecting malicious backdoors.
While the “APT is not Malware” mantra is common, APT commonly uses malware. To be precise, APT is just a hacker in the network. Remote access to the network is guaranteed only through stolen VPN credentials, or through the placement of a remote access tool (RAT) – in other words, malware. So, enter DDNA.<br /><br />DDNA is designed around generic detection of subversive code. To do this, HBGary disassembles everything on-the-fly and pushes it through a sieve of regular expressions that match against control flow and data flow features. I thought it would be fun to delve into some specific examples.<br /><br />As Martin recently pointed out in his <a href="http://bit.ly/mZpTBj" target="_">blog post</a>, APT has started to use in-memory injection as a means to hide code. We have noticed remote-access functions injected and split over a range of memory allocations.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinfw3DR4gxBIZ6SyRRWPaYnwYebz_Z91bM8bzNbaqBrELqIn9lZf4gZRXrItEP3Fo96Dy6AjSwoWQ1wlL1qO52b_LteD6JF64kdurroyo6FaSVF2dAmEPPc6rBihbqFfmNAhyVWOG3G8Y/s1600/4kmodules_2.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 207px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5670479007173535250" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinfw3DR4gxBIZ6SyRRWPaYnwYebz_Z91bM8bzNbaqBrELqIn9lZf4gZRXrItEP3Fo96Dy6AjSwoWQ1wlL1qO52b_LteD6JF64kdurroyo6FaSVF2dAmEPPc6rBihbqFfmNAhyVWOG3G8Y/s400/4kmodules_2.png" /></a><br />In the screenshot, you can see a dozen 4K (0x1000) allocations injected into explorer.exe. (Note: this type of activity can be detected using the free <a href="http://www.hbgary.com/hbgary-releases-responder-ce" target="_">Responder CE</a>.) Each page of memory contains only a tiny portion of the overall malware – something that would frustrate most AV scanners.
However, the allocations themselves are suspicious to Digital DNA™, and in particular the last page has a suspicious code fragment that scores quite heavily in Digital DNA™. This illustrates why a filesystem-only view is not sufficient to detect APT tools. Many advanced techniques involve modifications to the running system and can only be detected in memory.<br /><br />In this example, the hacker hasn’t hooked anything. Instead, he starts some additional threads to service the malware code. Even though the malware has been split over a dozen pages, the hacker has only started two threads. In this example, allocations #8 and #11 each host a thread subroutine. The other memory pages each hold specific subroutines. For example, one of the memory pages has a function for installation into the registry, while another has a function for hiding a copy of the malware in an alternate data stream. It’s these suspicious behaviors that Digital DNA™ is focused on detecting. Furthermore, it’s the behaviors being used together that will really light up color-coded DDNA alerts.<br /><br />One suspicious feature is when code exists outside the bounds of a known module. This will occur if the hacker allocated additional space for storing an injected routine. This is commonly done using <code>VirtualAllocEx()</code>, but can also be achieved using the stack of an injected thread. In the latter case, <code>CreateRemoteThread()</code> is used with a stack size argument large enough to store an injected routine. In either case, executable code is detected outside of a defined module, and this will score as suspicious by default even without further analysis.<br /><br />Moving further, however, injected code is typically handwritten assembly. In most cases, the operational code will not resemble known compiler patterns (such as code compiled by Visual C++ or Borland). 
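<br /><br />The first of those checks, committed executable memory that no loaded module accounts for, is simple enough to script yourself. What follows is an added example written for this post, not HBGary code: a pure classification function, a small Win32 collector built on <code>VirtualQueryEx()</code> and <code>EnumProcessModules()</code>, and a constructed snapshot that mimics the explorer.exe case above (private 4K pages). The snapshot is not taken from a real system, and the collector only runs when you pass a PID on a Windows host.

```python
"""List executable memory that no loaded module accounts for.

Added example for this post, not HBGary code. Region/Module mirror what
VirtualQueryEx() and EnumProcessModules()/GetModuleInformation() return;
the snapshot at the bottom is constructed, not captured from a real process.
"""
import sys
from collections import namedtuple

# winnt.h constants
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80       # the four PAGE_EXECUTE* values

Region = namedtuple("Region", "base size state protect type")   # one VirtualQueryEx() answer
Module = namedtuple("Module", "name base size")                  # one entry of the module list


def in_any_module(region, modules):
    end = region.base + region.size
    return any(m.base <= region.base and end <= m.base + m.size for m in modules)


def orphan_exec_regions(regions, modules):
    """Committed, executable regions that lie outside every loaded module.

    A VirtualAllocEx() buffer, a remote thread's oversized stack made
    executable, or an image unlinked from the module list all land here;
    a normal .text section does not, because its module covers it.
    """
    return [r for r in regions
            if r.state == MEM_COMMIT
            and r.protect & PAGE_EXEC_MASK
            and not in_any_module(r, modules)]


def snapshot_live_process(pid):
    """Collect (regions, modules) from a running process. Windows only."""
    import ctypes
    from ctypes import wintypes

    class MBI(ctypes.Structure):          # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD), ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)]

    class MODULEINFO(ctypes.Structure):
        _fields_ = [("lpBaseOfDll", ctypes.c_void_p), ("SizeOfImage", wintypes.DWORD),
                    ("EntryPoint", ctypes.c_void_p)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    psapi.EnumProcessModules.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                         wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    psapi.GetModuleInformation.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                           ctypes.POINTER(MODULEINFO), wintypes.DWORD]
    psapi.GetModuleFileNameExW.argtypes = [wintypes.HANDLE, wintypes.HMODULE, wintypes.LPWSTR, wintypes.DWORD]

    handle = k32.OpenProcess(0x0400 | 0x0010, False, pid)  # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, mbi, addr = [], MBI(), 0
    while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        base = mbi.BaseAddress or 0
        regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
        addr = base + mbi.RegionSize
    hmods, needed = (wintypes.HMODULE * 1024)(), wintypes.DWORD()
    psapi.EnumProcessModules(handle, hmods, ctypes.sizeof(hmods), ctypes.byref(needed))
    modules = []
    for i in range(min(1024, needed.value // ctypes.sizeof(wintypes.HMODULE))):
        info, name = MODULEINFO(), ctypes.create_unicode_buffer(260)
        psapi.GetModuleInformation(handle, hmods[i], ctypes.byref(info), ctypes.sizeof(info))
        psapi.GetModuleFileNameExW(handle, hmods[i], name, 260)
        modules.append(Module(name.value, info.lpBaseOfDll or 0, info.SizeOfImage))
    k32.CloseHandle(handle)
    return regions, modules


# Constructed snapshot: a 32-bit process with two private, executable 4K pages.
SAMPLE_MODULES = [
    Module("explorer.exe", 0x01000000, 0x000FF000),
    Module("ntdll.dll", 0x7C900000, 0x000B2000),
]
SAMPLE_REGIONS = [
    Region(0x01001000, 0x000C0000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),         # explorer .text
    Region(0x00140000, 0x00001000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # injected page
    Region(0x00150000, 0x00001000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # injected page
    Region(0x00200000, 0x00010000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),          # plain heap
    Region(0x7C901000, 0x0007E000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),         # ntdll .text
]

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        regions, modules = snapshot_live_process(int(sys.argv[1]))
    else:
        regions, modules = SAMPLE_REGIONS, SAMPLE_MODULES
    for r in orphan_exec_regions(regions, modules):
        print(f"0x{r.base:08x} size=0x{r.size:x} protect=0x{r.protect:02x} type=0x{r.type:x}")
```

On Windows, running the script with a PID walks the live process; anywhere else it runs against the constructed snapshot and reports the two private RWX pages. Unbacked executable memory is also how JIT engines and some copy-protection behave, so treat a hit as a lead to inspect rather than a verdict on its own.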
In particular, the code may contain position-independent operations – function calls and data references that are designed to work independent of the address where the code lives in memory. These are further indicators of suspicion. In my experience, the only time this kind of code appears in a legitimate binary is when DRM is being used (DRM looks and smells like malware anyway).<br /><br />To look back at our example, it had some interesting techniques for embedding data inline with code:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_jO9T0Czhn4zJHGx7eUosFizzwJPsmBxP68LInhEUYd-QvRx8_vYUdVKRIArkzq6Ckyx_lTdexm1peuVV1q6faUnATJ2V052vRmXw34v0yXDsiuZffEqjiV4Abc9Xb0WxFYKP37NEBPc/s1600/codelisting_1.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 78px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5670479056451567186" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_jO9T0Czhn4zJHGx7eUosFizzwJPsmBxP68LInhEUYd-QvRx8_vYUdVKRIArkzq6Ckyx_lTdexm1peuVV1q6faUnATJ2V052vRmXw34v0yXDsiuZffEqjiV4Abc9Xb0WxFYKP37NEBPc/s400/codelisting_1.png" /></a><br />In the example, you see the “w32_32” string in use, but what makes this interesting is how the string is embedded inline to the code. Right before the string we see a short call that jumps over the string, and code execution continues on the other side. 
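<br /><br />That idiom works because CALL pushes the address of the next byte as its return address; when the next byte is the first character of the string, the callee can simply pop a pointer to the string, with no absolute address anywhere in the code. The scanner below is an added example, not Digital DNA™ trait logic: it looks for a forward <code>E8 rel32</code> whose displacement exactly skips a printable, NUL-terminated string and, in the same pass, for the related <code>CALL $+5</code> (GetPC) idiom that position-independent code uses to learn its own address. The sample bytes are constructed; the string in them is just a stand-in for the inlined string in the screenshot.

```python
"""Generic detection of two hand-written-shellcode idioms in raw x86 bytes.

Added example, not HBGary's Digital DNA. The sample bytes are constructed.
"""
import struct

PRINTABLE = frozenset(range(0x20, 0x7F))   # ASCII space..tilde


def call_over_string_sites(code, min_len=4):
    """Find E8 rel32 (CALL) instructions whose displacement skips a printable,
    NUL-terminated string. The CALL pushes the string's address as the
    'return address', handing the callee a pointer to it without any fixed
    address being encoded. Returns [(call_offset, target_offset, string)]."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        start, end = i + 5, i + 5 + rel
        if rel <= min_len or end > len(code):          # forward, long enough, inside buffer
            continue
        skipped = code[start:end]
        nul = skipped.find(0)
        if nul < min_len or any(b not in PRINTABLE for b in skipped[:nul]):
            continue
        hits.append((i, end, skipped[:nul].decode("ascii")))
    return hits


def getpc_sites(code):
    """Offsets of 'CALL $+5' (E8 00 00 00 00): the classic GetPC trick, where the
    next instruction pops its own address off the stack."""
    return [i for i in range(len(code) - 4) if code[i:i + 5] == b"\xE8\x00\x00\x00\x00"]


# Constructed fragment: a call that hops over an inline DLL name, then a GetPC.
SAMPLE = (
    b"\x55\x8b\xec"                      # push ebp ; mov ebp, esp
    b"\xe8\x0b\x00\x00\x00"              # call +0x0b -> lands just past the 11 bytes below
    b"ws2_32.dll\x00"                    # inline NUL-terminated string (10 chars + NUL)
    b"\x5e"                              # pop esi  ; esi = address of "ws2_32.dll"
    b"\xe8\x00\x00\x00\x00"              # call $+5 ; GetPC
    b"\x5b"                              # pop ebx  ; ebx = address of this pop
    b"\xc3"                              # ret
)

if __name__ == "__main__":
    for off, target, text in call_over_string_sites(SAMPLE):
        print(f"call-over-string at 0x{off:x} -> 0x{target:x}: {text!r}")
    for off in getpc_sites(SAMPLE):
        print(f"GetPC at 0x{off:x}")
```

Both checks are byte-pattern heuristics with no disassembly behind them, so run them over code regions only (the orphan allocations, for instance) and keep <code>min_len</code> high enough that random data does not pass the printable test.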
Again, this idiom is suspicious and can be detected generically, as opposed to reliance on a specific string or byte pattern.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjROrqLJ5UhaMyMpeQpdicfjSJ9U5IFtDJPQLB6m8uo3fLakr-PlcjwPzFQ8khkEn6V5o8OUeChbNK6LsQdvxWRN-h4dSOynHjUiwrJNG8RatMN6zXCWuEvSI3iUivNkF7UqUoSUxA-VYY/s1600/16_30.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 48px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5670479019597285986" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjROrqLJ5UhaMyMpeQpdicfjSJ9U5IFtDJPQLB6m8uo3fLakr-PlcjwPzFQ8khkEn6V5o8OUeChbNK6LsQdvxWRN-h4dSOynHjUiwrJNG8RatMN6zXCWuEvSI3iUivNkF7UqUoSUxA-VYY/s400/16_30.png" /></a><br />In the case of Digital DNA™, code <code>16 30</code> detects short calls and jumps over inlined networking related strings. How did we get here? HBGary detected that some APT groups were producing this code pattern as a result of some code-level anti-forensics tools. This is exactly the kind of pattern that produces big wins on the detection side as the code is often cut-and-paste or the obfuscation is applied in batch to otherwise custom-compiled malware. (Of course, now that I’ve blogged about it they will switch off to another trick – it’s OK, we have thousands of traits to detect suspicious behaviors).<br /><br />Another example of handwritten code is the CRC function used by the hacker to load his table of function pointers. This CRC-based technique has been around in shellcode for a long, long time <i>(digression: I think I released the first public CRC loader in shellcode in the early 2000’s – it was 32-bit CRC. Thinking back, Halvar Flake publicly released a better and smaller 16-bit CRC loader in shellcode shortly afterward. 
The technique has been written about many times since).</i><br /><br />The routine that actually calculates the CRC is usually hand-made – so it too can become a form of attribution. But even if it’s not hand-made, the proximity of CRC to a <code>GetProcAddress()</code> call would be indicative of this pattern. In our APT example, the author has created a CRC for loading a function table:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAb0HUTiPGaqNmSLi8xjWQHrCuza-TjgsweLTt8k6hY1gcQ5Nr1FNAE9po7nsnx8HZTW9SCzBpLpzb4ScfK8x9u2inoPGlX_A1-aWMvwzKLA8iEMCmxF4xqNVGu70G_wUsX7hnsldWUfA/s1600/codelisting_2.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 149px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5670479066864814610" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAb0HUTiPGaqNmSLi8xjWQHrCuza-TjgsweLTt8k6hY1gcQ5Nr1FNAE9po7nsnx8HZTW9SCzBpLpzb4ScfK8x9u2inoPGlX_A1-aWMvwzKLA8iEMCmxF4xqNVGu70G_wUsX7hnsldWUfA/s400/codelisting_2.png" /></a><br />The CRC calculation is referenced from a routine that is rolling through <code>KERNEL32.DLL</code> and calling <code>GetProcAddress()</code>. This pattern screams for attention “Hey! I’m malicious!”<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6m0X2RTW7yrkDLifeLacrVlqlfFh7HUfyTVQZXzy-Pt21OxvPV57LRrtWgc6XG-1fRkc_5lsNVv4Wzh57aYT1Li4HXLENfkIZrLVs92EETKYYFfdzdtSktMPo6jP14-m89xLlQqhvaoQ/s1600/C3_F7.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 45px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5670479039589942898" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6m0X2RTW7yrkDLifeLacrVlqlfFh7HUfyTVQZXzy-Pt21OxvPV57LRrtWgc6XG-1fRkc_5lsNVv4Wzh57aYT1Li4HXLENfkIZrLVs92EETKYYFfdzdtSktMPo6jP14-m89xLlQqhvaoQ/s400/C3_F7.png" /></a><br />So again, Digital DNA™ for the win. 
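<br /><br />From the defender's side, the same CRC that lets the loader avoid plaintext API names lets you recover which APIs it resolves: hash every export name of the DLL it walks and look for the resulting constants in the code. The script below is an added example, not an HBGary trait. It assumes the loader hashes the ASCII export name with a plain CRC-32 (the post says a 32-bit CRC, but the exact polynomial and input are sample-specific, so <code>hash_fn</code> is a parameter you adjust after reading the routine). The kernel32 export list is a constructed subset, and the loader fragment is constructed.

```python
"""Recover which APIs a hash-based loader resolves by hashing candidate export
names and matching the constants embedded in the code.

Added example, not HBGary code. CRC-32 is assumed because the post describes a
32-bit CRC loader; swap hash_fn for whatever a given sample really uses.
The export list and the loader bytes are constructed.
"""
import struct
import zlib

# Constructed subset of kernel32.dll exports. A real tool would walk the export
# directory of the DLL (on disk, or the mapped image in a memory dump).
KERNEL32_EXPORTS = [
    "CloseHandle", "CreateFileA", "CreateRemoteThread", "CreateThread",
    "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "VirtualAllocEx",
    "WinExec", "WriteProcessMemory",
]


def crc32_name(name):
    """CRC-32 (IEEE, as in zlib) of the ASCII export name."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def hash_table(exports, hash_fn=crc32_name):
    """Map hash -> [names]; a list because short hashes (16-bit CRCs) collide."""
    table = {}
    for name in exports:
        table.setdefault(hash_fn(name), []).append(name)
    return table


def find_api_hashes(code, table, width=4):
    """Scan every offset for a little-endian immediate that is a known export
    hash. Returns [(offset, names)] in offset order. Scanning every byte offset,
    rather than only after PUSH/MOV/CMP opcodes, keeps the check independent of
    how the loader happens to compare the values."""
    fmt = "<I" if width == 4 else "<H"
    hits = []
    for off in range(len(code) - width + 1):
        value = struct.unpack_from(fmt, code, off)[0]
        if value in table:
            hits.append((off, table[value]))
    return hits


# Constructed loader fragment: push <hash> ; call resolve, twice, then a decoy.
SAMPLE_LOADER = (
    b"\x68" + struct.pack("<I", crc32_name("LoadLibraryA"))
    + b"\xe8\x00\x00\x00\x00"
    + b"\x68" + struct.pack("<I", crc32_name("GetProcAddress"))
    + b"\xe8\x00\x00\x00\x00"
    + b"\x68\x41\x41\x41\x41"          # push 0x41414141: not an API hash
)

if __name__ == "__main__":
    for off, names in find_api_hashes(SAMPLE_LOADER, hash_table(KERNEL32_EXPORTS)):
        print(f"offset 0x{off:x}: {', '.join(names)}")
```

With a 16-bit CRC, use <code>hash_table(exports, lambda n: crc32_name(n) &amp; 0xFFFF)</code> and <code>width=2</code>; expect many more false positives and confirm each hit against the disassembly. Once the hash routine itself has been identified, the pairing of its output with the export names is what turns the loader's string-avoidance into attribution data.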
The CRC can be detected using a generic method, and when detected in control flow in proximity to a <code>GetProcAddress()</code> loop, it scores hot with trait <code>C3 F7</code>.<br /><br />These are just some examples of how Digital DNA™ focuses on analyzing the code itself, as opposed to blacklisted MD5’s or ASCII strings. It is not possible to specify these behavioral patterns with simple languages like OpenIOC or even ADXML (Active Defense’s XML for scan policies) – they can only be detected programmatically. That is why our product Active Defense doesn’t depend on IOC’s alone to do the job – in fact, Active Defense starts with full physical memory analysis and Digital DNA™ sequencing. IOC’s come second and only if the user wants to extend the default detection capability with custom threat intelligence. The two methods work well together, Digital DNA™ to detect new and unknown threats, and IOC’s as a follow-up sweep for known APT behaviors.<br /><br /><b>Using IOC’s effectively</b><br /><br />One of the reasons we invented Digital DNA™ is because IOC’s alone aren’t good enough. A problem arises when IOC’s are only used to detect known threats. Think about this – if your IOC’s are just a blacklist of recently discovered malware MD5’s and unique strings then it’s equivalent to a small AV dat file. Even though IOC’s can be used to detect TTP’s (e.g., scanning the enterprise for split RAR archives or recent use of ‘net.exe’) we generally see them employed to detect specific malware files. If your organization has a database of IOC’s then look for yourself. How many entries have MD5 checksums? How many are specific to a malware sample, a specific registry key used to survive reboot, etc? If you see an overabundance of these signatures then beware – this is the same old blacklist-driven security model that has been failing us for over 10 years now. 
On the other hand, if you are using IOC’s to scan for more generalized things, such as command-line usage, access times on common utilities, executables in the recycle bin, etc., then you are on a far better trajectory. I support open intelligence sharing, but I caution you against falling into the “magical strings” bucket. Too often our industry shares threat intelligence in the form of blacklisted MD5’s or IP addresses – this kind of threat intelligence is nearly useless.<br /><br />HBGary’s managed services team generates many IOC’s in the course of their work, and I am happy to say that we share all of them with our Active Defense customers – we don’t keep them secret. They are provided automatically in the form of a library that is auto-updated. Customers can pick and choose from many search definitions and use these as a basis to create their own custom searches. Our team tries to steer away from malware-specific indicators, and instead focuses on the generic attack patterns that can be detected at the host. We give these to our customers because we want them to get the most from our software. We enable people to be self-reliant.<br /><br />When you use Digital DNA™ and IOC’s together, you aren’t relying on a “magical bag of strings” that go stale every two months. Instead, you are detecting new threats and then using IOC’s to apply attrition against the attacker’s persistence. This is a strong defensive position. This is why our proven behavior-based solution approach is increasingly winning us new customers – even unseating our competition in many accounts.<br /><br />-Greg<br /><br /><b>APT - The Plain Hard Truth</b> (2011-09-22)<br /><br />The survivors from the front line have reported in. We stand on the ridge, a tangled mess of bodies behind us. 
We are the ones who have chased the demon, descending into the binary pit the users call the “enterprise”, and climbed up the other side. What we have seen is not pretty. The collective corporate filesystem is a parking lot for castaway software barely able to run on modern operating systems, squeezing the last bit of life out of burned out win32 DLL’s. There are big piles of unwashed garbage downloaded by employees that were passing by, never deleted, never clean. The strangest mutated crap has been swept tightly into temporary directory corners that have since calcified and become permanent.<br /><br />More than a single digit percentage of these software programs are a biohazard. Some are just plain broken, wheezing out juice from a hooked windows message chain just long enough to cough up and die, only to be resurrected by the swift kick of a boot-time registry key the next time the machine reboots. Some have pretty little labels of well-known companies – clearly so you won’t look twice at them and notice how they are exfiltrating personal browsing statistics and other data to some cloud server – really like malware but allowed by the EULA that you didn’t read. Some of these things don’t seem to have any purpose but to act as a low-fidelity binary listening device.<br /><br />Everything looks bad. So, it’s no wonder that hackers can just plug something new in and nobody notices. As long as it doesn’t infect five million residential banking customers then nobody is going to have a description of the suspect. That is the reality of hacking today, and it has nothing to do with advanced persistent threat. It has to do with the enterprise and the complete LACK of control you have over the endpoint. When security is limited to the network perimeter, you are not in control. Oh, and what a breath of fresh air the mobile device is. 
A new pile of software, mostly social media, that is directly connected to thousands of strangers that are not your employees, communicating in real-time with processes running within your defensive wall. In effect, you now have thousands of potential multi-homed routers to 3G-space* from your network that don’t belong to you.<br /><br /><i>*4G if you’re lucky</i><br /><br />Here are some basic security facts:<ul><li>Today, malware is a tool for persistent adversaries<br /></li><li>Adversaries are financially or politically motivated<br /></li><li>Intrusions involve a real human being or hacking group that targets your organization directly (*)<br /></li><li>Attackers are motivated to steal something from your network</li></ul><blockquote><i>*Somehow in the mid-2000’s it seems like the security industry lost its way and forgot about the basic tenets of Hacking Exposed – unfortunately you cannot condense a set of MD5 checksums out of the hacker problem.</i></blockquote>Recently during presentations I have outlined three primary threat groups we face today. I have illustrated the evolution of these in the following diagram.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrKo5r3pFDUcYGn0Y6JdxzTOp75DUiTF2JjHkzC6Tvbo7jq3rOod33hUkBFnwsnquRCKGHOiA4b-HoEJgf2lWFb6qySIEFLBljPwXmuPXnsqQ3mlcwByGOArQrsG6MZZteO-U9OYHGhJA/s1600/evollution_cyberthreat.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 293px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrKo5r3pFDUcYGn0Y6JdxzTOp75DUiTF2JjHkzC6Tvbo7jq3rOod33hUkBFnwsnquRCKGHOiA4b-HoEJgf2lWFb6qySIEFLBljPwXmuPXnsqQ3mlcwByGOArQrsG6MZZteO-U9OYHGhJA/s400/evollution_cyberthreat.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5655270125968022242" /></a><br /><b>A. 
Criminal Enterprise</b> – these are the guys who make more money than drug cartels and the reason a malware economy emerged over the last few years. This is what mere mortals mean when they talk about malware, and the reason people get malware and hackers mixed up all the time.<br /><br /><b>B. Rogues</b> – these are the hacking groups that you can enumerate on any given day. There are hundreds, if not thousands worldwide. These guys are all capable. The graph expands much more slowly than criminal enterprise because they aren’t fueled by cash. As early as 2000 these guys were already defacing, DDOSing, and partaking in ‘mostly harmless’ hackery. Yet, a small subset have always been deeply malicious and get pleasure out of destroying things. Others pick up a cause and act like cyber terrorists. And still others really are cyber terrorists.<br /><br /><b>C. Rogues meet cash</b> - these hired mercenaries are the ones who write malware, sell zero day, and get sucked into the vortex of organized crime. These guys are very, very dangerous.<br /><br /><b>D. The problem today</b> - all the membranes have been breached - the threat is blended. We live in a time where a state interest can simply buy access to adversary networks from criminals who are selling their botnets. Where state sponsored attacks can be vectored through private hacking groups. Where private hacking groups can fund their operations from cybercrime, while targeting corporations and governments with methodology indistinguishable from APT. There is no tidy bucket to place the threat, all the wires are now crossed. The only thing that is consistent here is that hacking is hacking, and it always looks and smells the same when you see it. This is why the term ‘APT’ is so tired.<br /><br /><b>E. Private hackers working for the man</b> - when you catch Chinese malware in a DoD contractor network, it almost always looks like it was written by a “kid”. 
This “kid’s” malware is then used to steal the plans for a weapons program that can only have value to the PLA. All the security vendors looking at APT come up with corny little codenames for all the hacking groups (HBGary included), but at the end of the day it’s all the same thing.<br /><br /><b>F. Thank God for APT</b> - a board room level term that we can all use to cover our you-know-what when we tell the man our millions of dollars in security spending has done nothing for us.<br /><br />If you want a no-holds-barred, no excuses, and no-snakeoil analysis of APT and the reality of countering it, you should check out HBGary’s new whitepaper <a href="http://www.hbgary.com/the-new-battlefield" target="_">The New Battlefield</a>.<br /><br />-Greg<br /><br /><b>Social Terrorism</b> (2011-09-07)<br /><br />Social networking does something to people, intoxicating them with near-zero accountability for impulsive behavior protected under a banner of free speech. Fierce defenders of the social media revolution think that because this technology is novel, somehow it should be afforded a special layer of protection. Social media empowers people, but it shouldn't make free speech apply to all forms of the 'fire in a crowded theatre'. Thankfully there are policy makers and courts who still feel that inciting violence, organizing illegal activities, causing riots, partaking in slander and libel, or harassment and abuse is wrong and/or criminal in nature <i>regardless of the medium of communication</i>.<br /><br />New forms of 'fast and wide' communication technology have effectively armed common citizens with an information warfare tool. This is fine, but handle with care. Like any real tool of value, it can cut you. This is not a free speech issue, it's one of safety. 
When BART wants to shut down communications due to the threat of riot and crime, it's their right to do so. When Philadelphia wants to put a curfew in place to stop <a href="http://articles.cnn.com/2011-08-16/justice/maryland.flash.mob_1_flash-mob-police-patrols-social-networking-sites?_s=PM:CRIME" target="_">flash mobs</a>, they are protecting the citizen. When authorities in London want to curb-stomp looting they should be able to do things like shut down <a href="http://www.telegraph.co.uk/news/uknews/crime/8689076/London-riots-Twitter-users-face-arrest-for-inciting-looters.html" target="_">riot tweeters</a>. When the NYPD runs an <a href="http://articles.nydailynews.com/2011-08-10/local/29887819_1_social-media-facebook-and-twitter-kamisha-richards" target="_">intelligence group</a> to hunt down terrorists and criminals on Facebook and Twitter, it's their right to do so - in fact, it's THEIR JOB to do so. If you are dumb enough to put your personal information on the 'net and then commit crimes, fair play (as Lulzsec has learned). Social media companies have a responsibility to work with government, law enforcement, and private authorities to ensure that they aren't enabling damage. Terrorists using Twitter are still terrorists.<br /><br />When someone falsely claims a bomb threat, they are committing a crime. When they do it on Twitter, they are still committing a crime. As two people <a href="http://edition.cnn.com/2011/WORLD/americas/09/07/mexico.twitter.analysts/index.html?hpt=hp_bn11" target="_">just learned in Mexico</a>, putting it on Twitter doesn't make it legal. And, several men were jailed in the UK for <a href="http://www.cbsnews.com/stories/2011/08/17/501364/main20093364.shtml" target="_">using Facebook to incite violence</a> during the riots. And today it's common for cases to be won against cyber bullying. 
Yes, embrace social media, but don't think that entitles people to be assholes.<br /><br />-Greg<br /><br /><b>Inside an APT Covert Communications Channel</b> (2011-08-16)<br /><br /><blockquote><i>Note: I shortened the title of the post from "Inside an APT “Comment Crew” Covert Communications Channel" to "Inside an APT Covert Communications Channel". To be clear, multiple threat groups are using HTML comments as a means of COVCOM. Thus, this should be considered a general technique as opposed to attribution on a specific group. Both Shady RAT and "Comment Crew", as well as others with additional codenames, have been associated with the use of HTML comments as a means of COVCOM.</i></blockquote>
<br />For many years, hackers operating out of China have been attacking a myriad of commercial and government systems here in the US and abroad. The term “APT” or Advanced Persistent Threat has often been used to describe these attackers. While HBGary is primarily a product company selling an enterprise incident response product, the team has been deep into APT analysis for over five years. Most of the analysis work is in direct support of Digital DNA – an <a href="http://www.hbgary.com/digital-dna" target="_">automated system for detection of unknown malware and APT intrusions</a>. I presented a technical description of how this attribution works, what it solves and what it doesn’t, <a href="http://www.youtube.com/watch?v=k4Ry1trQhDk" target="_">at the BlackHat Conference last year</a>. The work is about tracking threat groups – that is, tracking the humans and the human factors behind the digital artifacts we see. There are many hacking groups involved in these intrusions. One such group has often been called “Comment Crew” for their use of HTML comments as a means of command and control. This group has been associated with the recent “Shady RAT” intrusion revealed by McAfee. For this article I am going to give you a technical in-depth tour of how such a group operates.
<br />
<br />For starters, the attackers will gain access to the network via spear-phishing. In almost all cases we have investigated, spear-phishing was the initial point of infection. These phishing emails are full of very specific project names, names of associates, official sounding documents, etc. It is very clear that the hacking group is using stolen email to learn about their targets before crafting a very convincing email. This underscores why the recent spate of SQLi attacks over the last few months poses a far greater threat than most people realize: the mail archives and contact lists dumped in those breaches are exactly the raw material for the next round of convincing spear-phishing.
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfKidnsVTR1c3UrxZfnGTIGM4deeA0u3HDaqgAb0G9O76kb8TZs5KoLNtmdzXD2HUJnewnh_MfOcUOU0WzBEWdS8glfBVd-qWljKzI9LddE7yFVzOk1bNK-sbBPiHLnrnZSgLCvCBEUQ0/s1600/phase1.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 182px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfKidnsVTR1c3UrxZfnGTIGM4deeA0u3HDaqgAb0G9O76kb8TZs5KoLNtmdzXD2HUJnewnh_MfOcUOU0WzBEWdS8glfBVd-qWljKzI9LddE7yFVzOk1bNK-sbBPiHLnrnZSgLCvCBEUQ0/s400/phase1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5641487026000930242" /></a>
<br /><center><i>Exploit and Dropper</i></center>
<br />
<br />Once access to the network is gained, the hacking group places remote access tools into the environment. These are backdoor programs that are downloaded automatically by the exploit email – we call these “droppers”. In the diagram, point A shows the exploit email ‘detonating’ after being viewed by the victim, point ‘B’ is a server where a ‘dropper’ is stored, and point ‘C’ is the dropper backdoor being placed onto the compromised computer.
<br />
<br />Once the dropper has established a beachhead into the network, a hacker will access the host and uninstall the original backdoor, replacing it with a new and more powerful backdoor. These backdoors, especially the secondary and more powerful one, are called “RAT”s – for Remote Access Tool. Many of these RATs are custom written and that can be the basis for a great deal of attribution, allowing us to detect the malware in physical memory.
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkRIKwGyFSD3J82C8WNlz-wHTufQoBscZ1XRHbzBgGaO0ILYCzH88HPtLGMuWrouQGyINpYnkfGGmuCc3RNXnevcshUE4NDAn49Mmc9w30Qrqm7mFXstcV2Fyq-vgrvWwHINGFA52f2Go/s1600/phase2.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 182px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkRIKwGyFSD3J82C8WNlz-wHTufQoBscZ1XRHbzBgGaO0ILYCzH88HPtLGMuWrouQGyINpYnkfGGmuCc3RNXnevcshUE4NDAn49Mmc9w30Qrqm7mFXstcV2Fyq-vgrvWwHINGFA52f2Go/s400/phase2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5641487030733022786" /></a>
<br /><center><i>Interaction with the Host</i></center>
<br />
<br />Remember that most networks are firewalled. This means the attacker can’t just make a TCP connection into the RAT program. The RAT program is within the internal network so it must first make an outbound connection to the attacker. The RAT is designed to connect outbound over port 80 or 443, ports that almost every firewall policy allows outbound. Once the outbound connection is made, the attacker can use the established TCP session to interact with the host, download tools, run command line programs, and laterally move about the network. In the diagram, point A is where the RAT makes an outbound connection to a server on the Internet, point B is a server under the hacker’s control, and point C is where the hacker uses the established TCP connection to interact with the RAT program and subsequently the host environment, potentially exploiting additional machines nearby in the network.
<br />
<br />One of the greatest challenges for an incident response team is discerning the difference between ‘normal’ malware and an APT attack. As we can see in this example, an APT attack involves a real human at the other end of the keyboard performing actions on the host. We call this ‘interaction with the host’ and we recommend that an IR team pull a timeline of last-access times from the MFT (master file table), browsing history from index.DAT, event logs, and other sources to determine if such interaction is occurring. (One caveat: NTFS last-access updates have been disabled by default since Windows Vista, so lean on the other MFT timestamps and on the event log as well.) This is a fast and easy way to discern the difference between a non-targeted external threat (the category into which over 80% of all adverse events fall) and externally targeted attacks (which include APT and account for probably less than 2% of all adverse events).
<br />
<br />The RAT program doesn’t contain any fancy stealth or anti-forensics measures. In fact, we rarely even see packers in use (a packer is a method of obfuscating a program after compilation and is a low-cost way for a hacker to add anti-forensics to his malware). It seems most of the covert methods are applied to the way the RAT communicates with the hacker. This makes sense. Consider that most of the intrusion detection capability lies at the perimeter of the network, and this is what the hacker is trying to defeat. Hence the HTML comment method of configuring and controlling the RAT programs.
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3tIxD0EsDU0-nyf9NedDbQhY8urPgzRaaRkWk-sSSuSXNIfYkEkjc0AyOW3SpxkLMbXjFzc76-6TLGaRY8hg9JogGdaNLpxEGTWSe8bVXtVUYpRPRXd0tfQyiCURWB5wTTjiB1qLXB9k/s1600/phase3.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 179px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3tIxD0EsDU0-nyf9NedDbQhY8urPgzRaaRkWk-sSSuSXNIfYkEkjc0AyOW3SpxkLMbXjFzc76-6TLGaRY8hg9JogGdaNLpxEGTWSe8bVXtVUYpRPRXd0tfQyiCURWB5wTTjiB1qLXB9k/s400/phase3.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5641487030052742882" /></a>
<br /><center><i>Hidden Comments for Covert Communication (COVCOM)</i></center>
<br />
<br />Instead of letting the RAT connect directly to his personal server, the hacker will first exploit a webserver somewhere on the Internet. This exploited webserver will then be used as the ‘middleman’ to communicate with the RAT. The hacker will place a hidden comment on an otherwise normal webpage and have the RAT connect outbound to this page. Using the hidden comment, the hacker will be able to give commands to the RAT. Routing through a compromised third-party site also means the victim’s proxy logs show a connection to an innocuous domain rather than to attacker-owned infrastructure. The RAT will make periodic outbound connections, sometimes waiting days before checking the page. The hidden comment will contain an encoded message that the RAT knows how to decipher. In this example, the hidden data is base64 encoded. In this diagram, point A is the RAT program making a periodic outbound connection, point B is a compromised webserver somewhere on the Internet, point C is the hidden comment on the webpage, and point D is where said comment is decoded into actual instructions for the RAT. An example of such a comment is shown in the next image. It is interesting to note that the hacker has attempted to make the page look like a 404 HTML error page if viewed in a normal web browser.
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGFLfZFxcQ0CJ-gxysXQ0IiJodR12WIsP12hKlu3FCeuzqDTjRvhZlAJVS0ATP7ve36GFxHDls7ZG0i0Oclsy9BFlU4O-VCja_fQuDgGcg06BXieSl184ZtP_IZVwihufUoCenbsSY1m4/s1600/base64.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 68px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGFLfZFxcQ0CJ-gxysXQ0IiJodR12WIsP12hKlu3FCeuzqDTjRvhZlAJVS0ATP7ve36GFxHDls7ZG0i0Oclsy9BFlU4O-VCja_fQuDgGcg06BXieSl184ZtP_IZVwihufUoCenbsSY1m4/s400/base64.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5641487036061755634" /></a>
<br /><center><i>Example of BASE64 Encoded Hidden Comment</i></center>
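<br />The channel is trivial to unpack once you know where to look. The script below is an added example, not HBGary code: it pulls every HTML comment out of a page, discards comments that are not one contiguous base64 blob, and decodes the rest. The 404-lookalike page and the "configuration" hidden in it are constructed for the example; the real RAT’s configuration format is not reproduced here.

```python
"""Pull base64 payloads out of HTML comments (the COVCOM channel described above).

Added example, not HBGary code. The 404-lookalike page and the 'config' inside
it are constructed; the real configuration format is not reproduced.
"""
import base64
import binascii
import re
from html.parser import HTMLParser

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


class CommentCollector(HTMLParser):
    """Collect every <!-- ... --> comment in document order."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def extract_comments(page_html):
    parser = CommentCollector()
    parser.feed(page_html)
    parser.close()
    return parser.comments


def hidden_payloads(page_html, min_len=16):
    """Return [(comment, decoded_bytes)] for comments that are one contiguous
    base64 blob (whitespace removed) of at least min_len characters. Ordinary
    comments fail the alphabet test or the strict length/padding check."""
    hits = []
    for comment in extract_comments(page_html):
        blob = re.sub(r"\s+", "", comment)
        if len(blob) < min_len or not B64_RE.fullmatch(blob):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:          # bad length or padding: not base64 after all
            continue
        hits.append((comment, raw))
    return hits


def looks_like_404(page_html):
    """True when the page is dressed up as an error page for anyone browsing to it."""
    return re.search(r"404|not found", page_html, re.IGNORECASE) is not None


# Constructed sample: an error-page lookalike with a harmless comment and a
# hidden base64 comment. The 'config' is made up for the example.
CONSTRUCTED_CONFIG = (b"; constructed sample config, not a real RAT format\n"
                      b"server=192.0.2.10\nbackup=192.0.2.11\nsleep=86400\n")

SAMPLE_PAGE = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<!-- generated by a CMS plugin, do not edit -->
<!--
{b64}
-->
</body></html>""".format(b64=base64.b64encode(CONSTRUCTED_CONFIG).decode("ascii"))

if __name__ == "__main__":
    print("looks like a 404 page:", looks_like_404(SAMPLE_PAGE))
    for comment, raw in hidden_payloads(SAMPLE_PAGE):
        print(f"hidden comment of {len(comment.strip())} chars decodes to {len(raw)} bytes:")
        print(raw.decode("ascii", "replace"))
```

Run this over a proxy cache or over the pages a suspect host has fetched; a long base64 comment on a page that renders as a 404 is a strong signal on its own. Because the comment is only hidden from a browser, the same check works in a network sensor, but remember that the RAT may fetch the page only every few days, so absence from a short capture means little.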
<br />
<br />Once the RAT decodes the message, the data becomes a configuration file for the malware. The file has many features, such as the ability to specify which server addresses to use on the Internet, including backup servers, configuration of the check-in times, and even has the ability to completely update the RAT binary in the field (shown in the diagram as a .bmp file – this is actually a normal PE header executable).
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGUhasEG6oph8hKbubQcaQo0Bx0Dv-qSc0Cc6BR_eWjRBUppizhZkIpszcp2UfmdJ3kxqkQ8K10YnOaf9ZXtr0tHskfn13Z5WvLnsOvrtYE5M5euJfZjiYG1EFOm4D15J4qWJTz99qlpI/s1600/config_file.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 384px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGUhasEG6oph8hKbubQcaQo0Bx0Dv-qSc0Cc6BR_eWjRBUppizhZkIpszcp2UfmdJ3kxqkQ8K10YnOaf9ZXtr0tHskfn13Z5WvLnsOvrtYE5M5euJfZjiYG1EFOm4D15J4qWJTz99qlpI/s400/config_file.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5641487040080318226" /></a>
<br /><center><i>The Decoded Configuration File</i></center>
<br />
<br />All of the above technical information can be detected on a host after intrusion. The RAT program itself is near trivial to detect once you know what you are looking for. But beyond that, because the RAT program has certain outbound connection characteristics, sleep timers, and built-in “host interaction” capabilities, HBGary’s Digital DNA lights it up like a Christmas Tree (example shown in image).
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh64eSMt3e05T-x2KfYpSqWyukRgMhq6veP8iJPGv931agUunx97bj8Z6Gur4byxV6b5qPulAvyNkJxpb2Bx0So2gtzrvcsl8nNyDhsFNeiV8-y9PM8BUBw-QTrBfxNGaEvPnMfTdJ360c/s1600/DDNA.bmp"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 89px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh64eSMt3e05T-x2KfYpSqWyukRgMhq6veP8iJPGv931agUunx97bj8Z6Gur4byxV6b5qPulAvyNkJxpb2Bx0So2gtzrvcsl8nNyDhsFNeiV8-y9PM8BUBw-QTrBfxNGaEvPnMfTdJ360c/s400/DDNA.bmp" border="0" alt=""id="BLOGGER_PHOTO_ID_5641491389760856130" /></a>
<br /><center><i>Digital DNA Detects Unknown Malware</i></center>
<br />
<br />Even if you had no prior knowledge about this specific RAT, you would have detected it with HBGary. Beyond that, the decoded configuration file can also be found in physical memory – the primary search method used by Active Defense. Regardless of the configuration values, the option headers shown in the example above have a specific pattern that can be detected quite easily, even if fragmented over multiple buffers. This is exactly the kind of information I am referring to when I talk about “actionable threat intelligence”. Once you know the attacker’s TTPs (tactics, techniques, and procedures), you can encode them into an enterprise-wide scan. We call it ‘continuous protection’ when you adopt continual scanning while also updating the threat intelligence as you learn more about the attacker. In essence, you are applying attrition against the attacker’s presence in your network. For example, if you know how to detect the above configuration file, then the attacker has to change the way that configuration file looks to defeat you – something that also requires them to recode the parser in the malware. Hence, you cost the attacker time and money. That is a Good Thing.
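The option-header pattern itself only appears in the screenshot above, so the example below (added here, not HBGary's code) uses a constructed stand-in header syntax and shows the scanning technique in Python: an overlap is carried between buffers so a header that straddles a boundary is still matched exactly once, and an alert is raised only when several distinct option headers cluster together, so a single stray tag does not produce a hit. The sample memory image and its TEST-NET addresses are constructed.

```python
"""Memory scan for the option-header pattern of a decoded RAT configuration.

Added example, not HBGary code. The header syntax ("[[srv]]", "[[sleep]]", ...)
is a constructed stand-in for the real option headers, which the post only
shows in a screenshot. The technique is what matters: scan buffers with an
overlap so a header split across two buffers is still matched exactly once,
then alert only when several distinct option headers cluster within a window.
"""
import re
from typing import Iterable, Iterator, List, Tuple

# Constructed option-header pattern; each config option starts with one tag.
HEADER_RE = re.compile(rb"\[\[(srv\d?|sleep|update|checkin)\]\]")
MAX_HEADER_LEN = 11      # "[[checkin]]" is the longest tag this pattern can match
WINDOW = 4096            # bytes: how close headers must be to count as one config
MIN_DISTINCT = 3         # distinct headers needed before alerting (cuts false hits)

Hit = Tuple[int, bytes]  # (absolute offset, matched header)


def scan_chunks(chunks: Iterable[bytes], max_len: int = MAX_HEADER_LEN) -> List[Hit]:
    """Find every header, even one that straddles a chunk boundary.

    The last max_len-1 bytes of each buffer are carried into the next one.
    A match lying entirely inside the carried bytes was already reported in
    the previous iteration, so it is skipped to avoid duplicates.
    """
    hits: List[Hit] = []
    carry = b""
    base = 0                 # absolute offset of carry[0]
    overlap = max_len - 1
    for chunk in chunks:
        buf = carry + chunk
        for m in HEADER_RE.finditer(buf):
            if m.end() <= len(carry):
                continue     # fully inside the overlap: seen last time
            hits.append((base + m.start(), m.group(0)))
        keep = min(overlap, len(buf))
        carry = buf[len(buf) - keep:]
        base += len(buf) - keep
    return hits


def alert_clusters(hits: List[Hit], window: int = WINDOW,
                   min_distinct: int = MIN_DISTINCT) -> List[Tuple[int, int, List[bytes]]]:
    """Group offset-ordered hits into clusters no wider than `window` bytes and
    return (first_offset, last_offset, sorted distinct headers) for each cluster
    holding at least `min_distinct` different option headers."""
    alerts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        names = set()
        j = i
        while j < len(hits) and hits[j][0] - start <= window:
            names.add(hits[j][1])
            j += 1
        if len(names) >= min_distinct:
            alerts.append((start, hits[j - 1][0], sorted(names)))
        i = j
    return alerts


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Read an in-memory image in fixed-size buffers (stand-in for file reads)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def scan_image(data: bytes, chunk_size: int = 4096):
    hits = scan_chunks(chunked(data, chunk_size))
    return hits, alert_clusters(hits)


def build_sample_image(boundary: int = 4096) -> bytes:
    """Constructed memory image: filler, then a decoded config planted so that its
    first header "[[srv]]" starts 5 bytes before `boundary`, plus one stray
    header far away that must not alert on its own. Addresses are TEST-NET."""
    config = (b"[[srv]]203.0.113.10:443\n"
              b"[[srv2]]198.51.100.7:8080\n"
              b"[[sleep]]3600\n"
              b"[[update]]update.bmp\n")     # the "bmp" is really a PE, per the post
    filler = b"\x00" * 64 + b"MZ\x90\x00" + b"\x00" * 60
    img = bytearray()
    while len(img) < boundary - 5:
        img += filler
    del img[boundary - 5:]
    img += config
    img += b"\x00" * 10000 + b"[[sleep]]\x00" + b"\x00" * 3000
    return bytes(img)


if __name__ == "__main__":
    found, alerts = scan_image(build_sample_image())
    for off, tag in found:
        print(f"header {tag!r} at 0x{off:x}")
    for first, last, tags in alerts:
        print(f"ALERT: config-like cluster 0x{first:x}-0x{last:x}: {tags}")
```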
<br />
<br />I hope this gave you a somewhat concrete tour of how a real APT covert communication (COVCOM) channel works. Also, I hope it has illustrated some of the threat intelligence that you can access on the host. Using enterprise-wide scans, your IR or security team can put a severe dent in the APT presence in your network. As far as product solutions to enable you, obviously we build <a href="http://www.hbgary.com/products" target="_">HBGary’s Active Defense</a>. If you are interested in continuous protection and threat intelligence, we offer 50-node evaluations of Active Defense that can be installed on a laptop. We also offer a deploy-on-demand license for incident response teams (our <a href="http://www.hbgary.com/incident-response-spring-special" target="_">500-node pack</a> has been quite popular), as well as the perpetual node model for full enterprise proactive deployments.
<br />
<br />-Greg
<br />
<br />Shady RAT is Serious Business (2011-08-15)
<br />Ira Winkler makes some interesting points in his <a href="http://www.cio.com/article/687664/Ira_Winkler_Shady_Rat_Case_Shows_Vendors_As_Big_a_Problem_As_APT_Itself?page=1&taxonomyId=3089" target="_">CIO article on Shady RAT</a>. I tend to agree with his observation that security vendors spend too much energy infighting when we all should be facing a common enemy. It is true that Shady RAT is just one of many similar attacks. There is no harm in trying to draw attention to the elephant in the room: APT is a grave and serious threat to U.S. companies as well as to national security. Shady RAT may appear to be 'sloppy', but it can still be APT. Within infosec the term APT has been debated, but we at HBGary have a very simple definition: if there is interaction with the host, we call it APT. Now, most of the attacks we deal with target intellectual property and appear to have state-sponsored underpinnings. The attackers usually leave tools behind, additional backdoors, etc., but none of these are very complex. The malware and techniques are mostly unsophisticated and sloppy, yet they succeed and remain persistent. Our assumption on this: APT does the minimum necessary to get the job done. If they don't need hard-core boot sector viruses and kernel rootkits, they aren't going to use them. We as an industry have a responsibility to protect our customers from a very serious and evolving threat. Downplaying the seriousness of this threat undermines the reason we are here.
<br />
<br />-Greg
<br />
<br />Command Line Programming with Responder PRO (2011-08-09)
<br />One little-known feature of HBGary’s Responder product is that it ships with the full source code to a command-line version. This command-line version of the product can be customized for automated tools, batch processing, and statistical utilities. HBGary is still working to produce official documentation for the SDK, but in the meantime I figured I would walk the more adventurous of you through some code.
<br />
<br />First you need Microsoft Visual Studio. I use VS2008 Pro Edition with version 3.5 SP1 of .NET. In the SDK subdirectory of your Responder installation, you should find the ITHC directory. A bit of backstory: ITHC means Inspector Test Harness Client – it was originally a test harness used by our QA team that eventually proved so useful for batch processing that we included it for customers. The code is written in C#.
<br />
<br />When I first opened the .sln file on my Responder install, I found that the project file needed some tweaking. Your mileage may vary, but here are some steps I had to take. First, the references to all the Responder DLLs were broken. By editing the .csproj file I was able to fix this. The trick is to use a HintPath variable with a relative path to the main install directory, which is two folders above the ITHC directory (see image). I’m not sure why it shipped this way, but alas I was able to fix it.
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCYdYfyVwXaKaiv84YEpM0fFbDyUp-01s_NiQWNjK0YSbi7wEAKm7X-IJy99pCIwBdgOak9S3A5o0rnaSqbsoMbxY3rP4rDAHGT-P9Z6KMsQQsAQ6U1ktOwF34jBiQOS2uxDrHwHN1oro/s1600/Untitled-1.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 365px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCYdYfyVwXaKaiv84YEpM0fFbDyUp-01s_NiQWNjK0YSbi7wEAKm7X-IJy99pCIwBdgOak9S3A5o0rnaSqbsoMbxY3rP4rDAHGT-P9Z6KMsQQsAQ6U1ktOwF34jBiQOS2uxDrHwHN1oro/s400/Untitled-1.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5638963956187818386" /></a>
<br /><center><i>Fixing the references</i></center>
<br />
<br />Now, in most cases, I like programming in Debug mode so I can single step, use breakpoints, inspect variables, etc. I ran into a snag with my debug build and had to get one of the HBGary engineers to take a look. Again, it was a configuration thing. When you make build settings, the platform will probably be set to AnyCPU. You will need to set the platform target to x86 (see image). This has something to do with mixed mode code and if you don’t set this to x86 you will get a binding error when you attempt to run the ITHC exe. Lastly, I set my output path so the ITHC.exe ended up in the main Responder install directory (see image).
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6MeYTdBgKxPbKUwDxgGo5c4GKEeYMlS-m6MgYjfvJb4fWENjtIg98iQpNkEYFXLkWfUcVcMxZV_opiDcEfMkXf9xy3Kf2F1wfzWY9Hyk_xcnoz_tUX1QnhFhGldvGqI0xuhnrfpz-dKo/s1600/Untitled-2.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 225px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6MeYTdBgKxPbKUwDxgGo5c4GKEeYMlS-m6MgYjfvJb4fWENjtIg98iQpNkEYFXLkWfUcVcMxZV_opiDcEfMkXf9xy3Kf2F1wfzWY9Hyk_xcnoz_tUX1QnhFhGldvGqI0xuhnrfpz-dKo/s400/Untitled-2.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5638963962184668306" /></a>
<br /><center><i>Setting the platform target</i></center>
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgILePBq9RwgJeFAdmYfjBVE6LqBWl-pHBuPjflPHBZ15FIjpKhlUUYldwKahrchY7Kb1OW-Bw4Z82z2Y2GVFGN_tutf326pXadHCSXaEJuG4HkRUBATavo83gvY9ibVrHk9Yw-tUxKfSM/s1600/Untitled-3.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 277px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgILePBq9RwgJeFAdmYfjBVE6LqBWl-pHBuPjflPHBZ15FIjpKhlUUYldwKahrchY7Kb1OW-Bw4Z82z2Y2GVFGN_tutf326pXadHCSXaEJuG4HkRUBATavo83gvY9ibVrHk9Yw-tUxKfSM/s400/Untitled-3.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5638963965734920322" /></a>
<br /><center><i>Setting the output path</i></center>
<br />
<br />Running the tool requires some precise command line arguments (see image). The project path needs to be of the form path/projectname/projectname.proj, as shown, and the path to the memory image needs to be fully qualified. If you want to change any of that, you can edit the code in NewProject() and OpenProject() to parse the path differently. At this point I had a fully functional ITHC.exe that would analyze Windows physical memory snapshots.
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgdmB2LIZo1i5W1QVofIy19G6IV3PDowGgWUxSpTP86txaar693FiPH0ymG_sXadDUYyyeBUPt-aqcU8jeULPwcopN3y06SXvU6YUuKUNf0PEkVmyjcya-nlACxKJ3DKjLAHDEN7y59cA/s1600/Untitled-4.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 169px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgdmB2LIZo1i5W1QVofIy19G6IV3PDowGgWUxSpTP86txaar693FiPH0ymG_sXadDUYyyeBUPt-aqcU8jeULPwcopN3y06SXvU6YUuKUNf0PEkVmyjcya-nlACxKJ3DKjLAHDEN7y59cA/s400/Untitled-4.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5638963965943642674" /></a>
<br /><center><i>Command line parameters to the tool</i></center>
<br />
<br />Most of the analysis magic happens in THCAnalyzeFile(). The project file ends with the .proj extension and will be created, or opened if it already exists. There is also a .tmp file that contains cached lookup data for Responder, which only exists after an analysis. THCAnalyzeFile() will handle all of this.
<br />
<br />At this point I need to explain packages and classes. In Responder, a package is any binary object. For example, the physical memory snapshot is a package. Every extracted livebin is also a package. If you import a file for static analysis, that file is considered a package.
<br />
<br />Both packages and classes can have parent/child relationships. The difference is that a class is simply a container without any associated binary data. Think of it as just a folder. In fact, in the Responder GUI, classes are shown as folder icons. Just remember that packages can have child classes, classes can contain other classes, classes can contain packages – there is no restriction on the way you nest these objects.
<br />
<br />Around line 249 in the ITHC example you will see the creation of the root package (see image). Every project has a single root package that everything else will reside under. Usually this package has no associated binary object and is simply a placeholder. We usually set this to the name of the forensic case – such as “Case 04321”. In Responder’s GUI, the root package is always shown with a safe icon. Depending on the project type, a class will be created directly under this root package. The name of this class is very important and affects the kinds of things Responder will let you do. So, for a physical memory analysis you need to name this first class "Physical Memory Snapshot". You will see this created around line 266.
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXz1PzkdUl9QHh8hVkls7zOeWwfre8D42Z3lG1clkERn3xVSurv0vvnvDa298fFj0SIJ6O4OM2aSR-2xIHHFD5Wh7YzXlKfeabB8qaebvgrAGZLqvX-uo2AIicf6tcvOel9Qkc_f2alV0/s1600/Untitled-6.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 110px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXz1PzkdUl9QHh8hVkls7zOeWwfre8D42Z3lG1clkERn3xVSurv0vvnvDa298fFj0SIJ6O4OM2aSR-2xIHHFD5Wh7YzXlKfeabB8qaebvgrAGZLqvX-uo2AIicf6tcvOel9Qkc_f2alV0/s400/Untitled-6.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5638966082906170930" /></a>
<br /><center><i>root package, bulk update, named attributes</i></center>
<br />
<br />Now just a word on event management. Responder has a robust event alerting system that will post an event to your code whenever an object is modified. You could subscribe to these events and be notified if the user changed a property of an object anywhere in the GUI, for example. But, there is a flipside – if you make a large number of changes all at once you will flood the system with these messages. Most of the time if you are going to change a bunch of objects all at once, you want to disable events for a short time. To do this, you use the BeginBulkUpdate() and EndBulkUpdate() methods. You will see these in use around line 249 (see image).
<br />
<br />Around this same section of code you will also see named attributes being set on the case. These attributes are being applied to the root package, the one that shows up as a safe icon when you view it in Responder’s GUI. Any object, including packages and classes, can have named attributes set. The attribute system is typed and the first letter of the name indicates the type. See my <a href="http://fasthorizon.blogspot.com/2011/06/scripting-with-responder-community.html" target="_">previous post</a> on plugin development for a description of these.
<br />
<br />Around line 293 you will see the creation of a second package. This package is the one associated with the physical memory snapshot. It is placed under the root package, inside the class created above. You will also see the creation of something called a snapshot that is then linked with the package. This is how you link a binary to the package – via the snapshot object. The snapshot is just a small header of metadata that is associated with the binary file – including the path to the file – and this is set as the “.InitialSnapshot” property of the package. After this step, the package and the binary are linked.
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-2Y3K51z3X6p9xNK3u4tK-Du3ygijvW8GMgkscEKS69yBYlKIRhJR_P-GSEYstWkQEHce3q0z9KPiWlRuxoLHxUXnYRomq6ULmlM9wZOxFyLUelLHrI1dYgwvD0SfVt25A2Dfl7x7EPY/s1600/Untitled-7.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 97px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-2Y3K51z3X6p9xNK3u4tK-Du3ygijvW8GMgkscEKS69yBYlKIRhJR_P-GSEYstWkQEHce3q0z9KPiWlRuxoLHxUXnYRomq6ULmlM9wZOxFyLUelLHrI1dYgwvD0SfVt25A2Dfl7x7EPY/s400/Untitled-7.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5638966942642621362" /></a>
<br /><center><i>package and snapshot for the physical memory image</i></center>
<br />
<br />The most important function is then called – the AnalyzeMemory function (around line 329). This function performs the bulk of the memory analysis. It returns true or false depending on whether it understood the memory snapshot. Just a note: it will return false if you don’t have a valid license. If you have the free version of Responder CE, you still have a license file that must be present or this call will bail out on you.
<br />
<br />After analysis is complete, the analysis history is updated to include “WPMA”. This tells Responder that “WPMA” analysis has already completed, so it won’t attempt a second analysis later. Note: WPMA means Windows Physical Memory Analysis. Responder has other analysis types that can be added to this history. You can also add your own for reference later.
<br />
<br />Now that analysis is complete you can parse the datastore and query all the found Windows objects, processes, modules, etc. You can also query the DDNA results if you are using the Pro version. Some object types, such as control flow, disassembly, dataflow, graph objects, and recon traces are only available in the Pro version. However, the results of the Windows memory analysis are fully available in all versions, including the free CE version. See the THCDumpProject() function for more information on parsing the project’s object tree.
<br /><blockquote>
<br /><code>
<br />Package: ws2_32.dll
<br />Parent Package: svchost.exe
<br />Length: 0 bytes.
<br /> Class: Symbols
<br /> Class: Strings
<br /> Class: Report Items
<br /> Class: Global
<br />Strings:
<br />Package: vmwaretray.exe
<br />Parent Package: VMwareTray.exe
<br />Length: 0 bytes.
<br /> Class: Strings
<br /> Class: Global
<br /> Class: Report Items
<br /> Class: Symbols
<br />Strings:
<br />Package: msctf.dll
<br />Parent Package: IEXPLORE.EXE
<br />Length: 0 bytes.
<br /> Class: Strings
<br /> Class: Symbols
<br /> Class: Global
<br /> Class: Report Items
<br /></code>
<br /></blockquote>
<br /><center><i>a short snippet of output from the THCDumpProject() function</i></center>
<br />
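The object model described in the sections above (the single root package, classes as data-less folders, the snapshot that binds a package to its binary, BeginBulkUpdate/EndBulkUpdate, and the “WPMA” analysis-history check), as an added example in Python rather than the ITHC C# code: every class and function name here is a hypothetical stand-in for the real API, and the dump follows the THCDumpProject() layout shown above.

```python
"""Model of the Responder project object tree as the post describes it.
Added example, not HBGary's ITHC/SDK code: every name here is a hypothetical
Python stand-in for the C# API. It encodes the stated rules: one root package,
classes are data-less folders nesting freely with packages, a snapshot record
binds a package to its binary, bulk updates suppress per-object events, and the
"WPMA" history entry keeps the memory analysis from running twice."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Snapshot:
    path: str          # fully qualified path to the memory image / livebin
    length: int = 0    # size in bytes; 0 while the binary is not loaded


@dataclass(eq=False)   # identity semantics: parent/child links are cyclic
class Node:
    name: str
    children: List["Node"] = field(default_factory=list)
    parent: Optional["Node"] = field(default=None, repr=False)
    attributes: Dict[str, str] = field(default_factory=dict)   # named attributes

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


class ClassNode(Node):
    """A Responder 'class': a container (folder icon) with no binary data."""


@dataclass(eq=False)
class Package(Node):
    """A Responder 'package': any binary object (memory image, livebin, import)."""
    initial_snapshot: Optional[Snapshot] = None
    analysis_history: List[str] = field(default_factory=list)

    def parent_package(self) -> Optional["Package"]:
        """Nearest enclosing package, skipping intermediate classes."""
        node = self.parent
        while node is not None and not isinstance(node, Package):
            node = node.parent
        return node


class Project:
    def __init__(self, case_name: str):
        self.root = Package(case_name)   # placeholder root, the "safe" icon in the GUI
        self.events: List[str] = []      # what subscribers would have been told
        self._bulk_depth = 0

    def begin_bulk_update(self) -> None:
        self._bulk_depth += 1

    def end_bulk_update(self) -> None:
        self._bulk_depth = max(0, self._bulk_depth - 1)

    def set_attribute(self, node: Node, name: str, value: str) -> None:
        node.attributes[name] = value
        if self._bulk_depth == 0:        # inside a bulk update nothing is posted
            self.events.append(f"modified:{node.name}:{name}")


def new_memory_project(case_name: str, image_path: str, analyst: str) -> Project:
    """Same shape as the ITHC NewProject flow for a physical memory snapshot."""
    proj = Project(case_name)
    proj.begin_bulk_update()             # many attribute writes, no event flood
    proj.set_attribute(proj.root, "case", case_name)
    proj.set_attribute(proj.root, "analyst", analyst)
    proj.end_bulk_update()
    # The first class under the root must carry exactly this name for WPMA.
    folder = proj.root.add(ClassNode("Physical Memory Snapshot"))
    image = folder.add(Package("memory.img"))
    image.initial_snapshot = Snapshot(path=image_path)   # binary <-> package link
    return proj


def analyze_memory(pkg: Package, license_ok: bool = True) -> str:
    """WPMA step with the post's failure modes made explicit."""
    if not license_ok or pkg.initial_snapshot is None:
        return "bailed-out"              # no license or no bound binary
    if "WPMA" in pkg.analysis_history:
        return "already-analyzed"        # history entry prevents a second pass
    for cls in ("Symbols", "Strings", "Report Items", "Global"):
        pkg.add(ClassNode(cls))          # stand-in for the real analysis output
    pkg.analysis_history.append("WPMA")
    return "analyzed"


def dump_project(node: Node, out: Optional[List[str]] = None) -> str:
    """Text dump in the layout of the THCDumpProject() snippet above."""
    out = [] if out is None else out
    if isinstance(node, Package):
        parent = node.parent_package()
        out.append(f"Package: {node.name}")
        out.append(f"Parent Package: {parent.name if parent else '(none)'}")
        snap = node.initial_snapshot
        out.append(f"Length: {snap.length if snap else 0} bytes.")
        for child in node.children:
            if isinstance(child, ClassNode):
                out.append(f" Class: {child.name}")
        out.append("Strings:")
    for child in node.children:
        dump_project(child, out)
    return "\n".join(out)
```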
<br />For those of you using the Pro version, ITHC includes examples of not just physical memory analysis, but also extraction of livebins and code-level analysis of extracted livebins. If you made it this far, then take a look at AnalyzePackage(), AnalyzeExtractedPackage(), and ExtractPEImageFromMemory() to get more familiar with the code-level analysis features. I hope that I can write some more specific posts about these features in the near future.
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisog37xR6mU9NONMO99NDqit114jZyV0bugd99h8z1wvg6L87DqkFCVAnq9VcRCynGSUzsvz7MLPx3NGYFZau3_ZFr5vrgb78WTrfY3P4x4EonV0jIaP0t5Qp0tb2vLKqL8d0Dmr-uNlk/s1600/Untitled-5.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 202px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisog37xR6mU9NONMO99NDqit114jZyV0bugd99h8z1wvg6L87DqkFCVAnq9VcRCynGSUzsvz7MLPx3NGYFZau3_ZFr5vrgb78WTrfY3P4x4EonV0jIaP0t5Qp0tb2vLKqL8d0Dmr-uNlk/s400/Untitled-5.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5638963971185685346" /></a>
<br /><center><i>ITHC.exe analyzing a memory snapshot</i></center>
<br />
<br />Because the ITHC utility is written in C# it’s very easy to interface to other systems. Microsoft has done a good job building a robust set of APIs that can be used for SQL database access, serializing files, communicating over the web or TCP/IP, regular expressions, etc. All of this is at your fingertips and can be interfaced with the results of physical memory assessments. I am partial to building bulk analysis tools for large directories of memory snapshots. You are only limited by your imagination.
<br />
<br /><blockquote><i>The SDK directory should be in your Responder install directory. If you are using the free Community Edition you may not have the SDK directory. In this case you can download the SDK as a small but separate download from the free tools section on HBGary's support site. Visit <a href="www.hbgary.com">www.hbgary.com</a> for more information.</i></blockquote>
<br />
<br />Asymmetric Warfare and Cyber Terrorism (2011-07-26)
<br />In the newly released document, “DoD Strategy for Operating in Cyberspace”, the Pentagon states that “while the threat to intellectual property is often less visible than the threat to critical infrastructure, it may be the most pervasive cyber threat today.” Pervasive, yes – but not necessarily the most dangerous.
<br />
<br />In 2003, I founded my company, with the help of the federal government’s Small Business Initiative Research (SBIR) program, to develop products to counter advanced, unknown, stealthy cyberthreats, today often referred to within the security community as Advanced Persistent Threats (APT).
<br />
<br />While the APT threat is significant, the attacker can take months or sometimes even years to steal the information. However, the recent attacks by small hacking groups illustrate a far more tangible, immediate, and potentially more severe form of economic damage. It is appropriate to classify these acts as asymmetric warfare, and possibly as a type of cyberterrorism.
<br />
<br />In contrast to APT threat actors and other traditional cyber criminals, cyberterrorists are not motivated by monetary gain. Instead, the cyberterrorist wants to cause grave harm or economic damage as quickly as possible, and to get attention for it. Attacks may be economic, political, or even shutting down the power in the dead of winter. The technical aspects of the attack may be similar to APT, but the intent and goal are wholly different.
<br />
<br />Cyberterrorism was first a buzzword in the late 90s, associated with power outages and explosions orchestrated over computer networks. These types of attacks seemed like the digital equivalent of IEDs.
While traditional terrorists clearly use the Internet to recruit and communicate, we operate under the assumption that the ‘ground of action’ is still the physical world – think suicide bombers. But recent events have shown that attacks don’t have to be kinetic to cause damage. The ground of action can be entirely in cyberspace, damages can be measured in billions of dollars of stock value, and the threats to persons are very real.
<br /><blockquote><i>Edit: There are different views on the definition of cyberterrorism. In 'Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress', Clay Wilson defines two forms of cyberterrorism:</i>
<br />
<br /><b>Effects-based:</b> Cyberterrorism exists when computer attacks result in effects that are disruptive enough to <u>generate fear</u> comparable to a traditional act of terrorism, even if done by criminals.
<br />
<br /><b>Intent-based:</b> Cyberterrorism exists when unlawful or politically motivated computer attacks are done to intimidate or coerce a government or people to further a political objective, or to cause <u>grave harm</u> or <u>severe economic damage</u>.
<br /></blockquote>
<br />Since the early 2000s, ‘electronic jihadists’ (e.g., Younes Tsouli, Mohammad Peerbhoy) and other hacking groups (many can be researched on www.zone-h.org) have been content with web defacement and the occasional DDoS. But these actions never gained the media attention of the recent spree of hacks in 2011. This is, in part, due to the advent of social networking. Former British Prime Minister Margaret Thatcher once stated “Publicity is the oxygen of terrorism”. Anyone versed in matters of terrorism knows that the primary goal of terrorism is media attention.
The act is secondary to the message.
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDocv28bdRJTgL1bt5H75XRg4dl31JaeXE95i748RyAzo6FP44jnp0sfdR2D7HnTkdyxqHpuBpXwRaCY-BJR6l5W4KizRpr2Rkre8lFCZ3si5IOOo51teiK4n4e_Ib5_6Kl8sDh1-9_RI/s1600/terrorists.png"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 120px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5633716416649357058" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDocv28bdRJTgL1bt5H75XRg4dl31JaeXE95i748RyAzo6FP44jnp0sfdR2D7HnTkdyxqHpuBpXwRaCY-BJR6l5W4KizRpr2Rkre8lFCZ3si5IOOo51teiK4n4e_Ib5_6Kl8sDh1-9_RI/s400/terrorists.png" /></a>
<br /><center><i>Younes Tsouli and Mohammad Peerbhoy, both criminal hackers working with Islamic extremist groups (photos via Associated Press)</i></center>
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8343SY6RA5k5s50nhoR_AqnDSYeJC3TpUGteThh_BXlqG-O6fRwi_gKvkou25ZCkfWC-X_0egZjRbFXaL7bdWfkIoJVj9SWEoCDwDym8AsackCElHtWIf33ADztIFUMkEL2xG-y5cu5g/s1600/hacking_groups.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 298px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8343SY6RA5k5s50nhoR_AqnDSYeJC3TpUGteThh_BXlqG-O6fRwi_gKvkou25ZCkfWC-X_0egZjRbFXaL7bdWfkIoJVj9SWEoCDwDym8AsackCElHtWIf33ADztIFUMkEL2xG-y5cu5g/s400/hacking_groups.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5633720024538083442" /></a>
<br /><center><i>A small sampling of criminal hacking groups operating in the Middle East. All of these groups are at least as skilled as the current Lulzsec/Anonymous hackers, as evidenced by similar techniques, use of SQL injection, etc. The myth that traditional terrorist groups don't have access to hacking skill is simply outdated. (groups via zone-h.org)</i></center>
<br />
<br />In the words of William Gibson, “Terrorism is ultimately about branding”.
Every press release, tweet, and claim is part of that brand to raise awareness for their cause or message. And the media can function as an extension of the group’s propaganda machine. As TechCrunch columnist Paul Carr <a href='http://techcrunch.com/2011/06/26/the-lion-that-squeaked/' target='_'>recently pointed out</a> in his piece on the media coverage of the now defunct LulzSec group, most journalists were all too happy to hop aboard the ‘Lulz Boat’, parrot propaganda verbatim without a hint of criticism, and provide ‘celebrity fluff’ reporting. Paul especially calls out online journalists and bloggers as “downright shameful” for showing support for these criminal hackers. Gene Spafford, professor and director at Purdue University and a leading security expert, <a href='http://www.cerias.purdue.edu/site/blog/post/bullies_pirates_and_lulz/' target='_'>has also objected</a> to how reporters romanticize criminal hackers, drawing a parallel to computer virus authors in the early 90s portrayed as “swashbuckling, electronic pirates” (pointing out that their legacy is now costing billions in damages).
<br />
<br />Even in recent days, reporters have used lofty, inconsistent terms such as “masked crusaders,” a “loose hacker movement” and an “online activist group” to describe Anonymous. The fear of retribution by the criminal hackers within this group is real. No one wants to become a target. News organizations need to take a step back, take a close look at how they are covering these incidents, and make sure they aren't enabling these groups’ propaganda machine.
<br /><blockquote><i>Edit: as a case in point, notice the significant lack of the word 'criminal' when the media report on Anonymous/Lulzsec.
To illustrate, here is how reporters/bloggers described Anonymous in the 24 hours following the Monsanto/Booz Allen Hamilton attacks:</i>
<br />
<br />"Online activist collective" -- CNET
<br />"hacker group" -- IT Business Edge
<br />"Hacktivist collective" -- The Inquirer
<br />"Hacking Group" -- MSNBC
<br />"Hacktivist Group" -- SC Magazine
<br />"Hacker Group" -- WSJ
<br />"Hacker Group" -- Network World/IDG
<br />"Notorious Hacktivist Collective" -- The Register
<br />"Group of hacktivist computer-savvy hackers" -- Economist
<br />"Loose-hacker movement" -- Forbes
<br />"Masked crusaders" -- Time
<br />"Cyber-activist group" -- Financial Times
<br />"Hacker Group" -- Dark Reading
<br />"Online Activist Group" -- Associated Press
<br />"Hacker Group" -- BBC News
<br />"Hacking collective" -- NY Times
<br />"Hacker Group" -- Washington Post
<br /></blockquote>
<br />While the threat landscape is always changing, we must continue to highlight that a real criminal is at the other end of the keyboard, and that he is persistent and will keep coming back. While the DoD outlines some important initiatives for a more secure cyberspace, we, as citizens, also have a role. Just as we all participate in our local neighborhood watch to keep our physical community safe, we, as Internet users, need to be vigilant and work together to ensure our cyberspace remains safe.
<br />
<br />-Greg Hoglund
<br />
<br />Scripting with Responder™ Community Edition (2011-06-23)
<br />One of the most powerful features of <a href="http://www.hbgary.com/responder-pro-2" target="_">Responder</a> (all three versions, including the free <a href="http://www.hbgary.com/hbgary-releases-responder-ce" target="_">Community Edition</a>) is the ability to write custom plugins. The entire application is basically a GUI over an API.
You have the ability to access this same API and extend the application in any way. HBGary hasn’t produced an official SDK document yet, so it’s best to learn by example. For this exercise, I am going to illustrate a plugin that ties information from Responder into Google Maps.
<br />
<br />First, you should become familiar with the object tree. The object tree (shown in the graphic below, point A) illustrates how the data is organized within Responder after a physical memory snapshot has been reconstructed. You can query any of this data directly using the Responder APIs. For example, you could query low-level details about running processes (point B).
<br />
<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrasqLnijmdqBA3upH7s1xlxLLve1-WZ6UzNpfKG2aqVaRAIbV0yPsX-fsneaMJN9rbAwKl6UJbaQ4_j3hRJ6cilghbi4byxPxaVXj-Slzj5zRrRVDwmQTEADqkPI10nWWfBuc0ZPY8j0/s1600/object_tree.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 299px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrasqLnijmdqBA3upH7s1xlxLLve1-WZ6UzNpfKG2aqVaRAIbV0yPsX-fsneaMJN9rbAwKl6UJbaQ4_j3hRJ6cilghbi4byxPxaVXj-Slzj5zRrRVDwmQTEADqkPI10nWWfBuc0ZPY8j0/s400/object_tree.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5621498847965680770" /></a>
<br />
<br />For this example, we are going to query the open network sockets. These are reconstructed from internal undocumented structures within the kernel (the same ones used by tcpip.sys and afd.sys). Even if a rootkit is hooking netstat, the data would still be revealed in Responder. In our example, we have some outbound connections to China.
Using our plug-in, we are going to read the connection data and plot the location of the registering entity using Google Maps.
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHzT6rXfpZR2OUB9nsU7u-5c8zqsHn98TDYRVsKPlxvPPHTkJAYYZXknZLS2vJ4-uT-f8bQBtoqYn7zVnAFhayrrXPKv-WOfqffksUOczlOQitT8MakymZSof-HovnwXRTyNM71LOFVCs/s1600/script_tab.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 254px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHzT6rXfpZR2OUB9nsU7u-5c8zqsHn98TDYRVsKPlxvPPHTkJAYYZXknZLS2vJ4-uT-f8bQBtoqYn7zVnAFhayrrXPKv-WOfqffksUOczlOQitT8MakymZSof-HovnwXRTyNM71LOFVCs/s400/script_tab.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5621499352902574690" /></a>
<br />
<br />To load the script, first go to the script TAB and select OPEN. Once open, the script will be visible in a code-editing window. Press the PLAY button to load the script.
<br />
<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-JfCK49ANPlQF8rgWHvYhODzepD7rBUHwO_2rZfqzJ5rSoaGxZDIVzxLeLDofamDf6Ljd9iVpXlozi_8LrH_QJl9r8MOuKhxoaWpTJCRwMiNY9XHGm4CS7Je8uUeYS1pcOhqGquV1Jnc/s1600/code_editing.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 322px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-JfCK49ANPlQF8rgWHvYhODzepD7rBUHwO_2rZfqzJ5rSoaGxZDIVzxLeLDofamDf6Ljd9iVpXlozi_8LrH_QJl9r8MOuKhxoaWpTJCRwMiNY9XHGm4CS7Je8uUeYS1pcOhqGquV1Jnc/s400/code_editing.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5621499632223233090" /></a>
<br />
<br />As you can see, the script is written in C#. Almost all of the GUI components in Responder are written using C# and, for those who haven’t tried it, you will find it to be very similar to Java.
The language is very easy to learn and use.<br />After we load the plugin, the list of network connections is obtained along with registration data. The address of the registration is then plotted on Google Maps.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHEcAAcwMMb0fofvFLpVNr5MlKhtYAEOMxjWIt91sNykU8B89avEzoqNrgWJCCwp7NxjUabKN_280fG0ao44ghkCt-HiEuKq-B36mzWkPAdv7Aes2TdpCAbvqg-nXgIGnmQWu5vcHWCv4/s1600/google_maps.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 203px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHEcAAcwMMb0fofvFLpVNr5MlKhtYAEOMxjWIt91sNykU8B89avEzoqNrgWJCCwp7NxjUabKN_280fG0ao44ghkCt-HiEuKq-B36mzWkPAdv7Aes2TdpCAbvqg-nXgIGnmQWu5vcHWCv4/s400/google_maps.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5621499850694259554" /></a><br /><br />When a plugin is loaded, the OnLoad function will be called with a list of all open “Documents”. In Responder, a “Document” is a container for data. The architecture requires that the user-interface be decoupled from the data. For those of you with programming experience, you may recognize the “Document/View” pattern here. At any rate, the list of open documents is passed into the OnLoad function and we need to locate the “NetworkBrowserDocument”. 
The network browser document has the list of all open sockets.<br /><br /><code><br />// excerpt from the plugin class; the file also needs<br />// using System; using System.Collections; using System.Windows.Forms;<br />public bool OnLoad(ArrayList OpenDocuments)<br /> {<br /> try<br /> {<br />// get the frame document, this allows us to add menu items and menu bars<br /> _frame = FindMainWindow(OpenDocuments);<br /><br />// see the Launch() subroutine to learn how to launch your own popup window<br /> Launch();<br /><br />// init the whois class for later use<br /> _whois.ResponderForm = (Form)_frame.MainWindowInstance;<br /> _whois.Inspector = FindInspector(OpenDocuments);<br />// the network browser document gives access to open sockets<br /> _whois.Net = FindNetworkBrowserDocument(OpenDocuments);<br /><br />// FindNetworkBrowserDocument returns null when no network document is open,<br />// so report failure here instead of dereferencing it later<br /> return _whois.Net != null;<br /> }<br /> catch (Exception ex)<br /> {<br />// an exception escaping OnLoad takes the host application down with the plugin<br /> MessageBox.Show("Plugin failed to load: " + ex.Message);<br /> return false;<br /> }<br /> }<br /></code><br /><br />For those who want to explore other documents, there are several example plugins that ship with Responder. For example, "StringsBrowserDocument" is responsible for showing lists of strings associated with a livebin. "SymbolsBrowserDocument" is responsible for symbols when a livebin has been disassembled (Responder PRO only). The "DriversBrowserDocument" has the list of detected device drivers.<br /><br />In this plugin example, we have a helper function defined to locate the network browser document. Notice we use GetType() to locate the actual type of each document in the list. As stated, there are many different document types in Responder, usually one type for every visible window or panel in the application.<br /><br /><code><br />Logic.NetworkBrowserDocument FindNetworkBrowserDocument(ArrayList documents)<br /> {<br />// note the use of the IDocument interface class here,<br />// use GetType() to compare the instanced type against Logic.XXXX where<br />// XXXX is the document type you are after. Use reflection to see the<br />// whole list...<br /> foreach (IDocument doc in documents)<br /> if (doc.GetType() == typeof(Logic.NetworkBrowserDocument))<br /> return (Logic.NetworkBrowserDocument)doc;<br /><br />// nothing matched: the caller must handle a null document<br /> return null;<br /> }<br /></code><br /><br />After finding the network document we can use it to query the list of sockets. Documents will have custom methods and utility functions for dealing with specific data (these are all different depending on document type). You can also access the raw data directly, usually in the form of name/value pairs (my preferred way to do it). This is shown below. Each attribute has a specific name and type as shown.<br /><br /><code><br />// _net is the Logic.NetworkBrowserDocument located in OnLoad (stored as _whois.Net above)<br />ArrayList socks = _net.Sockets();<br /><br />// all objects are referenced by GUID<br />foreach (Guid socketEntryID in socks)<br />{<br /> // src and dest ip are stored as string<br /> string source = _net.ObjectName(socketEntryID, "sSource") as string;<br /> string target = _net.ObjectName(socketEntryID, "sDestination") as string;<br /> <br /> // remember that 'i' is UNSIGNED: the unbox cast below only succeeds when the<br /> // boxed value really is a UInt32 (a null or an Int32 throws InvalidCastException)<br /> UInt32 sourcePort = (UInt32)_net.ObjectName(socketEntryID, "iSourcePort");<br /> UInt32 targetPort = (UInt32)_net.ObjectName(socketEntryID, "iDestinationPort");<br /><br /> // the src and dest DNS names, obviously string as well<br /> string sourcename = _net.ObjectName(socketEntryID, "sSourceName") as string;<br /> string destname = _net.ObjectName(socketEntryID, "sDestinationName") as string;<br /><br /> // a bool stores whether the session is TCP or UDP<br /> bool bTcp = (bool)_net.ObjectName(socketEntryID, "bIsTCP");<br /> string sockType = bTcp ? "TCP" : "UDP";<br />}<br /></code><br /><br />The socket list is stored as a list of object IDs. Responder uses a GUID to identify every object in the project database. Every object that is found in the physical memory snapshot is assigned a GUID and can subsequently be looked up. 
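<br /><br />The two calls shown above, Sockets() and ObjectName(), are all a plugin needs to turn the socket list into something actionable. What follows is an added example, not code from HBGary's plugin or from the Responder SDK. It stands in a small stub for Logic.NetworkBrowserDocument (assumed to expose just those two calls, with the attribute names used in the post), reads each socket through typed accessors that follow the s/i/b prefix convention, and keeps only the connections whose destination is a routable address, which is the set you would hand to a whois or geoip step or feed to the perimeter IDS. The stub class, the helper names and the sample addresses are all assumptions. It also works around the one defect worth knowing about in the raw form: a bare (UInt32) unbox of a missing or differently typed attribute throws, so the accessors go through Convert.ToUInt32 and null checks instead.

```csharp
// Added example, not HBGary's plugin code. The only Responder calls it relies on
// are the two shown in the post, Sockets() and ObjectName(Guid, string); the stub
// document, the sample rows and the helper names are assumptions.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Net;

// Stub standing in for Logic.NetworkBrowserDocument so the example runs offline.
class FakeNetworkBrowserDocument
{
    private readonly Dictionary<Guid, Dictionary<string, object>> _rows =
        new Dictionary<Guid, Dictionary<string, object>>();

    public Guid Add(string src, uint sport, string dst, uint dport, bool tcp)
    {
        var id = Guid.NewGuid();
        _rows[id] = new Dictionary<string, object>
        {
            { "sSource", src }, { "iSourcePort", sport },
            { "sDestination", dst }, { "iDestinationPort", dport },
            { "bIsTCP", tcp }
        };
        return id;
    }

    public ArrayList Sockets() { return new ArrayList(_rows.Keys); }

    // Null for an unknown object or attribute, as a missing name/value pair would be.
    public object ObjectName(Guid id, string attr)
    {
        Dictionary<string, object> row;
        object value;
        if (_rows.TryGetValue(id, out row) && row.TryGetValue(attr, out value)) return value;
        return null;
    }
}

// Typed accessors for the s/i/b prefixes. Convert.ToUInt32 instead of a bare
// (UInt32) unbox: the unbox throws if the boxed value is an Int32 or is null.
static class Attr
{
    public static string Str(FakeNetworkBrowserDocument d, Guid id, string name)
    {
        return d.ObjectName(id, name) as string ?? "";
    }
    public static uint U32(FakeNetworkBrowserDocument d, Guid id, string name)
    {
        object v = d.ObjectName(id, name);
        return v == null ? 0u : Convert.ToUInt32(v);
    }
    public static bool Flag(FakeNetworkBrowserDocument d, Guid id, string name)
    {
        object v = d.ObjectName(id, name);
        return v is bool && (bool)v;
    }
}

class SocketRecord
{
    public string Source, Destination;
    public uint SourcePort, DestinationPort;
    public bool IsTcp;
    public override string ToString()
    {
        return string.Format("{0} {1}:{2} -> {3}:{4}", IsTcp ? "TCP" : "UDP",
            Source, SourcePort, Destination, DestinationPort);
    }
}

static class SocketTriage
{
    // Loopback, link-local, unspecified and RFC 1918 ranges count as internal;
    // anything that does not parse is treated as internal so it never reaches a lookup.
    public static bool IsPrivateOrLocal(string ip)
    {
        IPAddress a;
        if (!IPAddress.TryParse(ip, out a)) return true;
        if (a.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork)
            return IPAddress.IsLoopback(a) || a.IsIPv6LinkLocal || a.Equals(IPAddress.IPv6Any);
        byte[] b = a.GetAddressBytes();
        return b[0] == 10 || b[0] == 127 || b[0] == 0
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168)
            || (b[0] == 169 && b[1] == 254);
    }

    // The subset of the socket list whose peer is routable: the candidates a
    // whois/geoip step or a perimeter IDS blocklist would actually care about.
    public static List<SocketRecord> ExternalConnections(FakeNetworkBrowserDocument net)
    {
        var result = new List<SocketRecord>();
        foreach (Guid id in net.Sockets())
        {
            var rec = new SocketRecord
            {
                Source = Attr.Str(net, id, "sSource"),
                Destination = Attr.Str(net, id, "sDestination"),
                SourcePort = Attr.U32(net, id, "iSourcePort"),
                DestinationPort = Attr.U32(net, id, "iDestinationPort"),
                IsTcp = Attr.Flag(net, id, "bIsTCP")
            };
            if (!IsPrivateOrLocal(rec.Destination)) result.Add(rec);
        }
        return result;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample socket table; the addresses are documentation/test ranges.
        var net = new FakeNetworkBrowserDocument();
        net.Add("192.168.1.20", 49152, "192.168.1.5", 445, true);   // internal SMB, skipped
        net.Add("192.168.1.20", 49153, "203.0.113.7", 443, true);   // external, reported
        net.Add("0.0.0.0", 137, "0.0.0.0", 0, false);               // UDP listener, skipped
        net.Add("192.168.1.20", 49154, "198.51.100.9", 8080, true); // external, reported
        foreach (var rec in SocketTriage.ExternalConnections(net))
            Console.WriteLine(rec);
    }
}
```

Compiled as a console program it reports the two external TCP connections (to 203.0.113.7:443 and 198.51.100.9:8080) and skips the SMB session to an RFC 1918 peer and the 0.0.0.0 UDP listener. Inside a real plugin the stub would be replaced by the Logic.NetworkBrowserDocument found in OnLoad, and the filtered list is what you would pass to the Whois class rather than looking up every socket.<br /><br />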
In this example, we have a list of objects which represent sockets. The object ID can then be used to query additional attributes. In this example we query “sSource”, “sDestination”, “iSourcePort”, etc. This is the generic attribute naming system used by Responder. The prefix is a type: ‘s’ means string, ‘i’ means integer, ‘b’ means bool. There are hundreds of these named attributes across the application - something I hope HBGary writes an SDK document for soon.<br /><br />After obtaining the source and destination IPs, our example plugin has a Whois class that is used to look up the name and address of the registrar. This data is then passed to a browser control along with the URL for Google Maps so the location will be mapped on the right. <br /><br />This plugin could be extended in many ways. For example, a geoip database or service like ip2location could be used to locate the missile-coordinates for a specific IP address, as opposed to the registration data. The plugin could also be extended to extract IP addresses from artifacts in memory, as opposed to active connections in the socket list. For example, IP address fragments stored in tagged page pool memory. <br /><br />The plugin is open source and can be downloaded from <a href="https://support.hbgary.com" target="_">HBGary’s support site</a>.<br /><br />Cheers,<br />-Greg<br /><br /><i>Ps. Thanks to Dean, the HBGary engineer who wrote this plugin</i><br /><br /><strong>Changing APT Tactics: Remote-Access Tools vs. Stolen Credentials</strong> (2011-06-15)<br /><br />Advanced Persistent Threats (APT) are adaptive: their tactics will cycle after an intrusion takes place. For example, an APT group may start to lean away from RATs (remote-access tools) and rely more on stolen credentials. Let me explain.<br /><br />An APT initially will enter the network via malware, typically through spear-phishing. 
Once on the compromised host, the threat actor will place one or more RATs into the environment. If we pick up RATs with our <a href="http://www.hbgary.com/digital-dna" target="a">Digital DNA solution</a> or another indicator, we start hunting them down. After targeting and removing these RATs in the customer environment, we have found that specific malware will last about a week, maybe two, before the APT drops it altogether and switches tactics to remain in the network. We commonly see APT shift to using stolen credentials and no malware at all. <br /><br />Stolen credentials are the very currency of APT. As it turns out, it’s much harder to detect malicious users than to detect RATs. In fact, the APT will use these accounts the same way a legitimate admin would – making it very hard to tell the difference. They create file shares, use the ADMIN$ share, and defrag the hard drive. APTs will even update the AV and patch the machine. Of course, the defrag is actually a way to cover up forensic evidence on the drive, and the ADMIN$ is a way to laterally move malware and tools between machines. One would think that upgrading the AV would be counter to an APT’s self preservation. Actually, the APT updates it purely for self preservation – to appear “normal” as a legitimate admin.<br /><br />At this point in the investigation, in terms of malware, we are still picking up a great deal of material – but not RATs. When the APT shifts to credentials, we start to pick up password sniffers and keyloggers that have no outside network capability. The malware in this case is entirely focused on obtaining more credentials. Finally, once the customer updates all the passwords, one or more RATs pop out of the woodwork and the cycle repeats itself. 
<br /><br /><strong>A Brief History of Physical Memory Forensics</strong> (2011-05-25)<p>Lately, we have been doing a lot of work around physical memory forensics. Recently, we released the free, <a href="http://www.hbgary.com/hbgary-releases-responder-ce" target="_">community edition</a> of our Responder™ product and plan to release the fourth generation of our memory analysis engine later this year. During this work, I have been reflecting on the origins and advancements in the field of physical memory forensics over the last 10 years.<br /><br /><p>In the early 2000s, two headline-making malware infections, Code Red and SQL Slammer, demonstrated the possibility that malware could reside only in memory and never leave a file on disk. In the world of incident response, the evidence challenged the traditional notion of dead-box forensics. It meant that critical data would not be obtained by the traditional forensic methodology. It also set the stage for future malware that would subvert API calls, forcing live response scripts to rely on the OS as little as possible.<br /><br /><p>Physical memory analysis started as crash dump analysis for debugging, but it soon became apparent that volatile data in memory could contain encryption keys, passwords, and other critical information about recent user activity. From a tools perspective, the well-known dd utility has been able to acquire memory from the start, simply by reading /dev/mem or \Device\PhysicalMemory. Other memory tools also emerged. In 2002, Eoghan Casey documented how Arne Vidstrom’s PMDump tool could be used to dump virtual memory and defeat PGPTray.<br /><br /><p>Rootkits helped drive development of memory forensics – more for malware detection than evidence collection. 
In 2003, Jamie Butler demonstrated the DKOM (Direct Kernel Object Manipulation) method for hiding processes by removing items from a linked list directly in memory. This was a data-only attack and didn’t involve any kernel hooking. It would be a few years before researchers like Andreas Schuster and Chris Betz developed memory-forensics methods for finding hidden processes that countered Butler’s DKOM. Things took another significant step forward in 2005 when Sherri Sparks released <a href="https://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf" target="_">Shadow Walker</a>, a rootkit that was able to hide sections of virtual memory from scanning tools. This led to the notion of physical memory acquisition – using a raw dump of RAM instead of OS-supplied virtual memory reads – as a means of rootkit detection.<br /><br /><p>Attempts at OS reconstruction didn’t really start until the DFRWS memory analysis challenge in 2005, where George Garner [<a href="http://www.dfrws.org/2005/challenge/kntlist.shtml" target="_">kntlist</a>] and Chris Betz [<a href="http://www.dfrws.org/2005/challenge/memparser.shtml" target="_">memparser</a>] developed process and thread reconstruction for Windows®. Everything changed after this – instead of searching for binary patterns and strings, the memory image was seen as a complex snapshot of interrelated structures and data arrays. A keystone development was the ability to discover the page tables in physical RAM and thus translate virtual addresses to their physical offset. In February 2006, I wrote the first version of this technology for HBGary using the self-referencing physical address pointer trick (AFAIK first publicly documented by Joe Stewart w/ the <a href="http://www.secureworks.com/research/tools/truman/" target="_">TRUMAN project</a>), and we soon added PAE support. Physical memory forensics had become a hot new area of research. 
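<br /><br />The self-referencing pointer trick mentioned above is small enough to show in full. What follows is an added example, not HBGary's WPMA code or any tool named in the post. It models the x86 non-PAE layout only (4 KiB pages, 1024 four-byte entries per directory or table) and the Windows convention of mapping the page directory at virtual address 0xC0300000, so that entry 0x300 of the real page directory holds the physical address of the page directory itself. The scanner walks a raw image page by page looking for that signature, applies a sanity check against false positives, and then uses the hit to translate a virtual address to a physical offset. The image is constructed inline; PAE and 4 MiB PSE pages use a different entry layout and are deliberately rejected rather than translated.

```csharp
// Added example, not HBGary's WPMA code. x86 non-PAE only: 4 KiB pages, 1024
// four-byte entries per page directory/table, and Windows' mapping of the page
// directory at virtual 0xC0300000, so PDE 0x300 of the real page directory
// points back at the page directory's own physical page.
using System;
using System.Collections.Generic;

static class PageDirectoryScan
{
    const int PageSize = 0x1000;
    const int SelfRefIndex = 0x300;          // 0xC0300000 >> 22
    const uint FrameMask = 0xFFFFF000;
    const uint PresentBit = 0x1;
    const uint PageSizeBit = 0x80;           // PSE 4 MiB page; not handled here

    static uint ReadU32(byte[] img, long off)
    {
        return BitConverter.ToUInt32(img, checked((int)off));
    }

    // Every 4 KiB frame whose entry 0x300 is present and names the frame itself.
    // The second test (any present entry pointing past the end of the image)
    // discards random data that happens to satisfy the first.
    public static List<uint> FindCandidateDirectories(byte[] img)
    {
        var hits = new List<uint>();
        for (uint page = 0; page + PageSize <= img.Length; page += PageSize)
        {
            uint self = ReadU32(img, page + SelfRefIndex * 4);
            if ((self & PresentBit) == 0 || (self & FrameMask) != page) continue;
            bool sane = true;
            for (int i = 0; i < 1024 && sane; i++)
            {
                uint e = ReadU32(img, page + i * 4);
                if ((e & PresentBit) != 0 && (e & FrameMask) >= img.Length) sane = false;
            }
            if (sane) hits.Add(page);
        }
        return hits;
    }

    // Two-level walk: the PDE selects a page table, the PTE selects the frame.
    // Returns -1 when either level is absent or the PDE is a 4 MiB PSE page.
    public static long Translate(byte[] img, uint pageDir, uint va)
    {
        uint pde = ReadU32(img, pageDir + (va >> 22) * 4);
        if ((pde & PresentBit) == 0 || (pde & PageSizeBit) != 0) return -1;
        uint pte = ReadU32(img, (pde & FrameMask) + ((va >> 12) & 0x3FF) * 4);
        if ((pte & PresentBit) == 0) return -1;
        return (pte & FrameMask) | (va & 0xFFF);
    }

    // Constructed 16-page "physical memory": page directory at 0x5000, one page
    // table at 0x7000, and a decoy page at 0x3000 whose entry 0x300 is present
    // but does not point at itself.
    public static byte[] BuildSampleImage()
    {
        var img = new byte[16 * PageSize];
        Write(img, 0x5000 + SelfRefIndex * 4, 0x5000 | 0x63);
        Write(img, 0x5000 + (0x80000000u >> 22) * 4, 0x7000 | 0x63); // 0x80000000-0x803FFFFF
        Write(img, 0x7000 + 1 * 4, 0x9000 | 0x63);                    // 0x80001000 -> 0x9000
        Write(img, 0x3000 + SelfRefIndex * 4, 0x2000 | 0x63);
        return img;
    }

    static void Write(byte[] img, long off, uint value)
    {
        Array.Copy(BitConverter.GetBytes(value), 0, img, off, 4);
    }

    static void Main()
    {
        byte[] img = BuildSampleImage();
        foreach (uint pd in FindCandidateDirectories(img))
        {
            Console.WriteLine("page directory candidate at 0x{0:X}", pd);
            Console.WriteLine("0x80001234 -> 0x{0:X}", Translate(img, pd, 0x80001234));
            Console.WriteLine("0x80002000 -> {0}", Translate(img, pd, 0x80002000)); // -1, no PTE
        }
    }
}
```

Run stand-alone it reports the directory at 0x5000, translates 0x80001234 to 0x9234, and returns -1 for 0x80002000, whose page-table entry is absent; the decoy page at 0x3000 is ignored because its entry 0x300 does not point at itself. On a real image the sanity check matters: a few random pages in a multi-gigabyte dump can pass the self-reference test by chance, and a present entry pointing beyond the end of RAM is the cheapest way to discard them.<br /><br />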
Later that year Mariusz Burdach <a href="https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf" target="_">presented</a> on physical memory forensics at the Blackhat conference. Jamie continued his research as well and <a href="http://www.blackhat.com/presentations/bh-usa-07/Butler_and_Kendall/Presentation/bh-usa-07-butler_and_kendall.pdf" target="_">presented numerous advances</a> in physical memory analysis to detect rootkits at the Blackhat 2007 conference. Shortly after Jamie’s talk, AAron Walters released Volatility. It was these initial advances with page table translation and OS reconstruction that led to “modern” physical memory analysis. <br /><br />By this time, Brian Carrier and Joe Grand had already released Tribble, a PCI card that could monitor and analyze physical memory. It was later that several commercial attempts were made to build a rootkit protection solution in the form of a PCI card. Via a DHS grant, HBGary was subcontracted to work on a similar project and this led to a prototype PCI card that could analyze Windows XP and detect kernel hooks. Jamie Butler joined Komoku, which had already built a similar device, around that time. Joanna Rutkowska was <a href="http://invisiblethings.org/" target="_">quick to respond</a> to all of this and developed an extremely low level software-only rootkit for Windows that could defeat even a PCI-based physical memory read – by reprogramming microchips that are part of the bus controller and I/O chipset. In the end, a hardware solution for rootkit detection was not economically feasible and these projects were never successfully commercialized.<br /><br />HBGary’s work on the hardware PCI card was the genesis for more R&D memory forensics work to come. We abandoned the hardware approach and developed a software library called WPMA (Windows Physical Memory Assessment) - written in C++ and core to Responder’s memory parser. 
We later developed a second-generation parser and started reverse engineering all the different memory footprints left by every conceivable version of Windows and service pack (we didn’t analyze NT 4.0 – only Win2K and newer). It took about two years to get the Windows platform complete. This work led to the development of our flagship product, <a href="http://www.hbgary.com/responder-pro-2" target="_">Responder™</a>, and the library that performs the physical memory parsing is integrated into our enterprise product’s <a href="http://www.hbgary.com/active-defense" target="_">Active Defense™</a> agent as well. <br /><br />I’ve highlighted only a few of the researchers in this important field of physical memory forensics – there are many others who have also made significant contributions. At HBGary, as I mentioned, we will soon release a completely rewritten version of our physical memory analysis engine, marking the fourth generation of the technology. Recently, I was watching the performance testing in the lab and I have yet to see it cap 150 MB memory usage while analyzing a 10-gig snapshot, and it is about 30% faster than our current generation. I will post more details on this work as we progress, as the new engine has many additional features that extend our Digital DNA™ technology. <br /><br />-Greg Hoglund<br /><br /><strong>Stop PDF Exploits Cold</strong> (2011-05-12)<br /><br />I’m happy to announce that HBGary has released another free tool, similar to the Aurora scanner and the Chinese RAT catcher tools we released in past months. This one isn’t looking for malware, however. Acroscrub is an agentless scan of the enterprise that will find out-of-date versions of Acrobat Reader. Adobe is pretty good about patching vulnerabilities, but many machines in the enterprise won’t have the latest version of Acrobat Reader. 
PDF exploits are a common method used with spear-phishing attacks and APT intrusions, so it’s imperative that organizations keep this software up to date. HBGary has released many popular free tools over the years and Acroscrub is another cool addition to the toolbox.<br /><br />All of the existing free tools are available to users on the HBGary support site. We have upgraded the security on the community support site and now require two-factor authentication for all access, both for commercial customers and for free tools, so that means no more direct downloads. I support this upgrade to authentication and believe it acceptable for legitimate practitioners in the security industry.<br /><br /><a href="http://www.hbgary.com/hbgary-releases-acroscrub">http://www.hbgary.com/hbgary-releases-acroscrub</a><br /><br /><strong>Is APT really about the person and not the malware?</strong> (2011-04-19)<br /><br /><div>Maybe the “APT is person not malware” pendulum is swinging to the extreme. Understandably it’s a response to commercial enterprises being obsessed with pure-play malware detection. But what is the alternative? Spend tons of money on consulting and RE/forensic services for years on end? Customers are tired of paying for that. They must build a security methodology that accounts for persistent attackers – something that can be managed internally and that leverages automated detection as much as possible. To that end, detecting APT must include the malware, tools, and codified threat intelligence. </div><div><br /></div><div>As tired as it is, the ‘hacking exposed’ story hasn’t changed. We must continue to highlight that a real criminal is at the other end of the keyboard, and that he is persistent and will keep coming back. 
We know that he will use more than one tool, more than one method of entry, and he won’t go away no matter what kind of malware detection you have. But the idea that it’s all about the human and not malware or TTPs is simply untrue. Malware and TTPs have a critical role to play in combating APT. </div><div><br /></div><div>To date this year, HBGary has identified and tracked multiple human threat actors using the science of attribution, many of them operating overseas. Our attribution begins with profiling the CnC, the developer toolmarks, and forensic artifacts left behind after an intrusion. While some RATs are “easy to detect - difficult to attribute” (i.e., Poison Ivy) we have also found modified and custom tools that contain unique indicators. This information can be used along with open source intelligence and link analysis (we heart Maltego) to locate online identities, forums, and social spaces. This can lead to the discovery of real identities – the attacker’s real name, address, and even photographs. </div><div><br /></div><div>It makes no sense to separate the human from the malware and TTPs. They are two ends of the same spectrum. This is not a black and white science; it works because humans aren’t perfect. It works because humans are creatures of habit and tend to use what they know. They use the same tools every day and don’t rewrite their malware every morning. They don’t have perfect OPSEC. They put their digital footprints out on the Internet long ago – and it’s usually just a few clicks away from discovery. There is a reflection of the threat actor behind every intrusion. To discount this is to discount forensic science.</div><div><br /></div><div>Digital attribution is important because it scales. An army of consultants watching your network does not scale, they don’t share their threat data, and they’re expensive. 
Couple that with out of date methods for determining a breach (imaging a 500GB hard drive to find 200 bytes of actionable data) and you can see why customers want/need a better solution to empower their own teams. This is why researching automated methods for threat detection is so important. Threat detection leads to threat intelligence, actionable data you can feed back into your process to make it more difficult for the attacker to succeed in your network. For example, the endpoint physical memory can reveal decrypted CnC addresses that can plug directly into the perimeter IDS – making your existing investment smarter. </div><div><br /></div><div>For me, the concept is clear – reverse engineer the endpoint hosts down to the rawest dataset. From this, automatically piece together the parts that appear to relate to suspicious activity. Map this against a database of known malicious behaviors – software, host, timeline, forensic, all of it. Do this automatically and alert on the outliers. HBGary’s Digital DNA does this by using a weighted fuzzy hash of the behaviors. Fuzzy hash because hashes are understood in the enterprise, and weighted because security is a risk management problem that begs for red/yellow/green. 
The result is huge scalability and effectiveness for a problem that is traditionally expensive and understaffed.</div><br /><br /><strong>Two new threat intelligence papers CSOs will want to read</strong> (2011-04-12)<br /><br /><div><strong><a href="http://www.hbgary.com/attachments/chinathreat_sm.jpg"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 70px; FLOAT: left; HEIGHT: 129px; CURSOR: hand" border="0" alt="" src="http://www.hbgary.com/attachments/chinathreat_sm.jpg" /></a>Industrial Espionage in the Global Energy Market </strong></div><br /><div>Since 2005, HBGary has been tracking variants of malware created and originated in China that indicate a complex cyber espionage operation targeting multiple industries, including the energy sector. In this new whitepaper, "Industrial Espionage in the Global Energy Market," HBGary provides technical details about these cyberattacks as well as the type of critical data targeted and successfully obtained and sent back to China. This report is restricted release to qualified executives, government, and law enforcement only. 
<a href="http://www.hbgary.com/" target="_">Available from hbgary.com</a> </div><br /><div><strong><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10ZJPrb9rAqZMOW2E0m8fuVYOXra2qKJHUCvzlb8j1HA56DhRqudR8RnjgqX9f8AOaGZjQZ2ASRhXXuJiz3iWPiWJ6N8p0Gr2ziUW9eskCqb04hQxwQrbVqvjT7U9QDXzN43a9xd_LNc/s1600/wikileaks_logo.png"><img style="MARGIN: 0px 10px 10px 0px; WIDTH: 71px; FLOAT: left; HEIGHT: 159px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5594749765750571938" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg10ZJPrb9rAqZMOW2E0m8fuVYOXra2qKJHUCvzlb8j1HA56DhRqudR8RnjgqX9f8AOaGZjQZ2ASRhXXuJiz3iWPiWJ6N8p0Gr2ziUW9eskCqb04hQxwQrbVqvjT7U9QDXzN43a9xd_LNc/s320/wikileaks_logo.png" /></a>Threats in the Age of WikiLeaks </strong></div><br /><div>HBGary has released its threat report ‘Threats in the age of WikiLeaks’ – CSOs will want to read this report. Cyber-threats are evolving fast but we must stay ahead if we are to secure our information systems and our brands. With leak platforms (WikiLeaks, AnonLeaks, CrowdLeaks, InfoLeaks, People’s Liberation Front) comes the increased risk of insider threats and acts of information terrorism. Unlike traditional APT which damages over years, leak platforms represent immediate damage to stock value, profitability, and brand. Acts of cyber terrorism can disrupt systems and business continuity. To date, the severity of this threat has been underplayed in the press – this report exposes the true and dangerous nature of the threat. The report provides immediate and actionable data to help you detect potential insider threats and attacks. This report is restricted release to qualified executives, government, and law enforcement only. 
<a href="http://www.hbgary.com/" target="_">Available from hbgary.com</a> </div><br /><br /><strong>Rootkit Evolution</strong> (2011-04-08)<br /><br />Over the last few years HBGary has researched significant advancements in rootkit technology. We are pushing the envelope of what’s possible in the Windows kernel. I’m glad to say that we haven’t seen anything in the wild that is remotely close to what we have developed in our labs. So, we are still ahead of the threat. This keeps our <a href="http://www.hbgary.com/digital-dna" target="_">Digital DNA</a> ‘frosty’ so to speak, but probably further ahead of the threat curve than it needs to be. That’s not a bad thing for people protecting against APT – we want to stay one step ahead of the bad guys. For those who have followed my work in rootkits over the years you probably noticed I stopped releasing public material on the subject years ago. This is because I didn't want to educate the bad guys on how to develop this stuff. But, that doesn’t mean the research has stopped – just that some things should only be briefed behind closed doors.<br /><br /><strong>Cyber Conflict and State Power</strong> (2011-03-14)<br /><br />There has been a rapid change in the global security paradigm. Cyberspace has fundamentally changed the stability between state and society. New conflict groups are not tied to any one state. There is a boom in conflict. Dangers come from many sources, not just military. The distinction between civilian, domestic, guerilla, terrorist, and criminal is blurred – small numbers of individuals can inflict great harm upon the establishment – perhaps more so than any army. Recent activities have been directed at states themselves (Egypt/Iran/US/Estonia/Georgia). 
International bodies have been notably absent in their duties to protect their members (UN/NATO).<br /><br />The security environment is defined by the state’s weakness in cyberspace. The borders are permeable because the information flow is weakly controlled – there is no better example than WikiLeaks. The threat today is not from the projection of power, but instead from the projection of instability. Power projection defines a state's ability to influence and enforce its policy globally, which can be seriously harmed by not applying equal effort in cyberspace (Georgian conflict). You need a passport to travel to a foreign land but can reach that country's marketplace in milliseconds via cyberspace, without ever crossing a checkpoint. Any group can influence a state's population using social media outlets, including but not limited to instigating riots or uprisings (Egypt/Iran), as well as spreading disinformation. <br /><br />The U.S. war on terrorism is an example of this fight. The shadowy cell-based terrorist network cannot be linked to any one state. We live in an increasingly borderless world system. Groups are recruited and mustered entirely on the international stage of cyberspace, and include members from many countries. New conflict actors are flocking to cyberspace for communication, organization, and as a medium of attack – both directly through criminal assault and through influence campaigns and control of media. Threat actors include transnational criminals, warlords for profit, economic insurgents, state intelligence, and agents of industrial espionage. <br /> <br />Cyber is a zone of lawlessness and conflict. While not armed in the traditional sense of explosives, the landscape is ripe for soft munitions that can alter industrial operations with a few lines of code (Stuxnet). 
The traditional means of peaceful activists have migrated to acts of a criminal nature, favoring methods such as denial of service, intimidation, theft, harassment, defamation, disinformation, hacking, and cyber-thuggery. Peaceful protests such as sit-ins or boycotts have been replaced by violations of Federal statutes without fear of prosecution, and states are increasingly challenged to bring charges against the perpetrators due to the ability to exploit the world stage of cyberspace. <br /> <br />When the citizens of one nation wage cyberwar against the government of another, the international treaties that trigger the right to wage war (jus ad bellum) are absent, and the conduct of protecting a nation under these acts is not governed (jus in bello).<br /><br />Unless all nations cooperate to develop and enforce regulations, treaties, extradition, and cyber checkpoints, these acts will continue to occur with increasing severity.<br /><br />-Greg Hoglund<br /><br /><strong>Malware Persistence in the Cloud</strong> (2010-12-13)<br /><br />The cloud is certainly going to change some things about malware infection. When a desktop is reset to a clean state every time an employee logs in, you now have to wonder how malicious attackers are going to maintain persistent access to the Enterprise. This is similar to what happens when an infected computer is re-imaged only to end up infected all over again.<br /><br />There are several ways to maintain persistent access without having an executable-in-waiting on the filesystem. Memory-only based injection is an old concept. It has the advantage of defeating disk-based security. One common observation is that such malware doesn't survive reboot. That is true in the sense that the malware is not a service or a driver - but this doesn't mean the malware will go away. 
Stated differently, the malware can still be persistent even without a registry key to survive reboot. This applies to the problem of re-infection after re-imaging (a serious and expensive problem today in the Enterprise) and it also applies to the future of cloud computing (where desktop reset is considered a way to combat malware persistence).<br /><br />The most common method for persistence without reboot is re-infecting the system from a neighboring, already infected system. It has sometimes been called the "Hack Finn" model - two or more malware programs that know about each other. Unless you kill both of them simultaneously, the one will re-create the other. In today's world, the neighbor doesn't need to be physically nearby - it can be anything that has some access path to the other machine. This neighbor could be a social networking peer, a shared desktop (think exploited .ini), or a machine with lateral domain credentials.<br /><br />Another way to maintain access is to store crafted (exploit) data in a commonly used document - think PDF exploit but for Google Docs. Users in a cloud-based environment are going to have persistent data storage, whether this is up in the cloud or down on a USB stick. When the execution environment is constantly reset, as it might be in a desktop cloud, the attacker can move the method of persistence to the data itself. The malicious code must obtain execution cycles - think of the cloud-based desktop simply as an execution space. The user opens said boobytrapped document every day as part of their work, and the malicious code activates. Or it can be delivered via a system used on a daily basis, such as an exploited image on an ad-banner, or the little calendar program in the corner of your timecard system.<br /><br />For the window of time the user is interacting with the desktop, the code has execution cycles. 
This is when data is most at risk - this is when other documents are open, other social network contacts are online, and the user's access token is live and can be used to access other resources.<br /><br />Remember, the attackers always adapt to new environments. The cloud just provides new ways for our adversaries to attack us.