[Dailydave] APT

J. Oquendo joquendo at e-fensive.net
Tue Mar 11 12:09:21 EDT 2014


On Tue, 11 Mar 2014, Dave Aitel wrote:

> So the thing about being advanced enough is that you don't really have
> to be persistent in any normal sense of the word. Nobody has pointed out
> how the first stage of the NSA shellcode (as leaked by "backgrounded by
> the Constitution and definitely not at all a narcissist" Snowden) just
> avoids executing anything on systems protected by HIPS. Imagine if you
> were so good at your job you could ignore targets you already had
> execution on if you felt even a /little bit/ queasy about their defense.
> 
> Look, Richard Bejtlich thinks I don't know anything about "Strategy"

"I never read any treatises on strategy... When we fight,
we do not take any books with us." Mao Tse-Tung

Working in an MSP/MSSP I *have* deployed defenses; working
in the malware analysis arena, I *know* about encryption
tactics used by bad actors; and having performed network analysis
functions for over 14 years (http://seclists.org/incidents/2000/Aug/278),
I think I can qualify myself to chip in my $.02.

I will counter-argue some of Mr. Bejtlich's points.

1) Providing visibility. This all depends on the environment.
Sometimes an architect CANNOT decrypt traffic without red
tape (regulatory controls, HIPAA, SOX, whatever). While
we'd LIKE to decrypt, we also have to put privacy at the
forefront, depending on where the guidance is coming
from, especially when CPOs (Chief Privacy Officers) gripe
and moan about privacy.

While, on the network and security side, we'd ALWAYS love
to see what is occurring, the reality is that every network
differs. PERIOD.

2) "Technology to defeat/decrypt obfuscation" is a moot
point. If things were so grand, we wouldn't have instances
of "advanced persistent" anything on a network for days,
weeks - wait, oh look here... YEARS - on end. All we have
is what is visible. There are NOT enough resources in ANY
company to weed out the anomalies, "sic" a malware analyst on them, and
create IOCs in real time. Not even close to "near real time",
so we oft rely on the security vendors and researchers to
tell us: "something is off with these connections, these
applications, etc." But against REALLY good threats? This
is not happening. You *WON'T* see them in your honeypots,
NSMs, IDSs, IPSs, ITSs (because who doesn't love Intrusion
TOLERANCE Systems). Obfuscation by way of "hiding in plain
sight" goes a long way on the offensive side, which is
how, and why, groups like the "Comment Crew" likely persisted
in orgs for so long.

3) Archiving and analyzing network traffic is looking for
a needle in a haystack. You're playing the signature game
again. You're either ignoring the known knowns or weeding
out anomalies. You can do it modularly (deploy NSM to, say,
a segment, to make it easier), but it's infeasible to pretend
for a minute that you'd be able to pick a needle out of a
haystack and isolate someone INTENT and ADVANCED.

So you go out on an NSM spree, deploy hundreds, heck, even
thousands of instances. Isolate the knowns, ignore them,
and look for the discrepancies. Guess what? What are you
going to do in, say, the case of Target, where you MAY have
ignored a "known" (third-party vendor)? What are you going
to do in the following scenario:

Company --> data --> internet --> EBay

In this scenario, from your company, someone is visiting
the LEGITIMATE EBay site. However, an attacker decided to
shove spliced bits of data into those connections,
because somewhere along the line, he/she is sniffing
the connection to compile the spliced data. Think your NSM
skills are going to be able to piece that together? I can
assure you they won't.

Program Goals and "Strategies" from my perspective can be
combined since they rampantly change no matter HOW you
want to cut it. CISOs depend too much on book level nonsense
and often ignore those in the trenches. Those who see the
attacks, those who PERFORM the attacks. This is the reason
why so many companies get themselves "owned." You can
strategize all you want, and I go back to:

"Strategies too often fail because more is expected of them
than they can deliver"

http://www.economist.com/news/books-and-arts/21588834-strategies-too-often-fail-because-more-expected-them-they-can-deliver-why

Maybe I missed something on the "Drinking the Kool-Aid"
thread, with "strategies" or even tools and tactics. I
read it to be some form of a starting point for countering
and defense. Bejtlich's writings go off into a
"this is what worked for me... how I strategized", which
*may* have worked for him, but should not be an umbrella
for defensive anything. I'd run circles around the entire
concept of what he perceives as defense. IN PLAIN sight.


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF