[Dailydave] Defeating what's next

Val Smith mvalsmith at gmail.com
Fri Jun 14 19:49:58 EDT 2013


I love offense. I have been offensively focused from a work perspective
since about 1995, and personally since 1982. I love writing exploits and
have personally hacked tens of thousands of computers with my own tools.

In the last few years I have been helping a number of very large
customers with security. What I have learned, sadly, is the following:

- No 0day in existence can help them
- Reverse engineering & memory forensics are basically unusable for them
(right now)
- Pen tests are of no value to them (the report can be written without
bothering with the test in most cases, and they know they need to patch
more)
- Kernel mode rootkits, 100% useless to them

To back up the bulleted list above, this is what these organizations
tell me when I show up:

"We have 100,000 computers globally distributed. Keeping services up is
the most important thing but it would also be cool if people didn't have
our data.

We have one guy over there in the corner who mostly does IT stuff but is
our designated security guy, and he might get to go to Defcon this year.
(Or, the CEO picked five close-to-retirement managers and said "make
security happen"; that's our security team.)

We have old, non-standard-build OSes, and we don't know what or where
our data is. Users have admin on their desktops. We might be running an
old version of AV, and we probably have a Cisco firewall somewhere.

See this room over here? It's full of appliances in boxes. We have
purchased every vendor box we saw at Blackhat. A year ago. They are
still in the packing boxes.

Our bosses mostly care about metrics that they can read on one page once a
week, and that the FBI doesn't call them saying we have a problem.

If you need DNS logs, that's the infrastructure team. They hate us and
won't respond. If you need AD logs, that's the server team, and they hate
both us and the infrastructure team, and won't give us access. You want
to do a pen test? There are 16 internal divisions that have to sign off
first, none of them want to look bad, and all insist on their own vendor
instead of you.

Something is beaconing to somewhere on our network, and our last pen
test said we were good to go. (We have automated patching)

So, Mr. Expert, what do we do, security-wise?"

These companies are so far from being ready for offense or advanced IR
that it's frightening. What these companies need is someone to look at
their architecture, understand their business processes and needs, and
help them get basic security-related IT operations and sound, manageable
defense strategies in place.

Sometimes we who are interested in offensive security are selling (or
criticizing) the wrong thing to the wrong people.

V.