Digitally Signed Malware Proves Again That Attacks Get Through Your Shields

So what, Triumfant guy, exactly gets through my shields?  You tell me I will be breached and you give me statistics, but I have AV, whitelisting, deep packet inspection, and every other acronym and buzzword in place. Oh yea, and I have “the cloud” (pause for tympani emphasis) providing me prevalence information and other cloud-based stuff.

Well, digitally signed malware gets past your protections.  Not according to me, but according to several sources – Symantec, Kaspersky, AlienVault and BitDefender – cited in a March 15, 2012 PC World article “Digitally Signed Malware Is Increasingly Prevalent, Researchers Say”.

It is the blackhat version of “these are not the droids you are looking for”, using the certificates to get the malicious code waved through. Some of the first evidence of this technique was found in 2010 in the analysis of Stuxnet. The PC World article provides evidence that the technique is showing up with increasing frequency. The article explains in good detail how it works and which protections it can evade, including whitelisting.

This technique is illustrative of the ongoing battle between good and evil in IT security.  Operating system advances in Windows 7 and other OS versions were thought to advance the security of systems, and the adversary then takes the very techniques used to make the systems more secure and subverts them to find new ways to deliver malicious code and evade protections.  I have no interest in impugning the efficacy of prevention software and I have never said to turn off protection software.  What I have said consistently is that attacks will get through your shields.  Here is yet another example of how, and demonstrates that the adversary will always find a way to get through.  No FUD here – I would point out that every vendor cited in this story is a protection software vendor.

This story also illustrates that there are no silver bullets in protection. Prospects often cite their use of whitelisting tools as the raison d’être for why they do not need something like Triumfant, but here is a clear example of how such tools are being evaded. If you need more, there is a video from Shmoocon that shows multiple techniques for evading several whitelisting tools. Yet another silver bullet falls short. I am not singling out whitelisting – it is just the current “It” tool of IT security.
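The signed-malware technique and the whitelisting point above both come down to the same policy mistake: treating “carries a valid signature” as “trusted”. The added example below, written for this post and not from the PC World article or any vendor’s tooling, audits executables on a Windows host and flags anything that is not both validly signed and signed by a publisher certificate you have explicitly pinned; the thumbprint list is a placeholder you would replace with your own.

```powershell
# Added example (not from the original post): a signature is evidence of who signed,
# not of whether the code is safe, so pin publishers instead of trusting any valid signature.
# Assumption: $AllowedThumbprints holds the SHA-1 thumbprints of the signing certificates
# your organization actually trusts. The value here is a placeholder, not a real thumbprint.
$AllowedThumbprints = @('PLACEHOLDER_PUBLISHER_THUMBPRINT')

# Directories to audit; narrow or widen as appropriate for the host.
$ScanRoots = @('C:\Program Files', 'C:\Program Files (x86)')

$Findings = Get-ChildItem -Path $ScanRoots -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature returns Status (Valid, NotSigned, HashMismatch, ...)
        # and the signer certificate when one is present.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        [pscustomobject]@{
            Path       = $_.FullName
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Thumbprint = $thumb
            # "Valid" alone is what a naive whitelist checks; pinning adds the second condition.
            Pinned     = ($sig.Status -eq 'Valid') -and ($AllowedThumbprints -contains $thumb)
        }
    }

# Everything that is signed but not by a pinned publisher is exactly the class of file
# that "trust any valid signature" would have waved through.
$SignedButUnpinned = $Findings | Where-Object { $_.Status -eq 'Valid' -and -not $_.Pinned }
$SignedButUnpinned | Sort-Object Signer | Format-Table Signer, Thumbprint, Path -AutoSize
```

The list this produces is a review queue, not a verdict: a valid signature from an unfamiliar publisher deserves the same scrutiny as an unsigned file, which is the point the article makes about whitelisting.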

Lastly, it is illustrative of how the foundations of trust have become less…well…trustworthy.  I have seen the validation process of a certificate authority up close, and let’s just say I am not shocked to know that malware writers can obtain certificates with false identities. With the RSA breach and other certificate authorities being hacked, the foundation of trust was already showing cracks.  Now we see examples of how trust can be subverted using this technique.

So if this technique essentially waves malware through your shields, how are you going to detect the infiltration?  That is where Triumfant fills the gap, detecting the zero day attacks and targeted attacks, including the advanced persistent threat, that infiltrate your endpoint machines and servers.

I once had a product manager from another company disdainfully tell me “when you find something that gets past my shields, you call me”.  I am looking for his number as soon as I finish this post.

The Reader’s Speak – the Top Ten Posts of 2011

The year is rolling to its inexorable end and it is time to look back fondly on the top blog posts from Exceptional Security in 2011.  The selection process is generally scientific, using the site stats to gauge reader interest.  But personal bias and self-indulgence are also a factor.  At least I am honest, and I refrain from clichéd predictions.

Advanced Persistent Threat: Solution – No, Effective Detection – Yes. This post was actually written in January of 2010 but has been the most-read post on the blog. The post addresses the qualifications of Triumfant as a viable and effective tool for detecting targeted attacks, including APT.

The UC Berkeley Breach – You Don’t Know What You Don’t Know. Another post written before 2011 that continues to resonate.  In fact, this post is a very early expression of what I now call Rapid Detection and Response – the ability to quickly detect the attacks that evade preventative software and quickly respond to the breach.

Trojan Horses, Payloads and Flamethrowers.  This post turns the most overused cliché in IT security – the Trojan Horse – on its ear to illustrate rapid detection and response and the folly of relying solely on perimeter defenses.  Not to mention gross misuse of literary license as I insert flamethrowers into classical mythology.

Sayano-Shushenskaya Accident A Model for What a Duqu/Stuxnet Combo Could Mean.  This post uses the incident at a Russian hydroelectric facility to illustrate what kind of terrorism could be performed with a Stuxnet style attack.  The images from a 900 ton turbine unit tearing free of its moorings seemed to provide readers a visual reference point for the potential of such attacks.

Purely Commercial Espionage – The Advanced Persistent Threat Targets Businesses.  The exact definition of APT is hotly debated, but most see it as cyber warfare at the nation state level and not an issue of commerce.  Regardless of definitions, this post explores the burden that commercial organizations are bearing from targeted attacks that extract intellectual property from U.S. companies, negatively affecting the economy.

Certificate Authorities Hacked – So Who Can You Trust? This post speaks to the corruption of the chain of trust caused by the hacking of several certificate authorities. The important takeaway is that prevention mechanisms can fail along a variety of vectors, so adding rapid detection and response is necessary and prudent.

The Emotional Barriers to Embracing the Presumption of Breach Doctrine.  Why, in the face of all statistics and other forms of evidence to the contrary, do people cling to the notion of the 100% effective preventative shield?  This post looks at the emotional component that prevents highly rational people from admitting that they are getting breached and taking the appropriate action. I think it is a concept worth exploring more broadly.

Finding a Needle in a Haystack – Child’s Play! Another alternate take on a treasured IT security cliché – the needle in the haystack. Specifically, that finding a known thing – the needle – in a homogeneous population – the haystack – is a far easier proposition than locating malware without a signature in the vast IT world. Too big to do in one post, it turned into a series of posts.

Virus Attacks U.S. Drone Fleet and the Need for Rapid Detection and Response.  Sometimes when you are trying to get some traction around a concept or term, the world throws you a bone.  As I was introducing the concept of Rapid Detection and Response, the story broke about the attacks on the C&C center for the U.S. drone fleet and how that was a perfect scenario for the concept.

Time to Put Your Antivirus Software on a Diet.  This was posted in late 2010 but got a lot of reader momentum in 2011.  The post is an answer to the question frequently asked when we present Triumfant: “Are you saying you replace antivirus tools?”.   As a bonus, it contains my favorite phrase of 2011: fusillade of FUD.

Well, that wraps 2011 for Exceptional Security unless something big happens that requires comment.  Otherwise, thank you for reading – it is always humbling to know that someone takes the time to read.

See you in 2012.

The Emotional Barriers to Embracing the Presumption of Breach Doctrine

Every day, another breach. For every breach story we read, what would you guess is the number of known breaches that do not get reported? 1? 5? 100? Then there is the big unknown. The “you don’t know what you don’t know”. How many breaches are there that will go undiscovered for yet another day? I have used the following numbers from the Verizon Business 2011 Data Breach Investigations Report (published May 2011) many times: 60% of breaches go undiscovered for a month or more and 84% are discovered by someone outside of the organization.

I witness a very interesting response to the inescapable reality of today’s IT security environment every day from a somewhat unique position.  How Triumfant works and what it does requires organizations to make the fundamental recognition that attacks are getting past their shields and therefore they are getting breached.  In the overwhelming face of the available evidence this would seem to be an easy and completely defensible position for any organization to take.  Yet I consistently see a resistance that seems to be rooted in emotion rather than reason.

As Commodus put it in Gladiator: “It vexes me. I’m terribly vexed.”  So much so I have thought long and hard about the emotional side of this problem and have come to what I think are interesting and valid conclusions.

First is the inability to let go of the notion of full protection against attack and embrace the “Presumption of Breach” doctrine.  It is far more comforting to have 100% faith that your shields will protect your systems without fail and without regard to the attack or attacker. Everyone wants to be protected, and is far more comfortable thinking about prevention versus detection.  When you have spent 20+ years building walls and feeling protected (albeit a false comfort) behind those walls, a conversation about breaches rocks that world profoundly.  Another paradox is that the more organizations are in denial, the less likely they are to have detection capability, which means they won’t know they have been breached, which only feeds their denial.

The IT security market feeds on the myth of the 100% shield and continually sells the next layer to organizations with the promise that this time, THIS TIME, we have the answer.

If an organization faces the uncomfortable reality that they have been breached, then there is an emotional backlash: “How could this be?  My IT security team assured me we were protected!  My vendor partner also assured me we were protected! Who is to blame?”  The problem also cuts across personal boundaries to the heart of the reputation and job security of key people in the organization, because assuming that the organization has been breached creates the misconception that someone has to be at fault.

Let’s address these backlash issues directly.

This is not the fault of the CSO/CISO or the IT Security team, nor have these people failed the organization. They are up against a motivated, organized, and relentless adversary who benefits from the advantage that offense always has over defense. A motivated, well-funded and patient adversary that wants to target a specific network at a specific organization is really hard to stop. The roster of recently breached organizations is a who’s who of the most sophisticated and disciplined security practitioners on the planet. If they were breached, why would your organization be different or exempt? Doing the prudent thing and putting a solution in place to detect breaches and provide a rapid response is not an admission of failure by IT security.

This is not the fault of the shield software in place. At least not completely. There is no 100% shield and, in spite of vendor claims, there is no silver bullet. If you bought a shield product believing it to be 100% effective, then the fault is yours. Embracing the cold hard fact that every shield can be evaded is the first step toward progress. This logic also applies to the notion that getting breached does not imply that the person who bought the shields failed.

This is not the fault of IT management.  Pushing through a new tool that detects successful breaches may raise all manner of questions to the executive level and the board who likely received assurances that the necessary shields were in place.  Breaches now bring reputational risk that could negatively affect consumer trust and even business valuation.  Getting breached is a business risk as well as a security risk, and executive management and the board must be educated accordingly.

This is not going to happen to our organization. Hope is not a strategy. Neither is denial. There are two types of organizations: those who know they have been breached and those who don’t yet know. The Advanced Persistent Threat is not just a problem for the DoD or the NSA. The recent Duqu attack is yet another wake-up call that organizations can no longer ignore.

Uncomfortable realities are, well, uncomfortable. But they are reality nonetheless. Organizations need to embrace the reality of the moment, get past the emotional objections and associated finger pointing, and face the challenges that this new reality brings. You will get breached. Attacks will evade or get past your shields. You must have a tool in place to perform rapid detection and response to those breaches.

Making the Case for Rapid Detection and Response

In my post “You Need a Plan B for Security“, I cited two numbers from the Verizon Business 2011 Data Breach Investigations Report (published May 2011): 60 and 86. These two numbers jumped out at me from the report because they are subjective numbers that emphatically support the need for rapid detection and response to identify those attacks that get through preventative IT security software: the attacks that either evade perimeter and endpoint shields, or that the shields simply fail to detect.

“60” represents the percentage of attacks in the study that went undiscovered for a month or more.  Three out of five attacks that got past the organization’s shields were free to do damage on the host machine and the network for an extended period.  Free to establish command and control, spread to critical systems, and exfiltrate sensitive data and intellectual property.  By the way, there is nothing to indicate that these attacks were super sophisticated zero days or the advanced persistent threat.  The lack of rapid detection and response makes such sophistication unnecessary.

Organizations rest in the false security of security suite reports that show a steady increase in malware detection rates artificially inflated by the always-increasing number of attacks.  Or they are willing to take a gamble that the number of attacks that do get through will be minimal.  Ask Sony how many attacks it takes to cause an enormous amount of seemingly endless headaches and public relations hits.  Better yet, ask their CEO who is under pressure to resign because of the incident.

“86” represents the percentage of reported attacks that were discovered by a third party.  Conversely, this means the attacked organization found the problem only one out of eight times.  If a third party had not brought the attack to their attention, it may have never been discovered.  One could easily surmise that if left to the attacked organization to detect the problem, the 60% number above could have been much worse.

It is clear that organizations are not prepared to detect and respond to successful attacks.  One out of eight is a horrible rate given the accelerating pace that attacks are getting through the shields.  They most certainly are not prepared to detect these attacks rapidly before they can cause significant damage.

There is another component to consider. Detection of the attack by a third party means that the attacked organization’s dirty laundry is now public. At a minimum this erodes public and consumer trust, and at its worst it can negatively impact the organization’s brand and potentially affect valuation.

Budgets are tight, the economy staggering.  Rather than spend more money on yet another shield that will get compromised, organizations may want to take the numbers 60 and 86 to heart and take a hard look at their rapid detection and response capability.  Because by ignoring the need for rapid detection and response, organizations are enabling the adversary to establish a long term and highly destructive presence in their environments.

Attacks are getting through.  You must have a way to effectively identify successful attacks and provide the actionable information to make an informed and rapid response.

Plan B Gets a Name: Rapid Detection and Response

I have been openly evangelizing for a Plan B for malware detection for three years.  I have also been looking for a name for this approach, and today I saw an article that used a term that I have seen in several places lately that I think has some merit:

Rapid Detection and Response.

Great way to describe the concepts offered in a general sense here, and a great way to describe one of the fundamental benefits of Triumfant.

In short, the perimeter is porous, and attackers are smart, motivated and well funded and will target specific things at specific organizations. The net is that attacks are getting past shields at an increasing rate. You must have a way of quickly identifying the attacks that do get through and have the information to take an immediate and informed response.

Triumfant detects the attacks that evade your defenses. Detection is within minutes of the attack and returns a comprehensive forensic analysis of the attack including every granular attribute affected. Triumfant will also build a contextual remediation that will repair the machine, stopping the attack and fixing the collateral damage to the machine. For details, I suggest you go to the solution brief and the white paper on Malware Detection and Remediation.

Triumfant detects, it does so rapidly, and it formulates a response automatically. Triumfant detects rootkits. Triumfant detects zero day attacks. Triumfant detects the advanced persistent threat. That sounds like Rapid Detection and Response to me.

Time to Take an Open Minded Plunge

This blog entry is unique because it is the first one written on my new Apple MacBook Pro that I put into service yesterday. The move to the Mac is one of two personal paradigm shifts I have experienced recently, and the process speaks to the changes the IT security industry is experiencing today.

The second paradigm shift was the move from a BlackBerry to a Droid. As near as I can remember, I have had a BlackBerry device of some form for at least the past 10 years. It was an extension of my everyday activity, and that connection only deepened when the PIM device was merged with a phone. As other smartphone platforms grew smarter I was able to reconcile my BB loyalty based on my belief that the BB was a better e-mail platform, which of course had long ago become a myth. When the trackball on my BlackBerry stopped working and I was forced to change devices, I finally acquiesced and grabbed a Droid device.

Not only do I not miss my BlackBerry, I never looked back for a second. No misty eyed nostalgia, no frustration that I had somehow lost productivity or functionality. Only the periodic “What took you so long?” self-flagellation as I realized how much I had been missing by clinging to the past in the face of all evidence to the contrary.

I am less than 24 hours into my Mac ownership and I am feeling the same. The transition has been as painless as my departure from the BlackBerry world, and equally pleasing from a business perspective and from a personal perspective. What really surprised me is just how little I brought from my Windows PC to the Mac. Part of that is easy to explain: the world has shifted from host-based applications to web-based applications. The world has changed.

Much of what frustrates me in the security space is the irrational insistence on clinging to the tools and techniques of the past. When it comes to attacks and attackers, the world has changed dramatically in the past five years, yet organizations doggedly cling to the security technologies and tools of the past. Headlines scream the need to change, but new ideas seem to be viewed with enormous skepticism. And the large IT security companies that have traditionally dominated the space are allowed to wield incredible influence and drive the market based more on what they offer than on what the customer needs. I see heated arguments over the definition of the Advanced Persistent Threat, but little to help organizations detect APT attacks.

Funny, but Windows and BlackBerry both promised me that they could step up and give me everything that the new technologies offered, and I bought it for a time. I had to take an open-minded plunge to really see the folly of that line of thinking. I would encourage the decision makers in IT security to do the same.

Einstein Could Smell the Coffee – Can You?

“We cannot solve our problems with the same thinking we used when we created them” – Albert Einstein

The past weeks have been on a headline-per-day rate of high-profile hacks (today it is NATO). What makes these hacks stand out is that they are mostly organizations that you would expect to be secure – Citigroup, Booz Allen, and MIT are a short representative list. Sony is still reeling from their PS3 hack, and shareholders are calling for the resignation of the CEO.

Yet even at the companies that have been hacked, old thinking is being employed as the solution. Or as Einstein put it: the same thinking we used when we created the problem. The bigger tragedy may be that companies continue to look toward vendors who have rested on old technologies and have pushed half-hearted spackle jobs to cover the holes in their products as “innovation”.

Wake up. Smell the coffee. Because it is brewing and it is strong. The adversary has moved on to new techniques and is operating with a new boldness because of the tepid defenses we put in their path. Heck, they don’t even have to come up with new techniques or reach the lofty designation of Advanced Persistent Threat, because we don’t adequately defend against the well-known vulnerabilities and attack vectors. We either forego locks on the door or install them only to not bother turning the dead bolt and engaging the lock. And in the face of enormous evidence that the locks are no longer effective, we continue to install new, shiny versions of the same old technology, only to scratch our heads when tomorrow’s headline is revealed.

How many more lead headline hacks will companies need to see before looking to innovative approaches? Has everyone become so numb that they look the other way until they are the headline? The recent attacks have been characterized as “unsophisticated” as if that should be somehow comforting. I think it is the opposite, because it is likely the sophisticated attacks are working undetected, busily extracting confidential data and corporate IP.

I believe Einstein would tell us that it does not take a genius to see the problem, and it does not take a genius to determine that it is time to embrace new approaches to security. Funny thing is that I discovered this Einstein quote while verifying the attribution of another quote that also applies here:

“Insanity: doing the same thing over and over again and expecting different results.” – Albert Einstein