Month: March 2012

20 Questions for an Intrusion Analyst

On March 31, 2012

There are many approaches to finding the right people with the right talent to solve problems. Intrusion analysis and incident response is no different.

I recently saw a great recruiting quiz to test potential employees in various knowledge areas which included programming, packet analysis, protocol analysis, snort rule writing, reverse engineering, data encoding, advanced mathematics, and other topics. The test was designed so that it crossed so many topics one person would likely not successfully complete it. However, it would highlight a person’s strengths and interests to give the assessor a more complete picture of the applicant.

This made me think, what topics and questions would I use to achieve the same effect? After some deliberation, I have developed my own “20 Questions for an Intrusion Analyst” recruitment quiz (below) to highlight areas I think are important about a potential analyst joining a team.

As you may notice, I have covered several areas with these questions: analytic reasoning, creativity, adversary operations, packet analysis, intrusion detection, programming, reverse engineering, vulnerability analysis, exploit writing, and teaming.

I am purposefully not providing the answers 🙂

20 Questions for an Intrusion Analyst

Describe you first experience with a computer or network threat
You are given 500 pieces of straw and told that one piece is a needle which looks like straw. How would you find the needle? What other pieces of information would you like to have?
Explain the difference between intrusion and extrusion detection
Describe an adversary pivot, give an example, and explain its importance to intrusion analysis.
Describe your analytic biases.
Use the bit string 1101 to answer the following questions:

The bit string when XORed with 0
The decimal value of the string
The string represented in hexadecimal
Does this represent a printable ASCII character? If so, which character?

What is your favorite intrusion detection system? What are its biases and limitations?
Circle any of the following films you have seen: Hackers, War Games, Sneakers, Tron
Describe a method to find an intruder using only network flow data (no content).
Explain insertion and evasion of intrusion detection systems. Give an example.
Describe the activity detected by the following Snort rule. What could be done to make the rule more effective? alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg: “activity alert!”; sid:10000011; content:”MZ”;)
Write a code snippet to sort the following data by the first column

10,bob

8,sally

2,suzy

3,billy

5,joey

How much time/week do you spend on your own researching computer security/threat topics? What sources do you use to maintain situational awareness on threats in the wild?
What will the following code print out? Is there a vulnerability in the code? If so, describe the vulnerability and a potential method of exploitation.

#include
#include
int main(int argc, char *argv[])
{
   char string[40];
   strcpy(string, argv[1]);
   printf("The message was: %s\n", string);
   printf("Program completed normally!\n\n");
   return 0;
}

Describe and explain any “interesting” entries in the netstat log:

Proto Local Address     Foreign Address    State
 TCP  0.0.0.0:53        0.0.0.0:0          LISTENING
 TCP  0.0.0.0:135       0.0.0.0:0          LISTENING
 TCP  0.0.0.0:445       0.0.0.0:0          LISTENING
 TCP  0.0.0.0:5357      0.0.0.0:0          LISTENING
 TCP  192.168.1.4:53    91.198.117.247:443 CLOSE_WAIT
 TCP  192.168.1.4:59393 74.125.224.39:443  ESTABLISHED
 TCP  192.168.1.4:59515 208.50.77.89:80    ESTABLISHED
 TCP  192.168.1.4:59518 69.171.227.67:443  ESTABLISHED
 TCP  192.168.1.4:59522 96.16.53.227:443   ESTABLISHED
 TCP  192.168.1.4:59523 96.16.53.227:443   ESTABLISHED
 TCP  192.168.1.4:53    208.71.44.30:80    ESTABLISHED
 TCP  192.168.1.4:59538 74.125.224.98:80   ESTABLISHED
 TCP  192.168.1.4:59539 74.125.224.98:80   ESTABLISHED

A host sends out an ICMP ECHO REPLY packet. List all of your hypotheses to explain this activity.
Describe the protocol stack of the following packet and the payload. Is the packet legitimate? Why or why not?

0000  00 00 c0 9f a0 97 00 a0 cc 3b bf fa 08 00 45 10   .........;....E.
0010  00 89 46 44 40 00 40 06 72 c7 c0 a8 00 02 c0 a8   ..FD@.@.r.......
0020  00 01 06 0e 00 17 99 c5 a1 54 17 f1 63 84 80 18   .........T..c...
0030  7d 78 cc 93 00 00 01 01 08 0a 00 9c 27 34 00 25   }x..........'4.%
0040  a6 2c ff fa 20 00 39 36 30 30 2c 39 36 30 30 ff   .,.. .9600,9600.
0050  f0 ff fa 23 00 62 61 6d 2e 7a 69 6e 67 2e 6f 72   ...#.bam.zing.or
0060  67 3a 30 2e 30 ff f0 ff fa 27 00 00 44 49 53 50   g:0.0....'..DISP
0070  4c 41 59 01 62 61 6d 2e 7a 69 6e 67 2e 6f 72 67   LAY.bam.zing.org
0080  3a 30 2e 30 ff f0 ff fa 18 00 78 74 65 72 6d 2d   :0.0......xterm-
0090  63 6f 6c 6f 72 ff f0                              color..

What type of encoding is used in this example: aGVsbG8gd29ybGQNCg==
Who do you turn to most on technical questions?

You didn’t expect the 20th question to be here did you? You should expect the unexpected by now.

Protect All Information Completely? Expect Exploitation Instead

By Sergio Caltagirone

On March 22, 2012

In Defense, Strategy

Packet Pushers recently published an opinion titled “Pill-Chomping Hackers and Security Whack-a-Mole.” There are several very good points.

All information about a target is a potential vulnerability

Information is helplessly entangled and one piece of innocuous information can lead to other pieces of critical information

Information is only as secure as those protecting it

There is one point worth re-iterating: when you share your data (whether it is your social security number at a medical office or your credit card number at a restaurant) it is only as secure as the security of those holding it. In essence, both organizational and personal security must expand the boundaries to include anywhere their information is held.

However, there is one point I would like to argue, the implication that all data must be secured because it is a vulnerability. It is not possible to protect all data equally. A data owner must place different values on different datum and protected it appropriately.

Second, hiding all of your most critical data using in the most secure method still does guarantee security. Instead of attempting to build the best security controls and assume they work, it is better to protect your data as well as possible and then assume you will be exploited.

Don’t just protect the data, one must watch for signs of exploitation and prevent further exploitation. In the case of a social security number in the real-world, if one assumes the theft and misuse of the number then it is best to watch for further misuse (e.g. unauthorized new lines of credit being opened, activity on credit cards, etc.).

Furthermore, reduce loss. If at all possible, make sure that any compromise is as insignificant as possible. In the real-world, it is best to reduce password re-use so that if a password to one application or website is compromised, not all of your passwords have been compromised.

Yes, protect your data as best as you can, but assume it adversaries are out to exploit you – and they will be successful.

Death by a Thousand Cuts: Proliferation, The Biggest Cyber Threat

By Sergio Caltagirone

On March 18, 2012

In Capability

The cyber community is always teaming with conversations about the newest/greatest threats, exploits, or malware. Who remembers the Morris Worm? Nobody but students of computer security and computing historians. The sendmail and fingerd exploits were long patched and RFC 1135 written to memorialize the event. Today, the Boston Museum of Science displays the Morris Worm source code stored on a floppy disk. Over the last year it has been Stuxnet.

Outsiders, and even insiders, think that we are only one exploit/worm/virus away from total destruction. However, any single rational-actor adversary with a capability, even an advanced and dangerous capability, is relatively limited in their damage potential.

The biggest cyber threat is not any one particular capability or vulnerability, but rather that we will die a death by a thousand cuts. The biggest threat to the global network is the proliferation of offensive cyber tradecraft in the hands of many capable actors.

U.S. General Accounting Office put the total damages of the Morris Worm at $100K – $10M. This is small compared to the estimated $5.5B in worldwide damages caused by the ILOVEYOU worm in 2000. Yet, the tradecraft of self-replicating computer code began with the Morris Worm and proliferated into the ILOVEYOU worm 12 years later.

The danger with Stuxnet is not the worm itself, it is that others will learn tradecraft from Stuxnet such as more advanced malware droppers, the targeting of industrial control systems (e.g. SCADA), and better obfuscation techniques. In total, Stuxnet will make networks harder to protect for years to come and in the meantime Stuxnet will be a museum display.

Hacker Motivations or Hackers Need To Eat Too

By Sergio Caltagirone

On March 17, 2012

In Analysis

New research appears to raise questions over the conventional wisdom that pure nation-state cyberspies rarely, if ever, dabble in traditional financial cybercrime. – “Cybercriminal By Day, Cyber Spy By Night?” in Dark Reading on 1 March 2012

Dark Reading (@darkreading) wrote from the RSA 2012 conference of an intriguing analytic correlation made by the Dell SecureWorks Counter Threat Unit between the RSA attackers and cyber financial crimes.

The article is interesting in two ways. First, it showcases some good analytic tradecraft correlating seemingly independent activities through adversary personas and infrastructure (in this case domain name registration). Second, it asks the question: can a hacker be both a spy and cyber criminal?

The fact that an adversary will be using their skills for two purposes supposedly challenges “conventional wisdom.” Normally, intrusion analysts work towards identifying the motivation of the hacker/attacker to gauge the best response (hopefully) and potentially offer clues to attribution. There are many “conventional” terms we use to describe “hacker motivations”: script kiddies, espionage, hacktivism, black/white hat, etc. (see McAfee’s 7 Types of Hacker Motivations).

However, we often look too much towards our technical understanding and fail to acknowledge basic human motivations: safety, physiological needs (water, shelter, food, etc), love, esteem, and self-actualization [see “A Theory of Human Motivation” by Abraham Maslow or a summary of Motivations on Wikipedia].

Hackers, as all humans, are not above the basic motivations which include greed. This would be a very simple hypothesis of why a cyber espionage actor would turn to cyber crime – for financial gain. Maybe they were not being paid enough in their espionage job and “honeymoon” as cyber criminals, or they were simply contractors to multiple customers (a state vs. a criminal organization). Money is a highly motivating factor.

I use the case of the “Wiley Hacker” by Cliff Stoll (on the Reading List) while teaching to highlight that a hacker working day-in-and-day-out needs to eat, live, and provide for the most basic human motivations. Therefore, it is perfectly reasonable to ask: if they are hacking all day/every day, how are they providing for these motivations? Is somebody paying them to hack? Are they living in their parents’ basement? Do they have a trust fund? All of these are perfectly reasonable hypotheses with varying degrees of likelihood. But they all lead to other questions of attribution and higher motivation.

If, in fact, “conventional wisdom” is that espionage actors are not motivated by money to use their skills in other endeavors, an even more fundamental understanding of human motivation contradicts that wisdom. “Conventional wisdom” is simply another term for analytic assumption and this again highlights that analytic assumptions easily cloud judgement.

A New Security Accounting or How to Win Against a Formidable Adversary

By Sergio Caltagirone

On March 6, 2012

In Defense, Doctrine and Policy, Strategy

Many intrusion analysts are constantly plagued by a nagging thought that we are fighting a losing battle. The problem only gets worse, it never seems to get better. There are only more hackers, more damage, more vulnerabilities, more exploits, more toolkits, etc. Everyday we feel overwhelmed and under-resourced.

This feeling is not wrong. Our instinct is correct. We are fighting a losing battle. There are many more adversaries than there are network defenders. The adversary needs only one vulnerability, one exposure, or one exploit to win – while we need to find and patch all the vulnerabilities and exposures and prevent all exploits to just stay even. We have already lost before even playing the game.

To win this battle, or bring it to a draw, we must initiate a new security accounting. We must change our thinking.

First, we must accept loss. We must understand that we will be penetrated and exploited. We must focus on early detection, discovery, and the minimization of loss/mitigation. We must not count every intrusion as a failure. This is a game to be played over decades, not days.

Second, we must be truthful with ourselves and then truthful with others. No more counting scans detected by the firewall as “millions of blocked intrusions.”

Third, we must stop accounting for security in terms of money/resources we have spent to secure ourselves. It is a self-centered and foolish accounting. We must start focusing on how much did we force the adversary to spend in money/resources to exploit our network – what was their $ per Megabyte of data stolen. The larger we make that ratio the more secure we become: (1) we will reduce the number of adversaries operating against us because only the most resourced will be able to gain any profit from their operations, (2) we will reduce the effectiveness of the adversaries which do operate against us by increasing their costs and decreasing their gains.

Some may say that this is a losing proposition. What about the adversary willing to spend $10 million to exploit my network and steal my intellectual property, but I can only spend $1 million to protect it? You’re screwed. The adversary obviously values your data more than you. The only hope is to band together with other targets/victims to combine your forces in the hopes of creating parity with the adversary.

An analogy: if one country is willing to spend billions to create a military to defeat another country, and the target country cannot even spend millions in defense – they will likely lose. Their only hope is to create an alliance with other countries in the hope of (1) creating an effective combined force to battle their adversary or (2) being able to pull other handles (e.g. trade/economics/etc) costing the hostile country enough to make the attack worthless.

In the end, it comes down to a relationship built on value. As long as the adversary is making a profit (however that is defined) there is no incentive for them to stop.

There are two types of victims: victims of opportunity and victims of interest.

Victims of opportunity are victims because they were available to the adversary at the right time but possess little value. If the adversary was to lose access they would likely not notice. These organizations can utilize standard security practices to protect themselves reducing their likelihood of becoming a victim. Example: a home computer infected with a botnet.

Victims of interest are victims because they possess great value to the adversary. If the adversary were to lose access to the victim it would be noticed, and the adversary would spend resources regaining access and maintaining that access. The adversary will not stop victimizing the organization until the relationship between adversary and victim changes and the victim no longer provides enough benefit to justify the cost of exploitation. Example: Advanced Persistent Threats.

Therefore, a security strategy must be based on the adversary/victim relationship. The only way to win against a formidable adversary, one in a considerably better position than yourself, is to make it too costly for them to wage war. (NOTE: the cost will be different for each adversary, some may be sensitive to finance while others might be sensitive to jail/loss of freedom, etc.)

The Art of Intrusion Analysis and Incident Response

By Sergio Caltagirone

On March 2, 2012

In Analysis, Discovery

“In every block of marble I see a statue as plain as though it stood before me, shaped and perfect in attitude and action. I have only to hew away the rough walls that imprison the lovely apparition to reveal it to the other eyes as mine see it.” Michelangelo (1476-1564)

Michelanglo was once asked how he came to carve such a beautiful statue of an Angel in the Basilica of San Domenico. His response is seen above.

I have many times expressed that intrusion analysis and incident response is more art than science. Expertise lies with experience rather than book knowledge and gut instinct is invaluable and as likely correct as an educated guess.

I then wondered: if Intrusion Analysis is an art, to which art should it compared?

I recalled this, one of my favorite artistic quotes, and how aptly it applies to the domain of intrusion discovery and analysis.

In many ways, the answers we analysts seek is in the data. It only requires us to “hew away the rough walls” of the unimportant data revealing the activity of interest.

I teach many new analysts that to find the new and unknown you must distinguish the old and known, remove that, and you are left with what you are seeking.

Analysts Should Expect the Unexpected

By Sergio Caltagirone

On March 1, 2012

In Analysis

Diocyde tweeted a good but older (2009) article about hiding malicious executable code (malware) in the Windows Registry: Malware IN the Registry a.k.a. if it can’t be Done, Why Am I Looking At it?

The post is a good description of what almost all incident responders/intrusion analysts encounter regularly: Is that right? How could that be? Hey [analyst sitting in the next cubicle] is this what I think it is?

After 9 years of intrusion analysis in various organizations, I can say that this happens to me very regularly. Now, I expect the unexpected. Not much surprises me any longer.

However, it is fun to watch a new analyst come upon these things and me, nonchalantly, describe what they are seeing and how cool it is. They are always astonished at the tactics of the adversaries and the lengths to which they will go.

While we should always expect the unexpected, we should never lose our respect for the adversary and their ability to find new ways to astound and confound us. For when we lose that, we blind ourselves.