Always A Bad Day For Adversaries

A New Security Accounting or How to Win Against a Formidable Adversary

Many intrusion analysts are constantly plagued by the nagging thought that we are fighting a losing battle. The problem only gets worse; it never seems to get better. There are only more hackers, more damage, more vulnerabilities, more exploits, more toolkits. Every day we feel overwhelmed and under-resourced.

This feeling is not wrong. Our instinct is correct. We are fighting a losing battle. There are many more adversaries than there are network defenders. The adversary needs only one vulnerability, one exposure, or one exploit to win, while we need to find and patch all the vulnerabilities and exposures and prevent all exploits just to stay even. By that accounting we have already lost before even playing the game.

To win this battle, or bring it to a draw, we must initiate a new security accounting.  We must change our thinking.

First, we must accept loss. We must understand that we will be penetrated and exploited. We must focus on early detection, discovery, and minimization of loss. We must not count every intrusion as a failure. This is a game to be played over decades, not days.

Second, we must be truthful with ourselves and then truthful with others. No more counting scans dropped by the firewall as "millions of blocked intrusions."

Third, we must stop accounting for security in terms of the money and resources we have spent to secure ourselves. That is a self-centered and foolish accounting. We must start measuring how much we force the adversary to spend, in money and resources, to exploit our network: their cost per megabyte of data stolen. The larger we make that ratio, the more secure we become: (1) we reduce the number of adversaries operating against us, because only the best-resourced will be able to profit from their operations, and (2) we reduce the effectiveness of the adversaries who do operate against us, by increasing their costs and decreasing their gains.

Some may say that this is a losing proposition. What about the adversary willing to spend $10 million to exploit my network and steal my intellectual property, when I can only spend $1 million to protect it? You're screwed. The adversary obviously values your data more than you do. The only hope is to band together with other targets and victims and combine your forces, in the hope of reaching parity with the adversary.

An analogy: if one country is willing to spend billions to build a military to defeat another country, and the target country cannot even spend millions on defense, it will likely lose. Its only hope is to form an alliance with other countries, either (1) creating an effective combined force to fight the adversary or (2) pulling other levers (trade, economics, and so on) that cost the hostile country enough to make the attack worthless.

In the end, it comes down to a relationship built on value.  As long as the adversary is making a profit (however that is defined) there is no incentive for them to stop.

There are two types of victims: victims of opportunity and victims of interest.

Victims of opportunity are victims because they were available to the adversary at the right time, but they possess little value. If the adversary lost access, they would likely not notice. These organizations can use standard security practices to protect themselves, reducing their likelihood of becoming a victim. Example: a home computer recruited into a botnet.

Victims of interest are victims because they possess great value to the adversary. If the adversary lost access to the victim, it would be noticed, and the adversary would spend resources regaining and maintaining that access. The adversary will not stop victimizing the organization until the relationship between adversary and victim changes and the victim no longer provides enough benefit to justify the cost of exploitation. Example: the targets of Advanced Persistent Threats.

Therefore, a security strategy must be based on the adversary/victim relationship. The only way to win against a formidable adversary, one in a considerably better position than yourself, is to make it too costly for them to wage war. (NOTE: the cost will be different for each adversary; some may be sensitive to finances while others are sensitive to jail or loss of freedom, and so on.)

Why Malware Numbers Don’t Matter and What it Means for Security Accounting

McAfee recently reported over 75 million new malware samples detected in 2011. This number, while shocking, no longer matters as an absolute value. It also highlights a glaring flaw in network defense philosophy.

First, this number is calculated only from detected hashes. Any change to the binary produces a new, unique hash, so only a small change by the adversary is needed to manufacture a "new" piece of malware. A simple thought experiment: if there were 75 million samples, each differing from the next by a single byte, this method would count 75 million "unique" pieces of malware.

Second, the number alone says nothing about the threat environment. It does not illustrate the attack vectors, vulnerabilities, or exposures used by the malware, nor does it describe the danger or effectiveness of the various samples. Maybe there is only one piece of malware and its 75 million varieties are all harmless. 75 million is then a very large number signifying nothing.

However, it does matter as a relative value showing the number of unique samples over time. For example, in 2007 unique malware samples rose 565% from the previous year [from A Brief History of Malware]. The velocity of unique malware samples detected in the wild (or the slope of the line, if you prefer) is clearly increasing.

Why? Malware authors and operators are exploiting the primary network defense practice: default allow, with a blacklist of known bad. Defenders are still stuck in the "allow all" mind-set: trust everything except code that fails certain tests or exhibits certain behavior. To exploit this mind-set an adversary only has to change their malware enough to bypass the filters (e.g. AntiVirus). As defenders update their blacklists, AntiVirus signatures, and firewall rules, the malware authors make a small change or re-pack and re-deploy the malware, bypassing the new rules and filters.

For an adversary, changing their capability slightly and re-deploying is a relatively inexpensive operation, particularly with pervasive exploit kits such as BlackHole. The cost for the defender to find the new malware, develop a signature, and deploy that signature is comparatively high, leaving the security accounting on the side of the adversary.

To win this battle, the defender must switch to a known-good model, or "deny all with exceptions," also known as the white list. However, as we have seen, this simply adds a new target for the adversary: the white list itself.
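The following simulation is an added example, not code from the original post. It makes the "one byte, one new hash" thought experiment above concrete and then contrasts the two models discussed here: a default-allow blacklist keyed on the sample's SHA-256, and a default-deny whitelist of known-good hashes. The "binaries" are constructed byte strings, not real executables, and the HMAC "seal" over the whitelist, together with the key name and all function names, is a hypothetical illustration of one way to defend the whitelist once it becomes the adversary's target; none of this is from the original page.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Set

# Constructed stand-ins for executables (byte strings, not real binaries).
GOOD_BINARIES: Dict[str, bytes] = {
    "notepad.exe": b"MZ\x90\x00" + b"legit-notepad-code" * 8,
    "calc.exe": b"MZ\x90\x00" + b"legit-calc-code" * 8,
}
ORIGINAL_MALWARE: bytes = b"MZ\x90\x00" + b"evil-dropper-code" * 8


def sha256(data: bytes) -> str:
    """Exact-match hash: the unit that 'unique malware sample' counts rely on."""
    return hashlib.sha256(data).hexdigest()


def one_byte_variants(sample: bytes, n: int, seed: int = 1) -> List[bytes]:
    """Produce n distinct variants that each differ from `sample` by exactly one byte.

    This models the adversary's cheap "change it slightly and re-deploy" move.
    The two-byte MZ signature is left alone so each variant still looks like a PE.
    """
    rng = random.Random(seed)
    seen: Set[bytes] = {sample}
    variants: List[bytes] = []
    while len(variants) < n:
        pos = rng.randrange(2, len(sample))
        new_byte = (sample[pos] + rng.randrange(1, 256)) % 256
        variant = sample[:pos] + bytes([new_byte]) + sample[pos + 1:]
        if variant not in seen:           # guarantee n genuinely different samples
            seen.add(variant)
            variants.append(variant)
    return variants


def count_unique_hashes(samples: List[bytes]) -> int:
    """How a 'N new malware samples' headline number is produced."""
    return len({sha256(s) for s in samples})


def denylist_blocks(sample: bytes, denylist: Set[str]) -> bool:
    """Default allow: block only hashes that are on the list."""
    return sha256(sample) in denylist


def allowlist_blocks(sample: bytes, allowlist: Set[str]) -> bool:
    """Default deny: block every hash that is not on the list."""
    return sha256(sample) not in allowlist


def simulate(n_variants: int = 1000) -> Dict[str, int]:
    """Run one malware family through both models and report the accounting."""
    variants = one_byte_variants(ORIGINAL_MALWARE, n_variants)
    denylist = {sha256(ORIGINAL_MALWARE)}            # today's AV signature
    allowlist = {sha256(b) for b in GOOD_BINARIES.values()}
    return {
        "unique_hashes": count_unique_hashes([ORIGINAL_MALWARE] + variants),
        "denylist_evasions": sum(not denylist_blocks(v, denylist) for v in variants),
        "allowlist_blocks": sum(allowlist_blocks(v, allowlist) for v in variants),
    }


# Assumption for the illustration: a key the endpoint cannot read, held by the defender.
ALLOWLIST_KEY = b"hypothetical-key-held-by-the-defender"


def seal_allowlist(allowlist: Set[str], key: bytes = ALLOWLIST_KEY) -> str:
    """HMAC over the canonical allowlist so silent edits to it are detectable."""
    canonical = "\n".join(sorted(allowlist)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def allowlist_intact(allowlist: Set[str], seal: str, key: bytes = ALLOWLIST_KEY) -> bool:
    return hmac.compare_digest(seal_allowlist(allowlist, key), seal)


def attack_the_allowlist() -> Dict[str, bool]:
    """The adversary's new target: put their own hash on the allowlist."""
    allowlist = {sha256(b) for b in GOOD_BINARIES.values()}
    seal = seal_allowlist(allowlist)
    tampered = allowlist | {sha256(ORIGINAL_MALWARE)}
    return {
        "malware_allowed_after_tamper": not allowlist_blocks(ORIGINAL_MALWARE, tampered),
        "tamper_detected": not allowlist_intact(tampered, seal),
    }


if __name__ == "__main__":
    print(simulate())
    print(attack_the_allowlist())
```

With 1,000 one-byte variants the hash count reads 1,001 "unique" samples, every variant slips past the blacklist that knows only the original, and every variant is stopped by the whitelist, which never had to learn anything about the malware. The last function shows the flip side the post warns about: one added hash turns the whitelist into a pass for the adversary, so the list itself needs the same integrity protection as the code it vouches for.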