Tuesday, May 12, 2015

Why is it a threat to me?

Nothing like starting off the day with a topic that I'm passionate about.  Earlier this morning a colleague asked me to weigh in and give my opinion.  Pre-caffeine induced decisions led to the creation of today's blog post.

To say that there is a divergence when it comes to commercial Threat Intelligence services is like saying the battle on the gridiron between Ohio and that state up north is "just a silly little game."

Threat Intelligence, in the commercial sector, is relatively new.  We hear and see vendors use the terms “intelligence” and “information” interchangeably.  The resulting confusion around precisely what Threat Intelligence is has allowed a number of vendors to loosely define what “Threat Intel” is and how they position their service offerings to potential clients under these ambiguous terms. Often this turns into what I call "a list of bad", and when challenged the vendor responds "Trust me, it's good".

So let’s talk about threats for a minute, currently the most abused and misunderstood word being slung around by vendors.  For a threat to be credible, three dimensions must align:
  • Motive – an adversary wants to do something against you,
  • Means – the adversary has the skills and resources to act against you, and
  • Opportunity – a vulnerability must exist, the proverbial “weakest link” which allows a motivated adversary with adequate means to act against you.
This should come as no shock to anyone, but we have no ability to influence the Motive or Means of an adversary; try as we might, we just can’t do it.  Opportunity, however, is the only one of the three we have any say in or ability to influence.  We had best ensure we are on top of that one, or we could be having a bad day.

Why is this important? Because lacking context, we do not have a clear understanding of the threats that face us.  We must have context and perform some analysis in order to see whether an opportunity exists which would provide an adversary a way in.

Now, I don't want to get off on a rant here… 

Let’s take a look at the recent disclosure of the Microsoft Internet Information Server’s HTTP.sys vulnerability:

Netcraft reports that at least 70 million websites are vulnerable – wow! 70 million websites vulnerable!! Okay, so what does that mean when there are 849,027,856 websites at last count? (Netcraft Web Server Survey April 2015) -- if my pre-caffeine induced mathematical calculations are correct, that's roughly 8.25% of websites.

Now that sounds like a large scary monstrous threat looming out on the horizon, doesn’t it?  HTTP.sys, 70 million websites vulnerable! Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes, the dead rising from the grave, human sacrifice, dogs and cats living together… yup, basically mass hysteria!

This is one of those types of news releases that is going to quickly escalate to leadership.  Leadership is going to act responsibly and start making phone calls to find out the potential impact this “threat” has on our organization.

Well, what if you’re running Apache, lighttpd, nginx, or GWS? Is it still a threat? More importantly, is it a threat “to you?” 

No, no, we’re all good, you assure management. We run the latest and greatest Apache servers.  We don’t have any IIS systems in the environment, let alone connected to the Internet.  We're not impacted, problem solved, all is well in the world again and I can get back to important things, like… you know, metrics, key risk indicators, and other indicator based yummy goodness.

But wait, there's more! Let’s dive a bit deeper into the information available, we may not be off the hook quite yet. 

Well this seems a tad odd, Windows 7, 8, and 8.1? Those are desktop operating systems!?  I don’t know of many people who run a desktop OS as their production Internet facing web server, but hey I've been wrong before.

You know what they say, “the Devil’s in the details”, and here it looks like yes indeed we may have a threat, because we just upgraded from Windows XP and are now running Windows 7 Professional.

Looks like we’re going to have a long night scheduling patches because it appears this is now a credible threat to us after all.
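As an added worked example (not code from the original post), here is the "is it a threat to me?" reasoning above as a small script: an advisory's affected-product list is checked against an asset inventory, first the way the "we only run Apache" answer does it and then the way the second look does, with a reason attached to every hit. The inventory, the advisory record and its affected list (limited to what the post names: IIS, and the desktop versions Windows 7, 8 and 8.1) are all constructed sample data, not a vendor's full advisory.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    os: str
    services: tuple = ()
    internet_facing: bool = False
    patched: bool = False


# Constructed inventory: an Apache/nginx web tier plus the desktops that were
# just upgraded from Windows XP, one of which already has the fix applied.
INVENTORY = [
    Asset("web01", "Ubuntu 14.04", ("apache",), internet_facing=True),
    Asset("web02", "Ubuntu 14.04", ("nginx",), internet_facing=True),
    Asset("win7-fin-01", "Windows 7 Professional"),
    Asset("win81-lab-02", "Windows 8.1"),
    Asset("win7-hr-03", "Windows 7 Professional", patched=True),
]

# Constructed advisory record. The affected list is deliberately limited to what
# the post names; "Windows 8" as a prefix covers both 8 and 8.1.
HTTPSYS_ADVISORY = {
    "name": "HTTP.sys vulnerability",
    "affected_services": {"iis"},
    "affected_os_prefixes": ("Windows 7", "Windows 8"),
}


def headline_check(advisory, inventory):
    """The "we run Apache, we're fine" pass: only asks which web server the
    Internet-facing hosts run. Returns the hosts it would flag."""
    return [a.host for a in inventory
            if a.internet_facing and advisory["affected_services"] & set(a.services)]


def contextual_check(advisory, inventory):
    """The "Devil's in the details" pass: also match the affected OS list, skip
    assets already patched, and explain every match so the answer that goes
    back to leadership carries its reasoning. Internet-facing hits sort first."""
    findings = []
    for a in inventory:
        reasons = []
        hit = advisory["affected_services"] & set(a.services)
        if hit:
            reasons.append("runs " + ", ".join(sorted(hit)))
        if a.os.startswith(advisory["affected_os_prefixes"]):
            reasons.append(f"OS '{a.os}' is in the affected list")
        if not reasons or a.patched:
            continue  # no opportunity here: not affected, or fix already applied
        exposure = "Internet-facing" if a.internet_facing else "internal"
        findings.append((a.host, f"{exposure}; " + "; ".join(reasons)))
    findings.sort(key=lambda f: not f[1].startswith("Internet-facing"))
    return findings


def is_threat_to_me(advisory, inventory):
    """Motive and means belong to the adversary; opportunity is ours, and it
    exists only when at least one unpatched asset actually matches."""
    return bool(contextual_check(advisory, inventory))


if __name__ == "__main__":
    print("headline pass flags:", headline_check(HTTPSYS_ADVISORY, INVENTORY) or "nothing")
    for host, why in contextual_check(HTTPSYS_ADVISORY, INVENTORY):
        print(f"{host}: {why}")
    print("threat to me?", is_threat_to_me(HTTPSYS_ADVISORY, INVENTORY))
```

The headline pass returns nothing for this inventory, while the contextual pass flags the two unpatched Windows 7/8.1 desktops, which is exactly the gap between the first answer to management and the long night of patching.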

And now back to the beginning

So, after all that, we are back to the beginning. I was asked to weigh in on the comment that “Sharing IPs is not Threat Intel Exchange.”  My opinion: this is a true and accurate statement.  The simple act of sharing or possessing raw data does not equate to intelligence. Now, there is still potential value and gain in leveraging raw data (that's another blog post I'm working on), but raw data is not Threat Intelligence.

Just so I'm not misunderstood:  You cannot have intelligence without understanding.  

You can only gain understanding through the process of analysis, in the context of your environment.

Sadly this is not always the case.  What we are seeing are vendors who are pushing IP addresses, domain names, and hashes and calling it (and successfully selling it, I might add) “threat intelligence” – I have to call “BULLSHIT”, predominantly because I have been advised by legal counsel not to use terms like “fraudster”, “charlatan”, “grifter”, “swindler”, “impostor”, “con man”, or “scammer”, but honestly because

Raw data, without context and analysis, IS NOT Threat Intelligence.

If you are a vendor hawking IP addresses, domain names, and hashes as Threat Intelligence and do not offer the context or insight into how the information was analyzed, you're of limited value to me and at best you're another source feed.

Remember $VENDORS, when you start talking threat intelligence, be prepared to answer the question

"Why is it a Threat to me?"

P.S. $VENDORS: Do not use terms or phrases like "proprietary", "exclusive technology", or "our tool says". For the love of all that is holy and sacrosanct, we get that you have a number of sensors all over the globe; we know you're running honeypots to collect the data and running it through a tool of some sort. We want to understand how you went from raw data to Intelligence.

P.P.S. $VENDORS: If you can't answer that question, maybe you should come to one of the upcoming Threat Intelligence training programs @CircleCityCon June 12th in Indianapolis, IN and at ISACA International's upcoming CSX 2015 Summit October 17-18th in Washington DC.

Trust me, it's good. 

Thursday, October 2, 2014

DerbyCon 4.0, getting (Smirnoff) Iced and Sexy Explosions

DerbyCon 4.0 - what more is there than anyone can say?

Well, after a little thought, this is what came to my mind…

Friday Morning Keynote: Entering for the keynote on Friday morning was an amazing sight to see.  I didn't count how many people were there, but if a picture is worth a thousand words, I'm guessing we may have been taxing the "Not to exceed limit" of the Hyatt's capacity.


SATURDAY GRINDER GIRLS & INFECTED MUSHROOM: I survived. Having been given the opportunity to present to one's peers and colleagues is one of the greatest opportunities an individual can be given.  To have a near packed room at 9am on a Sunday following Infected Mushroom, all I can say is WOW!! This Iowa farm boy was greatly humbled by the fact that so many were willing to fight off con fatigue to come hear me share my experiences and ramble on.

GETTING ICED:  I learned that you should ALWAYS check that your presentation is ready to go -- a slight issue with formatting won me one of these shortly after 9am:

I learned not to taunt the DerbyCon staff, as my comment of "Well that wasn't so bad" earned me another one of these:

It probably made for a more interesting presentation, and a little tongue-twisting stumbling to boot, as I'm typically a teetotaler (I drink very infrequently and even then, only around those I'm comfortable with).

It was captured that @Jack_Daniel, the original Information Security Curmudgeon, and I, the Jaded InfoSec Pro, do actually have moments of happiness and that we actually can and do smile -- then again it could have been the result of being iced during the presentation:

I had a blast. I had the opportunity to see folks with whom I banter on Twitter, IRC and text whom I don't get the opportunity to see outside of the conferences.  While I love the conferences, I don't think I'm the only one who thinks that they seem to pass by so quickly.

FOR THE RECORD: I did not troll @Egyp7 in the restroom about 'the Hacker conference'

HUGS: While I did get my hug from @HackingDave, I did not get the picture of it. I did manage to get awkwardly hugged by @jaysonstreet however :)

Rockabye Baby Awkward Hug

I was able to spend time with a number of folks whom I truly admire, not only for their technical skills, but their being humble and willingness to share their information and invest their time helping others grow.

FAMILY: For me, I was able to shake hands and hug a number of folks who, through their generosity in sharing their time, have helped me learn and become successful. Folks without whom I may have taken an entirely different route.  This is one of the distinct differences I believe makes our community vastly different from most others.

But most importantly, I felt at home with family. I believe that I can say for most of us this does not come without serious implication or consideration. A majority of us spend countless hours advancing our knowledge, skills and talents. We are typically on the road with clients, at conferences or in training, all of which takes away from our families.  Some of us have missed birthdays, anniversaries and spending time with those closest to us.  So to come to DerbyCon and have an immediate sense of belonging can be a little overwhelming.

To everyone who made it to DerbyCon, the families, the staff, my fellow attendees and presenters, and especially the folks supporting us at the Hyatt -- you have made an Iowa Farm Boy feel not only at home, but have also reminded me of why we do what we do and why, in the face of disparity and moments of being jaded, it is important to keep up the good fight; at the end of the day what I realized was "We don't give up on family, because family never gives up on us."

Sexy Explosions: Open Source Threat Intelligence - Building a Threat Intelligence Program using Open Source Tools and Public Sources was the original name of my presentation.  According to some in my family that was a BLAND title compared to some of the other talks at DerbyCon this year.  @HaxortheMatrix suggested "Sexy Explosions" - so I opted to adapt and make it such.

Now, I don't know if it was technical difficulties or a result of a couple of wayward Smirnoff Ices, but there were a few issues.  As a result, I'm in the process of converting and posting a copy that isn't technically challenged.

If you have any comments, ideas, free time, spare unsweet Iced Tea (NOT SMIRNOFF) or just want to help out, please don't hesitate to reach out to me and let me know.

Tuesday, August 26, 2014

DerbyCon 4.0 - "Family Rootz"

So this last week I was notified that I was accepted to speak at DerbyCon 4.0 - talk about diametrically opposed emotions.  I am excited and humbled at the same time for being accepted to present.

The reality of being accepted has set in and I've had the opportunity to share with those outside the industry what an honor it is to be accepted to publicly present one's efforts and receive the feedback that will ultimately grow the source material.

I had started kicking around the idea several years ago to build out a "business value" capability using a variety of open source tools and sources for identifying Internet borne threats that organizations the world over face on a regular basis, building what I had to (I glue and duct tape, I do not code/develop professionally) to bridge where needed.  What I've ended up doing was quite eye opening and (for me) extremely fun.  I've gotten to meet some really cool folks and do some really cool things since I started working on the nuts and bolts of the program as a whole.

While sites like the Norse Live Attack Intelligence or FireEye's Threat Map offer great "eye candy", they do very little beyond introducing you, the practitioner, to additional services to buy. I started this project with the hope of being able to share how to leverage the open source community and how such information can be leveraged and tailored to the individual organization.  In order to be of any value, threat intelligence must be actionable to you/the organization; otherwise it's of limited value and can be a drain on resources.

I'm looking forward to having the opportunity to share what I've put together and gain feedback to make it better.  So, if you are at DerbyCon 4.0 this year, and you attend my presentation, please find me and give me your thoughts and comments.

Monday, August 25, 2014

ISACA 7th Annual Geek Week - The Atlanta Ebola Tour - Post-Mortem

I've survived another Geek Week. More appropriately, I've survived the drive back from Atlanta, GA to Columbus, OH, which was absolutely grueling. I've been very fortunate to have been asked and allowed to continue to share my experiences with fellow ISACA professionals in the New York of the South, or Hotlanta if you prefer.

So this year I had the opportunity to present on two topics, Building an Open Source Threat Intelligence Program and Information Security from a Criminal Perspective. The opportunity to share was amazing and I appreciate all the feedback and questions I've received. We also had the opportunity to hear Frank Abagnale speak and tell the story behind the movie. If you ever get the opportunity to hear him speak, please do.

In addition to rambling on, I was able to sit in on some killer tracks presented this year; most enjoyable were the panel discussion on Vendor Management (lively topic), Web Application Pen Testing by James Edge (@jedge_com), and POS RAM Scraping by Charles Burke (@cburkeinga), who walked through how easy it was to build an application that collected credit cards. Watching the live demo of just how easy it is, I believe, opened some eyes.

I also had the privilege to train the next round of Certified in Risk and Information Systems Control (CRISC) professionals, which covered a two day review. This class was absolutely awesome to teach, share and overall engage with. It is always great to hear someone say "Before I sat for the class, I was just going to sit for my CPEs -- now I want to take the exam".

What I was unable to do was ensure that I got the presentations to the appropriate folks; this is in part due to the fact that the presentations were highly animated and rather large in file size. I'm currently working on getting the presentations converted into something smaller that folks can download directly.
Additionally, the following will take you to the content of this year's Geek Week 2014 Conference Presentations Available for Download for those of you who attended.

So I made it back to Columbus, Ohio for a day before I was back on the road (or rather in the air) heading back to a client site in Rochester, Minnesota. FYI, all the stories that Garrison Keillor shares about Lake Wobegon - absolutely true. If you want to know what it's like here, I urge you to check out http://prairiehome.org and listen to their weekly podcasts.

So, upon arrival to the Twin Cities (no direct flight from Columbus to Rochester) and while I was waiting on my partner to arrive, I noticed something that got me giggling like mad - another instance of PCI Security Theatre (sigh). 250XP if anyone can tell me what is wrong with these pictures?

Alright, time's up folks. For those of you following along with the PCI craze, that should be your retailers, hospitality, service providers, basically anyone that TAKES A CREDIT CARD: PCI DSS requirement 9.1.2 says "Restrict physical access to publicly accessible network jacks." Now, I don't know how this complies with the requirement, and if someone could share that with me, I would greatly appreciate it. But this is my observation of this particular instance (and it could be that it is the ONLY one like this anywhere and I just happened to stumble upon it by the luck of the Irish) being deployed in such a fashion. Next time I have a three hour layover in MSP, I'll have to do some wandering around and take a look.

So what can one do with physical access? One might put something like this into play, not to say ANYONE would ever do this:

This little box, costing a few dollars from your local Menards/Home Depot/Lowes, sits on the wire between the device and the network drop and can listen passively without being discovered logically. This means, outside of a quick unplug and plug of the network cable, one could sit and capture details all day long. With a couple of quick additions (thank you Raspberry Pi & Teensy) you could install it at the drop and then remotely access it via wifi or cellular. But no one would EVER do something like that, right? I need to head off to the lab and see what I can do.

Friday, June 20, 2014

I really am NOT a certified FUD Peddler

Recently I was presenting at a large conference and a sponsoring vendor's sales rep made the comment, in front of peers and friends alike, that I painted a gloomy picture of the state of security in organizations.  When I asked him what he meant, he said "In short, you sell FUD." Being a member of polite society, where it's frowned upon when you begin dunking an offender's head in the community punch bowl, I asked him if he cared to expand on how anything I had spoken on would constitute "FUD". He then informed me that he had "not been able to see the presentation, but knew the type."  -- A note for Sales Reps: "know what you're talking about before you go poking an extremely Jaded Information Security Professional" - just saying.

So how did I respond in this case? I decided the best way was to just "Slay the FUD Dragon!"

That's right - it's time for an accounting, and guess what? Accountability Sucks.  

So I'm going to approach this by dispelling what is "FUD" vs. "What is Really Going On".  The information I'll share and will speak about is not vendor backed, sponsored, endorsed or approved. I definitely know it's not going to be desired by most business leaders who take the stance of "plausible deniability", and I know I'm probably going to upset one or more people.

So what is FUD? Fear, uncertainty and doubt (FUD) is a tactic used in sales, marketing, public relations and general propaganda campaigns. It is used in an attempt to influence others by disseminating negative, dubious or false information.

So let's define these terms to level set the stage and further clarify the definition:

"negative" -- harmful or bad.
"dubious" -- not to be relied upon; suspect.
"false" -- not according with truth or fact; incorrect

Now, for those of you who aren't familiar or who have never attended any of my trainings, presentations or ramblings, I don't sell or endorse any specific technology; I actually tend to remain vendor agnostic.  I do however leverage real world experiences and events from the various projects, consultations and engagements I have been directly involved in.  These are the topics to which I tend to speak on and they are pulled right out of those engagements (names changed to protect those of course).  

So I had this sales rep, who we'll call Jack Weasel, who accused me of promoting FUD.  Jack Weasel actually works for a well known, global Information Technology security company that has had its own share of security issues in the past few years.  He hadn't seen my presentation and was speculating and guessing.  At this particular venue I was presenting on the issues regarding the improper, and often overbearing, emphasis on Compliance versus that of Security, specifically in regards to penetration testing -- not the "we'll run a vulnerability assessment tool against the network" type of penetration testing but the Red Cell/Team mentality -- basically, what the bad guys are doing.  So this included everything from physical intrusion, insertion of specialized equipment, multi-tiered social engineering campaigns, wireless, web application; basically everything short of actually kidnapping an employee and threatening them with bodily harm.

It's what I like to call the business driven pen test, because we're not going after the toxic data that is regulated right off the bat.  We're going to get a way in, pivot around your environment, start siphoning off intellectual property, sales information like customer databases, statements of work, contracts, board minutes; basically everything that makes your business unique and valuable, long before going after the commodity information like credit cards.  By the time we're siphoning off the credit card or personally identifiable information, we've already established command and control of the network.

Now, while I agree this sounds "spooky", "scary" or even a little "FUDish", let's keep things in context and perspective -- the purpose of information security is to protect information, specifically yours and that of your customers.  If you throw up the FUD flag, it's probably because you're concerned that things are not as "secure" as you would like, but here is the flip side of that coin.  If you don't address it, it will not go away.  Ignoring a problem didn't work when you were a child and it sure as hell doesn't work when you're responsible for a business.

This is not Internet reality

I hate to be the bearer of bad news, but the Internet is not made up of rainbows, unicorns and fluffy bunnies. The Internet is full of criminals that operate like a business; they have their own forms of currency, everything from cold hard cash, to bitcoin, to your enterprise's systems that they can whore out and make a buck on.

If you disagree, then by all means, voice it.  I don't know everything, but I have a lot of experience and exposure within the Information Security industry. I thrive on debate and discussion (along with large amounts of un-sweet iced tea and nicotine), as long as it remains professional.