Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[DeepSec 2014] The Measured CSO – Alex Hutton


The Measured CSO - Alex Hutton

One of the most significant changes technology has wrought over the last decade is the current movement to use data and quantification as a means to better our everyday lives. In both our work life and leisure life, almost no aspect of modern life has escaped our desire to become better using evidence, data, and quantitative methods.

This talk discusses one method to help a Security Department build a better understanding of historically amorphous goals like “effectiveness, efficiency, secure, and risk” using data and models.


Where are we as an industry?

“… when you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the stage of science, whatever the matter may be.” - Lord Kelvin

This is the journey towards knowledge, and therefore security. We are at the point where we can’t talk about risk using high, medium, low. How would your investors feel if your CEO talked about profit as High, medium or low! We need to talk about things in a different way.

CVSS… “I use it every day, and I’m about to bash it!”

Where we’re at with our risk calculations:

  • somewhat random fact gathering
  • interesting, trivial, irrelevant observations
  • little guidance to data gathering

First Mistake: Limiting ourselves

Treating security purely as an engineering issue, i.e. looking at security only as one more piece of the OSI stack.

Second Mistake: Blind leading the blind

Example: mobile malware is trending, so this must be what we focus on. This is the FUD factory at work.

Using the DBIR you can pull out more targeted, industry-specific metrics that speak a lot more to the real threats. In the DBIR, mobile malware accounts for less than 1% of incidents. What we should focus on as an "industry" is not what's hot right now!

Mobile malware does not move the needle in our stats because we focus on organisational security incidents as opposed to consumer device compromise.

We're dealing with complex systems, and you can't make point predictions in a complex system (Friedrich Hayek).

Correlation between CVSSv2 ratings and actual exploitations shows that even the highest rated CVSS vulnerabilities are not that widely exploited.

The measured CSO

The measured CSO must be more like W. E. Deming.

The potential for improving the system is continuous and never ending; there is no perfect system. The only people who know where the opportunities to improve are, are the workers themselves. There are countless ways for the system to go wrong.

Having workers and management speak the same language is important. Having workers record and analyse statistical information helps to improve the system and to evaluate changes easily. Everybody in the system has to be responsible for working towards improvement.

How many of us spend an hour doing statistical analysis on the other 38 hours of work we’ve done!

A measured CSO:

  • Relies on metrics, data, intel for good decisions
  • Invests in improvements to people, process and technology

To provide the best and least-cost security for shareholders, and continuity of employment for his workers

  • We as an industry know that "best" and "least-cost" are not necessarily contradictory
  • We also have a HUGE continuity issue

Extending something like VERIS to incorporate controls data can help a measured CSO understand where they stand. Using MapReduce (Hadoop) this information can be modelled and searched for indicators of compromise (IOCs). The key is enriching the data with as much metadata as possible.

Framework <–> Models <–> Data

The Metrics and models that “defend” against threat patterns

Mobile malware might not be an issue now, but we need to plan, build, and manage to ensure when it is an issue, we have things already in place.

A micromort is a one-in-a-million chance of death; the same unit-of-risk idea can be applied to security.

We’re bad at combining all those metrics… overweight, on drugs, and doing something stupid.

Becoming measured

What does that mean? What do we need?

Most metrics programs are gathering of some information without any context.

A metric is like a lego piece. It has no context until you build something with all the lego pieces you have.

How do you get context?

Goal, Question, Metric (GQM)

  • Execution: Define goals
  • Models: Question how this can be measured
  • Data: Define metrics that answer the question

The measured CSO creates a scorecard of KRIs and KPIs that can be used to evaluate where the organisation currently stands.

Framework for GQM –> NIST CSF (Cyber Security Framework)


[SecTorCA] Reverse Engineering a Web Application – for fun, behavior & WAF Detection

Reverse Engineering a Web Application

For fun, behavior & WAF Detection

by Rodrigo “Sp0oKeR” Montoro (Sucuri Security)

Abstract

Screening HTTP traffic can be something really tricky and attacks to applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing so we started research on a new approach to mitigate the problem. We started with reverse engineering the most popular CMS applications such as Joomla, vBulletin and WordPress, which led to us to creating a way to detect attackers based on whitelist protection in combination with behavior analysis.  Integrating traffic analysis with log correlation has resulted in more than 2500 websites now being protected, generating 2 to 3 million alerts daily with a low false positive rate. In this presentation we will share some of our research, our results and how we have maintained WAF (Web Application Firewall) using very low CPU processes and high detection rates.

The presentation is based on WordPress / NGINX, but the concepts can be applied to any web application / CMS technology. The goal of this talk is to better protect CMSs with better performance (fewer rules is better), while also protecting against new vulnerabilities as they are released/discovered.

Introduction

By reverse engineering common CMSs (in this case WordPress) it is possible to better understand how they work.

WAF Detection (breakdown):

  • Traffic Analysis
  • Application Structural Analysis
  • Behavior

Detection steps

Reverse Engineering Traffic

As we're talking about web applications we're mostly talking about HTTP here. By breaking the traffic down into specific categories (source IP, method, headers, parameters, response codes) it's possible to understand it much better.

Crawling the application

There are various ways to crawl the application from a blackbox perspective (Burp Suite for example). From a whitebox perspective there are various other options, such as listing the files shipped in the application's release tarball.

Looking at requests

By looking at the parameters used by the applications it’s possible to identify parts where an application is only sending numbers or letters as part of the parameter. For example, a name field should not contain numbers. However this could be problematic if you don’t consider edge case situations, like names with special characters.

Looking at the common headers, it's easy to identify header values that must fall within specific whitelists, e.g. the protocol version must be HTTP/1.0 or HTTP/1.1. Anything else is either corrupted data or somebody fiddling with the data being sent.

With wordpress.com, the response contains an x-hacker header saying “if you should read this you should apply for a job…”

Brute-force attacks are on the rise, so if you can, compare users passwords against a list of the top X passwords and inform the user that it’s weak.

Malicious user-agent strings tend to be shorter than legitimate user-agent strings. Legitimate browsers also tend to send a more complete set of request headers (often more than 8), while attack tools send only what they need. You also don't see normal browsers sending HTTP/1.0 requests anymore. Drop these simple things. Checking that all expected parameters are sent is also important: a lot of attackers only send the parameters they need and ignore the others, which can be checked easily enough.

A regular user is also not going to request a whole load of pages that result in a 404. If there are a lot of requests from one source that end in a 404, this looks more like an attack than a normal user's traffic.

Detection

Using a PCAP of real traffic and simple regex matching, it’s possible to test your logic to list what requests would normally be dropped BEFORE implementing something as a rule. You can then tweak the matching logic before going live.

NGINX is meant to be quick, so its configuration language has IF but no ELSE: each check is written as its own IF block.

e.g.

# drop anything that is not GET or POST (444 closes the connection without a response)
if ($request_method !~ ^(GET|POST)$) {
    return 444;
}

WordPress has a lot of files (check the tarball for a full list). So we can slim the exposed surface down a bit by removing things like initial config and setup files. The administration console (/wp-admin) is also something that can either be disabled or restricted to specific source addresses (and ideally put behind 2FA). Core files (wp-includes) are not meant to be externally accessible, and the same goes for PHP execution in uploaded content (wp-content). WordPress also has an XML-RPC interface that allows somebody to perform specific actions (e.g. pingbacks, comments, user authentication, ...). Redirecting it to a honeypot might be an option for you.

<IfModule mod_alias.c>
    Redirect 301 /xmlrpc.php http://honeypot.address
</IfModule>

Lots of brute-forces seen from June 2014 using the xmlrpc.php. Similar rise in traffic seen in the use of xmlrpc.php as a DDoS tool in March 2014. By looking at the logs it’s easy to see spikes where there may be new attacks or new methods being tried out.

To secure things further, deny specific filetypes in directories where you may have user content or data (e.g. uploads, logs, …).

Mitigating the attack surface

Turn off the machine and remove the network cable –> Not really an option

OSSEC for real-time monitoring.

Monitor specific locations for alteration or addition of files to ensure you get visibility on the web application.

Threshold ideas

Too many 404s –> somebody searching the web app

GET/POST per time for same IP source –> automated user hitting the site (not a normal user)

File specific: set files on Linux as immutable (chattr +i; lsattr shows the attribute) so that a compromised web process cannot modify them.

Statistical data

Useful for counter intelligence and to find behaviors, new trends and alerts.

Instead of blocking “user-agent: ABCD”, think about blocking connections from user-agents with < 19 bytes (maybe a few false positives, but less specific).

GEO-IP Blocking –> based on top countries, you could block specific countries if you don’t have business reasons to allow traffic from them. This may change week by week however.

Methods –> If your application only allows GET/POST, then drop everything else

HTTP Version –> If you only accept HTTP/1.1, then drop 1.0 and all malformed versions (stats from Sucuri show 1 million hits a week dropped by this rule alone)
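The heuristics above (method and HTTP-version whitelists, short user-agent strings, too many 404s from one source, and too many requests per time window from one source) are simple enough to test against a log file before turning them into WAF rules, as the talk suggests. The following is an added example written for this page, not Sucuri's code or tooling: it parses nginx "combined" access-log lines and reports which rules each client IP trips. The thresholds, the RFC 5737 addresses and the log lines are constructed for the example; the thresholds in particular are assumptions to be tuned from your own baseline traffic.

```python
"""Run talk-style WAF heuristics over nginx combined-format log lines.
Added example, not Sucuri's code. Thresholds and sample data are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<version>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Illustrative thresholds (assumptions): tune from a PCAP/log baseline before going live.
ALLOWED_METHODS = {"GET", "POST"}      # "if your application only allows GET/POST"
ALLOWED_VERSIONS = {"HTTP/1.1"}        # "drop 1.0 and all malformed versions"
MIN_UA_LEN = 19                        # "user-agents with < 19 bytes"
MAX_404_PER_IP = 5                     # "too many 404s"
MAX_REQ_PER_WINDOW = 20                # "GET/POST per time for same IP source"
WINDOW = timedelta(seconds=60)


def parse(line):
    """Parse one combined-format line; returns a dict or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def per_request_checks(req):
    """Stateless checks on a single request; returns the rule names it trips."""
    hits = []
    if req["method"] not in ALLOWED_METHODS:
        hits.append("method")
    if req["version"] not in ALLOWED_VERSIONS:
        hits.append("http_version")
    if len(req["ua"].encode()) < MIN_UA_LEN:
        hits.append("short_ua")
    return hits


def analyse(lines):
    """Return {ip: set(rule names)} for every IP that trips at least one rule."""
    flagged = defaultdict(set)
    not_found = Counter()
    recent = defaultdict(list)   # per-IP timestamps inside the sliding window
    for line in lines:
        req = parse(line)
        if req is None:
            continue              # malformed line: skip here, alert on it in production
        ip = req["ip"]
        for rule in per_request_checks(req):
            flagged[ip].add(rule)
        if req["status"] == 404:
            not_found[ip] += 1
            if not_found[ip] > MAX_404_PER_IP:
                flagged[ip].add("too_many_404")
        ts = recent[ip]
        ts.append(req["time"])
        while ts and req["time"] - ts[0] > WINDOW:
            ts.pop(0)
        if len(ts) > MAX_REQ_PER_WINDOW:
            flagged[ip].add("rate")
    return dict(flagged)


# Constructed sample traffic (not real data): one browser user, one scanner, one xmlrpc brute-forcer.
def _line(ip, method, path, version, status, ua, t):
    return f'{ip} - - [{t}] "{method} {path} {version}" {status} 512 "-" "{ua}"'

_T = "04/Oct/2014:10:00:%02d +0000"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36")
SAMPLE_LOG = [
    _line("203.0.113.5", "GET", "/", "HTTP/1.1", 200, BROWSER_UA, _T % 0),
    _line("203.0.113.5", "GET", "/wp-content/themes/x/style.css", "HTTP/1.1", 200, BROWSER_UA, _T % 1),
    _line("203.0.113.5", "GET", "/old-post", "HTTP/1.1", 404, BROWSER_UA, _T % 2),
    _line("198.51.100.7", "GET", "/wp-login.php", "HTTP/1.0", 200, "curl/7.35.0", _T % 3),
] + [
    _line("198.51.100.7", "GET", f"/wp-content/uploads/{name}", "HTTP/1.1", 404, "curl/7.35.0", _T % (4 + i))
    for i, name in enumerate(["shell.php", "c99.php", "r57.php", "wso.php", "up.php", "cmd.php"])
] + [
    _line("192.0.2.9", "POST", "/xmlrpc.php", "HTTP/1.1", 200, BROWSER_UA, _T % 10) for _ in range(25)
] + [
    _line("192.0.2.9", "OPTIONS", "/", "HTTP/1.1", 200, BROWSER_UA, _T % 11),
]

if __name__ == "__main__":
    for ip, rules in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, sorted(rules))
```

Running the block prints two offending sources: the scanner trips the HTTP/1.0, short user-agent and 404 rules, the xmlrpc client trips the rate and method rules, and the browser user (including its single 404) is not reported. Replaying a real PCAP or access log through `analyse()` and reviewing what it would have dropped is the step the talk recommends before committing any of these as live NGINX rules.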

Conclusions

This is a constant process, not set it and forget it.

Challenges:

  • Developers
  • plug-ins
  • Bad Code
  • languages

Next steps:

  • Integration with SCAP
  • open source PCAP parser tool
  • build rule-set for CMSs under OWASP banner


[Guest Post] A first-timers view of the “Hacker Summer Camp”

As many people are aware, the big "Hacker Summer Camp" took place again in Las Vegas this August. This get-together describes the occasion of Black Hat, for the business-sponsored InfoSec employee, BSides Las Vegas, for the techies, and DEF CON, which apparently became the object of both types of folks years ago already, and many more little side conventions.

As these types of conferences are usually a big chance to meet all of the friends that you don’t see the rest of the year, attending many talks is never a goal. Especially not, as these days most of the talks are recorded. As for the full lists of recordings, please check the following links:

The DEF CON 22 talks will be published by the speakers on YouTube, or can be bought; some of the slides are also already available here: https://www.defcon.org/html/links/dc-archives/dc-22-archive.html

The Black Hat Talks will show up here: https://www.youtube.com/user/BlackHatOfficialYT

Over the last few weeks many blog posts have already appeared that list personal favourite talks and what the learnings are. For such a reference, check out other European sites like http://www.scip.ch/?labs.20140819 in German or http://blog.csnc.ch/2014/08/blackhat-and-def-con-usa-2014/ in English.

The big topics this year were infections over USB and wireless transmission of signals like the ones that can be read with a HackRF. One topic that isn't completely over yet is hacking of Point of Sale devices. Although they are usually very specific to the country the research originates in, and therefore can't be applied to every vendor or product, they are still interesting and give new hints on what to consider when securing such an infrastructure.

As an outlook, we were informed at the Closing Ceremony of DEF CON that next year DEF CON will be held at the Paris and Bally's. With DEF CON becoming bigger not only in number of attendees but also in space, and seeing the changes that just happened to the German Chaos Communication Congress, I personally like the change. More space can give more ways to be creative.

The CCC has become a very colorful but dizzying experience, which makes it hard for new people to find navigation or orientation in. But CCC, early on, started having villages where like minded people and friends have a “public” space where they can be found and present their stuff. The concept becomes very visible at the hacker camps, where usually even more equipment is brought in and spaces are decorated with lots of creativity and love. DEF CON has also started with the villages, by having for example, Hardware, Social Engineering and Wireless villages. This concept of organized interest groups can be quite a help, if an event becomes too big. I personally also wouldn’t mind seeing more talks in villages, which have smaller audiences but also give the speaker more chance to interact and talk, learn and share information. I always feel sorry for speakers who prepare a talk and only get to hold it once. Presenting a talk several times with slight variations, depending on the target audience, might improve the rate of knowledge exchange and therefore be beneficial for both sides. The big talks still should be held in big rooms of course, but information overflow has become such a big topic, that the concept of split, addressed information might help. If there were more spaces like DEF CON SkyTalks, the chance exists that the quality of the presented information would also improve again.

- Des

Last Hacker Standing… Episode IV: The Last Hope

Just when you thought it was safe to go back into the water…

With the untimely demise of the Network Security Podcast, Martin McKeay (along with Dave Lewis and myself) decided it was time for something new.

In the inaugural podcast, we talk news (straight up, with a twist), alongside our wonderful guest Katie Moussouris from Hacker One.


We’ve tried to add a twist to the usual podcast style of news and interviews… so feedback on the first part of episode IV is always gratefully received!

Look out for part II dropping in a few weeks…