Saturday, June 22, 2013

Red Sky Weekly: Welcome to the new normal.

A few weeks ago my new VW Touareg broke down in the parking lot of the dealer as I drove it in for an unexpected service. As it turns out, the thing stalled, once in traffic and once in the parking lot because of a bum fuel pump. Evidently the fuel pump in today’s new high tech cars are located inside the tank, thus leaving me driving a Passat for two days while the dealer dug out and replaced the pump. In the end, the car, with new pump, runs great, but the dealer never re-calibrated the fuel gage. So now, even when the pump handle clicks and the tank will take no more, the needle on the fuel gauge lands just over three quarters --annoying the hell out of me.  How exactly does a fuel pump in a relatively new car go bad? Why would the needle not be recalibrated? Why is it that tires get over-inflated during routine VW service (they did, and the rear tires were badly worn as a result!). I’ve come to a conclusion...  today’s automotive technicians just don’t all have the education and/or experience --or attention to detail, to deal with the new technologies that are embedded in today’s cars! Not only did they need two days to find a guy who could actually do the job, the guy never took the last step and recalibrated my gas gauge! Education or lazy? Maybe both.
Why am I talking about cars? Because there’s a concerning parallel between these guys and CIOs and CISOs.
Targeted distributed denial of service, cyber corporate espionage, and computers as a [competitive] weapon in the corporate landscape... Welcome to the new normal.
You see, we just wrapped our quarterly threat day at Arbor Networks. The presentations were OUTSTANDING. The first was about routinizing APT Incident Response, followed Anatomy of APT Attacks, DDoS Malware Analysis and Attribution, Rooting and backdooring Android Mobiles (and other cool stuff!), and finally, a Threat Brief from one of our most active members... and you know what conclusion I came to? If you’re an IT worker or an Infosec pro, and you’re not talking about this stuff, learning lessons from others, sharing information, and CONSTANTLY seeking updated gouge; if you’re not analytically curious and actively scratching that itch, you’re being left behind --and fast. --Education. motivation, and high levels of situational awareness are all required to live in today’s changing cyber landscape.
I feel pretty confident in my understanding of the current cyber environment. This by no means is a complete picture, nor that of the incident responder that I used to be, but I understand what it means to know that there isn’t a CISO out there that’s going to keep up with the crop of determined attackers that we all face today. Botnets with names I’ve never heard before; DDoS networks rented by the hour; sleepers living in your networks waiting for the right trigger before they begin connecting home. And past defenses, while still required, are becoming less and less effective against these new attackers, attacks, and threats. I dare say, don’t give up your antivirus or firewalls just yet --they’re required to keep the old stuff out. Code Red and Nimda are still out there and will infect your network if you’re using old versions of IIS or Internet Explorer, but at the same time, you need to build on that foundation. Agility in defense, the ability to capture and act on intelligence sources and indicators of compromise learned from others, having your gamebooks built, practiced and ready to go --your incident response team should never have to think about what to do next during an event.
The risk is real:
  • Cyber is real. Southwest Airlines was on WMUR this morning for a stand-down related to a computer glitch. Even if not malicious, a “computer glitch” caused the temporary shutdown of Southwest Air! What would it take for an attacker to create such a “glitch”?
  • During the Gartner event two weeks ago, I sat through a talk on HIPAA --our private information in medical records. An analyst told us that out of 60 sampled healthcare providers, 59 had HIPAA computer related privacy violations!
  • Systemic risks against our banking/financial environments are VERY real. With Managed Service Providers handling the IT for smaller banks using standard images, common gateways, and shared virtual servers, even one small targeted event has the ability to affect thousands of banks --all at one time.
  • Attacks targeting less sophisticated companies in the supply chain are being targeted for access to critical components. Heck, we did it during WWII. Remember bombing ball bearing companies? We did this to keep our adversary from building new airplanes. I pass a ball bearing company in NH at least once a week. They produce miniature and precision ball bearings, and are owned by a larger ball bearing company in California. The company boasts 1400 employees, but I can’t find a CISO in their website. I’m hoping he’s just shy.
  • HHS last week issued a report saying that 60% of small businesses that suffer a cyber event will be out of business in six months. Why? These companies will have no idea what hit them. Nor will will they know how to respond.
We issued Fusion Report 17 this week. FR13-017 offered an analysis of a piece of malware that is only detected by five out 45 antivirus vendors. It was picked up and submitted to us by a member who found it without AV and submitted the sample for our review. We authored the analysis, and passed out a snort signature (to find it early in the kill chain --before infection), a yara rule to help find the file in bulk examination, a look at the jar files used during infection, and the command and control it communicates with as it’s stealing your information or money.
...One report; five different places to protect against it provided in a temporally format.
Is Kill Chain perfect? Our reporting? Not by any means. Does it give you the ability to STOP attacks proactively? Absolutely. And if you can’t instrument your network, FR13-017 gave you four other places in your network where you can stop this tool. Anyone can write an IPS rule --but if you can’t, we did it for you.
You need information. We have it. Private information sharing and intelligence collaboration; Public | Private for those who don’t care as much about the privacy; forensic and lightweight managed security services to help figure out how to move forward in your now untrusted networks.

Until next time,

Have a great week!
Jeff