
Are You a Target? Q & A with Mandiant CTO David Merkel

David Merkel, CTO of Mandiant, a security company that specializes in incident response technology and services, talks about what he is seeing in targeted attacks, why they are effective and some basic ways organizations great and small can improve their ability to respond.

NR: Does advanced persistent threat (APT) really represent something new, or is it mostly hype?

Merkel: We’re talking about it more, but it’s not new; Kevin Mandia, our CEO, has been dealing with it for nigh unto a decade. It’s just more visible. It was initially the province of government and defense industrial base companies, but what brought it into the public eye was Aurora in early 2010, and the fact that Google was fairly straightforward in talking about the situation. That really raised awareness; right after that the vendor advertising machine started up and the market got very crowded with APT messages.

That being said, here’s what we see that is new: We had historically seen a lot of government-defense industrial base focus; what we’ve seen through the years – year over year in 2008-9-10-now – is that the number of other commercial entities that are targeted by the same threat groups using the same techniques is increasing. By commercial, I mean non-defense industrial base; you look at a company and say, that has nothing to do with planes, bombs, tanks; why the heck is that happening? It all comes down to international trade, business, resources. Those kinds of things that are issues of large-scale, country economic impact seem to be areas of interest. That continues to be very prevalent.

NR: But, aren’t most attacks targets of opportunity?

Merkel: All I can comment on is what we see; we’re not under the delusion that we are some accurate proxy for the world view. I am sure there are still plenty of criminal enterprises that operate under a broad range of targets of opportunity, but we still see a preponderance of targeted attacks in which a particular threat actor has a specific set of companies they want to compromise, and focus very much on that activity. But there could be other companies that tend to get different types of investigations and probably have a different world view because of how they market their expertise, so we probably end up selecting from different sets of clientele with different problems; therefore, the data we have at hand is different.

NR: Fair enough. So from what you are seeing, what are the bad guys after?

Merkel: It depends on who the actor is. APT actors are all intel-based. They care about the business intelligence; they are not stealing financial instruments. It’s everything that may be considered national interest; you’re talking about weapons systems and things of that nature, to business dealings in China. There’s no question there is still very healthy criminal trade focused on financial instruments, ACH networks, credit cards, but it’s hard for me to say what’s more prevalent. From our seat in the theater we see a lot of each. We see tons of APT, but that has a lot to do with our position in the industry and our expertise.

NR: Do smaller organizations have to worry about APT?

Merkel: The tail on defense industrial companies is a long tail. There are a lot of 500, 1,000, 2,000 node network infrastructures in small DIB companies that are further down the supply chain. They are just as actively targeted by advanced threats like APT as anyone else, because the stuff they are making is interesting in some intelligence context.

NR: What are attackers doing better than they did a year or two ago? Is it a matter of more sophisticated attacks, or is something else going on?

Merkel: In my opinion, it’s not new technical techniques that are making attackers more successful. It’s the aggression of the attacker, the persistence of the attacker and the adherence to process that they exercise relentlessly that is making them successful. There’s cool new kung fu being practiced, but what scares me is when the cool new stuff is being commoditized and put into that really interesting, dedicated process. Then it gets really dangerous and scary.

NR: Please explain what you mean by dedicated process.

Merkel: One thing we have seen on the targeted attack side that is kind of interesting is managing a social engineering campaign. It’s like managing a marketing campaign. If you are phishing credentials, it’s a communication that you want a result from. You have a population of targets you want to work through. So you start with an initial communication, shoot it out, measure response and adjust it. Then, again, shoot it out and measure response and adjust. I’m struck with the parallels between that and managing marketing campaigns. It’s just operationally well executed. It looks like a business, but the goal isn’t a page view but a compromised asset.

NR: Aside from buying Mandiant incident response products and/or services, for an organization that may have very little in the way of response resources, what is some of the very basic blocking and tackling that will help in terms of IR?

Merkel: Start with a little psychotherapy: Say to yourself, “I will be breached,” and believe it. Start with getting that cognizance in the right levels of the organization, so you can get the conversation going about what we will do when this happens, as opposed to what we are going to do if this happens. If you come to that realization you are already way better off, even if you do nothing else.

Next, take a look at your processes for dealing with that. It’s very similar to a business continuity or disaster recovery drill; you’re thinking about a contingency that has a super high probability of happening. So, at least talk about what you are going to do: Who are the stakeholders? Who do you need to coordinate with? Do you at least have a playbook, so you’re not vapor-locked, standing still, making decisions in the moment? If you’re not going to invest a lot of time and money in true preparedness, you might make a small investment, if you don’t have incident response expertise, to at least have a third party help you with a plan and assess your capabilities, so you know what they are and can let your stakeholders know what they are. Then, if something bad happens, everyone knows what you can and can’t do and what you need to do to augment your program with outside parties.

NR: Before we wrap up, I have to ask you about Stuxnet. Was it a fluke – a very special case using very special resources against a very specific target? Should I be worried about this kind of thing? Should critical infrastructure be worried?

Merkel: Let’s hypothesize that Stuxnet was state sponsored. I’m not necessarily saying it was, but how does your security budget stack up to that of a nation state? That’s a tough thing to sit and tell people, “Yep, you should be planning on dealing with that.” For a long time Kevin Mandia was saying, “Look, I’m less worried about attacks on controllers, not that they are not possible on SCADA systems, etc., but because the U.S.’s response would be kinetic, not cyber. What’s the defense department’s official stance on cyber attacks on the U.S.? War. We’ll drop bombs on you.”

There’s a certain class of problem that I don’t know if it’s worth spending time and energy on. That doesn’t mean you should completely ignore it. You should still look at fundamental practices that can impact something like that. For example, if you choose to have your control network fully disconnected, make sure it is fully disconnected. How do you get data from high side to low side? Do you allow that data to transit? Those are the sort of policies and controls you can be thinking about.

Worrying too much about trying to counter all potential targeted attacks could be a lot of energy and effort, and you would still have a problem if a nation state decided it was coming in.

Renewed Interest in DDoS Brings New Tech to Market

Distributed denial-of-service (DDoS) attacks have always been more or less on the periphery of security concerns: important, even critical, for government agencies, much less so for most enterprises. The wave of attacks that brought down sites including Amazon, Yahoo and eBay in 2001 caused quite a stir then, but the concern receded. As Internet attacks moved from sheer nastiness and digital vandalism to highly organized and increasingly sophisticated criminal activity, security efforts have been focused on things like detecting and stopping malware, Web application attacks, and information leakage.

DDoS seems to be moving up the charts, and we’re seeing some activity in the security market to reflect the change. It’s not the Whitey Bulger of cybercrime on the Most Wanted List, but it’s worth taking note. A couple of the leading names among anti-DDoS vendors, Arbor Networks and Corero (formerly Top Layer Networks), have each announced new DDoS prevention/mitigation appliances. Interestingly, the target market is the enterprise, not carriers and ISPs, which use this kind of technology to throttle potential massive network-based attacks aimed at bringing down their downstream clients.

The key here is the emergence of application- or connection-based attacks, which are typically aimed at the application on the Web server. The aim is not to overwhelm the network with a SYN flood or similar method to saturate bandwidth, but to overwhelm the target application. This type of attack cannot be detected by more traditional network-based technology, because it doesn’t take up an inordinate amount of bandwidth. The anti-DDoS appliance must sit inline and inspect incoming traffic, responding by blocking or throttling selected traffic.
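The difference between the two signals described above, as an added example (not code from the article or from either vendor): a bandwidth-only view of constructed access-log traffic never notices a low-volume application-layer flood, while a per-client count of requests to costly endpoints catches it. The log layout, the list of expensive paths and the thresholds are assumptions.

```python
import re
from collections import defaultdict
# Combined-log-format parser (standard Apache/nginx style line layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)
# Assumption: these paths reach the application/database tier and are costly per request.
EXPENSIVE_PREFIXES = ("/search", "/login", "/report")

# Constructed sample traffic for one 60-second window (not from the article):
# 203.0.113.10 hammers the search endpoint with tiny requests (application-layer flood),
# 198.51.100.7 pulls one large file (high bandwidth, single legitimate request),
# 192.0.2.5 is an ordinary visitor.
SAMPLE_LOG = [
    f'203.0.113.10 - - [15/Jun/2011:10:00:{i % 60:02d} +0000] '
    f'"GET /search?q={i} HTTP/1.1" 200 512'
    for i in range(300)
] + [
    '198.51.100.7 - - [15/Jun/2011:10:00:01 +0000] "GET /downloads/image.iso HTTP/1.1" 200 734003200',
    '192.0.2.5 - - [15/Jun/2011:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.5 - - [15/Jun/2011:10:00:09 +0000] "GET /search?q=hello HTTP/1.1" 200 640',
]

def parse(lines):
    """Yield the parsed fields of every line that matches the log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def bytes_per_source(records):
    """What a volumetric (bandwidth) detector sees: response bytes per client."""
    totals = defaultdict(int)
    for r in records:
        totals[r["ip"]] += int(r["bytes"])
    return dict(totals)

def expensive_requests_per_source(records):
    """What an application-aware detector sees: costly requests per client."""
    counts = defaultdict(int)
    for r in records:
        if r["path"].startswith(EXPENSIVE_PREFIXES):
            counts[r["ip"]] += 1
    return dict(counts)

def classify(lines, window_s=60, mbps_threshold=50.0, request_threshold=100):
    """Return (sources flagged by bandwidth, sources flagged by request rate)."""
    records = list(parse(lines))
    by_bandwidth = {ip for ip, b in bytes_per_source(records).items()
                    if b * 8 / window_s / 1e6 > mbps_threshold}
    by_application = {ip for ip, n in expensive_requests_per_source(records).items()
                      if n > request_threshold}
    return by_bandwidth, by_application
```

On the sample window the bandwidth rule flags only the bulk downloader, while the request-rate rule flags only the flood source; an inline appliance needs the second view to see the attack at all.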

Corero’s announcement of a dedicated anti-DDoS appliance a couple of weeks ago was interesting in that Top Layer was one of the handful of early anti-DDoS vendors, including Arbor, Captus Networks and Mazu Networks (both since acquired), but found a better market opportunity in intrusion prevention, with anti-DDoS as a subset of its security technology. Corero’s announcement of Top Layer DDoS Defense System (DDS) is aimed at the enterprise data center in the expectation that they can sell inline anti-DDoS in the face of application-level attacks that cannot be detected upstream and cannot be mitigated by simply (albeit expensively) purchasing more bandwidth from providers. The DDS appliances, which will be available in Q3, will be optimized to scale for attack traffic, built around a 64-core multiprocessor architecture. Corero continues, of course, to market its Top Layer IPS with the same base anti-DDoS technology.

Corero believes there will be a strong enterprise play in a range of verticals doing business on the Internet, as well as the education market. However, the strongest market will likely continue to be online gaming/gambling, which has been at the heart of DDoS activity over the years, as criminals use denial-of-service threats as a type of protection racket or, in some cases, unscrupulous rival sites try to bring competitors down.

It’s likely that some enterprises will opt for upstream protection to bear the brunt of detecting network-based attacks, either through DDoS mitigation services from companies such as Verisign or Prolexic, or from their providers if they offer similar services. At the same time, they might have inline protection, primarily aimed at application-based DDoS. Corero, in fact, believes they will have customers that use DDS in the data center and cloud-based protection as well.

Competitor Arbor Networks is looking to cover both ends. Arbor’s bread and butter has been its Peakflow line of appliances, aimed at the carrier/ISP market. However, in May they announced the Pravail Availability Protection System (APS) to protect enterprise data centers against application layer DDoS attacks (see my report in Network Computing).

The announcements are geared at capitalizing on a perceived rise in DDoS, whether profit-driven, political, government-sponsored or out of pure spleen. This month, Turkey arrested 32 members of the Anonymous Group following attacks on government websites. In London, a teen was arrested in connection with attacks aimed at taking down the Serious Organized Crime Agency, as well as the DDoS against the International Federation of the Phonographic Industry (IFPI) in November and the British Phonographic Industry (BPI) in October. Last week, DDoS attacks brought down hosting provider Network Solutions.

A recent survey of 225 U.S. IT executives and decision-makers conducted by Verisign revealed that three out of five had experienced at least one DDoS attack. One in nine say their organizations had suffered six or more attacks. Nearly half of those attacked say that their website was down for five or more hours, and just under a quarter of the victim organizations say their sites were down for 12 hours or more.

Security “context” fuels Cisco’s TrustSec initiative

With announcement of its Identity Services Engine (ISE) several years after first laying out its TrustSec vision, Cisco appears to be positioned to deliver on its promise of persistent identity management and access control throughout the extended corporate network.

The central theme of TrustSec 2.0 is around the magic word “context,” which we see recurring throughout contemporary security discussions. Context – in this context ;^ ) – is the ability to create and enforce granular security policies based on:

  • Detailed static information from, say, Active Directory (who is Neil, what AD groups does he belong to, what applications and servers can he use, etc.).
  • Dynamic, session-based information. What device is Neil using (corporate laptop, home PC, iPad, Macbook, Droid); where he is logging in from (inside the firewall; home; an airport or coffee shop hotspot; New York or Beijing; somewhere in the back of a taxi); how (wired, WiFi, 3G); when (regular business hours or 3 a.m. local time – why is Neil accessing the customer database at this hour? Maybe he’s on a business trip to Tokyo, or maybe it’s not really him).
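An added example (not Cisco’s code or TrustSec’s own policy language) of what combining the static and dynamic context listed above can look like as a single access decision: the user’s group membership gates the application, and the session signals decide whether to allow, demand a second factor, or refuse. The group names, device classes, countries and hours are assumed values.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Dynamic, session-level context: the device, network, place and time of a login."""
    user: str
    device: str       # e.g. "corporate-laptop", "home-pc", "ipad", "droid"
    network: str      # "office", "home", "hotspot"
    country: str      # where the login originates, e.g. "US", "CN"
    transport: str    # "wired", "wifi", "3g"
    local_hour: int   # 0-23 in the user's local time

# Constructed directory data standing in for Active Directory group membership (assumption).
AD_GROUPS = {"neil": {"sales", "crm-users"}, "dana": {"engineering"}}
# Static policy: which groups may use which application (hypothetical values).
APP_ACCESS = {"customer-db": {"crm-users"}, "source-repo": {"engineering"}}
MANAGED_DEVICES = {"corporate-laptop"}
EXPECTED_COUNTRIES = {"US"}
BUSINESS_HOURS = range(7, 21)   # 07:00-20:59 local

def decide(session, app):
    """Combine static (AD) and dynamic (session) context into allow / step-up / deny."""
    # Static check first: the user must hold a group entitled to the application.
    if not AD_GROUPS.get(session.user, set()) & APP_ACCESS.get(app, set()):
        return "deny", "user holds no group entitled to " + app
    # Dynamic signals: each one alone only raises the bar; some together block outright.
    signals = []
    if session.device not in MANAGED_DEVICES:
        signals.append("unmanaged device")
    if session.network == "hotspot":
        signals.append("untrusted network")
    if session.country not in EXPECTED_COUNTRIES:
        signals.append("unexpected country")
    if session.local_hour not in BUSINESS_HOURS:
        signals.append("off-hours access")
    if "unmanaged device" in signals and "unexpected country" in signals:
        return "deny", "; ".join(signals)     # too little assurance it is really the user
    if signals:
        return "step-up", "; ".join(signals)  # require a second factor before granting
    return "allow", "context matches the user's normal pattern"
```

Neil on his corporate laptop in the office at 10 a.m. is allowed; the same laptop on a hotspot in Beijing at 3 a.m. gets a step-up challenge; an unmanaged tablet in the same place and hour is refused.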

This notion of context is very powerful and is being brought to bear in a number of security discussions. Tying together application intelligence and identity gives SIEM a far richer information fabric in which to correlate and analyze data, broadening the discussion around what is often called security intelligence, an analog to (some might say a subset of) business intelligence.

We’re seeing the same marriage of application and identity awareness in next-generation firewalls (including Cisco’s), in which the combined firewall/IPS leverages this wealth of information for granular policy and rule formulation and sophisticated detection against increasingly sophisticated attacks. It’s also a factor in areas such as privileged identity management, gateway Web security and Web filtering for security and acceptable use policy enforcement (e.g., controlling employee use of social networks).

Cisco is pushing context at the heart of realizing its “Secure Borderless Networks” initiative, the ability to define and enforce AAA (authentication, authorization and audit) policy based not only on who wants to come on the network but how, where, when, etc. This carries well beyond the more conventional notion of network access control (NAC), which has focused primarily on a variety of gateway enforcement mechanisms to mostly do basic hygiene checks (up-to-date AV, patch levels) for devices seeking network access. For all the talk about NAC on and off in the last few years (largely off lately), it’s still seen primarily as a way to control guest access.

TrustSec takes this to the next level, with tags that embed contextual data in the packet as it moves to and throughout the network, regardless of device or how or where it is transported. Thus, you have persistent, informed access management that can be enforced on the NAC device, on the switch, the router and/or the firewall. Compare this (and Cisco does) to reliance on ACLs, which continue to grow and never shrink, because no one is willing to take the hit when removing an ACL entry disrupts traffic.

TrustSec also supports link layer encryption realized by MACsec (part of the 802.1AE standard) for secure transport across any pipe. It simplifies deployment of 802.1X authentication, which many enterprises advocate but have shied away from because of implementation and management complexity.

ISE is the practical enabler of TrustSec, allowing the centralized creation, distributed enforcement and comprehensive audit of policy throughout the network. It also enables device profiling, so enterprises can know and report on what is on the network at any given time. This isn’t trivial. I’ve spoken to organizations, in fact, that have deployed NAC primarily to know what devices were coming into their network. For example, one healthcare organization wanted to see the personal mobile devices that were gaining access. They were startled to find five times the smart phones (we’re talking tens of thousands of devices) they guesstimated.

The new release, dubbed TrustSec 2.0, also extends TrustSec to WLANs, allowing policy across wired and wireless networks and distributed enforcement throughout the WLAN rather than depending on an inline control device.

ISE also unifies Cisco access control devices into a single appliance, so enterprises can consolidate their deployments and scale efficiently. ISE combines Cisco’s Access Control Server, NAC Profiler, NAC Guest, NAC Manager and NAC Server. The software is backwards compatible, so enterprises can upgrade on existing hardware.

Cisco also announced a TrustSec Planning and Design Service – this isn’t easy stuff, even for large enterprises with a lot of resources. Creating and attempting to enforce policy is difficult and, in some cases, beyond the means of enterprises for conventional internal access to the wired network, let alone this rich but bewilderingly complex maze – this smorgasbord of context – in a world of smartphones and iPads, social media and highly mobile workforces.

If Cisco is indeed providing the technology to enable this type of early 21st century access, the big challenge for enterprises is creating and maintaining complex policies for employees, partners, contractors, etc. that reflect the way their business is actually working.