
IDS is dead, long live IDS

BSides Delaware 2015 · 54:36 · 142 views · Published 2015-11

About this talk

BSides Delaware 2015. Speaker: Eric Arnoth. Talk: IDS is dead, long live IDS.

Transcript (en)

The title of my talk is "IDS is dead, long live IDS". My name is Eric Arnoth. I've been in the industry for about 16 years now. For most of those years I've been doing network intrusion detection, among other things in network security, so I have a lot of experience and I've seen a lot of things that I want to share with everyone, to kind of give a picture of what I think is going on in the industry right now and where we need to go as defenders.

For starters, you know, we have a problem, right? And everyone in this scene, I think, knows this pretty well: the attackers have the advantage. And it's always kind of been the case, right? It's just that it's gotten a lot worse lately, and it keeps getting worse with no end in sight. For those of us who work in this industry that's not such a bad thing, but we do want to make it better, right? We do want to close the door and make sure that the attackers can't get in as much as they could, as they have been for a long time now. And you just have to look at what's been going on out there in the world to see what I'm talking about. The media is full of accounts of companies left and right, major companies, getting compromised in massive ways, massive data breaches of epic proportions that 10 years ago would have been inconceivable; that would have been shocking. But it's become business as usual and we're kind of getting numb to it.

So it's important to take a step back and figure out why did it get this bad, and what can we do to fix it. And the answer to a lot of it is that the defenses we relied upon, like intrusion detection, are failing us in a big way, and we need to rethink how we're doing things. At the end of the day, those defenses that we've lived with at the perimeter for years are pretty well ineffective. They don't provide as much value as they used to, you know, when I started in the field back in the late 90s, and their value keeps diminishing over time. At the end of the day, blacklisting as a defensive technology is dying, if it's not dead already. Many of us who have been in the field for a while kind of know that blacklisting isn't very good at defending us, but unfortunately that is the nature of intrusion detection systems: it's a blacklisting system. I'm going to go into a lot of the technical details as to why it's been failing us and what we can maybe do to deal with it.

And in case you don't believe me, this website up here, Information is Beautiful (that URL; the slides will be available and all that), produced a nice infographic that shows the compromises over time. If you notice here, in 2006, 2007, as it scrolls by, there's a lot of white space between the bubbles that depict the compromises that have happened, that were public and pushed out there. The compromises just keep getting bigger, there's less white space between the compromises, and the numbers keep getting bigger. You see some names that you might recognize, like JP Morgan Chase and Anthem and eBay and Target; we probably all recognize these names from what's been in the media. And as you saw from that thing scrolling by, it just got bigger and bigger, and there's no end in sight.

So why, how did this happen? What happened was that about 7 or 8 years ago the threat landscape changed in a really, really bad way. 20 years ago when I first, well, I didn't quite start 20 years ago, but 20 years ago, in the era in which I started this business, it was a very different threat landscape. We were dealing with a lot of server-side vulnerabilities. I started, you

know, installed my first intrusion detection system for the big corporation that I worked for. The drill was always: okay, we've got our services out on the internet, we're worried about protecting our web servers, our DNS servers and all that good stuff, and sooner or later some 0-day announcement was going to drop on Full Disclosure or Bugtraq or what have you, and everyone was going to freak out with their hair on fire, because oh my God, they can break into our web server and they can completely compromise our systems. So we'd run around, we'd try and get patches in, and before we could get the patches in (patches take a long time; we have to go and install them) we'd install signatures on our intrusion detection system, because that was much easier than installing the patches, which took time and effort to patch and test and roll out and all that stuff. So we'd go through the process of getting intrusion detection signatures out there, we'd catch some things as they tried to break in, get the patches in, close the holes, and everything was good. And of course, because it was all server side, where the web server or the DNS server was what was vulnerable, we could take those assets, put them in a DMZ, safely contain them, so that if there was a breach, or maybe when there was a breach, that would be contained to that area. We wouldn't have to worry about the environment because we had firewalls on the inside protecting us. That was the theory.

But about 8 or 9 years ago something changed. Back then I was still doing intrusion detection systems, and we had just installed some latest-and-greatest vendor (the name doesn't matter; they all have this problem). Around that time one of the guys I was working with was in charge of threat intelligence. He was kind of watching the vulnerabilities as they rolled out, keeping an eye on things and making sure the company was responding appropriately. He started asking me, "Hey, what about this vulnerability in Word? And in Adobe?" That's a good question; let me go check with my vendor. Ask the vendor: "Hey, we've got these great signatures for all these server-side vulnerabilities, that's fantastic. What about this one over here for Office, and for the browser?" "Let me get back to you." And so we went through a couple more cycles of that, and very quickly it became apparent that they didn't have a good answer. I'm going to explain why here in a minute. And so attackers did start shifting to using those client-side attacks, which was a sea change, a major seismic shift from what they had been doing up until that time.

So if we look and explore as to why they did it, we'll see what has brought us to where we are today. So why did the attackers start using these? There's a number of reasons. First off, the programs that are written, these are processing large pieces of data, large documents. Anyone ever look at a Word document lately, like how many megabytes in size, right? The request going to a web server can be measured in bytes or kilobytes. The files that are being processed by Word and Adobe and the rest of it easily number in the megabytes, or in the tens of megabytes, or even in the hundreds of megabytes. We're dealing with a massively more complex data structure, and what that translates into is attack surface, because at the end of the day the vulnerabilities that we face every day in our programs are a function of lines of code. So I'm going to point out a study from Mudge, or not a study but a metric cited by Mudge, from his keynote at Black Hat 2011, that pointed out, well, he quoted an IBM statistic that said for every thousand lines of code there's one to five bugs. IBM had figured that out through some study. So every bug, every vulnerability is going to be a bug; not every bug is going to be a vulnerability, and not every

vulnerability will be exploitable. But at the end of the day, when you're dealing with a program like Microsoft Office, which according to Microsoft's own blog has between 25 million and 50 million lines of code, so if we measure attack surface as the number of bugs in a program, and if we're measuring programs by the rough metric of one to five bugs per thousand lines of code, it doesn't really take a lot of math to figure out that there's a massive amount of potential bugs that could be in that program. And it's not just Office, right? It's browsers, it is the Adobe readers, it is QuickTime, it is iTunes, it is your font libraries, it is your graphics library; pretty much any code that processes data that you get from the Internet is now a potential target.

And the other wrinkle to this, which is a really sweet one for the attackers, is: we have all our assets like web servers and DNS servers locked up in DMZs, that's great. Where do our desktops sit? They sit inside the LAN, right? Deep inside, no firewall protection between them and any other asset in the corporation or in the organization you're protecting. All the servers are wide open, because at the end of the day internal network security is really hard to do. Segmented network security, maybe some organizations can manage it, but as soon as you start scaling beyond a minimal size it becomes cost-ineffective to deploy a significant amount of network security. And as it turns out, well, we also have a problem that these programs are often run by non-IT people, so of course that brings us to the social engineering aspect. So we can very quickly have, of course, the idea of a malicious Word file and so forth. But at the end of the day, between the buffer overflows and so forth that we have in these programs, we are dealing with a very different landscape. As soon as the adversary compromises the desktop inside of your environment, they have the run of the mill; there is nothing to stop them from moving laterally and moving on and doing other things. And that has changed the way attackers behave, which I'll also explore a little bit further on in my talk up ahead.

So the client-side programs introduced the problem of a massive attack surface. They make it easy for an adversary to break into a system because there are just so many potential holes. And of course these programs constantly change over time, right? So you have Office coming out with constant revisions; Firefox is up to version 40-something by now, right? They keep revving all the time; same thing with all the other browsers. But this also has introduced a problem with our defenses that we relied upon 10 years ago, the network intrusion detection system. So if you go back to what I was saying about the old model, where you have to worry about your server having the buffer overflow and all that good stuff, you release your IDS signatures when the vulnerability is published and the exploit is known, and you had the idea that you could stop it. And it worked reasonably well for what we had at the time. But the problem is that doesn't translate into the client side. It simply breaks down and it fails completely.

So just to remind you, just to kind of give a refresher there: with a network intrusion detection system you're sniffing packets on the wire. Maybe you're in line, maybe you're an intrusion prevention system, but you've got packets coming through in real time, and you have to process packets in real time in order to understand what's being said and what's being done and whether an attack might be inside of that or not. That is a lot of processing power that you have to apply in order to determine whether or not the traffic is hostile, because again we're blacklisting, right? We're assuming everything is good unless we can look at something and compare it to our list of, let's say, 10,000 signatures of known bad. So we have to do a lot of processing to do that. I'll show some real-world examples in a few slides. But at the end of the day, that was always kind of a rough arms race, where vulnerabilities would come out, IDS guys would write the signatures, and on top of that there were some evasion methodologies that bad guys could use in order to avoid the IDS signatures. But on the client side that model just breaks down, at the end of the day.

So server-side attacks are relatively simple by comparison to client side. With the client-side programs, as I mentioned, they're dealing with massive amounts of data, megabytes, tens of megabytes and so forth, and inside those files is an incredible level of complexity that goes well beyond anything on the server side. Server side is usually a request and an answer, back and forth, well-defined protocols; things are very clear-cut. On the client side it gets very muddy very fast, and I'll give you some examples in the next couple of slides to talk about that. So at the end of the day, the final result of that is that the client-side attack methodology makes deep packet inspection technologies fairly well useless, which is what we've been depending on for so long. So just as an example, we have here a signature from

Snort. Everyone loves Snort; it's a fantastic product, I've used it for years, it's still great at what it does. But if we take a look at this example (okay, you can't see my cursor here), if you look at the "content", there's "/etc/shadow". So this is a very, very simple signature: we're looking for the words /etc/shadow to see if someone's trying to access the encrypted shadow file where all our passwords live on the Unix device. Obviously we shouldn't see that in a normal environment unless it's some kind of scanner or something. So, pretty easy. There are some evasion methods that can be applied to that: the attacker could try and change some of the casing, or could try and inject some characters, and the IDS has to handle all that in order to make sure that it can translate back to what the web server will receive ultimately, to know if this was a bad signature or not.

There we go, for the next one. This is a much more complex signature, but it's still kind of to the point. In this case, this is a signature to detect MS08-067, which is a buffer overflow that Microsoft had as a vulnerability in its Windows products back in 2008. For those who don't remember this one, it was kind of one of the nastiest of the nasty. It was in the Windows Server service, so this was a big vulnerability for every version of Windows: Vista, XP, 2003, a whole lot of it, all the service packs at that time. And it was a service that was on by default on every Microsoft Windows box. It was kind of the perfect storm: it gave system-level access on compromise, it was extremely reliable as a buffer overflow, and it was, again, on every version of Windows. So, very nasty.

Now, as complex as this signature is, what it does demonstrate is how well you could actually construct signatures to detect buffer overflows in services. So you've got to realize that the Microsoft protocols are binary in nature, right? So this is the kind of protocol where the fourth bit gets read and the number of bytes in there tells you how many characters are going to be in the next several bytes. It's a remote procedure call protocol, so it's about one Windows box talking to another Windows box and saying, okay, I want to use this function on you to, say, access a file share or to access a printer service that you have. And so one computer is going to another computer and it's basically making function calls on that computer. The MS08-067 vulnerability was in the Server service, in the NetPathCanonicalize function call of that service, and it was basically a bounds-checking problem, where one of the arguments of that function was only supposed to have so many characters, but the buffer overflow allowed it to have so many more characters, and therefore, classic buffer overflow scenario: you could lay in your hostile code and you could compromise the machine. This signature goes through the arduous process of walking through every bit and byte that's relevant to determine, number one, is the function NetPathCanonicalize being called, and number two, if it is, what's the size of the argument that is being presented to that function call. So by doing this, this is called, you know, detecting against the vulnerability rather than the exploit, and so you're looking to see: is the vulnerable service being accessed, and is it being accessed in a way that would indicate a successful compromise? All well and good.

So here's a packet capture to show a successful attack using Metasploit. You can easily reproduce this yourself; it has a wonderful bit of a packet, a payload and an exploit in order to compromise MS08-067. You can do the packet capture on the wire yourself, and that's fantastic, so you can easily reproduce this and see if Snort can detect it, or any other IDS that you're running, it really doesn't matter; all the vendors should be able to catch this in spite of even the evasions that they have. And you'll notice actually that the other thing is, you walk through a number of packets (there's 358 packets on this count, and if you see, some of those packets are actually superfluous stuff), but if you look down at the actual trace, between the three-way handshake to the vulnerable service and then the RPC calls that you need to get down to the vulnerable function, and then exploiting that function, you're talking about 20 packets. So the amount of data that the IDS has to look at in order to get from A to B to say "aha, here's something vulnerable being exploited" is very small and measurable.

Now, if we contrast that to client-side signatures, we see a very different story very quickly. So the easiest of the easy for the server side was just, you know, like an 8 to 10 byte match in the data set, and then the more complicated one for MS08-067 was much more complicated, but it was still something you could walk through and get your head around if you just took the time to walk through all that. In this case, however, the first two

signatures I picked to look at, we can't see. In spite of most of Snort's signatures being open source and available as text, they have a growing body of signatures that are compiled as libraries. There are a number of reasons that they do this. One is complexity; well, actually, the first one I'm going to just lay out there is legal reasons. The Microsoft Active Protections Program, and other vendors have similar programs, where they give vulnerability information to vendors in advance so that they can get their signatures ready and be prepared when the announcement is made. But at the end of the day, they're not allowed to disclose any details, so Snort, and all the vendors that do this, have to not share the details of the vulnerability. But Snort also does this in order to deal with complexity levels that exceed the Snort rules language. So if anyone's out there familiar with the Snort rules language, you'll know it's pretty functional; you can do a lot with it, there's a lot of power in it. But when they're trying to take on client-side vulnerabilities, that power just isn't enough. They had to write raw C to do some tricks that go well above and beyond what the Snort engine allows them to do.

But if we take a look at a different signature here, in this case it's targeting CVE-2010-1297, which happens to be some buffer overflow in an Adobe Reader product, I believe. What we have here is, it's looking for a simple matter of a simple string match. So if you jump all the way down, it's looking for a PDF file, that Snort would pull out with its preprocessors, and it's looking for content of either "LOLOL" or "\x5c" or "056 swf". And basically that's what it wants to see. So I went back into Metasploit, like I did with the MS08-067 that's prepared there, and I gave a look to see what happens if I create a CVE-2010-1297 exploit PDF, buffer overflow. Turns out that the pattern LOLOL does not exist in that document; you just take the raw document and do a search for that string. Very interesting. Another interesting little bit is that on the snort.org website they claim there are no known false negatives. Okay, well, moving on from that.

If we look at the Metasploit exploit and we start taking apart how this exploit is built, you'll quickly start to see why client side is a killer for signature-based IDS. So we have here the exploit function call from the Ruby module in Metasploit that builds the 1210, excuse me, the CVE-2010-1297 exploit, and what we see here are some key functions. So at the very first function called below the exploit, we have make_swf, so it's making an SWF file that's going to be used in the exploit. We see the next function call is make_js, which is JavaScript, so it's going to make some JavaScript, and if you'll note, the argument for make_js is a payload that is already encoded, as related to us by the variable being used. And then the make_pdf function call is used, where the output of the make_js function call is taken as an input, the SWF data that was created from the make_swf function call is used as an input, and then a resulting PDF is given, which is then the PDF that has the exploit embedded in it.

So if we go down and start looking at the function calls used to build this exploit, starting with make_js, we'll immediately start to see where some of the problems are. So it takes the encoded payload at the top there, and it's going to basically escape some of the characters so that it can do some stuff with it. And if you look down at the next block of code here, from "js =", what you're looking at here is the exploit that Metasploit is building: it's putting JavaScript in the PDF file that carries the exploit. I'm going to go through it in just a little bit more detail, but the long story short here with this JavaScript is: Metasploit is giving the JavaScript the disassembled buffer overflow to reassemble. So it's basically giving the Adobe Reader all the tools it needs to build the exploit by itself, reassemble it into a functional attack method, and then it will execute it on itself. So it's basically giving it parts to a gun and the bullets, it's telling it how to build the gun and load the bullets, telling it how to point the gun at its own head and pull the trigger. That's basically what we're doing here.

So we have a process where we go through and we take the shellcode of the buffer overflow, we do some tricks with it to make it ASCII, we take the NOP sled of the buffer overflow, we encode that too so that we can put that in the JavaScript, we go ahead and put all that together with the NOP code and the shellcode, and then we put all that together with some further obfuscation. It's not an easy assembly, right? There are some tricks here that are going on with the JavaScript to make it non-obvious, without actually sitting down with the JavaScript engine and just executing the JavaScript code that the author arbitrarily chose as his

methodology to give the vulnerable program a disassembled exploit to reassemble on its own time. So that's not enough, right? That was the first function call, the make_js function call. If we go on to the make_pdf call, we see that it's taking that output of the JavaScript function call, you see it's taking the SWF file that was the result of make_swf, which is just a plain old SWF file for the exploit, and we go through another set of steps here where we're really getting into some further obfuscation. So, down below, we have the make_pdf arguments, we have PDF link, extract, and then we have down below, where we are, through some Ruby stuff, taking in the nobfu function call and giving it some arguments that are basically PDF structure elements that declare the JavaScript that is upcoming. So we built the JavaScript in the last function call; now we're building the PDF calls that say, hey, you've got some JavaScript coming, and then here's the JavaScript ending. So we're taking those strings as input to the nobfu function call. And if we take a look at the nobfu function call, we go through it, and basically what this function is doing is iterating through every character in that string, and it is arbitrarily deciding: do I make this an upper case, or do I make this a lower case, or do I change it in some other way into an unpacked binary?

So there's a little PDF article that is referenced in the header of the function call there; you can see that's Didier Stevens' blog post. And what it reads there, okay, better read it over here: "In this post I show how basic features of the PDF language can be used to generate polymorphic variants of malicious PDF documents. If you write PDF parsers, write signatures for antivirus or IDS, or analyze malicious PDF documents, you should be aware of these features." And then he goes on to say: "While browsing through the official PDF documentation, I took particular interest in the rules to express tokens; there are many ways to write the same token, offering opportunities to evade known pattern recognition systems like AV and IDS." So if you take a look at the input string, we have here "/Type /Action /S /JavaScript /JS", the reference component of it, and then some greater-than symbols to close it out. This is what comes out in the resulting file, and you'll notice it looks absolutely nothing like what it came in as. And so you have here the only remnant that happened to not be encoded; again, it was randomly choosing which characters it's going to encode. And then again, it happens with this other part of the PDF structure that wraps around the JavaScript. And if that's not enough, what also further happens is there's going to be some compression of the JavaScript itself, which then results in all this stuff, which is just a compressed file, a compressed component of the data that is put inside of that data stream.

So in order for an IDS system that's reading on the wire in real time to deal with this PDF, it needs to, one, parse the entire PDF structure, recognize through the doubling of all the encodings of the PDF headers themselves that, okay, there's JavaScript in here, decompress the JavaScript, go through the whole JavaScript engine routines to figure out what that arbitrary JavaScript was telling it to do, and then recognize that all that, the exploit that was given to it, was in fact an exploit. So that means it needs to understand the vulnerability structure enough to say that whatever that exploit was happening to do, it was something that would result in a buffer overflow and compromise the reader. Easy, right? No problem. Not so much. So I think I've made a good case that signature-based IDS cannot handle this. Yes? No? Okay, so not in... good.

So on the other side, well, the antivirus salesman, right, was confident that you're running antivirus and you're safe, right? Okay, I'm seeing some smiles and some shaking heads. Good. So yeah, no, it's not going to help you

at all. Antivirus suffers from the same problems, and they're worse, actually. So let's break it down real quick. All my information here came from a couple of talks; I want to give a shout-out to them real fast. The 2013 BSides LV talk "Malware Automation" by Christopher Elisan: outstanding talk, go to that URL, he goes into this in glorious detail. And then, well, the other one I'll get to in a minute. But the long story short of his talk (so this is a spoiler, apologies) is that the adversaries, the bad guys, have got us hands down on the antivirus side, because when you get down to it, and I'll break it down, but when you get down to it, the bad guys have learned how to automate evasion of our defenses, and we are stuck in a process of manual defense against that automation. So every time we pit man against a machine we're going to lose, right? We can't move as fast as the automation.

So what are they automating? They take a piece of malware that they want to hide and they're going to pack it, they're going to use polymorphism, they're going to encrypt it, they're going to bind it to legitimate executables. There are segments of an underground economy that will sell their services to botnet operators and say: "Give me your code, give me a big chunk of cash. I've got all the network intrusion detection systems in my rack, I've got all the antivirus in my rack, just like VirusTotal. I'm going to run it through them all, I'm going to do all these things to armor up your malware for you until nobody sees it, then I'm going to give it back to you. You can do your operation, and if they see it again, come back to me with more money, I'll do it again. It's no problem, I just push a button; it's all automatic." And they can just go for days like this with no problem.

Meanwhile, on the defensive side, what do we have to do? Say one of the antivirus vendors, doesn't matter who, sees, you know, finds something in the wild. What do they have to do to take it apart? Well, they have to take the sample, they have to reverse engineer it, some manually intensive process; they have to figure out how it works, they have to figure out what signature they can write against it. It can take hours, can take days, can take weeks. The bad guys, they've got this all automated down to push-button. So they've got us beat hands down. Antivirus is not going to save us.

The only part of good news in this is that we as defenders have got a similar offensive capability now to whatever the bad guys have, in the Veil framework, which was released at ShmooCon 2014. And that talk is available on the web as well (I'm sorry, that's the slides). The project is open source and widely available, and it integrates nicely with Metasploit. So now we can use offensive technology that shows us how poorly the defensive antivirus can behave, and we can do the same thing they can. Hopefully this challenges the antivirus vendors to do better. Whether or not it's possible, I don't know; I don't know that it is, because at the end of the day, if you look at evasion of IDS, you look at evasion of antivirus, it's really hard to beat. We can kind of beat them on the intrusion detection side, on the server side; we can't beat them on the client side. The compute power just isn't there; the resources you need to throw at it far outweigh the cost that you can possibly ever spend. So that leaves us in a very bad way, and it's brought us to a very bad place in time: advanced process, sorry, advanced persistent threat.

So we have a situation now where we have professional adversaries who are well funded, they are after a particular target, and the advent of client-side buffer overflows has made

their job so much easier and brought them to a wonderful place. So there's a basic pattern, a basic life cycle to what they do. They penetrate deep into the network by popping boxes through the client-side attacks that I described; that could be just social engineering, that works too, and probably works as well if not better, because it's easier to trick someone than to spend months and months finding a 0-day in Word. Either way, they get in. Then once they're inside that perimeter, because that desktop is deep in their environment, they have the run of the mill, like I said. Antivirus can't stop them. We can't even deploy the network intrusion detection systems (that will not detect them anyway) because it's just too big of a LAN and too expensive. So they move around, they scan the environment, they find the server-side buffer overflows that are left open because it's inside the network, so we can trust that it's not as at risk, right? Wrong. They do pass-the-hash attacks, they leverage trust exploits; they just basically move around the environment at will, and it's very hard to detect it. And of course, at the end of the day, they have a purpose, so they're going to keep at it. Time is not a problem for them; they can just keep chewing at it until they get what they want, because it's probably unlikely that the defenders are going to find them.

However, they are at a final disadvantage. Right up until now all the advantages, all the bonuses, have been on the attacker side: we can't find all the vulnerabilities, we can't detect the vulnerabilities when they find them, and they have control of that whole situation. However, once they're in our networks the game has changed, because now we control the environment. We know the environment; they don't know it, and it's going to take them time. Now, if we're not able to see them on the inside, that time is not a problem. But if we can take advantage of the time that they have to burn in our environment, and they want to move slowly, right? Like I said, if it was a buffer overflow, a 0-day, it might have taken them months to figure out. 0-days can go on the market for $100,000, right? It's not cheap; it's high value. They often talk about how using a 0-day will burn it. So once they get in, they want to protect that investment, they don't want to get caught; they're going to move slowly, they're going to move cautiously. And every minute, every hour, every day, every week they spend in our environment, that's an opportunity we have to beat them and to flush them out. So it's an opportunity for us, and much more, because there is a consistent, common pattern to the way they do things; that's another opportunity for us. They have an SOP, a standard operating procedure, a means of doing things that is fairly repetitious. It's the same thing; you can probably find half a dozen talks at Black Hat, DEF CON and the rest where they talk about the APT methodology, and they're all pretty much the same. Probably half of them are given by Mandiant, but either way. Thanks. Slide, please come on. Okay, bear with me here, having a PC moment. Okay, so our defensive strategy dilemma. There we go.

So our current defenses, it's like a gunfight: if you miss that first penetration you're done, you have no more chances, that's it, game over, done. Sorry, you lost; pack up, go home. However, with advanced persistent threat, and the types of adversaries we see now from the blind side, we can't play a gunfight anymore; we have to play chess. We have to think in the long term. We have to get over the idea that we're never going to let them in the environment; we can't assume that they're going to get in the environment. We have to live in a world now, we have to accept the fact

that we live in a world now that they are going to get in the environment they're probably in the environment already when I started in this business in 99 I was oh my god get broken into about 5 years ago I was like yeah I just wonder who's in on that work and how long have they been there uh and that's really the mindset we need to get into and it's not an easy mindset especially for managers but we have to convince them of that because that's the way it is they just have to come to terms with that we're in a state of denial if we think anything else right now go back to

that chart from information is beautiful and at the end of the day of course you know the key thing with chess is you can't win in one move you have to play at least 5 to 10 moves maybe 20 maybe 30 depends on you and your opponent so really though the problem is we don't have options to do that right now all of our defensive Technologies are built around that idea of stop them before they get in we are now starting to see in the last few years Technologies coming out from the vendor spaces that start to look at the idea of okay they're going to get in we got to live with that fact it's A Hard Sell

because again nobody wants to own the idea that you're already compis but we have to get to that place so we need to come up with some new ideas and some new means of Defending in order to actually take advantage of those uh key differences once they're on the inside we want to take advantage of the opportunity presented to us by the adversary being in our backyard that we know and they don't and they have to move careful so not done here this is just a sof point think about what we're to do here we need to stop depending upon puling attempts to reach the network we just have to stop that it it's we've

lost that game it's done it's over what we do need to do is start playing a deeper game assume they're going to get in do everything we can to stop them you know if we stop best practices and trying to prevent them from getting in it's just going to get worse so we can't stop what we're doing but we need to refocus and put new resources in they're getting in they're already in how do we deal with it we need to stop looking for the m itself I don't know that I say uninstall your antivirus because at the end of the day if you do see something and you get a signature report it will kill it

problem is that it will probably be the old variant and the new variant gets deployed and it will be not terribly effective but there's no solid alternative yet so I wouldn't say rip it out same thing with intrusion detection on the network which has a new role in this pipe of Defense I'm going to talk about in a few uh but at the end of the day we need to look at the behavior right we actually need to knuckle down now and deal with what is the bad guide doing in our Network look for what the uh the bad guy how the bad guys is behaving through his malware we got to stop fighting that tool set looking for

B Ro which just doesn't work in Adobe in browsers in office we rather need to deal with defending against and engaging the adversary directly that's the game of chess you don't play a chess against the pieces on the board you play a game of chess against that guy sitting across from you ultimately they're people they make mistakes they do stupid things you got to take advantage that and you got to be able to be in a position to take advantage of so how do we do it so I'm going to talk about the kill chain yes I'm going to talk about the kill chain get over dislike cyber going to eat our vegetables and use those terms so the

kill chain was developed by lock Martin published back in 2011 something like that uh and you know their this is their graphic uh taken from their paper and you know they have a very their idea is very straightforward the dod had a method a mentality of find out out what the attacker has to do in order to do you harm what's their process a b c d however many two you are now harmed find ways to stop their process at any and all points so that they can't get to that final step if you break the process you prevent them from getting to where they need to be I love this I think this is fantastic uh they even go into some

fantastic depth to say you have options you could detect them you could deny them access you could disrupt what they're doing you could degrade their capability you could deceive them which I really like and we'll get into a bit more you could destroy them now that's probably not an option in the commercial space probably more an option for the government space but that's neither here not there uh but at the end of the day it is a useful means to determ uh to deal with that behavior we have to understand what their behavior is we already kind of know how AP works so if we apply a kill chain to it that might help us out now the problem I have with

the lock kill chain is if you'll notice it's very heavy on the getting pop st right so it goes from reconnaissance to weaponization reconnaissance find out what's going on in the victim environment uh weaponize a buffer overflow that's all that research you have to do then deliver the payload to the aders to the victim the V uh the exploitation happens box gets popped the bad code runs you the bad guy then installs his malware into your environment he has Now command control into your space and he can do a bunch of stuff you know this killchain kind of waves its hands at actions on objectives is how they phas in my mind that's where we need to live that last step that was

just kind of stop actions on objectives because as I said we're not going to stop them on that first one maybe we can with some tricks it's not going to be a consistent method it's not going to get us wins all the time so shortly after the killchain came out from m in 2012 there's a black hat talk by a guy who's handled his for uh he's been in the business a while too and his his talk was intrusion along the kill chain he revamped the kill chain to take out the weaponization and to take out the installation Parts because that's completely in the adversary's control not really in ours and he basically said you know what I want to flip that coin

and focus on what they do once they get in so yeah we do some Recon yeah we do some attack delivery and yeah we do some high exploitation but now C2 command and control okay now local compromise maybe you know escalate privileges on the victim box now do internal reconnaissance to find out what else is living in our Network now we go on to lateral movement move the through past the hatch do the buffer overflow on the server side vulnerability on the server that's five routers down inside of our Network then we through that the bad guy's going to compromise more boxes and more boxes and more boxes until he establishes persistence because at that

point if you find three of his 20 boxes that he owns yeah I found the bad guy and I rooted him out right except you missed the other 17 he's persistent in your environment so this in my opinion is the kind of kill chain we need that allows us to focus on their behavior once they get in because we're not going to stop them from getting in just not and so miter my company has published what they call the attack framework which is I think an outstanding way of looking at this in a bit more depth um I just started doing this you know I'm fairly recent miter and I did a project that used this uh based to work on this

heavily uh and I found it to be an outstanding method to put meat on the bones of that uh you know right side of the kill chain uh so you know we're thinking of after the exploit right of a kill chain going left to right or down if you will um and so the mitor attack framework is a nice project they've had going on where they look at different tactics and different techniques uh the nine different tactics they have uh you know persistence preg escalation credential access these are all the things the broad tactics that the adversary has to do in order to compromise your environment to move within your environment to do all the

bad things of that miter has enumerated a hundred different techniques that are very specific pass the hash being one golden ticket being another Windows admin shares there different methodologies uh that the adversary will use in order to implement those tactics and this ey chart here which is this is all publicly available on attack. m.org it's a nice little Wiki you can go into go into wonderful depth uh to see the different ways that adversaries will use the windows platform specifically I need to stress that the attack framework is very Windows specific it does not go into Linux not go into Network devicesand anything like that this is almost kind of a starter project and they go into well but on the other hand

right let's think about what our biggest attack surface is anyway um so they go into wonderful detail about all the different things adversary will do in order to Leverage The you know the their advantage on the inside of your network so if we start using this framework and leverage it to uh build our defenses against what we know they do because they keep doing this again AP is very consistent for the most part in the you know behaviors they've done because they work they're not getting caught most of the time until mate comes in once in a while so just keep going you know they don't want to spend any more resources than we do so this is a nice way to

start so excuse me uh what we need to do is apply this to right of the uh exploit you know we need to apply right of the exploit to our defenses we need to change the way we're doing things we need to change the tool sets that we're using so you know IBS and Antivirus I think I can I think I can say I've proven that they've seen their day uh and we shouldn't you know rely or invest on meet these we should not increase our investment I think we probably need to maintain them I'm loed to say RI them out uh because they may serve some use in corner cases or in some circumstances

and we don't have a solid replacement for uh and intrution detection on the network actually does have a role to play in right of exper that I'll talk to but like an virus it's kind of a corner case it's not a uh Magic Silver Bullet and no magic Silver Bullet really exists uh but it does have some measure role to play uh but there are new defense Types on on the market that we can start looking uh there's threat intelligence where we're sharing indicators of compromise or I's between partner organizations or you know life organizations a lot of vendors are coming out with this we have forensic technology uh that can look deep into the payload you know there's some

products that will do live packet capture and put it on you know hundreds of terabytes of disc in a rack mounted uh server in your data center so you can comb through it that's great uh for some things that can be useful uh behavioral detection Technologies this is where it gets a little bit harder because you need to be able to understand your environment what's normal what's not but at the same time some of adversarial behaviors like BNS fast flux do kind of stand out like a sore thumb if you look for them if you have the right Tools in order to find them and then lastly my personal favorite but what's really difficult to implement is that deceptive

technology Mi uh I think there's a huge potential here but there's a lot of difficulty in getting them and I'll go through all these in more detail in a couple of slides so having kind of gone through a brief view of what we could do on the right of kill chain on right of exploit side of the kill chain we shouldn't necessarily neglect left of exploit though I definitely think we don't want to spend a whole lot of time working on um try and keep them out as best we can but until something sizen comes along to really shift things in our advantage again I think we'd be much better off spending our resources in looking at

what do they we do once they got in because until we can definitively close that door again they're going to keep getting in and we are just losing an opportunity if we don't focus on that so with the sandboxes you know this is the um you know you sniff on the package stream and you find a bat you know you take a file and you run it in a BM which is in the sandbox and you see if the BM reacts to it in a bad way to show you that it was a buffer overflow or malware or something like that uh endpoint app virtualization you uh you know you take your applications and you put them in a

virtual container so that if the application suffers a buffer overflow it can be contained and it won't affect the overlying system it can shut it down maybe before the buffer overflow has a chance to execute the malicious code in the environment and then lastly after white listing right this one has more interesting possibility because we're now moving away from that black list so we're saying these are the only things that are good we're not going to accept anything else and that's the kind of security we want but you know I think what I'm going to talk through real quick in a few slides is that there are operational issues with that and they could you know it's going to be

difficult to actually Implement that especially in you know the Brownfield environments where we've already been theed we've already got hundreds or thousands of Windows or Linux or whatever running go ahead and try and figure out what you already running what you need to run that's the challenge there so you know we can take all these new technologies on the left and the right of the exoy on that kill chain and we can map them back and see exactly where we cover and if we look at you know we were able to deploy all these in theory we should get a lot of coverage on all the elements of the kill chain that would be nice obviously we can't

deploy all of them uh certainly we don't want to just deploy one of them and of course at the end of the day we don't want to just buy products and throw them out there a lot of security does come down to your processes it does come out to how you do things so you want to bring in some new tools were appropriate but you also want to look at making your whole operation a bit more security Savvy a bit more uh attuned to dealing things that will help you find the adversary once during your environment there we go so and of course to that point I always like to point out the issues with the Technologies there

is no Silver Bullet and you know don't believe the vendors is when to tell you this will solve all your problems sandboxes we have some definite problems with capacity uh with where you know it it's try sandbox is ultimately trying to address that problem where intrusion detection failed and that you have to apply lot of computing power right that's why we're spinning up virtual machines with Adobe and the rest of it hoping to see the buffer overflow execute or the malare execute in this uh sandboxing thing so that we can say yes this is bad the problem becomes that you have so many files moving across you can't run every file in that environment so you still have to pick and choose

most sandbox technologies will go through and say I'm going to pick these cuz I think they might be bad and I'm going to run them in the sandbox and the rest I'll just hope and assume they're okay uh there's also a problem of specificity where you have to be running the vulnerable version so how many versions of adobe are in your environment how many versions of office how many versions of Firefox if you're not running the right one for the exploit that went down to the vulnerable system that happened to be running you know Firefox 37 and everyone else is at 41 you're not going to see it U then there's the problem of evasion right the

whole race for over the 15 years that bad guys would take a buffer overflow and do evasions like we saw with the Adobe PDF what have you or the service evasions they've had for 15 years sandboxes are victim to the same problem there's going to be a there are no evasions where you know they can just encrypt it they can try and detect whether or not they're in a sandbox they can wait for amount of time because again back to the past these sandboxes have to give up after a certain amount of time and move on to the next file that stream of files never stop so if the malare Can Be Clever enough to

wait long enough it will just be missed by the sandbox entirely um the problems we have with endpoint detection uh is that sitting between that operating system and the application can cause serious impact uh the new technologies that are coming out look very promising but they are also can be very disruptive destructive and programs that may not be written terribly well from the perspective of that virtualization sandbox might cause problems and blow up in a bad way and causing a business issue uh the white listing like I already kind of mentioned you have operational issues how do you know what's okay there's a lot of files that get run and the bigger your business is

and the more complicated it is the more you're going to have to deal with all the thousands of cases of programs that you need to identify are okay to put them on the white list uh threat intelligence someone needs to se it so it's great that we to share that's a very good defensive strategy but somebody needs to be the first guy or girl to have seen it and say okay I got got something share it out and then the other side of that is once it's shared out the more people know about the indicator of compromise the greater the likelihood that the adversaries are going to see that they've been compromised that the indicator of compromise is out there to

that you know oh wow they can see me with this if I change this knob suddenly they can't see me with that indicator of compromising Network forensics fantastic if you know the question you want to ask if you know the question it'll tell you the trick is knowing that question and that's pretty much the hardest thing in our area defense right what question you want to ask um behavioral detections uh this can be particularly if we know the adversaries Behavior we want to detect that's great if we want to detect the deviations from our own environment what's normal what's okay that's a lot harder and it scales probably exponentially the size of your organization I used to work in an

organization that was hundreds of thousands of people large this was a nonstarter in other environments it's much more constrained and if you have a very well- defined set of what's normal deviations get easy and this could be an easy win without buying a product uh you want to look at things like logs and so forth and lastly deception this is my personal favorite it gives us the most options because they don't know the environment they don't know what's good and what's bad and what's clean and what's different and what's unusual you do you and your organization should on Theory know your own environment so if you can put little canaries little honey pots honey tokens in your environment

that the adversary has a good chance to trip into then you can easily set yourself up to for Success where they just again they're falling their nose they're fumbling along you know you don't want to make it too good to be true because we'll figure that out real fast but it does have the better potential however uh that's going to be very difficult because on the one hand you know you need to be kind of clandestin about it within your own organization if you're emailing it and have standards published on your website about your deceptive Technologies and they're reading your email and they're reading your websites you're kind of giving them the road map to defeat their

own defenses uh and at the end of the day you know defenses can have their own operational impact where okay we set up these defenses and maybe our own people kind of trip into them and it causes problems and therefore you know management gets upset and we rip them back out again so it's tough but if we can find the right balance I still think it has the highest amount of opportunity but it brings with it a lot of baggage so other mon measures we can take these are kind of more things we can do today uh monitor our outbound traffic hate much more attention to what's leaving our Network forget what's coming in what is leaving where's it

going is that okay uh you know we can do this today with a lot of Out of the Box open source tools look at our logs logs are a very neglected source of information about our own environment take that kill chain take the attack framework and learn what happens to my own systems when they you know when this Behavior happens if past the hash happens you know is there something on the system that can tell me the past has just happened uh don't Focus On Tools rather develop the methods and Technologies to hunt for the adversary in their own backyard so you know learn the behav track the patterns and behaviors and look for those outliers if

you can this may not scale to your environment uh also try and get help from your it Department you know your health desk May well be the first point of contact with you and the AP if you know that help that call from the guy who his box is acting weird and just doesn't understand it that could still be a tip off the way has been for the last 20 years that something's wrong there is definitely something going on here and so lastly you know we need to think strategically as Defenders we've got to stop worrying about the next exploit and the next vulnerability and the next thing to come out we need to look at a large game we need to stop

looking for the Silver Bullet we need to look at def fenses a holistic I'm going very you know Pine the sky here but it's true uh our networks are our tur use that to our advantage home field you want to leverage that that's our best asset right uh and we need to that end to understand our own risk in exposure right we need to understand where are we weak where are we most vulnerable are we vulnerable to pass the hatch or are we using Cur Ro everywhere it's an important question deploy those defensive tools but also enhance your techniques in order to take advantage of that right side of the kill chain you can't just deploy a box and get a right

side of the kill chain win you have to take it deeper than uh and most importantly well resources are limited so we want to minimize the impact excuse me maximize the impact of careful selection and placement you know dollars are hard to find as they've ever been maybe even more so so be very careful if you know your environment know where you might be the weakest you can find the tool that will fit best in your place to give you the best win and then back F the rest of it with techniques and and methodologies on your own side and then lastly you've got to develop an incident response process if you don't have one

if you catch the AP it's like okay now what it's like the dog that c the car what are you going to do now so you know do you want to flush them out immediately do you want to contact law enforcement you want to let it linger for a while and learn from how they're behaving and so on and so forth so in conclusion old signature based Technologies are no longer effective uh in the modern threat landscape they are dead and so in order to have IDs live long uh we must shift to the right side of that kilch we have to uh deal with that post compromise get over the idea that you can keep them out you're not

going to get them out that time is long over if it ever existed uh those new defenses are EXC new defenses are needed that use detection techniques that cannot easily be evaded uh and so you know signatures will always be available easily sandboxes I think will be very well available for the most part and we have to look at ways that it costs the attacker a lot in order to try and evade the method of protection that we put out uh most also strategies and Techni tactics that we need to change our strategies and tactics to deal with that modern adosphere we need to change the way we do things and we must be prepared

to deal with them once we've deal once we've detected them you know once you detected them here on this one box again do they have one more box do they have 10 more boxes do they have 100 more boxes if you root out the one and don't find the other 99 you accomplish nothing and that's

it e
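Two of the right-of-exploit measures the talk recommends, honey tokens that only an intruder would touch and monitoring outbound traffic against what is normal for your own hosts, as an added worked example. This is not code from the talk, from MITRE or from any tool the speaker names; the key=value log format, host names, the decoy account `svc_backup_legacy`, the decoy file path and all IP addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Right-of-exploit detections over constructed log lines (added example).

A decoy-credential/decoy-file tripwire and a per-host outbound baseline check.
Log format, hosts, accounts and addresses are all constructed; nothing here is real data.
"""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")

# Decoy (honey) objects with no legitimate use: any touch is a high-fidelity alert.
HONEY_ACCOUNTS = {"svc_backup_legacy"}          # constructed decoy account
HONEY_PATHS = {"/shares/finance/passwords_old.xlsx"}  # constructed decoy file

# Constructed authentication / file-access events.
AUTH_LOG = """\
ts=2015-11-13T09:01:02Z host=WS-0412 event=logon account=jsmith src=10.20.4.12 status=ok
ts=2015-11-13T09:03:11Z host=FS-01 event=file_read account=jsmith path=/shares/finance/budget_2016.xlsx
ts=2015-11-13T22:14:50Z host=DC-01 event=logon account=svc_backup_legacy src=10.20.4.12 status=fail
ts=2015-11-13T22:15:03Z host=DC-01 event=logon account=svc_backup_legacy src=10.20.4.12 status=ok
ts=2015-11-13T22:16:40Z host=FS-01 event=file_read account=jsmith path=/shares/finance/passwords_old.xlsx
"""

# Constructed outbound flow records: a "known good" week, then the day under review.
BASELINE_FLOWS = """\
ts=2015-11-06T10:00:00Z src=10.20.4.12 dst=10.20.0.53 dport=53 proto=udp
ts=2015-11-06T10:00:01Z src=10.20.4.12 dst=192.0.2.10 dport=443 proto=tcp
ts=2015-11-06T11:00:00Z src=10.20.4.77 dst=192.0.2.10 dport=443 proto=tcp
"""
REVIEW_FLOWS = """\
ts=2015-11-13T22:20:00Z src=10.20.4.12 dst=192.0.2.10 dport=443 proto=tcp
ts=2015-11-13T22:21:00Z src=10.20.4.12 dst=10.20.0.53 dport=53 proto=udp
ts=2015-11-13T22:22:00Z src=10.20.4.12 dst=203.0.113.9 dport=8443 proto=tcp
ts=2015-11-13T22:22:30Z src=10.20.4.12 dst=198.51.100.77 dport=443 proto=tcp
"""


def parse_events(text):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def honey_token_hits(text):
    """Alert on any event touching a decoy account or decoy file.

    A *failed* logon against the decoy counts too: nobody legitimately knows that
    account exists, so even a wrong password means someone harvested and tried it.
    """
    hits = []
    for ev in parse_events(text):
        if ev.get("account") in HONEY_ACCOUNTS:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "reason": f"decoy account {ev['account']} used from {ev.get('src', '?')}"})
        elif ev.get("path") in HONEY_PATHS:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "reason": f"decoy file {ev['path']} read by {ev.get('account', '?')}"})
    return hits


def is_internal(ip, prefixes=("10.",)):
    """Constructed assumption: the internal range is 10.0.0.0/8."""
    return ip.startswith(prefixes)


def is_off_hours(ts, start=20, end=6):
    """Crude business-hours check on the hour field of an ISO-8601 timestamp."""
    hour = int(ts[11:13])
    return hour >= start or hour < end


def outbound_deviations(baseline_text, review_text):
    """Flag external destinations a source host never contacted during the baseline.

    The baseline is kept per source host: 'normal' for a workstation is not
    'normal' for a domain controller, so a global allow-list would hide too much.
    """
    known = defaultdict(set)
    for ev in parse_events(baseline_text):
        if not is_internal(ev["dst"]):
            known[ev["src"]].add(ev["dst"])
    deviations = []
    for ev in parse_events(review_text):
        if is_internal(ev["dst"]) or ev["dst"] in known[ev["src"]]:
            continue
        deviations.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                           "dport": ev["dport"], "off_hours": is_off_hours(ev["ts"])})
    return deviations


if __name__ == "__main__":
    for h in honey_token_hits(AUTH_LOG):
        print("TRIPWIRE", h)
    for d in outbound_deviations(BASELINE_FLOWS, REVIEW_FLOWS):
        print("NEW OUTBOUND", d)
```

On the constructed data the tripwire fires three times (two logons against the decoy account, one read of the decoy file), and the outbound check flags the two never-before-seen external destinations while ignoring the destination the host already talked to in the baseline week. The per-host baseline is the part that requires knowing your own environment, which is exactly the home-field advantage the talk argues for; the tripwire needs no baseline at all, which is why decoys are the higher-fidelity signal.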