Thursday, September 27, 2012

Antibiotic Resistant Security

I was reading an article recently about how some of the sterilization requirements in factory farms actually encourage more damaging infections which then led me to think about antibiotic resistant strains of diseases popping up due to overuse of antibiotics. This finally led me to think about similarities in computer security.

Since I started officially working in security around 1996, a number of us have suffered from a Cassandra complex: providing warnings and gloomy predictions, which have usually come true, and being generally ignored. Now, over a decade later, it's too late to do some of what we should have done back then. Everything is owned. We have to retrofit now instead of building security in from the ground up. It's MUCH more expensive and difficult today than if we had started then.

One of the predictions I was making back in the early 2000s was the following:

  • We should move away from standardized IT environments where everything is centralized and the same
  • We should stop trying so hard to stop the 80% of low sophistication attackers and focus on the 20% of attackers we really care about and who can really hurt us

Recently I have been doing a lot of incident response work, and every organization I have dealt with is suffering from bullet number one. Everything centrally authenticates, everyone is running the same OS image, usernames are conventionalized and standardized, networks are flat, and everything is hacked. I consistently see an attacker take over an entire network because once they had one machine, they had them all. Does a scientist need the same environment as a secretary? Should the sales department's Windows desktop be able to touch the production SQL database? Don't know, don't care, everyone gets the standard image. (And the spread of an attack is massively greater.)

That the industry has tried hard to solve the low-hanging 80% of attacks is obvious from looking at the "solutions" provided, such as IDS, AV, firewalls, failure logging, scan-exploit-report penetration tests, etc. These have done a decent job of stopping scans, worms and mass malware for the most part, and have failed miserably at stopping the remaining 20%. So why is this a problem? 80% is pretty good, right?

Well, let's look at the differences between the two types of attackers:

Low-sophistication attackers (the 80%):

  • Goals
    • Might steal your SSN or CC
    • Might use your system as a bot in a DDoS
    • Might redirect you to advertisements
    • Might strip your WoW character
    • Might deface your website / embarrass you
  • Techniques
    • Mass scans
    • 1-day exploits (patch often available)
    • Exploiting poor web coding
    • SQL injection
    • Mass malware

Sophisticated attackers (the 20%):

  • Goals
    • Will try to steal your intellectual property and use it for strategic advantage
    • Will gather intelligence against you to gain an edge in negotiations, legislation, bids, etc.
    • Will destroy the master boot record of all your desktops to financially damage your country
    • Will use you to attack your customers to achieve the above
    • Will steal your source code to find 0day, insert backdoors or sell it to competitors
  • Techniques
    • 0day
    • Targeted spear phishing
    • Sophisticated post-exploitation & persistence
    • Covert channels
    • Anti-analysis & evasion
    • Malicious insiders, supply chain, implanted hardware
    • Mass data exfiltration
    • Crypto key stealing
    • Trust relationship hijacking

So what we have effectively done is build an environment where all target hosts are uniformly the same, and ensure that the only "germs" that can get in are the ones we can't detect, can't stop and can't deal with. Superbugs.

What's worse is that the more we get compromised and hurt by the 20%, the more money and resources we throw at trying to solve the 80%, and the more we put our heads in the sand about the attackers that really want to hurt us and are good at doing it. We've pushed the motivated attackers away from the easy-to-deal-with techniques towards the ones we can't solve very well and that are very expensive.

There are a few possible solutions:
  • Build active response capabilities (offense). This is messy and will cause a lot of problems, but no one ever won a war with high walls and defense only. (Maginot Line?)
  • Start throwing money and resources at the 20% problem. PCI is not going to do it. Compliance pen tests are not going to do it. Researching virtualizing every process, location-aware document formats, degradation of service for anomalous connections, better intelligence, data sharing and correlation; in short, making it increasingly expensive for the sophisticated attacker is what we should be looking at.

We have to stop popping antibiotics and figure out how to cut out the flesh-eating bacteria.


Friday, September 21, 2012

More on APTSim

Today I wanted to talk a bit more about APTSim. We all know by now that the bad guys always get in, especially determined, well-funded and well-equipped attackers. We know roughly HOW they are getting in, which is usually via a targeted phish, SQL injection, malicious URL, etc.: things that are hard to defend against because they depend on a human element or on trust partnerships between organizations.

What we don't think about is the fact that our incident response and detection teams don't get exercised sufficiently (or ever), which makes them much less effective than they could be. We also don't think about modeling and understanding what real attack traffic looks like so we can tune our defenses against it: REAL traffic, not Nessus scans or Core Impact exploits.

How can we know that our people and systems are actually able to detect the types of attacks we really care about if we don't know what each attack looks like in every data source we have? Is there a Windows event log entry reflecting a change in service permissions? Can the timing pattern in the call-home beacon be seen in NetFlow? What does an exfil file hidden in the recycle bin via user SID look like, and is it visible?

If you know all the malicious inputs to the system ahead of time, then you can determine all the data sources you have that show indicators that something has happened, rather than waiting until an attack happens to attempt to track it all back and hope for the best.

This subject is a bit more tricky, so let's approach it first with an example. Using HERMES, we analyzed some samples and activity from a group of APT actors that we call "UPS". The typical UPS attack performed the following activities (this information was compiled from IR activity and shared data from other victims):

  • Generate a particularly timed beacon that communicates over HTTP
  • Drop the command-line Chinese language version of WinRAR on the target
  • Replace Sticky Keys with cmd.exe for persistence and access via RDP
  • Turn on RDP if it's not already enabled
  • Index and archive all Office documents, compress and encrypt them with RAR and a specific password, and store them in the recycle bin
  • Enable the support_388945a0 account and add it to the local admin group
  • Exfiltrate the data, encoded, over port 443 (but not SSL)
  • Set up an insecure service for persistence / privilege escalation

That is a fairly comprehensive list of attacker activity, and each action generates specific network traffic, log entries and/or files on the target. So what we do with APTSim is take all the above information and create a piece of pseudo-malware that takes the same actions, except in a safe and controlled manner, and includes cleanup components so it can be removed when the exercise is complete.
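
As an added illustration (not code from this post or from AR's APTSim), here is a small Python script that checks two of the data sources the post asks about: NetFlow-style records for the timing pattern of a call-home beacon, and Windows event log entries plus a file inventory for several of the UPS host indicators listed above (a service installed from a user-writable path, the support_388945a0 account enabled and added to Administrators, RDP enabled through fDenyTSConnections, sethc.exe carrying the same digest as cmd.exe, and a RAR archive staged under $Recycle.Bin). The flow records, event records, field layout and digests are all constructed for the example; the event IDs (7045, 4722, 4732, 4657) and the fDenyTSConnections value are real Windows identifiers.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (simplified; not a real export format):
# (timestamp in seconds, source IP, destination IP, destination port)
FLOWS = [
    # a call-home beacon from 10.0.0.5 to 203.0.113.7:80 every ~300 s with slight jitter
    (0, "10.0.0.5", "203.0.113.7", 80),
    (301, "10.0.0.5", "203.0.113.7", 80),
    (599, "10.0.0.5", "203.0.113.7", 80),
    (902, "10.0.0.5", "203.0.113.7", 80),
    (1200, "10.0.0.5", "203.0.113.7", 80),
    # ordinary, irregular browsing from another host
    (5, "10.0.0.9", "198.51.100.20", 443),
    (48, "10.0.0.9", "198.51.100.20", 443),
    (700, "10.0.0.9", "198.51.100.20", 443),
    (731, "10.0.0.9", "198.51.100.20", 443),
    (1150, "10.0.0.9", "198.51.100.20", 443),
]

# Constructed, simplified Windows event records (real event IDs, invented field layout)
EVENTS = [
    {"id": 4624, "account": "jsmith"},  # normal logon, must not be flagged
    {"id": 7045, "service": "WinUpdateSvc", "image_path": r"C:\Users\Public\update.exe"},
    {"id": 4722, "account": "support_388945a0"},
    {"id": 4732, "member": "support_388945a0", "group": "Administrators"},
    {"id": 4657, "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": "0"},
]

# Constructed file inventory: path -> digest. Digests are placeholders, not real hashes.
FILE_HASHES = {
    r"C:\Windows\System32\cmd.exe": "DIGEST_CMD_PLACEHOLDER",
    r"C:\Windows\System32\sethc.exe": "DIGEST_CMD_PLACEHOLDER",  # same as cmd.exe: swapped
    r"C:\Windows\System32\osk.exe": "DIGEST_OSK_PLACEHOLDER",
    r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\docs.rar": "DIGEST_RAR_PLACEHOLDER",
}


def find_beacons(flows, min_flows=4, max_cv=0.1):
    """Flag (src, dst, port) triples whose inter-flow gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to zero
    for a timer-driven beacon and large for human-driven traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "interval": avg})
    return hits


def find_host_indicators(events, file_hashes):
    """Match host artifacts against the UPS activity list from the post."""
    findings = []
    for e in events:
        if e["id"] == 7045 and e["image_path"].lower().startswith(r"c:\users"):
            findings.append(f"service {e['service']} installed from user-writable path {e['image_path']}")
        elif e["id"] == 4722 and e["account"].lower() == "support_388945a0":
            findings.append("built-in support_388945a0 account enabled")
        elif e["id"] == 4732 and e["group"] == "Administrators":
            findings.append(f"{e['member']} added to local Administrators")
        elif e["id"] == 4657 and e["value"] == "fDenyTSConnections" and e["data"] == "0":
            findings.append("RDP enabled via fDenyTSConnections=0")
    cmd = file_hashes.get(r"C:\Windows\System32\cmd.exe")
    if cmd and file_hashes.get(r"C:\Windows\System32\sethc.exe") == cmd:
        findings.append("sethc.exe has the same digest as cmd.exe (Sticky Keys replaced)")
    for path in file_hashes:
        if "$recycle.bin" in path.lower() and path.lower().endswith(".rar"):
            findings.append(f"RAR archive staged in recycle bin: {path}")
    return findings


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print(f"beacon candidate {b['src']} -> {b['dst']}:{b['port']} every ~{b['interval']:.0f}s")
    for f in find_host_indicators(EVENTS, FILE_HASHES):
        print("host indicator:", f)
```

The beacon test uses the coefficient of variation of the gaps between flows, so a fixed-period beacon stands out even when the implant adds a little jitter; raising max_cv catches sloppier timers at the cost of more false positives from legitimate polling software such as update checkers.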

Customers have different preferences as to how we take the next step, but generally one of a few options is used:

  • AR has VPN access to the customer network
  • AR has shipped a special box which the customer plugs into their network
  • AR conducts a physical penetration to launch the APTSim via a malicious USB key, custom developed Teensy, or other hardware implanted in customer equipment
  • AR generates a targeted phish mirroring the initial vector used by the original actors whether that's a malicious attachment or a URL, etc.
  • The customer executes the APTSim model themselves

The APTSim model then connects back to our command & control center, takes all the same actions as the real attacker, exfiltrates data, and then the customer is notified of what activity took place. The notification is a short document containing log entry examples, PCAP examples, times and dates, ports used; in short, everything that is needed to detect the activity as well as track it back post-event.

If the attack simulation is not detected, AR will assist you in tuning your defenses, whether that means new rules for your Cisco ASAs, custom ClamAV or Snort signatures, specialized Splunk apps, etc.

Rather than a barely useful once-a-year event, this process is ongoing: monthly, or as new attacks are found and analyzed. When one of the organizations in your business sector is hit, within a very short period you know the crucial details of the attack, are tested to see if it could hit you as well, and are ready to defend before the attackers come for you. This is being proactive rather than reactive.

For more information hit up info [at]


Thursday, September 20, 2012


As a follow-up to yesterday's post, I would like to talk a bit more about HERMES and how it works.

INITIAL KNOWLEDGE - First, some form of information comes in indicating a potential attack. This information usually has some trackable piece of information such as an email address, subject line, content, an MD5 sum, etc. It usually arrives by one of the following methods:

  • Law enforcement notification
  • Incident Response/forensics post compromise information
  • A detection system picks up an attack (rare)
  • Specialized sourcing (AR gathers targeted attack tools, malware and other indicators using a variety of means including IR and direct sharing)

(Image: Example HERMES Intel Report Components)

ANALYSIS - Typically focused on attack files, NetFlow, PCAPs, etc. The results include the following information:
  • Static
    • Disassembly, strings, code capabilities, maliciousness ratings, file identifiers, imports/exports
  • Dynamic
    • File system & registry modifications, processes, memory modifications
    • Network activity, flow & full PCAP
    • User Agent Strings
  • Forensic information (file timestamps, etc.)
  • Multiple Anti-Virus Scanning

(Image: Example HERMES Dynamic & Network Activity Report)

What's special about the above is that HERMES uses your standard build image rather than a generic XP VM, along with the way maliciousness is determined and some of the memory work we do. The fact that the AV scans (unlike sites such as VirusTotal, Jotti, etc.) do not submit your sensitive samples to AV vendors is also fairly unique.

CORRELATION - Most organizations track incidents over time via a notebook, a wiki or, most commonly, a whiteboard. HERMES allows you to identify relationships between attacks over time:
  • Incident Tracking
  • Analyst Notes
  • Actor/attribution Information
  • Relations between IOCs on different samples or cases
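
To show what "relations between IOCs on different samples or cases" can look like in practice, here is an added Python example (not HERMES code; the report layout, case numbers, digests and indicators are constructed placeholders). It indexes each case's indicators, drops indicators that appear in too many cases to be meaningful, and groups the cases into clusters linked by shared infrastructure.

```python
from collections import defaultdict

# Constructed analysis reports: case ids, digests and indicators are all placeholders
REPORTS = [
    {"case": "IR-2012-014", "md5": "MD5_PLACEHOLDER_A",
     "domains": ["update.example-cdn.test"], "ips": ["203.0.113.7"],
     "user_agents": ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"]},
    {"case": "IR-2012-021", "md5": "MD5_PLACEHOLDER_B",
     "domains": ["news.example-mail.test"], "ips": ["203.0.113.7"],
     "user_agents": ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"]},
    {"case": "IR-2012-033", "md5": "MD5_PLACEHOLDER_C",
     "domains": ["news.example-mail.test"], "ips": ["198.51.100.40"],
     "user_agents": ["Mozilla/5.0 (Windows NT 6.1)"]},
    {"case": "IR-2012-040", "md5": "MD5_PLACEHOLDER_D",
     "domains": ["cdn.other.test"], "ips": ["192.0.2.99"],
     "user_agents": ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"]},
]

IOC_FIELDS = ("md5", "domains", "ips", "user_agents")


def build_index(reports):
    """Map each (kind, value) indicator to the set of cases it was seen in."""
    index = defaultdict(set)
    for r in reports:
        for kind in IOC_FIELDS:
            values = r[kind] if isinstance(r[kind], list) else [r[kind]]
            for v in values:
                index[(kind, v)].add(r["case"])
    return index


def useful_iocs(index, max_prevalence=2):
    """Keep indicators shared by at least two and at most max_prevalence cases.

    An indicator seen everywhere (a stock user agent, a public DNS server)
    links everything to everything and says nothing about the actor.
    """
    return {ioc: cases for ioc, cases in index.items()
            if 2 <= len(cases) <= max_prevalence}


def shared_iocs(reports, case_a, case_b, max_prevalence=2):
    """Indicators that directly link two cases, ignoring over-common ones."""
    links = useful_iocs(build_index(reports), max_prevalence)
    return sorted(ioc for ioc, cases in links.items() if {case_a, case_b} <= cases)


def cluster_cases(reports, max_prevalence=2):
    """Group cases into connected components joined by shared indicators (union-find)."""
    parent = {r["case"]: r["case"] for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for cases in useful_iocs(build_index(reports), max_prevalence).values():
        first, *rest = sorted(cases)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for case in parent:
        groups[find(case)].add(case)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster_cases(REPORTS):
        print("cluster:", ", ".join(group))
    print("IR-2012-014 <-> IR-2012-021 linked by", shared_iocs(REPORTS, "IR-2012-014", "IR-2012-021"))
```

The prevalence filter matters: in the sample data the MSIE 6.0 user agent appears in three of the four cases, so with max_prevalence raised to 3 the unrelated fourth case is pulled into the cluster on the strength of a string that half the Internet sends. Shared C2 IPs and domains are the links worth acting on.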

There are several ways in which HERMES is already benefiting our clients, and several options for how it may benefit you:
  • HERMES can be delivered as an appliance to supplement or provide your reverse engineering and incident tracking operations
  • HERMES can be delivered as an ESXi implementation which can fit easily into your existing virtualized environment
  • Finally, AR can provide organizations with HERMES targeted threat intel reporting, or HERMES can be operated by AR staff for you. Results can be provided as an XML feed, PDF, etc.

All of this information is fed into APTSim models to ensure that ongoing testing mirrors current targeted attack techniques and grows in sophistication over time, in sync with the attackers. This information is also used to generate your IDS, AV, Splunk and other defensive signatures.

Rather than focusing on the entire set of malware, for which there are millions upon millions of samples, HERMES focuses on a handful of sophisticated, targeted attack tools that have been in use within the last 30 days or less.

Most security tools are designed to deal with the 80% of attacks such as botnets, scans, mass malware, etc. But it's the other 20% that you should care about, because those are the ones that are intentionally (and successfully) damaging your business and that you have no defense against. This is something you can get your hands around with a tool like HERMES.

In the next post I will talk a bit more about APTSim and how it works.

As always, hit up info [at] for more information.



Wednesday, September 19, 2012

Attack Research Product Launch

Attack Research, LLC is proud to announce two new products / services today:

- HERMES: Threat Intelligence, Automated Analysis, Correlation
- APTSim: Advanced Persistent Threat Simulation

We all know by now that most of today's defenses are designed to defend against auditors and penetration testers. We also know that penetration tests do not reflect what today's attackers actually do.

AR has decided to try to address this problem and change the way active defense security is currently done. This diagram roughly represents the current process.

At each stage of the current process there is a problem.

* Vendor signatures are broad and cover millions of threats, exploits and malware, causing tons of false positives, and can only detect what is broadly "known".

* Penetration testing only occurs once or twice a year and is essentially patch verification at this point.

* Patching does nothing against 0days, configuration and design flaws or lateral attack with valid credentials.

* Real attacks are not being prevented or detected and few organizations have what's needed to address the problem once they have been compromised.

* Attackers change IPs constantly; it's a solved problem for them.

* Orgs are buying every tool out there but have no qualified staff to implement and maintain them.

Here is AR's proposed process:

NOTE: We must give a nod here to Mandiant and their IOC concept, which is brilliant.

In this process HERMES covers the first three points. HERMES performs ongoing intelligence collection on APT tools and activities. HERMES also conducts automated dynamic, static, network and forensic analysis, which in turn generates reports, indicators of compromise and defensive signatures. Unlike other products, HERMES can use your company's standard build image for dynamic testing, so you know exactly how the threat affects your environment rather than just a stock WinXP or Win7 image. HERMES replaces much of the expensive and time-consuming reverse engineering process.

AR analysts then add notes concerning actors, victim industries, targeted data, etc. Finally, HERMES's back-end big data system provides correlation so you can see and track connections between the attacks, actors, malware and IPs of a year ago and the attacks of today.

Once the defenses for these highly tactical, targeted IOCs have been put into place, APTSim comes into play. AR takes the tools and techniques used by APT actors and creates custom applications that do exactly what they do. We SIMULATE the exact APT attack, seen elsewhere against your colleagues and competitors, in your environment to assure you don't fall victim to it as well.

These tools are run on your network on an ongoing, subscription basis rather than as a monolithic once-a-year event. AR provides your security and IT staff with frequent, small 1-3 page APTSim notifications of what was done, when, how, how it should have been detected, and all the information necessary to detect it in the future if it wasn't. This is in stark contrast to the 40-page "here is what isn't patched" reports that traditional penetration tests generate.

All of this means that your organization is in an ongoing circular process of constantly being notified, defended and tested against up-to-the-minute APT attacks, rather than simply scanned and exploited for old memory corruption and XSS bugs.

If you are an organization that has suffered losses from targeted attacks, is wrestling with staffing problems, and knows your expensive defenses have proven inadequate, this is what you have been looking for.

Contact info [at] for more information.



Friday, September 7, 2012

Pwn Plug Elite Action Shots

We've been able to use the Pwn Plug on a few LARES Red Team tests.

We've mostly utilized the 3G out-of-band functionality; this allows us to more easily bridge the gap between physical and electronic attack. Either way, it's been great and definitely a value-add for us.

Pwn Plug Elite gives you several methods to egress a network:

:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.
:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.
:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:
  • SSH over any TCP port
  • SSH over HTTP requests (appears as standard HTTP traffic)
  • SSH over SSL (appears as HTTPS)
  • SSH over DNS queries (appears as DNS traffic)
  • SSH over ICMP (appears as outbound pings)
  • SSH Egress Buster (top 10 common egress ports)
  • Out-of-band SSH over 3G/GSM cellular (Elite models)
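
From the defender's side, the option on that list that most often slips past egress filtering is the DNS one, since internal resolvers forward queries on behalf of any client. The following added Python example (not Pwnie Express code; the query log is constructed) scores each client's queries per base domain by count, leftmost-label length and Shannon entropy, which is the usual first-pass heuristic for spotting data carried in DNS names.

```python
import math
from collections import defaultdict
from statistics import mean

# Constructed DNS query log: (client IP, query type, query name). Not real traffic.
QUERY_LOG = [
    ("10.0.0.5", "A", "www.example.test"),
    ("10.0.0.5", "A", "mail.example.test"),
    ("10.0.0.5", "A", "cdn.example.test"),
    # one host sending encoded chunks as long, high-entropy labels under a single domain
    ("10.0.0.7", "TXT", "x8f2k9qzl4mv7n1p3rtyuw5be6.t.tunnel-example.test"),
    ("10.0.0.7", "TXT", "q2w9e4r7t1y5u8i3o6p0asdfgh.t.tunnel-example.test"),
    ("10.0.0.7", "TXT", "zxc4vbn8m1lkj7hgf3dsa9poi2.t.tunnel-example.test"),
    ("10.0.0.7", "TXT", "m9n8b7v6c5x4z3l2k1j0hgfdsa.t.tunnel-example.test"),
    ("10.0.0.7", "TXT", "ab3cd4ef5gh6ij7kl8mn9op0qr.t.tunnel-example.test"),
    ("10.0.0.7", "A", "www.example.test"),
]


def entropy(text):
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Registrable domain, approximated as the last two labels (no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_clients(log, min_queries=4, min_label_len=20, min_entropy=3.5):
    """Flag (client, base domain) pairs whose leftmost labels look like encoded payload.

    Legitimate names are short, low-entropy words; tunneled data shows up as
    many distinct long labels that look random, usually as TXT or NULL queries.
    """
    groups = defaultdict(list)
    for client, qtype, qname in log:
        groups[(client, base_domain(qname))].append((qtype, qname.split(".")[0]))
    hits = []
    for (client, base), entries in groups.items():
        if len(entries) < min_queries:
            continue
        labels = [label for _, label in entries]
        avg_len = mean([len(l) for l in labels])
        avg_ent = mean([entropy(l) for l in labels])
        txt_share = sum(1 for qtype, _ in entries if qtype in ("TXT", "NULL")) / len(entries)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits.append({"client": client, "base": base, "queries": len(entries),
                         "avg_label_len": avg_len, "avg_entropy": avg_ent,
                         "txt_share": txt_share})
    return hits


if __name__ == "__main__":
    for h in score_clients(QUERY_LOG):
        print(f"{h['client']} -> {h['base']}: {h['queries']} queries, "
              f"avg label {h['avg_label_len']:.0f} chars, entropy {h['avg_entropy']:.2f}, "
              f"TXT/NULL share {h['txt_share']:.0%}")
```

In production the thresholds need an allowlist, because CDNs, anti-spam lookups and some telemetry also produce long random-looking labels; the useful signal is the combination of volume, label length, entropy and record type concentrated on one base domain from one client, not any single feature.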

Yak yak, let's see some action shots!

First, some shots of the web interface used to set up the various tunnels (taken from the web site).

It's pretty straightforward, and the documentation the Pwnie Express guys provide will get you up and running with whatever tunnel method you choose.

OK, now action shots.

Pwn Plug hanging out in an empty cube, hooked up to the network.

With the 3G stick plugged in. Sorry, kinda blurry, couldn't go back and take another ;-/

Final placement behind some boxes where it hung out for a few days.

Other useful reading/resources

Thursday, September 6, 2012

Why We Created Offensive Techniques

We are going to be releasing a few blog posts with our thoughts on why we have to better communicate what works in actually securing something! This first post is on why we created our new class, Offensive Techniques.

With all the "APT" hype, 0day discussions, and endless numbers of intrusions, we were having a hard time not screaming at the IT industry and saying pull your head out! Our good friend Dino Dai Zovi hit the nail on the head as to why we created the Offensive Techniques class. He did this with a couple of tweets that read "Oh, I see what you have been doing all of this time. Solving problems that don't exist while ignoring the real ones in front of your face." Followed shortly by, "For example: defending against pen tests and security researchers instead of actual attacks and attackers. How's that working out for you?"

Countless times we have either conducted a test or an incident response for a business that was decimated by some type of targeted attack. The techniques used by either us or the attacker are usually not what is being taught in traditional penetration testing classes in the industry. The attack didn't have Nessus or some other vulnerability scanner run against it. They usually didn't even have nmap (they used a batch file with a for loop and ping/netcat for a quick port scanner). The attacks combined deep operating-system-level knowledge to circumvent misconfigurations, some good custom tools, and even Metasploit!

So why is it that, with the rise in IT security spending, we see little progression in defending against and detecting attacks that are not pulled off by a trained pen tester? It is because we don't train or watch for these types of attacks, and we never have. They have been going on for decades, not just the past 5 years or so. Take a look at the regulations on companies/organizations in relation to securing data. The regulations are just a checkbox game, and the results of these regulations really don't improve security that much, if at all. You can implement everything from NIST 800-53 and we will still get in and wreak havoc!

Organizations and companies are too bogged down with bureaucracy to adapt as fast as they need to. We have to change the cultural mindset of mid- to senior-level executives, politicians, and even some system administrators. Offensive Techniques teaches how to really conduct offensive cyber operations, not auditor-based attacks. Offensive Techniques is one of many Attack Research classes designed to help change how we go about actually providing organizations/companies with real threat-based/vulnerability-based results on how they are truly vulnerable. It teaches the fundamentals of how to conduct real attacks.

We are debuting the class in October at Countermeasures 2012, but will also be holding a class in the United States in November (more details to come on that). If you are interested in this or any other of our trainings, reach out and send us an email at