Pyclas on Security

pyclas@xmpp.cm (OTR)

アメリカ国家安全保障局 (NSA) の Tailored Access Operations (TAO)のUSENIX Enigma 2016での講演を訳した

f:id:pyclas:20160313150456j:plain

要点については

TAOによるハッキングへの道 - セキュリティは楽しいかね? Part 2

でほぼ述べられている。インテリジェンスコミニュティーという好奇心を唆る世界をより詳しく知りたいという人向けに全訳を載っけようと思う。(やる気の問題で途中まで)

 


www.youtube.com


 ありがとう、感謝します。デヴィッドが紹介したように私はTAOからきました。確かに変な感じですよね、そんな役職なのに大勢の人々を前にステージに立っているなんて。普段からあることじゃあないです。でも私は広範囲の対外情報作戦を行うTAOでもちょっと独特の役職にあるんですよ。つまり政策決定者にアドバイスしたり情報提供をして、この国の兵士たちを四六時中守ってるわけです。ある意味じゃ国家レベルの攻撃です。だから今日、この場所で私が話すのは、国家レベルの攻撃者として、どうやって皆さんが自分の身を守って私に仕事をさせづらくするかということです。国家レベルで攻撃を行っている人が、攻撃の対象となる人たちに、国に雇われたハッカーを困らせるようなことを話す人はそうそういないですね。

 

 というわけで、皆さんに考えてほしいのは、もしみなさんが本当に守りたいものがあったら、何をしなきゃいけないかってことです。これから私はいろいろ細かいことも話すしますが、全部に共通して皆さんに持って帰ってほしいテーマは「もし本当に自分のネットワークを守りたいと思うなら、自分のネットワークを完璧に知らなきゃいけない」ってことです。デバイス、セキュリティー、テクノロジー、それらに使われているものを知らなきゃいけない。どうやって私たちがうまくハッキングをやっているか?ネットワークを熟知しているのです。そのネットワークをデザインした人よりも、守っている人よりもそのネットワークを知るためにしっかりと時間を割きます。それが絶対条件。大事なんでこれからも何度か出てきますよ。

 

 さて、侵入に関していうと、侵入にも段階があります。だから侵入を妨害するにはそれぞれの段階を切り離して進めなくしてしまえばいい。じゃあどんな段階があるかっていうと最初の侵入は偵察です。誰かが行ってターゲットを理解しようとする。最初はスキャニングみたいなシンプルなとこから始まります。出かけていって物理的に実際のターゲットをスキャンする。誰が重要な人物か?、メールアドレスは?なんてなことを理解します。ターゲットに関する情報を見つけるわけです。ほんとに何を学べるか、何を理解できるか、ってことです。さっきも言ったように、成功への鍵はそのネットワークをつくった人より深く知ることにあります。そういうわけで偵察段階はとても重要です。もういっちょこれに関するキーポイントはあなたがそのネットワークで使おうとしているテクノロジーを知ることです。私たちはそのネットワークで実際に使われているテクノロジーを知ってます。微妙に違うのわかりました?あなたたちは使おうとしている。私たちは実際に使われている。そういう風に考えると、ネットワーク内のデバイスのセキュリティー機能が学べます。それを勉強して、理解して、弱点を見つけるわけです。実際のところ私たちの同僚には実際にデバイスを作成した人よりも詳しくそのデバイスのセキュリティー機能を知ることができる連中がいます。全体的な製品そのものとか、デバイス作成者がやろうとした全部のことを知れるわけじゃないけど、セキュリティーテクノロジーに関しては理解できるし、その知識をめっちゃ深く掘り下げることもできます。セキュリティーの細かい点に詳細な注意を向けるわけです。それもネットワークを理解して、そのスペースを知り尽くして。細かいとこを見るのに集中力とエネルギーを費やす。何か守るものがある皆さんは、ネットワーク、デバイスを理解するのにエネルギーを注入し、被害を防ぐのに適した方法を構築、使用しますよね。

 

 こんな具合の攻撃に対抗するために根本的なアドバイスがあります。何を使うか、何をインストールするかを査定する際の手順を用意しておかなきゃいけません。それに、自分が使っていないものはロックダウンしたり使えなくしたりしなさい。攻撃サーフェスを減らすわけです。別に新しいとかめっちゃすばらしいアドヴァイスってわけじゃないです。でも実際にネットワークにのってることと、皆さんがあるべきだとかんがえていることを比べて見ると皆さん驚きますよ。じゃあどうすればその露出しちゃってるサーフェスを理解できるか?そのネットワークをredteamし、Pentestetをぶちこむ のです。敵がするように攻撃するのです。そのスペースになにがあるのか、何が攻撃されうるのか見つけるために。きっちり働いてるネットワークがあると私たちの仕事は本当に厄介になります。だからネットワークのなかに何があるか理解しに問題点に行きあたったら、pentestをして、結果がでたら、対処しなさい!NSAで情報を守る側にいる私たちは政府のネットワークに対してredteamテストを行うわけです。そうすれば避けようがなくネットワークの中で設計しそこなったもの、セットアップされるべきでないもの、セキュリティホールが見つかります。そしたらレポートをつくってネットワークの持ち主にどこを直さなきゃいけないか伝えるわけです。何度もサイクルをやってって同じネットワークにredteamをやりなおすとこまでやります。オリジナルのレポートにあったセキュリティーホールが二回目にもみつかることはほとんどありません。いつでも最初のオリジナルのレポートに戻ります。以前のレポートで指摘されたことはなおされたか?言語道断で許しがたいことですが、2年ほどして戻ってくると同じセキュリティホールや弱点がみつかります。企業部門でみたこともありますよ。私たちのターゲットでみたことがあるわけです。どっかのスペースに弱点があるって言われたら、そこをとじてロックダウンしましょう。 


 そういう発見をしたりスペースにredteamをしたりしてリソースを調査したら、次に進みましょう。次のキーポイントは、セキュリティ・ホールがちっちゃすぎて気づかれないとか攻撃されないとか絶対に考えないことです。全体を通してpentestをやったらこんな具合に考えるかも。「この97個に関しては完璧。でもこっちの3つはちょっと微妙。まあそんな問題ないでしょ。とりあえずほっとこっか。」それこそが私たちには必要なんです。足がかりがね。最初の割れ目、最初の縫い目、そこをじっくりしっかりきっちり見て、微妙な問題の極端なとこを探し、こじあけてねじ込むのです。だからそういった結果に注目してください。これは一時的なセキュリティーの弱点に関して話すときも同じです。あなたがネットワークを持っていて、trust zoneやネットワーク境界内に問題があり、ベンダーと話しているがどうもうまくいかないとしましょう。そしたらベンダーがこんなことを言う。「ちょっとあけてみてくれませんか。ちょっと入ってみて攻撃してみましょう。いくらかログをとって、それからなおしてあげますよ。週末中にはやっちゃうから大丈夫です。」あなたはそのドアを24時間とか36時間とか開きっぱなしにしておきますか?国家側のハッカーとして言わせてもらいましょう。APT攻撃と呼ばれるには理由があるのです。つまり私たちはつっついてつっついて待って待ってさらに待つんです。私たちは開く機会を、そして任務を完了させる機会を探しているんです。

 

 この偵察段階におけるもう一つ大きな部分は、ネットワーク境界についてわかることです。さっきは皆さんがネットワーク上にもっておこうとしていることについて知ってるって話をしましたね。私たちは実際に皆さんのネットワークにあるものを探すのです。最近ではネットワーク境界がより無定形で浸透的、あるいはその他のことをふくむようになり、これはより難しくなっています。自分のデバイスを持ち歩く風潮とか、IoT、リモートでのお仕事とか。そんなこんなでInterconnect Network要素が変化し続け、管理統制のもとにおかれる状況が現実のものとなったのです。物理的な所在地の統制下で自分のドメインに接続された最低限のネットワークで最低限の機材が使われてるなんて状況もあります。考えてみてください、いまやあなたが信用がおける領域にあなたのドメインの構成要素となっているものがある。クラウド・コンピューティングとは他の誰かのコンピューターにはずいぶん素敵な名前です。あなたが自分のデータをクラウドに持っているとしましょう。あなたはセキュリティープロトコル、物理的なセキュリティー、その他外部的エンティティーを信用しているってことでしょうか。うまくいってるかもしれないし、いってないかもしれない。ひょっとしたらあなたはそのクラウドに何があるか常に追っかけて理解しているかもしれない。でもそのクラウドにあるものはいまやあなたのリスク、責任でもあるわけです。

 

 事態をめんどうにしている風潮はどんどん育ってますし、ネットワーク境界は拡大していってます。信用境界は今はパートナーの個人的なデバイスまで拡大してます。誰だってiPhoneAndroidタブレットを持ちたいし、デバイスをどんどん代えてます。みんなネットワーク上のこれらを信用してるわけです。ヒーターやクーラーのシステムすらあるでしょ。他の要素もインフラやその他たくさんを構築しています。じゃああなたたちは実際にあなたたちが絶対に守らなければいけないものにまつわる信用境界を支えるためになにをしているのでしょうか。私にとってこの質問とはつまりこういうことです。守らなければならない自分の王国への鍵を自分は本当に知っているのだろうか。ツールキット、防衛、王冠の宝石。(権限のこと?)に気をつける。その注意と厳密さこそが私たちに仕事をさせにくくするのです。

 

 さて、偵察をした後にくる段階とは、初期攻撃です。そのネットワーク内に突入する道を見つけなければなりません。試してみて機会をえられるかどうか。標的型攻撃をしてみるのもいいでしょう。水飲み場攻撃も。誰もが行くきちんと防衛されていないサイトはないでしょうか。すでに知られていて、弱点もわかっている脆弱性を攻撃する。さらにすでになされた行動に対する攻撃のレシピもあります。SQL injection、zerodayに対する攻撃、私が思うに、多くの人は国家というものがzerodayというエンジンに則って働いていると考えているようです。マスターキーをもって出かけて、鍵をはずして、中に入る。実際はそんなことありません。巨大な企業ネットワークを見てみましょう。巨大なのならどんなのでもいいです。はっきり言いますが、根気よく集中してやっていれば必ず入り込むことができます。zerodayがなくても攻撃を達成することができるのです。一つの道を突き進むよりも、より簡単で、よりリスクが少なく、そして多くの場合より生産的なベクトルがはるかに多く存在しているのです。根気のいるベクトルを回避するためには、継続して防衛作業にあたらなければなりません。なぜならもしも世界が継続して進みながら既存の製品やサービスのセキュリティホールについて新しい情報を発信しているのなら、あなたも継続してそのスペースの内部でアップデートしたり防衛したりしなきゃならないのです。

 

 さて、ほとんどの侵入は三つの初期ベクトルのうちのひとつから始まります。まずはE-mail。ユーザーがメールを開いてクリックすべきじゃないとこをクリックしちゃった。それからウェブサイト。敵対的なサイトに入っちゃってそのまま進み、実行されるかあるいはユーザーがウェブサイトのコンテンツをつかっちゃった。あるいはリムーバブルメディア。ユーザーが感染したメディアを挿入し、エアギャップ・ネットワーク間をブリッジングしちゃった。おおまかにいって以上の三つが重要な三つです。このスペースの中でどこへ向かうべきか。ユーザーが自動的に正しい選択をするなんてことに頼らないためにもネットワーク自体に行くべきです。時には専門家すら間違っています。じゃあどうすれば事故や凡ミスを防ぐために技術的な強化をなすようなポリシーを作り上げられるのでしょう。どれだけ迷惑メールをクリックしないよう訓練をしたって人間はクリックしちゃうんです。国家のAPTレベルになったって時にはメールがすごくうまく作られててクリックしてもそんなにおかしくなく思えてしまうこともあります。それじゃあどうやって起爆を防ぐのか。皆さんのアーキテクチャーやポリシーは発生しうるユーザー行動に対し防衛しうるか。脅威ベクトルをとめることができるか。もしできるのなら私の仕事はいっそう難しくなります。私が絶対お勧めするのは、脆弱性を緩和するマイクロソフトEMETです。誰もがそれをつけてるでしょ?劇的にそのスペースで起こりうるベクトルの数を減らすことができます。私ならNSAの情報保証局(NSAの発行してるセキュリティのガイド?)を見てみますね。そこにはhost mitigation packageがありますから。ホストのレベルでロックダウンしたりmitigationしたりするのにはいい実践になります。EMETは一つの推奨でしかありません。他にもロックダウンをうまいことやってくれるものはたくさんあります。それがガイドです。アメリカ合衆国政府の機密を守る上でこれ以上の秘密のソースはありません。ガイドを見てみてください。実にしっかりしています。
もう一個やらなきゃいけないことは、ソフトウェアの向上を利用しなければならないということです。CVEと脆弱性についてはもうすでに言いました。もし攻撃されうる既知のバグがソフトウェアにあるのなら、それを直してネットワークから取り除かなければなりません。ユーザーのコントロール外でアップグレードや自動パッチングをしてくれているソフトウェア業界に感謝ですね。これぞ実にすばらしいセキュリティー実施です。新しく閉じられた脆弱性があれば、それは新たにあなたのエコシステムの一部になるのです。これはすばらしいことです。このことによって既知の脆弱性と攻撃とが結びつく機会を減らすことになるわけです。そしてこのことが一年や二年に一度あれば、いよいよ攻撃は難しくなります。


 さらに私がお勧めするのは安全ホスト基準(secure host baseline)を使うことです。ちょうどhost mitigationプランと同じ具合に、IED製品ですね。安全ホスト基準は外郭をロックダウンするのに現在では最上の方法です。これもNSAの情報保証局NSAの発行してるセキュリティのガイド?)のウェブサイトを見てみてください。はっきりいえますが、我々の組織は人々をとても、とても上手く教えて鍛えます。我々は知識を制度化するのです。そして人々が次のレベルに達せられるように教え、彼らが働いたり攻撃をしたりできるようにします。我々が教えていることが最良のことです。ずっと受け渡していき、この最上の方法を使います。私は攻撃にだって最上の方法を使うのです。あなたがたは防衛のために最上の方法を使いますか?結局のとこはそこなんですよ。もしあなたが誰かが狙うようなものを持っているなら、それを守る必要がある。頂点捕食者があなたの情報を奪うために何をしているのか注視する必要がある。彼らは攻撃のために最善の方法を使ってきますよ。あなたたちは防衛のために最善の方法を使わないと。
ほとんど全ての侵入の最初期において、皆さんは認証を得ようとしますね。しばしばきちんとした認証は危険にさらされ、侵入者がネットワークにやってきたきちんとしたユーザーに偽装して侵入できるようになってしまう。あなたのネットワーク内が普段どうなっているかを理解しておくためにプロセスやプランを持っておくことはもはや絶対条件です。誰かが認証を得た時、その認証のための規範に則ってオペレートしているか?その人は本来いるべき場所に向かっているか?やるべきでないことをしようとしていないか?よりよく守られたネットワークにはそのネットワークにアクセスする特別なメソッドが必要です。認証を監視していたり、変則的な振る舞いがないか見張っていたり。二要素認証は認証を盗むのをとても困難にします。奪われた認証の小さな割れ目が後の段階での巨大なアクセスの要にならないようにすることがとても重要なのです。何年にも渡って最上の方法として推奨されてきたものは大量にあります。しかし、アカウントへの権限をより少なくする、王国への鍵を持つアカウントをできるだけ少なくする、特別なユーザーに本当に必要な分だけの権限を与える、といったようなこと。誰もが幸せにそんな世界に暮らせるわけではありませんね。なぜ私が私のサーバーやボックスなんかの管理人になれないのか?このような認証リユースを広げてしまうことが結果として大規模な危険につながってしまうのです。ネットワークの部分部分を分割する、めったに実行されないとことか、whitelistingとか、そういったこと。自分のものを大事だと思うのならこういったことを考えてみてください。こういったものが我々に仕事をしづらくさせています。

 

いくつかポイントだけ紹介する。

  • 攻撃する側 (TAO) はターゲットのネットワークについて、それを設計/構築/運用する人よりも詳しく調べあげる。だから侵入に成功する。防御する側は自分達が使っている技術、製品についてすみずみまでよく知り、導入にあたって評価するための手続きを定め、適切な設定を行い、必要のない機能を止めるということが大事。Attack Surfaceを減らすこと。
  • 高度な攻撃者がいつもゼロデイを利用していると考えるのは間違い。大規模なネットワークはもっと簡単に少ないリスクで攻略できる攻撃ベクトルがたくさんあり、そのほうが効率もよく効果的。防御側は継続的に製品やソフトウェアの脆弱性対応などアップデートが必要。攻撃のハードルを上げること。
  • 侵入にもっとも使われる 3つの攻撃ベクトルは、(1) Eメール (2) Webサイト (受動型攻撃) (3) リムーバブルメディア。(3)はエアギャップを越えるのに使われることもある。
  • 人に頼る対策はだめ。いくら不審なメールを開くなと教育したところで開くやつは開く。そうではなくて、組織のポリシーを技術的に強制するための仕組みが必要。人がミスをしても攻撃を防ぐことができるかが大事。例えば Microsoftの EMETなど Anti-Exploitationの機能を使うことを推奨。IADの Host Mitigation Package (HMP) を読め。
  • Application Whitelistingを活用する。大規模なネットワークで一般ユーザに適用するのは難しいが、本当に守るべきネットワークを分離し、その範囲内において適用する。
  • ウイルス対策ではレピュテーションの機能は有効な防御手段。コンピュータ上で実行されるプログラムに関する情報をクラウドに送信して、レピュテーションデータベースとマッチング。また攻撃ツールがアクセスするサイトのドメイン名に関するレピュテーションも有効。
  • 侵入後の Lateral Movementを防ぐには、境界防御に頼っていてはダメで、ネットワークのセグメンテーションやモニタリングが大事。
  • 攻撃者は単に情報を盗むだけでなく破壊工作をすることもある。Saudi AramcoSony Pictures Entertainmentの事例など。オフサイトのバックアップなどの備えをすること。
  • サイバー犯罪者と国家レベルの攻撃者との違いに注意。サイバー犯罪者は日和見主義だが、NSAや APTはそうではない。ターゲットに侵入できるまでしつこく狙ってくるし、侵入後は長くとどまる。したがって防御側は継続的に対策の評価、改善を行わなければいけない。そうでなければ防げない。

どれも特に奇をてらったものではなく、いわゆるベストプラクティスといわれるセキュリティ対策がなぜ有効なのかを攻撃側の手法とあわせて解説している。講演はとても平易でわかりやすく、かつ有用な内容なので、ぜひご覧になることをお奨めする。

 

TAOによるハッキングへの道 - セキュリティは楽しいかね? Part 2

 


[ Applause ] JOYCE: Appreciate it.
Thanks -- thanks for the welcome.
So -- so, as David introduced, I'm from Tailored Access Operations.
And I will admit, it is very strange, right, to be in that position, appear on a stage in front of a group of people.
It's not something often done.
Um, but -- but I'm, uh, I'm in a -- a unique position in that we produce, in TAO, foreign intelligence for a wide range of missions to include advice to informing policy makers, um, protecting the nation's war fighters 24/7.
And in that space, um, we're doing nation-state exploitation.
And so my talk today is to tell you, as a nation-state exploiter, what can you do to defend yourself to make my life hard, right?
So not many people will stand on the stage and have the perspective of an organization that does exploitation and to be able to talk to those elements that really would disrupt the nation-state hackers.
Um, so in that vein, um, I want you to think about if there's something you really, really want to protect, what do you have to do?
So you'll hear a common theme throughout my talk.
It'll boil down to a couple small things.
The theme I want you to take away is if you really want to protect your network, you really have to know your network.
You have to know the devices, the security, technologies and the things inside it.
So why are we successful?
We put the time in to know that network.
We put the time in to know it better than the people who designed it and the people who are securing it.
And that's the bottom line.
And you'll kind of hear that woven throughout the talk.
So if you think about what goes into an intrusion, there's a series of phases that happen, right?

 


As you walk down through these, um, I'll talk about the things that can...
that -- that we focus on.
Um, and you could break the chain throughout that, uh, throughout that compromise by disrupting the transitions between these elements.
So really the first phase during a targeted intrusion is a reconnaissance phase.
Somebody's got to go out and understand the target.
It starts with simple things like scanning.
Go out and physically scan the actual target.
There's understanding important people or e-mail addresses from that activity.
Going out and looking at the open-source information about that target.
So it really is, what can you learn?
What can you understand?
As I said earlier, our key to success is knowing that network better than the people who set it up.
So in that space, the reconnaissance phase is really important.
I'm gonna move my laptop a little here so I can get to my notes.
So another key point inside this, um, you know the technologies you intended to use in that network.
We know the technologies that are actually in use in that network.
Subtle difference.
Did you catch that?
You know what you intended to use.
We know what's actually in use inside there.
So when we look at that, we will learn the security functionality of the devices inside that network.
We'll study them, understand them, find the vulnerabilities.
In fact, we've got people who will know the security functionalities of those devices better than the people who developed the actual device, right?
So they won't know the whole product.
They won't know every feature that those developers had.
But they'll understand the security technologies, and they'll bring that expertise at a very, very deep level.
So inside that, um, it's minute attention to detail inside that security layer, again, knowing the network, knowing that space.
So what does that mean?
We apply the focus and energy to look at those details.
Um, will you, as people who have important things to protect and hold dear, will you put in the energy to understand the network, understand the devices and configure and use them in the proper way that would prevent exploitation?
So there's a foundational piece of advice to countering these kind of threats, right?
You've got to have procedures to evaluate what you'll use, what you'll install.
You've got to lock down and, uh, disable those things that you're, uh, that you're not using, right?
Reduce the attack surface.
Um, it's not a new or amazingly insightful piece of advice.
Um, but you'd be surprised, as I said, about the things that are running on a network versus the things that you think are supposed to be there.
So what can you do to understand that exposure surface?
Red team that network.
Bring in pen testers.
Poke and prod it, just like an adversary will do, to find out what's inside that space.
Um, find out what's exploitable.
Well-run networks really do make our job hard.
So if you go to the trouble of understanding what's inside a network, you run that pen test, you've got those results, act on it.
So NSA, in our information assurance side, will do red team testing against, uh, against government networks.
So we'll, inevitably, find things that are misconfigured, things that shouldn't be set up inside that network, holes and flaws, and we'll produce reports telling the network owner things they need to fix.
Cycle comes around to the point where we've got to get back and redo a red team against that same network.
It is not uncommon for us to find the same security flaws that were in that original report.
That's the first place we go is to the original report.
Did the things we pointed out previously get fixed?
So, um, inexcusable, inconceivable, but returning a couple years later, the same holes and vulnerabilities exist.
I've seen it in the corporate sector, too.
I've seen it in our targets, right?
People tell you you're vulnerable in a space, close it down and lock it down.
So if you've invested the resources to do that kind of discovery and red team space, um, go ahead and follow through.
Another key point, don't assume a crack is too small to be noticed or too small to be exploited.
So if you go through and do that pen test, and you say, "We look great on these 97 things, but these three things over here, they're kind of esoteric.
They probably don't matter much.
We'll probably ignore them," right?
That's what we need.
We need that toe hold.
We need that first crack, that first seam, um, and we're gonna look and look and look for that esoteric kind of edge case to break open and crack in.
So pay attention to those results.
Same thing in this discussion about -- about the, uh, the -- the temporary security vulnerabilities.
So if you own a network, and you got trouble with an appliance inside your trust zone, inside your network boundary, and you're talking to the vendor and just can't quite make it work.
And they say, "Well, open it up for me.
I'll come in.
We'll poke around.
We'll take some logs.
We'll fix it for you.
We'll do it over the weekend.
Don't worry," right?
Are you gonna open that door for that 24, 36 hours?
So I'll tell you, the nation-state attackers, there's a reason it's called advanced persistent threats because we'll poke and we'll poke.
And we'll wait and we'll wait and we'll wait, right?
We're looking for that opportunity, that opening, and that opportunity to -- to -- to finish the mission.
Another big area, I'd say, in this reconnaissance phase is figuring out about the network boundaries.
So I talked earlier about you know the things you intend to have in your network.
We look for the things that are actually in your network.
Well, that's becoming harder and harder these days as the network boundary gets more amorphous, gets more porous or gets more inclusive of other things.
Um, think about trends like bring your own devices, um, Internet of things, work from home access.
Um, these have really created situations where Internet -- interconnected network elements are under varying administration control, right?
I even see the case where leased facilities come with a leased network that is under the control of that -- that physical location and trusted in Internet...
interconnected to your domain, right?
So think about the things that are now a component of your domain, your trust zone.
Cloud computing, right?
Cloud computing is really a fancy name for somebody else's computer.
If you have your data in the cloud, right, you're trusting the security protocols, the physical security, all of the other elements of trust in an outside entity, maybe done right.
It may not.
You may have varying degrees of understanding about what's inside that cloud.
But they are now part of your risk and liability.
So I see a growing trend that are really making it hard and diffusing the network boundary.
Um, trust boundaries now extended to partners, um, personal devices, right?
All of us love to have our iPhones, Androids, tablets, devices come and go, right?
You're trusting those onto the network.
Um, there's even the heating and cooling systems, right?
Other elements of building infrastructure and more.
So what are you doing to really shore up the trust boundary around the things you absolutely must defend?
And that, for me, is what it comes down to.
Do you really know what the keys to the kingdom are that you must defend, right?
Instrument, defend, pay attention to those crown jewels, um, because that attention and rigor really makes our job hard.
So after reconnaissance, the next phase is getting that initial exploitation.
Got to find a way to get energy inside that network.
Can you go ahead and get some opportunity?
Um, these things can happen from spear fishing.
They can happen from water holing.
Is there a, uh, weakly defended site that everybody goes to?
Um, exploiting a known CVE, right, there's already a vulnerability, and there's a recipe for exploiting that -- that activity already done.
SQL injection, um, exploiting a zero day, other technologies, ways to get in.
I think a lot of people think, you know, the nation-states, they're running on this engine of zero days.
You go out with your master skeleton key and unlock the door, and you're in.
It's not that.
Take these big corporate networks, these large networks, any large network, I will tell you that persistence and focus will get you in, um, will achieve that exploitation without the zero days.
There -- there's so many more vectors that are easier, less risky, and -- and, quite often, more productive, um, than going down that route.
So to ward off a persistent, um, vector, you really need to invest in continuous defensive work, right, because if the CVE world is continuously rolling and pumping out new information about cracks and holes in existing products and services, you've got to be continually updating and defending inside that space.
So most -- most intrusions come down to one of three initial vectors, right?
E-mail, where a user opened an e-mail, clicked on something that they shouldn't have.
Um, a website, where they've gotten to a malicious website and they've gone ahead, and it's either executed, or they've -- they've run content from that website.
Or removable media, where a user inserted contaminated media, um, sometimes even bridging an air gap network, right?
But those three are the big three.
Where do you need to go in this space?
You really need to get the networks not to rely on the users to automatically make the right decisions.
Um, sometimes even the experts get it wrong.
So how can we build and ensure the policies and the technical enforcement of those written policies keep, uh, accidents and slip ups from occurring, right, because I don't care how many times you train people about not clicking on those unsolicited e-mails, um, people do.
And even when you get to the nation-state advanced persistent level, um, sometimes those e-mails can be really well crafted to the point where it's not an unreasonable thing for somebody to click on.
So how do you prevent that from detonating?
Can your architecture and your policies defend against those user actions that are gonna take place?
Can they stop those threat vectors because if they can, it really makes my job hard.
So one thing I'd absolutely recommend, um, is things like anti-exploitation features, Microsoft EMET.
Everybody ought to be turning that on, right?
It really does slow down, um, the -- the -- the amount of vectors that are available for something to execute in that space.
So I'd look at NSA's information assurance directorates.
They have a host mitigation package.
So it's best practices for locking down and mitigating at the host level.
Um, EMET is only one of those recommendations.
There's a whole series of things, um, that really do lock things down well.
That's the guide.
Those are the specificity.
There's not the secret sauce that goes beyond that inside the protection of classified material for the U.S. government, right?
Look at that guide.
It really, really is solid.
Um, the other thing you've got to do, you've got to take care of -- take advantage of software improvement, right?
I -- I mentioned CVEs and vulnerabilities.
Boy, if there's a known bug in a software that's exploitable, um, you ought to be fixing that and getting it off your network.
So I think, uh, um, you know, tip of the hat to the software industry that is making upgrades and automatic patching a background activity that's beyond the user control.
Right?
That is an outstanding security practice where it is just taking care of, every time there is a new, um, there is a newly closed vulnerability, it becomes part of your ecosystem.
That's an outstanding thing.
And that cuts down the opportunity window between known vulnerability and execution.
And if that patch window is months or years...um, again, an inexcusable practice.
So the other thing I'd encourage is use a secure host baseline.
So, again, that kind of goes like the host mitigation plan, um, the -- the IED product.
Um, secure host baseline is the current best practices for locking down configurations.
Um, again, there's some out on the NSA Information Assurance website to look at.
So I'll tell you, our organization teaches and trains.
That's one thing we do really, really well, right?
We institutionalize that knowledge.
We teach people to get them to the next level so that they can work and exploit.
So we train best practices.
We pass those on.
We use those best practices.
So I'm gonna use best practices for exploitation.
Are you gonna use best practices for defense?
Again, it -- it really comes down to that.
If you have something somebody's coming at and you need to defend it, you need to be looking at what is that apex predator gonna be doing to come after your information?
Um, they're gonna be using the best practices for offense.
You've got to be using best practices for defense.
In almost any intrusion at this initial exploitation space, people are trying to get credentials, right?
Often legitimate credentials are compromised, enabling intruders to get in and masquerade as legitimate users, um, coming after the network.
And -- and it's imperative that you have some processes and plans to understand what normal is inside your network.
So if somebody's got credentials, are they operating under the norms for those credentials?
Are they going to the places that they should be?
Are they trying things, um, that they shouldn't be doing, right?
Better-defended networks, um, require specific methods for accessing the resources of that network.
They -- they monitor credential uses.
They look for anomalous behaviors.
Um, two-factor authentication, right, making it that much harder, uh, to, uh, steal credentials.
And -- and it -- it really is important to make sure that that small crack of a lost credential doesn't get turned into a pivot in a later stage into a large access.
Um, there's been numerous security best practices that have been recommended over the years.
Um, but some of the things like making sure lease privileges for accounts, right?
There are only a very small handful of accounts that have the keys to the kingdom.
And you only give the privileges needed, um, to specific users.
Um, not everybody's happy living in that world, right?
Why can't I have admin to my server or my boxes, those kind of pieces?
Those are the kind of wide-ranging credential reuses that wind up turning in to large-scale compromises.
Um, segmenting off portions of the networks rarely implemented, whitelisting, things like that.
If you care about your things, consider those, right?
They really do make your hard -- Make our life hard.
We also really love it when administrator credentials or other system-wide credentials are hard coded into scripts or accessible on the devices.
You know, so I think people are starting to understand the pass the hash vulnerability, right?
If you haven't learned about that, if you don't know what pass the hash is, go -- go understand it.
So that's something where you can get, you know, uh, a domain credential.
And you -- you can grab a credential and move laterally onto other machines and just pivot like mad throughout the network.
So one of the -- the key activities is really thinking about, um, how you manage those capabilities so that you can protect against, uh, against pass the hash.
I mentioned that if things are hard coded and included in scripts, you know, they're vulnerable and -- and likely, um, to be pulled.
Most of the -- most of the modern protocols these days are not passing credentials in the clear.
But do you think nation-states are taking advantage of the ones that are, right?
So you got to look for those older protocols, drive 'em out of your networks.
Um, it -- it -- it's not enough to know about things like pass the hash and making sure that all of the authentications are done only with more modern protocols that keep the passcodes and passwords out of, uh, out of plaintext.
Um, but think about where you've hard coded and -- and enabled one box to log in through an account to another to do an activity.
Um, it really does make yourself vulnerable.
The other big thing I'd recommend, enable those logs but also look at the logs.
You'd be amazed at incident response teams go in and, you know, there's been some tremendous breach.
Yep, there it is right there in the logs.
Great.
You've got logs.
It'll tell you that you've been had.
Um, enable those logs.
Look at those logs.
I'll tell you, one of our worst nightmares is that out of band network tap that really is capturing all the data, understanding anomalous behavior going on.
And somebody's paying attention to it.
So rewind all the way back to the beginning of my talk where I said you've got to know your network, understand your network because we're going to, right?
Those logs, they are just the rock bottom bedrock foundation of understanding if you've got a problem or if you've got somebody rattling the doorknobs to give you a problem.
All right? So somebody's cracked open the door.
They're -- they're on the threshold.
Um, the next thing they've got to do is they want to establish persistence.
It's not good enough just to be in a network.
But if -- if you're really there to exploit, you want to dig in, um, and hold, right?
So work happens at this point.
Privilege escalate, maybe, so that you can get down some tools, um, finding run keys, um, getting into scripts, other technologies to ensure that persistence, um, onto those computers so that you can stay.
One of the things we run into here, um, things that have, uh, implemented application whitelisting makes this world hard.
Um, application whitelisting, it is difficult for generic users in a large network to know exactly what applications you're gonna run, what should be permitted.
There's some good work going on, um, to make this a little more generic and understand what's -- what's routine and what's not inside an organization.
But, again, as I said, you know, figure out early what you need to protect, segment that off.
And that's the place you maybe want to think about whitelisting, right?
Make sure that in that space they can't run a piece of mail where something new or unusual.
Um, your goal needs to be to -- to restrain that malicious behavior, um, keep it from launching in the interim.
So then after you've gotten into the network, um, install some tools, right?
Usually, the first tools down are lightweight, small beaconing things.
Their intent is to establish that beachhead and then bring down the tools that are actually gonna do the work.
Um, so -- so there are things, I think, the AV industry, at times, gets a bad rap for their ability or inability to keep things off.
You know, if your AV is a list of bad things that shouldn't run on your computer, um, that's not a great technique because that just means the unique thing you need to run on that computer needs to be unique, and it will never be in that list.
Um, but the research and the technology's evolving now where, um, reputation services are more the -- more the norm.
So every piece of, uh, software that wants to execute on your machine gets hashed, pushed up into the cloud.
Um, let me tell you, if you've got a reputation service, and it says that interesting executable that you think you want to run in the entire history of the Internet has been run one time, and it's on your machine, be afraid, right, be very afraid.
So reputation services are -- are -- are a growing technology, um, that can make our life hard.
Similarly, most of these tools want to talk out to a domain to get those, um, those further modules.
Um, they want to talk out, um, and, uh, and call back home.
They want to report success or bring data back.
So -- so they'll be wearing a domain name, right?
Reputation services work probably even better in the domain name world, um, because the domain names, um, if -- it's not enough to block bad known bad domains, right?
That's important.
But usually that'll get you the crime where you've got to block the things that are not known good.
It's really hard for an exploiter to get a website created and established that has good reputation.
It's not hard to -- to register a domain and make something call out to it.
But -- but if something is evaluating that reputation, and nobody else is going to it, or the content's stale, it's not updated, um, it will have neutral or negative domain -- neutral or negative reputation.
So, again, reputation services, looking at that, that's a hard thing to overcome in domain names.
So after you're in a network, rarely do you land where you need to be.
At this point, it's important to move laterally and find the things you need to find.
So, um, the big question you need to think about is if you have an intrusion somewhere in your network, can you then defend against this lateral movement?
If you think about it, most networks, big castle walls, hard, crunchy outer shell, soft, gooey center.
How do you get to the point where you know you have an intrusion, and you're gonna keep somebody and make it difficult for them to move from the place they landed, uh, to the -- to the place they need to be?
And so, again, network segmentation, monitoring, uh, caring about your, um, the accesses that allow these privileges, they're all really important pieces.
Um, so advanced attackers really go for the crown jewels, right?
They're gonna go for those domain admins, um, to control the entire network.
You really need to limit the administrator privileges, segment the accesses, enforce two-factor authentication.
Um, nothing is really more frustrating to us than to be inside a network, know where the thing is you need to go get to and not have a path to get over to find that.
So the other thing is, um, you know, poorly considered trust relationships.
I talked earlier about the amorphous edge of your networks, um, allowing any network -- any user or any net computer with, uh, with valid credentials to access the network from anywhere.
Um, that's a poor idea, a huge risk.
Better networks employ things like comply to connect for remote access.
Um, they connect, um, and assure the security of the remote connections, maybe even figuring out physical locations, um, where you're calling from in, um, seeing some really interesting things with dynamic privileges, thinking about you can access pieces of information from inside your network but not from out, inside the state but not out.
Um, so -- so there's ways to limit and consider the segmentation in a creative way.
Um, if you really want to make my life hard, you segment, you manage the trust to the most important places.
Um, you consider who really needs that trust and who should be able to access those things.
I think another key thought that people don't have is consider how, um, consider that you're already penetrated, right?
Do you have the means and methods to understand if somebody's inside your network?
If you -- if you read statistics, Verizon does a great intrusion report every year.
Look at the statistics for how long intrusions go undetected, months or years, right, after people are inside.
So what do you have to understand and contain, um, after that first -- first pieces?
Um, so monitoring and detection inside the networks is just as important as that network boundary.
And -- and many networks, they don't have incident responses -- response plans.
And if they do, they rarely exercise them, right?
Have you ever seen incident response plan exercised inside your network?
So the Internet of things, the boundary conditions, all bringing things that are probably untrusted inside your network.
Um, why go after the professionally administered enterprise network when people are bringing their home laptops that their kids were going out and go and downloading Steam games the night before, right, inside your network and trust unit.
What's that trust boundary?
Um, and then as we mentioned earlier, the Internet of things, there is now getting to be a whole SCADA network running in parallel, sometimes interconnected, to your whole corporate network.
Have we thought about those, uh, those security elements?
Ron Rivest, you know, made a great point earlier today.
Um, have we got those things right?
Do we need to invest more in those -- those technologies to secure and defend there?
Absolutely.
So at that point, we own you.
All that's left to do is collect, exfil and exploit, right?
So once inside a network, the main focus is getting what you need, getting it out and, uh, leaving undetected.
So data theft is one arena, um, but I challenge you to think about a new one, right?
In the wake of Sony attacks, everybody's got to think about, right, I've got my basket of eggs.
I've got my most important things.
I've defended them.
I've instrumented them.
I've packed them ever so carefully in that bubble wrap and kept it off to the side with my best security practices.
Um, what about the destructive attack?
Um, so off-site backups need to be part of your plan.
Figuring out how you're gonna deal with data corruption, data manipulation or data destruction.
Um, it -- it really needs to be something you're thinking about now.
Don't be that Saudi Aramco, that Sony, um, that learns about it afterwards and then is improving.
Um, you've got to think about it now.
So the other thing I'd point out is you've got to differentiate between the cyber criminals and the nation-state intruders.
So last weekend we had the huge snowstorm on the east coast.
Turns out my neighborhood, in the middle of the night, one guy walked through the neighborhood, came through the whole court, checking every car door to see what was unlocked.
Took anything that wasn't nailed down in unlocked cars.
Didn't break a window.
Didn't pick a lock.
Just took, opportunistically, whatever he could, right?
Um, that's a lot of the Internet malware or badware.
It's looking for credit cards and opportunities to use your machine to send spam and make money, to do crypto locker and lock down and extort you for money.
But at that point, um, you know, they're opportunistic.
They're looking for the back, weak gazelle in the pack to pick off, right?
If you're looking at the nation-state hackers, we're gonna be persistent.
We're gonna keep coming and coming and coming.
So you've got to be defending and improving and defending and improving and evaluating and improving, right?
The static person is gonna float to the back of the pack and not for the crimeware, but for the nation-state advanced hacker, um, they're gonna find those CVEs, those things that are not patched.
They're gonna find ways in that aren't monitored.
They're gonna steal credentials.
They're going to get to those pieces.
So don't be that easy mark.
Anybody holding up the camera?
Who's gonna scan the QR code from the NSA guy?
All right.
[ Applause ] So that is a link.
It's a real link.
It's not a rickroll, I promise.
Trust me.
Um, so -- so -- so I'd encourage you to go to the NSA website.
There is some awesome material that keeps you from being at the back of the herd, right?
It -- it is tough to defend against that nation-state advanced persistent threat.
But -- but you really can make a huge, huge difference.
So you ought to be tightening down and learning some of these lessons, right?
So thank you for your time and attention.