The Defense Protocol

Over the course of several years I’ve written a lot about network security and effective strategies. Mostly I’ve kept this blog, a sort of journal, as my own documentation. But as the popularity of blogs grew, my intentions morphed more towards a contribution to the community.

The aim of this document is to wed all of my observations on network security to produce a single document that hopefully defines the nature of network security so that one can understand the very nature of the struggle and thus gain empowerment. Delusions of grandeur? Sure, why not?

Default Disadvantage

The defender of the network is at a near-constant disadvantage for various reasons. The conflict between attacker and defender is asymmetrical. The two parties don’t meet on the Internet as two opposing networks squared off for battle. Instead, the attacker uses guerrilla tactics, such as compromising one node, then using it to compromise the next, or using psy-ops (social engineering) to leverage users to aid the attack.

The attacker ultimately chooses where, when, and how to engage. The defender, by definition, can do nothing more than wait, anticipate, and then try to fend off the attack. This requires the defender to have at least some basic knowledge about a huge range of attacks, whereas the attacker can be specialized.

There is inherent chaos in the network that the defender must contend with and, conversely, the attacker can leverage. Often there are many factors of a given network that are unknown to the individuals charged with its defense. For example, there is likely a wide range of system types and roles within the network, all of which must be known and understood before they can be properly defended. There are also likely to be various generations of a given operating system, each with unique vulnerabilities and defense requirements.

Disproportionate Costs

The cost of defense is immensely disproportionate to the cost of offense. This is due to many factors. For example, the knowledge requirements that must be met by the defense come at a cost in training, cost to travel to the training, and cost in lost man-hours while attending the training. Another example is that the broadness of defensive systems adds to their cost: a HIPS infrastructure incurs the cost of licensing for numerous hosts, and many solutions incur yearly maintenance fees and/or support fees. Penetration tests or audits are also rather expensive. This is not to say that the cost of attacking is trivial, but I argue that it’s nowhere near the monetary investment required for a solid defense.

The attacker has an ethical advantage over the defender because the attacker, by definition, need not abide by ethics or morals. The defenders are rarely able to ethically initiate an attack or even ‘attack back’. The exceptions to this would of course be legal action (which is still hit-or-miss; the legal apparatus needs to catch up) or the event that the attacker is physically located on the network owned and operated by the defender, in which case all bets are off. Call it the Castle Law of the network.

Arms Race

Zero day attacks are an interesting topic for debate and I find they have an integral, necessary function in the evolution of defensive tactics. For the sake of argument, I’ve defined a zero day attack as one for which there is currently no patch available to correct it. Because the vulnerability can’t be programmatically corrected, it forces other countermeasures, which often push the envelope and thus create new defensive techniques not previously needed or known by the defense. This defines the arms race between attacker and defender, and the successful defender is one who is agile and flexible in their techniques and able to adapt to any situation.

Based on the fluidity of the network and the constant evolution of the attack and its defense — the arms race — we can conclude that the best defense is not a product or combination of products. It’s a process; a collective knowledge, a learned behavior, and an efficient, learned method of learning. The best defense becomes the ability to adapt.

Network security is a game of chess stuck in a perpetual state of middlegame. Just as in chess, it’s important to know how to best lose an asset and to always learn from the loss.

Now that we know the nature of the conflict, how do we proceed?

That’s the topic for the next installment.

I’m loved

I am loved!

And to prove it, my secret admirer has some tasty malware for me. Holy shit she’s a keeper.

Candidate matching quiz

I took the Presidential Candidate Quiz and below are my results. Keep in mind that in order to keep the quiz succinct they had to limit the options. There were many questions that I felt should have more options, like health care and immigration.

74% Rudy Giuliani
73% Mitt Romney
70% John McCain
65% Fred Thompson
64% Mike Huckabee
62% Bill Richardson
59% Tom Tancredo
55% Hillary Clinton
53% John Edwards
50% Barack Obama
48% Ron Paul
45% Chris Dodd
44% Joe Biden
37% Mike Gravel
30% Dennis Kucinich

2008 Presidential Candidate Matching Quiz

Your AV *still* sucks and you know it…

I posted an article back in April of ‘07 bemoaning the piss-poor performance of current antivirus technology and it looks like the mainstream guys are slowly picking it up as well.

According to this article by PCWorld.com, their tests showed that “the best performer detected only one in four new malware samples.” Catching 25% of new malware is actually a very good percentage given the reactive nature of current AV technology. That might have been great in the 90’s, when the top threat was viruses whose propagation was largely limited to the local host, but viruses are a threat of the past. Worms, trojans and bots are the current soup du jour for the bad guys, and reactive countermeasures are simply inadequate at preventing them. Yes, I said prevent. I want my antivirus software to stop the attack before it becomes an infection. Once it’s an infection, it’s an incident and I have to spend time, and more importantly, money to fix it, and that’s after I’ve already spent time and money on AV software and its maintenance.

As I’ve said before, AV technology needs to get their peanut butter stuck in IPS technology’s chocolate. AV should be more aware of malicious behavior as well as known malicious content. Most AV software already hooks into the kernel. Why not leverage that low-level awareness more effectively? Snarf those memory calls. Sniff that NIC access. New listener? I think not! Shut that process down and quarantine it.

‘But Michael, that’s the job of your HIPS’ you say? That’s exactly my point.
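To make the “New listener? I think not!” check concrete, here is an added example (my own illustration, not code from the original post or from any AV/HIPS product) of the behavioral side of that argument: snapshot the sockets in LISTEN state, diff them against a saved baseline, and resolve the socket inode of anything new to the process that owns it so it can be stopped. The parser works on the /proc/net/tcp and /proc/net/tcp6 format, so it runs offline on the constructed snapshots embedded below (the port numbers, inodes and addresses in those snapshots are made up) and live on a Linux host via snapshot_live().

```python
"""Behavioral 'new listener' check: baseline the listening TCP sockets, flag new ones, name the owner."""
import os
import socket
import struct
from dataclasses import dataclass

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp{,6}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "tcp6"
    addr: str
    port: int
    inode: int   # socket inode; resolved to a PID through /proc/<pid>/fd


def _decode_addr(hexaddr, proto):
    """'0100007F:0277' -> ('127.0.0.1', 631); kernel prints the address as little-endian words."""
    ip_hex, port_hex = hexaddr.split(":")
    port = int(port_hex, 16)
    if proto == "tcp":
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    else:  # IPv6: four little-endian 32-bit words, in order
        raw = b"".join(struct.pack("<I", int(ip_hex[i:i + 8], 16)) for i in range(0, 32, 8))
        ip = socket.inet_ntop(socket.AF_INET6, raw)
    return ip, port


def parse_listeners(text, proto):
    """Parse /proc/net/tcp{,6} text and return the set of sockets in LISTEN state."""
    found = set()
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()                          # f[1]=local addr, f[3]=state, f[9]=inode
        if len(f) < 10 or f[3] != LISTEN:
            continue
        ip, port = _decode_addr(f[1], proto)
        found.add(Listener(proto, ip, port, int(f[9])))
    return found


def new_listeners(baseline, current):
    """Listeners present now but not in the baseline, keyed on proto/addr/port (inodes change on restart)."""
    known = {(l.proto, l.addr, l.port) for l in baseline}
    return {l for l in current if (l.proto, l.addr, l.port) not in known}


def owner_pid(inode):
    """Walk /proc/<pid>/fd looking for 'socket:[inode]'; Linux only, None if not found."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                if os.readlink(f"/proc/{pid}/fd/{fd}") == target:
                    return int(pid)
        except OSError:
            continue  # process exited, or not ours to inspect
    return None


def snapshot_live():
    """Current listeners on a Linux host; empty set on anything else."""
    result = set()
    for proto in ("tcp", "tcp6"):
        try:
            with open(f"/proc/net/{proto}") as fh:
                result |= parse_listeners(fh.read(), proto)
        except OSError:
            pass
    return result


def find_new(baseline_tcp, current_tcp, current_tcp6=""):
    """Offline convenience wrapper: sorted (proto, addr, port) tuples of new listeners."""
    base = parse_listeners(baseline_tcp, "tcp")
    cur = parse_listeners(current_tcp, "tcp") | parse_listeners(current_tcp6, "tcp6")
    return sorted((l.proto, l.addr, l.port) for l in new_listeners(base, cur))


# Constructed snapshots (made-up values): sshd on :22 and cupsd on 127.0.0.1:631 plus one
# established client connection in the baseline; "current" adds a listener on port 4444.
BASELINE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:9C40 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11003 1 0000000000000000 20 4 30 10 -1
"""
CURRENT_TCP = BASELINE_TCP + """\
   3: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11004 1 0000000000000000 100 0 0 10 0
"""
CURRENT_TCP6 = """\
  sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:115C 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11005 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for proto, addr, port in find_new(BASELINE_TCP, CURRENT_TCP, CURRENT_TCP6):
        print(f"new listener: {proto} {addr}:{port}")
    # Live use on Linux: persist snapshot_live() as the baseline, then on each run
    # call new_listeners(baseline, snapshot_live()) and owner_pid(l.inode) on each hit.
```

The diff is keyed on protocol, address and port rather than inode, because a legitimate daemon restarted after patching gets a fresh inode and should not trip the check; the inode is carried along only so the owning process can be identified and dealt with.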

Watch those laptops returning from holiday break

Going through our HIPS logs I see where employees allowed their children to use their laptops over the holiday. Applications such as uTorrent were installed and used to download songs and movies. TeamSpeak was installed for online gaming, etc.

Who knows what malware these machines will bring to the network, so keep them at arm’s length and have a big stick ready to club any malware that comes charging onto your network today.
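The log review described above is easy to script. The following is an added example (my own, not code from the original post or from any HIPS vendor) that triages application-install events for a holiday window and returns the laptops to hold at arm’s length. The log format is a constructed generic key=value layout, the sample lines and host names are made up, and the list of unsanctioned applications is an assumption built from the two the post names (uTorrent and TeamSpeak) plus two obvious P2P siblings.

```python
"""Triage HIPS install events: which hosts picked up unsanctioned software during the holiday window?"""
import re
from datetime import date, datetime

# Constructed sample log in a generic key=value HIPS style (not any real product's format).
SAMPLE_LOG = """\
2007-12-21 09:15:02 host=LT-0017 user=asmith event=APP_INSTALL app="Firefox" version=2.0.0.11
2007-12-24 20:41:55 host=LT-0042 user=jdoe event=APP_INSTALL app="uTorrent" version=1.7.5
2007-12-24 21:03:10 host=LT-0042 user=jdoe event=NET_CONNECT app="uTorrent" dst=198.51.100.23:6881
2007-12-27 18:22:47 host=LT-0063 user=mlee event=APP_INSTALL app="TeamSpeak 2 Client" version=2.0.32
2007-12-28 11:05:31 host=LT-0063 user=mlee event=APP_INSTALL app="LimeWire" version=4.14
2008-01-02 08:01:12 host=LT-0099 user=rkhan event=APP_INSTALL app="uTorrent" version=1.7.5
"""

# Assumed blocklist: the two applications named in the post plus two common P2P clients.
UNSANCTIONED = {"utorrent", "teamspeak", "limewire", "bittorrent"}

# key=value pairs; values may be quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a log line into a dict of fields plus a 'ts' datetime."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[20:])}
    fields["ts"] = ts
    return fields


def is_unsanctioned(app):
    """Substring match, case-insensitive, so 'TeamSpeak 2 Client' still hits 'teamspeak'."""
    name = app.lower()
    return any(bad in name for bad in UNSANCTIONED)


def holiday_installs(log_text, start, end):
    """Return {host: sorted app names} for unsanctioned APP_INSTALL events dated start..end inclusive."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") != "APP_INSTALL":
            continue                        # NET_CONNECT etc. are noise for this question
        if not (start <= ev["ts"].date() <= end):
            continue                        # installs outside the window are someone else's problem
        if not is_unsanctioned(ev.get("app", "")):
            continue
        hits.setdefault(ev["host"], set()).add(ev["app"])
    return {host: sorted(apps) for host, apps in hits.items()}


def hosts_to_quarantine(log_text, start, end):
    """Sorted list of hosts to keep off the production network until cleaned."""
    return sorted(holiday_installs(log_text, start, end))


if __name__ == "__main__":
    window = (date(2007, 12, 22), date(2008, 1, 1))
    for host, apps in sorted(holiday_installs(SAMPLE_LOG, *window).items()):
        print(f"{host}: {', '.join(apps)}")
```

The install that falls on 2008-01-02 is deliberately outside the window so the date filter is exercised; widen the window or drop the date check entirely if the policy is that these applications are never acceptable, holiday or not.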