Cyber Espionage: “The Internet is God’s gift to spies”. Plus: The New Security Heroes. Alan Paller, The SANS Institute, [email protected]


Page 1: Cyber Espionage “The Internet is God’s gift to spies” Plus: The New Security Heroes

Cyber Espionage
“The Internet is God’s gift to spies”
Plus: The New Security Heroes
Alan Paller, The SANS Institute, [email protected]

Page 2

Topics for today

Page 3

The Public Is Awakening
Editorial on Jan 26: “Why the 'China virus' hack at US energy companies is worrisome” by John Yemma, Editor

“The stakes in the global cyber-war are at least as high as those in the global war on terror.”

Page 4

Four years building to public outrage
August 29, 2005: Titan Rain
August 17, 2006: Gen. Lord Confirms

Page 5

Titan Rain
“They hit hundreds of computers that night and morning alone.

“At 10:23 p.m. PST, they found vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.

“At 1:19 am PST, they found the same hole in computers at the military's Defense Information Systems Agency in Arlington, Virginia.

“At 3:25 am, the Naval Ocean Systems Center, a defense department installation in San Diego, CA.

“At 4:46 am PST, the United States Army Space and Strategic Defense installation in Huntsville, AL.”

Page 6

What kind of data did they take?
“a huge collection of files had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.”

Page 7

Major General William Lord
“China has downloaded 10 to 20 terabytes of data from the NIPRNet”
“They’re looking for your identity so they can get into the network as you,”
“There is a nation-state threat by the Chinese.”
Maj. Gen. William Lord, director of information, services and integration in the Air Force’s Office of Warfighting Integration and Chief Information Officer. August 21, 2006, Government Computer News, “Red Storm Rising”

October 6, 2006: Commerce BIS Division
The federal government's Commerce Department admitted Friday that heavy attacks on its computers by hackers working through Chinese servers have forced the bureau responsible for granting export licenses to lock down Internet access for more than a month.

Page 8

Four years building to public outrage
Dec 1, 2007: 300 British Companies
Apr 8, 2009: The Grid

Page 9

Four years building to public outrage
January 15, 2010: Google & more
January 25, 2010: Oil Companies

Page 10

Setting the stage
Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, April 17, 2007. Chairman: Jim Langevin (RI): "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."

State Dept witness: Don Reid, Senior Coordinator for Security Infrastructure

Commerce Dept witness: Dave Jarrell, Manager, Critical Infrastructure Protection Program

Page 11

Two responses

Commerce
1. No idea when it got in, how it got in, or where it spread
2. Took 8 days to filter (ineffective)
3. Unable to clean the systems; forced to replace them
4. Do not know whether they have found or gotten rid of the infections

State
1. Detected it immediately
2. Put effective filter in place within 24 hours; shared filter with other agencies
3. Found two zero-days
4. Helped Microsoft and AV companies create patches and signatures
5. Cleaned infected systems, confident all had been found

Page 12

What was the difference?

Was it tools? No
◦ Almost the same commercial tools – Commerce had more commercial IPS/IDS

Was it skills? Yes
◦ Commerce – only experience was firewall operations, not even firewall engineering. No training other than prep for Security+ and later for CISSP
◦ State – experience and training in forensics, vulnerabilities and exploits, deep packet inspection, log analysis, script development, secure coding, reverse engineering. Plus counter intelligence. And managers with strong technical security skills.

Page 13

How critical is the shortage of technical security skills?
Jim Gosler (first director of CIA’s CITO – Clandestine Information Technology Office) in a meeting in the Pentagon (10/08) with Bill Studeman, Lin Wells, Bob Lentz, Melissa Hathaway and several others:

“The US has no more than 1,000 people with the advanced security skills to compete in cyberspace at world class levels – we need 20-30,000!”

No one disagreed

Other evidence of the shortage: “fratricide” among the integrators serving the Intelligence Community

Page 14

Why these skills matter
Wicked Rose

Key weapons in the next war will be people with advanced, technical cyber security skills

Page 15

Emerging Consensus in Military Cyber Skills Development
Offense and defense need the same deep technical skills but may diverge in late stages of development

Training should be phased with significant on-the-job experience between training elements

Team composition is equally important: different people will be better at some tasks than others; the model is special forces teams

Page 16

The New Security Heroes
Alan Paller
[email protected]

Page 17

Bringing about broad based change when no one works for you

The problem: CISOs are accountable for IT security BUT directly supervise only a small part of the systems actually in use.

Page 18

What makes a security hero?
Radically improves security in ways that can be measured reliably, and replicated
Ensures operational people are not asked to do the impossible
Ends the security wars with IT operations and with the audit staff
Teaches other organizations how to do the same thing or provides the catalyst to allow others to do even more

Page 19

Results in 12 Months
[Chart: y-axis 0.0 to 1,200.0; x-axis 6/1/2008 to 8/25/2009; series: Domestic Sites, Foreign Sites; annotations: 89% Reduction, 90% Reduction]

Page 20

Proof: Federal Aurora Response
Google Hack IE Vulnerability – zero day
IAVA and government notices
What percent of systems were reported patched at DoD in four months?
What percent were actually patched at State in the first 9 days?

Page 21

Quantify Special Threats

Google - Aurora Attack
[Chart: MS10-018 Patch Coverage; x-axis: 2-Apr to 16-Apr; y-axis: 0% to 100%, “% Both of applicable hosts Reporting and Patched”]

40 points: April 3 – 9, 2010
Risk scoring escalation from 40, 80, 120, 160 and then 320 points

[Second chart: MS10-012 Patch, Feb – March 2010]
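The escalating risk score on this slide, worked through as an added example (my code, not the State Department's own tooling or anything from the deck). The slide gives only the first window (40 points for April 3–9, 2010) and the step values; the 7-day length of every later step, the rule that a host not reporting cannot be confirmed patched, and the hostnames are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Escalation schedule from the slide: 40, 80, 120, 160, then 320 points.
# The slide shows 40 points for April 3-9, 2010 (a 7-day window); it is an
# assumption here that each later step also lasts 7 days, and that 320 is the cap.
ESCALATION = (40, 80, 120, 160, 320)
STEP_DAYS = 7
SCORING_START = date(2010, 4, 3)  # first day of the 40-point window (from the slide)

def points_for(day: date) -> int:
    """Points one unconfirmed host carries on `day` (0 before scoring starts)."""
    age = (day - SCORING_START).days
    if age < 0:
        return 0
    step = min(age // STEP_DAYS, len(ESCALATION) - 1)
    return ESCALATION[step]

@dataclass
class Host:
    name: str
    applicable: bool   # runs the affected software, so MS10-018 applies to it
    reporting: bool    # has checked in with the monitoring system recently
    patched: bool      # last report shows the patch installed

def unconfirmed(hosts):
    """Applicable hosts not confirmed patched. Assumed rule: a host that is not
    reporting cannot be trusted to be patched, so it keeps scoring until it reports."""
    return [h for h in hosts if h.applicable and not (h.reporting and h.patched)]

def site_score(hosts, day: date) -> int:
    """Risk score for a site on `day`: per-host points times unconfirmed host count."""
    return points_for(day) * len(unconfirmed(hosts))

def coverage(hosts) -> float:
    """The chart's y-axis: % of applicable hosts both reporting and patched."""
    applicable = [h for h in hosts if h.applicable]
    if not applicable:
        return 0.0
    good = len(applicable) - len(unconfirmed(hosts))
    return 100.0 * good / len(applicable)

# Constructed sample inventory for one site (hypothetical hostnames).
SITE = [
    Host("ws01", True, True, True),
    Host("ws02", True, True, False),    # reporting, still unpatched
    Host("ws03", True, False, True),    # stale: claimed patched but not reporting
    Host("srv01", False, True, False),  # affected software absent, not applicable
    Host("ws04", True, True, True),
]

if __name__ == "__main__":
    for d in (date(2010, 4, 5), date(2010, 4, 12), date(2010, 5, 10)):
        print(d, "per-host", points_for(d), "site", site_score(SITE, d),
              f"coverage {coverage(SITE):.0f}%")
```

Because the per-host points rise week over week while the host list stays the same, a site that does nothing watches its score quadruple within a month, which is the pressure the slide's escalation is designed to create.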

Page 22

He never visited any of the 200+ foreign sites

So how did he do it?

Continuous monitoring and high level data reporting

Also known as: Continuous C&A and Continuous FISMA Compliance

Page 23

What allows continuous monitoring to work?
It combines:
• Reliability and fairness in the metrics
• Authoritative consensus on what is important enough to need to be measured

• But where did the consensus come from?
• And what else makes metrics effective?

Page 24

Authoritative and Important
How can you prove you meet those criteria?

The big idea:

“Offense informs defense!”

Page 25

Who understands offense?

NSA Red Teams
NSA Blue Teams
DoD Cyber Crime Center (DC3)
US-CERT (plus 3 agencies that were hit hard)
Top Commercial Pen Testers
Top Commercial Forensics Teams
JTF-GNO
AFOSI
Army Research Laboratory
DoE National Laboratories
State Dept.

Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make?

Page 26

Result: Twenty Critical Controls
Consensus Audit Guidelines (CAG)

The twenty key controls
1. 15 subject to automation; examples:
   1. Vulnerabilities
   2. Inventory
   3. Wireless
   4. Configuration
2. 5 that are important but cannot be easily automated

Page 27

15 critical controls can be automated

CAG ID | Consensus Audit Guidelines | NIST-800-53 | CIRT Events, 11 mo
1 | Inventory of authorized and unauthorized hardware | CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9 | Multiple Tools; < 6%
2 | Inventory of authorized and unauthorized software | CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7 | < 22%
3 | Secure configurations for HW and SW, if available | CM-6, CM-7, CP-10, IA-5, SC-7 | Nominal
4 | Secure configurations for network devices such as firewalls and routers | AC-4, CM-6, CM-7, CP-10, IA-5, RA-5, SC-7 | Nominal
5 | Boundary Defense | AC-17, RA-5, SC-7, SI-4 | < 7%
6 | Maintenance/Analysis of complete security audit logs | AU-1, AU-2, AU-3, AU-4, AU-6, AU-7, AU-9, AU-11, AU-12, CM-3, CM-5, CM-6, SI-4 | Nominal
7 | Application software security | AC-4, CM-4, CM-7, RA-5, SA-3, SA-4, SA-8, SA-11, SI-3 | Decentralized
8 | Controlled use of Administrative Privileges | AC-6, AC-17, AT-2, AU-2 | Nominal
9 | Controlled access based on need to know | AC-1, AC-2, AC-3, AC-6, AC-13 | < 1%
10 | Continuous vulnerability testing and remediation | CA-2, CA-6, CA-7, RA-5, SI-2 | Nominal
11 | Dormant account monitoring and control | AC-2, PS-4, PS-5 | Nominal
12 | Anti-malware defenses | AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8 | < 60%
13 | Limitation and control of ports, protocols and services | AC-4, CM-6, CM-7, SC-7 | Not yet graded
14 | Wireless device control | AC-17 | Nominal
15 | Data leakage protection | AC-2, AC-4, PL-4, SC-7, SC-31, SI-4 | Pending

Page 28

But: “We don’t have a lot of money; how can we get started doing what State did?”

John Gilligan’s answer: You already have most (70%) of the tools you need to automate security risk measurement. The State Dept. will give you the software they use to measure and display risk. This isn’t a money issue or a technology issue. It’s a leadership issue. You don’t have to wait for someone to tell you to do it.

There is no other path available to CIOs and security managers to escape from the “compliance morass” and make a measurable difference in security.

Page 29

A relevant story...
Dog chases truck. Truck stops. Dog thinks: “Now what do I do?”

Page 30

Now What Do We Do?

We measure risk continuously and radically reduce the vulnerabilities (following the State Dept. model)
We build a cadre of skilled security architects
We buy products/systems with security baked in
We increase the rewards for security people with key technical skills (licensing)
We train system administrators to become the human sensor network
We support colleges only if they teach programmers how to code securely
We find and nurture young (and not-so-young) people with extraordinary technical skills to become the cyber guardians/warriors for the future

Page 31

How Automated Continuous Monitoring Works

Page 32

Results in 12 Months
[Chart repeated from Page 19: y-axis 0.0 to 1,200.0; x-axis 6/1/2008 to 8/25/2009; series: Domestic Sites, Foreign Sites; annotations: 89% Reduction, 90% Reduction]

Page 33

Page 34

Page 35

State Used the “20 Critical Controls”
[Table repeated from Page 27: CAG ID, Consensus Audit Guidelines, NIST-800-53 mappings, CIRT Events over 11 months, rows 1 to 15]

Page 36

Page 37

Portrait of a security hero!
[Chart repeated from Page 19: y-axis 0.0 to 1,200.0; x-axis 6/1/2008 to 8/25/2009; series: Domestic Sites, Foreign Sites; annotations: 89% Reduction, 90% Reduction]