Here in Heidelberg we are already gearing up for TROOPERS16 (taking place from 14th to 18th March 2016!). While you are preparing for our Call for Papers or waiting eagerly to sign up for your spot in one of our legendary trainings take a look at our newest blog series “Beyond the Thunderdome: A Review of TROOPERS15”. It may offer some inspiration, help you kill time while waiting for next year’s TROOPERS, or for those that are new to our conference, give you a taste for what TROOPERS is all about. See you soon at TROOPERS16!
The first of our series is a combination of talks from our Management Track with the focus on Defense topics. Each summary comes complete with video and slides for your viewing pleasure. 😉
“Defender economics” talk created and given by Andreas Lindh
A great talk was given by Andreas Lindh, security analyst and computer security philosopher, on the first day of the Troopers15 conference. The topics covered in his talk spanned the difference between hackers and attackers, capabilities and constraints of the attackers, and how this understanding actually helps to make more effective defensive solutions.
At first sight, the situation nowadays doesn’t look good for defenders: attackers are constantly developing their skills, and while an attacker needs to find only one weakness, defenders have to protect against all possible exploits, which is obviously impracticable, as you cannot protect against everything.
But do you really need to protect against everything? Although attackers might evolve rapidly, none of them has infinite resources. They also have a budget, and this is the key point for the defender to understand.
While hackers can be extremely good at understanding a system’s logic and can spend time trying to come up with something new, attackers have to focus on the “economic” sense of their attacks: motivation, the willingness to spend resources depending on it, and then procedures (designed for efficiency, re-usability, and scalability). The bottom line is to stay within budget (if the cost of the attack is less than the value of the information, it’s worth it). On the other side, understanding these limitations allows the defender to “upgrade” the defense: raise the cost of the attack and break the attacker’s budget, so that it simply becomes disadvantageous for the latter to act at all.
The speaker gives two different examples: Google Chrome vs. Malware, and Big Company X vs. APT groups.
Google Chrome has a big market share and a considerable number of vulnerabilities, and should therefore be an attractive infection vector for malware. What can be said about malware? It is volume driven, requires a file system, and depends on a supply chain (exploit kits). Chrome, on the other hand, has a strong security architecture, rapid patch development and delivery, and silent security updates. Breaking the budget of the attack in this case means raising the cost for exploit developers (file system access usually requires multiple chained vulnerabilities) and for exploit kits (there are few publicly available exploits and no market for those that are only effective for a few days).
Big Company X has centrally managed IT, low security awareness among employees and no rapid patching. In addition, it has an APT problem. Considering the strengths and weaknesses of APT groups should help. So, they are professional, their presence is stealthy and post-intrusion activity is performed, but the attack vector is predictable and the initial intrusion is unsophisticated. There are different options for Company X. One way would be cheap and effective exploit mitigation through secure software configurations (for example, not allowing Adobe Reader to execute JavaScript). Another way, more expensive but still effective, could be adding an unknown layer, such as a third-party sandbox.
The last option, which is very expensive and only possibly effective, is some email security product (although no one knows exactly what it does).
So, summing everything up, it is not about being absolutely secure, but about analyzing and understanding the attacker’s limitations. The key to better and more effective defensive solutions is then to raise the cost of the attack accordingly.
Please feel free to download the slides here
“The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization” talk created and given by Jacob Torrey
In his intro, Jacob, who has worked with many CISOs, explained what he sees as the biggest problems for InfoSec in companies: First, InfoSec is often seen as a cost of doing business rather than a benefit. Bringing an attacker’s perspective to the table, which is his approach when doing consulting, might result in an increased ROI, as we will see later on. Secondly, he sees a huge gap between the goals of the InfoSec community and those of attackers: while the latter usually focus on convenience and the biggest effect with the least effort, InfoSec focuses on elegance and very specialized attacks.
He went on to introduce the central terms of his talk: “Trusted Computing Base” (TCB) and “technical debt”. The TCB can be seen as the body of code (and humans) that executes as part of the “privileged container”; in order to reduce the attack surface, it should be shrunk as small as possible. This, however, is not an easy task, especially when looking at the implicit trust relationships even in a simple computer: when it’s started and the BIOS is loaded, one has to trust the BIOS vendor; afterwards the ISA/PCI option ROMs are loaded, whose vendors one has to trust again, and this chain could be continued for a very long time. Jacob introduced technical debt as the trade-off that has to be made when a product is released: if it’s held back for too long, it will probably reach the market too late, but if it’s released too early, it will probably be full of bugs and problems.
After describing some low-level attacks on corporate networks, Jacob introduced three different types of attackers: those who go for the low-hanging fruit, simple thieves who are looking for quick money, and targeted attackers. In order to avoid breaches, he recommended looking at an organization from an attacker’s point of view and taking the appropriate steps. To prevent non-targeted attacks, it might be enough to be more secure than your competitors; facing a targeted attacker, on the other hand, one can be almost sure that they’ll find a way into your network.
When it comes to selling InfoSec to management, Jacob identified several needs:
– Communicate in a language that will be understood by all stakeholders and steer dialogues towards positive “win themes”
– Use metrics (!) and make sure that everybody understands them
– Provide a holistic view of InfoSec
– Predict costs 1-5 years out and find a balance between security and usability
– Never invest more than your data is worth
– Measure and track your technical debt in order to be able to defend security costs to organizational stakeholders
Following these suggestions might turn the InfoSec department from a cost factor into a value-adding part of the company.
It was a great talk and we hope to welcome Jacob again at Troopers16! To view the slides from this talk please click here
“Weapons of Mass Distraction” talk created and given by Azhar Desai and Marco Slaviero
What effects can be achieved with user-generated content? The two Thinkst guys answered this question in a very interesting way.
They presented approaches that can be used to influence how much attention user-supplied content receives on different communication channels. For their research they tried to manipulate mailing lists, news sites as well as comment systems.
There are two major approaches. The first one is used to increase the attention on something you like, for example a specific mail on a mailing list. To increase the attention on a specific mail they used so-called “sock puppets”, which are basically false online identities. These sock puppets were used to send several replies in order to generate a longer discussion thread.
The second approach is to decrease the attention on something you don’t like. In this case sock puppets were used as well, but this time to send several separate emails that start new threads.
The results related to the mailing lists showed that both approaches work very well and that user-generated content can be used to manipulate communication channels.
If you want to see all examples download the slides here
Next up in our “Beyond the Thunderdome” series: Cloud Security... stay tuned!
And as always feel free to check out our website at https://www.troopers.de/troopers/