Dailydave mailing list archives
Re: The monetization of information insecurity
From: "J. Oquendo" <joquendo () e-fensive net>
Date: Tue, 9 Sep 2014 08:28:34 -0500
On Mon, 08 Sep 2014, Brad Spengler wrote:
> Hi Dave, How to avoid repeating the mistake of AV: this is a difficult problem. I don't have much experience in defense, so if I were to ponder a solution to this problem, I would look toward the paradigm-shifters in the infosec industry. Being an avid reader of Wired and other such online magazines, my immediate thought was Google's Project Zero. We've learned from the failure of AV that ex post facto detection and remediation of single pieces of malware is a losing battle given the ever increasing number of malware samples in the wild. It seems like for every malware detected, two more take its place.

This is/was one of the main reasons why I chose to avoid doing static malware analysis. Once upon a 4-6 years ago, I was tasked to analyze a sample (Qakbot/Qbot/YourNameHere). Initially, I was able to pick this little needle out of a haystack pretty easily. As time went on, those responsible for it made some heavy duty modifications, to the point where, every 15 minutes or so, another iteration was sent (via C&C) and the whole structure changed. Waste of time.

> That's why I really admire Project Zero's approach -- it took these lessons to heart, producing a real game-changer. They're focused on ex post facto detection and remediation of single bugs, a highly effective approach given the ever increasing number of bugs in the software today.

Software bugs are one thing; however, malware makes use of other bugs (network related misconfigurations, human error), so patching/finding all bugs is not going to solve the problem either.

> What's really unique about Project Zero's approach though, is that unlike AV, Project Zero pairs its work with copious quantities of self-advertisement -- because when one's goal is making the world a safer place, one needs to make sure everyone knows it. We need to change course. Let's resolve to put the monetary focus of the industry to where it really belongs: bug bounties. Let's ensure fuzzers are employed for the next decade while we reap the bountiful rewards of their endless trickle of bugs. If we make sure this strategy dominates, we can be sure we don't hamstring the industry by focusing efforts on what produces real improvement. We know bug bounties work because their associated monetary offerings continue to increase -- the market has spoken.

With all due respect, you're looking at a single segment of security. Fix all the bugs you want: "You can't fix stupid." Where stupid is arrogant me calling someone horrible names. One of the things I love doing when red teaming is shoving java into flash, then shoving flash into a PDF, then controlling what I send, via mod_security, to a target. There is NO bug that is exploited with the attack and I have a HIGH exploit ratio. This is due to human error (opening a file), not any 0day (exploitation of a browser, IE, office).

> If we take our cues from such visionaries, I think we can avoid the parasitic growth of the infosec industry and break the chain of strategies that haven't worked for their entire reign. Respectfully submitted for your consideration, -Brad

I believe based on experience that the solution lies in the network PERIOD. A while back, I watched a show about the precious metals at West Point Military Academy. They got into a brief discussion about the security there. Getting in involved the typical show your ID, walk through the metal detector, etc. What I found kick ass cool was when it was time for the employees to go home. The entire facility was locked down. EVERY SINGLE ounce of precious metal was then accounted for, weighed, etc., before ANYTHING was to leave the building. What is the one thing you CAN CONTROL in your network? What leaves. Whether you're implementing firewalling, filtering, or analyzing, I believe the proper way to tackle the problem is figuring out a way to do so before traffic LEAVES. Because of the fact malware works (iterations, etc.) it's a waste of time analyzing (only to find out 5 mins later things changed), OR... you go bug hunting only to have someone stupidly fall for something that I do with PDFs (where no exploit is involved)... The ULTIMATE common core with ANY virus, or malware writer, or even Joe Blow APT (or is that Wang Chung APT?) is... They all need to get data OUT of the network. An extrusion mitigation/filter/doo-hickey is what I opine is the best bet. However, that too becomes cumbersome since it would HAVE to be IP based, and EVERYONE would have to run it (in the world), otherwise it wouldn't work based on any kind of blacklisting. The reason it wouldn't work unless everyone used it is simple... If I owned say Microsoft, and you went and trusted Microsoft, I could just xfer to MS, and take it from there. I have the ultimate answer but I'm not telling unless In-Q-Tel offers me a billion for the solution.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
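The "account for what leaves" idea above, as an added illustration that is not part of the original thread: a small Python egress check over constructed flow records that flags outbound traffic to destinations outside an allowlist and flags source/destination pairs that connect at a near-constant interval (the "every 15 minutes" C&C cadence mentioned earlier). The allowlist, the flow-log format and the IP addresses are all assumptions made for the example.

```python
"""Egress accounting: flag outbound flows to destinations outside an
allowlist, and flag (src, dst) pairs that recur at a fixed interval.
All flow records below are constructed sample data, not real telemetry."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress flow log: "timestamp src dst dport bytes_out"
SAMPLE_FLOWS = """\
2014-09-09T08:00:00 10.0.0.5 93.184.216.34 443 1200
2014-09-09T08:15:01 10.0.0.5 198.51.100.7 443 900
2014-09-09T08:30:00 10.0.0.5 198.51.100.7 443 910
2014-09-09T08:45:02 10.0.0.5 198.51.100.7 443 905
2014-09-09T09:00:00 10.0.0.5 198.51.100.7 443 915
2014-09-09T08:20:11 10.0.0.9 93.184.216.34 443 5000
2014-09-09T08:41:37 10.0.0.9 93.184.216.34 80 300
"""

# Assumed corporate allowlist (e.g. the outbound proxy); hypothetical value.
ALLOWED_DSTS = {"93.184.216.34"}


def parse_flows(text):
    """Parse one flow per line into (timestamp, src, dst, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def unlisted_destinations(flows, allowed):
    """Bytes sent per (src, dst) to destinations not on the allowlist."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if dst not in allowed:
            totals[(src, dst)] += nbytes
    return dict(totals)


def periodic_pairs(flows, min_events=4, max_jitter_s=5):
    """(src, dst) pairs whose connection gaps vary by at most max_jitter_s."""
    times = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        times[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            hits[pair] = round(mean(gaps))  # mean interval in seconds
    return hits
```

The allowlist check alone has exactly the weakness the message names: traffic to a trusted but compromised destination passes it, which is why the interval check is run independently of the allowlist.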