TLDR: Ninjas and beer. And security lulz.
Nothing livens up a beautiful fall day more than a bunch of geeks and suits sitting in a DC hotel meeting room talking about finding evil. Who doesn’t live for that sort of thing, amirite? So Mandiant decided that they’d get a bunch of incident response types in a room for two days, throw out some coffee and notecards and a projector screen, and see what happens.
After having recovered from the beer tasting, intense questioning of product managers, and the ALDS (let’s go Rangers!), I can tell you that we haz moar ideaz than Taylor Swift has fashionable shoes. And that’s a lot, so some of this stuff will get a Killswitch Engage-style breakdown in future blog posts.
Kevin Mandia looks kind of like Nathan Fillion in a suit. He has nice hair, a rugged jawline, and a never-ending idiom factory lodged somewhere between those two things. (He should definitely get Captain Mal to play him in “Mandia: The Man, The Myth, The Legend.) His keynote speech put all of these on display, and we learned that a greenish-yellow Global Threatcon Severity Indicator means we’re all gonna die, man, game over.
Separated at birth?
Once we moved on to the panel discussion, things started to liven up. Well, that’s not true. The panel tried to stay away from too much management-speak (yeah, you know what I mean). For example, they talked about visibility and authority for incident response: how do you know if you’re compromised? What happens when you realize you are? You probably won’t reach a 100% solution, so shoot for achievable goals. I mean, I’m really happy for your incident response program, and I’m gonna let you finish, but GE has one of the best CIRTs of all time. OF ALL TIME!
Ahem. So your best threat intel might not come from your sekrit friends in the Illuminati^W military-industrial complex^W^W^W defense industry or critical infrastructure ISAC. Your best intel might come from the cases you’re already working. Pull on the threads you already have, see where they go, and soon your sweater will be undone.
Then the sparks started to fly. Let me tell you, I thought GE and BAE were in a cage match (“two corporate security directors enter, one corporate security director leaves”). Richard “GE” Bejtlich got all Courage Wolf on us: neutralize the threat, take out the bad guys, RAWRAWRAWR! Then Ron “BAE” Davis was all about “hmmm, maybe that’s a bad idea, you could get the wrong person or go to jail”. And we were all, “ooooh, he TOLD you!” in the audience, and GE was all “ORLY”, and BAE was all “YA RLY”, but then they all smiled and reminded each other that we’re the good guys after all. And we all had ice cream with cherries on top. It was nice.
Michael Graven from Mandiant came up next on behalf of an “anonymous” customer to talk about tool integration. I’m going to call them “Anony Moose” from here on out. See, Mandiant is really proud of this technological terror they’ve constructed called Intelligent Response. It has a RESTful API that spits out well-defined XML and lots of other cool-sounding 2.0 kind of stuff. Anony Moose (wonder if they were in the room at all? nah, too obvious… OR IS IT) has a SEIM that automagically generates trouble tickets when it detects, er, trouble. In paradise. Or something.
So these tickets live in Request Tracker, which has a RESTful API. See some potential there? I guess Anony Moose did, too. They took off for every zig and matched the two of them up. I hear several steps and boxes with holes were involved. And when a ticket comes in, the system reaches out and touches someone^W the target system to gather lots of volatile data like ports, processes, recent audit logs, and all the sorts of things that a super-smart sekrit security agent will want to know. Good stuff and I bet it saves them time so they can kick back in their Fortress of Solitude, laughing at the evildoers stymied by their most excellent planning.
The next talk had ninjas. No, not real ninjas, because we couldn’t have seen them. And since ninjas just flip out and kill people, I’d be dead already. But these were malware reverse engineering ninjas, which is pretty sweet even if it isn’t Real Ultimate Power. They talked about generating Indicators of Compromise, which is how you can talk about targeted malware without actually giving it up to the antivirus vendors and getting useless MD5 hashes and registry key indicators. They do some awesome behavioral analysis in addition to standard sandboxing and static analysis. They can even look at DLL-based malware, and rocking that ain’t easy. When they get super-smart sekrit security agents who find this stuff in the field, then they tear apart the malware until they find the plans. I mean, uh, how it works and how to identify all variants.
After we had coffee to clear our heads from the sheer unmitigated awesomeness that was hex dumped assembly code in a screen magnifier, a panel discussion on information sharing ensued. Now, see, everybody wants somebody to love, and if they can’t get that, they at least want somebody to share their interest in a secure operating environment for truth, justice, and the Internet way. This leads to trust issues, because the first rule of the advanced persistent threat is that YOU DO NOT TALK ABOUT the advanced persistent threat. Though I suppose that’s only unless you have clearance, in which case you totally DO talk about the advanced persistent threat.
On that note, Sandia National Laboratories scares me. They have some project where FBI agents arrest the red team and interrogate people with Borg headsets that can totally read your mind. One minute, you’re doing an incident response cyber exercise, and the next minute a man in a black suit is all, “HALLO CAN I VIOLENCE YOUR BRAIN”.
Other organizations were a little more chill. They got back on the question of trusting other folks and maybe punching them in the nose if they talk about the advanced persistent threat (see?!), but then they realized they were harshing everybody’s mellow and just said we shouldn’t share the stuff that can hurt us. And threat data never expires. At least not if you’re a defense contractor.
Ever been playing Minesweeper and, just when you think you’re about to clear it in Expert mode, get that Blue Screen of Death? It’s not all bad. We learned about how crash dumps preserve your integrity. (Apparently that doesn’t work very well on Congress’s computer systems. HEY-YO!) Normally, these dumps of the process memory space and system debug data get sent to Microsoft, but if you don’t like Steve Ballmer getting his grubby paws on your data, you can instead direct all that stuff to an internal share. And hey, maybe you can get some good forensic data out of all those dumps. If you can, then you should probably grab all the dumps and drop them in a debugger. Highly situational, but it’s better than a mudkip.
Then we had beer. It was good.
Next morning, we had a sound check with Heavy D. Not really, but Michael Graven thinks he sounds like him even though he kinda looks more like River Cuomo back when Weezer made the Blue album. (Nothing but love for ya, Mike.)
MIRcon then hosted a real, actual, Man in Black. I don’t remember much except him putting on some sunglasses and asking us to look into his space pen LED. Oh, and that every investigation now relates to cyber (stop snickering, WoW players, you know that’s not what he meant). They want to get “IT” off the network, where I is “intellectual property” and T is your “treasure chest”. The FBI, or at least Assistant Director Gordon Snow, wants a culture shift so we quit putting the good stuff online where the Ebul Doers can get to it. Since the threat isn’t going away anytime soon and vulnerabilities get all the attention already, the best way to reduce your risk is to lower the value of the asset. (I assume he drives a Ford Focus, since his logic also says that the best way to keep your car from getting stolen is to drive a clunker.)
Finally, Halvar Flake totally blew our minds. Honestly, he had me at “Hello, my name isn’t really Halvar Flake”, but then he set the hook when he went straight into “approximate maximum subgraph homomorphisms”. That is, imagine you have two street maps of different scale and resolution, but they actually represent more or less the same area. You’ll want to stretch and zoom and align and twist the maps until you can see where they overlap, so you can look at your wife and be all, “I told you we weren’t lost.” And that you found new families of malware.
But then, once you cluster these maps together, you can give out different signatures that tell everybody how to match up new maps. Nobody gets the same signatures, though, because (just like eating a Reese’s Peanut Butter Cup), there’s no WRONG way to perform an approximate maximum subgraph homomorphism. See, if it’s wrong, then it wasn’t really a homomorphism after all.
And by splitting things up, you don’t actually have to talk about the advanced persistent threat. That would lead to nose punchings, and anybody who would try to punch Kevin Mandia in the nose will definitely get a “NO WAI”. And probably their OWN nose punched. Because he’s Captain Hammer.
I did sort of lie. That wasn’t the final talk. But that was the last one I really noted, because after that we had a demo of MIR. And then Mandia and Bejtlich showed us their sweet incident response kung fu auditions. “I NEVER LOSE! YOU NEVER WIN!” Then real actual computer scientists handed out the Malies (think “mallies”, not “mailies” because the latter sounds kind of sexist and could create a hostile work environment). That was a one-shot deal, but many memes died to bring us that information.
And some lawyers came on to tell us about the legal costs of data breaches, but I had a plane to catch home.
For the future, I’d just suggest averaging out start times. 10:30am one day, 7:30am the next. Let’s split the difference and keep it at 9am, because ninjas and beer and baseball (let’s go Rangers!) and early mornings don’t mix.
If you want a more serious and professional look at MIRcon, go read Greg Pendergast’s summary over at the SANS Forensics Blog. And buy him a beer, because he’s a mensch.