Tag Archives: Mandiant

Comments on Comment Crew

Everyone paying any attention to security this week noted Mandiant’s report on the Comment Crew. If you haven’t, go read it first. I’ll wait.

Why You Make Groundless Accusations?

Although I work for a competitor[1], I believe Mandiant did the right thing here. Others may disagree to an extent for good reasons, while others simply went too far in their assumptions and criticisms. (And some folks just need to take off the tinfoil hats). I don’t really care that much about what makes the sekrit skwirl cabal happy, and in fact it tickles me when they get frustrated by “outsiders” (inasmuch as Mandiant is one, anyway) not playing by their rules. In any case, healthy skepticism regarding someone else’s conclusions keeps them honest, but don’t miss the big picture out of myopia. The relative prevalence of espionage and APT relative to regular criminal activity remains an open research question and a valid area of debate, but I’ve seen some really smart people this week falling into the cliché of missing the forest for the trees.

Instead, this means the adversary can’t dictate the pace and terms of the conflict, whether or not they completely retool. By driving up the cost to the attacker over time, you start to make headway. That works both ways, of course, and at the moment that balance leans decidedly in their favor. Releasing the IOCs will also allow defenders to discover additional compromises. Remember that opponents make mistakes, and so we can capitalize on the opportunity for ongoing intel gathering as they transition to new infrastructure (assuming they even bother).

Sharing information has more than just tactical value. In my view (obviously not one shared by Congress), this points out that we don’t need the government to get in the way with CISPA or other information-sharing that stays behind walls of overclassification or possibly creates additional privacy and civil rights issues. We can do this the right way and improve things. Partisan politics lies way outside the scope of this blog, but I certainly see this as “we’re from the government and we’re here to help” territory.

[1]: As usual, these represent my opinions only. And that’s only good for today anyway because I may change my mind as new facts come to light or I think about topics more thoroughly.

Twitter review: 2012-03-23

While I’m dissecting the Verizon DBIR and the Mandiant M-Trends report, plus preparing for my talk to the NAISG Dallas chapter next week (“Evolution of an IRT”), I thought I’d take a look at some relevant Twitter data.

Storification

First, I assembled a Storify to document a conversation on Twitter today related to those two reports. Take a look at DBIR and M-Trends: Different Perspectives. Credit to @bond_alexander for kicking it off.

Twitter dataviz

I also generated the below visualization using xefer. It shows activity by hour of the day, by day of the week, and the ratios of tweets / replies / retweets, all in US Central time (GMT-6 or -5 during DST).


A few things jumped out at me:

  • I usually go offline around 11pm and don’t get going again until 7 or 8am the next day. Typical sleep cycle.
  • Twitter activity declines during the noon (lunch) hour.
  • During the 5pm hour, I have very little to say. This represents the time I wrap up my daily work, drive home, and see my family.
  • Activity drops off during the weekend, when I spend time with the family or generally relax (e.g. gaming).
  • Thursday and Friday evenings slow down considerably compared to Monday through Wednesday evenings. I know why that happens on Friday (going out), but not Thursday.
  • Wow, I chat a lot. But if you follow me, you probably knew that already.

Blocking Trending Topics

Lots of us can’t stand to read the “trending topics” on Twitter. They usually revolve around celebrity “news” and other useless bits. If you have Adblock Plus for Chrome or Firefox, though, just add the following two lines to your filter list:

twitter.com##.trends-inner
twitter.com##.wide-trends

Other tweets this week

A few relevant Twitter postings:

Next time, I’m doing that in Storify.

MIR training class

"School" by Jim Potter

Last week, I took the MIR class from Mandiant. Primarily consisting of product training (as expected and desired), this turned out to be one of the better vendor classes I’ve taken in my career. While I’ve used MIR for close to six months now (and its free predecessor for considerably longer), I still got plenty out of it.

The class runs four full days and starts off with the expected topics like installation, deployment, using the admittedly difficult UI, and related tasks. From there, we delved into responding to simulated intrusions. While I learned a few investigative tips, in general this mostly highlighted the platform’s strengths. The class also briefly covered counter-forensics and malware analysis, but at a very high level[1]. The art of writing IOCs and sweeping your enterprise took an entire day and included lots of detail and practice.

I appreciated the instructors’ background: professional IR types with good teaching skills rather than career trainers who pretend to know something about what we really do every day. Slide reading just didn’t occur, and the hands-on exercises take up at least half of the class.

More than anything else, I liked the collection of students in the class. We had about eight “outside students” and four to six Mandiant employees on any given day. But unlike some classes that never engage during the “lecture” portions and go their own way during breaks and lunch, we had lots of great back-and-forth during class, informative lunches, and I like to think that I made several solid professional connections that week.

A few things could improve, some of which have more to do with the product than the course. The room felt a little cramped, for example, and we probably could have used even more time dedicated to searching, filtering, and writing IOCs.

In general, I found the class really valuable and will send more of our staff to the class in 2012. Mandiant doesn’t like it when we talk about when they might offer the class again, so keep an eye on their Twitter feed and web site if this seems like something you could use.

1: I have taken the Black Hat edition of their malware analysis crash course and it’s worthwhile for responders who need to understand the basics and have some background.

Overview of incident and threat reporting standards

"..." by Pom²

I’ve spent a lot of time looking into standards for sharing information about incidents as well as detailed threat data lately. As it turns out (and as one would expect), lots of smart people have built some useful tools for sharing this information. So I thought I’d talk a little about what I’ve found and how various standards can work together in a stack.

Lately, the new OpenIOC standard has gotten some discussion. This is an XML schema that one can use to describe specific threat signatures: MD5 hashes, mutexes, registry keys, and the like. If an organization wants to share information categorizing a particular piece of malware, say, or other ways to identify a system that has been compromised by a particular threat, then IOC does that well. It’s the sort of thing that ThreatExpert could use to provide signatures for the malware it analyzes, or an investigator could use to describe artifacts left by a particular attack. I don’t know of other standards that hit this particular pain point, though I’d love for someone to point them out to me.

Now some of us have asked how this compares to IODEF, an IETF standard that describes an entire incident. CIRTs could exchange IODEF information about a particular attack: attacker identities, targeted assets, vulnerabilities and exploits, impact on the affected assets, contact information, etc. In fact, I believe that IOC could fit into IODEF to describe the indicators that can characterize a particular incident, but IODEF includes much more. To use a networking analogy, IOC is to IODEF as HTTP is to TCP. Or to take a law-enforcement approach, IODEF represents the police report for an incident and IOC represents the fingerprints found on the scene.

Some readers will also be familiar with VERIS, an information-sharing framework originally developed by Verizon. Unlike the other two standards, however, VERIS tries to organize the data into high-level metrics: demographics of the victim (e.g. organization type, industry, staff size), A4 incident classification (agent, action, asset, attribute), and that sort of thing. This doesn’t yield actionable intelligence, but it does help us analyze trends in the overall threat landscape. To carry on the previous analogies, VERIS corresponds more to traffic flow statistics or to the FBI Uniform Crime Reports.

All of these standards, and others like them, have a role to play in helping defenders share useful information and collaborate appropriately. In a future post, I’ll talk about some relevant tools that use these standards.

DFIR fundamentals with Mandiant updates

Chew-bach-a

Chewbacha revisits the classics

Today, I had the opportunity to listen to the latest installment of Mandiant’s web series “Fresh Prints of Mal-ware”: The Nutts and Boltz of APT Persistence Mechanisms, hosted by Chris Nutt and Jason Rebholz. (The puns are strong with this one!)

The first part of this discussion consisted of some DFIR fundamentals, like looking at the file system timeline. This should include all eight time stamps in Windows / NTFS (the four standard-information times and the four file-name attribute times). Rather than just start “looking for evil,” the investigator needs to start with a question. My favorite, where applicable, is to look at all system activity around the time of whatever other suspicious activity caused me to look at the system in the first place (e.g. network traffic). Another colleague mentioned using Splunk for forensic timeline research. I’ve not used this technique myself but the concept is solid.
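The pivot-around-a-question approach above, as an added example (my own code, not anything from the webinar): it parses a small constructed timeline in a pipe-separated bodyfile-like layout I made up for this example (time, source attribute, MACB flags, path), pulls out everything within a few minutes of the time the suspicious network traffic was seen, and, going one step beyond the paragraph, compares the two creation times for each file, which is the main reason to carry all eight timestamps rather than four.

```python
"""Pivot an NTFS file-system timeline around the event that brought you to the host.

Added example, not from Mandiant's webinar. Timeline rows are constructed sample
data: ISO time | source attribute ($SI = $STANDARD_INFORMATION, $FN = $FILE_NAME)
| MACB flags | path. The MACB column uses the mactime convention: M modified,
A accessed, C MFT entry changed, B born (created), '.' where that time did not fire.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_TIMELINE = """\
2011-10-18T09:00:00|$SI|.A..|C:/Windows/System32/notepad.exe
2011-10-18T14:02:11|$SI|M...|C:/Windows/System32/drivers/etc/hosts
2011-10-18T14:07:40|$SI|MACB|C:/Users/alice/AppData/Local/Temp/update.exe
2011-10-18T14:07:40|$FN|MACB|C:/Users/alice/AppData/Local/Temp/update.exe
2009-07-14T01:14:22|$SI|...B|C:/Users/alice/AppData/Local/Temp/svch0st.exe
2011-10-18T14:08:02|$SI|MAC.|C:/Users/alice/AppData/Local/Temp/svch0st.exe
2011-10-18T14:08:02|$FN|MACB|C:/Users/alice/AppData/Local/Temp/svch0st.exe
2011-10-18T14:08:05|$SI|.A..|C:/Windows/System32/cmd.exe
2011-10-18T16:45:00|$SI|M...|C:/Users/alice/Documents/report.docx
"""

# Constructed: the moment the suspicious network traffic was observed.
PIVOT = datetime(2011, 10, 18, 14, 8, 0)
WINDOW = timedelta(minutes=5)


def parse_timeline(text):
    """Turn the pipe-separated rows into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, macb, path = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "macb": macb, "path": path})
    return events


def around(events, pivot, window):
    """Everything that happened within +/- window of the pivot, in time order."""
    lo, hi = pivot - window, pivot + window
    return sorted((e for e in events if lo <= e["ts"] <= hi),
                  key=lambda e: (e["ts"], e["source"]))


def timestomp_candidates(events):
    """Paths whose $SI creation time predates the $FN creation time.

    $SI times can be rewritten from user mode; $FN times normally cannot, so a
    file that was 'born' in $SI before it was born in $FN has probably had its
    standard-information timestamps back-dated.
    """
    born = defaultdict(dict)
    for e in events:
        if "B" in e["macb"]:
            born[e["path"]][e["source"]] = e["ts"]
    return sorted(p for p, b in born.items()
                  if "$SI" in b and "$FN" in b and b["$SI"] < b["$FN"])


if __name__ == "__main__":
    evs = parse_timeline(SAMPLE_TIMELINE)
    for e in around(evs, PIVOT, WINDOW):
        print(e["ts"].isoformat(), e["source"], e["macb"], e["path"])
    print("possible timestomping:", timestomp_candidates(evs))
```

On the sample data the window view shows the two dropped executables and the cmd.exe access clustered within a minute of the pivot, and the creation-time comparison singles out svch0st.exe, whose $SI creation time was pushed back to 2009 while its $FN creation time still says the day of the incident.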

The second part discussed persistence mechanisms in more detail, like autoruns and the various locations. On Twitter, the #m_fp discussion pointed me to two resources, one from Silent Runners and another from Trusted Signal. But they spent a good amount of time on DLL search order hijacking also, given that it doesn’t get a lot of attention but they’ve seen it in use by targeted (as opposed to opportunistic) malware.

I think this approach of revisiting fundamentals with a few new twists to keep things fresh works really well, and I hope to see more of this sort of thing from Mandiant (and whomever else!) in the future.

Threat intel sharing with OpenIOC

Indicator of Compromise by Kool-Aid Man

Mandiant recently announced OpenIOC, “an extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.” For example, you might have an IOC listing something as simple as a set of MD5 hashes and file names, or as complex as descriptors of the structure of a particular executable (PE file). The schema includes terms for network indicators as well, like URIs, IP addresses, and strings in network traffic.

Those of us who react to threats every day already know we need to get better at sharing threat intel and acting on it quickly. A number of industry and other organizations exist that help get these data out to folks who can use it, but often the intel comes in the form of a human-written report. This means that systems can’t parse the data easily, and in fact the communication sometimes has significant ambiguity in it. When systems and tools can’t parse the data, not only does that introduce delays into the detection process, it also makes validation difficult. So sometimes we get notified of malware with the MD5 sum “d41d8cd98f00b204e9800998ecf8427e” (the hash of the zero or null string), or of “http://google.com?webhp&hl=en”. Both of these have happened to me in the last few months, and while that’s simple human error, allowing tools to do some basic sanity checks would help with this.
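The sort of basic sanity check the paragraph asks for, as an added example (my code, not Mandiant's and not part of OpenIOC itself): it reads a small OpenIOC-style document and flags the two mistakes mentioned above, the empty-string MD5 and an indicator whose host is too broad to be useful. The element layout (ioc / definition / Indicator / IndicatorItem with a Context search attribute and a typed Content element) is my recollection of the OpenIOC 1.0 schema and should be treated as an assumption; the indicator values and the list of too-broad hosts are constructed for the example.

```python
"""Sanity-check indicators in an OpenIOC-style XML document.

Added example, not Mandiant's code. Element names follow the OpenIOC 1.0 layout
as I remember it (assumption); the IOC content below is constructed sample data.
"""
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample: two MD5s (one is the hash of the empty string), a file
# name, and a URI indicator that would match ordinary traffic to google.com.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <short_description>Constructed sample</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">svch0st.exe</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="Network" search="Network/URI" type="mir"/>
        <Content type="string">http://google.com?webhp&amp;hl=en</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumed allowlist: hosts whose mere presence in traffic proves nothing.
TOO_BROAD_HOSTS = {"google.com", "www.google.com", "microsoft.com", "www.microsoft.com"}


def extract_items(xml_text):
    """Return (search, content_type, value) for every IndicatorItem."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iterfind(".//ioc:IndicatorItem", NS):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        items.append((ctx.get("search"), content.get("type"), (content.text or "").strip()))
    return items


def check_item(search, ctype, value):
    """Return a list of problems for one indicator; empty means it looks sane."""
    problems = []
    if ctype == "md5":
        v = value.lower()
        if not MD5_RE.match(v):
            problems.append("not a 32-hex-digit MD5")
        elif v == EMPTY_MD5:
            problems.append("MD5 of the empty string (matches every zero-length file)")
    elif search and search.endswith("/URI"):
        host = urlparse(value).hostname
        if host is None:
            problems.append("URI has no host")
        elif host in TOO_BROAD_HOSTS:
            problems.append(f"host {host} is too broad to be an indicator")
    elif ctype == "string" and not value:
        problems.append("empty string indicator")
    return problems


def sanity_check(xml_text):
    """Map each flagged indicator value to its list of problems."""
    report = {}
    for search, ctype, value in extract_items(xml_text):
        problems = check_item(search, ctype, value)
        if problems:
            report[value] = problems
    return report


if __name__ == "__main__":
    for value, problems in sanity_check(SAMPLE_IOC).items():
        print(f"{value}: {'; '.join(problems)}")
```

Run against the sample, the empty-string hash and the google.com URI are reported and the other two indicators pass; a real deployment would swap the hand-written allowlist for whatever your organization already treats as benign infrastructure.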

This, of course, shows up the weakness with OpenIOC: a classic chicken and egg problem. The XML files don’t serve much purpose until tools can read them, but at the moment the only tools that can read them come from Mandiant: their enterprise commercial product MIR and the free no-cost IOC Finder. (Note that, while OpenIOC is released under the Apache 2 license and therefore qualifies as ‘free software‘, the same does not hold true for IOC Finder.)

For OpenIOC to work well, we need more tools and responders to support it. That could start with truly free tools like Splunk, Sleuthkit, and Snort, but I’d like to see large commercial tools like Arcsight, EnCase, and Sourcefire incorporate it as well. This applies as much to producing IOCs as it does to consuming them, by the way: if FireEye’s malware detection and analysis tools could export an IOC, detection across the network would become much more straightforward. But Mandiant, as much as I love many of the people who work there, has sort of a NIH problem: they like to blaze new trails and do cool new stuff, but working with other vendors has always seemed to stymie them as far as I can tell. Hopefully Doug Wilson, the new point man on OpenIOC, can turn that around.

OpenIOC can solve a key problem, but we will see whether anybody actually uses it to do so.

Michael Chertoff: Addressing APT at MIRcon 2011

NB: The below are my notes from Michael Chertoff’s keynote speech at MIRcon 2011. They do not necessarily represent my views, and in some cases are completely opposed to my views.

The Internet was not built with security in mind, and net culture today believes that it’s inimical to how the Internet works. But we need rules of the road, just like the actual roads. We’ve seen credit card numbers stolen from Wifi networks, and plans stolen from US companies to reproduce our stuff. DDOS attacks on Estonia and Georgia go hand-in-hand with hacktivism against organizations whose politics the attackers don’t like. Most disturbing is the possibility of a disruptive or destructive attack on an industrial control system or key piece of infrastructure. Stuxnet provides a good example though he’s basing his comments on what’s been reported in the newspapers, which he’ll accept as accurate for the sake of argument. If that can be done to Iran, what can be done to the US or its allies?

So everyone’s at risk: not just the above-mentioned groups, but anyone who does business anywhere in the world. Mining companies negotiating with the Chinese found that they had been “peeking into” their systems for additional leverage. This concept can be used to attack trading or financial platforms in order to gain market advantage. If there’s a widespread belief that some folks have that advantage, it will have an overall negative impact on the performance of the entire market. The challenge is that it seems complicated and expensive to those running mom and pop businesses, who don’t think of themselves as targets of “cyber criminals” even though they are. Identifying steps they can take to reduce their risk and deal with this type of fraud is highly valuable.

There isn’t one problem; there are a whole set of problems. There’s not one piece of software or a Maginot line that will fix things, but focusing on those things to the exclusion of all else ignores other key parts of a possible solution set. Layered defense, not a single point of defense, matters, and he doesn’t just mean hardware and software. Airline security has improved tremendously despite the fact that no one part is perfect (screening, airplanes, customs, etc.).

We’re facing threats from different actors: fraud, IP theft, DDOS attacks, destructive attacks. Different groups of people pursue different sorts of objective. Our approach to criminals centers around prosecution, although this fails somewhat for overseas attackers. Others are trying to “rob us of the birthright of our intellectual property”. So part of the solution set isn’t just arresting people (you can’t arrest nation states). You have to implement deterrence to prevent them, unlike with ordinary criminals. Nation states may have to respond at that level, rather than how we deal with criminals.

The vectors for these attacks are in three categories: over the network (the most imagined); the hardware and software in devices and systems (from fabrication of chips all the way to assembly); and the human factor (negligence or malice). Get away from the proposition that there’s a simple fix; there will never be perfect security. Concentrate on risk mitigation and risk management. You have to array all your tools against all your attackers, recognizing that not every tool works against every attack.

This requires a doctrine of cybersecurity. It has to map the landscape, the attackers, the toolset (across all possible actors, including technical, legislative, etc.). These must exist within the boundaries of the Constitution, but Congress can change specific laws subordinate to that. You won’t stop everything, so your best way of mitigating these threats is to live on the network, being aware of what’s going on and knowing what’s problematic. Information sharing also matters, particularly as we get more sophisticated about understanding our attackers. They have “tells”, including simple indicators like IP addresses and more complex indicators like particular techniques. The collection of information about these things is a critical part of building that series of layered defenses. We need to share within and among enterprises.

What role should the government play in this? Americans don’t want the government to have the same sort of control that the Chinese government has. But there are certain tools that the government has. How do we share this information in ways that don’t compromise intelligence sources and methods? There’s a unique relationship between the defense contractors and the government. Sharing exists there, but it needs to get better. In other areas, that particular relationship doesn’t exist: power grid, water grid, transportation, financial services, etc. Chertoff advocates a “private party function” for firms who understand what’s going on in many clients and can then provide information. This could include, not just addresses and signatures, but techniques. It’s about people, not just bits, and it’s really a counter-intelligence problem.

How do we train people and build the architecture so it’s easier for people to comply with the rules (and find the people who aren’t)? Social engineering defeats some of the verification questions used when passwords are forgotten. Golden questions allow the user to pre-define the questions and answers themselves. Chertoff sees this as an elegant solution, and therefore a good part of the overall solution set along with the things we already do (firewalls, secure software, etc.). Leaving laptops in hotel rooms needs just as much attention, but it requires another set of solutions.

So take a counter-intel approach and focus on the human domain, not just the tech domain. The threats won’t go away, because the value is online now. The notion of destructive and disruptive tools embedded in our control systems will be an important part of warfighting in the decades to come. Intelligence – knowledge about things and people – and sharing of that intel is the key tool in mitigating the risk.

Addressing my question on responding to civil liberties and intelligence failures for national defense in the cyber domain: an Internet kill switch for the President would probably not work, cause more damage, and be unacceptable. The harder issue is what the private sector can do in the area of civil liberties. Some advocate a series of different networks (like .secure that has no anonymity versus .wildwest with plenty of anonymity and no financial transactions). Are privacy and security opposite to each other? Security is an indefensible civil liberty. If the government is unable to secure our tax records, the promise of privacy there is worthless. People need to understand that, without security, they won’t have privacy. Understand that there will be a government on your network: will it be ours or a foreign government?

Naming and shaming can be counterproductive to information sharing. DHS could create a set of standards or metrics, and critical infrastructure organizations that don’t achieve them would suffer some form of disclosure. This has to be crafted in a way not to disclose that a company has had a breach but that they’ve not addressed underlying issues. Don’t penalize somebody for failure but for not trying or taking reasonable steps.

The rules are different for multinational enterprises, because their rules of the road are very different. So the entry point of a compromise can strongly affect how an investigation proceeds. In Europe, this is a challenge because protecting the privacy of one employee may put the privacy of all the other employees at risk. Europeans are historically fixated on data protection against the government and big institutions, not networks or criminals or terrorists, and they need to change.

We can’t take offense: you can’t go follow a burglar back to his house, break in, and take your stuff back. On the Internet, the attribution problem makes this particularly difficult as the hops from which you see the attacker could be a victim itself. This leads to problems with deterrence policies, since you can’t go to war every time you find a spy. But if you suffer an actual attack (disabling the power grid), you might want to respond, but against whom? This requires more discussion leading to public policy. You tend to get wars when you misread the other side, like Saddam Hussein misreading the US when he invaded Kuwait. Developing doctrine and policy in advance helps with that issue.

Richard Clarke: The Year of the Hack

NB: These are my notes of Richard Clarke‘s talk at MIRcon 2011 and don’t necessarily represent my own views.

People are beginning to call this the “Year of the Hack”. No need to go into the details, but he believes that we should look separately at the various attackers’ identities and policy solutions. He uses the abbreviation CHEW.

1: Crime

“Cybergang” money rivals some drug cartels, billions of USD. Foreign law enforcement (e.g. eastern Europe) frequently on the take, so that the real ‘bad guys’ operate from “cybersanctuaries”. We can get the mules sometimes, but that doesn’t solve the issue. Policy solution looks like what’s been done about money laundering, so that the crime doesn’t pay. Grow the Budapest Convention into an organization with teeth, otherwise the costs will increase for banks. And while it’s fine for the banks to get screwed, they pass on the costs to us anyway.

2: Hacktivism

Personified by Wikileaks and other similar groups. Hacking because they believe in cybersecurity is like shooting people because you believe in gun control.

The other group believes that there should be no secrets (unless it’s their own secrets). Overclassification is a real problem, but the Foreign Service has done a good job. The cables aren’t revealing nefarious stuff like if this had happened in the 1970s. The cables should never have been revealed, and the Army should never have allowed a private with a questionable background to have access to these data. The DoD facility where he sat had technology to detect and prevent this stuff but it wasn’t installed and operational.

3: Espionage

A cancer that is destroying our economy. We do it, too, but against foreign governments to protect ourselves. The US doesn’t spy on private corporations and research labs to steal proprietary information for competitive business advantage. The WTO should have written rules about what can and cannot be done via espionage. There are rules about intellectual property, albeit often disregarded. China (primarily) has hacked its way into every corporation it can find in the US, Asia, and Europe, sucking out petabytes of data. Even if data isn’t secret research stuff, they will auction off the data (e.g. transactional data and business plans to international competitors).

The attacks are frequently successful and not noticed, so companies believe they haven’t been hit. In the meantime, a factory in China looks just like theirs and produces stuff just like theirs. And the Predator drone plans were stolen years ago, so the Chinese have the “Flying Dragon” drone that is just like it. In a nation with high labor costs, the only way to compete is through knowledge and innovation. Take that away and we can’t compete.

The technology and systems need to catch up. We need a plan to deal with the “cyber-rape” of our time. The Chinese will never stop until we penalize them somehow, either overtly (sanctions, etc.) or covertly. We’re not doing either.

4: War (cyberwar)

Something we’ve never had yet. It’s not hype; if it weren’t real, we wouldn’t have a 4-star general running Cyber Command and the Navy’s 10th Fleet that has no ships.

We’re talking about blowing up the same things in society that we traditionally blow up with missiles: telco facilities, power generators, all communications. We can also do it from data centers in Nevada and Maryland, like the Russians DDOSing Estonia or Georgia.

Then there’s Stuxnet. (China’s not the only company stealing digital certificates.) It looked for very specific sorts of SCADA operating systems, and when it found it, it looked very closely at which particular version and deployment it found. 1000 of the Iranian nuclear centrifuges were physically damaged so badly that they had to be removed and replaced, but without using B2 bombers.

The code is available now, as it didn’t actually wipe itself. People can modify and redeploy it to attack other SCADA systems, including inside the US. Someday, someone will attack us this way. It doesn’t even have to be a nation state like Iran. It could be some “nutcase group” that gets its hands on attack software. Cyber Command defends .mil and .gov but not .com. DHS can offer assistance, but companies have to defend themselves.

This is like asking every company in the Cold War to mount their own anti-air defenses against Soviet bombers. But Washington thinks any new government regulation of any sort is a bad thing. Until regulations require ISPs to filter packets and SCADA systems to disconnect from the Internet, none of these things will happen.

I can haz MIRcon?

TLDR: Ninjas and beer. And security lulz.

Nothing livens up a beautiful fall day more than a bunch of geeks and suits sitting in a DC hotel meeting room talking about finding evil. Who doesn’t live for that sort of thing, amirite? So Mandiant decided that they’d get a bunch of incident response types in a room for two days, throw out some coffee and notecards and a projector screen, and see what happens.

'XIX Party Conference' by fotofreq

After having recovered from the beer tasting, intense questioning of product managers, and the ALDS (let’s go Rangers!), I can tell you that we haz moar ideaz than Taylor Swift has fashionable shoes. And that’s a lot, so some of this stuff will get a Killswitch Engage-style breakdown in future blog posts.

Kevin Mandia looks kind of like Nathan Fillion in a suit. He has nice hair, a rugged jawline, and a never-ending idiom factory lodged somewhere between those two things. (He should definitely get Captain Mal to play him in “Mandia: The Man, The Myth, The Legend.”) His keynote speech put all of these on display, and we learned that a greenish-yellow Global Threatcon Severity Indicator means we’re all gonna die, man, game over.

Mandia-Fillion

Separated at birth?

Once we moved on to the panel discussion, things started to liven up. Well, that’s not true. The panel tried to stay away from too much management-speak (yeah, you know what I mean). For example, they talked about visibility and authority for incident response: how do you know if you’re compromised? What happens when you realize you are? You probably won’t reach a 100% solution, so shoot for achievable goals. I mean, I’m really happy for your incident response program, and I’m gonna let you finish, but GE has one of the best CIRTs of all time. OF ALL TIME!

Ahem. So your best threat intel might not come from your sekrit friends in the Illuminati^W military-industrial complex^W^W^W defense industry or critical infrastructure ISAC. Your best intel might come from the cases you’re already working. Pull on the threads you already have, see where they go, and soon your sweater will be undone.

'Loose Threads' by Chris Luckhardt

Then the sparks started to fly. Let me tell you, I thought GE and BAE were in a cage match (“two corporate security directors enter, one corporate security director leaves”). Richard “GE” Bejtlich got all Courage Wolf on us: neutralize the threat, take out the bad guys, RAWRAWRAWR! Then Ron “BAE” Davis was all about “hmmm, maybe that’s a bad idea, you could get the wrong person or go to jail”. And we were all, “ooooh, he TOLD you!” in the audience, and GE was all “ORLY”, and BAE was all “YA RLY”, but then they all smiled and reminded each other that we’re the good guys after all. And we all had ice cream with cherries on top. It was nice.

Michael Graven from Mandiant came up next on behalf of an “anonymous” customer to talk about tool integration. I’m going to call them “Anony Moose” from here on out. See, Mandiant is really proud of this technological terror they’ve constructed called Intelligent Response. It has a RESTful API that spits out well-defined XML and lots of other cool-sounding 2.0 kind of stuff. Anony Moose (wonder if they were in the room at all? nah, too obvious… OR IS IT) has a SIEM that automagically generates trouble tickets when it detects, er, trouble. In paradise. Or something.

So these tickets live in Request Tracker, which has a RESTful API. See some potential there? I guess Anony Moose did, too. They took off for every zig and matched the two of them up. I hear several steps and boxes with holes were involved. And when a ticket comes in, the system reaches out and touches someone^W the target system to gather lots of volatile data like ports, processes, recent audit logs, and all the sorts of things that a super-smart sekrit security agent will want to know. Good stuff and I bet it saves them time so they can kick back in their Fortress of Solitude, laughing at the evildoers stymied by their most excellent planning.

The next talk had ninjas. No, not real ninjas, because we couldn’t have seen them. And since ninjas just flip out and kill people, I’d be dead already. But these were malware reverse engineering ninjas, which is pretty sweet even if it isn’t Real Ultimate Power. They talked about generating Indicators of Compromise, which is how you can talk about targeted malware without actually giving it up to the antivirus vendors and getting useless MD5 hashes and registry key indicators. They do some awesome behavioral analysis in addition to standard sandboxing and static analysis. They can even look at DLL-based malware, and rocking that ain’t easy. When they get super-smart sekrit security agents who find this stuff in the field, then they tear apart the malware until they find the plans. I mean, uh, how it works and how to identify all variants.

'The Urban Ninja' by Tyson Cecka

After we had coffee to clear our heads from the sheer unmitigated awesomeness that was hex dumped assembly code in a screen magnifier, a panel discussion on information sharing ensued. Now, see, everybody wants somebody to love, and if they can’t get that, they at least want somebody to share their interest in a secure operating environment for truth, justice, and the Internet way. This leads to trust issues, because the first rule of the advanced persistent threat is that YOU DO NOT TALK ABOUT the advanced persistent threat. Though I suppose that’s only unless you have clearance, in which case you totally DO talk about the advanced persistent threat.

On that note, Sandia National Laboratories scares me. They have some project where FBI agents arrest the red team and interrogate people with Borg headsets that can totally read your mind. One minute, you’re doing an incident response cyber exercise, and the next minute a man in a black suit is all, “HALLO CAN I VIOLENCE YOUR BRAIN”.

Other organizations were a little more chill. They got back on the question of trusting other folks and maybe punching them in the nose if they talk about the advanced persistent threat (see?!), but then they realized they were harshing everybody’s mellow and just said we shouldn’t share the stuff that can hurt us. And threat data never expires. At least not if you’re a defense contractor.

Ever been playing Minesweeper and, just when you think you’re about to clear it in Expert mode, get that Blue Screen of Death? It’s not all bad. We learned about how crash dumps preserve your integrity. (Apparently that doesn’t work very well on Congress’s computer systems. HEY-YO!) Normally, these dumps of the process memory space and system debug data get sent to Microsoft, but if you don’t like Steve Ballmer getting his grubby paws on your data, you can instead direct all that stuff to an internal share. And hey, maybe you can get some good forensic data out of all those dumps. If you can, then you should probably grab all the dumps and drop them in a debugger. Highly situational, but it’s better than a mudkip.

Then we had beer. It was good.

Next morning, we had a sound check with Heavy D. Not really, but Michael Graven thinks he sounds like him even though he kinda looks more like Rivers Cuomo back when Weezer made the Blue album. (Nothing but love for ya, Mike.)

MIRcon then hosted a real, actual, Man in Black. I don’t remember much except him putting on some sunglasses and asking us to look into his space pen LED. Oh, and that every investigation now relates to cyber (stop snickering, WoW players, you know that’s not what he meant). They want to get “IT” off the network, where I is “intellectual property” and T is your “treasure chest”. The FBI, or at least Assistant Director Gordon Snow, wants a culture shift so we quit putting the good stuff online where the Ebul Doers can get to it. Since the threat isn’t going away anytime soon and vulnerabilities get all the attention already, the best way to reduce your risk is to lower the value of the asset. (I assume he drives a Ford Focus, since his logic also says that the best way to keep your car from getting stolen is to drive a clunker.)

'How did that get here!?' by Purple Wyrm

Finally, Halvar Flake totally blew our minds. Honestly, he had me at “Hello, my name isn’t really Halvar Flake”, but then he set the hook when he went straight into “approximate maximum subgraph homomorphisms”. That is, imagine you have two street maps of different scale and resolution, but they actually represent more or less the same area. You’ll want to stretch and zoom and align and twist the maps until you can see where they overlap, so you can look at your wife and be all, “I told you we weren’t lost.” And that you found new families of malware.

But then, once you cluster these maps together, you can give out different signatures that tell everybody how to match up new maps. Nobody gets the same signatures, though, because (just like eating a Reese’s Peanut Butter Cup), there’s no WRONG way to perform an approximate maximum subgraph homomorphism. See, if it’s wrong, then it wasn’t really a homomorphism after all.

And by splitting things up, you don’t actually have to talk about the advanced persistent threat. That would lead to nose punchings, and anybody who would try to punch Kevin Mandia in the nose will definitely get a “NO WAI”. And probably their OWN nose punched. Because he’s Captain Hammer.

I did sort of lie. That wasn’t the final talk. But that was the last one I really noted, because after that we had a demo of MIR. And then Mandia and Bejtlich showed us their sweet incident response kung fu auditions. “I NEVER LOSE! YOU NEVER WIN!” Then real actual computer scientists handed out the Malies (think “mallies”, not “mailies” because the latter sounds kind of sexist and could create a hostile work environment). That was a one-shot deal, but many memes died to bring us that information.

And some lawyers came on to tell us about the legal costs of data breaches, but I had a plane to catch home.

For the future, I’d just suggest averaging out start times. 10:30am one day, 7:30am the next. Let’s split the difference and keep it at 9am, because ninjas and beer and baseball (let’s go Rangers!) and early mornings don’t mix.

If you want a more serious and professional look at MIRcon, go read Greg Pendergast’s summary over at the SANS Forensics Blog. And buy him a beer, because he’s a mensch.