Unseen Malware

What if malware on your network has never been seen before?

Malware writers are getting better and better about creating custom software to steal data from your network. The malware at Home Depot had never been seen before. Therefore, it could not be detected by traditional anti-malware programs. IDS programs would not be able to detect it. In fact the only way you could detect the attacks would have been through reviewing the log data and uncovering the suspicious activity.

Anti-virus, Anti-malware, IPS, and IDS systems rely on known signatures to detect know vulnerabilities, or their variants. They cannot, by design, detect something they don’t know about.

Reviewing logs from all network sources (servers, firewalls, switches, desktops, SAN’s) is the only way to know what is really happening on your network.

Book Reccomendation

I thought this week I would recommend a great new book by Brian Krebs called SPAM Nation. If you ever wanted to know why we deal with SPAM and malware this is the book to read. He goes into the reasons why, who is buying these offers, and what the business model is.

Check it out on Amazon

The Search for Automatic

It isn’t what vulnerabilities you have or what defenses you have in place, but how easily these systems can be circumvented.

There will always be a new vulnerability in software that pops up (application or operating system related).  The quest to keep everything patched is endless.  People, or companies, or departments, love automatic.  We like to have everything just run for us and send us a report at the end of the month.  Automatic scans, patching, etc..

People who want to get into your network are willing to work at it a lot harder than most companies work at keeping them out.  They aren’t using automatic tools to break in.  They rely on human intelligence to develop the tools to circumvent the controls you put into place.  Software can be programmed to turn left or right at an intersection but not think critically given the circumstances that it doesn’t know about.  A hacker can look at each route and proceed down each path, back-up if needed, and try again until he finds the best route to his destination.


The Wall Street Journal reported today that the United States government has a fleet of Cessna planes in at least five US airports that are equipped to track and aid in pinpointing of specific mobile phones.

The technology dubbed Dirtbox (Digital Receiver Technology), which was developed by a subsidiary of Boeing, mimics a cell tower tricking mobile phones. The planes fly over an area and can attempt to locate specific phones via the unique IMEI number, however all phones in the area will respond to the signal. Each phone is logged and labeled as “Of Interest” or “Not of Interest”. If a phone of interest is located they can perform additional steps to triangulate the specific location of the person or phone of interest. All encryption has been turned off so the government can obtain personal information such as what numbers were called from any of the phones. The FBI has used similar technology for years with a program dubbed Stingrays.

I am not an expert but it seems that a criminal or terrorist would not use a cell phone that could be tracked to them and switch phones often. We all know there are stupid criminals out there though.

For the vast majority of people in this country this is a direct violation of our privacy and civil rights. Who defines “Of Interest” and “Not of Interest”? If I don’t vote for a particular candidate or donate to the President’s opponent do I get on the list?

Chip-and-Pin vs Chip-and-Signature

As the news has reported for nearly a year, credit card security is getting ready to be improved by the rollout of Chip-and-Pin technology.  This technology is considered to be harder to steal thus leaving clients more secure.  Retails have gone down the road of implementing this technology over the last few years but these preparations have sped up in the last 12 months after the Target breach.

Recently, the Obama Administration has issues an executive order on the use of Chip-and-Pin for Federal Agencies.  This is a link to a great article describing the difference in Chip-and-Pin versus Chip-and-Signature.


Marketing of Security Products

Security product vendors often say that their products will block malware or trojans from getting into your network.  This is slightly misleading.  They should say that these products can block malware and trojans.  To get them to actually block threats into your network they have to be configured properly.  This is one area where you don’t want them deployed by someone that can figure it out or fumble through it.

Recently the thermostat in my house stopped working 100%.  It worked just fine if you wanted air conditioning.  However, if you wanted heat you were out of luck.  Before we knew it was the thermostat we contacted a local heating and air company.  We figured it was the heater.  We weren’t experts on HVAC systems but it seemed reasonable if the heater wouldn’t come on and the AC would that the heater was out.  Once they inspected everything we learned that it was the thermostat.  It took hiring the right people to make the determination and what our proper path was to restore heat to the upstairs.  I had no idea what to do with a heater.

As an American male I understand the desire to give it a shot myself first.  We look at a problem or a situation and our brains immediately go to how can we do it ourselves or with a group of buddies.  If there is a tree down in the backyard our first thought is how soon can we get to the store and purchase a chain saw.  We have it all worked out in our head that we need to cut here and there and we fast forward all the way through the project.

With data security things can’t be done with the same attitude.  In the network security field we have to change our approach from reactive to proactive based.  It isn’t what we will do once the tree falls down, it is what can we do to keep the tree from falling.

Flaws in Automated Security Products

Most security products are reactionary.  They respond to an event based off of a signature they already know about.  This in and of itself is not that difficult for a product to do.  Firewalls, anti-virus, intrusion prevention, etc. all use this model.  Some manufacturers tout their products ability to train itself, or to learn about emerging threats.  This model is also flawed.  Network security products can be purchased by an attacker and they can figure out very easily how to bypass this device.  Additionally, the truth is these products do not learn all that quickly.

There is a quest in the network security world to find products that can automatically detect and respond to an attack.  When the device or software detects an abnormality in a packet it can perform an action like shut down the firewall port or disable the workstation.  That sounds so cool on paper.  After all don’t we love automation?

Blindly following the advice of an autonomous product can be a costly venture.  One of two things will happen.  First, you are putting your trust into a device that can only detect what it knows about.  If the device doesn’t know about it nothing will happen.  Think about this from an outsiders perspective.  We know instinctively that Target, Home Depot, K-Mart, and Dairy Queen all had firewalls, AV, and IPS.  Yet they were still hacked and data was extracted from their networks.  The reason is the malware was morphed so the typical automatic tools wouldn’t catch it.  These attackers knew what they were doing and found a way to beat the system.  You can finger point all day long if it was a third party or failure of this or that…all of that is irrelevant.  The tools on the network failed.

The second problem with automation is that the device could overreact.  I recall several instances where a client was using a firewall that was set to detect and block malware on a network.  If the device saw strange activity from an internal device it was set to block that device so IT would have to look into the problem.  All of that would be great except the day when they were really busy and the amount of DNS requests was legitimately higher.  The firewall thought it was malware and shut down the DNS server stopping all traffic on the network.  I could name numerous others where an overzealous security product stopped traffic on the network and shut off internet requests for everyone.  The common reaction to this one is to shut off the security product (that statement is typically preceded by a four letter word) and stop using it all together.  Now the network has little to no protection.

Automation and reaction-only based security model is not the key to safe data and will lead companies down a bad road.  I think these products can be used but only in conjunction with human analytics and in a controlled format.  Log management, log review, assessments, and training for the entire company.  Getting real insight and advice on a network is critical to securing your data.  Before submitting your 2015 budgets take a look at what you are spending on these analytical approaches to security and what you are spending on the automated tools (Firewalls, IPS, AV, IDS, Managed Security).  Automation-only isn’t working for anyone.


Get every new post delivered to your Inbox.