Sisyphus and The Attribution Rock
In the wake of the news that Anthem has been hacked I have been taking stock of where we are today where information security is concerned. It seems that if you just look at the industry through the lens of the news media, we are all under constant assault by so-called advanced actors out to steal us blind, spy on us, or take our personal data by exotic means that are inscrutable. The reality, though, is far from that picture of advanced attacks, a picture that plays into the media and marketing blitzkriegs companies like Crowdstrike or Mandiant/FireEye are hawking.
The reality is that today we have businesses selling intelligence wholesale to corporations that are not mature enough to use the data they are being sold. On average, the data being sold by these companies is nothing you cannot get from open-source arenas for free, and on the whole it is overly focused on attribution of groups and actors. While a mature organization might have a use for these feeds and reports on various groups, the average company out there today just cannot use the data, because it lacks the practices and people to truly understand the information and apply it to the org.
Clearly the business model today is intelligence-centric and completely lacking in the areas of not only showing companies how to use their intelligence feeds to help in detection but also how to fortify their environments against the attacks in the first place. Richard Bejtlich was recently on a panel in front of the Senate when he made the comment that many times, after his company Mandiant had been on an engagement with a client, the client was once again compromised shortly after they left. This comment alone shows just how little effect companies like Mandiant are having on teaching these companies how to at least detect, if not halt, attacks. Attacks, mind you, that are not necessarily advanced as the APT moniker implies.
Let’s face the fact that most attacks today do not come from exotic 0day and sneaky DMZ hacks. No, instead these hacks happen through social engineering and phishing attacks. Sure, some hackers may be using 0day within their phishing attacks, but it has been my experience, along with that of many others, that it does not require a 0day to hack a corporate network today. The problems with many corporations stem from a lack of security awareness, as well as a lack of presence within the org to instil secure practices like patch management and employee awareness of what a phish looks like and how to detect one. Neither of these is something that Mandiant or Crowdstrike offers as a primary service. After all, if they did and it really caught on, where would they make their money?
Still, it is not Mandiant’s or Crowdstrike’s problem, is it? They are in the business of incident response and threat intelligence, right? No, the real issue here is that both of these companies perpetuate the idea that attribution is the key to stopping all your hacking woes, rather than having the proper security infrastructure to mitigate these attacks. And by infrastructure I do not mean just hardware and software; I also mean people with skill sets and an organization that understands security from the CEO down. This is the primary issue that I have seen throughout my career in penetration testing and information security. Frankly, it is one of the biggest reasons that pentesters love doing what they do: the corporations make it easy for them because they don’t have a security mindset.
I cannot tell you how many times over the years I have seen orgs that had grossly misconfigured systems as well as a lack of processes or policies that would mandate that things be run securely. Add to this the fact that these companies also lack real telemetry to track incursions, and you have an org without any insight into how it operates or what traffic is going in and out of its domain. This is endemic in corporate America, and anyone who tells you any different has an agenda to cover their own ass. Collectively, corporate America should be totally afraid of what POTUS has proposed in the way of intelligence sharing, and not because they should be worried about PII. The real fact of the matter is that they are all going to be worried that they will have to actually perform due diligence, spend money, and have actively operational security programs in order to feed information to the sharing program in the first place.
I would like to change the rhetorical argument, then, from caring so much about who did it to how a hack happens. How did the adversary get in? How did they leverage the vulnerabilities within the company to steal the data without being seen? How did the company miss all of this exfiltration of data in the first place? These are the questions I would ask first about, say, Sony, rather than who did it. Was it North Korea? Instead, let’s talk about the organization’s failures in security and how it can better shore them up to stop the next attack, instead of banging the attribution gong so loudly.
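As an added illustration of what the missing telemetry above would buy a blue team (this is example code written for this page, not anything from the post, Anthem, or any vendor named here): a minimal per-host egress baseline over constructed flow summaries. Every host name, destination address, byte count and threshold is invented; the point is that an answer to "how did we miss the exfiltration?" is often just "nobody was summing outbound bytes per host and comparing against last week."

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day, source host, destination IP, bytes sent out).
# Made-up records for illustration only; addresses come from the RFC 5737 test ranges.
FLOWS = [
    ("day1", "ws-042", "203.0.113.10", 12_000), ("day1", "ws-042", "198.51.100.7", 9_500),
    ("day2", "ws-042", "203.0.113.10", 11_000), ("day2", "ws-042", "198.51.100.7", 10_200),
    ("day3", "ws-042", "203.0.113.10", 13_100), ("day3", "ws-042", "198.51.100.7", 9_900),
    ("day4", "ws-042", "203.0.113.10", 12_400), ("day4", "ws-042", "198.51.100.7", 10_100),
    ("day5", "ws-042", "203.0.113.10", 11_900), ("day5", "ws-042", "198.51.100.7", 10_000),
    # Day 6: a workstation pushes a bulk transfer to a peer it has never talked to.
    ("day6", "ws-042", "203.0.113.10", 12_200), ("day6", "ws-042", "192.0.2.55", 4_800_000),
    # A database server with perfectly steady traffic (zero variance) must not be flagged.
    ("day1", "db-01", "203.0.113.10", 500_000), ("day2", "db-01", "203.0.113.10", 500_000),
    ("day3", "db-01", "203.0.113.10", 500_000), ("day4", "db-01", "203.0.113.10", 500_000),
    ("day5", "db-01", "203.0.113.10", 500_000), ("day6", "db-01", "203.0.113.10", 500_000),
]
BASELINE_DAYS = ["day1", "day2", "day3", "day4", "day5"]  # the "normal" window
EVAL_DAYS = ["day6"]                                        # the day under review


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def peers_seen(flows, days):
    """Destinations each host talked to during the given days: {host: {dest, ...}}."""
    peers = defaultdict(set)
    for day, host, dest, _nbytes in flows:
        if day in days:
            peers[host].add(dest)
    return peers


def detect(flows, baseline_days, eval_days, z=3.0, flat_ratio=1.5):
    """Flag hosts whose daily egress is far above their own baseline, and any
    traffic to a destination the host never used during the baseline window.
    z: standard-deviation threshold; flat_ratio: fallback multiplier used when
    the baseline has zero variance (a z-score would divide by zero)."""
    findings = []
    totals = daily_egress(flows)
    known = peers_seen(flows, baseline_days)
    for host, per_day in totals.items():
        history = [per_day[d] for d in baseline_days if d in per_day]
        if len(history) < 2:
            continue  # not enough history to say what "normal" is for this host
        mu, sigma = mean(history), pstdev(history)
        for day in eval_days:
            total = per_day.get(day)
            if total is None:
                continue
            anomalous = total > mu * flat_ratio if sigma == 0 else (total - mu) / sigma > z
            if anomalous:
                findings.append({"host": host, "day": day, "kind": "volume",
                                 "detail": f"{total} bytes out vs baseline mean {mu:.0f}"})
    for day, host, dest, nbytes in flows:
        if day in eval_days and dest not in known.get(host, set()):
            findings.append({"host": host, "day": day, "kind": "new_peer",
                             "detail": f"{nbytes} bytes to never-before-seen {dest}"})
    return findings


if __name__ == "__main__":
    for f in detect(FLOWS, BASELINE_DAYS, EVAL_DAYS):
        print(f"{f['day']} {f['host']} [{f['kind']}] {f['detail']}")
```

A five-day window is far too short for a real baseline, and a z-score assumes roughly normal daily volumes; the shape of the check matters more than the constants. The two signals are deliberately independent: the volume check catches a loud one-off transfer, while the new-peer check still fires on a slow, low-volume drip to an unfamiliar address that would never move the daily total.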
With the announcement today of approximately 80 million records being stolen from Anthem, and the usual buzzwords of advanced attack ringing in the air, I for one had to say something about the realities we face in security. Simply put, it is too often the case that organizations place security in the category of red-headed stepchild and relegate it to the sub-basement as a necessary annoyance. Security is a cost centre and troublesome, all of which is anathema to business as usual. Security causes things to perhaps move slower, makes people take a little more time to think, and generally feels like a drag on the hyper-kinetic business model so many corporations feel they need to have today. As such, it is always a battle to ensure that basic security practices like patching and hardening of systems are carried out. It’s a sad truth, and you all must have run into this if you are a blue team player.
How do we fix it all? I have no idea. All I do know is that we are losing the battle, and it is not because China is hacking us all with advanced malware on par with Stuxnet. We all need to understand that what we see out of the media is hype and what we see out of the vendors is marketing, and not necessarily what we really need. Until such time as all organizations out there understand security and its nuances, we, the workers within the security field as blue team members, will be Sisyphus.