Monday, August 13, 2007

Defensive Security: Beyond NSM

I was with the Offensive Security Cloud in the VNSEC Conference, this is the first security conference ever in Vietnam and overall it is good with some of the familiar faces we have seen in HITB. I don't plan to write anything about the security conference as you can find the event write up here. Overall I enjoy the Vietnam trip and may pay for second visit.

I had spent a lot of times studying Defcon presentation slides, and I have feeling of this -

- You will never be the expert in certain subject, unless you don't see "Time" as a factor. Every single subject requires deep interest and continuous efforts to reach "expert" level.

- There are too many vectors that leads to successful attacks, we can't just count on bugs in the software itself, and even if you are, and assuming you are hiring pentester to hunt for the bugs in the software, he or she can find bug A, but he or she may miss bug B(different skill level or just miss it, code auditing is not easy task especially in complex software). Other problem such as human errors, this is not only happening for the social engineering and carelessness part that leads to information leaking, misconfiguration of network assets that leads to compromise should be counted because you are hiring wrong people to do the job.

- Attack and exploit based tools are geared towards automation now to speed up the process of hacking and vulnerabilities discovery. Cracking is possible now with better hardware(fast processors and chunks and chunks of memories), imagine the cyber crime activities that supported and backup by evil organizations.

- Application based exploitation becomes more and more popular. The exploitation techniques that discovered by attackers getting more and more unpredictable and advance. When I say application, it is no longer server side applications(eg. network services) but user side applications too such as browser, flash player and so forth.

- New technology is not always good, look at Voip, NAC, Web 2.0 and IPv6. Don't believe in "HYPE"! Learning from past experience is a need when building new technology but this is not the case.

For the moment it is pretty hard to form a well-defined defence because things are getting more complicated. But I would love to point out few open source applications which can be utilized to form my idea.

Application Level Protection & Monitoring - Why, because front end application is easy target and not well protected, and most of the hackers always go for the easiest route. Currently we hardly see much development on application level protection and monitoring yet, but that doesn't mean they doesn't exist -



Network Assets Profiling - Whatever connected to the network must be profiled and stored in the centralized location, of course this can be done almost passively with something like PADS, but I'm looking at something more advanced, such as -


Network Security Metrics - There's no complete standard for this yet as I don't think network security reaches mature stage yet. But really, we can't avoid this anymore if we are talking about Critical Network Security Infrastructure. Of course I don't see any complete tool for this but look at this -


Logs ..... - I'm not talking about tree but record. Record must be in Human Readable Form, realtime, understandable and provides advance mining functions. I think OSSEC has done a good job -


To counter fast pace emerging threats, I would love to see defensive systems to be built with the ideas below -

- Network intelligence collection, such as baselining of network assets and network traffics. This is the important lead to identify abnormal and malicious activities abruptly.

- Full automation is bullshit, human intelligence must present. The system must require certain level of automation and certain level of examination as well. Why automation, automation can increase time effectiveness and productivities on behalf of analyzt. Why we need to examine it? Because we won't be any good as the expert in the subject when dealing in certain type of the attacks(usually unknown or new to the analyzt especially when they have never encountered it before). Therefore we need other sources to learn about it. For example snort has the reference for its signature rules.

- Relation to the whole organization, and follow up actions, I don't know how to describe this in proper way yet but it is something I have in mind for my new employer which has to do with reporting, classification and priority.

- Supporting Audit Trails, Incident Response and Forensics Operation.

Of course I can't consider this as proactive methodology but I'm now looking at how it can be applied to critical network infrastructure. Richard has very interesting thought in this one.

We can never hopeless!

Peace ;]

No comments: