Thursday, February 24, 2011

RSA / BSides 2011 And Why The Prevailing Cloudburst Scenarios Are Simplistic

I spent Monday and Tuesday going back and forth between RSA and B-Sides, which had some good talks including Andrew Hay’s panel titled Attacking Cyber Security Marketecture, which examined the hype surrounding a variety of buzzwords including the celebrated term ‘advanced persistent threat’. The talk was replete with war stories that illustrate the ongoing struggle between security teams and structured threats, which seems to often lead to consideration of offensive security practices on the grounds that the “best defense is a good offense”. I found myself wondering if we’re indeed going to need more law enforcement, government and perhaps even military roles in the fight against structured threats. The state, after all, has exclusive jurisdiction on the use of force, and the rank-and-file victims of structured threats tend to have limited capabilities for offensive action. Later during RSA, Deputy Defense Secretary William Lynn III proposed greater military involvement in defending civilian networks. This was covered by CNET at

I think Richard Bejtlich is correct in his conjecture that the reason topics like these are not often discussed by policymakers publicly, for the most part, is to keep control of policy with policy experts where it belongs. Public debate on subjects like ‘cyberwarfare’ quickly spirals out of control as we saw in 2009 when members of congress made calls for retaliation against denial of service attacks whose attribution had not been determined.

Bejtlich made a closing remark that was quite thought provoking; he asked, “How many people came here in a Kevlar vest today? Riding in an armored vehicle? How many live in fortresses with bars on the windows?” He went on to expound that we practice threat-centric security in the physical world while we practice vulnerability-centric security in the IT world, toiling to eliminate all vulnerability when we should be focused more on detecting and responding to threats.

There were a number of legal and regulatory talks at RSA and it seems clear that these aspects of the ‘cloud’ will need significant attention. Guidance from the lawyers included exhaustively addressing all eventualities and assumptions in contract language, including fundamentals like ownership of the data, which had not occurred to me.

Brian Sniffen from Akamai gave a talk about finding subtle hooks to malware in HTML titled "Scanning the Ten Petabyte Cloud: Finding the malware that isn't there” and released source code of Akamai’s malware detection tool; more information at

On Friday I saw Hacking Exposed - Exploiting the Cloud and Virtual Machines, where George Kurtz and Stuart McClure showed some of the backdoors and RATs that featured in the so-called “Night Dragon” incidents. I commented afterward that this penetration scenario, like the similar scenario featured in the recent NSA video promoting attestation technologies, is interesting but not entirely relevant in real-world environments for a few reasons that I will summarize here and will explain further in another blog posting:

• Type 2 hypervisor. Both the RSA and NSA penetration scenarios utilize the Cloudburst exploit on type 2 hypervisors, which is exactly what we’re not running in production virtualization and ‘cloud’ environments. Cloudburst does not work, to my knowledge, on a shipping type 1 hypervisor.
• Reverse shell from a hypervisor management interface. In a defensible virtual environment, a hypervisor’s management interface cannot call the Internet; its connectivity is limited to management or substrate networks and accessible from specific points. Such a connection attempt should also be detected by netflow or firewall events, in a defensible network, and investigated.
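The second point above is a check that can be run directly against flow records: a management interface that opens a connection to anything outside the management or substrate networks, or that is reached from anywhere other than the approved access points, is an event to investigate. The script below is an added example written for this post, not a tool from any of the vendors or speakers mentioned; the subnets, the jump host, the simplified comma-separated flow format and the flow records themselves are all constructed for illustration.

```python
"""Flag hypervisor management-plane traffic that violates a defensible design:
management interfaces may only talk to management/substrate networks, and may
only be reached from approved points (here, a single jump host).

Example written for this post; addressing and flow format are hypothetical."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Assumed addressing (hypothetical): hypervisor management interfaces live in
# MGMT_NET; the only permitted peers are the networks in ALLOWED_NETS.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),  # the management network itself
    ipaddress.ip_network("10.20.0.0/24"),  # substrate / storage network
    ipaddress.ip_network("10.30.0.5/32"),  # the one approved jump host
]


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed flow record: '<src>,<dst>,<dport>,<proto>'.
    This is a simplified stand-in for a real netflow/firewall export format."""
    src, dst, dport, proto = line.strip().split(",")
    return Flow(src, dst, int(dport), proto)


def classify(flow: Flow) -> Optional[str]:
    """Return 'egress' when a management interface reaches a non-approved
    destination (e.g. a reverse shell to the Internet), 'ingress' when a
    management interface is contacted from a non-approved source, else None."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in MGMT_NET and not any(dst in net for net in ALLOWED_NETS):
        return "egress"
    if dst in MGMT_NET and not any(src in net for net in ALLOWED_NETS):
        return "ingress"
    return None


def find_violations(lines: List[str]) -> List[Tuple[str, Flow]]:
    """Run classify() over raw flow lines; keep only the violations."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        reason = classify(flow)
        if reason is not None:
            out.append((reason, flow))
    return out


# Constructed sample flow records (not captured from a real network).
SAMPLE_FLOWS = [
    "10.10.0.7,10.20.0.12,3260,tcp",    # hypervisor -> storage: expected
    "10.30.0.5,10.10.0.7,443,tcp",      # jump host -> mgmt interface: expected
    "10.10.0.7,203.0.113.44,4444,tcp",  # mgmt interface -> Internet: egress
    "10.10.0.9,8.8.8.8,53,udp",         # mgmt interface -> public DNS: egress
    "192.168.5.5,10.10.0.7,443,tcp",    # user/guest VLAN -> mgmt: ingress
]

if __name__ == "__main__":
    for reason, f in find_violations(SAMPLE_FLOWS):
        print(f"ALERT {reason}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The egress rule is deliberately a deny-by-default one: anything not in the allowed list is flagged, so a reverse shell on an unusual port is caught just as readily as one on 443. The same logic can be expressed as firewall policy on the management segment; the point of also running it over flow data is that the attempt is recorded and investigated even if the connection was blocked.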

Also on Friday Ed Skoudis and Johannes Ullrich gave a briefing on the threat landscape. Skoudis reports seeing increasing use of memory scraping techniques in data breaches to go after crypto keys or just grab data out of memory where it is cleartext; this talk has received some coverage including this

Skoudis commented that DLP tools are only effective at stopping accidental data leaks and ineffective against structured threats (something I have believed for a while). He observed that pervasive encryption, no matter how good, is obviously ineffective against memory scraping, since the data must be cleartext in memory at the point of use. Potential responses include just-in-time decryption and using tokenization where possible. Another possibility is using a file encryption tool with a trust boundary between userland and kernel mode that yields only encrypted data to a rogue process, provided the process is going through the file system and the kernel remains intact. A further option is extreme host security like whitelisting of images in both filesystems and memory, which Kurtz and McClure advocated. Whitelisting is notoriously difficult to do on a general purpose OS in a modern enterprise but might be more practical in ‘cloud’ environments where machines have more quantifiable and predictable functions.
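To make the memory-scraping point concrete, the example below does what a scraper does, sweeping a process image for digit runs that pass the Luhn check, and then shows why tokenization changes the outcome: a process that only ever holds tokens has nothing for the scraper to find. This is an added example written for this post, not code from Skoudis, Kurtz and McClure, or any product. The “memory images” are constructed byte strings, the card numbers are the usual published test numbers, and the in-process VAULT dictionary stands in for a token vault that would really live in a separate, more tightly controlled process or host.

```python
"""What a memory scraper looks for, and what tokenization leaves it.
Example written for this post; memory images and vault are constructed."""
import hashlib
import re
from typing import Dict, List

# Runs of 13 to 19 digits not adjacent to other digits: the shape of a PAN.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; scrapers use it to discard timestamps, IDs, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_pans(memory: bytes) -> List[str]:
    """Return every Luhn-valid card-number candidate sitting in cleartext."""
    return [m.decode() for m in PAN_RE.findall(memory) if luhn_ok(m.decode())]


# Stands in for an out-of-process token vault (token -> PAN). In a real
# design the application process never holds this mapping.
VAULT: Dict[str, str] = {}


def tokenize(pan: str) -> str:
    """Deterministic surrogate for a PAN. Two 8-character hex groups can never
    form a 13+ digit run, so tokens are invisible to PAN_RE by construction."""
    digest = hashlib.sha256(pan.encode()).hexdigest()
    token = f"tok-{digest[:8]}-{digest[8:16]}"
    VAULT[token] = pan
    return token


def tokenize_memory(memory: bytes) -> bytes:
    """Simulate an application that swaps PANs for tokens before they ever
    land in its own memory; non-PAN digit runs are left untouched."""
    def sub(m: "re.Match[bytes]") -> bytes:
        s = m.group(1).decode()
        return tokenize(s).encode() if luhn_ok(s) else m.group(1)
    return PAN_RE.sub(sub, memory)


# Constructed process image: an HTTP request buffer, a session id that is a
# 16-digit decoy (fails Luhn), some binary, and a second card record.
APP_MEMORY_CLEARTEXT = (
    b"\x00\x00POST /checkout HTTP/1.1\r\n"
    b"card=4111111111111111&exp=1213\x00\x00"
    b"session_id=1234567890123456\x00"
    b"\x7fELF\x02\x01\x01\x00"
    b"card=5500000000000004&cvv=***\x00"
)

# The same process, had it tokenized on ingress and kept only tokens.
APP_MEMORY_TOKENIZED = tokenize_memory(APP_MEMORY_CLEARTEXT)

if __name__ == "__main__":
    print("cleartext process :", scrape_pans(APP_MEMORY_CLEARTEXT))
    print("tokenized process :", scrape_pans(APP_MEMORY_TOKENIZED))
    print("vault entries     :", len(VAULT))
```

Two caveats the code makes visible. First, the scraper needs no knowledge of the application; the regex plus Luhn is enough, which is why encryption at rest or on the wire does nothing here. Second, tokenization does not remove the cleartext from the system, it moves it into the vault, so the vault process becomes the target and needs the just-in-time handling and host hardening the paragraph above describes.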

On the subject of the ‘cloud’, Skoudis noted that many tend to think first about guest escape threat models - which are important and interesting despite a dearth of examples - but that he “would encourage [us] not to think about them for now” as the first battle of the cloud will be fought along the primary management services (something I also believe).

Ullrich discussed the increasing pervasiveness of IPv6, a surprise to network operators, due to its on-by-default status in modern operating systems. IPv6 is increasingly being used for lateral movement as attackers realize they can work their way deeper into networks using IPv6 which is subject to little or no control or monitoring in many networks.

On the vendor side, the initial reports that the VMsafe program is ending seem to have been premature. What I understand is that the program is continuing with some major changes; vendors will no longer develop VMware-certified kernel modules, which proved unwieldy, but will instead call VMsafe APIs of VMware-provided modules. There are now three enterprise-grade VMsafe layer three products with both firewall and intrusion prevention/detection capabilities from three vendors – Check Point, HP and Juniper. This is good news for people like me who need enterprise-class layer three capabilities for virtual networks. I plan to blog about these in more detail.

On the crypto front, there are now two crypto products I can automate sufficiently to do full-disk encryption at the guest OS level with keys under a tenant's control rather than substrate admins. The vendors are Safenet and Winmagic; more to come on this. At the hypervisor layer I can do file encryption under Xen and Hyper-V with the Vormetric product (and of course file encryption can be done inside the guest, if you know where the data lives).

Also worth watching are Intel’s TXT and AES-NI technologies; these are pretty interesting and seem to have the potential to shorten my list of security problems. See

Also on my list of things to look at is the HyTrust product which seems very useful for securing virtual environments and placing additional checkpoints on substrate access.
