December 6, 2005 - Invisible Incidents, Invisible Risk
by Jeff Moss
In this issue of the Black Page we will look at incident response. Kevin Mandia, a world-recognized leader in incident response research, points out that a responder must have skills at least equal to those of the attacker. One of the challenges of IR is discovering that there is an incident to begin with. If we only look for known attacks, we will only find the moderately skilled attackers, leaving us exposed to the truly skilled adversaries.
by Kevin Mandia posted December 6, 2005
... If Bruce Springsteen did computer security, he would definitely excel at performing Incident Response.
...Choicepoint, Lexis-Nexis, Bank of America, and then several thousand unnamed victims. I am curious, how many companies in the Fortune 500 are currently hosting a digital cocktail party for foreign intruders? Who are these foreign intruders....They say:
How do we confirm any of these if our incident response skills are not as advanced as the adversary?
...Trust me, the problem is worse than reporters and computer security guys think. We are seeing firms with hundreds, if not thousands of compromised systems.
...Attribution for online incidents is getting more difficult. We are having more difficulty determining who is perpetrating intrusions into US firms, primarily because of self propagating intrusions. We need international cooperation to solve international problems. Russia, Romania, China...
...recently, I saw a situation where a company had outsourced their customer service application at a web-hosting facility and it was compromised by the W32.Spybot.Worm. Disaster ensued. I am witnessing very costly responses, with the loss of client data being of critical concern.
...I have responded to over 50 computer intrusions in the last 4 years. Anti-virus detected one of these events. I think the technology that tries to protect us from an infinite amount of signatures may have to change its marketing to "We do the best we can, and protect you from being low-hanging fruit."
...after review of the system time/date stamps, we noticed anomalous activity potentially accessing 50 credit card files. The indicators of compromise were all originating from foreign domains. Are we storing anything encrypted nowadays? And if so, in how many locations is the encrypted data stored on the same media in an unencrypted manner?
...I think it’s time for companies to continue their proactive stance on security, but couple it with a reactive approach and even be proactively reactive (in some strange way, that makes sense to me).
...I’ve witnessed a number of panicked customers when they find out they’ve been compromised. Plan first, to include planning your reaction to incidents.
...wouldn’t it be cool to develop an automated technique for companies to capture necessary data immediately following an incident before the audit trail is unintentionally/intentionally corrupted by poor incident response techniques?
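The two ideas Mandia raises above, reviewing system time/date stamps for anomalous activity and capturing the audit trail before it is corrupted by a careless response, can be illustrated with a small evidence-preservation routine. The following is an added example, not code from Mandia or from the Black Page: it walks a directory, records each file's size, modification time and SHA-256 hash into a manifest, builds a timeline from the timestamps, and later checks the same directory against the manifest to report files that were modified, deleted or added after capture. The directory layout and log contents in `demo()` are constructed sample data.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def capture_manifest(root):
    """Record size, UTC mtime and SHA-256 for every regular file under root.

    The manifest is the 'known good' snapshot of the audit trail taken
    immediately after an incident is declared; it should be stored off the
    affected host so a later tamper cannot rewrite both file and manifest.
    """
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            manifest[rel] = {
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "sha256": sha256_file(full),
            }
    return manifest


def timeline(manifest):
    """Order captured files by modification time, oldest first.

    Sorting by mtime is the simplest form of the time/date stamp review
    mentioned above: files touched out of sequence stand out.
    """
    return sorted((entry["mtime"], path) for path, entry in manifest.items())


def verify_manifest(root, manifest):
    """Compare the current state of root against an earlier manifest."""
    current = capture_manifest(root)
    return {
        "modified": sorted(p for p in manifest
                           if p in current and current[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Run the capture/verify cycle on constructed sample data.

    Returns (manifest, timeline, findings) so the behaviour can be checked.
    """
    root = tempfile.mkdtemp(prefix="ir_capture_")
    try:
        # Constructed sample audit trail; contents are illustrative only.
        samples = {
            "auth.log": "Dec  6 02:14:03 host sshd[4120]: Accepted password for svc from 203.0.113.9\n",
            "access.log": "203.0.113.9 - - [06/Dec/2005:02:15:10 +0000] \"GET /export.php\" 200 51200\n",
            "customer_export.csv": "id,name,card_last4\n1,sample,0000\n",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(content)

        manifest = capture_manifest(root)
        # Serialise the manifest exactly as it would be written to external media.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        order = timeline(manifest)

        # Simulate a sloppy response after capture: a log is truncated,
        # another is deleted, and a new file appears on the host.
        with open(os.path.join(root, "auth.log"), "w") as fh:
            fh.write("")
        os.remove(os.path.join(root, "access.log"))
        with open(os.path.join(root, "responder_notes.txt"), "w") as fh:
            fh.write("cleaned up\n")

        findings = verify_manifest(root, json.loads(manifest_json))
        return manifest, order, findings
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    _, order, findings = demo()
    for mtime, path in order:
        print(mtime, path)
    print(json.dumps(findings, indent=2))
```

The manifest only proves integrity relative to the moment of capture, so its value depends on taking it before anyone else touches the host and on keeping it somewhere the intruder cannot reach; hashing a file that was already altered simply preserves the altered version faithfully.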
Implications of the Lynn Cisco Research, and Moving Forward
Did you notice that the original issue of the Black Page is missing? I removed it at the request of Mike Lynn and ISS when they were sorting out what Mike's presentation was going to include. It was getting close to the show, and I was getting conflicting signals from ISS. A common theme we will see in this saga...
Some of the latest “solutions” to common security problems are proving to hurt as much as they help, if you blindly trust them. The consequences of this blind trust are the focus of this Black Page. In this issue, we take a look at two countermeasures that could work against you. David Maynor shares his findings on the ineffectiveness of a highly regarded buffer overflow solution implemented in the latest “secure” CPUs. Alex Wheeler, Mr. Anti-Anti-Anti-Virus, focuses on the world’s largest mandated security countermeasure, revealing that an A/V client could be your biggest hole...
The Black Page is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us to learn more about the submission rules.