Interviews | December 11, 2014

Black Hat Sustaining Partner Interviews: Juniper Networks, RSA, and Palo Alto Networks


Rebecca Lawson, senior director of security products at Juniper Networks, describes "cyber black markets" and talks about their having a "mature economy with characteristics akin to those of a thriving metropolitan city."

Juniper Networks

Q: Rebecca, you've just enhanced the capabilities of your Next-Generation Firewall (NGFW) saying that it now offers added security while being easier to deploy and manage. Tell me what there is about the NGFW that should make it appeal to enterprises.

Rebecca Lawson: The challenge is that organizations need more control over the applications and traffic on their networks to simultaneously protect their assets against attacks and manage bandwidth usage. Their solution needs to be efficient while still delivering high levels of security assurance. Juniper's new SRX Series Services Gateways deliver next-generation firewall protection with integrated application awareness, intrusion prevention, and role-based user controls, plus best-in-class UTM to protect and control businesses' assets. All this is centrally managed using Juniper Networks Junos Space Security Director.

Q: Your report, "Markets for Cybercrime Tools and Stolen Data," finds that cyber black markets have a "mature economy with characteristics akin to those of a thriving metropolitan city." That sounds fascinating ... but I'm not quite sure what it means. Can you give me some insight?

Lawson: Sure. We believe one way to think of the hacker economy is less as a cyber-underground and more of a thriving metropolitan city with diverse communities, industries, and interactions. RAND's report asserts that the hacker market was once a varied landscape of discrete, ad hoc networks of individuals motivated by little more than ego and notoriety, but today it has emerged as a playground of financially driven, highly organized, and sophisticated groups.

Like a metropolis, the black market is a collection of skilled and unskilled suppliers, vendors, potential buyers, and intermediaries for goods or services surrounding digitally based crimes. Specifically:

  • Storefronts – Like other forms of e-commerce, many data records, exploit kits, and goods are bought and sold from storefronts which can encompass everything from instant messaging chat channels, forums, and bulletin boards, to sophisticated stores (not unlike an RAND found some organizations can reach 70,000-80,000 people with a global footprint that brings in hundreds of millions of dollars.
  • Service Economy – Not only goods but criminal services are available from the hacker economy. The rise of botnets has made it possible for criminals to sell DDoS and spamming as a service to other criminals. In fact, exploit kits to help with attacks are often "rented" by the week or month. Just as you can pay someone to do your taxes or you can use an online tax service (classic software as a service or SaaS model), the hacker black market now offers many similar paid services.
  • Rule Of Law – There is indeed honor among thieves. RAND found many parts of the cyber black markets are well-structured, policed, and have rules like a constitution. In addition, those who scam others are regularly banned or otherwise pushed off the market. And, as cybercriminals move further up the chain, there is an extensive vetting process to participate.
  • Education and Training – RAND identified widely available tools and resources to teach people how to hack, including YouTube videos and Google guides on topics such as exploit kits and where to buy credit cards. This readily available instruction also helps to facilitate entry into the hacker economy. The RAND study says this access to training – coupled with a generation of digital natives – has accelerated sophistication and a broader set of roles within the economy, from administrators to subject matter experts, vendors, and general members.
  • Currencies – Transactions in the cyber black markets are often conducted by means of digital currencies. Bitcoin, Pecunix, AlertPay, PPcoin, Litecoin, Feathercoin, and Bitcoin extensions, such as Zerocoin, are a few that RAND discusses in its analysis. Although transactions can also be done by means of non-digital currency, many criminal sites are starting to accept only digital cryptocurrencies due to their anonymity and security characteristics.
  • Diversity – While RAND found cybercriminals from China, Latin America, and Eastern Europe are typically known for quantity in malware attacks, those from Russia tend to be thought of as the leader in quality. RAND also found areas of expertise and focus among cybercriminals from different countries. Many Vietnamese cybercriminals, for example, mainly focus on e-commerce hacks. Cybercriminals from Russia, Romania, Lithuania, and Ukraine focus on financial institutions. Many Chinese cybercriminals specialize in intellectual property. And U.S.-based cybercriminals primarily target U.S.-based systems and financial systems. In addition to a diverse set of actors, RAND also found more cross-pollination between these cybercriminals than ever before.
  • Hierarchical Society – Much like a legitimate business, the study found it takes connections and relationships to move up the (cyber) food chain. Getting to the top requires personal connections, but those at the top are making the lion's share of the money.
  • Criminals – Even the criminal cyber black market has criminals. Known as "rippers," these specific bad guys do not provide the goods or services they claim.

Q: Juniper was recently recognized as one of the world's most ethical companies for the fourth year in a row. That's quite an achievement! What is there about Juniper that makes it worthy of that distinction?

Lawson: Ethics is in the DNA of our company and depends upon the commitment of every employee across every level of the global organization. Our employees consistently demonstrate Juniper's core values of operating with the highest of ethical standards and we have been rewarded by the ethics award as well as the loyalty of our customers. One of the key attributes of a company, especially a company in the security business, is integrity. If you think about it, if you are going to trust a company with your security, that company sure better be ethical and trusted. Otherwise, you most likely would not choose them.

Q: Juniper Networks is a Black Hat "sustaining partner," which means you sponsor all three of the Black Hat conferences -- Asia, Europe, and USA. Why is Black Hat such an important part of Juniper's marketing strategy?

Lawson: Black Hat is an organization that is passionate about security. Customers who attend Black Hat have that same passion. And we want to meet them. The way Juniper sees it, security is not a bolt-on addition when a company is building out a network, a data center, or a cloud infrastructure. Security thinking must be integrated into the original architecture of a company's core networking backbone. Many of the attendees we have met at Black Hat this year -- and years past -- think the same way that we do. Reaching out, engaging, and hopefully working with these customers to implement Juniper security solutions is what it's all about.

Brian Fitzgerald

Brian Fitzgerald, VP of marketing, RSA, The Security Division of EMC, addresses what he calls the "ethics of active countermeasures" and explains why turning the tables on attackers may be unethical.

Q: Brian, RSA has said that, as mobile channel usage grows, we can expect to see threats targeting organizations originating from mobile devices to increase as well. And, you've said that gaining visibility into the traffic that is hitting Web properties from both the mobile browser and native applications is a key first step. Talk to me about that and why that's so important.

Brian Fitzgerald: We are already seeing major increases in fraud from mobile devices. In fact, we expect online fraud from mobile to surpass that from traditional PCs in the near future. As mobile devices become increasingly used as the primary interface to consumer and enterprise applications, it is inevitable that fraudsters and other adversaries will focus their efforts on this channel. Since these attacks often involve identity compromise or similar exploits, they are not easily detected using traditional means.

Behavioral approaches are valuable here because no matter how broad the range of mobile platforms and access points grows, or how the device or user is compromised, sooner or later the attacker will have to do something unusual to achieve their goals. By understanding normal user or device behavior, and spotting the variations from that normal behavior, organizations can identify potential threats and mitigate them.

Q: RSA has talked about Heartbleed and what end-users need to do to protect themselves. In a nutshell, what are some of your recommendations?

Fitzgerald: One of the keys to quickly defending against an exploit such as Heartbleed is to move to more advanced, analytics-based approaches to security. These approaches can automate the response to new threats and enable fast, effective defense. Within 48 hours of the identification of Heartbleed, RSA Security Analytics customers, for example, received parsers that could be loaded into Security Analytics to identify where Heartbleed risk existed in their environment, and also to spot attempts to exploit the Heartbleed vulnerability.

Q: RSA has addressed the so-called ethics of active countermeasures implying that turning the tables on attackers may be unethical. Do you really believe that? And why?

Fitzgerald: I don't think of it so much as an ethical issue as a more pragmatic one. In the physical world, if you suspect someone has stolen your TV, you don't go break into their house to steal it back. First of all, you are committing a crime yourself. Second, the thief may get annoyed and cause you even more harm. Third, you might be wrong and be stealing the TV of a perfectly innocent neighbor. You contact the appropriate authorities, give them the information you have that leads you to suspect the thief, and let them handle it.

In the digital world, these mechanisms for law enforcement are not strong today, so there's a lot of temptation to engage in offensive security. The challenges with that approach are well-known and real. It's very possible that you may wind up targeting an innocent party (or one who was unknowingly compromised themselves), and thereby committing a crime yourself. And if offensive security becomes more common, you can be sure the sophisticated adversaries will find ways to dupe organizations into this sort of collateral damage. Also, since cybercrime crosses borders, it starts to raise geopolitical concerns. If a company in nation-state A targets nation-state B as part of an offensive security program, and Nation-state B responds aggressively, will the first company expect its own government to come to its defense?

There are forms of active countermeasures that can be used inside an organization's network that can increase the cost for the attacker or cause them other trouble -- and those make sense. But when organizations start trying to go back up the wire against their suspected attackers, it becomes a problem in my view.

Q: RSA is a Black Hat "sustaining partner," meaning you sponsor all of the Black Hat conferences -- Asia, Europe, and USA. Why is Black Hat such an important part of RSA's marketing strategy?

Fitzgerald: RSA is a global company, our solutions span a large part of the security spectrum, and the Black Hat conferences reach an important component of that market -- the day-to-day security practitioner. Working with Black Hat on a global basis helps us stay connected to that key part of the security community around the world.
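Fitzgerald refers above to parsers that spot attempts to exploit the Heartbleed vulnerability. As an added illustration (not RSA's parser and not code from the interview), the following Python scans raw TLS record bytes for the condition the exploit relies on: a heartbeat request whose declared payload length exceeds what the record actually carries. The sample capture, the `Finding` type, the helper names and the 1024-byte response threshold are all constructed for this example.

```python
"""Flag Heartbleed (CVE-2014-0160) exploit attempts in raw TLS record bytes.

The exploit sends a TLS heartbeat request whose declared payload_length is
larger than the payload actually carried; an unpatched peer echoes
payload_length bytes out of its own memory. The request-side check below is
the bounds test the OpenSSL fix added: a record must carry at least
1 (type) + 2 (length) + payload_length + 16 (minimum padding) bytes.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

TLS_HEARTBEAT = 24          # TLS content type "heartbeat" (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16         # RFC 6520: padding MUST be at least 16 bytes
TLS1_1 = 0x0302             # record-layer version used by the sample below


@dataclass
class Finding:
    offset: int   # byte offset of the offending TLS record in the capture
    kind: str     # "exploit_attempt", "possible_leak" or "malformed"
    detail: str


def build_record(content_type: int, version: int, fragment: bytes) -> bytes:
    """Wrap a fragment in a TLS record header (type, version, length)."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


def build_heartbeat(hb_type: int, payload: bytes,
                    declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat message; declared_len lets a caller lie about the length."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * HB_MIN_PADDING


def parse_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, content_type, version, fragment) for each TLS record.

    A record whose declared length runs past the end of the capture is
    yielded with whatever bytes are present, then parsing stops.
    """
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        yield off, ctype, version, fragment
        if len(fragment) < length:
            break
        off += 5 + length


def scan_heartbleed(data: bytes, response_threshold: int = 1024) -> List[Finding]:
    """Return findings for heartbeat records that look like Heartbleed traffic."""
    findings: List[Finding] = []
    for off, ctype, _version, frag in parse_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(frag) < 3:
            findings.append(Finding(off, "malformed",
                                    "heartbeat record shorter than its 3-byte header"))
            continue
        hb_type = frag[0]
        (payload_len,) = struct.unpack("!H", frag[1:3])
        carried = len(frag) - 3          # payload + padding actually present
        if hb_type == HB_REQUEST and payload_len + HB_MIN_PADDING > carried:
            findings.append(Finding(off, "exploit_attempt",
                                    f"declared payload {payload_len} bytes, record carries {carried}"))
        elif hb_type == HB_RESPONSE and len(frag) > response_threshold:
            # Heuristic only: RFC 6520 permits large heartbeats, but a response far
            # bigger than anything the client sent is what a successful leak looks like.
            findings.append(Finding(off, "possible_leak",
                                    f"heartbeat response of {len(frag)} bytes"))
    return findings


# Constructed sample capture (not real traffic): a stub handshake record, a benign
# heartbeat, the classic 8-byte Heartbleed probe, and an oversized response.
SAMPLE = b"".join([
    build_record(22, TLS1_1, b"\x01\x00\x00\x04\x03\x02\x00\x00"),
    build_record(TLS_HEARTBEAT, TLS1_1, build_heartbeat(HB_REQUEST, b"ping")),
    bytes.fromhex("1803020003014000"),   # type 24, len 3, request, declared 0x4000 bytes
    build_record(TLS_HEARTBEAT, TLS1_1, build_heartbeat(HB_RESPONSE, b"\x41" * 2000)),
])

if __name__ == "__main__":
    for f in scan_heartbleed(SAMPLE):
        print(f"offset {f.offset:5d}  {f.kind:16s}  {f.detail}")
```

Feed `scan_heartbleed` the reassembled TCP payload of a TLS session (it does not handle TCP segmentation itself). The request-side check is exact, since it mirrors the bounds test in the OpenSSL fix; the response-size check is a heuristic that will misfire on legitimate large heartbeats, so treat it as a lead to confirm against the preceding request rather than as proof of a leak.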

Eric van Sommeren

Palo Alto Networks

Eric van Sommeren, director of advanced technologies EMEA at Palo Alto Networks, talks about the 21 critical zero-day vulnerabilities affecting Internet Explorer and recommends steps to defend against attack.

Q: Eric, one of your recent reports revealed that cyber criminals in Nigeria have evolved common malware campaigns to infiltrate businesses that have previously been their primary targets. What sort of advice do you give enterprises so they can protect themselves against these campaigns?

Eric van Sommeren: Nigeria-based scammers are now using tools -- which are often deployed by more sophisticated criminal and espionage groups -- to steal business-critical data from enterprises. 419 scammers usually run phishing scams in attempts to collect credit card details or personal information from individuals. However, over the past few years, we've noticed that more and more of their attacks are targeting the business world. To prevent falling victim to scams such as these, it's best to block all attachments in emails from unknown users, as well as be wary of zip and rare archive files. Enterprises can also work to prevent these types of attacks by scrutinizing transmission control protocol (TCP) traffic leaving their networks in order to identify its purpose and origin.

Q: I've read how an Italian holding company that operates several manufacturing businesses saved $2.5 million in IT costs and solved its network issues by standardizing on your next-gen security platform. Talk to me about where those savings came from and how other enterprises can have similar savings.

van Sommeren: Our customer CAME Group was working with a heterogeneous network and they couldn't securely deploy services to all of their branches in a centralized way, nor efficiently manage IT – Web services, trade, and e-commerce around the world were managed and secured by multiple devices and the lack of a standard network technology created problems including manageability, costs, application access and control, network latency, and security. With the implementation of Palo Alto Networks technology, CAME can now stop unauthorized packets from entering the network and get real-time information on attempted intrusions, even those that other vendors' devices were unable to identify beforehand.

By consolidating its IT infrastructure on Palo Alto Networks security platforms, CAME has been able to remove devices from its network -- and expensive consultants from its payroll.

Massimiliano Tesser, group CIO of CAME Group said: "We replaced a total of more than 100 firewalls and proxy devices with just 42 Palo Alto Networks security devices. Over three years, this saves us U.S. $50,000 per branch office or about U.S. $2.5 million which was previously spent on technicians, consultants, maintenance, training IT staff, configuring, and managing a heterogeneous network."

Q: The threat intelligence team of Palo Alto Networks has identified 21 critical zero-day vulnerabilities affecting Microsoft's Internet Explorer. Since that is the most popular browser around, enterprises ought to be concerned about that. What steps do you recommend they take in order to defend themselves from attack?

van Sommeren: Each of these discoveries has a critical rating because it allows full remote code execution using a memory corruption vulnerability in IE. Attacks are most likely to happen through drive-by downloads on compromised Web sites or by spear phishing emails which link to malicious Internet pages. Businesses and consumers can protect themselves from such attacks through regular vulnerability protection updates as well as upgrading to the latest patch from Microsoft for those using Internet Explorer. In addition, IPS signatures are useful in order to detect an advanced exploitation technique that takes advantage of ActiveX.

Q: Palo Alto Networks is a Black Hat "sustaining partner," which means you sponsor all three of the Black Hat conferences -- Asia, Europe, and USA. Why is Black Hat such an important part of the marketing strategy of Palo Alto Networks?

van Sommeren: Black Hat is a mighty brand among the world's major cybersecurity conferences and promises an audience that's as committed to and engaged in advanced enterprise security as we are. We are excited to participate -- in all regions!
