Sunday, June 20, 2010

Who's on...uh, at...FIRST?

I attended the FIRST conference in Miami last week. My employer is not a member of FIRST, but we were a sponsor, and we hosted the "Geek Bar"...a nice room with two Wiis set up, a smoothie bar (also with coffee and tea), and places to sit and relax. One of my roles at the conference was to be at the Geek Bar to answer questions and help sign folks up for the NAP tour on Thursday, as well as mingle with folks at the conference. As such, I did not get to attend all of the presentations...some were going on during my shift at the Geek Bar, for example.

Note: Comments made in this blog are my own thoughts and opinions, and do not necessarily reflect or speak for my employer.

Dave Aitel's presentation hit the nail on the head...defenders are behind and continue to learn from the attacker. Okay, not all defenders learn from the attacker...some do, others, well, not so much. Besides Dave's really cool presentation, I think that what he said was as important as what he didn't say. I mean, Dave was really kind of cheerful for what, on the surface, could be a "doom-and-gloom" message, but someone mentioned after the presentation that Dave did not provide a roadmap to fixing/correcting the situation. I'd suggest that the same things that have been said for the past 25 years, the same core principles still apply...they simply need to be used. My big take-away from this presentation was that we cannot say that defensive tactics, or the tactics, techniques, and strategies used by the defenders have failed, because in most cases, they haven't been implemented properly, or at all.

I really liked Heather Adkins' presentation regarding Aurora and Google, and I think that overall it was very well received. It was clear that she couldn't provide every bit of information associated with the incident, and I think she did a great job of heading off some questions by pointing out what was already out there publicly and could be easily searched for...via Google.

Vitaly Kamluk's (Kaspersky/Japan) presentation on botnets reiterated Dave's presentation a bit, albeit not in so many words. Essentially, part of the presentation was spent talking about the evolution of botnet infrastructures, going through one-to-many, many-to-one, C2, P2P, and a C2/P2P hybrid.

Unfortunately, I missed Steven Adair's presentation, something I wanted to see. However, I flew to Miami on the same flight as Steven, one row behind and to the side of his seat, so I got to see a lot of the presentation development in action! I mean, really...young guy opens up Wireshark on one of two laptops he's got open...who wouldn't watch?

Jason Larsen (researcher from Idaho National Labs) gave a good talk on Home Area Networks (HANs). He mentioned that he'd found a way to modify firmware on power meters to do such things as turn on the cellular networking of some of these devices. Imagine the havoc that would ensue if home power meters suddenly all started transmitting on cellular network frequencies. How about if the transmitting were on emergency services frequencies?

The Mandiant crew was in the hizz-ouse, and I saw Kris Harms at the mic not once, but twice! Once for the Mandiant webcast, and once for the presentation on Friday. I noticed that some parts of both of Mandiant's presentations were from previous presentations...talking to Kris, they were still seeing similar techniques, even as long as two years later. I didn't get a chance to discuss this with Kris much more, to dig into things like, were the customers against which these techniques were used detecting the incident, or was the call to Mandiant the result of an external third party calling the victim organization?

Richard Bejtlich took a different approach to his PPT! If you've read his blog, you know that he's been talking about this recently, so I wasn't too terribly surprised (actually, I was very interested to see where it would go) when he started his time at the mic by asking members of the audience for questions. He'd had a handout prior to kicking things off, and his presentation was very interesting because of how he spent the time.

There were also a number of presentations on cloud computing, including one by our own Robert Rounsavall, and another on Friday morning by Chris Day. It's interesting to see some folks get up and talk about "cloud computing" and how security, IR, and forensics need to be addressed, and then for others to get up and basically say, "hey, we have it figured out."

Takeaways from FIRST
My takeaways from FIRST came from two sources...listening to and thinking about the presentations, and talking to other attendees about their thoughts on what they heard.

As Dave Aitel said, defenders are steps behind the attackers, and continue to learn from them. Kris Harms said that from what they've seen at Mandiant, considerable research is being placed into malware persistence mechanisms...but when talking about these to some attendees, particularly those involved in incident response in some way within their organizations, there were a lot of blank stares. A lot of what was said by some was affirmed by others, and in turn, affirmed my experiences as well as those of other responders.

I guess the biggest takeaway is that there are two different focuses with respect to business. Organizations conducting business most often focus on business and not so much on securing the information that is their business. The bad guys have a business model, as well, that is also driven by revenue...they are out to get your information, or access to your systems, and they are often better at using your infrastructure than you are. The drive or motivation of business is to do business, and at this point, security is such a culture change that it's no wonder that victims find out about so many intrusions and data breaches after the fact, due to third party notification. The road map, the solutions, to addressing this have been around for a very long time, and nothing will change until organizations start adopting those security principles as part of their culture. Security is ineffective if it's "bolted on"; it has to be part of what businesses do...just like billing and collections, shipping and product fulfillment, etc. Incident responders have watched the evolution of intruders' tactics over the years, and organizations that fall victim to these attacks are often stagnant and rooted in archaic cultures.

Overall, FIRST was a good experience, and a good chance to hear what others were experiencing and thinking, both in and out of the presentation forum.