In many ways, this year’s RSA conference was overwhelming. In other ways, it was a disappointment in how the market is providing solutions to mitigate our security risks. As several colleagues have pointed out, “remediation” was a huge gap at RSA 2015. As Adam Stein pointed out, remediation is not a dirty word. On the RSA show floor, it seemed that every other booth was showing off “Threat Intelligence.” My colleague Brian Beal points out that RSA was a “battle of the Threat Intelligence GUI.” If you wanted to wow investors and desperate CIOs, you had a really cool graphical interface with fancy infographics. But if you asked vendors about remediation, you got interesting “songs,” “dances,” “distracting statements,” and blank stares. “That is not what we do” was the most common response from these “threat intelligence” vendors.
The absence of remediation is worrying. The market’s “threat intelligence” saturation provides visibility tools looking for the “APT Threat.” But, “intelligence” has no meaning without the remediation tools, incident response processes, or remediation skills/capabilities to counter the threat. In many ways, we are encouraging organizations to build the tools to watch their own victimization. IMHO that is wrong.
Just so everyone is on the same page, remediation in the security space is where you take action to fix a problem. The key is action. This normally has three phases:
Map the Iceberg. Mapping the iceberg is a technique where you treat the initial issue as the starting point. Like an iceberg, any internal penetration should be treated as the “tip” of a much bigger problem. For example, a malware infection of an employee’s computer might be infecting or communicating with other computers. An unpatched system might be an indication the miscreant is using unpatched systems to spread the penetration. An exfiltration data flow might be one of many exfiltration feeds leaking data out to the bad guys. An effective remediation plan always needs to look beyond the “tip of the iceberg” and dig into the unseen issues below the water line.
Script the Remediation Dance. It is safe to assume that any violated systems inside your network are controlled by some outside party. It is critical to understand that remediation today is a competitive showdown with another human. Their goal is to maintain control of the systems they have violated and to complete their mission (criminal, nation state, activities, or other missions). Your job is to protect your customers’ and shareholders’ interests. Every remediation action you take will invoke a response from your opponent(s). Hence, your actions must be like a chess game, where you think several moves ahead, anticipating the other human’s reaction to your remediation activities. Think, plan, anticipate, and then act. This back and forth interaction with the miscreant might take a while. Network visibility will be necessary, hence threat intelligence will be useful, but within the context of a remediation-driven strategy.
Expect the Unknown. It is normal for the human opponent to hide, wait, and then use their backup infiltration after you let your guard down. This is common in combat. It is part of normal tactics in military electronic warfare. It is also to be expected in today’s security battlespace. Given this, look for the sleeper malware and systems that have yet to be checked. Also, deploy techniques that would disrupt any sleeper violations. Waiting a couple of days and then deploying a network-wide “patch the vulnerability” exercise to catch up on all software patching creates positive disruption that could break a hidden malware violation.
Recommendation: start with remediation first, with a methodology that fits your organization. Organizations should not start with “threat intelligence products.” The information overload is a huge distraction. There are plenty of “threat intelligence feeds” that will send daily emails of violated systems inside your organization that are communicating with bad guy C&C. This data is the tip of the iceberg. Some of these are free (e.g. shadowserver.org). You can use this information on real violated/infected systems inside your network to shape a remediation strategy. Each organization’s remediation processes (incident response processes) are unique. The business requirements, work culture, staff capabilities, and executive priorities will all differ between organizations. Using the free “threat intelligence” sources to test your remediation processes is empowering. It gives you a “threat intelligence” tool that allows for action now, before spending significant capital on new tools that might add value.
Let’s walk through a use case. Company.com has several thousand people in the organization. They have an IT team to support the business with a few part-time “security people.” Executive management is putting pressure on the CIO to ensure they do not have a break-in like Target, Sony, and the other “2014” break-ins. The CIO asks the team what the plan should be. The team thinks out of the box by not calling in vendors or going to security conferences (which all lead to confusion). Instead, they subscribe to a feed like shadowserver.org. Shadowserver.org gives them daily e-mails of systems in their network that are trying to communicate with malware command and control (C&C) systems. The daily e-mails provide the team with real data on the tip of the iceberg. The team now starts to explore what can be done. They start asking the questions:
- Which system is violated?
- Is the system fully patched?
- Are there any flow analytics or firewall logs on that system (e.g. Netflow)?
- How can the team figure out which other, potentially infected, systems the violated system is communicating with?
- What happens if the system is removed, filtered, or blackholed?
- Can the system be patched and if yes, does that fix the problem?
All of these questions help the IT Team figure out what they need in their organization to remediate the problem. It starts a gaps list of what they need to remediate the problem. This gaps list becomes the conversation piece for all security vendors and consultants. What does it cost? Time. Time to get the shadowserver.org feed started. Time to do all the in-depth “map the iceberg” analysis – exploring the tools that are in the network now.
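The “map the iceberg” questions above, as an added example (not part of the original post, and not the actual Shadowserver or Nfdump data format): a short Python script that starts from the hosts named in a feed report and uses flow records to list the other internal systems to check next. The column names, the 10.0.0.0/8 internal range, and every sample row are constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the organization's address space

# Constructed feed report (hypothetical columns): internal hosts seen calling a C&C.
FEED = """src_ip,cc_ip
10.1.4.23,203.0.113.50
"""

# Constructed flow export (hypothetical columns): source, destination, dest port.
FLOWS = """sa,da,dp
10.1.4.23,203.0.113.50,443
10.1.7.88,203.0.113.50,443
10.1.4.23,10.1.9.12,445
10.1.5.5,10.1.4.23,3389
10.1.6.6,198.51.100.7,80
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def internal(ip):
    return ip_address(ip) in INTERNAL

def map_iceberg(feed_text, flow_text):
    """Expand the hosts named in the feed (the tip) into hosts to check next."""
    feed = rows(feed_text)
    tip = {r["src_ip"] for r in feed}
    cc = {r["cc_ip"] for r in feed}
    same_cc, lateral = set(), set()
    for f in rows(flow_text):
        sa, da = f["sa"], f["da"]
        # Unreported internal host talking to a known C&C address.
        if da in cc and internal(sa) and sa not in tip:
            same_cc.add(sa)
        # Internal host that exchanged traffic with a reported host, either direction.
        for host, peer in ((sa, da), (da, sa)):
            if host in tip and internal(peer) and peer not in tip:
                lateral.add(peer)
    return {"tip": tip, "same_cc": same_cc, "lateral": lateral}

if __name__ == "__main__":
    for label, hosts in map_iceberg(FEED, FLOWS).items():
        print(f"{label}: {sorted(hosts)}")
```

The `same_cc` and `lateral` sets are the part of the iceberg the feed did not report; each host in them goes through the same patch-status and flow questions as the original system.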
What’s next? Don’t call the vendors yet! Start looking at the open source tools that are available. There is a range of open source tools that are used in very large networks as part of their security toolkit. For example, if you don’t have flow analytics in your network, pull down Nfdump/NfSen (Open Source). This tool gives you flow analytics at an open source rate. The deployment exercise will provide detailed network/security information, but also help the team understand what commercial Netflow analytics requirements (aka Threat Intelligence) might be needed beyond the open source. Next, look for other open source security tools. Do a Google search for “open source security tools.” The Bro Network Security Monitor (https://www.bro.org/) and Active Defense Harbinger Distribution (ADHD) (http://sourceforge.net/projects/adhd/) are two tools to get you started.
What do you get with this open source exploration? Security clue at lower cost and a new ability to know what your organization needs to buy to fill out their security battle plan. This battle plan would be based on what you need for effective remediation and incident response. It keeps the organization from wasting money on fancy “GUIs” that do not lead to action.
Bottom line, buying threat intelligence before you have built up your remediation skills is a dangerous distraction. Use the open source threat intelligence and open source security tools to gain the remediation skills. Yes, you will most likely need commercial security products, but you will make better decisions when you have invested the time to build the remediation capacity within your team.
Confused or need help? Ask me via LinkedIn or via e-mail at firstname.lastname@example.org.