It is fascinating how we are moving to a greater awareness in the security community that nation-state actors are actively developing and purchasing malware and exploits. Stuxnet was one of the first internationally recognized state malware specimens and it seems this trend is growing.
What does this mean to information security? Well, there are a couple of things that we have to get straight in our heads. First, traditional detection and prevention technologies are not going to work against this type of threat. We are talking about groups of people (i.e. nation states) that are putting a significant amount of time and resources into not only creating these programs, but doing robust reconnaissance on the target environments before launching their attacks. This should drastically change the way you architect your environment to deal with these threats. You should no longer be just worried about self-propagating worms. These were an annoyance and they were all the rage a few years ago. Granted, there is still a risk, but most likely self-propagating worms like Conficker will not bring your business or organization down. No, we should all be worried about attacks like Aurora, Stuxnet and things like FinFisher.
How do we best prepare? First, if you are a vendor and you are sending out emails about how your product "beat down Stuxnet" (we are looking at you CoreTrace) please stop. Just stop.
Look, we at PaulDotCom love Application Whitelisting products. We feel they are a class of product that every company should be looking at to get away from the traditional black list approach. However, when you say your product can “beat down” malware like Stuxnet and other highly targeted malware, you are not telling the whole story.
Why? Well, I cannot help but think that if a nation state was targeting an organization and they were running something like CoreTrace, they would find a way to bypass it. That is the nature of the threat that many organizations are facing today. Highly targeted attacks using custom malware to bypass your existing security support structure.
If the FinFisher incident shows us anything it is revealing how much some nation states and organizations are willing to spend on custom malware. 287,000 euros is not chump change. By the way, that is about $393,000USD.
Moving forward we need to start looking at how we can baseline our networks, systems, and applications. Then we need to start watching for deviations from the norm. There is no shiny box or product that is going to "beat down" all malware and attacks for you. It is just like health. We all know what it takes to be healthy. It requires a good diet and exercise. But that is hard. We would much rather buy a pill, which never has worked. But, it looks easy, so we give it a try anyway. Maybe, just maybe this time it will work. It is the same with security. We know what we have to do: know your network, your systems, your applications, test, test and retest. Then, when you are done testing, do it some more then hire an organization to do a pentest for you that actually knows what they are doing. Then, start over again.
Sure it is hard… But if it was actually easy we would all be out of a job.
p.s. We have nothing against CoreTrace. Their product looks solid and whitelisting rocks. It is just that their marketing department insists on making the company look like tools.
Originally discussed during episode 234
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration testers This April in Reston, VA April 15 - 23.