President Obama’s $19 Billion Cyber-Defense Budget and Plan is a Bold and Necessary Step

“The federal government is finally taking bold steps to fulfill what the Constitution says in its preamble – ‘to provide for the common defense,’ in this case, the common cyber defense.

The actions and budget announced today are an important recognition and investment in the defense of the critical information infrastructure of the United States, and provide an example for governments, businesses, and NGOs worldwide.

The plan recognizes that it is critical to implement platforms with analytics and capabilities to understand complex networks and assist in prioritizing what needs to be done first to improve resilience.

As the president writes in a Wall Street Journal op-ed, ‘we are still in the early days of this challenge.’ Networks will only grow more complex, creating opportunities for hackers and challenges for defenders.

The federal government’s new Chief Information Security Officer should be asking talented agency teams, ‘how are we measuring our cyber results and defenses? How are we thinking about resilience? And how are we determining the first step to take to make our digital infrastructure more resilient?’

Networks were not designed with cyberattacks in mind, so they are not resilient to them.  But it’s not too late. Building digital resilience into networks before attacks is the only way to get ahead of the ongoing, automated, and ever more sophisticated attacks.

The proposal by the President can be an excellent step in leading the world to a more cyber resilient future.”

Closing (and bolting) the back door in ScreenOS

by Dr. Mike Lloyd, CTO RedSeal

The recently disclosed back door in Juniper’s ScreenOS software for NetScreen firewalls is an excellent reminder that in security, the first and foremost need is to do the basics well.  The details of the vulnerability are complex and interesting (who implanted this, how, and what exactly is involved?), but that is not what matters for defenders.  What matters is knowing whether or not you have basic network segmentation in place.  This may sound counterintuitive – how can something as routine as segmentation solve a sophisticated problem like this?  But this is a textbook example of the benefits of defense in layers – if you think too much about only one method of protection, then complex things at that layer have to be dealt with in complex ways, but if you have layers of defense, you can often solve very complex problems at one layer with very simple controls at another.

The vulnerability in this instance involves a burned-in “skeleton key” password – a password capable of giving anyone who can use it potentially catastrophic levels of control of the firewall.  To compromise your defenses when you have this particular version of software installed, an attacker needs only two things – 1) the magic password string itself, which is widely available, and 2) the ability to talk to your firewall.  For point 1, the cat (saber-toothed in this instance) is long since out of the bag, but point 2 remains.  If someone can talk to your firewall and present a credential, they can present the magic one, and in they go, with full privilege to do whatever they want (for example, disabling all the protections you bought the firewall for in the first place).  No amount of configuration hardening can prevent this, since the issue is burned into the OS itself.  But what if the attacker cannot talk to the firewall at all?  Then the magic password does no good – they cannot present a credential if they cannot talk to the firewall in the first place.

So note that someone who relies on strong password policies has a real problem here.  If you think “it’s OK to allow basic access to my firewalls, nobody can get in unless I give them a credential”, well, that’s clearly not true.  Unfortunately, many network defenses are set up in this way.  If you think about this problem at the password or credential layer, the situation is a disaster.  But if you think about multiple layers, something more obvious and more basic emerges – why do you need to allow anyone, coming from anywhere, to talk to your firewalls at all?  You should only ever need to administer your infrastructure from a well-defined command and control location (using “C&C” in the positive sense used by the military), and you can lock down access so that only people in this special zone can say anything AT ALL to your firewalls and the rest of your infrastructure – you effectively reduce the attack surface, directly mitigating the huge risk of this kind of vulnerability.  Thinking in layers moves the question from “how do I prevent someone using the magic password?” (Answer: if you have the vulnerable software, you can’t), over to the easier and better question, “How do I limit access to the management plane of the firewall to only the zone I run management from?”
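The layered argument above reduces to one check a defender can actually run: which zones can reach the firewall's admin services at all? The following is an added example, not RedSeal's code and not ScreenOS syntax; it uses a constructed first-match policy evaluator, constructed zone addresses, and an assumed admin address of 10.0.0.1 to compare the "anyone may log in" rule set with a segmented one, and to show how an unrelated broad rule can quietly reopen the door.

```python
"""Management-plane exposure check for a firewall with a burned-in credential.
Added example, not RedSeal's code and not ScreenOS syntax. The credential
layer is assumed lost (the magic password works), so the only question
worth asking is which zones can talk to the admin services at all.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

ADMIN_PORTS = (22, 23, 443)    # ssh, telnet, https admin services
MGMT_IP = "10.0.0.1"           # constructed: the firewall's admin address


@dataclass(frozen=True)
class Rule:
    src: str                    # source CIDR; 0.0.0.0/0 means "any"
    dst: str                    # destination CIDR
    ports: FrozenSet[int]       # destination TCP ports; empty means "any"
    action: str                 # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.ports or port in self.ports))


def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


# Constructed zones, each represented by one sample host. A real check
# would walk every address in the zone, not a single representative.
ZONE_HOSTS: Dict[str, str] = {
    "mgmt": "10.0.0.50",
    "users": "10.10.3.7",
    "dmz": "192.0.2.10",
    "internet": "203.0.113.9",
}


def exposed_zones(rules: List[Rule], allowed: Tuple[str, ...] = ("mgmt",)) -> List[str]:
    """Zones outside `allowed` from which any admin port on MGMT_IP is reachable."""
    return sorted(
        zone for zone, host in ZONE_HOSTS.items()
        if zone not in allowed
        and any(decide(rules, host, MGMT_IP, p) == "permit" for p in ADMIN_PORTS)
    )


# "Anyone may log in, the password protects us": every zone can present the key.
WEAK = [Rule("0.0.0.0/0", "10.0.0.1/32", frozenset({22, 443}), "permit")]

# Admin services reachable only from the management zone; the key is useless elsewhere.
SEGMENTED = [
    Rule("10.0.0.0/24", "10.0.0.1/32", frozenset({22, 443}), "permit"),
    Rule("0.0.0.0/0", "10.0.0.1/32", frozenset(), "deny"),
]

# A broad rule added for some other purpose (users to the whole mgmt subnet)
# quietly reopens the door; the exposure check catches what the rule author missed.
LEAKY = SEGMENTED[:1] + [Rule("10.10.0.0/16", "10.0.0.0/24", frozenset(), "permit")] + SEGMENTED[1:]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("segmented", SEGMENTED), ("leaky", LEAKY)):
        print(f"{name:10s} exposed to: {exposed_zones(rules) or 'nothing'}")
```

The check answers the question the post ends on: after the rule change, every zone except the management zone should come back empty, and it should stay empty each time the policy is edited.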

2015 Alamo AFCEA Chapter Event (ACE) Speakers Focus on Solving Root Causes of Cybersecurity

For the third time in a row, I flew down to Texas at the end of the year.

The reason? To attend the important Alamo ACE event presented by the local San Antonio AFCEA chapter. With multiple sessions over three days covering primarily cybersecurity and ISR, the event draws 1500 military and industry leaders.

My takeaway? RedSeal’s cybersecurity analytics platform and approach to proactive digital resilience was validated by a series of senior leaders on the front lines of protecting our nation’s highest-value assets. Each of them is shifting focus to solving the root causes of cyber insecurity, rather than deploying a patchwork of tools. They realize that:

  • End users can’t manage their own security
  • A global black market has resulted in low prices for hacking toolsets
  • Commercial IT has a multitude of defects that create cyber risk

These military leaders equate mission assurance with security. This means:

  • The network must be survivable against all attacks and available 24×7
  • Users can have different authorizations for data access.
  • The DoD’s cyber supply chain interdependencies must be equally protected or the entire mission is at risk.

The first session I attended featured Steve Brown, the Vice President of Operations and Cyber Intelligence Center in the Global Cyber Security organization at Hewlett Packard. A former Navy and Wells Fargo senior security leader, Steve saw three big similarities across military and commercial organizations:

  1. The same critical data targets across DoD and commercial
  2. The same end user issues
  3. The same need to balance reward with risk

What keeps Steve up at night? Globally, 30 billion cyber events per day, and 1.4M on his networks! Steve works to make cyber investments about risk and reward. For example, to shorten the time lag between attack and response, he split up his Red Team and created a Cyber Hunting team. He gathers and shares intel wherever he can to see risk earlier and proactively take action.

On the same panel was Lt. Gen. (retired) Michael J. Basla, now Senior Vice President of Advanced Solutions for L-3 National Security Solutions (L-3 NSS) and former CIO of the US Air Force. According to him, the key challenges for US cybersecurity are:

  • No matter how well secured we are, they will get to us. Plan for it.
  • Focus on access rather than security
  • We must find successful hacks faster
  • We need to not only have a map of our digital infrastructure, but also know the terrain — including sections in the Cloud.

Later on, I sat in on a session featuring Maj. Gen. Burke E. “Ed” Wilson. He is the Commander, 24th Air Force and Commander, Air Forces Cyber, Joint Base San Antonio-Lackland, Texas.

Gen. Wilson gave a quick overview of the US Air Force’s cyber terrain, including an emphasis on securing their network, base infrastructure and weapons systems. This is a change from the past when the USAF was focused primarily on network defense. Now they also focus on base infrastructure and weapons systems. They struggle with how to provide mission assurance from cyber risk.

On the flight home, reflecting on this conference, I realized the DOD cyber security conversation has changed dramatically. The past focus on audit and inspections has given way to a realization that networks are critical to national security. They deliver the mission. Our military leaders understand the cyber threat to their missions and are now putting their focus behind creating the strongest possible defense.

Cyber Concerns Dominate 2015 AFCEA TechNet Asia Pacific

by Derek Heese, RedSeal’s Director, Department of Defense

I recently returned from Hawaii where I attended the AFCEA TechNet Asia Pacific trade show for the fifth time in a row. It’s always a good opportunity to hit a couple of birds with one stone: meet with some customers, develop relationships with new prospects and hear which issues and initiatives are getting the highest attention.

It wasn’t a surprise given the events of the past few years, but I was pleased to hear the deputy commander of the Pacific fleet, Rear Admiral Phillip G. Sawyer say, “If you’re not resilient in communications, you’re not relevant.” Of course, this applies to the traditional communications infrastructure as well as to cyber security.

As another speaker, Maj. Gen. Dave Bryan, USA (Ret.), pointed out, “We’re at war in cyberspace, and this has been a hard lesson to learn.” He added that the threat is not to network access or to the network itself, but to the data. “It’s the database, stupid,” he said. “Look for the technologies coming out that protect the database.”

Adm. Dick Macke, USN (Ret.), former commander, U.S. Pacific Command, offered deductive reasoning to set a high priority for cyberspace. “Cyber equals C2 [command and control], C2 equals victory. Therefore, victory needs cyber,” he stated. Adm. Macke called for the ability to beat the enemy at its own game. “We’re going to be attacked, and we are going to lose some part of our C2,” he warned. “I’m a warfighter, and I want rules of engagement that allow me to attack [cyber] before I have to defend.”

Needless to say, we had a steady stream of visitors drop by our booth, mostly new prospects, asking how RedSeal could provide solutions to their various problems. Network mapping. Vulnerability identification.  Automating security controls. As one Navy officer said, “If you have to do it more than twice, automate it.”

I agreed. And we scheduled a demo of RedSeal for his team this week.

BLUE vs RED – Leveling the playing field

Blue vs Red. No, not the Rooster Teeth series for the Halo fans out there. For those that do not know how the reference pertains to cyber security: Blue teams can be looked at as the good guys (cyber defenders) and Red teams are the bad guys (attackers). Not to say the Red teams are “bad guys”; their job is to identify weaknesses in order to teach and improve the capabilities of the Blue teams.

The U.S. military runs Red vs Blue cyber war games, and I had the opportunity to participate in them during my time in the Intelligence Community. I quickly learned that all war games (whether simulated kinetic wars or simulated cyber wars) are rigged to make it impossible for the Blue team to win. Reminiscent of Star Trek’s Kobayashi Maru scenario that Captain Kirk had to participate in at the Star Fleet Academy. Why on earth would you do that? So when the real thing happens you won’t be surprised and you’ll know how to handle it.

The only thing that was a shock to the U.S. military during the war of the Pacific in World War II was Kamikazes. The U.S. military had war-gamed every scenario to include a sneak attack on Pearl Harbor. They never imagined suicide attacks in that day and age so it wasn’t part of the games. But, with that single exception, they were prepared to deal with everything that occurred.

I often describe how RedSeal can help Blue teams when I give demonstrations. RedSeal’s native ability to calculate every possible access path and attack vector is basically a cheat for Blue teams, just as Kirk defeated the Kobayashi Maru scenario by changing the rules (or cheating). Historically, Blue teams have had to find every possible path into the network and every possible attack vector or exposed vulnerability in order to defend the network. This takes vast amounts of time and effort, and many times is impossible to achieve. The Red team only has to find one way in, and they have all the time in the world to do it.

A lot of Blue team personnel attend our conferences where they get energized about the possibilities RedSeal can open up for them. RedSeal allows the Blue teams to identify the most critical or highest risk access paths and attack vectors in the network, automatically, every day. There are other Blue teams who are known as auditors or vulnerability assessment teams. They look at snapshots of a network’s security posture and network resiliency. Typically these audits are manual, labor intensive and time consuming efforts that consist of collecting and reading network configuration files, reviewing vulnerability scan data, and performing analysis to merge the data into actionable reports. RedSeal can automate this process, turning what could take weeks or months into just a few days, so Blue teams can cover greater portions of the enterprise faster.

Then there are those sneaky Red team people.  Remember them? They only have to find one way in. I don’t get many of them openly announcing themselves at conferences but they do pop up from time to time. They ask, “Can we use RedSeal to automate the analysis to find ways in and pivot or leapfrog through the network?” Well, the answer is yes. As you move through the network and collect data, you can feed it into RedSeal to figure out your next move or moves. There is a misconception that breaches are blitzkrieg style attacks — meaning that once the attacker is in, it is game over. In fact, most of the time they have to continue to move through the network to achieve their objective — and then get out with the data without being detected. If you have a model of the network that shows where access is and is not and what vulnerabilities could be leveraged as you push deeper into the enterprise, it removes the unknowns and allows you to move with more certainty towards your goal.

RedSeal is a tool to defeat an impossible scenario. Whether it’s faster time to exploitation or to identification and remediation, RedSeal allows both Red and Blue teams to accomplish their goals faster and with more accuracy through automation. Live long and prosper!

Reluctant Recipient to Willing Participant: Operationalizing RedSeal

by Wayne Lloyd, Federal CTO RedSeal

Not too long ago I had a customer, “Joe”, explain to me how he overcame organizational challenges and got his network team to operationalize the findings from RedSeal.

Joe started by taking advantage of RedSeal features that can be leveraged immediately upon deployment, such as the Best Practice and STIG checks. He generated a report and sent it over to the transport team, convinced that they would recognize the findings’ importance and promptly start remediation efforts.

Unfortunately for Joe, the transport team was busy with their own operational tasks, and he’d just dumped a phonebook worth of problems in their lap.  The first issue they had: More work! More importantly, they had no idea where the data came from and didn’t trust its accuracy. They reacted the same way the people I’ve worked with did; they ignored it. They had to focus on their own priorities. It’s hard to justify overriding operational or mission requirements with new (not mandatory) tasks.

Joe is not the type to be ignored or take no for an answer; he chose another tactic.  He printed three high-priority findings and personally showed them to the most receptive network team members. He didn’t present the findings as issues that needed immediate attention; instead, he asked for help in verifying them. They reviewed the three findings, validated them as real issues that needed immediate resolution, then thanked Joe for sharing them.

A few days later he did the same thing with the same result.  After weeks of this, the network team came to trust the findings and wanted to know where they came from. He told them it was RedSeal, and they jumped at his offer to have the reports automatically emailed to them. They wanted to learn what else RedSeal could provide.

What I learned from this is if you want to gain acceptance, you can’t just dump mountains of work on an unwitting team that is already over tasked.  You have to slowly gain their trust a little bit at a time.  Show them that you’re really on their side and not there to tell them they are doing things wrong.  Once they have confidence in the data, they will ask for more. Once they gain trust in the results, they will operationalize it into their own workflow as a willing participant… rather than a reluctant recipient.

Using inflight entertainment systems to hack into commercial airline controls?

Recent headlines tell us that “Feds Say That Banned Researcher [Chris Roberts] Commandeered a Plane.” As always, there is more to the story. In fact, there are claims and counter-claims about what Chris Roberts actually did.  The FBI search warrant says he did actually send control commands that impacted the flight path of the aircraft, but this is currently unproven.  The whole incident brings focus on the issue of what is called lateral movement – can someone with access to, for example, the inflight entertainment system of an aircraft use that toe-hold to reach further into the network to do actual harm?

Once, aircraft control machinery was effectively offline, not connected to any outside networks. But, as we’ve seen in recent coverage (including the loss of Malaysian Airlines Flight 17) aircraft are much more inter-connected than they used to be.  They connect to the outside world in several different ways, ranging from satellite-based networks for flight telemetry to networks used to provide Internet access from passenger seats.  As these networks proliferate, they inevitably touch; and any touch point is something an attacker can use.  The number of possible weak points multiplies over time.

The questions raised by this story are the current frontier of security, and apply well beyond aircraft.  We rely more and more on networks that we cannot easily see or understand.  Defects in one network can open up access to another. Attacks can work upwards like grass through cement, finding weak points and cracking hard defenses.  What all defenders need to learn to do is to use technology to monitor technology. As our networks grow larger than we can understand, human effort and good will are not enough. This is why the current emphasis in security is on automated testing of defenses. We look for lateral movement opportunities, so we can isolate the truly critical things – say an aircraft’s control network – from the far less important, such as the inflight entertainment systems.

What SendGrid can teach us about dependency

The watchword for the SendGrid breach is “interdependence”.  In the online world, we may think we’re dealing with one company, but we’re actually dealing with them and with every other company they choose to deal with.  This makes an ever-widening attack surface.  (The breaking news about the Chinese “Great Cannon” software shows similar patterns.)  These days, if you visit a website, you can be confident you are actually talking to a huge variety of other organizations that provide ads, traffic monitoring, or other legitimate services.  One recent study of a popular news site showed that reading a simple news story meant your browser spoke to 38 distinct hosts, spread across no less than 20 different organizational domains!  The problem is that this array of services is very large, and a chain is only as strong as its weakest link.  Attackers only need to find one weak point to start an attack.

KCBS Interview on Obama’s information sharing initiative

I recently recorded an interview with KCBS on Obama’s announcement of the Cyber Threat Intelligence Integration Center.  I do believe this is good news, but I confess, I worry about the way all these proposals describe how data will go into the government, with very little said about how anything will ever come out.  In the scope of a 5 minute live interview, there wasn’t a lot of time for that kind of subtlety!

The Next Manhattan Project

Just participated in The White House Summit on Cybersecurity at Stanford.  The President and all the participants focused on the fact that cyber is the threat of the 21st century, that government alone can’t protect us, and that no company has the resources to completely protect itself.  Recent history confirms this.  Thus to collaborate, to share, and to work together is our only real solution.  There were plenty of nods to the Constitution and privacy.  Tony Earley, CEO of PG&E, said that we need to work together like we did on the Manhattan Project.  Now that is big thinking, and a big call to action.  I couldn’t agree more.