What I wanted to point out here is that you can’t have attribution with regards to an attack by only analyzing the tool used, no matter how through the analysis. We all know IP’s can be changed, compromised, rented out….so relying on that wont work. Code can be borrowed, stolen, reversed so that isn’t conclusive either. This especially true if we are talking about Nation State sponsored cyber attacks. The tool is only part of the bigger picture. Attribution requires taking a step back and looking at that this bigger picture.  Who received the email? What is their role at the company? Where did the adversary get their email address? What tools did they use once inside? What order did they use the tools? What time of day, week, month did the carry out the attack? How did they exfil the data? What did they do with the data once exfiltrated? These are just examples of data not directly tied to the code in the malware that needs to be analyzed. Threat actors have patterns that they follow just a criminals have M.O.’s. However these cannot be relied upon completely. Misdirection is your friend when you don’t want to be named.  A lot of data needs to be analyzed before you are in the position to claim attribution. I would argue that few organizations have the expertise and experience to do so and fewer still could say conclusively, outside of Defense and Intel circles.

Also remember that not all advanced intrusion are APT just as not all APT intrusions are advanced. What helps constitute the Advanced in APT is their ability to pick the right tool for the job. They are not going to pull out their 0-days unless they have to, in my opinion anyway.

–Chris

[TAGS] APT, RSA [\TAGS]

–Chris

For those Splunk users out there the 2011 Splunk Users Conference will be August 15 – 17 in San Francisco. http://www.splunk.com/view/SP-CAAAFCW

I’ve been a big fan of Splunk for a number of years. Somtimes you just want to search your logs and create / modify the queries on the fly. Splunk gives you the flexibility to do that. A SIEM is a great log tool but it is not always the right tool for the job. Incident Response is one of those processes that I think Splunk is ideally suited.

–Chris

Technorati Tags: Splunk

For those so inclined The sixth annual APWG eCrime Researchers Summit call for papers is out, as part of eCrime ’11.

eCRS 2011 will bring together academic researchers, security practitioners, and law enforcement to discuss all aspects of electronic crime and ways to combat it, Topics of interests include (but are not limited to):

Papers need to be in the IEE format: Submissions should be in English, in PDF format with all fonts embedded, formatted using the the IEEE conference template, found here: http://www.ieee.org/publications_standards/publications/authors/authors_journals.html.

–Chris

Most of you have probably heard that Intel announced that it will acquire McAfee for almost $8 billion dollars. What I find interesting is that Intel paid $48 per share or about 60% more than the $30 per share where McAfee had been trading at. There are a lot of discussions about why Intel did this. Bruce Schneier has an interesting thread on this.

Having used McAfee at several companies I thought this quote particularly interesting.

McAfee may be able to optimize its notoriously performance-hungry software now that it’s a part of the company that provides the CPUs to many computers

Will we see an Intel based “antivirus chip” on mobo’s? Maybe….

–Chris

Technorati Tags: Intel, Mcafee

Technorati Tags: Defcon

Security Twits are people in security related jobs, companies, etc that use Twitter. We can thank Jennifer, aka Mediaphyter, for the name and the original blog post on the Twits. It’s actually a pretty impressive list of security folks using it.

If you have not tried Twitter you should. You may just find it useful if not downright addictive.

– Chris

Technorati Tags: Twitter, Security, Security Twits

I am curious as to what this will do for their NAC strategy, if anything.

–Chris

Technorati Tags: Juniper, switches, NAC

I first learned of Tor while at the NSA, back then it was more commonly known as Onion Routing. Tor is basically a series of servers setup with software that allows the forwarding of packets while hiding the originating IP address. One of the biggest problems with Tor is the “last hop” or exit router. This is the last Tor server (node) that handles the packet before it reaches the destination. This last node sees everything being passed and is not encrypted, unless the connection to the destination is done using SSL / TLS, IPSec, etc. The other issue with the exit router is that anyone can set one up. Since Tor is an open network you just need hardware to run the Tor software and a network connection. This is where Dan came in.</strong>

Dan simply setup several Tor servers and analyzed the traffic passing through these exit servers. All total he was able to gather over 1000 user names / passwords. In the interest of disclosure he did make some attempts to notify the organizations involved. It seems in most cases he was ignored or not understood. He then posted 100 of those accounts on the Internet.

The moral of the story. Encrypt it end to end if you expect any degree of privacy. Transport level and application level encryption is so common place these days it amazes me the number of people that don’t use it. The Wall of Sheep at DefCon is a good representation of this.  Will that solve everything? Of course not but it will definitely help.

–Chris

Technorati Tags: Tor, encryption, Dan Egerstad

http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html

–Chris

Technorati Tags: Hushmail, encrytped email

Yesterday Fred Wilson had a post on the “lead investor”. It was a great description of those VC’s who say they will invest but didn’t want to lead the funding round. Having seen this first hand (from the other side of the table from Fred), I thought it was dead on. My favorite quote:

“If you are raising a financing of any kind, spend all of your time looking for a lead investor. Qualify every meeting upfront. If the investor won’t lead, don’t take the meeting.”

Good article.

–Chris

Technorati Tags: VC, investors, Fred Wilson