MIRcon 2013 - What Really Happened
My first MIRcon is in the books and I have to say it was a great experience from start to finish. The agenda, food, staff, accommodations, and attendees were all top notch. Some people may complain based on the fact that this year’s conference was the first year they started charging, however I would find it very hard to believe it was for any profit, but more to slightly offset the costs which I think far exceeded any registration fees. I also really love the fact that the conference is relatively small. I believe this is want people want compared to the horribly overcrowded RSA & Blackhat experience. I also heard they were considering adding a more technical 3rd track and I think that would be a great idea. Also, how about hosting a capture the attacker event? How cool would that be.
Richard Bejtlich, Chris Bream, Kevin Mandia, and Grady Summers all brought their A game and delivered a home run in terms of their speaking and moderating. Everything ran smoothly, great questions were asked, and I never noticed any audio/video problems that plague many other conferences. My only complaint was that a certain privacy fanatic, who anyone who was following twitter knows who he is, kept submitting anti-NSA or anti-gov questions over and over, drowning out potential questions that may have been more relevant and insightful. My response to him is, please take that to a privacy or EFF conference. While I value constitutional rights as much as anyone, this was an incident response focused event.
My first night there I was able to attend an excellent dinner for the North/Central Mandiant customer base at Old Ebbitz Grill. I highly recommend the crab cakes, but that’s pretty much my staple meal while in the DC area. I got to have some great discussions with a lot of Houston based energy people and even some large financials. They are doing a lot of great proactive things and it’s always good to talk with like minded people passionate about security. I also learned a new term(Sidecar) for people who run their own MIR in addition to Managed Network Defense.
Following a kick off from Richard Bejtlich, Kevin Mandia detailed some very timely ideas. We must learn to cope with our IT posture eroding over time. How do we address that in an ongoing, programmatic way? IT is proliferating exponentially faster than our security frameworks ability to protect it. He also implored the audience to adopt a community driven approach. Don’t hunt alone; hunt in packs and good things will follow.
Grady Summers then lead a panel talking about some new trends emerging in the last year. They are seeing an increased use of encrypted C2 and C2 taking advantage of public services. For example proxying your encrypted C2 configuration file through a google or bing translate service. This can and should be detected by analyzing the URL contained in the URI of the GET request. Use of the gmail calendar and msn chat were other C2 methods discussed. They did state they are seeing a reduction in the use of malware, however I’m not sure I agree with that. Perhaps it’s a sign that the attackers are spending less time on the initial foothold and more time moving about your infrastructure with legit credentials. There was time spent on discussing how attackers are more easily able to blend in with the noise by backdooring SSH or hijacking outlook via the MAPI. And of course, the old reliable vector of partner VPN access. They did highlight the fact that Mandiant customers over the last year have been able to reduce their time to detect a compromise from ~416 days to ~243 days. While not anywhere remotely good, at least it’s a large improvement. Someone also recommended Raytheon’s SureView product.
Eric Hutchins gave a nice overview and demo of the iPython Analyst Notebook. The primary driver for this is to effectively share tools and analysis between team members. The goal is to improve your depth of documentation. He highlighted the key attributes as Results, Methodology, and Means. This would be useful in any team, but especially in large, geographically disperse teams with people of differing skill levels. iPython is not multi user yet, however it is on the roadmap. I believe the killer feature of the app, was the ease with which you can share your scripts and have others use, improve, and validate your work. He is has released his scripts on github and nbviewer.ipython.org has some other examples.
Next I attended a talk on Rapid Response by Shanna Battaglia and Mike Scutt, both of Mandiant. The key questions they are trying to answer upfront in order of speed are:
- How is the adversary communicating?
- How did they get in?
- What are they going to do next?
Some of their favorite techniques include getting command line strings from CSRSS and CONHOST, reviewing prefetch, and looking for explicit logons.
Zane Lackey of Etsy (codeascraft.com) had some great ideas in his talk on Attack Driven Defense. Key recommended operations goals included:
- raising the cost to the attacker
- increasing your odds of detection
- defending based on real attack data
He said we can save ourselves a lot of pain by analyzing which Certificate Authorities your company are actually using regularly and removing the ones used rarely. This could possible prevent a DigiNotar type compromise. I loved his quote on using laziness as a weapon to make it harder for people to use insecure technologies, but easy to use secure software. He also highly recommended finding ways to incentivize users to report suspicious activity.
Jennifer Kolde gave a great talk on the Art of Threat Intel. Threat Intel is not 10yr old attack data, not hypothetical, and must be something existing or emerging. Some of the key benefits of Threat Intel include faster identification of the enemy and being able to successfully anticipate their next moves. Indicators vary in uniqueness, proximity, and fidelity. Proximity was a very important concept. The farther away your data point is away from the actual attack, the less relevance or confidence it might have. Primary indicators include raw data directly involved in the attack, such as the spearphish email or malware binary. We don’t need to “Attribute All The Things”. That’s just silly and futile. Mistakes are a part of the process and always will happen. It’s important to review your previous attributions and reanalyze them for changes. I was very excited that my question was selected and asked to Jennifer. It was “What are key requirements or capabilities for a small, non-DIB company to start an effective threat intelligence program?” Her answer was:
- At least 1 dedicated person to review and analyze attack data
- Have a primary focus on your attack data, not other publicized attacks
- Identify and track relevant indicators
- Correlate those indicators to see where patterns of behavior overlap
I really liked this presentation; however I can’t wait until people (anyone), starts talking trade craft. The non-security and non-dib companies need your help.
Robert Mueller gave an interesting talk. I had no idea he was never an agent and came up through the legal system. He said it’s important to remember that behind every computer there is a person. And you cannot fight cyber problems with just cyber capabilities. You need to integrate other areas of expertise and tools. He had some very great advice for dealing with bureaucracies. Ignore peoples embellished job titles and focus your energy on the people respected in the organization who get things done. He often jumped to the bottom line and said “What is the issue?” point blank to the people coming into his office needing a decision. Also how and when you delegate is often your most important decision. Sometimes micromanaging is absolutely required until you build trust. His primary example was the failed FBI VCS system, which was ultimately cancelled and delivered by a new contractor. I did get the impression that cyber issues were a very distant third to the other top two priorities of Counter Terrorism and Counter Intelligence. He did close by stating that complete destruction of data was his biggest fear when it comes to cyber-attacks, which surprised me because I expected something with kinetic damage to come from him.
Of course the Mandiant Code of Arms reception that followed was amazing. There was great food and even better beer. The beer snobs were happy. I also got to catch up with some old buddies and meet new friends. A nice after party followed over at the top of the W, where Mandia made a surprise appearance.
The next morning, General Hayden gave an impressive keynote. Everything he said was dead on and insightful. He conjectured that the Cyber Revolution is the most disruptive event since the Europeans discovered the western hemisphere. Some people believe that our entire brain cognitive functions and the way we interact with people is in a state of flux. Spending 8hrs a day with a computer literally changes the pathways in your brain according to some scientists. He gave a great summary of all the cybercrime activity in the post-soviet space. Confirming what we all know, that the Russians allow them to operate as long as they attack outwards and do their bidding when asked. He also pondered what will happen when the hactivists start to increase their skills and expertise? That isn’t going to be good for anyone. It will likely get worse before it gets better. The US government is chronically “late to need”. In its current form, timely help is unlikely. He recommended reading published works from Stewart Baker, his former General Counsel at the NSA. General Hayden said we have not made it clear what we want or will allow the federal government to do to defend US cyberspace. For instance, GCHQ in the UK has significantly more authority to defend cyber interests than the US. We have advanced capabilities that are sitting on the sidelines until authorization and legislation clears a path forward. In a post Snowden era, nothing productive will occur for the next few congressional sessions. This includes improving government and private information sharing. He did say that awareness to cyber threats has clearly risen however. 5 years ago they had to call CIOs. Today CEOs are calling them for help. The new standard is assumption of breach and survival while penetrated. Good threat intel, can stop you from having to defend against everything, because you have more details to focus on the specific threats aligned against you. I left this talk thinking not only is this guy extremely smart, but grateful that he was in a position to protect us.
Next I attended a very different talk by Lhadon Tethong of the Tibet Action Institute. The state of affairs in Tibet is horrible, where Chinese oppression and violence goes largely unreported. In fact, no media is allowed to enter Tibet. This is notable because even North Korea allows journalist to visit. Tibet has been occupied for over 60 years and photos of the Dali Lama are illegal. Because they had little technical expertise and even less funding, they endorsed a very aggressive and broad-based user awareness campaign. The sample video clip she played for audience was funny and memorable. I can see it working and would love to play that for my users. Some notable things that came out of the talk, were that at one point, the Chinese had tampered with their smartphones. During the lead up to the Olympics all their phones got stuck in a loop calling each other. Or sometimes playing horrible torture sounds. The CitizenLab group they work with believe the intrusion set they are dealing with are trainees looking to gain experience before moving on to more advance operations and more well defended targets. Also mentioned was that both WeChat and TomSkype have Chinese backdoors. They have also done analysis to map out which keywords in conversations trigger further surveillance. Knowing this can add some protection. When asked by the audience on how we could help I was surprised by the answer. I felt like there was some fear in the answer and not being able to trust and vet anyone that might want to help them. Overall this was a great story to hear and really drives home the point that in this particular cyber conflict, there is a definite life or death risk.
My last talk that I attended was by Liam Randall covering uses for Bro in the ICS/SCADA space. He stated that there is a lot of FUD in the industry, and yet few are talking about details of actual attacks. At the end of the day, most of these devices are simply computers running embedded linux. Checkout CVE-2013-2802. BuildRoot can be used to create and embedded linux appliance quite easily. The Carna Botnet aka The Internet Census 2012 was a publicized attack on video cameras. His new code snippets will be published on github.
The next day I had the pleasure of attending the Customer Advisory Board meeting. This was a tremendous opportunity for me to help influence the direction of product development and also hear what my peers think. A lot of people are creating customizations and integrations to extend the capability of MIR and I only see good things to come with MSO and future Mandiant products.
In conclusion, I would highly recommend this conference to others. From c-levels to front line responders, it provides a lot of value and direction. I hope the conference continues to remain small and I look forward to attending in the future.