A little background: When Shmoo Group forms like Voltron, Bruce (aka gdead) happens to be the head. The big, loud, talking head. Bruce is also a consultant at Booz Allen, one of the ShmooCon organizers, and one of the most entertaining speakers working the *Con circuit today (he's like Johnny Long with IRC cred). I'm a fan of what Bruce has to say, generally.
So back to his DefCon talk. On slide #6 (going from the PDF on the DefCon CD, which is different from the slide deck he actually used), Bruce announced that "Defense In Depth is Dead." Naturally, I disagree. Defense in depth is hardly dead; in fact, it's pretty much the only chance you have. And so I present to you, dear readers...
I'm going to use the case of the ecard worm outbreak to disprove Bruce's assertion that defense in depth is dead. First, his argument, as I read it from the slides:
- We start with bad code
- Then we added firewalls
- ...but still bad code
- Then we added AV, IDS, and anti-spam
- ...still bad code
- Then we added 2-factor auth and single sign-on
- ...bad code again
- Then we added application firewalls
- ...code is still bad, plus we have LOTS MORE code now
- We have lots of security controls, environmental complexity, and mad technology, but we still get owned because of bad code. So fix the code, stupid.
Now here's what the ecard worm actually did, and what stopped it:
- Didn't exploit code vulnerabilities in your OS, browser, or anything that runs code
- Front of shirt: "SOCIAL ENGINEERING SPECIALIST"
- Was delivered by e-mail messages containing links that got users to download and run the dropper, which did all of the mass pwnage.
- Wasn't blocked by most firewalls because it used inbound SMTP and outbound HTTP, which most firewalls allow anyway
- Kicked my AV vendor's ass for several weeks by repacking binaries
- Schooled really stupid spam filters by changing its delivery message and download URL
- Got past IDS until the vendors wrote signatures for it
- BUT couldn't install on machines where the user wasn't a local administrator
- It WAS found by monitoring firewall logs in the SIM (security information management system)
- AND was stopped when the application firewall was configured to block "http://*/ecard.exe" requests
- AND when Group Policy disallowed the execution of files named ECARD.EXE
- PLUS NOW my spam vendor has decent filters that catch it
- AND my AV vendor is detecting the first 8 of 13 variants... OK, they still suck
- BUT we don't have ecard problems because we had a variety of defensive measures available to protect local and mobile users until the storm subsided.
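As an added example (mine, not code from the post or from any vendor mentioned in it), here is what the SIM hunt and the app-firewall rule above boil down to, run over a constructed proxy/firewall log. The log format is made up, the server addresses are RFC 5737 documentation ranges, and the "executable from a bare IP" heuristic is my assumption rather than something the post states. It applies the post's own `http://*/ecard.exe` glob, then shows the gap that glob leaves when the dropper gets renamed, which is exactly the trick the worm used on the spam filters.

```python
import fnmatch
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of outbound HTTP requests in a made-up firewall/proxy log
# format (timestamp, client IP, method, URL, status, bytes). Not real log data;
# server addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2007-07-02T09:14:03 10.1.4.22 GET http://203.0.113.45/ecard.exe 200 118784
2007-07-02T09:15:11 10.1.4.22 GET http://www.example.com/index.html 200 5120
2007-07-02T09:16:40 10.1.7.9 GET http://198.51.100.17/ECARD.EXE 200 118784
2007-07-02T09:20:02 10.1.9.31 GET http://192.0.2.88/card.exe 200 121344
2007-07-02T09:21:55 10.1.2.15 GET http://downloads.example.org/setup.exe 200 2093056
2007-07-02T09:22:10 10.1.4.22 GET http://203.0.113.45/ecard.exe 403 0
"""

# The application-firewall rule quoted in the post, in the same glob syntax.
BLOCK_PATTERNS = ["http://*/ecard.exe"]

# Extensions Windows runs directly when a user double-clicks the download.
EXE_EXTENSIONS = (".exe", ".scr", ".pif", ".com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, nbytes = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes)}


def is_bare_ip(host):
    """True if the URL's host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_block_rule(url, patterns=BLOCK_PATTERNS):
    """Apply the app-firewall glob. fnmatch's '*' spans '/', so it covers any
    host and any directory depth; lower-case first so ECARD.EXE is caught too."""
    return any(fnmatch.fnmatchcase(url.lower(), p.lower()) for p in patterns)


def classify(entry):
    """Return the reasons a request looks like the dropper download (empty = clean)."""
    reasons = []
    u = urlparse(entry["url"])
    if matches_block_rule(entry["url"]):
        reasons.append("known-dropper-name")
    # Heuristic that is my assumption, not a claim from the post: an executable
    # fetched straight from a bare IP address. It survives a rename of the
    # dropper, which the filename rule above does not.
    if u.path.lower().endswith(EXE_EXTENSIONS) and is_bare_ip(u.hostname or ""):
        reasons.append("exe-from-bare-ip")
    return reasons


def find_suspect_clients(log_text):
    """Group suspicious requests by internal client. A 2xx means the dropper
    actually arrived; a 403 from the app firewall is still an attempt that
    identifies a user who clicked the link and a mailbox the lure reached."""
    suspects = defaultdict(lambda: {"reasons": set(), "urls": set(), "delivered": False})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if not reasons:
            continue
        rec = suspects[entry["client"]]
        rec["reasons"].update(reasons)
        rec["urls"].add(entry["url"])
        if 200 <= entry["status"] < 300:
            rec["delivered"] = True
    return dict(suspects)


if __name__ == "__main__":
    for client, rec in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        state = "DELIVERED" if rec["delivered"] else "blocked"
        print(f"{client}: {state}; {', '.join(sorted(rec['reasons']))}; "
              f"{', '.join(sorted(rec['urls']))}")
```

Run against the sample, three clients come back: two fetched `ecard.exe` and trip both the post's glob and the bare-IP heuristic, while `10.1.9.31` pulled a renamed `card.exe` and is caught only by the heuristic. That renamed case is the point: the `http://*/ecard.exe` rule and the Group Policy rule on `ECARD.EXE` both key on a name the attacker controls, so they bought time but were never going to hold on their own, which is why the rest of the layers in the list above mattered. The `setup.exe` from a real hostname is left alone so the check doesn't page you on every legitimate installer.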