Friday, August 17, 2007

Bruce Potter vs. ecard

At Defcon 15, Bruce Potter gave an awesome talk titled "Dirty Little Secrets of Information Security" that I certainly hope makes its way to YouTube soon, especially for those folks that were asked to leave the far-too-tiny room in which Bruce was speaking.

A little background: When Shmoo Group forms like Voltron, Bruce (aka gdead) happens to be the head. The big, loud, talking head. Bruce is also a consultant at Booz Allen, one of the ShmooCon organizers, and one of the most entertaining speakers working the *Con circuit today (he's like Johnny Long with IRC cred). I'm a fan of what Bruce has to say, generally.

So back to his DefCon talk. On slide #6 (going from the PDF on the DefCon CD, which is different than the slide deck he actually used), Bruce announced that "Defense In Depth is Dead." Naturally, I disagree. Defense in depth is hardly dead; in fact, it's pretty much the only chance you have. And so I present to you, dear readers...






BRUCE POTTER VS. ECARD


I'm going to use the case of the ecard worm outbreak to disprove Bruce's assertion that defense in depth is dead.

Bruce says...
  • We start with bad code
  • Then we added firewalls
  • ...but still bad code
  • Then we added AV, IDS, and anti-spam
  • ...still bad code
  • Then we added 2-factor auth and single sign-on
  • ...bad code again
  • Then we added application firewalls
  • ...code is still bad, plus we have LOTS MORE code now
  • We have lots of security controls, environmental complexity, and mad technology, but we still get owned because of bad code. So fix the code, stupid.
ecard...
  • Didn't exploit code vulnerabilities in your OS, browser, or anything that runs code
    • Front of shirt: "SOCIAL ENGINEERING SPECIALIST"
  • Was delivered by sending e-mail messages with links in them that got users to download and run the dropper, which did all of the mass pwnage.
  • Wasn't blocked by most firewalls because it used inbound SMTP and outbound HTTP
  • Kicked my AV vendor's ass for several weeks by repacking binaries
  • Schooled really stupid spam filters by changing its delivery message and download URL
  • Got past IDS until the vendors wrote signatures for it
  • BUT couldn't install on machines where the user wasn't a local administrator
  • It WAS found by monitoring firewall logs in the SIM
  • AND was stopped when the application firewall was configured to block "http://*/ecard.exe" requests
  • AND when Group Policy disallowed the execution of files named ECARD.EXE
  • PLUS NOW my spam vendor has decent filters that catch it
  • AND my AV vendor is detecting the first 8 of 13 variants... OK, they still suck
  • BUT we don't have ecard problems because we had a variety of defensive measures available to protect local and mobile users until the storm subsided.
So there are two take-aways from this. First is that defense in depth still works today as long as you are monitoring and managing it. Just buying products and plunking them in won't save you. And your super-cool security gadgetry won't always be the most effective tool for addressing a new threat. Second is that despite proving Bruce Potter wrong about defense in depth, ecard proves him right about his second point, "You Can't Train Everybody." So there you go.
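
The log monitoring and the "http://*/ecard.exe" block rule mentioned in the list above can be checked together against web proxy or firewall logs. This is an added example, not code from the original post; the log format, the sample lines, and the names `matches_rule` and `summarize` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in an assumed format:
#   timestamp  source_ip  method  url  action
SAMPLE_LOG = """\
2007-08-14T09:02:11 10.1.4.23 GET http://203.0.113.7/ecard.exe ALLOW
2007-08-14T09:02:40 10.1.4.23 GET http://www.example.com/index.html ALLOW
2007-08-14T09:05:02 10.1.7.88 GET http://198.51.100.20/ECARD.EXE ALLOW
2007-08-14T09:05:09 10.1.7.88 GET http://198.51.100.20/ecard.exe?id=4 ALLOW
2007-08-14T09:11:30 10.1.9.5 GET http://example.org/cards/ecard.exe.html ALLOW
2007-08-14T09:12:00 10.1.4.23 GET http://192.0.2.44/ecard.exe DENY
garbage line
"""

def matches_rule(url, filename="ecard.exe"):
    """Interpret http://*/ecard.exe as: plain HTTP, any host or directory,
    last path segment equal to the filename (case-insensitive, query ignored)."""
    parts = urlsplit(url)
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    return parts.scheme.lower() == "http" and last_segment == filename

def summarize(log_text):
    """Map each internal source IP to the hosts it requested the file from
    and how many of those requests were allowed versus denied."""
    hits = defaultdict(lambda: {"hosts": set(), "allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed format
        _ts, src, _method, url, action = fields
        if not matches_rule(url):
            continue
        entry = hits[src]
        entry["hosts"].add(urlsplit(url).hostname)
        entry["allowed" if action == "ALLOW" else "denied"] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, sorted(info["hosts"]), info["allowed"], info["denied"])
```

A source with allowed requests fetched the file before the block rule took effect and is the one to follow up on; denied requests show the rule doing its job.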
