
SAÂD KADHI, HEAD OF CERT-EU.

HACK.LU 2019 / 2019-10-23 / PUBLIC / TLP:WHITE

DISTURBANCE: THE SORRY STATE OF CYBERSECURITY AND WHAT WE CAN DO ABOUT IT

v1

IN THE BEGINNING

IN THE BEGINNING, A CYBERSECURITY PRODUCT WAS BORN

THE ANTIVIRUS

IN THE BEGINNING, IT PROTECTED US (TO SOME EXTENT)

CATEGORIES: WORMS, TROJANS & RATS, RANSOMWARE, FILELESS MALWARE, POTENTIALLY UNWANTED APPLICATIONS

TIMELINE: BRAIN (1986), AIDS (1989), EGABTR (1989?), NETBUS (1998), ILOVEYOU (2000), CODE RED (2001), NIMDA (2001), SLAMMER (2003), CONFICKER (2008), FINFISHER (2011?), MIMIKATZ (2011), DARKCOMET (2012), REVETON (2012), CRYPTOLOCKER (2013), POWELIKS (2015), PETYA (2016), WANNACRY (2017)

NEITHER THIS SLIDE (NOR MY LIFE) WILL SUFFICE TO LIST THEM ALL

Source: Wired

HOW DID WE END UP HERE?

CYBERINSECURITY: THE COST OF MONOPOLY
HOW THE DOMINANCE OF MICROSOFT’S PRODUCTS POSES A RISK TO SECURITY
DAN GEER, SEP 24, 2003

THESE EXAMPLES ARE ALL TELLTALE SIGNS OF THE DOMINATING MONOCULTURE

BUT… A MONOCULTURE HAS ADVANTAGES

(AND THE SECURITY OF MS PRODUCTS HAS SIGNIFICANTLY AND STEADILY IMPROVED)

HOWEVER, CLASS BREAKS ARE TOO COSTLY TO IGNORE

CLASS BREAKS 101

TARGETS A CERTAIN PIECE OF SOFTWARE -> COMPROMISES A CERTAIN DEVICE

MONOCULTURE & STANDARDISATION: TARGETS A WIDELY DEPLOYED PIECE OF SOFTWARE -> COMPROMISES HUNDREDS IF NOT THOUSANDS OF DEVICES

Source: Google's Project Zero

CLASS BREAKS: EXAMPLES

SYMANTEC ENDPOINT PROTECTION (2016)

2012-2018: GOOGLE’S PROJECT ZERO FOUND SEVERAL HIGHLY CRITICAL VULNERABILITIES IN MANY OTHER AV PRODUCTS (KASPERSKY, ESET, COMODO, TRENDMICRO, SOPHOS…)

Source: The Register
Source: imgflip.com

FROM SUPPLY-CHAIN ATTACKS TO CLASS BREAKS

TARGETS COMPANY X (SECONDARY TARGET), WHICH IS A SUPPLIER OF COMPANY A -> COMPROMISES COMPANY A (PRIMARY TARGET)

Source: Reuters

TARGETS COMPANY X (SECONDARY TARGET), WHICH IS A SUPPLIER OF MANY ORGS -> COMPROMISES TENS IF NOT HUNDREDS OF COMPANIES (COMPANY A, COMPANY B, COMPANY C, COMPANY D, COMPANY E, COMPANY F, COMPANY G, COMPANY H)

THIS IS NOT THEORETICAL

2016 ?

2019

Source: Arstechnica

MARCHING TOWARD FAILURE

IN THE BEGINNING…

THE ANTIVIRUS:
INSUFFICIENT (COVERS ONLY A CERTAIN CLASS OF THREATS)
FALLIBLE (FAULTY SIGNATURES, BSOD)
INSECURE (TOO MANY PARSERS, BAD CODING)
EXCELLENT VECTOR (FOR A NICE CLASS BREAK ATTACK)

WITH GROWING DIGITALISATION COMES PRODUCT PROLIFERATION

UBA, UEBA, UTM, SANDBOX, 2FA, NETWORK ANTI-MALWARE, VPN, FIREWALL (WITH DPI), NIDS, THREAT FEEDS, VULNERABILITY SCANNERS, WAF, THE ANTIVIRUS, NIPS, TIP, ANTI-SPAM, SOAR, SIEM, EPP, PERSONAL FIREWALL (WITH DPI), PROXY, DLP, EDR

Source: RSA Conference

LIKE THE ANTIVIRUS, THESE ‘SOLUTIONS’ ARE ALL PART OF THE ATTACK SURFACE

10 Oct 2019, Source: ZDNet
7 Oct 2019, Source: thebestvpn
2019, Source: TechCrunch
2011, Source: CSOOnline

… RUNNING ON TOP OF VULNERABLE PROCESSORS

Source: https://meltdownattack.com

Source: https://foreshadowattack.eu

Source: https://zombieloadattack.com

AND THEY NEED HUMANS & €€€ TO INSTALL, USE AND MAINTAIN

BUY SOFTWARE
BUY HARDWARE
BUY SUPPORT
BUY THREAT FEEDS
BUY A TIP
BUY AN INCIDENT RESPONSE PLATFORM
BUY AN SIEM ADD-ON FOR YOUR COMPLIANCE NEEDS
BUY PRO SERVICES (BECAUSE YOU NEED NEW PARSERS AND YOUR EXISTING PARSERS WILL BREAK)
BUY PRO SERVICES (BECAUSE THERE ARE ALWAYS ‘EDGE CASES’)
MAKE CLUSTERS & BACK-UPS
RECRUIT SYSADMINS
HIRE DATA SCIENTISTS
TRAIN PEOPLE (TO USE SOME OBSCURE QUERY LANGUAGE)
CONFIGURE LOGGING PROPERLY (NO, IT’S NOT A FIRE & FORGET TASK)
MONITOR THE HEALTH OF THE SYSTEM (ARE YOU SURE YOU ARE NOT MISSING LOGS?)
BUILD AND MAINTAIN USE CASES
CONFIGURE ALERTS (AND HOPE YOUR ANALYSTS WON’T DIE OUT OF FALSE POSITIVE FATIGUE)

HOUSTON, WE HAVE A SERIOUS LAYER 8 PROBLEM

TRENDING!

THE PERFECT RECIPE FOR DOOM

INFOBESITY
FRUSTRATION (& BURNOUTS)
TOO MANY THINGS TO LEARN
FEAR OF MISSING OUT
THE HUMAN BRAIN IS NOT A COMPUTER
TOO MANY THINGS TO DEFEND
CONTINUOUS DISTRACTIONS & INTERRUPTIONS
CONTINUOUSLY CHANGING TECH
TOO LITTLE TIME TO INVESTIGATE
CONTINUOUSLY CHANGING THREAT LANDSCAPE

HANG ON APOLLO! HELP IS ON ITS WAY!

NOPE, ARTIFICIAL INTELLIGENCE IS NOWHERE READY TO HELP US

BREAKING DEEP NEURAL NETWORKS (DNNs) IS VERY EASY

Further reading: Adversarial Reprogramming of Neural Networks, Cornell University

ALGORITHMS ARE CREATED BY ‘FLAWED’ HUMANS & TRAINED ON DATA OF VARYING QUALITY WHILE RUNNING ON VULNERABLE PROCESSORS

Source: Nature

BREAKING THE FAILURE CYCLE

THERE IS NO SILVER BULLET

(SECURITY) BUGS ARE A DIRECT BYPRODUCT OF MODERN SOFTWARE DEVELOPMENT:
GROWING COMPLEXITY
TIME TO MARKET
NO LIABILITY (USE AS-IS BUT DON’T FORGET TO PAY)
LIMITED OR NON-EXISTENT REGULATION
FLAWED VC MODEL
BAD CODING PRACTICES
MARKETING IS KING
LACK OF TRANSPARENCY

AND THINGS ARE GETTING WORSE

The over-complexification of provisioning and deployment pipelines is a dangerous trend. I don't trust the layers upon layers of scripts and tools to not break randomly, and I worry the maintenance cost is getting out of hands. Yes, I'm looking at you, k8s.

Source: Julien Vehent, Firefox Operations Security at @Mozilla, Author of Security DevOps http://securing-devops.com; coder & speaker.

WE KNOW THE SOLUTIONS AND THEY REQUIRE COURAGE & HARD WORK

ASK FOR MORE TRANSPARENCY FROM VENDORS & SUPPLIERS
DEMAND EASY-TO-USE SOLUTIONS
PUSHBACK!
LOBBY FOR SOUND REGULATION & LIABILITY
DEMAND INTEROPERABILITY
LEVERAGE THE POWER OF THE CROWD
EMPOWER & HELP LAW ENFORCEMENT (THOSE CRIMINALS MUST BE ARRESTED)
USE & CONTRIBUTE TO FREE, OPEN SOURCE SOLUTIONS (WHEN APPLICABLE)
PARTICIPATE IN VARIOUS COMMUNITIES & FOSTER TRUE SHARING
INVEST IN PEOPLE & SKILLS
HELP EACH OTHER OUT (SHOW ME HOW TO DO THIS & I’LL SHOW YOU HOW TO DO THAT)
IDENTIFY THE CROWN JEWELS IN YOUR NETWORK (YOU CAN LOSE A LEG BUT NOT A HEART)
IMPLEMENT PROPER CYBER HYGIENE (IT REALLY HELPS A LOT!)
LEARN TO USE WHAT YOU ALREADY HAVE (AND STOP USING WHAT YOU DON’T NEED)
THINK CONSTITUENT

CREATE VALUE