Wednesday, January 23, 2019

What is a SOC?

In a recent conversation I said that I have SOC experience, and then I had to explain what a SOC is. So what is a SOC and what do they do?

In many large companies a SOC ("Security Operations Center") is a team of people that act like firefighters for security threats. Their job is to detect and respond to incidents (aka "Incident Response"), and ideally to contain or mitigate the threat as quickly as possible. Detection can come from a SIEM (Security Information and Event Management) platform, an IDS (Intrusion Detection System), or simply word of mouth. It is important that the SOC is easy to contact, so that anyone who notices something strange can report it for a closer look.

It is a common misunderstanding that a SOC is able to prevent a company from being hacked. In reality no one is hack proof, and any attacker with enough time, energy, motivation, and money can succeed. The job of a SOC and the Information Security team is to reduce the company's risk level and to "raise the bar" for attackers so that a compromise is less likely.

How do they raise the bar for attackers? They build defenses in layers so that if any one of them fails, another is there to back it up. For example, phishing is a common method of attack that hackers use every day. Because of this, user awareness training is vital to the security of any organization. In the event that a phishing email succeeds in compromising a computer, ideally that computer sits on a segmented network so that the hacker cannot use it as a launching point to jump to other computers.

When a SOC analyst isn't reacting to incidents, they can be proactive: verifying that systems are being patched regularly, running internal and external vulnerability scans to identify and resolve issues before attackers find them, building and revising a threat model for the company's most sensitive assets, and constantly improving the detection tools they rely on.

Another key piece is Threat Intelligence (aka "intel"). Intel is reporting on the Tactics, Techniques and Procedures ("TTPs") used by attackers known to target your industry, or even your company specifically. If you don't know what kind of attackers are targeting you, and how they operate, you can't effectively mitigate that threat.

Me (right) working in a SOC
What does a SOC look like? The image here features me and my colleagues working in a SOC. The screens on the wall feature many different dashboards that provide useful metrics on everything we deemed important. For example, we had a dashboard that showed us which user accounts had the most failed login attempts. This allowed us to see what might be a brute force attack, but was often just someone's script using an old password. Another dashboard would show us recent alerts from our IDS and AV systems, so we could easily identify and follow up on potential issues.


Tuesday, November 20, 2018

The qualities of a good team

We're all part of a team in some capacity, and we all depend on each other for success. In my professional experience the better the team, the more successful the outcome of that team, and the happier the individuals on that team are. A good team can be hard to come by, and in my opinion should consist of these qualities:
  • Teammates should feel like friends that hang out during work hours; friendly banter is common and sometimes they even become friends outside of work.
  • They support each other in their goals. Example: You want to be better at "X"? Cool I can help with that, have you read these resources or tried these things?
  • Knowledge is shared freely and without judgement. This way everyone can benefit from each other's strengths and weaknesses, and the "fear of asking a stupid question" isn't an issue.
  • Honest feedback is shared between everyone (openly or in private depending on the content). This is essential to improving yourself and each other. Being the recipient of feedback shouldn't make you defensive, take it as an opportunity to improve and thank them for the feedback.
  • Have each other's backs. If you hear someone complaining about a colleague, maybe you could suggest they share that feedback with them directly? How can they improve if they aren't aware of any issues?
  • Trust should be default. This means assuming the best until confirmed otherwise.
  • They openly collaborate and don't just work in silos.
  • Conflicts are resolved in a professional manner.
  • From the perspective of outsiders, the team should "speak with one voice". None of this "but I talked to Joe and he said something else".
For me many of these qualities define a good or bad team, manager, or colleague. As you read this, do you think you are part of a good team?

Tuesday, May 29, 2018

Hackers: Who are they?

Hollywood Hacking
(image credit: inkmedia.eu)
In a recent conversation with my mom she was concerned that I had recently gone to a hacker meetup. She thought all hackers were criminals, and I don't blame her for thinking that after reading about them in the news and seeing them in movies. It's usually a guy in a hoodie, typing fast, with complicated text scrolling by (check out hackertyper!). He has an aura of mystery and probably some malicious intent. I went on to explain the white hat / black hat concept. For those of you that aren't aware, in old cowboy movies the bad guy often wore a black hat, and the good guy wore a white hat. These are terms that we've adopted to distinguish between the good and bad hackers of today's world.

The tools and techniques used by white hats and black hats are the same, the big difference is in the intent. I wanted to review a couple different types of hackers and the things that motivate them:

Penetration Tester - A white hat hacker with good intentions that works to identify flaws and get them fixed. Sometimes they are part of an in-house security team, or a third party hired to test software or networks. Pen tests are essential to any modern security program, because I guarantee that black hats are looking for vulnerabilities to exploit, so you should hope a white hat finds them first. Their actions are limited by the scope of a test, and the time the testing is scheduled for.

Bug Bounty Researcher - A white hat hacker, usually with good intentions, that also works to identify flaws and report them to companies in exchange for money, swag, or "kudos" (street cred). These are often individuals with a pen testing background that do it on the side for extra income, or if they are really good they can do it full time. Some consider it fun and like to practice their hacking skills on real systems where permission is given via a bug bounty program's scope and rules (Example: Google's bug bounty rules). Some of them are not seen in the best light, see "Grey Hat" below.

Red Team - A term used to describe a team of white hat hackers, usually well intentioned, with the goal of simulating a real attack. They use Tactics, Techniques, and Procedures (TTPs) similar to those used by real world attackers. Some of these techniques could include making phone calls to social engineer someone into giving up useful information, wearing a janitor's clothes to sneak into a building and plant an infected USB drive, or launching an attack on a holiday when the defenders aren't around.

Blue Team - A term used to describe the defensive white hat hackers working as Incident Responders in a Security Operations Center (SOC). These are the white knights of the security world, doing everything they can to secure the environment they protect, although they are at a significant disadvantage: they have to secure potentially thousands of computers at all times, while an attacker only has to find one entry point. They will often use a Security Information and Event Management (SIEM) platform to help them monitor the health of their network, computers, and overall infrastructure. This could mean monitoring for failed login attempts that may indicate a brute force attempt, looking for port scans that might indicate the first stages of an attack, or just reviewing recent malware alerts for uncontained threats. Additionally they will work with the people in the company to educate them on threats like phishing emails and unfamiliar USB drives, notify them of current events, and recommend defensive actions they can take to protect themselves.
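The two dashboard signals mentioned in the "What is a SOC?" post above (failed logins per account, with the brute-force-versus-stale-script distinction) and in the Blue Team entry here (failed logins and port scans) are simple enough to show in code. The following is an added example, not code from the original posts: the sshd-style and firewall-style log formats, the thresholds, and the sample lines are all constructed here for illustration. The one idea worth taking away is that the same count of failures reads very differently depending on how many distinct source addresses produced it.

```python
"""Triage two SOC dashboard signals over constructed sample logs:
failed logins per account (distributed brute force vs. one host holding an
old password) and port scans. Added example; log formats, thresholds and
sample data are assumptions, not any real SOC's tooling."""
import re
from collections import defaultdict

AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dport>\d+)")

# Constructed sshd-style lines: one account hammered from a single host
# (typical of a cron job holding an old password), one account tried from
# five different hosts (distributed guessing), and one normal success.
AUTH_LOG = "\n".join(
    [f"Jan 23 09:00:0{i} gw sshd[10{i}]: Failed password for svc_backup from 10.0.5.12 port 4011{i}"
     for i in range(1, 6)]
    + [f"Jan 23 09:00:1{i} gw sshd[11{i}]: Failed password for admin from 203.0.113.{i + 7} port 5100{i}"
       for i in range(5)]
    + ["Jan 23 09:00:20 gw sshd[120]: Accepted password for alice from 10.0.1.20 port 52000"]
)

# Constructed firewall lines: one external host touching 16 ports on one
# server, and one internal client repeatedly talking to a single service.
FW_LOG = "\n".join(
    [f"Jan 23 09:01:00 fw kernel: SRC=203.0.113.50 DST=10.0.2.10 DPT={p}" for p in range(20, 36)]
    + ["Jan 23 09:01:05 fw kernel: SRC=10.0.1.20 DST=10.0.2.10 DPT=443"] * 3
)


def triage_failed_logins(log_text, threshold=5, spread=3):
    """Count failed logins per account and classify each account that
    crosses the threshold by how many distinct sources were involved."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group("result") == "Failed":
            failures[m.group("user")].append(m.group("src"))
    report = {}
    for user, sources in failures.items():
        count, distinct = len(sources), len(set(sources))
        if count < threshold:
            verdict = "below threshold"
        elif distinct >= spread:
            verdict = "possible brute force"            # same account, many sources
        elif distinct == 1:
            verdict = "likely stale credential or script"  # one noisy host
        else:
            verdict = "needs review"
        report[user] = {"count": count, "sources": distinct, "verdict": verdict}
    return report


def detect_port_scans(log_text, min_ports=10):
    """Return sources that touched at least min_ports distinct destination
    ports on any single host, mapped to {destination: port count}."""
    ports = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            ports[m.group("src")][m.group("dst")].add(int(m.group("dport")))
    scanners = {}
    for src, by_dst in ports.items():
        hits = {dst: len(p) for dst, p in by_dst.items() if len(p) >= min_ports}
        if hits:
            scanners[src] = hits
    return scanners


if __name__ == "__main__":
    for user, row in triage_failed_logins(AUTH_LOG).items():
        print(f"{user:12} failures={row['count']:3} sources={row['sources']:3} {row['verdict']}")
    for src, hits in detect_port_scans(FW_LOG).items():
        print(f"{src} scanned {hits}")
```

Running the block prints svc_backup as a likely stale credential (five failures, one source) and admin as a possible brute force (five failures, five sources), and flags 203.0.113.50 for touching 16 ports on one host. Tune the thresholds to your own baseline; the point of the dashboard is to make the source spread visible rather than just the raw failure count.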

Advanced Persistent Threat (APT) - APTs are teams of black hat hackers, often state sponsored, with goals like espionage for political or business gain. Historically they have been behind attacks such as the Stuxnet worm built to damage Iran's nuclear program and the 2014 hack on Sony Pictures. The 2013 Target breach, where malware was installed on point of sale devices to steal credit card information, is usually attributed to financially motivated criminals rather than a state-sponsored group, but it shows the same patience and persistence. I recently found a Google Doc with a nice summary of known APTs and their TTPs. They have names like "Fancy Bear", "Unit 121", and "Hurricane Panda". I would classify them as having malicious intent, but with a laser focused goal in mind.

North Korea's Hacker Farm - Bloomberg recently wrote a great article on North Korea's Hacker Farm where hackers are worked up to 15 hours a day and are required to make money for the government by any means necessary. This can mean hacking online gambling sites allowing them to cheat, compromising ad servers to deliver malware to distribute cryptocurrency miners, or distributing ransomware at hospitals and demanding a payout to return their data. These guys are black hats, but I can't help feeling sorry for their situation.

Grey Hat Hackers - Grey hat hackers live in the moral grey area. Some of the previously mentioned hackers can be considered grey hats. I've met bug bounty hunters that used aggressive tactics that border on blackmail to negotiate for a bigger payday for a bug they reported. While the intent was to fix an issue to secure the company, the tactics were a little dirty. On one occasion Mark Zuckerberg's Facebook page was hacked to prove a security flaw; this goes against the concept of responsible disclosure and was considered a "grey hat action".

As you can see, the world of hackers is a diverse group of individuals with various motives and techniques, and I find it endlessly fascinating! :)

Saturday, March 17, 2018

What happens when you type google.com into your browser and hit enter?

This is a question I heard often while interviewing engineer candidates, and it sounds so simple that most people would say something like: "It loads Google, duh!". However, to a good engineer, this question can take over an hour to answer. Computers are extremely complex; this is not a surprise to anyone. It's easy to take it for granted that it all works so seamlessly every time we sit down and load a website like Google. I wanted to challenge myself and try to answer the question from memory as best I can (mistakes and all!), and possibly re-visit the question in the future as I learn more.
  1. Hitting enter on the keyboard completes a circuit that sends a signal to initiate loading of the website into the browser.
  2. The operating system has to allocate memory for the incoming data to be stored locally and displayed by the browser (an application, itself running in RAM).
  3. All of the code is broken down into 1's and 0's for the processor to compute the data. There are a lot of registers, caches, and a specific instruction set, which is like a language used only by that type of processor.
  4. Computing uses power and generates heat, which is dissipated by heatsinks and fans in most modern desktops and laptops, or by passive cooling in mobile devices.
  5. Before any data can be sent, the computer's NIC (Network Interface Card) hands packets to the local switch and router/gateway. Each packet carries an IP header with the destination address and a source (return) address, a TCP header with the port numbers, and the payload carrying the data.
  6. Routers do not rewrite the destination address; each hop simply forwards the packet toward the destination IP, swapping only the link-layer (MAC) addresses for the next hop. The exception is NAT on your home or office gateway, which rewrites the private source address (for example 192.168.1.10) to its own public address and remembers the mapping, so that replies from Google can be routed back to the right computer. This is like a mail room stamping its own return address on outgoing letters and keeping a list of who actually sent each one.
  7. Inside the building the communication runs over copper CAT5/CAT6 cables containing eight wires arranged as four twisted pairs. At 10/100 Mbps one pair transmits (TX) and one receives (RX); gigabit Ethernet uses all four pairs in both directions at once. Each pair is twisted at a slightly different rate so the pairs don't interfere with each other. Long distance communication happens over fiber optic cables, where light travels at roughly two thirds of its speed in a vacuum. I once heard that a single fiber optic cable can handle enough bandwidth for the entire world to call one place. The limitation is the hardware on both sides, which is always improving.
  8. Computers don't know how to reach websites by name without DNS (Domain Name System) resolving the name to an IP address. The browser and operating system check their own caches first; if the name isn't there, a query goes to your configured recursive resolver (your ISP's, your company's, or a public one) asking "What is the IP address for google.com?". The resolver will likely have the answer cached and reply very quickly; otherwise it walks the hierarchy, asking a root server, then the .com TLD servers, then Google's authoritative name servers.
  9. Once it has the IP address, the browser uses the operating system's network stack to open a socket on an ephemeral source port (typically 32768-60999 on Linux, 49152-65535 on Windows) and initiates a TCP (Transmission Control Protocol) connection with Google's web server using the three-way handshake: SYN, SYN-ACK, ACK (Synchronize, Synchronize-Acknowledge, Acknowledge).
  10. The TCP protocol is designed so that received data is always verified, and any missing data is re-transmitted.
  11. If you typed just google.com, older browsers would first connect on port 80 (HTTP) and be redirected by the web server to port 443 (HTTPS). Modern browsers honor HSTS (HTTP Strict Transport Security), and google.com is on the built-in HSTS preload list, so they go straight to port 443 without ever sending an insecure request.
  12. The SSL/TLS handshake begins with a "Client Hello" that lists the protocol versions and cipher suites the client supports; the server picks the strongest one they have in common and replies with a "Server Hello" and its certificate. The client then verifies that certificate: the name must match google.com, it must not be expired or revoked, and its signature must chain up to a CA (Certificate Authority) root that the browser or operating system already trusts. The client doesn't call the CA to ask "Is this really Google?"; the CA's signature, checked against the locally stored root certificate, answers that question offline (revocation checks via OCSP or CRLs are the one part that may contact the CA).
  13. CAs are the issuers of SSL certificates. It is their job to verify that the people requesting a certificate really control the domain, usually by making them prove control of its DNS records or web server. With EV (Extended Validation) certificates, the CA takes it a step further and verifies the legal identity of the organization, including its registered name, address and phone number.
  14. Once a session key is negotiated using some amazing math (basically magic to me at this point; in practice an ephemeral Diffie-Hellman exchange, usually over an elliptic curve, built on the same number theory as RSA's large primes), encrypted data can be sent to and from the server, and only the client and server can decrypt it. Note that the server's public/private key pair authenticates the handshake rather than encrypting every request: the bulk data is protected with that shared symmetric session key and a cipher such as AES. A man in the middle cannot read the traffic unless one endpoint has already been compromised or the client has been made to trust a TLS-intercepting proxy's own CA certificate (which is how corporate TLS inspection works). Ideally the connection uses a cipher suite with FS (Forward Secrecy), meaning fresh ephemeral keys for every session, so that even if Google's long-term private key were stolen later, recorded traffic from earlier sessions could not be decrypted with it.
  15. The browser communicates with the web server via the HTTP protocol by sending a GET request. The server replies with data the browser can use to display the website.
  16. The HTML, CSS and JavaScript are rendered into the page we all see every day.
  17. Some additional data is exchanged for analytics, advertisements, and session cookies
  18. The information is displayed on a monitor that has hundreds of pixels per inch; at its most basic level a pixel is a combination of Red, Green, and Blue that is mixed differently to display different colors.
This is not a perfect picture of everything that happens under the hood. You would get a different answer from every engineer you asked, and their answers would highlight their areas of expertise. I think about this question all of the time, and strive to learn more every day. The most amazing thing about this process is that it happens in milliseconds, billions of times every day, with reliability that we've learned to depend on.

Friday, February 2, 2018

Webcam privacy - Should you hide behind tape?

I was recently researching webcam options for some video conferencing and was sad to see that a built-in privacy cover doesn't appear to exist in any new cameras. I used to have a Logitech C600 which had it built-in.

Logitech C600 with built-in privacy cover
It was a simple camera that had my favorite privacy feature. While searching Newegg and Amazon I found that about 3/4 of all webcams are made by Logitech, and while scrolling through pages and pages of new cameras, none had this feature. It's easy to assume this is some high level NSA conspiracy to allow for easier spying... but without evidence to support that it's just some tinfoil hat thinking.

I was recently at an AppSec conference and given a webcam privacy cover that I thought was really cool. Once I had it I started noticing everyone with something similar, or just a piece of tape covering their cameras. Mark Zuckerberg and James Comey even cover their cameras.

Admittedly Zuck and Comey likely have more serious targets on their back and thus their paranoia is probably justified. But my question is this: If a hacker already has enough access to your computer to spy on you, shouldn't your camera be the least of your concerns? I'd be more concerned about my passwords being keylogged, or a man-in-the-middle attack that exposes all of my traffic that's normally encrypted in transit.

Sliding privacy cover
Back to the tinfoil hat thinking, if you Google for webcam covers you'll find lots of companies offering cheap solutions to give people peace of mind. If I were a popular webcam manufacturer like Logitech, wouldn't I take notice that this is a feature that customers want, and build devices like the C600 with it built-in? They could use it as a marketing technique to sell to the privacy concerned masses. I recently Tweeted to Logitech and asked them to share my feedback with their product development team. I don't think I'll single handedly change their minds, but it does make you wonder why they're ignoring such an in-demand feature that they used to offer.

Thursday, September 28, 2017

How to: prevent breaches with proactive security

I haven't posted recently due to a move to Germany from Los Angeles; I'm still settling in but I really like it here already. During my move I read a lot about the Equifax breach, which exposed the personal information of over 100 million people to identity theft and whatever else bad guys think of doing with it. This breach had a lot of similarities to other breaches I'd read about over the years, such as Anthem, Target, OPM, and many more. Hackers find vulnerabilities in their systems and exploit them to exfiltrate sensitive information, and they only need to find one hole, whereas those responsible for plugging the holes have the never-ending challenge of finding and closing all of them before they are found and exploited.

Blue teaming is hard! (image credit: Geoff Pryor)
I can speak from personal experience from my time as an InfoSec professional working on the "blue team" (defensive hackers), trying to prevent the "red team" (offensive hackers) from accessing sensitive information. I wanted to share a high level overview of what basic things should be done to try to prevent a big breach.

First tip on that list is accepting that you cannot prevent all hacks. An attacker with enough time, motivation, and resources will eventually succeed. Attackers of that kind are known as APTs, or Advanced Persistent Threats. The advice on how to deal with APTs can fill many books and is beyond the scope of this blog post.

Second tip is to build a regular patching process, usually weekly. All software has vulnerabilities, and it is essential that all software your company uses is patched to the most recent version.

Third tip is to educate everyone in your company on basic threats like phishing emails, plugging in unfamiliar USB drives, and installing unapproved software (assuming they have install rights to begin with). Specialized education should be given to developers in your organization to make sure they are writing secure code and testing it before it goes into production.

Fourth tip is to scan all of your assets for vulnerabilities, weekly if possible, and send automated reports to the system owners responsible for addressing those vulnerabilities. Ideally you will have regular contact with these system owners and can review the reports together to validate they have a process in place for addressing the high severity vulnerabilities and understand the risk level they present to the organization. It is useful to keep track of trending vulnerability data to help monitor which teams are on top of their patching, and who needs to pick up the slack.

Fifth tip is to segment your network as much as possible to prevent lateral movement. If someone does click a phishing email and their system is compromised, your network should limit that compromised system's access to even more sensitive systems that might have databases like those leaked by hackers in some of the previously mentioned breaches.

Sixth tip is to consider adopting a bug bounty program, and/or hire third party penetration testers to test your defenses. Learn from the issues they find and adapt your environment to become more secure. Reward your bug bounty hackers well and word will spread that you value their efforts and before long you'll have a small army of whitehat hackers competing to find and report issues. It's better to pay a whitehat $10,000 for reporting an SQL injection vulnerability in a sensitive database, than to have a blackhat find and exploit it so you end up on another breach list. Related to this is to have a reliable contact method for reporting security issues, usually a security@ email address that goes to your InfoSec team.

Seventh tip is to have a reliable inventory of assets on your network, and a regularly updated contact list for those assets and for all business units. I can't tell you how many times I've found a vulnerability in an asset on the network, but couldn't easily identify who is responsible for that system.
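The fourth and seventh tips fit together in practice: the scan export is only useful once each finding is joined to an owner, and the join is exactly what exposes the assets nobody has claimed. The following is an added example of that workflow, not code from the original post; the CSV columns, the sample rows, the severity names and the example.com addresses are all assumptions, and real scanner exports will need their own column mapping.

```python
"""Join a vulnerability scan export to the asset inventory, group the
reportable findings per owner, and list hosts that have no owner at all.
Added example; the CSV layouts and rows below are constructed."""
import csv
import io
from collections import defaultdict

# Constructed scan export (columns are an assumption; real scanners differ).
SCAN_CSV = """\
host,plugin,severity,cve,first_seen
10.0.2.10,Apache Struts RCE,Critical,CVE-2017-5638,2017-09-01
10.0.2.10,Outdated OpenSSL,High,CVE-2016-2107,2017-08-15
10.0.3.5,SMBv1 enabled,High,,2017-09-10
10.0.3.5,Self-signed certificate,Low,,2017-06-01
10.0.9.99,Telnet open,High,,2017-09-12
"""

# Constructed asset inventory; 10.0.9.99 is deliberately missing from it.
ASSETS_CSV = """\
host,name,owner,owner_email
10.0.2.10,web-01,Web Platform,web-platform@example.com
10.0.3.5,fileshare-02,Corp IT,corp-it@example.com
"""

REPORTABLE = {"Critical", "High"}   # severities worth a weekly owner report


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_owner_reports(scan_rows, asset_rows, severities=REPORTABLE):
    """Group reportable findings by owner email; hosts absent from the
    inventory are collected under the 'UNOWNED' key instead of dropped."""
    inventory = {a["host"]: a for a in asset_rows}
    reports = defaultdict(list)
    for f in scan_rows:
        if f["severity"] not in severities:
            continue
        asset = inventory.get(f["host"])
        key = asset["owner_email"] if asset else "UNOWNED"
        reports[key].append({
            "host": f["host"],
            "name": asset["name"] if asset else "?",
            "finding": f["plugin"],
            "severity": f["severity"],
            "cve": f["cve"] or "-",
            "first_seen": f["first_seen"],
        })
    return dict(reports)


def unowned_hosts(reports):
    """The seventh tip's gap, made visible: scanned hosts with no owner."""
    return sorted({f["host"] for f in reports.get("UNOWNED", [])})


def render(reports):
    """Plain-text body per recipient, Critical first, oldest first within
    a severity so long-open findings stay at the top of the list."""
    bodies = {}
    for recipient, findings in reports.items():
        lines = [f"Open {'/'.join(sorted(REPORTABLE))} findings for {recipient}:"]
        ordered = sorted(findings, key=lambda x: (x["severity"] != "Critical", x["first_seen"]))
        for f in ordered:
            lines.append(f"  [{f['severity']}] {f['name']} ({f['host']}): "
                         f"{f['finding']} {f['cve']} open since {f['first_seen']}")
        bodies[recipient] = "\n".join(lines)
    return bodies


if __name__ == "__main__":
    reports = build_owner_reports(load_rows(SCAN_CSV), load_rows(ASSETS_CSV))
    for body in render(reports).values():
        print(body, end="\n\n")
    print("Hosts with no inventory owner:", unowned_hosts(reports))
```

Run weekly, the per-recipient bodies are what goes to each system owner, and the UNOWNED bucket is the list to chase with the business units. Keeping each week's output lets you trend how quickly each team closes its findings, which the fourth tip calls for.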

I'd consider this a short list of low hanging fruit, and not at all comprehensive. Security is hard, but usually you just have to make some effort to not be so easy to hack that any low skilled attacker can compromise you in minutes. I hope this list helps someone out there, and if you have questions feel free to reach out to me on Twitter.

Friday, July 7, 2017

OpSec And Why It Matters To You

OpSec, or Operational Security, is the practice of keeping information secure through awareness of one's daily actions. We've all practiced it at one time or another: imagine planning a surprise party and getting everyone involved to keep it a secret. Some (mostly funny) examples of OpSec failures:

What I really want you to take away from this is a little voice in your head that asks "How can this be used against me?" before posting a photo or walking away from your computer unlocked in a public area.