Infosec: Too Many Questions

Wednesday, June 20, 2012

Wendy Nather


As an analyst, I have too many things I'd love to research and can't.  I'm in a target-rich environment (then again, so was Custer). 

It doesn't stop me from coming up with questions, though, and hoping someone else will want to answer them.

Take the discussion I just had on Twitter with @jeremiahg, @chriseng, @attritionorg, @dakami, @rybolov and others.  I objected to the claim that everyone in the Fortune 500 is hacked, in the absence of two things:

  1. A clear definition of "hacked," and
  2. Some data supporting the assertion that everyone in the F500 fits that definition.

So we got to talking about what data would constitute proof, and I suggested that having one host in your IP range detected as being a member of a botnet could qualify as "hacked." 

This could theoretically be straightforward to determine, if you had access to enough threat intelligence feeds and/or had enough sensors to compile a list yourself.  Now, there are some open source feeds, but for the most part companies that create their own feeds want to monetize them.

(One laudable exception is Microsoft, which has been testing a feed that it would offer free of charge to law enforcement, CERTs, foreign governments and private corporations.) 

If you have one machine on a botnet at some point in time, that could designate you as hacked, at least until you scrubbed it. 

But is it the tip of the iceberg?  Does having a bot automatically mean that more nefarious things are going on besides just selling V1agr4 or perhaps DDoSing the Anonymous target of the week?  This is the risk calculation that we need more data to perform, and it's one that the C-suite would really appreciate.

So I'd love for someone to comb through their incident response data and present statistics on what, if anything, followed after an initial malware infection. 

If you could say that (for example) 70% of the time, it was simply used to grab CPU without necessarily trying to grab passwords or data, and 20% of the time it led to password compromise for financial theft, and 10% of the time it led directly to IP theft, those would let us infer probability.  It would depict in a more concrete way just why being part of a botnet is a symptom of something more dangerous.

By association, any company that found itself with membership in a botnet could reasonably suspect that it was even more compromised than that.  It might take the time to look further.  (There are plenty of enterprises that just wipe the affected machine, re-image it, and go back to work.)

The other question is whether membership in a botnet should be considered public data.  If anyone on the Internet can discover it, you could argue that it's the kind of compromise that anyone can report.  The fact of an enterprise's system interacting with another host on the Internet isn't confidential; it (like a public posting) is just assumed to go unnoticed. 

Would a company have grounds to complain if its membership in a botnet were revealed, based entirely on publicly available information outside of its private network?  I am not a lawyer, but sometimes I want to ask lawyerly questions like this.

Following this chain of thought, anyone could set up sensors, collect data on botnet membership, and publish it widely.  Someone could collect statistics on just how many of a company's systems were in a botnet at any given time. 

In the absence of any other data, could this be used as a poor man's Compromise Index?  It would be like someone noting how many broken windows you could see in a building: one indication of a breach, but without any way to know what, if anything, happened or was taken after the windows were broken.
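As an added illustration (not the author's code, and not the format of any real feed), the following Python matches a constructed botnet-sighting feed against hypothetical organizations' netblocks and computes the crude per-organization index described above; it serves both the "match your IP range against a feed" idea and the "poor man's Compromise Index." The feed lines, organization names and netblocks are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sightings, one per line: <ISO timestamp>,<source IP>,<botnet family>.
FEED = """\
2012-06-18T03:12:00Z,192.0.2.17,zeus
2012-06-18T03:40:00Z,192.0.2.17,zeus
2012-06-19T11:05:00Z,192.0.2.200,conficker
2012-06-19T11:07:00Z,198.51.100.9,zeus
2012-06-19T23:59:00Z,203.0.113.77,spambot
2012-06-19T23:59:00Z,203.0.113.130,spambot
garbage line that must be skipped
"""

# Hypothetical organizations and their announced netblocks (RFC 5737 documentation ranges).
ORG_NETBLOCKS = {
    "Example Corp": ["192.0.2.0/24", "203.0.113.0/25"],
    "Sample Inc": ["198.51.100.0/24"],
}


def parse_feed(text):
    """Yield (timestamp, ip, family) for well-formed lines; malformed lines are dropped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[1]), parts[2]
        except ValueError:  # not a valid IP address
            continue


def compromise_index(feed_text, org_netblocks):
    """Per organization: distinct infected addresses, families seen, and the fraction
    of the organization's address space that appeared in the feed."""
    nets = {org: [ipaddress.ip_network(b) for b in blocks] for org, blocks in org_netblocks.items()}
    seen, families = defaultdict(set), defaultdict(set)
    for _ts, ip, family in parse_feed(feed_text):
        for org, blocks in nets.items():  # which organization announces this address?
            if any(ip in net for net in blocks):
                seen[org].add(ip)
                families[org].add(family)
    report = {}
    for org, blocks in nets.items():
        total = sum(net.num_addresses for net in blocks)
        report[org] = {"infected_hosts": len(seen[org]),
                       "families": sorted(families[org]),
                       "index": len(seen[org]) / total}
    return report
```

Counting distinct source addresses undercounts hosts behind NAT and overcounts when addresses churn, and, as the post says, the index records broken windows, not what happened after they were broken.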

And armed with that data, someone could actually make a substantiated claim that the whole Fortune 500 is hacked, without hearing the clackety-clack sound of thousands of eyes rolling.

After that comes the question, "So what?"  Would this kind of naming and shaming prompt any additional diligence on the part of these organizations?  Would it make regulators sit up and take notice? 

Call me a skeptic, but I suspect that botnet membership is so widespread that people would assume it happens to everybody -- just like ant invasions -- and it wouldn't be condemned except within the security echo chamber.  I could be wrong. 

Either way, I'd love to find out.

[DISCLAIMER: I am not encouraging anyone to compromise any systems themselves without the permission of the affected organizations.  I am not suggesting that anyone collect data that can only be gathered directly from those systems.  I am certainly not recommending that anyone leak confidential data, even if it's with the best of intentions.  Do not try this at home.  Ask your parents before calling.  And so on.]

Cross-posted from Idoneous Security

Jayson Wylie:

I am more of a security researcher so a lot of my time is spent trying to figure things out. I do not know which environment you are in so I can't make helpful suggestions vs generalizations I've noticed.

I hope as a security industry we have moved on from considering malware infections as much of an incident. The global trend is moving away from Viruses and Worms and onto custom kit Trojan Variants.

Instead of notoriety or destruction as in most Worm or viral infections, these Trojans will help steal things like bank account information. To me, that would be considered a hack if someone got the corporation's bank accounts.

I realize the White House is on a crusade to kill botnets and I'm surely not an expert on the benefits of running a botnet but this is a minor concern of mine as a major detection control in my environment.

I am more worried about a business user click-jacking a Remote Access Tool (RAT) into the network and pulling PII from us. I seem to feel botnets are used more for distributed computing like spam or DDoS.

People can banter about the definition of Hacked and the necessary controls to make the C's group sleep better at night.

My definition is the extraction of private information, the denial of availability of networks or systems, the destruction of data or systems or code insertion to be used to get 6 layers deep into the network.

Malware doesn't cross my mind because the dangerous stuff won't have a signature. The zombie-bots I monitor, which may be rogue victims without C&C and surely not P2P, are more of an annoyance to keep record of than a problem for a DLP solution.

There's too much diluting of the word hack, but remember the vast majority of compromise comes from SQLi on public facing nodes. The only cure for this is quality Appsec professionals getting granular with the QA and fuzzing.

From what I can tell there are a few major botnets in action and it's very heavy traffic and something like a thousand different ones contained in the USA.

Since hackers love to build and rent out their botnets, it's hard to tell the purpose for all of them. If you are in an organization that keeps a DB tied to a Public Web server with PII or IP information in then focusing on SQLi at every vector would prove as a better approach than malware chasing.

In the big scheme of things the US does not have as much botnet traffic as areas such as the EU and CN.

I may be wrong but the biggest attack vector by far is Web based through SQLi, PHP, MYSQL, Browser vulns and everything else in the middle. All I can say to that is keep patching and disclose compromise to the FBI or a similar institution.

If CN steals a private company's designs or IP that is only sold to the DoD, there should not be a justification as if, since the company only does business with the DoD and the DoD would not purchase the stolen IP's product from CN, then the disclosure is not important or needed.

True story, and the fact is if CN has a DoD design meant to be classified, well, so does CN, and now they can make a competing military application or, better, find holes, and it becomes a hack and more so an issue of National Security.