<Added July 26/16 – The hackathon challenge is complete, and none of the participating Red Teams were successful.>
The Trustifier GOV2COM Hackathon 2016, the “Irongoats Initiative” (otherwise known as “Exe..cuse me, your dirty bits are way too close to my MMU”), is getting going this week.
The challenge is set up as a 2-month (real-time) role-playing scenario in which a simulated business environment will be protected by Trustifier trusted computing and other defensive technology. Over a dozen highly skilled Red Teams from defence contracting companies and DOD will concurrently be trying to breach the target. By role-playing, I mean the participants are going to have social media profiles and are going to behave like typical staffers. Some of the employees at Irongoat Inc. will behave like the Carl Clickers of the world, and are going to click on bad links, open attachments, and so on. Then some advanced protections will have to kick in, right?
Underlying all of these kinds of cyber security challenges is an uncomfortable but accepted position: that attackers always have the upper hand and, given enough time and resources, will usually succeed. A post written by Dr. Anton Chuvakin of Gartner a few years ago on “Defender’s Advantage” asked how defenders could gain advantage over adversaries. This question still deserves consideration, especially in light of the mega-breach disasters that have continued since he first posed it.
That post started with:
“The attacker can exploit just one vulnerability to get in, while the defender needs to protect all ways in.”
It’s actually not always quite that simple, but it can be, and the general meaning is understood.
In warfare generally, the ability for defenders to “dig in” and fortify defences has always been an advantage.
“The entire 5000+ year history of warfare, teaches us about the unambiguous defender’s advantage.”
Anton questioned whether this advantage also holds true for infosec. He thought it did, but that it’s usually squandered. I would strongly disagree. What passes for prevention and defence is extremely weak. We have to consider the practical realities of limited time and resources that defenders typically face, not an ideal of what might be possible if they did everything perfectly.
Generally, there is just too much broken, and too much attack surface. Every new platform, service, system/appliance, app, or fix generally increases it. Gary McGraw informs us (here) that even every new security appliance adds to the attack surface and makes things worse. Detection technologies have suffered inherent design flaws due to langsec violations of the first principles of computing science.
Marty Roesch’s BDA (Before, During, After)
This is summed up by a proposed integration evolution of the status quo model, Marty Roesch’s BDA (Before, During, After) to “Keep BAD Things from Happening”, as discussed in the Security Current interview with Richard Stiennon. Marty Roesch is known for Snort and Sourcefire.
“Before a breach you ‘build a castle and thicker walls’ by deploying firewalls, IPS, encryption, vulnerability management and access controls. During a breach you use IDS, content filtering, and network monitoring, and after a breach you use forensics, IDS, SIEM, and other tools to contain and clean up.”
Get the picture? On top of attack surface and poor detection, mix in complexity and the problems of integration and interoperability. Then sprinkle the problems of transitive trust, insecure APIs, lack of context awareness and network visibility, and poor credential and privilege management for all users on top.
So to Anton’s question, “… why are defensible networks so rare?” I can only say…
… you’re kidding right?
It’s pretty well established that Red Teams and penetration testers rarely fail to meet their objectives. So what would the expectations be regarding Trustifier taking on 15 or so Red Teams in this challenge? Most people would probably bet against us, and if those folks were unfamiliar with KSE, and trusted computing in general, that’s mostly understandable. The odds wouldn’t look to be in our favour.
Interestingly, Trustifier KSE did hand one highly skilled Red Team their first failure to breach in over 8,000 challenges. What was interesting about that event was that exploitable vulns were left purposely unpatched, there were no conditions on the tools allowed, and when they couldn’t breach, they were first signed in as a regular user and finally given admin passwords. They still failed to reach their objective. You can read our commentary on the event here. I’ll also be posting some interesting behind-the-scenes details about that event.
There is no doubt, though, that defender advantage enabling resilient and reliable critical infrastructure and business networks is needed more than ever, for both economic stability and national security. However, there is just too much broken in networks to flip the advantage using conventional solutions. More of the same old approaches that are failing now won’t suddenly start doing the trick.
The mathematically verified KSE implementation of trusted computing tilts the playing field, morphs the game board, and delivers defender advantage. This is what it was designed for.