Hack The Planet

Because if you don't, who will?

Thursday, March 21, 2024

Lack of Visibility slows the Zero Trust Journey

Visibility is key to Zero Trust

In the ever-evolving landscape of cybersecurity, the concept of Zero Trust Architecture (ZTA) has emerged as an incredible buzzword, but also as a beacon of hope in the battle against sophisticated cyber threats. The fundamental premise of ZTA is to distrust everything, both inside and outside the organization’s perimeters, and to verify every user and device attempting to connect to the network before granting access. However, the journey towards implementing ZTA has significant challenges, and one of the most significant obstacles organizations face is the lack of visibility.

Visibility, in the context of cybersecurity, refers to the ability to monitor and understand all activities and traffic within an organization’s network, including user behaviors, device interactions, and data flows. It is the cornerstone of effective security operations, enabling analysts and engineers to detect anomalies, identify potential threats, and respond quickly to incidents. However, achieving comprehensive visibility has become increasingly difficult in today’s complex and bloated cybersecurity environments.

The proliferation of cloud services, the adoption of remote work, and the rise of IoT devices have expanded the attack surface and blurred the boundaries of traditional network perimeters. As a result, organizations struggle to gain real-time insights into their digital assets and activities, making it challenging to enforce the principles of ZTA effectively.

Here are some key ways in which the lack of visibility impacts organizations’ moves to Zero Trust Architectures:

  1. Incomplete Asset Inventory: This has been an issue for as long as I have been in the IT and cybersecurity space. Without full visibility into all devices and assets connected to the network, organizations cannot accurately assess their security posture. Shadow IT, where employees use unauthorized applications and devices, further complicates the situation. As a result, implementing ZTA becomes akin to building a fortress without knowing all the entry points.
  2. User Behavior Analysis: Zero Trust relies heavily on continuous monitoring of user behaviors to detect and prevent unauthorized access. However, without visibility into user activities across different platforms and applications, organizations cannot effectively distinguish between legitimate users and potential threats. This lack of insight increases the risk of insider threats and credential-based attacks going undetected.
  3. Network Traffic Monitoring: Effective ZTA implementation requires granular visibility into network traffic to identify anomalies and potential security breaches. However, the distributed nature of modern IT infrastructures, with data flowing between on-premises systems, cloud environments, and remote endpoints, makes it challenging to monitor and analyze network traffic comprehensively.
  4. Data Protection: Zero Trust aims to protect sensitive data by enforcing strict access controls and encryption mechanisms. However, without visibility into data flows and usage patterns, organizations cannot effectively identify and classify their critical data assets. This blind spot hampers their ability to apply appropriate security controls and encryption measures, leaving valuable data vulnerable to theft or manipulation.
  5. Incident Response: Timely detection and response are essential components of any ZTA strategy. However, without real-time visibility into security incidents and breaches, organizations struggle to contain and mitigate the impact of cyber attacks effectively. Delayed or inadequate incident response can result in prolonged downtime, financial losses, and reputational damage.
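
The asset-inventory gap in point 1 is concrete enough to check mechanically: compare what the network actually observes with what the inventory claims. The following is an added example, not code from this blog or from any product it names. It reconciles three constructed data sources, DHCP leases, an EDR agent roster and a CMDB export, whose line formats and the "workstations and servers must run EDR" policy are assumptions made for the illustration, and reports the three kinds of blind spot the post describes: devices on the wire that nobody inventoried (shadow IT), inventoried devices with no endpoint telemetry, and inventory records that never appear on the network.

```python
"""Reconcile what the network actually sees against the asset inventory.

This is an added example, not code from the Hack The Planet blog. The three
inputs (DHCP leases, EDR agent roster, CMDB export) are constructed sample
data, and their formats are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

# Constructed DHCP lease lines, one per device: "<mac> <ip> <hostname>".
DHCP_LEASES = """\
00:11:22:33:44:01 10.0.1.10 laptop-alice
00:11:22:33:44:02 10.0.1.11 laptop-bob
00:11:22:33:44:03 10.0.1.12 printer-3f
DE:AD:BE:EF:00:01 10.0.1.50 raspberrypi
00:11:22:33:44:04 10.0.1.13 srv-build01
"""

# Constructed EDR roster: MACs of hosts with a reporting endpoint agent.
EDR_AGENTS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Constructed CMDB export: mac -> (owner, asset class).
CMDB = {
    "00:11:22:33:44:01": ("alice", "workstation"),
    "00:11:22:33:44:02": ("bob", "workstation"),
    "00:11:22:33:44:03": ("facilities", "printer"),
    "00:11:22:33:44:04": ("devops", "server"),
    "00:11:22:33:44:05": ("hr", "workstation"),  # inventoried, never on the wire
}

# Asset classes that policy says must run an EDR agent (an assumption here).
EDR_REQUIRED = frozenset({"workstation", "server"})


@dataclass
class GapReport:
    unknown_on_network: list[str] = field(default_factory=list)       # shadow IT
    inventoried_without_edr: list[str] = field(default_factory=list)  # no telemetry
    inventoried_never_seen: list[str] = field(default_factory=list)   # stale records


def parse_leases(text: str) -> dict[str, tuple[str, str]]:
    """Return {mac: (ip, hostname)} from lease lines; MACs normalised to lower case."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        mac, ip, host = parts
        seen[mac.lower()] = (ip, host)
    return seen


def reconcile(leases, edr_agents, cmdb, edr_required=EDR_REQUIRED) -> GapReport:
    """Compare observed devices with the inventory and with EDR coverage."""
    report = GapReport()
    edr = {m.lower() for m in edr_agents}
    inventory = {m.lower(): v for m, v in cmdb.items()}
    for mac, (ip, host) in leases.items():
        if mac not in inventory:
            report.unknown_on_network.append(f"{host} ({mac}, {ip})")
            continue
        _owner, kind = inventory[mac]
        if kind in edr_required and mac not in edr:
            report.inventoried_without_edr.append(f"{host} ({mac}, {kind})")
    for mac in inventory:
        if mac not in leases:
            report.inventoried_never_seen.append(mac)
    return report


if __name__ == "__main__":
    result = reconcile(parse_leases(DHCP_LEASES), EDR_AGENTS, CMDB)
    for label, items in vars(result).items():
        print(f"{label}: {items}")
```

On the constructed data the Raspberry Pi shows up as unknown, the build server as inventoried but unmonitored, and one HR workstation record as never observed; the same three lists are what a real reconciliation job would feed back into the CMDB owners and the EDR deployment queue.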

Some Ideas to Address the Visibility Gap:

To overcome the challenges posed by the lack of visibility and facilitate the successful implementation of Zero Trust Architectures, organizations must adopt a holistic approach to cybersecurity that integrates advanced technologies, robust processes, and skilled personnel. Here are some strategies to consider:

  1. Comprehensive Endpoint Protection: Deploy endpoint detection and response (EDR) solutions to gain visibility into endpoint activities and behaviors. Implementing advanced threat hunting capabilities can help proactively identify and mitigate potential threats before they escalate.
  2. Network Traffic Analysis: Invest in network monitoring tools that provide deep packet inspection and behavioral analytics capabilities. By analyzing network traffic patterns and anomalies, organizations can detect and respond to suspicious activities in real-time.
  3. User and Entity Behavior Analytics (UEBA): Leverage UEBA platforms to analyze user behaviors across multiple IT systems and applications. By establishing baselines of normal behavior and flagging deviations indicative of potential threats, organizations can enhance their ability to detect insider threats and account compromise.
  4. Data-centric Security: Implement data loss prevention (DLP) solutions to classify and protect sensitive data wherever it resides. Encrypt data both at rest and in transit to ensure confidentiality and integrity, regardless of the visibility into underlying network infrastructure.
  5. Continuous Improvement: Regularly assess and update security policies, controls, and technologies to adapt to evolving threats and business requirements. Foster a culture of cybersecurity awareness and collaboration across the organization to empower employees to play an active role in defending against cyber threats.

While Zero Trust Architecture offers a promising shift in cybersecurity, its effectiveness hinges on an organization’s ability to leverage visibility into its environments. By addressing the visibility gap through a combination of technology, process, and skilled personnel, organizations can strengthen their security posture and navigate the complexities of today’s threat landscape with confidence.

Remember, in the realm of cybersecurity, what you can’t see can hurt you. Embrace visibility to illuminate the shadows and move towards a more secure future.

posted by holliday at 1:00 pm  

Monday, August 2, 2021

Another year, not like any other Defcon

As I prepare for another year of BlackHat and Defcon, this being the 15th year or so that I have attended, it has a completely different feeling than previous years. Last year, when the COVID pandemic was still in full swing, the conferences went virtual and I was relieved that both conferences were taking it seriously. I wanted to be onsite with my friends and hacker family, but it was the right thing to do to remain virtual and wait for the next year when we could be together.

Now we are in another upswing of the COVID pandemic, after it has started to tail off, and both conferences are in a hybrid mode. I scheduled myself to be onsite, after being vaccinated and taking extreme precautions for the last 18 months. I keep telling myself, I am taking the precautions necessary to attend and be safe. I am vaccinated, wear a mask, and have plenty of hand sanitizer. I still have concerns, but my desire to see my hacker family is overriding my fear.

With the time I have had to prepare, I think that I will be safe, but understand the number of folks that are cancelling their trips. Everyone needs to do what they feel is right, and with the COVID numbers spiking around the country, it is hard to feel safe anywhere.

So, this year at Defcon will be like no other year, and hopefully like no future year. I will be in person, meeting up with the folks that are still going to be in person, and giving elbow bumps when appropriate and missing the folks that aren’t there with us in person, though I know they are there in spirit.

Hopefully next year we will be through the spikes of this pandemic and can all be together in person. Until then, Hack the Planet!

posted by holliday at 4:34 pm  

Monday, January 11, 2021

A new year, but what has changed…

As the clock struck 00:00 on January 1st, 2021, I felt a sense of hope. The year 2020 will be in our history books as one that tested the human spirit, and saw the best and worst of mankind. From a global pandemic, to some of the largest, and most high profile hacks, how could 2021 not be better? Well, I guess this is where the hold my beer meme should go.

Within a week we are not just talking about hacks, or politics, but full blown insurrection in the USA. When the armed mob of right wing domestic terrorists stormed the Capitol, it put an end to the idea that 2021 would be a gentler year than the previous one. There continues to be more and more information being released on this attack on democracy, so we will see what these next few weeks bring.

One of the threads on this attack that has received attention on the InfoSec Twittersphere is that there were many unlocked workstations in pictures taken by the insurrectionists, and a laptop was stolen that may have included sensitive information. While there were a lot of takes on this, Jack Daniel made the most important one, pointing out that the safety of the people was the priority. We can sit back behind our keyboards thinking, “If an angry mob was storming my building I would definitely lock my workstation”, but let’s not kid ourselves, we would be fleeing.

There are measures that can be taken to get the human out of the loop, and with our threat model severely modified after the Capitol attack, here are a few to think about. Faster inactivity locks, so that if you aren’t actively working on the computer it will lock itself in a shorter time frame. This isn’t perfect, but it is easy and low impact. There are also proximity devices that automatically lock a computer once the device is out of range. There are other options as well, and I am sure we are going to see them becoming more normal after Jan 6th.

When we look forward to the rest of the year, I think it is important to make sure we are trying to find ways to make security easier, to make it a default state.

Stay safe out there.

posted by holliday at 12:41 pm  

Thursday, May 14, 2020

A Brave, New World…

I have not kept up with my writing as much as I would have liked, and I thought maybe with a world changing pandemic I would finally find the time. Well a few months into social distancing and I am just now sitting down to write. #covidlife

It seems like a long time ago, but it was just March when I had my wings clipped and was no longer traveling. At the time admittedly I didn’t think it would be too long until I was back in the air and to business as usual. Now I see that we won’t be going back to “usual”. It is good though, because we can find a better way to move forward and not rely on doing things a certain way “because that is how it has always been done.”

There have been many blogs and write-ups on how to work in our new, fully remote environments. We weren’t great at defending our networks when they were within our walls. Just looking at all of the breaches we’ve suffered tells us that much. How were we going to handle going remote?

Well, luckily George at Splunk put together a nice list of things we can do today to help protect our workers and our organizations while we adjust to this brave, new world of work. From monitoring our endpoints, to monitoring who is moving data they shouldn’t, it is a good guide for those that are looking for something that they can start doing today.

Dark Reading also put out an article on patching in a pandemic. Many of the ideas, like making sure you have a solid asset inventory, and patch prioritization are things that I think we should have been doing before we were thrust into this remote world. Sadly, I think this has shown many that the IT Emperor had no clothes, and we are being forced to change our behavior and really start protecting our orgs because the light has been shined on us.

As we all work together on this journey, let’s remember that this is a trying time for everyone. So be kind, be safe, and Hack the Planet!

posted by holliday at 4:23 pm  

Friday, May 3, 2019

Lowest Cost, Technically Unacceptable

I have helped with many sales opportunities where there are Requests For Proposals (RFPs), or other types of questionnaires that are supposedly written to let the purchaser find out which products can meet the project’s or program’s requirements. If you have been through this yourself, you know these are rarely written by the people that will actually be operating the tools. It is a very similar experience to reading job requirements written by an HR team that doesn’t know what they are really hiring for, but they have a template and a passion for filling it out.

“Wanted, a Junior Software Developer. Must have a Master’s Degree in Computer Science, 10 years experience in the newest technologies, and be a champion Samba dancer.”

When you read a lot of these you start to recognize what is really being asked for, or at least which direction you need to go. At this point you buckle down, answer the questions to pass the first set of eyes that is only looking for any “no” responses, but you also add clarifying terms to make sure the folks that originally requested the information or proposal get the depth they need to make a decision.

At this point you may be thinking, that’s great. You answered their questions. But hold on. It isn’t about being able to actually do the thing that was originally requested. It is about being able to almost do it, and also be cheaper than any other solution out there, even solutions that don’t actually meet the requirements but that made it through the first set of eyes, so it must work because they said yes to everything. As in, “Yes, we would like to be able to solve this problem someday.”

The saying, “Lowest Cost, Technically Acceptable” (LC;TA) may be the cause of more failures and breaches than any other accepted practice in Information Security. This lines up with compliance being the bar to hit, and not the bare minimum. When you build out an environment to check a box, but not to perform the actual task required, you will inevitably fail. If you build a fighter jet with the LC;TA mentality, you will have them falling out of the sky, unable to complete their mission. The same holds true for Information Security.

Let’s stop building things to fail by default. Let’s stop accepting that “Technically Acceptable” is…well, acceptable. Let’s push back on the powers that be, and let them know if they want to truly secure their environments against adversaries that are motivated, highly skilled and have time on their side, we need the right tools, the right people and freedom to build them. If they don’t, we may need to start walking away from the keyboard and find organizations that will.

/rant

posted by holliday at 7:39 am  

Sunday, February 17, 2019

Everyone else knows more…

I have a theory. I believe it is shared by many others, and I have probably written on it before, but just in case, here it is. The more someone says they know, the less they do, and the opposite. This is my Imposter Syndrome thesis. There are many blogs on this phenomenon, and we discuss it regularly as a community. That is not what this post is about though.

There are also many people trying to help new people get into the information security industry despite this feeling. While we work to recruit more people, one of the things I try to make sure they understand is that this is not a static field. You cannot learn something once and feel confident that it will not change as soon as tomorrow.

So how do you keep up with all of the changes and advances in Information Security and our adversaries’ tactics and techniques? There are many approaches to this, but here is mine.

I find that I have to use multiple technologies and communities to keep myself abreast of what is going on, and where I need to spend more time and focus. I use RSS, Twitter, online groups and in-person meetups, with each providing different things to my overall understanding of what is going on.

For those unfamiliar with RSS, it is basically a way to compile updates from websites you are interested in. There are different RSS readers or applications you can use to bring your feeds together, and after the death of Google Reader I don’t know that any one is better than another. I have everything from corporate sites/blogs, personal InfoSec blogs, to news sites, so I don’t have to go to each one to see if there is anything new for me to see. There are a ton of sites out there, so having one dashboard to view them all in saves me a lot of time.

I also use Twitter pretty heavily to find updates that aren’t on my RSS, and also for things that are more current. It is kind of like email (RSS) versus text message (Twitter). Find people that are part of the community and start following. You will find more and more people and companies to follow that can help you keep up with the latest in vulnerabilities, data breaches and adversary techniques.

I also am a big believer in IRL (In Real Life) meetups, and community sharing. As you build up your relationships and friendships you may find that you join Slack or Keybase groups that share your interests. These can be incredibly helpful in helping you learn and stay current in Information Security, or whatever field you are interested in.

If you have a Defcon group, or other InfoSec group near you, attend the meetups. I have not been to an InfoSec meetup yet that was full of great people who were willing to help out people they had just met. Attending conferences helps with this as well. The BSides conferences are run across the planet and we are at a point where it is harder to find conferences not to go to, because there are so many available.

To wrap this up, there are so many ways to keep yourself up to date and learning everyday that you don’t have to pick just one. Find what works for you and don’t forget to engage with the community. There is no shortage of people willing to mentor and help others grow and learn.

posted by holliday at 7:25 pm  

Monday, February 4, 2019

Where have all the good guys gone…

It wasn’t very long ago that I was reading a report from Cylance researchers that there was a new nation-state APT group that they had dubbed White Company. The researchers commented on how the group was located in the Middle East, but had tendencies, or tactics, that led the researchers to believe they were ex-US Intel. It is concerning to think that the Tactics, Techniques and Procedures (TTPs) that have been created inside the US Intel community were being used for a foreign power.

The White Company was caught using an unwitting Belgian locksmith’s website (and I am assuming other sites) to go after the Pakistani Air Force. Some of the TTPs the group uses are adding anti-debugging code to their shellcode, using publicly available malware, and preprogrammed dates for discovery by antivirus software to distract analysts. All of these together show a level of sophistication not common outside of specific nation-state actors.

It was a few weeks later that Reuters published reports on Project Raven, a group of ex-US Intel operatives that worked with the UAE to engage in surveillance of militants, human rights activists, and other governments. This revelation should have been more shocking, but with the previous report from Cylance it just solidified the evidence that ex-US cyber warriors were going to work for the highest bidders. This is very sad news as Bob Anderson, exec assistant director of the FBI, is quoted in the Reuters report as saying, “There’s a moral obligation if you’re a former intelligence officer from becoming effectively a mercenary for a foreign government.”

One of the tools that Project Raven used, detailed in another Reuters investigation and named Karma, helped the operatives hack into iPhones of diplomats and foreign leaders for the benefit of the UAE. This tool is special in that it did not require the targets to click on phishing links to gain access.

With the knowledge that US Intel operatives and analysts have it is no wonder that those outside the US would target them for recruitment. What is surprising is how many allow themselves to be recruited. As Tawakkol Karman said in the report, these people should “not be a tool in the hands of tyrannies to spy on activists and to enable them to oppress their peoples.”

We all need to take a look at ourselves and ask if the work we are doing is helping others, and at the very least not hurting them.

posted by holliday at 11:16 am  

Thursday, January 24, 2019

Curiosity…

As I was interviewing a candidate for an Information Security job, and helping a friend prepare for an interview at another company, I kept thinking of what attributes make the best, and worst, security professionals. There are probably a lot of studies out there with different statistics to prove one key attribute over another, but I am just writing from my gut.

When I interview folks, I am usually looking for intangibles over current skillset. I caveat that by noting that I normally am interviewing people for more senior positions, so they have a background in Information Security or a related field. The intangibles I usually probe for are teamwork, a growth mindset and curiosity.

I think of curiosity as the desire to learn, an inquisitive mind, and a joy for discovery. Individuals who think they know everything, don’t want to learn and who aren’t passionate, are not going to last long in this ever changing field. I know that the best folks I have ever worked with had a natural curiosity around technology, and knowledge in general, and will go down the rabbit hole to find answers.

So, if you ask me what it takes to be successful in Information Security I may answer, “Are you curious enough to be a hacker?”

posted by holliday at 3:50 pm  

Thursday, November 22, 2018

Being Thankful

With all of the madness going on in the world, it is nice to have a day to sit back and practice gratitude for all of the good (and bad) things in my life. We often think of only being grateful for the good, but usually the bad is what really shapes us. Here are a few things I am thankful for today.

Being laid off twice in one year during the internet bubble burst of 2001 helped my career more than I could have known at the time. In 2000 I was sure I was going to be at a startup that was going to make me “rich”. I had shares, every company that went public went big, or at least seemed that way to me, so I was set. Then the bubble burst and reality set in. I was handed a severance package and was on my way to another startup.

With all of 14 of us in the entire company, and the economy still reeling, it wasn’t a surprise when I was let go again, and then later the company folded. This could have really driven the nail into my IT career. There I was, straight off of being let go for a second time, living on a friend’s couch because I had burned through my severance and not knowing if things would turn around.

I was lucky to get another opportunity at a larger company that had more stability and an incredibly gifted team from a friend and mentor from a previous company. The skills I learned at this new company, and the people I worked with helped propel my career forward in ways I couldn’t imagine at the time. If I had not been let go, I would not have been open to working for a larger organization, I would have not met some of my closest friends, and I would probably not be working in the career field I am. Sometimes a little hardship opens the door to much greater rewards.

Struggle also helps reset what you are willing to do and can be a great ego check. After being let go I was willing to do whatever job was required. Overnights? Check. Overtime? Please, Sir, can I have some more? Everything and anything I could do, I would do. If I hadn’t gone through the hard times, I would have missed out on a lot.

I am also grateful for the good times. Working for and with great people throughout my career makes me feel very lucky. Many of my best friends are people who started as coworkers, and some of those coworkers started off as High School classmates, which makes me even more thankful to have had wonderful people around me throughout my life.

As you move through your career, be it Information Security or something else, surround yourself with good people and you will always be able to work through any hardship or struggle.

I hope everyone has had a Happy Thanksgiving, and a safe holiday season.

posted by holliday at 9:27 pm  

Wednesday, June 27, 2018

What is in a name?

An ongoing conversation in the Information Security community, or hacker community, or Cyber Security community, is all about what we should call things, people, etc. You can see this in the first sentence. I have written about this before I am sure, but over the last few weeks I have seen an uptick in what this or that word means and what words we should use instead. As an example we have recent LinkedIn conversations about the use of the word “hacker”.

The word “hacker” is constantly being debated, as well as if they wear black hoodies (hint: just like everyone else, some do, some don’t). I am going to try, as many others have before me, to add some context to the ongoing discussion.

An early reference to the word “hacker” comes from gnu.org, and says that a hacker is someone that enjoys playful cleverness. It doesn’t call out computers, networks or any technology. You can be a food hacker, or a film hacker, or anything else. I think this use of the word was behind the movie Hackers from 1995. The characters were playful, creative, and just wanted to have fun.

Another reference to hackers comes from “The Conscience of a Hacker”, or as it is commonly known “The Hacker Manifesto”. In it, Loyd Blankenship, aka The Mentor, explains what it means to him to be a hacker. He describes the freedom, curiosity, connections and unity of being a hacker, “after all, we’re all alike.” I find it still relevant today.

Bugcrowd put out a blog this week in which they try to define the word hacker. I think they do a good job of summing up a lot of the issues, and I appreciate their Burglar/Locksmith == Cybercriminal/Hacker analogy. We as an industry and community have tried to find alternatives to the word “hacker” for the media and others to use when describing cybercriminals. Sadly, hacker is sexier than cracker and will always get more clicks.

To add more to our naming crisis, we run into hurdles describing what we do as hackers. In a recent Paul’s Security Weekly there was a discussion about pentesting, red teaming and others and what they all actually mean. When engaging with customers I also find that not all of them understand the differences between penetration testing and red teaming. Because the industry is always evolving, we see new companies coming out claiming to do one thing when really it is something else, and because they can sell off of the misunderstanding, they do.

We see the same confusion over EDR, Threat Intelligence, Machine Learning and Artificial Intelligence. It is no wonder that people outside our industry have no idea what we do, when those of us inside it can’t agree on what to call our solutions or even ourselves. I am not even going to get into the issue with our job titles, because the “Am I an Engineer? Am I an Architect? Senior? Principal? Staff?” debate, which leaves our customers and peers with no idea of what we do, drives me crazy.

In the end, what is in a name? A lot! Use your words carefully, because they can mean many different things to many different people.

Updated: Motherboard has also commented on the word “hacker” and wants to change the definition of it. From their glossary:

“Hackers can now be used to refer to both the good guys, also known as white hat hackers, who play and tinker with systems with no malicious intent (and actually often with the intent of finding flaws so they can be fixed), and cybercriminals, or “black hat” hackers, or “crackers.””

I have a feeling this won’t be the last article we read about the definition of hacker.

posted by holliday at 4:00 pm  