Under attack – security operations

While working for security, I’ve faced several challenging situations, working with management, researchers, foresics, police –  but only 3 where I will think of after retirement (so far ;-)).

I would like to express them here and share some lessons I learnt…

a) LoveLetter

The story is simple: I think I was one of the first finding the code. When I came to the office in the morning the mailserver hang and was full of spam email trying to send out (which was blocked on Checkpoint Firewalls by the way).

I analysed the email attachment (encrypted VB script which I decode by writing my own functions for analysing it) and I sent my findings to our partner – Kaspersky Labs. Half an hour later they respond to me that this was known and old and I don’t need to take care of. As I was young and had a high respect towards the „experts“, I called myself stupid…

2 hours later heise published an article about a guy somewhere else in Germany who found a critical worm called „LoveLetter“…

That could have been my starting point towards a brilliant career in security and could have build a great reputation… 😉 I missed it and guess what? I’m still doing security and I’m still good…

b) MSSQL-Worm

When this came up I had a day off at the company I worked for. I was at a drivers training with my own car… This was the time I did a hard call completely disconnecting an international company from the internet for several hours until we got the situation under control – by the way, we don’t get infected, we were quick enough.

To be correct, it was not my call alone, my manager agreed, but it was the first time I realized the responsibility towards a company infrastructure and the importance of balance and the right strategy.

The other learning to took out of this scenario was the fact that not all systems can be patched due to financial constrains. This was the time when I reduced to talk about security as burden, as something nobody want to take attention to. Instead I changed my message towards the term „Risk Management“ – as it’s always the question on how much risk you are willing to take.

c) Emotet

Risk, and how much you want to take, is the driver for successful emotet attacks. There are software solutions and (more important) process and training ideas to reduce the probability of a successful cyber attack, but they do cost work, time and money.

Seeing a screenshot showing an anti-virus software that it found a virus, is nothing important. But if it comes from a client computer and the executing user was a domain admin – well – than you realize, you have a problem…
Emotet – with the consequence of taking a company down for weeks and with all the fear and wild running people – this is what your personal stress-test is about.

An experience you don’t want to go for again. Because – independent how good you have acted, how secure you operated, how creative your team was to find secure operational ways – there will be always someone from external claiming to be better – and, of course, faster.

And believe me: the big consultant companies (KPMG, PWC, BearingPoint, Deloitte etc) they know how to sell their view to your C-level – even when they never had talked to you. The challenge is to bring the attention to the dynamic of these attacks, the affected underlying infrastructure and the time you need to keep your company secure. The physical limits of the infrastructure cannot be expanded in the short term by more manpower.

The simple fact about Emotet? We defend it, no encryption happened, only some passwords stolen, etc… Yes, they came in, but we were fast and hard enough to do the right calls! And we had a setup which was robust enough. We kicked them out! This time.

The end

In summary, modern security operation has not yet achieved the level it can be. There are still skilled security experts required, to do the correct judgement and get the right conclusions. I’ve meet serveral companies – splunk for instance – claiming that they do have KI technology in place. They might be right, but this KI is not what I expected.

Behaviour based detection and analytics in combination with existing multi-layered protection approaches and and indeep view into the environment should be basic. The same level of importance should be raised towards the need of playbooks and general operational standards. But any technology will fail if there is not the rigth level of attention from c-level to this. This includes the need of a dedicated security team lead by a CISO.

I’ve seen people being completely convinced on their systems, on their approaches, that they could not imagine that an attacker could find another way. These are the one who will fail – at a point in time.

This leads finally to some sentences driving this part of my life:

1. The last limit is your imagination.

2. The only way to be safe is to never be secure. (Benjamin Franklin?)

3. They all cook with water only.

Happy hunting!

Outsourcing

Outsourcing and Inhousing is often described as a curve which over the years continiously move between maximum outsouce and inhouse activities. It sometimes seems, that nobody find the balance between these both areas.
First of all, we need to look at the goals of both types. Outsourcing is often argued by big cost savings and better business focus on companies key business. Because our outsourcing partner want to get payed as well, the savings are calculated with hardware-,licence-, maintainence and headcount money. It is sometimes questionable if we really have these savings, if we don’t follow an outsource really everything path, because if we keep parts inhouse, we still have parts of the costs. The big saving, the headcount cost is a saving which may cost us later even more money – wait and read.

Outsourcing by definition means, that we loose control in our envrionment and let our outsource partner deliver everything to us. This also means, that we build a dependency to our partner.
The simple truth here is, that our partner has the same goal as we have. Earn money.
Outsourcing could be win-win situation, but seing the out-in-curve shows, that this is most likely not the case.

Inhousing on the other site is argued with too expensive outsourcing costs and flexibility issues to react to business requirements. Inhousing normally follow after a couple of years of extreme outsourcing with more and more minor issues. These issues are often started with the fact, that local knowledge has gone and we have nobody left anymore being able to read and understand all details of the initial outsourcing contract. Unfortunately we also have lost the detail knowledge we needed to challenge our outsourcing partner. The frustration is raising and at a point someone opens a calculation explaining, that inhousing is cheaper.

While outsourcing is more linked to cost saving arguments inhousing often happen when the hudge amount of outsourcing costs get realized. At the beginning of an outsourcing effort, potential cost savings have been seen by reducing internal headcount. This is a direct contradiction, which is so easy to see, that it get argued with other reasons and this truth isn’t seen.

Now looking at the terminology of outsourcing we easily find the reason: We have lost control over our environment, because we lost our internal skills.