No One is Liable for My Stolen Personal Information

The main victims of any data breach are actually the people, the customers, whom their personal information has been stolen and oddly?they don?t get the deserved attention. Questions like what was the impact of the theft on me as a customer, what can I do about it?and whether I deserve some compensation are rarely dealt with publicly.

Customers face several key problems when their data was?stolen, questions such as:

  • Was their data stolen at all? Even if there was a breach it is not clear whether my specific data has been stolen. Also, the multitude of places where my personal information resides?makes it impossible?to track whether and where my data has been stolen from.
  • What pieces of information about me were stolen and by whom? I deserve to know who has done that more than anyone else. Mainly due to the next bullet.
  • What are the risks I am facing now after the breach? In the case of a stolen password that is used in other services I can go manually and change it but when my social security number was stolen, what does?it mean for me?
  • Whom can I contact in the breached company to answer?such questions?
  • And most important was my data protected properly?

The main point here is the fact companies are not obligated either legally or socially to be transparent about how they protect their customers? data. The lack of transparency and standards as for how to protect data creates an automatic lack of liability and serious confusion for customers. In other areas such as preserving customer privacy and terms of service the protocol between a company and its customers is quite standardized and although not enforced by regulation still it has substance to it. Companies publish their terms of service (TOS) and privacy policy (PP) and both sides rely on these statements. The recent breaches of Slack and JPMorgan are great examples for the poor state of customer data protection – in one case they decided to implement two-factor authentication and I am not sure why didn?t they do it before and in the second case the two-factor authentication was missing in action. Again these are just two examples that present the norm across most of the companies in the world.

And what if each company adopted a customer data protection policy (CDPP), an open one, ?where such a document would specify clearly on the company website what kind of data it collects and stores and what security measures it applies to protect it. From a security point of view, such information can not really cause harm since attackers have better ways to learn about the internals of the network and from a customer relationship point of view, it is a must.

Such a CDPP statement can?include:

  • The customer data elements collected and stored
  • How it is protected against malicious employees
  • How it is protected from third parties which may access to the data
  • How it is protected when it is stored and when it is moving inside the wires
  • How is the company expected to communicate with the customers when a breach happens – who is the contact person?
  • To what extent the company is liable for stolen data

Such a document can increase dramatically the confidence level for us, the customers, prior to selecting to work with a specific company and can serve as a basis for innovation in tools that can aggregate and manage such information.

Cyber Tech 2015 – It’s a Wrap

It has been a crazy two days at Israel?s Cyber Tech 2015?in a good way! The exhibition hall was split into three sections: the booths of the established companies, the startups pavilion and the Cyber Spark arena. It was like examining an x-ray of the emerging cyber industry in Israel, where on one hand you have the grown-ups whom are the established players, the startups/sprouts seeking opportunities for growth, and an engine which generates such sprouts?the Cyber Spark. I am lucky enough to be part of the Cyber Spark?growth engine which is made up of the most innovative contributors to the cyber industry in Israel?giants like EMC and Deutsche Telekom, alongside Ben-Gurion university and JVP Cyber Labs. The Cyber Spark is a place where you see how ideas are formed in the minds of bright scientists and entrepreneurs which flourish into new companies.

It all started two days ago, twelve hours before the event hall opened its doors, with great coverage by Kim Zetter from Wired on the BitWhisper heat based air-gap breach, a splendid opening which gauged tremendous interest across the worldwide media on the rolling story of air-gap security investigated at Ben-Gurion university Cyber Research center. This story made the time in our booth quite hectic with many visitors interested in the details, or just dropping by to compliment us on our hard work.

Startups

I had enough time to go and visit the startups presenting at the exhibition which were the real deal?as someone living in the future?and I wanted to share some thoughts and insights on what I saw. Although each startup is unique and has its own story and unique team, there are genres of solutions and technologies:

Security Analytics

Going under the name of analytics, big data or BI there were a handful of startups trying to solve the problem of security information overload. And it is a real problem; today security and IT systems throw hundreds of reports every second and it is impossible to prioritize what to handle first and how to distinguish between what is important and what is less important. The problem is divided to two parts: the ongoing monitoring and maintenance of the network and managing the special occasions of post-breach?the decisions and actions taken post-breach are critical since the time is pressing and the consequences of wrong actions can damage the investigation. Each startup takes its own angle at this task with unique advantages and disadvantages and it is fairly safe to say that the security big data topic is finally getting a proper treatment from the innovation world. Under the category of analytics, I also group all the startups which help visualise and understand the enterprise IT assets addressing the same problem of security information overload, in their own way.

Mobile Security

Security of mobile devices?laptops, tablets and phones?is a vast topic including on-device security measures, secure operating systems, integration of mobile workers into the enterprise IT and risk management of mobile workers. This is a topic that has been addressed by Israeli startups for several years now, and finally this year it seems that enterprises are ready to absorb such solutions. These solutions help mitigate the awful risk inherent in the new model of enterprise computing which is no longer behind the closed doors of the office?the enterprise is now distributed globally and always moving where part of it can be on the train or at home.

Authentication

We all know passwords are bad. They are hard to remember and most of all insecure and the world is definitely working toward reinventing the ways we can authenticate digitally without passwords. From an innovative point of view, startups of authentication are the most fascinating as each one comes from a completely different discipline and aims to solve the same problem. Some base their technology on the human body, i.e., Biometry, and some come from the cryptographic world with all kinds of neat tricks such as zero-knowledge proofs. From an investor’s point of view, these startups are the riskiest ones since they all depend on consumer adoption eventually and usually, only one or two get to win and win big time while the rest are left deserted.

Security Consulting

Although it is weird to see consulting companies in the startups’ pavilion, in the world of security it makes a lot of sense. There is a huge shortage in security professionals globally and this demand serves as the basis for new consulting powerhouses that provide services such as penetration testing, risk assessment, and solution evaluation – the Israelis are well-known for their hands-on expertise which is appreciated across the world by many organizations.

Security in the Cloud

The cloud movement is happening now, with a large part of it and enabler to it being security?and startups of course do not miss out on that opportunity as well. Cloud security is basically the full range of technologies and products aimed to defend the cloud operations and data. In a way, it is a replica of the legacy data center security inventory simply taking a different shape to adapt better to the new dynamic environment of cloud computing. This is a very promising sector as the demand curve for it is steep.

Security Hardware

This was a refreshing thing to see with Israeli startups which tend to focus, in recent years, mostly on software. A range of cool devices starting from sniffers to backup units and wifi blockers. I wonder how it will play out for them as the playbook for hardware is definitely something different from software.

SCADA Security

SCADA always ignites the imagination thinking to critical infrastructure and sensitive nuclear plants?a fact which has definitely grabbed the attention of many entrepreneurs looking to start a venture in the interest of solving these important issues. Problems such as inability to update those critical systems, lack of visibility with regard to attacks on disconnected devices, and the ability to control the assets in real-time in the case of attacks. The real problem with SCADA systems is the risk associated with an attack that anyone would try to avoid at all costs, while the challenge for startups is the integration into this diverse world.

IoT Security

IoT security is a popular buzzword now and hides behind it a very complicated world of many devices and infrastructures in which there is no one solution fits all resolution. Although there are startups that claim to be solving IoT security, I project that with time, each one of them will find its own niche?which is sufficient as it’s a vast world with endless opportunism. A branch of IoT that was prominent in the exhibition was car security with some very interesting innovations.

Data Leakage Protection

As part of the post-breach challenge, there are quite a few startups focusing on how to prevent data exfiltration. From a scientific point of view, it is a great challenge consisting of conflicting factors?the tighter the control is on data, the less convenient it is to use the data on normal days.

Web Services Security

The growing trend of attacks on websites which has taken place in recent years and the tremendous impact this makes on consumer confidence, i.e., when your website gets defaced or is serving malware, grabbed the Israeli startups’ attention. Here we can find a versatile portfolio of active protection tools that prevent and deflect attacks, scanning services that scan websites, and tools for DDOS prevention. DDOS has been in the limelight recently and with all the botnets out there, it is a real threat.

Insider Threats

Insider threats are one of the biggest concerns today for CISOs where there are two main attack vectors: the clueless employee and the malicious employee. This threat is addressed from many directions, starting with profiling the behavior of employees, profiling the usage of data assets, and protecting central assets like Active Directory. This is definitely going to be a source for innovation for the upcoming years as the problem is diverse and difficult to solve, in that it involves the human factor.

Eliminating Vulnerabilities

Software vulnerabilities were, is, and will be an unsolved problem and the industry tackles it in many different ways, ranging from code analysis and code development best practices, vulnerability scanning tools and services, and active protection against exploitations. Vulnerabilities are the mirror reflection of APTs and here again, there are many unique approaches to detect and stop these attacks, such as endpoint protection tools, network detection tools, host-based protection systems, botnets detection, and honeypots aiming to lure the attacks and contain them.

What I did Not See

Among the things I did not see there: tools that attack the attackers. developments in cryptography. containers security. security & AI and social engineering-related tools.

I regret that I did not have much time to listen to the speakers?I heard that some of the presentations were very good. Maybe next year at Cyber Tech 2016.

A Brief History on the Emerging Cyber Capital of the World: Beer-Sheva, Israel

6a010536b66d71970c01b8d0e90a0b970c-pi

The beginning of the cyber park

There are very few occasions in life where you personally experience a convergence of unrelated events that lead to something?something BIG! I am talking about Beer-Sheva, Israel?s desert capital. When I started to work with Deutsche Telekom Innovation Laboratories at Ben-Gurion University 9 years ago it was a cool place to be, though still quite small. Back then, security?which was not yet referred to as cybersecurity?was one of the topics we covered, but definitely not the only one. At that time, we were the first and only activity related to cyber in this great desert. No one knew, or at least I didn’t, that it was going to be a blossoming cyber powerhouse. Actually, when imagining the Beer-Sheva of yesterday, it was unthinkable that the hi-tech scene of Tel Aviv would make its way southward.

Now, fast-forward to the last three years, and well, it has been a rollercoaster. Deutsche Telekom has strengthened its investment in security, and together with the emerging expertise of Ben-Gurion University in the field of cyber, other large, leading security companies have caught the inspiration and followed suit. Major players have opened branches in Beer-Sheva?s Cyber Spark area: EMC and Lockheed Martin, an IBM research lab, and numerous important others as well. The growing interest and recognition of BGU’s expertise in cyber have prompted many organizations and companies to cooperate with the university?leading eventually to the emergence of the Cyber Security Labs at Ben-Gurion University. I’m referring to the same lab that was behind the Samsung Knox VPN vulnerability disclosure?and the breaking of air-gap security via AirHopper. In parallel, JVP, the most prominent VC in Israel, has opened the JVP Cyber Labs which started pumping life into the many ideas that were up in the air?giving everyone a commercial point of view of innovation. The Israeli government also started backing this plan, and together with the local authority, really transformed the ecosystem into a competitive place for talent. Most of all, the university has been a real visionary, backing this emergence from the very beginning in spirit and action alike.

This brief summary of events led to a tipping point of no return where Beer-Sheva can be defined with confidence as the emerging cyber capital of the world. You can find a mix of professors, young researchers, entrepreneurs, venture capitalists, and large corporations all located in the same physical place, talking and thinking about cyber and converging into this new-born cyber industry. Of course, this is my personal story and point of view, and others have their own angle. However, Beer-Sheva as a cyber capital is undeniable, take for example David Strom?s impressions?from his recent visit.

6a010536b66d71970c01b8d0e90a17970c-800wi

A view to the future of the cyber park

One very special person obligatory to mention here, whom I perceive as the father of this entire movement, is Professor Yuval Elovici, the head, and creator of Telekom Innovation Laboratories and the cybersecurity labs at Ben-Gurion University. I am grateful to him both personally and collectively?first and foremost, for pursuing the development of the process in Beer-Sheva. He had this vision from the very early days, a very long time ago, when the term “cyber” was only known for the crazy shopping done on Cyber Monday. The second reason, which is a personal one, is for pulling me into this wonderful adventure. Before joining the university labs, I never imagined having anything to do with the academy?as I am a person who never even properly graduated from high school:)

6a010536b66d71970c01bb08036bda970d-pi

The movers and shakers of the cyber capital

Life is full of surprises.

So, I suggest that anyone in the area of cyber?in Israel or abroad?keep a very close eye on what is happening in Beer-Sheva, because it is happening now!

P.S. If you are around on the 24-25th of March at the Cyber Tech event, please drop by and say “hi” at our beautiful Cyber Spark booth.

???????

Distributed Cyber Warfare

One of the core problems with cybercriminals and attackers is the lack of a clear target. Cyber attacks are digital in nature and as such, they are not tied to specific geography, organization, and or person – finding the traces to the source is non-deterministic and ambiguous. In a way, it reminds me of real-life terrorism as an effective distributed warfare model which is also difficult to mitigate. The known military doctrines always assumed a clear target and in a way, they are not relevant anymore against terrorism. The terrorists are taking advantage of the concept of distributed entities where attacks can hit anything, anytime and can originate from everywhere on the planet using an unknown form of attack. A very fuzzy target. The ways countries tackle terrorism mostly rely on intelligence gathering while the best intelligence is unfortunately created following a specific attack. Following an attack it is quite easy to find out about the identity of the attackers which leads eventually to a source and motivation – this information leads to more focused intelligence which helps prevent other future attacks. In the cyber arena, the situation is much worse since even after actual attacks are taking place it is almost impossible to trustfully trace the specific sources and attribute them to some organization or person.

It is a clear example of how a strong concept like distributed activity can be used for malicious purposes and I am pretty sure it will play out again and again in favor of attackers in future attack scenarios.

Taming The Security Weakest Link(s)

Overview

The security level of a computerized system is as good as the security level of its weakest links. If one part is secure and tightened properly and other parts are compromised, then your whole system is compromised, and the compromised ones become your weakest links. The weakest link fits well with attackers? mindset which always looks for the least resistant path to their goal. Third parties in computers present an intrinsic security risk for CISOs, and in general, to any person responsible for the overall security of a system. A security risk is one that is overlooked due to a lack of understanding and is not taken into account in an overall risk assessment, except for the mere mention of it. To clarify, third-party refers to all other entities that are integrated into yours, which can be hardware and software, as well as people who have access to your system and are not under your control.

A simple real-life example can make it less theoretical: Let?s say you are building a simple piece of software running on Linux. You use the system C library, and in this case, play the 3rd party role. If the C library has vulnerabilities?then your software has vulnerabilities. And, even if you make your software bulletproof, it still won?t remove the risks associated with the C library which becomes your software weakest link.

Zooming out on our imaginary piece of software then, you probably already understand that the problem of the 3rd party is much bigger than what was previously mentioned, as your software also relies on the operating system and other installed 3rd party libraries, and the hardware itself, and the networking services, and the list goes on and on. I am not trying to be pessimistic, but this is how it works.

In this post, I will focus on application integration-driven weakest links for the sake of simplicity, and not on other 3rd parties such as reusable code, non-employees, and others.

Application Integration as a Baseline for 3rd Parties

Application integration has been one of the greatest trends ever in the software industry, enabling the buildup of complex systems based on existing systems and products. Such integration takes many forms depending on the specific context in which it is implemented.

Mobile World

In the mobile world, for example, integration serves mainly the purpose of ease of use where the apps are integrated into one other by means of sharing or delegation of duty, such as integrating the camera into an image editing app?iOS has come a long way in this direction with native FB and Twitter integration, as well as native sharing capabilities. Android was built from the ground up for such integration with its activity-driven architecture.

6a010536b66d71970c01b7c754ea16970b-pi

Enterprise Systems

In the context of enterprise systems, integration is the lifeblood of business processes where there are two main forms of integration: one-to-one such as software X ?talking? to software Y via software or network API. The second form is many-to-many, such as in the case of software applications ?talking? to a middleware where later the middleware ?talks? to other software applications.

6a010536b66d71970c01bb07f8b814970d-pi

Personal Computers

In the context of a specific computer system, there is also the local integration scenario which is based on OS native capabilities such as ActiveX/OLE or dynamic linking to other libraries ? such integration usually serves code reuse, ease of use, and information sharing.

6a010536b66d71970c01b8d0de35f0970c-pi

Web Services

In the context of disparate web-based services, the one-to-one API integration paradigm is the main path for building great services fast.

6a010536b66d71970c01b7c754ea7f970b-320wi

All In All

Of course, the world is not homogeneous as is depicted above. Within the mentioned contexts you can find different forms of integration which usually depend on the software vendors and existing platforms.

Integration Semantics

Each integration is based on specific semantics. These semantics are imposed by the interfaces each party exposes to the other party. REST APIs, for example, provides a rather straightforward approach to understanding the semantics where the interfaces are highly descriptive. The semantics usually dictate the range of actions that can be taken by each party in the integration tango and the protocol itself enforces that semantics. Native forms of integration between applications are a bit messier than network-based APIs where there is less capability to enforce the semantics allowing exploits such as in the case with ActiveX integration on Windows which has been a basis for quite a few attacks. The semantics of integration also includes the phase of establishing the trust between the integrated parties, and again, this varies quite a bit regarding implementation within each context. It varies from a zero-trust case with fully public APIs such as consuming an RSS feed or running a search on Google with an Incognito browser up to a full authentication chain with embedded session tokens.

In the mobile world where the aim of integration is to increase ease of use, the trust level is quite low: the mobile trust scheme is based mainly on the fact that both integrated applications reside on the same device such as in the case of sharing, where any app can ask for sharing via other apps and gets an on-the-fly integration into the sharing apps. The second prominent use case in mobile for establishing trust is based on a permission request mechanism. For example, when an app tries to connect to your Facebook app on the phone, the permission request mechanism verifies the request independently from within the FB app, and once approved, the trusted relationship remains constant by use of a persisted security token. Based on some guidelines, some apps do expire those security tokens, but they last for an extended period. With mobile, the balance shift remains between maintaining security and annoying the user with many too many permission questions.

Attack Vectors In Application Integration

Abuse of My Interfaces

Behind every integration interface, there is a piece of software that implements the exposed capabilities, and as in every software, it is safe to assume that there are vulnerabilities just waiting to be discovered and exploited. So the mere existence of opening integration interfaces from your software poses a risk.

Man In The Middle

Every communication among two integrated parties can be attacked using a man in the middle (MitM). MitM can first intercept the communications, but also alter them to either disrupt the communications or exploit a vulnerability on either side of the integration. Of course, there are security protocols such as SSL which can reduce that risk but not eliminate it.

Malicious Party

Since we don?t have control of the integrated party, then it is very difficult to assume that it has not been taken over by a malicious actor which now can do all kind of things: exploit my vulnerabilities, exploit the data channel by sending harmful or destructive data, or cause a disruption of my service with denials of service attacks. The other risk of a malicious or under attack party is about availability, and many times with tight integration your availability strongly depends on the integrated parties’ availability. The risk posed by a malicious party is amplified due to the fact trust is already established, and many times a trusted party receives wider access to resources and functionality than a non-trusted party, so the potential for abuse is higher.

Guidelines for Mitigation

There are two challenges for mitigating 3rd party risks: the first one is the visibility that is easier to achieve, and the second is what to do about each risk identified since we don?t have full control over the supply chain. The first step is to gain an understanding of which 3rd parties your software is reliant upon. This is not easy as you may have visibility only over the first level of integrated parties?in a way this is a recursive problem, but still, the majority of the integrations can be listed out. For each integration point, it is interesting to understand the interfaces and the method of integration (i.e. over the network, ActiveX), and finally, trust establishing a method. Once you have this list, then you should create a table with four columns:

  • CONTROL – How much control you have over the 3rd party implementation.
  • CONFIDENCE – Confidence in 3rd party security measures.
  • IMPACT – Risk level associated with potential abuse of my interfaces.
  • TRUST ? The trust level required to be established between the integrated parties before communicating with each other.

These four parameters serve as a basis for creating an overall risk score where the weights for each parameter should be assigned at your discretion and based on your judgment. Once you have such a list, and you?ve got your overall risk calculated for each 3rd party, then simply sort it out based on risk score, and there you’ve got a list of priorities for taming the weakest links.

Once you know your priorities, then there are things you can do, and there are actions that only the owners of the 3rd party components can do so you need some cooperation. Everything that is in your control, which is the security of your end in the integration and the trust level imposed between the parties (assuming you have control of the trust chain and you are not the consumer party in the integration), should be tightened up. For example, reducing the impact of your interfaces towards your system is one thing in your control as well as the patching level of dependent software components. MITM risk can be reduced dramatically with the establishment of a good trust mechanism and implementation of secure communications, but not completely mitigated. And lastly, taking care of problems within an uncontrolled 3rd party is a matter of specifics that can?t be elaborated upon theoretically.

Summary

The topic of 3rd party security risks is a large one to be covered by a single post, and as seen within each specific context, the implications vary dramatically. In a way, it is a problem which cannot be solved 100%, due to lack of full control over the 3rd parties, and lack of visibility into the full implementation chain of the 3rd party systems. To make it even more complicated, consider that you are only aware of your 3rd parties, and your 3rd parties also have 3rd parties?which in turn also have 3rd parties?and on and on?so you can not be fully secure! Still, there is a lot to do even if there is no clear path to 100% security, and we all know that the more we make it hard for attackers, the costlier it is for them, which does wonders to weaken their motivation.

Stay safe!

The Emergence of Polymorphic Cyber Defense

Background

Attackers are Stronger Now

The cyber-world is witnessing a fast-paced digital arms race between attackers and security defense systems, and 2014 showed everyone that attackers have the upper hand in this match.? Attackers are on the rise due to their growing financial interest?motivating a new level of sophisticated attacks that existing defenses are unmatched to combat. The fact that almost everything today is connected to the net and the ever-growing complexity of software and hardware turns everyone and everything into viable targets.

For the sake of simplicity, I will focus this post on enterprises as a target for attacks, although the principles described here apply to other domains.

The complexity of Enterprise: IT has Reached a Tipping Point

In recent decades, enterprise IT achieved great architectural milestones thanks to the lowering costs of hardware and accelerating the pace of technology innovation. This transformation made enterprises utterly dependent on the IT foundation, which is composed of a huge amount of software packages coming from different vendors, operating systems, and devices. Enterprise IT has also become very complicated where gaining a comprehensive view of all the underlying technologies and systems has become an impossible mission. This new level of complexity has its tolls, and one of them is the inability to effectively protect the enterprise digital assets. ?Security tools did not evolve at the same pace as IT infrastructure, and as such, their coverage is limited?resulting in a considerable amount of ?gaps? waiting to be exploited by hackers.

The Way of the Attacker

Attackers today can craft very advanced attacks quite quickly. The Internet is full of detailed information regarding how to craft those with plenty of malicious code to reuse. Attackers usually look for the least resistant path to their target, and such paths exist today. Although, after reviewing the recent APT techniques, some consider them not to be sophisticated enough. I can argue that it is just a matter of laziness, and not professionalism?since today there are so many easy paths into the enterprise, why should they bother with advanced attacks? And I do not think their level of sophistication, by any means, has reached a barrier that can make the enterprises feel more relaxed.

An attack is composed of software components and to build one; the attacker needs to understand their target systems. Since IT has undergone standardization, learning which system the target enterprise use?and finding its vulnerabilities is quite easy. For example, on every website an attacker can identify the signature of the type of web server, and then investigate it within the lab, to try to look for common vulnerabilities on that specific software. Even more simple is to look into the CVE database and find existing vulnerabilities, which have not been patched on it. Another example is the active directory (AD), which is an enterprise application that holds all the organizational information. Today, it is quite easy to send a malicious document to an employee in which once the document is opened, it exploits the employee’s Windows machine and looks for privileged vulnerability into AD. Even the security products and measures that are applied to the target enterprise can be identified by the attacks quite easily, and can later bypass them, leaving no trace of the attack. Although organizations always aim to update their systems with the latest security updates and products, there are still two effective windows of opportunities for attackers:

  • From the moment that a disclosure of a vulnerability in specific software is identified to the moment in which a software patch-up is engineered, to the point in time in which the patch is applied to the specific computers running the software. This is the most vulnerable time frame since the details of the vulnerability are publicly available, and there is always enough time before the target covers this vulnerability?greatly simplifying the job of the attacker. Usually, within this time frame attackers can also find an example exploitation code on the internet for reuse.
  • Unknown vulnerabilities in the software or enterprise architecture that are identified by attackers and used without any disruption or visibility since the installed security products are not aware of them.

From a historic point of view, the evolution of attacks is usually tightly coupled with the evolution of security products aiming to bypass them and mainly the need to breach specific areas within the target. During my time as VP R&D for Iris Antivirus (20+ years ago) I witnessed a couple of important milestones in this evolution:

High-Level Attacks ? Malicious code written in a high-level programming language such as Visual Basic or Java, which created a convenient platform for attackers to write PORTABLE attacks which can be modified quite easily since it is written in high-level language making virus detection very difficult. The basic visual attacks created, also as an unintentional side effect, an efficient DISTRIBUTION channel for the malicious code to be delivered via documents. Today it is the main distribution path for malicious code, via HTML documents, Adobe PDF files, or MS Office files.

Polymorphic Viruses ? Malicious code hides itself from signature driven detection tools, and only at runtime is the code deciphered and executed. Now imagine a single virus serving as a basis for so many variants of ?hidden? code and how challenging it can be for a regular AV product. Later on, polymorphism evolved to the dynamic selection, and execution of the ?right? code where the attack connects to a malicious command and control server with the parameters of the environment and the server returns an adaptive malicious code, which fits the task at hand. This can be called as runtime polymorphism.

Both ?innovations? were created to evade the main security paradigm which existed back then, mainly that of the anti-viruses looking for specific byte signatures of the malicious code. Both new genres of attacks were very successful in challenging the AVs ?because signatures have become less deterministic. Another major milestone in the evolution of attacks is the notion of code REUSE to create variants of the same attack. There are development kits in existence that can be used by attackers, as if they were legitimate software developers, building something beneficial. The variant phenomena competed earnestly with AVs in a cat and mouse race for many years?and still, does.

State of Security Products

Over the years malicious code related security products has evolved alongside the threats, whereas the most advanced technology applied to identify malicious code was and still is behavioral analysis. Behavioral analysis indicates the capability to identify specific code execution patterns. An approach to the signature detection paradigms, which mainly addresses the challenge of malicious code variants. Behavioral analytics can be applied at runtime to a specific machine tracing the execution of applications or offline via a sandbox environment such as FireEye. The latest development in behavioral analytics is the addition of predictive capabilities aiming to predict which alternative future execution patterns reflects a malicious behavior and which is benign to stop attacks before any harm is done. Another branch of security products that aim at dealing with unknown malicious code belongs to an entirely new category that mimics the air-gap security concept, referred to as containment. Containment products?there are different approaches with different value propositions, but I am generalizing here?are running the code inside an isolated environment, and if something were to go wrong, the production environment would be left intact in that it was isolated and the attack had been contained. It is similar to having the 70?s mainframe, which did containerization, but in your pocket and a rather seamless manner. And of course, the AVs themselves have evolved quite a bit, while their good old signature detection approach still provides value in identifying well-known and rather simplistic attacks.

So, with all these innovations, how are attackers remaining on top?

  1. As I said, it is quite easy to create new variants of malicious code. It can even be automated, making the entire signature detection industry quite irrelevant. The attackers have found a way to counter the signatures paradigm by simply generating a large amount of potential malicious signatures.
  2. Attackers are efficient at locating the target’s easy-to-access entry points, both due to the knowledge of systems within the target, and the fact that those systems have vulnerabilities. Some attackers work to uncover new vulnerabilities, which the industry terms zero-day attacks. Most attackers, however, simply wait for new exploits to be published and enjoy the window of opportunity until it is patched.
  3. The human factor plays a serious role here where social engineering and other methods of convincing users to download malicious files is often successful. It is easier to target the CFO with a tempting email with a malicious payload, then to find your digital path into the accounting server. Usually, the CFO has the credentials to those systems, and often there are even excel copies of all the salaries on their computer, so it is a much less resistant path toward success.

Enter the Polymorphic Defense Era

6a010536b66d71970c01b7c74a1d69970b-800wi

An emerging and rather exciting security paradigm that seems to be popping up in Israel and SV is called a polymorphic defense. One of the main anchors contributing to successful attacks is the prior knowledge that attackers benefit from about the target, including which software and systems are used, the network structure, the specific people and their roles, etc. This knowledge serves as a baseline for all targeted attacks across all the stages of attack: the penetration, persistence, reconnaissance, and the payload itself. All these attack steps, to be effective, require detailed prior knowledge about their target?except for reconnaissance?which complements the external knowledge with dynamically collected internal knowledge. Polymorphic defense aims to undermine this prior knowledge foundation and to make attacks much more difficult to craft.

The idea of defensive polymorphism has been borrowed from the attacker’s toolbox where it is used to ?hide? their malicious code from security products. The combination of polymorphism with defense simply means changing the “inners” of the target, where the part to change depends on the implementation and its role in attack creation. This is done so that these changes are not visible to attackers, making prior knowledge irrelevant. Such morphism hides the internals of the target architecture so that only trusted sources are aware of them?to operate properly. The ?poly? part is the cool factor of this approach in that changes to the architecture can be made continuously and on-the-fly, making the guesswork higher by magnitudes. ?With polymorphism in place, attackers cannot build effective repurposable attacks against the protected area. This cool concept can be applied to many areas of security depending on the specific target systems and architecture, but it is a revolutionary and refreshing defensive concept in the way that it changes the economic equation that attackers are benefitting from today. I also like it because, in a way, it is a proactive approach?and not passive like many other security approaches.

Polymorphic defenses usually have the following attributes:

  • Solutions that are agnostic to covered attack patterns which makes them much more resilient.
  • Seamless integration into the environment since the whole idea is to change the inner parts?changes that cannot be made apparent to externals.
  • Makes reverse-engineering and propagation very difficult, due to the “poly” aspect of the solution.
  • There is always a trusted source, which serves as the basis for the morphism.

The Emerging Category of Polymorphic Defense

The polymorphic defense companies I am aware of are still startups. Here are a few of them:

  • The first company that comes to mind, which takes polymorphism to the extreme, is Morphisec*, an Israeli startup still in stealth mode. Their innovative approach solves the problem of software, and it achieves that by continuously morphing the inner structures of running applications, which as a result, renders all known and potentially unknown exploits as useless. Their future impact on the industry can be tremendous: the end of the mad race of newly discovered software vulnerabilities and software patching, and much-needed peace of mind regarding unknown software vulnerabilities and attacks.
  • Another highly innovative company that applies polymorphism in a very creative manner is Shape Security. They were the first one to coin the term of polymorphic defense publicly. Their technology ?hides? the inner structure of web pages which eventually can block many problematic attacks such as CSRF, which rely on specific known structures within the target web pages.
  • Another very cool company also out of Israel is CyActive. CyActive fast forwards the future of malware evolution using bio-inspired algorithms, and use it as training data for a smart detector which can identify and stop future variants,?much like a guard that has been trained on future weapons. Their polymorphic anchor is in the fact they outsmart the phenomena of attack variants by creating all the possible variants of the malware automatically and by that increase detection rate dramatically.

I suppose there are other emerging startups that tackle security problems with polymorphism. If you are aware of any particularly impressive ones, please let me know, as I would love to update these posts with more info on them. J

*Disclaimer ? I have a financial and personal interest in Morphisec, the company mentioned in the post. Anyone interested in connecting with the company, please do not hesitate to send me an email and I would be happy to engage regarding this matter.

History

The idea of morphism or randomization as an effective tool for setting a serious barrier for attackers can be attributed to different academic developments?and commercial ones. To name one commercial example, take the Address Space Layout Randomization (ASLR) concept from operating systems. ASLR is a concept that aims to deal with attacks that are written to exploit specific addresses in memory, and ASLR changes this assumption by moving around code in memory in a rather random manner.

The Future

The polymorphic defense is a general theoretical concept which can be applied to many different areas in the IT world, and here are some examples off the top of my head:

  • Networks ? Software-defined networking provides a great opportunity for changing the inner-networking topology to deceive attackers and dynamically contain breaches. This can be big!
  • APIs ? API protocols can be polymorphic as well, and as such, prevent malicious actors from masquerading as legitimate parties or man in the middle attacks.
  • Databases ? Database structures can be polymorphic too, so only trusted parties could be aware of a dynamic DB scheme and others cannot.

So, polymorphic defense seems to be a game-changing security trend which can potentially change the balance between the bad guys and the good guys?and ladies too, of course.

UPDATE Feb 11, 2015: On Reddit I’ve got some valid feedback that it is the same as the MTD concept, Moving Target Defense, and indeed that is right. In my eyes, the main difference is the fact Polymorphism is more generic in the sense it is not specifically about changing location as means of deception but also creating many forms of the same thing to deceive the attackers, but it is just a matter of personal interpretation.

To Disclose or Not to Disclose, That is The Security Researcher Question

Microsoft and Google are?bashing each other on the zero-day exploit in Windows 8.1 that was disclosed by Google last week following a 90 days grace period. Disclosing is a broad term when speaking about vulnerabilities and exploits – you can disclose to the public the fact that there is a vulnerability and then you can disclose how to exploit it with an example source code. There is a big difference between just telling the world about the vulnerability vs. releasing the tool to exploit it and that is the level of risk created by each alternative. In reality, most attacks are based on exploits that have been reported but have not been patched yet. Disclosing the exploit code without a patch that is ready to protect the vulnerable software is in a way helping the attackers. Of course, the main intention is to help the security officers which want to know where is the vulnerability and how to patch it temporarily but we should not forget that public information also falls in the hands of attackers.

Since I have been at Google’s position in the past with the KNOX vulnerability we uncovered at the cybersecurity labs @ Ben-Gurion University I can understand them. It is not an easy decision since on one hand, you can’t hide such info from the public while on the hand you know for sure that the bad guys are just waiting for such “holes” to be exploited. Within the time I understood a few more realities:

  • Even if a company issues a software patch still the risk is not gone since the time window from the moment a patch is ready to be applied up to the time it is actually applied on systems can be quite long and during that time the vulnerability is available for exploitation.
  • Sometimes vulnerabilities uncover serious issues in the design of the software and solving it may not be a matter of days. Of course, a small temporary fix can be issued but a proper well thought of patch taking into account many different versions and interconnected systems can take a much longer time to devise.
  • There is a need for an authority to manage the whole exploit disclosure, patching, and deployment life cycle which will devise a well-accepted policy and not just a single-sided policy such as the one Google Zero devised. If the intention eventually is to increase security then without the collaboration of software vendors it won’t work out.

And I am not into the details but I truly believe Google has acted here out of professionalism and not for other political reasons against Microsoft.

Google Releases Windows 8.1 Exploit Code – After 90 Days Warning to Microsoft

Google Project Zero has debuted with the aim of solving the vulnerabilities problem by identifying zero-day vulnerabilities, notifying the company which owns the software, and giving them 90 days to solve the problem. After 90 days they publish the exploit. And they just did it to Microsoft.

I remember quite a while ago when we decided at the cyber labs at Ben-Gurion University to adopt such a policy following our discovery of a vulnerability in Samsung KNOX. The KNOX vulnerability eventually turned into Google’s Android vulnerability with the help of some political juggling between the two companies. We disclosed the exploit to Google on the 17th of Jan 2014 and we got a notice that a patch was ready on the 27th of Feb so their fast response was good enough to expect others to deliver the same level of service. I would not go into the topic of how long it takes such a patch to really by applied on users’ devices but at least expecting a patch to be delivered in 90 days is a good start. We eventually did not release the exploit code because we understood it will take some time until users will be protected with the patch and since the vulnerability was quite serious (VPN Bypass) then we decided not to disclose it.

Disclosing the exploit too early is a double-edged sword where on one hand you want the good guys to be aware to the problem in-depth while on the other hand you give a weapon into the hands of the bad guys and it is well known that published exploits are highly used by attackers relying on the time window between publishing the patch to applying it on the system.

Anyway, I think Project Zero is a good step forward for the security industry!

Counter Attacks – Random Thoughts

The surging amount of cyber attacks against companies and their dear consequences pushes companies to the edge. Defensive measures can go only so far in terms of effectiveness, assuming they are fully deployed which is also far from being the common case. Companies are too slow to react to this new threat which is caused by a fast-paced acceleration in the level of sophistication of attackers. Today companies are at a weak point. From a CEO perspective, the options available to mitigate this threat are running out especially considering the addition of state-sponsored attacks to the game and the unclear role of the government and their inability to effectively intervene.

So what can companies do? Attack back.

Attacking the attackers were and are always an option that remained in the heart of people and maybe spoken out very quietly due to the very simple reason of legality. Unlike self-defense in the real world which may allow you to use violence in order to stop an offender in the cyber world, you can only defend yourself passively and wait for law enforcement to come to the rescue.

What attacking back actually means? Many times you don?t know where the attack came from and who is behind it so whom to attack? It depends on the type of attack and the events happening after the attack. In many cases, there is a good chance a counter-attack can help minimize the damage or maybe eliminate it. In Sony’s case, there was later a counterattack (allegedly) by Sony (allegedly) trying to disrupt the download of the stolen files. From an offensive point of view, the low amount of servers serving the stolen files is a weakness and it is possible to try to stop it. It is not always true where if the files are to reside on another big company’s data center then stopping it can be impossible and definitely problematic in terms of getting into a fight with another company. So in order to have an effective counter-attack, you need to find a weakness. And many times it is not difficult. For example, in a phishing attack where the web pages holding the impersonating website a weakness can be found and it is the servers who hold those pages – taking them down should not be a problem. Another example of attacking back is responding to a DDOS or a spam attack with a counter DDOS and ultra spam attacks. In DDOS which is a distributed denial-of-service attack, it can be a bit more problematic since it is distributed by nature and run on many servers though I can easily imagine a cloud-based elastic service that response back effectively. Same for spam, why can?t someone send 100 emails back for each one received – let’s see them handling the volume of incoming mail. Symantec had a very nice cover from a technical perspective on counter-attacks, although from 2006, 8 years ago, still it is valid on many points.

The benefits of attacking back are three:

Prevention – To stop an ongoing attack were leaking the stolen data from my point of view is just another lateral step in the same attack. As a side note, everyone says the attack of Sony has ended (not everyone) but as long as files are still leaked out then it is still going on from my point of view. The bad guys have not been stopped yet. In terms of prevention also delaying an attack using counter strikes can be valuable.

Remedy – In cases where the stolen data can be identified to be located in a certain place then attacking back to retrieve it or just delete it is definitely an option.

Revenge – The sweet taste of revenge although doesn’t sound very business savvy is something that exists because we are all human.

Waiting for government help can take a long time and this raises the question of what is moral to do in between when you are at high risk with no protection and no one can help you and you can?t respond.

Government & the private sector

The problem with governmental intervention has several aspects (just to be clear, it is not that they don?t do anything, on the contrary, they do a lot but it is just far from being enough):

  • The government may have more tools and better access to interesting data but still, they are very limited since they get into the picture very late and they don?t know the internals of each company IT so they have a steep learning curve and a very short time to respond.
  • Regulation is something discussed and regulation on required security measures can be effective but only to some extent. Many times the problem with security in organizations is not whether they have the best tools or not, most of the holes are created due to human error, lack of knowledge, and lack of enforcement. It will take a really long time until a regulation can have some real impact on how companies protect themselves.
  • Integration – In order to effectively react to an attack you need to respond as close to real-time as possible when the damage is lower and the chances of finding traces are higher. The only party which can respond at such speed is the organization itself which controls and knows its IT. The government is not integrated into companies IT and as such, they can?t be aware of attacks and respond effectively to attacks as required. Needless to say, enterprises are very diverse in their IT architectures so even assessing the target security capabilities and weaknesses by the government will take a long time. Another problem with integration is that it raises also the issue of privacy which is unrelated but tightly connected to the topic concerning governments connected to companies IT.
  • Reach – The government has a limited reach to attackers not residing in the US. Naturally like any other country. Of course, the US has much more control over the internet infrastructure but still it far from full control.
  • Attribution – Due to the latency of the investigation attributing the attack to someone is difficult for everyone including the government. In the future, I will write a standalone post about attribution which is a fascinating topic and is very challenging in the world of cybercrime.

There is another point to consider in regards to government and enterprises and that is the idea of accessing the government intelligence systems by the enterprise. The enterprise is naturally limited in their view of the attack sources and maybe the solution is to allow the security team of the enterprise to extend their view with the data available by the government. Of course, this requires deep thinking about isolation and privacy but still, it is an option which can be a basis for devising a prompt response.

Of course is in any other unsolved problem there are those who try to make money out of it. ?There are several companies or entities offering attack back services though due to legality issues they don?t stay public for too long. I am pretty sure there are quite a few services like that which are off the radar. I tried to look for some open-source counter-attack projects but could not find such and to be honest, it is surprising there are none.

To summarize, it is a complicated matter and a lot is going on behind the scenes so we are far from knowing the full dynamics. But definitely, something to contemplate on.

A small disclaimer, this post is not aimed to suggest people attack back, it is just meant to raise the awareness on different aspects of cyber warfare.

Cutting Down North Korea’s Internet

Could be interesting to understand whether cutting down North Korea from the internet was a defensive measure due to a huge amount of ongoing attacks or was it just a preventive measure.

Definitely cutting down the internet has become another weapon in the war chest of the US.

The question is now: do other countries have such power of cutting down areas?

The net infrastructure should be evaluated for such attack vector.

A Tectonic Shift in Superpowers or What Sony Hack Uncovered to Everyone Else

Sony hack has flooded my news feed in recent weeks, everyone talking about how it was done, why, whom to blame, the trails which lead to North Korea, and the politics around it. I?ve been following the story from the first report with an unexplained curiosity and was not sure why since I read about hacks all day long.
A word of explanation about my “weird” habit of following hacks continuously, being a CTO of the Ben-Gurion University Cyber Security Labs comes with responsibility, and part of it is staying on top of things:)

Later on, the reason for my curiosity became clear to me. As background, to the ones who are deep in the security industry, it is already well known although not necessarily spoken out loud that attackers are pretty far ahead of enterprises regarding sophistication. The number of occurrences of reported cyberattacks in the recent two years shows a steep upward curve and if you add to that three times non-reported incidents than anyone can see it is exploding. And although many criticized Sony for their wrong security measures still?I don?t think they are the ones to blame. They were caught in a game beyond their league. Beyond any enterprise league.

The reasons attackers have become way more successful are:

  • They know how to better disguise their attacks, using form changing techniques (polymorphism) and others.
  • They know quite well the common weaknesses in enterprises IT. You can install almost any piece of software in your lab and just look for weaknesses all day long.
  • They have more money to pour into learning the specifics of their targets and thanks to that they build elaborated and targeted attacks. In the case of state-sponsored attacks, the funds are unlimited.
  • Defensive technologies within the enterprise are still dominated by tools invented ten years ago, back then?attacks were more naive if such can be said. Today we are in a big wave of new emerging security technologies which can be much more effective though enterprises enough time to get adopted.

So it is fair to say that enterprises are in a way sitting ducks for targeted attackers and I am not exaggerating here.

And the Sony story was different than others for two main reasons:

  • The source of an attack is allegedly originated and backed by a specific nation. And I am saying allegedly because unless you found the evidence in the computers of someone you can?t be sure and even then that person could have been entrapped by the real attackers. Professionals can quite easily cover up their traces, and the attackers here are professionals.
  • The results of the attack are devastating, and their publicity turned them into a nightmare for any CEO on earth. Some warning sign to the free world.

And Sony due to their bad luck got caught in the middle.

6a010536b66d71970c01bb07cb8c50970d-800wi
Image is taken from http://www.politico.com/story/2014/12/no-rules-of-cyber-war-113785.html

The End of Superpowers

From a high-level view, it does not matter whether it was?North Korea or not. The fact that such an event happened where potentially a state attacked a private company and its consequences and lack of ramifications are quite clear then this opens the path for the future to happen again and again and that what’s makes it a game-changer. Every nation in the world understood now they have got a free ticket to a new playground with different rules of engagement and more importantly different power balance.

In the physical world, power has always been attributed to the amount of firepower you?ve got, and naturally, the amount of firepower has a tight correlation with the economic strength of the nation. The US is a superpower. Russia is a superpower. In the cyber world, these rules do not necessarily apply where you can find a small group of very smart people, and with very simple cheap tools they can wreak havoc on a target. It is not easy but possible. The attackers many times are only limited by their creativity and nothing else. In the cyber world, size matters less.

Our lifestyle and lifeblood have become dependent on IT, our electricity, water, food, defense, entertainment, finance, and almost everything else is working only if the underlying IT is functioning properly. Cyberwarfare means attacking the physical world by digital means and the results can be no less devastating than any other type of attack. They can be worse since IT also presents new single points of failure. So if cyberwars can cause harm as real wars and size matter less wouldn?t that mean the rules of the game have changed forever?

Question of Responsibility

As soon as I heard that North Korea might be responsible for the attack I understood that Sony was caught into an unfair game and the big question is about the role of the government in defending the private sector, how and to what extent. Going back again to the physical world, in the case of a missile that is launched from North Korea onto the headquarters of Sony then the story and reaction were very much different and predictable. This comparison is valid since the damage which can be caused by such missile to the company is probably lesser from the economic perspective, not taking into account, of course, human casualties. I am not saying cyberattacks can?t cause casualties; I am just saying that this one did not.

So why is there a difference in the stance of the US government? Why did Sony not ask for help and nationwide defense?

The era of cyber warfare removes the clear distinction between criminal acts vs. nation wise offensive acts and a new line of thought should emerge.

So what the future holds for us?

  • A big wave of cyber attacks coming from everywhere on the globe. The ?good? results of this attack will surely provide a sign of hope for all the people in the world who felt inferior from a military perspective. The attackers always go to the weakest links, so we will see more enterprises being attacked like Sony in a more severe way. A long, complicated, stealthy war.
  • A big wave of security technologies which aim to solve these problems, coming from the private and government sector. Security startups and established players in a way ?enjoy? these developments where the need for new solutions is uprising steeply. I know personally, some startups in Israel which can take the current advantage attackers enjoy technologies such as polymorphic cyber defense. I will elaborate on that in a future post since it deserves one on its own.
  • A long?debate about who is responsible for what and what measures can be taken meanwhile – cutting down the internet across the globe won?t help anyone since there are today many ways to launch attacks from different geographic places, so location doesn?t matter anymore. It won?t be easy to create a solution that will be effective on the one hand and not limit the freedom to communicate on the other hand.

Meanwhile, you can gaze a bit at the emerging battleground

6a010536b66d71970c01b7c7271f5c970b-800wi

Taken from a live attacks monitor on IPVKing

Why CEO should blog – my personal experience

relates to USAToday article on Blogging and CEO on a post Blogs and Feeds: CEO Blogs — Where Angels(?) Fear to Tread. I am a of a new venture company and a for the last four months and I wanted to write down what do I get from it:

1) Feedback on my thoughts – As a CEO and a person in general I have different opinions on various subjects related whether to my industry, other industries, innovation, regulation, and other market conditions. Through blogging these opinions get the most candid responses that truly reflect what other people think. I rather listen to these thoughts than not.

2) As a blogger people are more open towards me and are less intimidated by the CEO curtain – a plus for me.

3) People know that I am accessible and that they have the option to communicate with me at any time they like if they see it fit. These give customers/partners/prospects more confidence in the company and its products and services. Good for business.

4) As for the fear of making mistakes – I write the content for myself so I control what to write and what not to write and mistakenly exposing secrets is not higher risk than the one that exists in other public engagements. Actually, it is lower. I do agree that this is a platform that lets you talk more than I used to do before it and that naturally creates a risk for doing mistakes.

5) Audience that hears me – after building your audience you have an unparalleled public relations tool that is accessible in real-time for any announcement.

6) Time – the only disadvantage I find in blogging is the time it takes to do it right. I hope that within time blogging tools will become more convenient and easier to use to save some time.

Although I am talking from the hat of a new venture CEO and not as a CEO of an established company I do think that these points are valid to any kind of CEO and other top management.

Is Microsoft the Big Bad Wolf?

I am writing many times on strategies and competition related to Microsoft and I wanted to clear the reason why I relate to this company a lot and why I am not on their side with my advice especially when it comes to competition with new ventures:

1) To put it up front I think that Microsoft is an excellent company with many strong core capabilities and deep strategic thinking that makes them a very worthy competitor.

2) Many times their core competencies are too tough for new ventures to handle and the immediate response of "lose the fight" before engaging it becomes more prevalent. This is a state of mind that is a killer for innovation and innovation is something dear to me in person. Microsoft of course is not the one to blame for doing a great job for themselves actually we should thank them for raising the bar.

3) Microsoft according to my experience and not based on "hard" statistics is the number one news generator in the IT industry. They do a lot and they talk about what they do a lot; this makes it just naturally to relate to them a lot.

That's all.