Archive for August, 2012

What is OFAC? Why is it important for Information Security? OFAC Countries.

Thursday, August 23rd, 2012

OFAC stands for Office of Foreign Assets Control.

Office of Foreign Assets Control (OFAC), a department of the U.S. Treasury, administers and enforces economic and trade sanctions primarily against:

1. Governments of countries targeted by OFAC regulations
2. Terrorism
3. International narcotics traffickers
4. Proliferation of WMDs

The countries listed below are subject to trade sanctions:

Balkans
Belarus
Burma
Ivory Coast
Cuba
Liberia
Democratic Republic of the Congo
Iran
Iraq
North Korea
Sudan
Syria
Zimbabwe

In my opinion, we should not be selling

1. Any information security assets or information to them

2. Information security tools and techniques, including forensics, SIEM, malware detection, DLPs, antivirus, etc.

3. Information security services, including cyber security strategy, security incident management and response, cyber security defense and cyber security attack

What does APT and Sandboxing technology mean?

Wednesday, August 15th, 2012

APT stands for Advanced Persistent Threat. This is usually a cyber attack waged by one country on another. A very recent example is the ‘Stuxnet’ malware, launched by the NSA (US) together with Israel against Iran’s uranium enrichment plant. Click here for more information about how the secret Stuxnet malware worked as an act of cyber war.

Why am I talking about Sandboxing technology? Click here.

As the name says, sandboxing means segregating a set of items (in this case, network traffic) and holding them separately for later review, without affecting the rest of the traffic.

One company, GFI, quoted online, sells sandboxing technology. Per GFI, one way of implementing sandboxing is to run it on a virtual machine along with operating systems and business applications, watching files for unusual activity. When a suspicious file is spotted, the technology alerts security pros while logging unusual behavior, such as application changes and unusual network traffic. It is then up to IT staff to decide what to do. (I have not interacted with GFI in the past, but it looks like sandboxing is done by a few companies named below.)

There is a new wave of security companies that promise you tools and techniques (such as sandboxing technology) that thwart the advanced threat. To name a few: Radware, Damballa, etc. I will call these tools Anti-APT. An Anti-APT is a device that reads packets in depth and looks for a set of behaviors, such as malware connecting back home. If such a behaviour is seen, the Anti-APT will not block the traffic but will segregate and sandbox it so that IT can review it, explore the damage and quarantine it or use it for forensic data. There could be a few more behaviours that I am not aware of, but in essence they segregate suspicious traffic, sandbox it and keep the data stored for forensics and for evaluating the possibility of an attack.

Can a SIEM such as RSA Envision or ArcSight be effectively used to thwart the advanced persistent threat? Maybe not! Let me know if I am wrong - I would like to know.

What is it that a SIEM such as ArcSight cannot do?

Monday, August 13th, 2012

SIEMs (Security Information and Event Management) such as ArcSight (now part of HP's offerings), RSA Envision and Q1Labs (now part of IBM's offerings) all have the common goal of identifying attacks, determining the actions to be taken for most types of events (remember the early days of the ‘Conficker’ worm attack?) and thwarting attacks - in short, ‘incident management’. They give you infinite possibilities for creating policies/rules that thwart attacks or track attackers, to the extent of pursuing them and, in a few instances, bringing them to court.

But there is one thing that any SIEM cannot do, because of the beauty of the beast: identify and thwart attacks from a jump-off source or a spoofed source (at multiple levels).

Attacks from a jump-off source: Attackers are very creative in spreading a worm, or what have you, with the sources of the attack seemingly coming from several servers in diverse locations - say, servers in Israel, Iran, etc. In reality, the servers in Israel, Iran, etc. merely bounce the incoming packets on to the attacked destination, making it seem as though the attack came from a server in those locations. This is similar to what we see in movies, where the police tracking a villain’s call see it coming from one location one minute and from another, distant location the next. Ideally, a SIEM would have to be intelligent enough to fingerprint packets and find a common signature among the attacking packets.

Also, one common behavior of any malware is to ‘contact home’ - meaning that once it has infected a computer, the malware sends status or contacts the source server for next steps. Would that mean the ‘jump-off servers’ send these packets back to the original source? I am not sure about that, but theoretically this bounce back to the source attacking server should happen. Let me know what you think!

Attacks from a spoofed source: As the name says, the source address is a spoofed address, not the true source IP address.

For both of the above, unless there is data such as the CAM tables of the network switches at the source network (why would someone share this info??) and/or a signature that indicates the geo-location of the attacker, it would be next to impossible to figure out the source.
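The two behaviours described in this post and in the APT post above, one attack relayed through several jump-off hosts and an infected machine contacting home, can be expressed as SIEM-style correlation rules. The following is an added example, not code from the original posts or from any SIEM or Anti-APT product; the connection records, their field layout, the documentation-range addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Two SIEM-style correlation rules over constructed connection records.

Added example, not code from the original post or from any SIEM vendor.
Record fields, sample values and thresholds are all assumptions.
"""
import hashlib
import statistics
from collections import defaultdict

# Constructed connection log: (epoch seconds, src_ip, dst_ip, dst_port, payload bytes).
# 203.0.113.x / 198.51.100.x are documentation ranges standing in for
# "servers in diverse locations"; 10.0.0.7 is an internal host.
PAYLOAD_A = b"GET /cgi-bin/x.sh HTTP/1.1\r\nHost: victim\r\n\r\n"
PAYLOAD_B = b"GET /index.html HTTP/1.1\r\nHost: victim\r\n\r\n"
RECORDS = [
    (1000, "203.0.113.5", "10.0.0.20", 80, PAYLOAD_A),
    (1004, "198.51.100.9", "10.0.0.20", 80, PAYLOAD_A),
    (1009, "203.0.113.77", "10.0.0.20", 80, PAYLOAD_A),
    (1011, "198.51.100.2", "10.0.0.20", 80, PAYLOAD_B),
    # Internal host calling out every ~300 s: the "contact home" beacon.
    (2000, "10.0.0.7", "192.0.2.10", 443, b""),
    (2301, "10.0.0.7", "192.0.2.10", 443, b""),
    (2599, "10.0.0.7", "192.0.2.10", 443, b""),
    (2902, "10.0.0.7", "192.0.2.10", 443, b""),
    # Normal browsing: irregular gaps to a different host.
    (2010, "10.0.0.7", "192.0.2.50", 443, b""),
    (2040, "10.0.0.7", "192.0.2.50", 443, b""),
    (2900, "10.0.0.7", "192.0.2.50", 443, b""),
]


def fingerprint(payload: bytes) -> str:
    """Content fingerprint: truncated SHA-256 of the payload. A stand-in for a
    real normalised signature; identical bytes from different sources match."""
    return hashlib.sha256(payload).hexdigest()[:16]


def cluster_by_fingerprint(records, min_sources=3):
    """Return {fingerprint: sorted source IPs} for payloads seen from at least
    `min_sources` distinct sources. Diverse sources carrying one identical
    payload is the pattern of a single attack relayed through jump-off hosts."""
    sources = defaultdict(set)
    for _ts, src, _dst, _port, payload in records:
        if payload:
            sources[fingerprint(payload)].add(src)
    return {fp: sorted(s) for fp, s in sources.items() if len(s) >= min_sources}


def detect_beacons(records, min_events=4, max_jitter=0.05):
    """Return [(src, dst, port, median_gap_s)] for flows whose inter-connection
    gaps are nearly constant (every gap within max_jitter of the median, as a
    fraction). Regular timing is what a "contact home" implant shows regardless
    of what the packets contain, so it works even on encrypted traffic."""
    flows = defaultdict(list)
    for ts, src, dst, port, _payload in records:
        flows[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median > 0 and max(abs(g - median) for g in gaps) / median <= max_jitter:
            hits.append((*key, median))
    return hits


if __name__ == "__main__":
    for fp, srcs in cluster_by_fingerprint(RECORDS).items():
        print(f"shared payload {fp} from {len(srcs)} sources: {srcs}")
    for src, dst, port, gap in detect_beacons(RECORDS):
        print(f"beacon candidate {src} -> {dst}:{port} every ~{gap:.0f}s")
```

The first rule answers the post's wish for a SIEM that can "find a common signature" across packets from scattered sources: it ignores where traffic comes from and groups it by what it carries. The second rule keys on timing rather than content, which is the property an Anti-APT device can observe even when the callback itself is encrypted. On real telemetry, the thresholds need tuning against the environment's normal traffic, and both rules are an input to review and quarantine, not a verdict.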

In practice, once a SIEM identifies a malware infection (Microsoft took over 4 years to identify the ‘Flame’ malware), attacked servers are either:

  1. Contained inside a VLAN (using ArcSight TRM or ), or
  2. Quarantined (‘Refresh’ - the hard drive is scrubbed and a new installation is made that is hardened according to corporate policy), or
  3. Subjected to the most recent approach to containing a malware attack: ‘sandboxing’ the traffic.

Sandbox technology runs on a virtual machine along with operating systems and business applications, watching files for unusual activity. When a suspicious file is spotted, the technology alerts security pros while logging unusual behavior, such as application changes and unusual network traffic. It is then up to IT staff to decide what to do.

While sandboxing doesn’t actually quarantine the file, the technology does spot threats before they can do significant damage.
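As an added illustration of the file-watching described in the two paragraphs above (not GFI's or any vendor's code), the following snapshots a working directory, runs a constructed, harmless sample inside it and reports what the sample created, modified or deleted. The sample, the seed files and the 10-second timeout are assumptions; a real sandbox runs the suspect in a disposable virtual machine rather than a temporary directory on the analyst's machine.

```python
"""Sandbox-style file-activity watcher: snapshot a directory, run a sample in
it, and report what the sample created, modified or deleted.

Added example, not GFI's or any vendor's code. The "sample" is a constructed,
harmless script; a real sandbox runs the suspect in a throwaway VM, not in a
temp directory on the analyst's machine.
"""
import hashlib
import os
import subprocess
import sys
import tempfile


def snapshot(root):
    """Map relative path -> SHA-256 of content for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                state[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state


def diff_snapshots(before, after):
    """Classify changes between two snapshots by path."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def run_in_sandbox(sample_source, seed_files):
    """Create an isolated working directory holding seed_files, run the sample
    (Python source text, executed with the current interpreter and a 10 s
    timeout), and return the file-activity report plus the sample's exit code.
    The directory is destroyed afterwards, so nothing the sample wrote survives."""
    with tempfile.TemporaryDirectory() as work:
        for rel, content in seed_files.items():
            with open(os.path.join(work, rel), "w") as fh:
                fh.write(content)
        before = snapshot(work)
        proc = subprocess.run([sys.executable, "-c", sample_source], cwd=work,
                              capture_output=True, timeout=10)
        after = snapshot(work)
        report = diff_snapshots(before, after)
        report["exit_code"] = proc.returncode
        return report


# Constructed sample: mimics the file side of a dropper by writing a new file,
# rewriting an existing config and removing a log. Confined to the work dir.
SAMPLE = (
    "open('payload.bin','wb').write(b'\\x00'*16)\n"
    "open('app.conf','w').write('debug=1\\n')\n"
    "import os; os.remove('audit.log')\n"
)
SEED = {"app.conf": "debug=0\n", "audit.log": "ok\n", "readme.txt": "hi\n"}

if __name__ == "__main__":
    print(run_in_sandbox(SAMPLE, SEED))
```

The report is exactly the kind of "application changes" log the post says a sandbox hands to IT staff for a decision: the watcher observes and records, it does not block. Network activity, the other half of the behaviour a product like GFI's logs, would need a capture on the VM's virtual interface, which this directory-level example does not attempt.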

I am not aware of any SIEM sandbox technology capability as of today, but we can expect this in the near future.

Please let me know your thoughts on this.