Top Technical Mitigation Strategies (from the Australian DSD)

June 2, 2015

There are few solid pieces of empirical evidence on what works in security. The Australian Defence Signals Directorate (DSD) Strategies to Mitigate Targeted Cyber Intrusions is one of those. We at Stratigos Security think a lot of what they do. So does just about everybody else who has come into contact with the documentation.

This post examines some of the assumptions, implications, and a conceptual framework to better understand the document. Let’s start with some of the stated background and assumptions.

  • Investigation based – That the mitigations are a result of analysis of investigations carried out by the DSD, primarily in the government sector.
  • Adversary focused – That the mitigations are meant to counter adversarial attack.
  • Targeted attacks – That the adversaries are motivated to target the victim organization, specifically.
  • High value information – That the adversaries’ objective is to steal intellectual property, national defense secrets, or other highly sensitive documents.
  • Exhaustive application of mitigations – That mitigations will be applied to 100% of systems, not just a subset.

There are 35 total mitigations listed, almost all of which are specific technical controls. At Stratigos Security we tend to like to bundle technical controls into a higher level framework. This is more digestible for our clients, and allows for a better understanding of why these mitigations work. That’s the key to long-term success in design, implementation, operation, and maintenance of a security program.

Stratigos has aligned most of these mitigations into a few core objectives. In doing so, we seek to harmonize them so each builds on the others. The set works together much better than the sum of the individual mitigations. Our objectives are listed below, along with example mitigations from the DSD document.

  1. Execute only trusted code – Authorized software packages, components, and functions are defined and enforced.
    • Whitelisting
    • User application configuration hardening
    • Restrict administrative privilege
    • Workstation and server configuration management
  2. Ensure code is trustworthy – Software is free from known defects.
    • Patch applications
    • Patch Operating System vulnerabilities
  3. Ensure trusted input – Information and commands are legitimate, meaningful, and non-malicious.
    • Host and network firewall
    • Email and web content filtering
    • Education and awareness
  4. Manage access – Access proceeds only through known mechanisms, which validate authorization and identity.
    • Multi-factor authentication
    • Enforce a strong passphrase policy
  5. Contain failure – Security failures in one system or network segment do not affect other systems or segments.
    • Network segregation and segmentation
    • Anti-Virus
    • Host and network IPS
    • Operating System generic exploit mitigation
  6. Eliminate anomalies – Causes of unknown and unexpected events are identified and eliminated, as appropriate.
    • Logging of successful and failed system events
    • Logging of successful and failed network events
    • Capture network traffic

Astute readers will notice that there is a large gap between the objectives and the underlying mitigations. The mitigations are tools, or supporting technologies, that help achieve the objectives, but they do not ensure the objectives will be achieved. This underscores one of the major mistakes most organizations make when they go to implement such a set of mitigations. It’s worth going back to the background and assumptions and identifying some of their consequences. Of course, this is far from an exhaustive list.

  • Limited applicability – These mitigations come from investigations of Australian government organizations. Other organizations may have different experiences.
  • Accidents are excluded – Security risks which result not from adversarial attack, but from accidents are not included. (One of the most common is data breach caused by theft or loss of a mobile device, laptop, or backup tape.)
  • Mobile devices are specifically excluded – The mitigations apply to workstations and servers, but not to mobile devices.
  • Governance, process, personnel are poorly covered – The mitigations do not include non-technical approaches, which can significantly affect security, risk, and cost.
  • Alternate risk mitigation – Risk mitigations available to corporate entities – such as insurance – are not available.
  • Cost considerations – Corporations typically require some measure of value justification, associating costs and risks to profitability, rather than to national security or human life.
  • Impacts – Impacts should be analyzed in the context of the specific solution in the proposed environment.
  • Implementation quality – Poor implementation of the mitigations would result in reduced effectiveness.
  • Implementation completeness – Implementing mitigations to fewer than 100% of systems would change effectiveness and cost estimates.

Knowledge of the underlying assumptions, their consequences, and unstated assumptions is key to implementing them appropriately. You can only fill in the missing pieces when you recognize they exist, and where. Some of these missing pieces can help you greatly reduce cost, not just add more to the shopping list.

But we’re diverging from the point here. These six objectives are not the only ones that can be derived from the Australian DSD’s guidance. They have worked for our clients and they allow a fairly complete mapping to the 35 mitigations. This superset also naturally aligns to strategic initiatives to develop processes to take full advantage of these tools. Maybe we’ll add more on that in a future post.

How to Write a Great Resume

February 16, 2015

Lately we’ve been working with people to help them improve how they present themselves. Some of the people we know well as great security consultants present themselves very poorly. This is to be understood, as most of these folks have reputations that speak much louder than resumes. But it always helps to have a version of you on paper that will wow anyone who doesn’t already know you by reputation.

I always like to see a submission knock me over with why the candidate is not just qualified, but why I’d be an idiot for not hiring them. Make me want to shelve all the other resumes and call this person as fast as my fingers can dial. To do that, a resume must focus not on what the candidate did, but why I should care, then support those claims through the story of their history.

A “perfect” resume is one where as I read over it I get more and more excited. Every new line adds to the perceived quality and relevance of the candidate. No lines leave me wondering why I care or asking if it’s a liability. There is a clear progression and/or I can see how all of the experience contributes something to the value presented.

This can only mean a document specific to whatever you’re looking for. That is, what you want to do rather than what you have done. Highlight leadership, strategy, and management experience and skill building. It doesn’t matter as much what you did (tasks, technologies, responsibilities), as how you did it, and why you were successful. But these need not be created each time for each job you apply for – that’s what the cover letter is for.

The cover letter can make or break a candidate; write a custom one each time. Often this is all a hiring manager ever reads, and it can be the quickest way to the top of the stack or the bottom of the bin. Treat this as a roadmap to your resume. Bring out specific highlights from your career that are precisely what the role calls for, in the way it’s been written. Shorten the distance between job requirements and your qualifications to near-zero. Reuse and customize your best bits from other cover letters, but make sure it is specific to the job you’re applying to.

On your resume you might lead with 3-5 bullets that highlight your best outcomes and experience. 

  • Advanced degrees, security industry presentations, OWASP or other community participation and involvement show you are hoping to be a leader, not just in it for the money.
  • Categorize your experience through the lens of whatever you’re aspiring to so I can instantly see that you can do and have done what you will be asked to do.
  • An outcome you helped generate that ties into the story of your work history, particularly if you can relate a statistic or specific accomplishment.
  • Tell me how I will know you can do the non-technical parts of your job, like communicating to management, working in a team, hitting deadlines, etc.
  • Relate an extracurricular activity to how you can excel at your role, how it relates to security, or makes you a better employee.

Then tell a story with your professional and academic history. Expose a clear narrative, with each plot point building on the next over the course of your career, with the logical conclusion resulting in you having all the prerequisites. Make sure that the story doesn’t get confused and that it all ties into the overall plot line. Career or job changes are twists – if done correctly they strengthen the story. Be your own editor and ruthlessly cut out ancient history and tangential detail, rewrite to make the lines clear to the reader, bridge gaps or multiple short chapters so they don’t distract, and make the major points explicit rather than implied.

Having a great cover letter and resume will reduce your work, not increase it. You’ll cut the time spent looking from weeks to days. You’ll spend less time trolling craigslist, Monster, LinkedIn, and other sources. And you can land a much more competitive role (think about it, would you want to work for someone who accepts candidates who look weak?).

Schadenfreude and Shame in Security

December 23, 2014

Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.

Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.

In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.

Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to systemic issues. We should be raising questions and bringing to light topics such as:

  • Opportunism and fear mongering by politicians and our own industry.
  • Vandalism portrayed as terrorism.
  • The inadequacy of traditional investigative methods in cybercrime.
  • Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.
  • Pre-determined attribution in hacking and geopolitics.
  • A geopolitical reaction to issues stemming from poor corporate oversight.
  • The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).
  • The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.

There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.

UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that’s exactly the point. Why do we build technology if not to solve societal and human scale issues? If we are creating technology to its own end, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor naive enough to think won’t happen.

Can you be too secure?

July 31, 2014

When I hear someone say “you can never be too secure,” I assume they don’t understand the implications of that statement. Perfect security can be seen as the absence of risk. This sounds like a tradeoff most people will want. But that’s not always the case. In fact, in most businesses that’s the opposite of what you really want.

Risk is at the heart of the capitalist system. Without risk there is no room for profit except through exploitation and collusion. So businesses must take risks. If there were no risk, competitors could easily enter the market and disrupt the industry.

So risk is necessary; risk is good. There is value in risk just as there is in security. Understanding and undertaking smart risks allows you to balance concerns with ambitions. Balance gives health; imbalance can lead to total collapse.

OWASP Mobile Security Project: Top 10 Risks Presentation

July 14, 2013

Over the weekend, Beau Woods presented to OWASP Korea on the OWASP Mobile Security Project. The presentation focused on the OWASP Top 10 Mobile Risks, elaborating on the published list as well as outlining application boundaries and considerations based on differences between mobile and traditional devices, platforms and applications.

We have published the OWASP Top 10 Mobile Risks slides under a Creative Commons Attribution license, see details below.

OWASP Mobile Top 10 Risks Presentation by Beau Woods, Stratigos Security is licensed under a Creative Commons Attribution 3.0 Unported License.

Enhance Innovation and Improve Security like Zappos

March 28, 2013

Zappos is known for having a culture that spawns innovation. They do this in unconventional ways for an online retailer, such as asking their employees to come into the office rather than working from home all the time. But their methods seem to get pretty good results, as they’re one of the newest and most highly regarded companies. A recent article in Fortune Magazine reveals other Zappos productivity and innovation secrets.

But one of their innovation secrets is a great boost to security too! Zappos requires all employees to go through the front door. “Even though it’s more inconvenient, we believe this helps our culture because it creates more opportunities for employees to have serendipitous interactions by colliding with each other in the main lobby.” That lets you cut costs and improve physical security by letting everyone monitor for tailgaters and those who don’t belong. It’s a great way to sell security as business friendly when you need a quick win in your security program!

South Korean Media and Banks under Cyberattack

March 20, 2013

Update March 22, 2013 18:00 (UTC+9): New information from the Korean Communications Commission (KCC) said that the earlier report connecting attacks to a Chinese IP address was wrong. Instead, the IP address was used by an employee of Nonghyup bank. Reports claim that Shinhan and Jeju banks are fully operational, Nonghyup is partially recovered and the broadcasters are only about 10% recovered. Also, it appears that 20% of Nonghyup ATMs are still offline after the attack. There’s an interesting first-hand account of the events from an MBC employee.

On March 20, 2013, several banking and media sites in South Korea came under attack. The attacks knocked critical systems offline at banks and media outlets. Initial suspicion pointed the finger at the North Korean government, but it now appears that a hacking group may be behind the attacks. Reports are still coming in and some details may change as better understanding is gained. We will update the situation as it evolves.

At approximately 2:20PM in Seoul, computers at three media outlets – KBS, MBC, YTN – and two banks – Shinhan and Nonghyup – froze or rebooted. The banks’ ATM networks were affected, and companies using them for processing credit cards reverted to cash-only transactions. At the media outlets the computer problems did not prevent television broadcasts, but many employees were unable to use their computers. An estimated 32,000 computers were infected with destructive malicious software.

Many of these computers – maybe all of them – will not come back online without lots of work. The malicious software is reported to make all the data inaccessible, either by deleting it directly or by destroying the Master Boot Record (MBR) – the table of contents, so to speak. South Korean officials and people within the affected companies are largely calling these events a “network paralysis” rather than a cyberattack or a Distributed Denial of Service (DDOS).
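A triage check for the damage described above, where a wiper destroys the Master Boot Record: this added example (not from the original post or from any vendor analysis) inspects the first 512-byte sector of a disk image for the 0x55AA boot signature, a sane partition table, and repeated-pattern overwrites. The sample sectors and the `PATTERN.` filler are constructed for illustration and are not taken from the malware.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446   # four 16-byte partition entries follow the boot code
BOOT_SIG_OFFSET = 510     # bytes 0x55 0xAA mark a valid MBR


def repeating_unit(data, max_unit=16):
    """Return the shortest unit (<= max_unit bytes) that tiles `data`, else None."""
    for n in range(1, max_unit + 1):
        unit = data[:n]
        reps = len(data) // n + 1
        if (unit * reps)[:len(data)] == data:
            return unit
    return None


def parse_partitions(sector):
    """Decode the four primary partition entries of a classic MBR."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        status, ptype = entry[0], entry[4]
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": num_sectors})
    return parts


def triage_mbr(sector):
    """Classify sector 0 as 'intact', 'suspect' or 'destroyed', with reasons."""
    if len(sector) < SECTOR_SIZE:
        return "destroyed", ["sector 0 is shorter than 512 bytes"]
    sector = sector[:SECTOR_SIZE]
    reasons = []
    unit = repeating_unit(sector)
    if unit is not None:
        reasons.append("sector is one repeated pattern: %r" % unit)
    if sector[BOOT_SIG_OFFSET:] != b"\x55\xaa":
        reasons.append("boot signature 0x55AA missing")
    if reasons:
        return "destroyed", reasons
    used = [p for p in parse_partitions(sector) if p["type"] != 0]
    if not used:
        reasons.append("signature present but partition table is empty")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            reasons.append("entry %d: invalid status byte 0x%02x"
                           % (p["index"], p["status"]))
        if p["lba_start"] == 0 or p["sectors"] == 0:
            reasons.append("entry %d: zero start LBA or length" % p["index"])
    return ("suspect" if reasons else "intact"), reasons


def build_sample_mbr():
    """Constructed sample: stub bytes plus one active partition (type 0x07)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"   # placeholder bytes, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[BOOT_SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    samples = {
        "healthy (constructed)": healthy,
        "zeroed (constructed)": bytes(SECTOR_SIZE),
        "pattern overwrite (constructed)": b"PATTERN." * 64,
        "table emptied (constructed)": healthy[:446] + bytes(64) + healthy[510:],
    }
    for name, sector in samples.items():
        verdict, reasons = triage_mbr(sector)
        print("%-32s %-10s %s" % (name, verdict, "; ".join(reasons)))
```

To run it against a real image, pass the first 512 bytes read from the image file to `triage_mbr`; always work from a forensic copy, not the live disk.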

There has been a suggestion that the attack may be related to suspicious files discovered last week that appear to target KBS and MBC.  SBS, another Korean broadcaster, may have also been targeted but is not reported to have suffered damage yet. Some of the malware may have the ability to damage Unix systems as well as Windows.

The South Korean government has raised cyber alert status in the country. The South Korean Army has changed their INFOCON (Information Operations Condition) from 4 to 3, indicating higher threat of attack. The normal status is 5. The Korean Computer Emergency Response Team (KrCERT) changed their status from 2 to 3, reflecting a “substantial” risk of attack.

A subsidiary of the technology maker, LG, called U Plus provides Internet service to all of the affected organizations. It is not known whether this link is related to the attack or whether it is coincidental. Initial reports said that U Plus claimed its systems were hacked – some stories quoting an unnamed spokesperson for the company and some attributing the information to social media posts claiming to be from an employee. CNBC quotes a U Plus spokesperson named Lee Jung-hwan as saying that no attacks were detected on their network. It may be that an attack on U Plus happened but was unrelated to the attacks against the media and banking companies.

There were likely several ways that the malicious software spread. Security systems detected and blocked the malware as it came through email. Analysis of the malicious code itself reveals a mechanism for spreading the malware within the affected companies through a Software Management Server used to distribute updates to computers. It is likely that multiple methods of propagation were used.

Initially most reports suggested that North Korea may be behind the attack. Yesterday Pyongyang derided the joint military actions of the US and South Korea and recent rhetoric from the North has been very aggressive. Last week North Korea suffered Internet outages, the cause of which is still not publicly known. But they claimed to be victims of a US and South Korean cyberattack. The South Korean government earlier claimed that the malicious code had been traced back to a location in China. However, they have retracted the claim, saying that the data they had was misleading and the system was related to Nonghyup bank.

However, evidence is starting to emerge pointing to a hacking group called Whois Team. A website was posted by the group claiming to have stolen all the information and deleted it from the computers. At the moment no official reports from the US or Korean governments have identified the group they think is responsible for the attack. However Seoul has said no Korean government computers have been affected.

These aren’t the first cyberattacks on South Korean institutions. In 2009 DDOS attacks hit several companies, including the banks affected today. And in 2011 DDOS attacks again hit Seoul. However, these are different in that they are not tying up the Internet resources, but are knocking out computer systems in a way that will keep them offline for a while. Analysis of the malicious software revealed the word HASTATI – the first line of attack in the Roman army. A new variant appears to have been found with the word PRINCIPES embedded, which is the second of three waves in a Roman army.


The information above is all from press reports. But there is doubtless much more to the events than has been reported. Most of this is likely because of the confusion that surrounds the early stages of these kinds of events. We are going to try to do some analysis, but because of language and knowledge barriers in media reporting we may come up with some conclusions that aren’t quite right. We apologize in advance and will try to be conservative with our analysis. Here are our hypotheses.

This was not an APT. Several reports have suggested that this attack was perpetrated by an Advanced Persistent Threat (APT). We suspect that this attack is one that was targeted at the victims specifically, but that the techniques were not all that advanced. Truly advanced attackers typically do not destroy the assets they have taken control of within a week of breaking in. Instead, they try to remain undetected for months or years and take information or affect normal operations for some more strategic advantage.

This was probably not North Korea. Several reports have suggested that this attack was carried out by North Korea. We suspect that this is not the case. The value to North Korea is not in shutting the systems down, but in gaining intelligence from them. And if the attack were their doing, then the “skull” website would either be unrelated or a false flag. That doesn’t seem likely. Instead, we believe that this attack was carried out by a group of amateur hackers. The allusions to Roman army structure, however, may be a sign that this activity is a military action but it seems implausible that North Koreans would use a Roman term, given their level of nationalism. But it is entirely plausible that North Korea enticed the Whois Team to carry out the attack.

There may be a Middle-Eastern and North African connection. The type of malicious software used, called “wipers”, has been seen in other attacks. Two of these attacks highlighted by Kaspersky have a Middle-Eastern connection. The skulls image that the Whois Team used has also been used in other attacks against Middle Eastern targets by French-speaking Muslim groups Xrapt0r and Mauritania Hacking Team (links withheld). It’s too early to say if there is a link, but circumstantially it appears that there is. If there is a connection, it may be that the attackers were hired by others in order to cover their tracks. It is also possible that the link is a false flag, designed to throw investigators off.

The LG U Plus link is significant. We don’t believe it is a coincidence that the same service provider counted all of the victims as customers. There are hundreds of ways that an attacker could use this relationship to infect customers with malware. It may not be related to Internet services, but others such as desktop maintenance or server administration. It’s too early to say. But that link could be a red herring. It’s not clear to us whether LG U Plus provides services for other major Korean banks and media outlets or not. It may, in fact, be that LG U Plus is simply the largest Internet and Computer Services company in Korea and that everybody uses them.

This event will end up costing hundreds of millions of dollars. The way in which these computers were affected means there will likely have to be a lot of work that goes into fixing them. That means lost productivity – the largest cost – as well as time from the IT department and other cleanup costs. And there will doubtless be outside investigations to pay for, government oversight questions to answer and purchases made to prevent this kind of thing from happening again. The companies will undoubtedly lose revenue because of these attacks. And any data that isn’t backed up will be lost or will have to be recreated.

There may be more waves of attack. The second (PRINCIPES) variant found strengthens the case that the attacks will proceed in waves. As of yet it is not known if the second variant was a part of the first wave or whether it will cause an impact later. To complete the Roman military structure a third variant should be expected, using the word TRIARII.

Incident Response to Data Breaches and Schrodinger’s Cat

March 19, 2013


Are sloppy security controls actually beneficial to a company during a breach?  This is an elephant in the room for Incident Response after a potential breach. If there is no way to definitively show that data was or was not breached, does the company have to report the issue? If you’re an Incident Responder you’ve likely seen the scenario play out a number of times.

A retail merchant, Genesco, is suing Visa over fines from a security breach. The claim is that Visa improperly imposes penalties that are legally unenforceable and in violation of contracts. Genesco had a security breach, but claims that there’s no positive evidence that any credit card data was breached. Here’s Genesco’s logic, from what I can tell:

  • Whenever our server rebooted, previously logged card numbers were removed.
  • Our server reboots. A lot. So often that no credit card numbers were ever in the log files.
  • We don’t have Network Security Monitoring that could say whether the credit card numbers were exfiltrated.
  • We can prove that some of the card numbers Visa said were breached couldn’t have been. No details provided.

This is the Schrodinger’s Cat of information security. In the lack of good evidence either way, a breach both has and has not occurred. In the vacuum of that ambiguous information, whether or not the data has been breached is as much a question of philosophy as physics…or Incident Response. So poor security monitoring actually helps companies by giving them options on whether to declare a breach or not. This is an interesting cocktail party discussion topic for your next Infosec meeting and can make for some great conversations.

But the lawsuit probably won’t be decided on the technical security details of the case. The lawsuit seems to be more about how and when Visa can assess fines and penalties. There may be some technical talk during the proceedings, but it’s doubtful that a court would open its judgement up to questioning by letting the decision rest on what is sure to be conflicting testimony by each side’s experts.

Still, this will be interesting to watch as it has a lot to do with implementation of Payment Card Industry security standards. Genesco seems to be saying that they were compliant with the PCI-DSS at the time of the breach. That’s a frequent claim after breaches, but that status is often revoked after the fact by the card brands. And that’s bound to bring out heated discussions around the Infosec community and potentially in the courtroom.

Security Advisory: Bambuser Mobile Application

October 3, 2012

  • Advisory Title: Bambuser Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-002
  • External ID: CVE Pending
  • Date discovered: August 10, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Vendor fix is in place
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Bambuser (
  • Affected product: Bambuser mobile application
  • Platform: iOS (confirmed); likely other versions (unconfirmed)
  • Vulnerable Version: 1.9.3 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Bambuser mobile application and reported the issue to Bambuser on August 10, 2012. Bambuser quickly responded, provided an estimated timeline for the fix and notified Stratigos Security when the updated version was published. Stratigos Security has confirmed that this vulnerability has been fixed in the updated version.

The formal advisory is published here: Security Advisory STRAT-2012-002 Bambuser Mobile Application Information Disclosure Vulnerability

Security Advisory: Ustream Mobile Application

October 3, 2012

  • Advisory Title: Ustream Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-001
  • External ID: CVE Pending
  • Date discovered: August 6, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Reported to Vendor, not yet fixed
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Ustream (USTREAM.TV)
  • Affected product: Ustream mobile application
  • Platform: iOS (confirmed); likely other versions (unconfirmed)
  • Version: 2.3.1 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Ustream iOS application and reported the issue to Ustream on August 10, 2012. As of October 3, 2012 Ustream had not yet fixed the issue, nor did they have a projected date for issuing a fix. Therefore, Stratigos Security has gone ahead and released details of this as yet unpatched vulnerability to the public. We do not like to do this, nor do we take the decision lightly. However, given the fact that some individuals using the application are doing so under conditions whereby the information disclosed could lead to their identification by repressive governments and bodily harm to them or their friends and family, we are releasing this information publicly. It is highly likely that those who would exploit the vulnerability already know about it, whereas the potential victims are likely unaware.

The formal advisory is published here: Security Advisory STRAT-2012-001 Ustream Mobile Application Information Disclosure Vulnerability