Saturday, June 27, 2015

Hearing Witness Doesn't Understand CDM

This post is a follow-up to this post on CDM. Since that post I have been watching hearings on the OPM breach.

On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov.

A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness.

During his opening statement, and in his written testimony, he made the following comments:

"The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks.

EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing sensors at Web access points and employs signatures to identify cyberattacks.

CDM, on the other hand, is designed to provide an embedded system of sensors on internal government networks. These sensors provide real-time capacity to sense anomalous behavior and provide reports to administrators through a scalable dashboard. It is composed of commercial-off-the-shelf equipment coupled with a customized dashboard that can be scaled for administrators at each level." (emphasis added)

All of the text in bold is false. CDM is not "identifying [threats] when they are inside government networks." CDM is not "an embedded system of sensors on internal government networks" looking for threat actors.

Why does Dr. Gerstein so misunderstand the CDM program? The answer is found in the next section of his testimony, reproduced below.

"CDM operates by providing

          federal departments and agencies with capabilities and tools that identify
          cybersecurity risks on an ongoing basis, prioritize these risks based upon
          potential impacts, and enable cybersecurity personnel to mitigate the
          most significant problems first. Congress established the CDM program
          to provide adequate, risk-based, and cost-effective cybersecurity and
          more efficiently allocate cybersecurity resources." (emphasis added)

The indented section is reproduced from the DHS CDM Website, as footnoted in Dr. Gerstein's statement.

The answer to my question of misunderstanding involves two levels of confusion.

The first level of confusion is a result of the CDM description itself, which confuses risks with vulnerabilities. Basically, the CDM description should say vulnerabilities instead of risks. CDM, now known as Continuous Diagnostics and Mitigation, is a "find and fix flaws (i.e., vulnerabilities) faster" program.

In other words, the CDM description should say:

"CDM gives federal departments and agencies capabilities and tools that identify cybersecurity vulnerabilities on an ongoing basis, prioritize those vulnerabilities based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first."

The second level of confusion is a result of Dr. Gerstein confusing risks with threats. It is clear that when Dr. Gerstein reads the CDM description and its mention of "risks," he thinks CDM is looking for threat actors. CDM does not look for threat actors; CDM looks for vulnerabilities. Vulnerabilities are flaws in software or configuration that make it possible for intruders to gain unauthorized access.

As I wrote in my CDM post, we absolutely need the capability to find and fix flaws faster. We need CDM. However, do not confuse CDM with the operational capability to detect and remove threat actors. CDM could be deployed across the entire Federal government, but it would be an accident if a security analyst noticed an intruder using a CDM tool.

Essentially, the government needs to implement My Federal Government Security Crash Program to detect and remove threat actors.

It is critical that staffers, lawmakers, and the public understand what is happening, and not be lulled into a false sense of security due to misunderstanding these concepts.

7 comments:

Unknown said...

Hi Rich,

I disagree that CDM should be used to find vulnerabilities in known software. Unauthorized laptops, outdated versions of Windows XP and zero-day malware don't have CVEs associated with them, yet they can all be reported on in near realtime with popular CDM vendor providers, such as Tenable's SecurityCenter.

Ron

Richard Bejtlich said...

Thanks for your comment Ron. Can you give an example of finding zero-day malware with Tenable?

Unknown said...

The zero day malware means lots of things to many people, but a quick list to show what I'm talking about would be:

- a running process that has an unknown hash (Nessus plugin 70768 or one of our agents)
- a malicious windows autorun or task found from sandbox testing (Nessus plugin 74442)
- a host with a radically different config (new browsed port, open port, service, etc.) [Nessus plugin 70943 tells you this from scan to scan for Windows for example]
- a host communicating to a known botnet, performing DNS lookups to known bots, etc., or IOC
- a change in the user-agent string (I don't like that, but some folks think that is useful)
- having a system configured to speak with a known botted DNS server (plugin 58429)
- a change in the active DNS server used (seeing you have 1000 systems using your internal DNS server and one making queries directly to the Internet)
- a host dramatically changing the ratio of clients and servers it communicates with
- a web site distributing known bad executables (plugin 52670)

We see lots of examples where a customer will say it's "zero day" malware, but it's been on their network for a while and detected by AV software not on their network.

We also see lots of examples where the insider is moving through the network with regular tools like psexec or valid credentials. Finding psexec where you don't expect it is really zero-day malware, but the sort of reason why you have a compliance standard and then look for deviations.
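Two of the checks Ron lists above, "a running process that has an unknown hash" and "a change in the active DNS server used", are baseline-deviation checks: define what the configuration standard allows, then report anything outside it. The script below is an added illustration of that approach, not code from the post, from Ron, or from Tenable/Nessus. Everything in it is constructed for the example: the allowlist of hashes, the process inventory, the DNS query log format and its lines, and the approved-resolver set stand in for whatever an organization's own standard and collection tools would supply.

```python
"""Baseline-deviation checks of the kind listed in the comment above.

Constructed sample data (not real logs): a process inventory with file hashes
and a few DNS-query log lines. The hash allowlist and the approved-resolver
set are placeholders for an organization's own configuration standard.
"""
import re
from collections import defaultdict

# Constructed allowlist of SHA-256 values for known-good binaries (placeholder digests).
KNOWN_GOOD_HASHES = {
    "a" * 64: "svchost.exe",
    "b" * 64: "explorer.exe",
}

# Constructed process inventory: (host, process name, sha256 of its image).
PROCESS_INVENTORY = [
    ("ws-001", "svchost.exe", "a" * 64),
    ("ws-001", "explorer.exe", "b" * 64),
    ("ws-002", "svchost.exe", "a" * 64),
    ("ws-002", "updater.exe", "c" * 64),   # image hash not in the allowlist
]

# Constructed DNS query log, one line per query: "<time> <host> -> <resolver ip> <name>".
DNS_LOG = """\
2015-06-24T10:00:01 ws-001 -> 10.0.0.53 intranet.example.gov
2015-06-24T10:00:02 ws-002 -> 10.0.0.53 mail.example.gov
2015-06-24T10:00:03 ws-003 -> 10.0.0.53 intranet.example.gov
2015-06-24T10:00:04 ws-002 -> 198.51.100.7 update-check.invalid
2015-06-24T10:00:05 ws-002 -> 198.51.100.7 update-check.invalid
"""

# The one resolver the (constructed) standard says every host must use.
APPROVED_RESOLVERS = {"10.0.0.53"}

DNS_LINE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")


def unknown_process_hashes(inventory, allowlist):
    """Return (host, process, hash) for each running image whose hash is not allowlisted."""
    return [(host, proc, digest) for host, proc, digest in inventory if digest not in allowlist]


def dns_resolver_deviations(log_text, approved):
    """Map each host to the set of non-approved resolvers it sent queries to."""
    deviations = defaultdict(set)
    for line in log_text.splitlines():
        match = DNS_LINE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting the whole run
        _, host, resolver, _ = match.groups()
        if resolver not in approved:
            deviations[host].add(resolver)
    return dict(deviations)


if __name__ == "__main__":
    for host, proc, digest in unknown_process_hashes(PROCESS_INVENTORY, KNOWN_GOOD_HASHES):
        print(f"unknown image hash on {host}: {proc} {digest[:12]}...")
    for host, resolvers in dns_resolver_deviations(DNS_LOG, APPROVED_RESOLVERS).items():
        print(f"{host} queried non-approved resolver(s): {sorted(resolvers)}")
```

Neither check needs a CVE or a signature: each compares observed state against a declared standard and reports the difference, which is exactly the "compliance standard, then look for deviations" workflow the comment describes. The output is an indicator for an analyst to investigate, not a verdict that a host is compromised.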

Richard Bejtlich said...

Hi Ron,

These are good comments -- I would characterize what you listed as "indicators of compromise." These would be useful indeed.

Anonymous said...

Richard - I wonder to what degree Phase 3 will provide the opportunity for the government to procure Hunting tools. Phase 3 is still to be defined, but I am holding out hope that hunting platforms like Sqrrl will fit in there.

Anonymous said...

Seems a little nit picky to say CDM is detecting vulnerabilities when vulnerabilities can be risks. Threat actors exploit vulnerabilities but don't you accept the risk of that vulnerability, or better yet, accept the existence of that vulnerability in your system based on the risk associated with its existence. Just seems like you were splitting hairs on this one.

Richard Bejtlich said...

I totally agree that enterprises should patch vulnerabilities. However, it's more important to address intruders already inside an organization.