The recent RSA Europe conference in London was unusual. Some of the high-profile security firms exhibiting and presenting have also been victims of serious breaches this year.
RSA, rather notoriously, had its SecurID product compromised by what it insists were state-sponsored hackers. Raytheon admitted to a couple of breaches. And also present at the conference, both in the exhibition hall and in the form of founder & CEO Greg Hoglund, was security firm HBGary.
The assault on hacktivist movement Anonymous by subsidiary HBGary Federal made headlines – mostly because the subsequent backlash led to the breach of the company’s own defences, ultimately resulting in the resignation of CEO Aaron Barr.
Many were surprised when Hoglund engaged directly with Anonymous, even venturing into IRC channels to get a better understanding of what the hackers were doing and to plead with them not to release the email files they’d exfiltrated.
It wasn’t the normal behaviour of a reputable security outfit, but it is of a piece with Hoglund’s philosophy of taking the fight to the hackers, and of treating security as an active, rather than passive, undertaking.
At RSA I got a chance to chat with Hoglund. As you’d expect, he was reluctant to discuss the Anonymous debacle – he must be tired of it by now. All the same, it lingered like a spectre, colouring much of what we discussed, and we touched on it finally.
He was far more interested in talking business. The Anonymous attack killed the HBGary Federal subsidiary, but HBGary itself continues to prosper. Hoglund was in Europe to drum up more business – and possibly flush out a buyer for the company.
It’s all about people
First, though, he wanted to tackle a current bugbear. Hoglund is dismissive of the way some people seem to be obsessed with Advanced Persistent Threats (APTs).
“People just like to call it advanced because it gets through the security that they have, and they need to justify to the board what this is,” he says. “There’s a mentality out there that you can solve the security problem with technology. And that’s entirely incorrect, and it doesn’t work. You can’t buy a magical silver bullet and expect it to solve the security problem … You’re covering your you-know-what, to justify ‘well this isn’t malware, this is APT, this is different, this is why we didn’t detect it’.”
For all the talk of new threats, Hoglund agreed when I suggested our major problem is the inability to solve the problems we’ve already got. “When I talk about threat I’m talking about people,” he says. “The hackers. The mechanism by which they attack, that’s not new. So when you say the threat is evolving, it doesn’t mean the attack, technically, is evolving. What it means is the threatscape, the people – there’s more of them, they’re aware that they can achieve access to incredibly valuable data with relatively small investments – that’s an awareness they have, this year more than ever. So the threat is growing.”
So if the solution isn’t going to be a technical one, how do you tackle the issues?
“People,” says Hoglund. “It’s a counter-intelligence function. So if you’re a large enterprise and you don’t have a full-time security staff, game over. Yeah, it’s expensive … but this is where you have to go. You have to have a human in the loop.”
Taking a human-centric, counter-intelligence approach is specialised stuff. “You have to have access to the data, and you have to have analytics to turn that data into intelligence,” he adds. “Because raw data is not intelligence. If you don’t have a staff that can do that, then your security is already broken at that point. And any small to medium-size company, this is completely out of reach for them. So their only option is managed services.”
So there’s the sales pitch. Nevertheless, he’s convinced that this is how the security industry is going to evolve over the next 10 years.
If you manage to turn raw data into intelligence, what’s it telling you and what do you do with it? This is where the technology comes in, according to Hoglund.
“I like to focus on what I call actionable intelligence,” he says. “Actionable means you can take that piece of information and input it into a security solution you already own – a great example of that is an IDS signature. You see an intrusion in your environment, you examine it forensically and you get a URL that that malware or a remote access capability was using for command and control. You take that and put it into your IDS – you’ve just made your IDS smarter. You did that. No outside vendor, no magical blacklist. This is an attack specific to your environment. And what’s going to happen tomorrow is that same attacker is going to be back again, only this time you’re ready for him. You get smarter and smarter as this cycle continues and your cache of threat intelligence grows.”
Shared intelligence
The RSA show was opened by that company’s executive chairman, Art Coviello, calling for more sharing of infosecurity intelligence data. Ironically, this was followed by what was touted to be RSA sharing the story of its own breach, which turned out to be not quite the case. The firm remained tight-lipped about the details and persisted in describing it as a highly skilled and complex attack and not, for example, the compromise of a poorly patched Windows Server 2003 box.
So, does Hoglund think that information sharing is important? At first he seemed keen, but quickly added caveats.
“It’s a double-edged sword,” he says. “If you share data in a way that it’s public, or easily accessible to the bad guys, then they’re absolutely going to know what you know about them, so that’s the problem and the challenge with threat intelligence sharing. So, at least in the US, a lot of the threat intelligence sharing between the Government and the private sector is done using special relationships, closed forums, and may even be classified. If you’re not in that special circle, you’re not going to get access.”
Is this the only way it can be done? “I do think there have to be a lot of controls. You do need to make an effort so the bad guys can’t get the data. But that’s never going to work perfectly if you’re going to have a sharing system, then it’s going to get out some way or another.”
I asked if he thought sharing would need to be limited among countries, for reasons of national security, or if such pooling of data might be carried out within some existing framework – NATO, perhaps, or at a ‘five eyes’ level. “Sure, that would be interesting. But they’re never going to share everything – they’ll only share select stuff.”
Fight-through capability
You’re going to get breached, is Hoglund’s message for organisations of all kinds. Most security activity is reactive, not proactive. IDS signatures, for example, only tell you about old attacks, not the ones that are coming. Data sharing can help strengthen defences, in this reactive way, and raise the bar for attackers. But someone who’s sufficiently determined and resourced will still get through.
Hoglund likes to talk about a ‘fight-through’ capability. In the RSA panel session preceding our chat, he’d used this military term in the context of the US Air Force Reaper and Predator drone systems that have been infected with malware (widely misreported as being keylogger software).
“The military’s not that excited about it,” says Hoglund. “They know it’s not exfiltrating. The only threat to the system is instability.” He reckons that USAF will have quickly determined that the malware does not pose a threat to the stability of the system and will simply continue to use the infected systems – ‘fight through’ – carrying on with the mission while sorting out the compromise in parallel. This, he believes, is an attitude that commercial and other organisations should adopt.
“That’s the resilience and fight-through capability,” he says. “If you accept that business is just about managing risk, then there has to be some level of acceptance that compromises will occur. And you still have to be able to do business.”
Architectural changes
Indeed, Hoglund’s business prospects are companies that have come to the realisation that they are vulnerable (usually because they have already been breached) and will be compromised. Organisations that believe they can construct impregnable defences require too much education into the ways of the real world for Hoglund’s taste.
As most security vendors know, selling products and services is usually very easy during or immediately after an attack. But is there a need for organisations to take a longer term view and perhaps consider changing their network architectures to be more resilient, perhaps with increased use of air gapping?
“Absolutely,” he says, “because if you have a breach, that doesn’t mean that you’re going to lose data. So you have to make it very hard for them to get the stuff out. You should have your critical data separated from the rest of your network. You should have access control – this is such a basic idea, the principle of least privilege. It’s hard to believe how many enterprises out there simply don’t have that. But in a Windows network it’s entirely possible to implement that – it’s simply a manageability problem. And yeah, that’s expensive. But people will buy a SIEM, and then not use it. A problem with the SIEM is that it doesn’t do your work for you, and a lot of companies will look at it as a cost. The SIEM is giving you exposure to tremendous amounts of real-time data about what’s going on in your enterprise, but you still have to have a human being, an analyst, who can tune that data set, create analytics, so that 100,000 events an hour can be brought down to maybe four events of interest per hour, and that’s a huge problem.”
There’s still the perennial problem of justifying the trouble and expense of doing this. Getting the business to understand the risks is tricky because it’s not easy to convert threats into risk metrics. But Hoglund believes the arguments are there. “What if we lost confidence in the network,” he says. “What if we simply don’t know how many back doors they have and we don’t know if we can detect them all. Then I have to re-architect everything and build it from the ground up. There’s a number that’ll get somebody’s attention.”
Defence in depth
He also believes that more attention needs to be paid to the latter phases of an attack. Perimeter-based defences are all geared to stopping the initial infection phase. But attackers are often most vulnerable in the following interaction phase, which is mostly manual work, getting to know the network and finding the target data, and then the exploitation phase during which data is exfiltrated.
“That’s your window of opportunity,” he says. “They’re actually highly exposed during that time. The bad guys don’t have a lot of stealth at that point. They’re leaving forensics artefacts all over the environment and all you’ve got to do is detect them. And there’s only so many ways to hack a network at that point. You just have to detect that behaviour, and that’s really not that hard, I just think that people aren’t doing it, at least not widely.”
So this is defence in depth in action? “Exactly. That might be your second-last line of defence. The last line is stopping the data as it’s going out over the firewall.”
Reputation and the killswitch
Hoglund has some experience of that. The word ‘killswitch’ was mentioned. And this is where the Anonymous incident couldn’t be avoided any longer.
In the earlier panel session, Hoglund recounted the galling experience of watching Anonymous download Gmail-based email files while he attempted, in vain, to get Google to intervene. Proving he was the account holder took time – too much time. He’s now a keen advocate of making cloud service providers implement a ‘killswitch’ so that an account can be turned off in an instant, with no data allowed in or out.
“In the end, it turned out to be not all that bad,” he claims. “It was shocking and we were scared at first, but then I realised there wasn’t anything bad in my email, it didn’t really matter that much. In the grand scheme of things it was a nit compared to what’s been happening to other companies this year. I was just in the unfortunate position of being the first one.”
I mentioned how some companies believe that reputational damage is short-lived. “It’s true,” he says. “Three to six months. There’s been research done – this is in the retail space: something bad happens and after a year, consumers recognise the logo but don’t remember why. So it’s almost like free publicity in a way.”
That last sentence was spoken with heavy irony and a kind of world-weary humour. HBGary has just posted its best-ever quarter, but in the aftermath of the Anonymous attack, I suggested that he must have had some intense conversations with clients. “Yes,” he admits, “but this wasn’t for reputation reasons. They were worried that, financially, we weren’t able to withstand it. They had orders in the pipeline, and they didn’t want to order if we were going to go under. As it turns out, we actually closed Q1 out above our numbers that we had set prior to the attack. So we were, in fact, still doing quite well. Now, unfortunately, we were doing very much better than that on our pipeline, but the orders that were delayed in Q1 ended up all coming in in Q2. So our Q2 was phenomenal.”
He doesn’t actually reveal the figures involved. But can it really be true that Anonymous – aside from bringing about the demise of HBGary Federal – had so little effect on the business?
“Keep in mind our customers don’t like Anonymous,” says Hoglund. “They view themselves as targets too.”