Why defensive research is sexy too.. … and a real sign of skill

Published on

A presentation from BSides London 2014 on why defensive cyber security is a real sign of skill and one of the most rewarding things to do.

Published in: Technology
Transcript of "Why defensive research is sexy too.. … and a real sign of skill"

  1. Why defensive research is sexy too.. … and a real sign of skill, and 21 subliminal* facts about NCC
  2. Before we begin… Hopefully not a lesson in sucking eggs
  3. Before we begin… Who is NCC?
     - 100 million GBP revenue FTSE company
     - Cyber Security Assurance Practice
     - 180 UK technical assurance consultants: applied research; technical security assessments; cyber forensics / incident response
     - 50 UK risk / audit consultants
     - 90 US technical assurance consultants
     - Escrow & Software Assurance = sister BUs
  4. Offence v Defense
  5. Why Offensive Research is Easy*
     - Time, money, capability
     - Usability
     - Technology diversity / fragmentation
     - Technology mono-cultures / near mono-cultures
     - Technology life-cycles
     - Developers
     - Implementers / Integrators
     - End-users
     Fact 1: NCC has games consoles and/or arcade machines in all technical offices!
  6. Why We do Defensive Research
     - Drive down costs
     - Keep aggressors out: system / software design, build and operate
     - Minimize the impact when that fails: defence in depth / resilience / aid clean-up
     - Know what happened and clean up: audit, forensics, loss measurement and recovery
     - Understand what is happening: threat intel / exposure etc.
     Fact 2: the author of !exploitable v2 works for NCC in Cheltenham
  7. Applied Defensive Research can be*
     - Reactive
       - Tangible threat / needs: organisations / users feeling pain; demonstrated financial / data loss / compromise
       - Easiest to demonstrate ROI for: addresses concerns / gaps; known market to sell solutions for
     - Pro-active
       - academia**
       - domain of the few
     Fact 3: the author of the Browser Hacker's Handbook works for NCC in Australia
  8. Applied Defensive Research is Broad
     - Hardware
     - Operating systems
     - Programming languages
     - Compilers
     - Libraries / frameworks
     - Features / integration
     - Human sciences
     - Models and data analysis
     - Algorithmic
     - Standards
     - Design patterns
     - Implementation
     - Build
     - Deployment
     - Sustainment
     Fact 4: we have a massive UK tech team (> 150) which only results in awesome!
  9. Examples of the Arms Race: Defence v Offense
  10. XSS
     - Types: traditional (basic?) XSS; domXSS – example of refinement
     - Game of: source v sink
     - Solutions thus far: Internet Explorer XSS protection feature*; Content Security Policy*; DOMPurify**
     Status: PARTIALLY SOLVED
     Fact 5: NCC works on everything from SCADA to ATMs to cars to web apps
  11. SQL Injection
     - Input validation: black-listing / white-listing
     - Non-verbose error messages*: blind etc.
     - Parameterisation
     - Abstraction / NoSQL
     Status: PARTIALLY SOLVED
     Fact 6: 1K GBP bonuses for publishing whitepapers at NCC
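The SQL injection slide contrasts black-list input validation with parameterisation. As an added example (not code from the slides or from NCC), the two approaches are shown side by side against an in-memory SQLite table; the black-list, table contents and probe string are constructed for the demo.

```python
import sqlite3

# Black-list validation as one input-validation approach: it only rejects
# the patterns it knows about (list constructed for this demo).
BLACKLIST = ("--", ";", "drop", "union")

def make_db():
    """Constructed in-memory table with two users (sample data for the demo)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "a-secret"), ("bob", "b-secret")])
    return con

def validated(value):
    """Black-list validation: raises on known-bad substrings, passes everything else."""
    if any(bad in value.lower() for bad in BLACKLIST):
        raise ValueError("rejected by black-list")
    return value

def lookup_concat(con, name):
    """Vulnerable: the validated value is still spliced into the SQL text,
    so any input the black-list did not anticipate changes the query."""
    query = "SELECT secret FROM users WHERE name = '" + validated(name) + "'"
    return sorted(row[0] for row in con.execute(query))

def lookup_param(con, name):
    """Hardened: parameterised query; the driver binds the value as data,
    so the same input is matched literally and never parsed as SQL."""
    return sorted(row[0] for row in
                  con.execute("SELECT secret FROM users WHERE name = ?", (name,)))

if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"   # passes the black-list; a defender's regression test case
    print(lookup_concat(con, "alice"))  # ['a-secret']
    print(lookup_concat(con, probe))    # ['a-secret', 'b-secret']: every row leaks
    print(lookup_param(con, probe))     # []: treated as a literal name
```

The parameterised version is the one to keep as the regression test: it returns the same result for the probe whether or not any black-list is in front of it.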
  12. Malicious Code
     - Malicious code arrives
     - Signature AV
     - metamorphism / packers
     - rootkits / bootkits
     - Signature AV, unpackers, rootkit detection
     - signing of binaries
     - in-process injection
     - Behaviour monitoring
     - fragmented behaviour
     - Reputation – stolen identity
     Fact 7: you get utilisation credits (like client work) for research at NCC
  13. Memory Corruption
     - Stack: cookies / variable re-ordering / multi stack / NX
     - Heap: cookies / out of band* / NX
     - SafeSEH: compatibility holes
     - ASLR: compatibility holes; weak entropy / exhaustion; information leaks*
     Fact 8: NCC loves publishing its tools as open source - http://github.com/nccgroup
  14. Memory Corruption
     - Kernel executing code from userland: SMEP – Supervisor Mode Execution Prevention*
     - Kernel accessing data in userland: SMAP – Supervisor Mode Access Protection*
     - ROP: call flow analysis; gadget-less code
     - Plus many more: PaX, EMET, BlueHat prize etc.
     Fact 9: suits are for client sites not our offices.. unless you want to of course!
  15. Code Review
     - Grep / Lint: comedy basic, false positives, noisy
     - Taint analysis: compilation / parsing of code; procedural / intra-procedural
     - Gamification: formal verification; http://www.cs.washington.edu/verigames/
     Status: PARTIALLY SOLVED
     Fact 10: the early Samba domain protocol breakthrough was done by an NCCer
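The code review slide ranks grep-style checks (noisy, false positives) below taint analysis that parses the code and follows data intra-procedurally. As an added example (not code from the slides or from NCC), both are run over a constructed snippet containing the concatenated, parameterised and constant queries from the SQL injection slide; `request_arg()` is a hypothetical untrusted-input source and `.execute()` is assumed to be the SQL sink.

```python
import ast
# Assumptions for this demo: request_arg() stands in for any untrusted-input
# source and any .execute() method call is treated as the SQL sink.
SOURCES = {"request_arg", "input"}
SINK = "execute"

# Constructed sample code to scan: concatenated, parameterised and constant queries.
SAMPLE = '''def lookup_unsafe(cur):
    name = request_arg("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cur.execute(query)

def lookup_safe(cur):
    name = request_arg("name")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))

def count_rows(cur):
    cur.execute("SELECT count(*) FROM users")
'''

def grep_findings(src):
    """Grep-style check: flags every line that mentions the sink (noisy)."""
    return [n for n, line in enumerate(src.splitlines(), 1) if SINK + "(" in line]

def is_tainted(node, tainted):
    """True if the expression reads a tainted variable or calls a source directly."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in SOURCES:
        return True
    return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))

def taint_findings(src):
    """Intra-procedural taint tracking: a sink fires only when the query-string
    argument (args[0]) derives from a source; bound parameters are not the sink."""
    hits = set()
    for func in ast.walk(ast.parse(src)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:  # statements in source order, so assignments precede uses
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
                    tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
                elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                      and node.func.attr == SINK and node.args
                      and is_tainted(node.args[0], tainted)):
                    hits.add(node.lineno)
    return sorted(hits)
```

`grep_findings(SAMPLE)` reports all three `execute(` lines, while `taint_findings(SAMPLE)` reports only the concatenated query, which is the false-positive gap the slide is pointing at.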
  16. Sandboxing
     - Constrain a process not to do bad stuff*: chroot escapes etc.
     - Many levels: File system; Network; IPC; System calls
     - Whilst maintaining compatibility*
     Status: PARTIALLY SOLVED
     Fact 11: we employed 7 graduates last year, we're aiming for 20 this year
  17. Protective Monitoring
     - IDS / IPS: stream reconstruction; OS-specific fragmentation behaviours; many methods of encoding; encryption; maintaining pace with network speeds; .. etc
     Status: PARTIALLY SOLVED
     Fact 12: we have internal training for infra to web apps to threat modelling to code
  18. Response / Threat Intel: Forensics
     - Physical versus logical acquisition: many devices / OSs
     - Memory forensics
     - Structured / unstructured data analysis and correlation
     - Application of expert systems / inference engines: non-fancy name of AI (includes knowledge bases)
     Status: PARTIALLY SOLVED
     Fact 13: we don't have time sheets! and our expenses are electronic!
  19. Threat Intel: Honey Pots
     - Make them discoverable: darknets / seeding
     - Make them attackable: network, web, mobile etc.
     - Make them look real enough: emulate, real tin, simulate, virtualize
     - Make them tempting enough
     - Make them indistinguishable
     Fact 14: all of the first two grades of management are ex technical doers*
  20. Hot Patching
     - How to patch security vulns without restarts
     - Research: Code injection*; Compiled function structure; MOV EDI, EDI – two-byte NOP
     - Security
     Status: PARTIALLY SOLVED
     Fact 15: we work with our US and Australian teams jointly on projects
  21. DRM
     - Software-based DRM: cracks
     - Geography-specific DRM: cracks but constrained
     - Hardware-augmented DRM: crack
     - Hardware DRM / CAC: cracks / duplication
     Status: PARTIALLY SOLVED
     Fact 16: NCC has tech offices in Manchester, Leatherhead, Chelly and Milton Keynes
  22. Brain Food …
  23. Challenges
     - User and consumer cyber security awareness
     - Practical cyber security in start-ups and other resource-constrained environments
     - Cyber incident remediation, clean-up, impact measurement and quantification
     Fact 17: we have two service-lines launching this year designed by consultants
  24. Phishing
     - Human science: humans just want to get stuff done; humans are nosey; humans like flattery
     - Smart(er) technology: when Bayesian filters fail etc..
     Fact 18: each office has monthly techy presentation afternoons & social evenings
  25. Forensics
     - Storage Reduction for Network Captures
     - High Performance Captured Network Meta Data Analysis
     - Network Capture Visualization
     - Automated Net Flow Heuristic Signature Production
     - Forensic Memory Resident Password Recovery
     - Application of Location Services in Data Forensics Investigations
     Fact 19: you get free fruit* at work - *we wish it was chocolate
  26. Throw Away Home Automation
     - Cheap embedded systems: some shown to have backdoors
     - Range of impacts if owned: danger to life*; privacy; security; financial
     Fact 20: we may be big but that comes with certain benefits (e.g. lab admins)
  27. …. everything else .…
     - stopping Terry from using sprintf*
     - automatic CSP generation and refinement
     - attack surface mapping / visualisation
     - micro-virtualized OS secure design
     - defensive software defined networking
     - anti-anti-forensics
     - making Linux security features usable for low-skilled vendors etc..
     Fact 21: we love CVs, e-mail colin.gillingham@nccgroup.com (he'll thank me later)
  28. The Reward for Doing Defensive Research… …many…
     - No BBC articles
     - Frustration when people don't use it and then get owned
     - Maybe 200k from Microsoft BlueHat*
     - No trips to Vegas
     - No worldwide con tour
     - People complaining when it does work because they didn't read the manual
  29. Summary
     - Defensive research is one of the most rewarding areas: you don't need to be an academic; you don't need to solve world hunger
     - Lots of defensive ideas come and go
     - The trick is making / getting them: implemented; practical; scalable; cost effective; adopted
  30. An Example. TL;DR: Intel implements UDEREF equivalent 6 years after PaX, PaX will make use of it on amd64 for improved performance. http://forums.grsecurity.net/viewtopic.php?f=7&t=3046
  31. Liked this? BSides Manchester is coming..
  32. Almost Final Thought: "We may be at the point of diminishing returns by trying to buy down vulnerability, maybe it's time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can "self-heal" or "self-limit" the damages inflicted upon them" Gen. Michael Hayden (USAF-Ret.), former head of the NSA and the CIA
  33. Final Thought: start small, learn, practice, improve, fail, start again, get better, fail again, start once more, get even better and maybe win!
  34. The future (in an alternate universe): Defendercon 2015, showcasing applied defensive research with the pizazz of offensive, including the defend2spend competition…
  35. Offices
     - UK: Manchester (Head Office), Cheltenham, Edinburgh, Leatherhead, London, Milton Keynes
     - North America: San Francisco, Atlanta, New York, Seattle, Austin
     - Australia: Sydney
     - Europe: Amsterdam (Netherlands), Munich (Germany), Zurich (Switzerland)
     Thanks? Questions? Ollie Whitehouse ollie.whitehouse@nccgroup.com