My feature from the Aug 2011 issue of Network Security.

Interview: Greg Hoglund - a fight-through capability

The recent RSA Europe conference in London was unusual. Some of the high-profile security firms exhibiting and presenting have also been victims of serious breaches this year.

RSA, rather notoriously, had its SecurID product compromised by what it insists were state-sponsored hackers. Raytheon admitted to a couple of breaches. And also present at the conference, both in the exhibition hall and in the form of founder & CEO Greg Hoglund, was security firm HBGary.

The assault on hacktivist movement Anonymous by subsidiary HBGary Federal made headlines - mostly because the subsequent backlash led to the breach of the company’s own defences, ultimately resulting in the resignation of CEO Aaron Barr.

Many were surprised when Hoglund engaged directly with Anonymous, even venturing into IRC channels to get a better understanding of what the hackers were doing and to plead with them not to release the email files they’d exfiltrated.

It wasn’t the normal behaviour of a reputable security outfit, but it is of a piece with Hoglund’s philosophy of taking the fight to the hackers, and of treating security as an active, rather than passive, undertaking.

At RSA I got a chance to chat with Hoglund. As you’d expect, he was reluctant to discuss the Anonymous debacle - he must be tired of it by now. All the same, it lingered like a spectre, colouring much of what we discussed, and we touched on it finally.

He was far more interested in talking business. The Anonymous attack killed the HBGary Federal subsidiary, but HBGary itself continues to prosper. Hoglund was in Europe to drum up more business - and possibly flush out a buyer for the company.

It’s all about people

First, though, he wanted to tackle a current bugbear. Hoglund is dismissive of the way some people seem to be obsessed with Advanced Persistent Threats (APTs).

“People just like to call it advanced because it gets through the security that they have, and they need to justify to the board what this is,” he says. “There’s a mentality out there that you can solve the security problem with technology. And that’s entirely incorrect, and it doesn’t work. You can’t buy a magical silver bullet and expect it to solve the security problem … You’re covering your you-know-what, to justify ‘well this isn’t malware, this is APT, this is different, this is why we didn’t detect it’.”

For all the talk of new threats, Hoglund agreed when I suggested our major problem is the inability to solve the problems we’ve already got. “When I talk about threat I’m talking about people,” he says. “The hackers. The mechanism by which they attack, that’s not new. So when you say the threat is evolving, it doesn’t mean the attack, technically, is evolving. What it means is the threatscape, the people - there’s more of them, they’re aware that they can achieve access to incredibly valuable data with relatively small investments - that’s an awareness they have, this year more than ever. So the threat is growing.”

So if the solution isn’t going to be a technical one, how do you tackle the issues?

“People,” says Hoglund. “It’s a counter-intelligence function. So if you’re a large enterprise and you don’t have a full-time security staff, game over. Yeah, it’s expensive … but this is where you have to go. You have to have a human in the loop.”

Taking a human-centric, counter-intelligence approach is specialised stuff. “You have to have access to the data, and you have to have analytics to turn that data into intelligence,” he adds. “Because raw data is not intelligence. If you don’t have a staff that can do that, then your security is already broken at that point. And any small to medium-size company, this is completely out of reach for them. So their only option is managed services.”

So there’s the sales pitch. Nevertheless, he’s convinced that this is how the security industry is going to evolve over the next 10 years.

If you manage to turn raw data into intelligence, what’s it telling you and what do you do with it? This is where the technology comes in, according to Hoglund.

“I like to focus on what I call actionable intelligence,” he says. “Actionable means you can take that piece of information and input it into a security solution you already own - a great example of that is an IDS signature. You see an intrusion in your environment, you examine it forensically and you get a URL that that malware or a remote access capability was using for command and control. You take that and put it into your IDS - you’ve just made your IDS smarter. You did that. No outside vendor, no magical blacklist. This is an attack specific to your environment. And what’s going to happen tomorrow is that same attacker is going to be back again, only this time you’re ready for him. You get smarter and smarter as this cycle continues and your cache of threat intelligence grows.”
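The cycle Hoglund describes, as an added example that is not from the interview or from HBGary: a command-and-control URL recovered during forensic examination is turned into a Suricata rule for the IDS you already own, the indicator is kept in a local store so it accumulates across incidents, and the same store is run over proxy logs to catch the attacker on return. The C2 hostname, the incident reference and the log lines are all constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import re

# Constructed C2 URL, as if recovered from a forensic examination of an infected host.
RECOVERED_C2_URL = "http://update-cdn.example.invalid/gate.php?id=7"

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = [
    "2011-08-02T09:14:03Z 10.0.5.21 GET http://www.example.com/index.html 200",
    "2011-08-02T09:14:09Z 10.0.5.21 GET http://UPDATE-CDN.example.invalid/gate.php?id=7 200",
    "2011-08-02T09:15:44Z 10.0.5.30 GET http://intranet.example.com/ 200",
]


@dataclass
class ThreatStore:
    """Local cache of indicators; it grows with every incident worked."""
    next_sid: int = 1000001                    # local Suricata rule IDs start at 1000000
    hosts: dict = field(default_factory=dict)  # C2 hostname -> sid of the rule covering it

    def add_c2(self, url: str, note: str) -> str:
        """Turn a recovered C2 URL into a Suricata rule and remember the host.

        Returns the rule text, or "" if the host is already covered.
        `note` goes into msg, so it must not contain quotes or semicolons.
        """
        parsed = urlparse(url)
        host, path = parsed.hostname, parsed.path or "/"   # hostname is lowercased
        if host in self.hosts:
            return ""
        sid = self.next_sid
        self.next_sid += 1
        self.hosts[host] = sid
        # Suricata HTTP sticky buffers: match the Host header and URI path of
        # outbound requests from the internal network to the C2 host.
        return (
            f'alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"LOCAL C2 {note}"; flow:established,to_server; '
            f'http.host; content:"{host}"; nocase; '
            f'http.uri; content:"{path}"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)'
        )

    def match_proxy_log(self, lines):
        """Apply the cached indicators to proxy log lines; returns (line, sid) hits."""
        hits = []
        for line in lines:
            m = re.search(r"https?://([^/\s]+)", line)
            if not m:
                continue
            host = m.group(1).split(":")[0].lower()   # drop any port, normalise case
            if host in self.hosts:
                hits.append((line, self.hosts[host]))
        return hits


def run_cycle():
    """Worked run: one incident -> one rule -> detection of the returning attacker."""
    store = ThreatStore()
    rule = store.add_c2(RECOVERED_C2_URL, "host recovered from incident IR-0001")  # constructed reference
    hits = store.match_proxy_log(PROXY_LOG)
    return rule, hits


if __name__ == "__main__":
    rule, hits = run_cycle()
    print(rule)
    for line, sid in hits:
        print(f"sid {sid} hit: {line}")
```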

Shared intelligence

The RSA show was opened by that company’s executive chairman, Art Coviello, calling for more sharing of infosecurity intelligence data. Ironically, this was followed by what was touted to be RSA sharing the story of its own breach, which turned out to be not quite the case. The firm remained tight-lipped about the details and persisted in describing it as a highly skilled and complex attack and not, for example, the compromise of a poorly patched Windows Server 2003 box.

So, does Hoglund think that information sharing is important? At first he seemed keen, but quickly added caveats.

“It’s a double-edged sword,” he says. “If you share data in a way that it’s public, or easily accessible to the bad guys, then they’re absolutely going to know what you know about them, so that’s the problem and the challenge with threat intelligence sharing. So, at least in the US, a lot of the threat intelligence sharing between the Government and the private sector is done using special relationships, closed forums, and may even be classified. If you’re not in that special circle, you’re not going to get access.”

Is this the only way it can be done? “I do think there have to be a lot of controls. You do need to make an effort so the bad guys can’t get the data. But that’s never going to work perfectly if you’re going to have a sharing system, then it’s going to get out some way or another.”

I asked if he thought sharing would need to be limited among countries, for reasons of national security, or if such pooling of data might be carried out within some existing framework - NATO, perhaps, or at a ‘five eyes’ level. “Sure, that would be interesting. But they’re never going to share everything - they’ll only share select stuff.”

Fight-through capability

You’re going to get breached, is Hoglund’s message for organisations of all kinds. Most security activity is reactive, not proactive. IDS signatures, for example, only tell you about old attacks, not the ones that are coming. Data sharing can help strengthen defences, in this reactive way, and raise the bar for attackers. But someone who’s sufficiently determined and resourced will still get through.

Hoglund likes to talk about a ‘fight-through’ capability. In the RSA panel session preceding our chat, he’d used this military term in the context of the US Air Force Reaper and Predator drone systems that have been infected with malware (widely misreported as being keylogger software).

“The military’s not that excited about it,” says Hoglund. “They know it’s not exfiltrating. The only threat to the system is instability.” He reckons that USAF will have quickly determined that the malware does not pose a threat to the stability of the system and will simply continue to use the infected systems - ‘fight through’ - carrying on with the mission while sorting out the compromise in parallel. This, he believes, is an attitude that commercial and other organisations should adopt.

“That’s the resilience and fight-through capability,” he says. “If you accept that business is just about managing risk, then there has to be some level of acceptance that compromises will occur. And you still have to be able to do business.”

Architectural changes

Indeed, Hoglund’s business prospects are companies that have come to the realisation that they are vulnerable (usually because they have already been breached) and will be compromised. Organisations that believe they can construct impregnable defences require too much education into the ways of the real world for Hoglund’s taste.

As most security vendors know, selling products and services is usually very easy during or immediately after an attack. But is there a need for organisations to take a longer term view and perhaps consider changing their network architectures to be more resilient, perhaps with increased use of air gapping?

“Absolutely,” he says, “because if you have a breach, that doesn’t mean that you’re going to lose data. So you have to make it very hard for them to get the stuff out. You should have your critical data separated from the rest of your network. You should have access control - this is such a basic idea, the principle of least privilege. It’s hard to believe how many enterprises out there simply don’t have that. But in a Windows network it’s entirely possible to implement that - it’s simply a manageability problem. And yeah, that’s expensive. But people will buy a SIEM, and then not use it. A problem with the SIEM is that it doesn’t do your work for you, and a lot of companies will look at it as a cost. The SIEM is giving you exposure to tremendous amounts of real-time data about what’s going on in your enterprise, but you still have to have a human being, an analyst, who can tune that data set, create analytics, so that 100,000 events an hour can be brought down to maybe four events of interest per hour, and that’s a huge problem.”

There’s still the perennial problem of justifying the trouble and expense of doing this. Getting the business to understand the risks is tricky because it’s not easy to convert threats into risk metrics. But Hoglund believes the arguments are there. “What if we lost confidence in the network,” he says. “What if we simply don’t know how many back doors they have and we don’t know if we can detect them all. Then I have to re-architect everything and build it from the ground up. There’s a number that’ll get somebody’s attention.”

Defence in depth

He also believes that more attention needs to be paid to the latter phases of an attack. Perimeter-based defences are all geared to stopping the initial infection phase. But attackers are often most vulnerable in the following interaction phase, which is mostly manual work, getting to know the network and finding the target data, and then the exploitation phase during which data is exfiltrated.

“That’s your window of opportunity,” he says. “They’re actually highly exposed during that time. The bad guys don’t have a lot of stealth at that point. They’re leaving forensics artefacts all over the environment and all you’ve got to do is detect them. And there’s only so many ways to hack a network at that point. You just have to detect that behaviour, and that’s really not that hard, I just think that people aren’t doing it, at least not widely.”

So this is defence in depth in action? “Exactly. That might be your second-last line of defence. The last line is stopping the data as it’s going out over the firewall.”

Reputation and the killswitch

Hoglund has some experience of that. The word ‘killswitch’ was mentioned. And this is where the Anonymous incident couldn’t be avoided any longer.

In the earlier panel session, Hoglund recounted the galling experience of watching Anonymous download Gmail-based email files while he attempted, in vain, to get Google to intervene. Proving he was the account holder took time - too much time. He’s now a keen advocate of making cloud service providers implement a ‘killswitch’ so that an account can be turned off in an instant, with no data allowed in or out.

“In the end, it turned out to be not all that bad,” he claims. “It was shocking and we were scared at first, but then I realised there wasn’t anything bad in my email, it didn’t really matter that much. In the grand scheme of things it was a nit compared to what’s been happening to other companies this year. I was just in the unfortunate position of being the first one.”

I mentioned how some companies believe that reputational damage is short-lived. “It’s true,” he says. “Three to six months. There’s been research done - this is in the retail space: something bad happens and after a year, consumers recognise the logo but don’t remember why. So it’s almost like free publicity in a way.”

That last sentence was spoken with heavy irony and a kind of world-weary humour. HBGary has just posted its best-ever quarter, but in the aftermath of the Anonymous attack, I suggested that he must have had some intense conversations with clients. “Yes,” he admits, “but this wasn’t for reputation reasons. They were worried that, financially, we weren’t able to withstand it. They had orders in the pipeline, and they didn’t want to order if we were going to go under. As it turns out, we actually closed Q1 out above our numbers that we had set prior to the attack. So we were, in fact, still doing quite well. Now, unfortunately, we were doing very much better than that on our pipeline, but the orders that were delayed in Q1 ended up all coming in in Q2. So our Q2 was phenomenal.”

He doesn’t actually reveal the figures involved. But can it really be true that Anonymous - aside from bringing about the demise of HBGary Federal - had so little effect on the business?

“Keep in mind our customers don’t like Anonymous,” says Hoglund. “They view themselves as targets too.”

Sony: just another victim

One of the most interesting aspects of the Anonymous/LulzSec hacking of Sony is the opportunity to observe what effects it might have over time. Now a legal decision in Australia has placed Sony in a position that, I suspect, it finds very agreeable - as a victim.

While most security analysts seem to agree that the hacks themselves were fairly trivial - from both a technical perspective and in terms of immediate damage - the true significance, we were led to believe, would be the effect on Sony’s brand.

Indeed, various Anonymous and LulzSec mouthpieces were keen to point out the reputational damage they had wrought. Time after time, with both the Sony hacks and other high-profile attacks mounted by the groups, we were informed that the whole point was to sully the reputations of the organisations under assault so that customers would think twice about doing business with them.

One Anon told me, in an IRC chat, that the desired result will be that, “people will think twice before they hand over their identities online. That people will stop and say ‘Do I KNOW this data is safe? Do I KNOW no one can hack into this system and use my information against me?’”

However, this effect relies on one critical factor: it’s important for the general public to believe that Sony was culpable in this matter - that its poor security (and it certainly was poor) was a major contributor to the leak of its customers’ data. In that scenario, hackers such as LulzSec are more of a catalyst than a cause, or at worst the final link in a chain of insecurity for which the hacked company is partly, if not largely, responsible.

But…

I found, when researching an article on hacktivism for Network Security (available on Science Direct - subscription or payment required), that this is not a perception of the Sony hacks that is universally shared. In fact, I concluded that LulzSec’s desire to taint Sony by leaking the company’s databases faced a number of hurdles.

The first is that people forget. Try asking your friends (at least those who aren’t followers of hacktivism) about the incidents and you’ll probably find that many have forgotten all about the hacks, even if they knew about them in the first place.

Sony customers, especially members of the PlayStation Network (PSN) may be more inclined to remember. But I don’t think it’s too cynical to suggest that most of those will be inclined to forgive and forget just as soon as the next cool game comes out. I’ve certainly not heard of any large-scale abandonment of the PS3 platform.

Of course, many people will simply not understand that Sony was in any way culpable in this matter. IT security is a complex and arcane issue. Poor security is hard to explain to lay people. Yet everyone’s heard of hackers, a term now (alas) largely synonymous with ‘criminal’ in the public’s perception.

And so most people who remember that Sony was hacked will simply assume that the poor company was maliciously attacked by bad guys.

The Australian Privacy Commissioner, Timothy Pilgrim, agrees. He’s just ruled that one of the victims of the PSN breach was … wait for it … Sony. His investigations have concluded that Sony was not in breach of the country’s National Privacy Principles - that it was the nasty old hackers who ‘disclosed’ the company’s data, not Sony itself.

As time goes on, the number of people who remember that Sony was hacked will diminish. Given that those who realise the company was partly to blame will be a small subset of that number, and that those who care enough not to give Sony their business is a smaller group still, then Sony can probably rest assured that it is already over the worst.

At least, that’s as far as reputational damage goes. The firm is still facing lawsuits, including several class actions. But all that’s at stake there is money…

When is #Anonymous not Anonymous?

Not for the first time, the Anonymous activist collective is suffering some brand issues. It turns out that claiming you are ‘leaderless’ and ‘decentralised’ is something of a two-edged sword.

It’s also a lie, of course.

The concept is that anyone can operate under the Anonymous banner. There are no committees to attend, no leader from whom you need to seek approval. If you want to mount an operation and call it an Anonymous action … well, go right ahead.

Or maybe not. We’ve just seen two examples of where that causes some problems.

The one currently grabbing headlines is the so-called OpFacebook. A YouTube video by ‘Anonymous’ promises that everybody’s favourite personal data aggregator will be “destroyed” on Nov 5. And the video has all the classic hallmarks of Anonymous - it’s sufficiently pretentious and bombastic that you can’t help wondering if it’s meant to be funny.

Only it turns out that ‘Anonymous’ isn’t Anonymous, if you see what I mean. The ‘real’ Anonymous (the one, remember, with no leaders or centralisation) has been denouncing this operation as a fake. ‘Sabu’ (@anonymouSabu), the non-leader of Anonymous (and also, as it happens, LulzSec) has been especially active in denouncing this as a fraud and is practically begging the media to pay no attention to it.

So how does that work, exactly? Surely the whole concept of Anonymous is that, if I call myself an Anon, that’s enough. Who is Sabu to call this a fake? By what authority can he assert that this is not an Anonymous operation?

I’ve recently completed a long feature about Anonymous and LulzSec for the journal I edit, Network Security. During the research, I had a couple of IRC chats with Anons, via the irc.anonops.li server. Part of this touched on the ‘leaderless’ nature of the movement. I wanted to know how that assertion can be supported when there is clearly some direction from a core group. For example, the channels found on irc.anonops.li are regarded by pretty much everyone as the ‘official’ IRC channels. Some of the channel topics are used to set targets for the Low Orbit Ion Cannon (LOIC) - the DDoS tool used by Anons that has turned out to be so dangerous for its users. There are also channels used for co-ordinating operations that are not open to the likes of you and me - strictly invitation only. I wanted to know how this meshes with the leaderless concept.

I chatted with joepie91 who was at pains to point out that he did not speak in any official capacity, but just as one of many Anons. He did, however, have channel admin privileges in the #reporter channel set up to talk to the media, and most other people in the channel appeared to defer to him.

I asked him to explain a comment he made that, “anonymous =/= anonops”.

joepie91: anonops is just one network that is populated by Anons

joepie91: Anonymous is not a centralized entity

joepie91: there’s no member list, no ‘official representatives’, no leaders

So far so good. But I pointed out that someone gets to set targets in channel messages. The answer felt a little evasive, in that he largely just stated the obvious - that channel ops get to set the topics. But he also enlarged:

joepie91: if you don’t like operation payback, noone stops you from setting up a similar operation with similar targets but a different structure … if you disagree you can just walk away and set up your own … and noone will stop you

It seems that’s exactly what someone has done with OpFacebook. And now Anonymous seems not to like it.

But that’s not the only spat that’s been going on. When various Anonymous accounts were kicked off Google+, because they contravened the service’s rules on using real names, some Anons vowed to set up a social networking site just for Anons. It’s hard to see how the mechanics of social networking would fit with the idea of being Anonymous, but selah.

The result was AnonPlus, which has so far had a very sorry history. It started out using bog-standard forum software, but has mutated many times, shifting domains and hosting, constantly promising great things to come. With amusing irony, it has been hacked numerous times (as in the example above) and this led to a blow-up between Sabu and ‘higochoa’. Sabu, it seems, was particularly incensed at people believing that he, personally, had been hacked every time AnonPlus was defaced.

<Sabu> I am getting sick of hearing that *I* get hacked every week

In a more telling moment, Sabu says:

<Sabu> I suggest you either kill the project / stop using anonymous’ name

That suggests to me that Sabu feels at least some sense of proprietorship over the Anonymous brand. Maybe it’s time for Anonymous to decide whether it is genuinely going to embrace an anarchic policy of no enforced structure, or whether it should grow up a little and become a more organised activist force. The latter would be more interesting because, currently, its disorganised and chaotic approach is achieving very little.

Just in it for the lulz?

Supporters of Wikileaks are dedicated to freedom of speech - until, that is, someone disagrees with them.

“Humankind,” wrote Eliot, “cannot stand very much reality”. And so it is with a bunch of self-styled net buccaneers calling itself LulzSec.

The US Public Broadcasting Service (PBS) - normally the darling of those with anti-corporate leanings - has suffered the ire of these ‘hacktivists’. Apparently, it screened a documentary about Wikileaks that was not entirely flattering. Such insults are not to be borne.

There is a distinct whiff of Anonymous about LulzSec - the same whimsical self-regard, the same adolescent posturing. (There is, for what it’s worth, a #lulzsec channel on irc.anonops.in. It’s unlikely to be any kind of official hangout - I was the only person in there when I checked it out.)

Denial of service attacks and website defacement are the preferred forms of protest for Anonymous. They are high-profile acts that require little effort, minimal skill and involve relatively little risk. There is, of course, the unfortunate side-effect that the downing of a website effectively denies the legitimate owner of free speech. This form of hacktivism is a way of shutting up those whose opinions differ from yours.

It seems that LulzSec is gearing up for more attacks on Sony - the target du jour of Anonymous. Meanwhile, the group is basking in the attention garnered by the PBS stunt - and getting attention was probably half the point in the first place.

The Internet is a powerful medium for activism and deserves to be used as such. But hacktivism needs to be driven by more than petulance. If the Internet is to serve as a place for taking a principled stand, it’s important that it does not acquire a reputation for immature pranks. Vandalism is not an effective way of engaging in complex debates about political responsibility, freedom of information or digital rights.

LulzSec has yet to elucidate any meaningful principles or agenda, other than a desire to show off in public. Assuming it has a genuine ethical purpose behind its behaviour, perhaps these will be spelled out on a forthcoming website. Let’s hope so.