Zero Day Exploits, 0-Day, custom malware, tailored malware, infected humans. All things we have no way to protect against using signatures.
Signatures have been our life in security for a long time: virus update packs, signature updates. Vendors like Cisco even helped build complex and expensive security research task forces like TALOS, amassing 250+ researchers who look for new malware, take it apart and then build protection against it, in almost real time. This means we are reasonably well protected from things we know about.
I still wash my hands
What? That is because I don’t trust licking my palms when they are not clean. If I trusted that I had all of the immunizations and that the new “flu” vaccine gave me everything I needed, I could run around never washing my hands, but we all know that the flu vaccine only covers last year’s and SOME of what is coming.
Then why are firewall IPS signatures and virus signatures enough for many corporations and end users?
“Sorry boss, but there’s only two men I trust. One of them’s me. The other’s not you.” – Cameron Poe (character in Con Air, played by Nicolas Cage)
Anyone who knows me knows I tend to use movie quotes a lot. Customers look at me funny when I say something similar. Trust nobody, don’t even trust me. Every person, machine or connected object could become ‘weaponized’. The minute you start trusting, you are opening the door. We all lock our front doors, but we do not lock our interior doors. If you found out someone else MIGHT be running around with a universal set of keys, you might start locking that bedroom, and maybe do it with a different kind of lock so that the person with the universal key has a harder time. So why do we rely on traditional firewalls so much and then leave our interior networks wide open?
Vault7 – Wikileaks
The latest release from the team at Wikileaks proves the need for Zero-Trust models. If the CIA was accessing vulnerabilities that were not publicly known, that means hackers and bad actors in your networks could be using them as well. The CIA is very well funded, and this release provides a glimpse into how well organized and funded they are. I want to be clear, this isn’t a negative comment towards the CIA; in actual fact I would have been surprised if they were NOT doing everything they could to protect the country.
This is a very good glimpse into the inside of an organized cyber activity program, and what we need to learn from this is – zero-trust or bust.
There is a small silver lining to such a leak: this view into an organized and well-funded cyber program and the tools, tactics, and methods they used will help organizations learn how to protect themselves. Not that we didn’t know much of this before, but this will help harden and strengthen networks as a whole. A wake-up call, a chance to learn and a chance to realize that when they are well funded (which organized crime organizations are) they can mount cyber campaigns of significant complexity and capability.
Bad Actors Are Everywhere
Do not think for a second that others around the globe are not doing the exact same thing; foreign governments and organized crime are very much involved in these types of activities as well. It is just that in this case Wikileaks is calling out the CIA because that is the leaked data they received. We can learn from this, and we can become a more secure information technology industry.
Zero Trust Design
A new world of security products has started to emerge in recent times, and new design philosophies are being suggested, but it does require a paradigm shift in thinking, and the realization that security will start to impact users’ day-to-day lives a bit. No different than when seatbelts became mandatory.
Encryption In The Way
On a recent podcast (Cisco Champion Radio), Peter Jones from the Cisco Catalyst team tossed out this quote (sorry, I do not have the original writer’s name): “The days of scratch and sniff on packets is over”. Everything is encrypted. Google requires any site with a login to be HTTPS by Jan 2017, otherwise you are flagged, and the majority of network traffic is encrypted.
That means technologies like NBAR and other deep packet inspection (DPI) technologies are going to cease to function, which makes managing our networks more difficult.
Technologies like Tor allow telescoping encryption tunnels to anonymize traffic as it flows across transport networks; DPI is useless there.
Network-As-A-Sensor / Enforcer
Technologies like Cisco StealthWatch (previously Lancope) provide analysis of NetFlow data, which does not require the packet payload to detect suspicious network traffic; it scans for deviations from standard network traffic and then provides analysis.
Tetration collects network flows and then builds connectivity patterns, looking for deviations from baselines, similar to StealthWatch but with a component of unsupervised machine learning.
Cisco ACI operates under the principles of micro-segmentation between object groups in the data centre, locking down interactions (assuming you implement it correctly) between objects in the network. The way I explain ACI to my clients is simple: the network is turned on its head from “trust everything” (in a typical switch/router arrangement) to “trust nothing”, where every interaction requires a rule (or contract).
Then we have breakout companies like Illumio who are thinking a little differently: in their mind each system already has great security technologies, and without changing the network at all they orchestrate the packet protection engines within the operating system to provide micro-segmentation. Great content on Illumio can be found on Tech Field Day 12.
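To make the “trust nothing, every interaction needs a contract” model concrete, here is a small Python policy check written for this post (my own example, not Cisco’s, Tetration’s or Illumio’s code). It evaluates constructed NetFlow-style records, which carry no payload, against a set of directional group-to-group contracts and reports every flow that a default-deny stance would block; the endpoint groups, addresses and contracts are made up for the example.

```python
"""Default-deny contract check over constructed NetFlow-style records."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed endpoint groups (the "object groups" of a micro-segmented fabric).
# A host missing from this map is unclassified and matches no contract.
GROUPS = {
    "10.1.1.10": "web",
    "10.1.1.11": "web",
    "10.1.2.20": "app",
    "10.1.3.30": "db",
}

# Contracts: (consumer group, provider group) -> allowed (proto, dport) pairs.
# Contracts are directional; anything not listed here is denied.
CONTRACTS = {
    ("web", "app"): {("tcp", 8080)},
    ("app", "db"): {("tcp", 5432)},
}


def evaluate(flow):
    """Return 'permit' if a contract covers the flow, otherwise 'deny' (the default)."""
    src_grp = GROUPS.get(flow.src)
    dst_grp = GROUPS.get(flow.dst)
    if src_grp is None or dst_grp is None:
        return "deny"  # unclassified endpoints never match a contract
    allowed = CONTRACTS.get((src_grp, dst_grp), set())
    return "permit" if (flow.proto, flow.dport) in allowed else "deny"


def audit(flows):
    """Return the flows that would be denied: the interactions a flat network lets through."""
    return [f for f in flows if evaluate(f) == "deny"]


# Constructed flow records, modelled on the fields a NetFlow export carries.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "10.1.2.20", 8080, "tcp"),  # web -> app, covered by contract
    Flow("10.1.2.20", "10.1.3.30", 5432, "tcp"),  # app -> db, covered by contract
    Flow("10.1.1.11", "10.1.3.30", 5432, "tcp"),  # web -> db directly, no contract
    Flow("10.1.2.20", "10.1.1.10", 22, "tcp"),    # app -> web ssh, reverse direction, no contract
    Flow("10.1.9.99", "10.1.3.30", 5432, "tcp"),  # unclassified host -> db
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("DENY", f)
```

Feeding real flow exports through the same check turns the contract list into a detection source as well as a policy: every denied flow is a conversation nobody wrote a rule for.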
Final Thoughts – What Does This Mean?
This should be a wake-up call: stop thinking traditionally, start realizing the threats are out there. Realize that security exploits are spending years in the wild without detection and that ZERO TRUST is the only model that matters anymore. Do not rely on signatures and definitions to protect you. A layered approach to security is your only defense against a growing world of threats, but firewalls and intrusion prevention are no longer good enough. You need a strategy and a plan to protect yourself, because it is not a matter of if, it will be when, and you had better be ready to respond.