Sunday, June 12, 2016

My Thoughts On "no internet for the public sector"

What up.

Recently, the Singapore government decided to cut off internet access for public servants for security reasons. It was said that we are one of the prime targets. WHO ISN'T?
To read more, go to:

What are my thoughts on this?
*This was first written as a Facebook comment in response to an annoying post with a bad analogy. I wanted it to be a sharp and poignant comment, but it ended up as a wall of text. So I've decided to put it up here in case anyone tries to pull another BS argument about how cutting off the internet was a good decision.

No internet but haz email??? 
It's not pragmatic. Attackers will hit the systems that still require internet access and perform lateral movement from there. Exposure is limited, but not eliminated. Moreover, email is still active and IS a point of entry. AV is good at preventing known threats from entering, but most malware is bespoke and mutates faster than an AV can keep up (e.g. it will be weeks before AV signatures are updated to catch an APT's malware, and months before systems get patched for zero-days). It is possible to worm through a network without internet access. Yes, no internet = no beaconing back to the C2 (command and control) server, but that doesn't mean malware can't work. Malware can still worm through operating system vulnerabilities, performing lateral movement like a human attacker would, and it's only a matter of time before it propagates and finds exfiltration points to beacon from or bring data out through.

So eliminating internet access keeps employees safe? To a certain point, but then you need to truly air gap your systems, i.e. no email from the internet either. But no one can truly work on pure intranet email, can they? Since they rely on AV for email entry anyway (and they better be), why not allow internet via proxy servers (e.g. all HTTP/HTTPS has to go through those machines for internet access)? Keeping email while eliminating the internet is like giving up ice cream to cut down on calories but going nuts on Oreo cookies, thinking they are not as sugary.

This is a security architecture problem. Pulling out the WAN cable is at best naive. If government agencies want to be truly secure by this logic, PEN AND PAPER PLEASE.

A Short Note on Defense
So how to defend? Preventive and detective controls. Make it hard and expensive for attackers to get in and maintain control. Preventive controls - the usual patch management, application whitelisting, host AV, exploit mitigation such as EMET, etc. But make no mistake, they will NOT prevent everything. They are there to be speed bumps and trip wires. E.g. if you have AV, the attacker needs to evade it and may avoid touching disk altogether; this could mean PowerShell, DLL injection, reflective DLL loading, etc. If you are patched in a timely manner, attackers need to spend $$ using their expensive zero-days, and once one is used and found during forensics, it's no longer a zero-day or as effective. If you have exploit mitigation, attackers need to craft exploits that evade it. If you have logging in place, attackers cannot use noisy brute-force methods, as those may give away their position. If you have... ok, you get what I mean. The same goes for application whitelisting, configuration hardening and other forms of controls on both endpoints and servers.

Detective controls - first, harden every route except for one or two paths left open for attackers. Why? 1) You can map out the likely attack paths for easier detection; 2) you can place more sensors on those paths for a higher detection rate; 3) you decrease false positives, allowing analysts to concentrate their effort on hunting down threat actors rather than responding to random events happening all over the network. Going further, implement a honeynet/honeypot within the network: systems within the organisation that no one would normally or ever access, whose whole purpose is to trigger alerts whenever a foreign threat actor logs in. This will trip up attackers when they perform lateral movement. And yes, they WILL perform lateral movement. =) There is more to talk about, such as going beyond the network and doing endpoint threat detection, or EDR, basically. Hunt for IOCs instead of being event-driven. Yada yada...
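To make the detective-controls idea above concrete, here is an added example (not code from the original post) of the two alerts a decoy host buys you: any logon to a honeypot is an alert on its own, and the fan-out pattern of one account hopping between hosts is what lateral movement looks like in logon records. The decoy hostnames, accounts, thresholds and log lines are all constructed for the demo.

```python
"""Constructed-log demo of the post's intranet honeypot idea: any logon to a
decoy host is an alert, and one account fanning out to several hosts in a short
window is flagged as likely lateral movement. Hosts, accounts, lines: all made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical decoy hosts that no legitimate user or job ever touches (assumption).
HONEYPOT_HOSTS = {"FIN-ARCHIVE-07", "HR-BACKUP-02"}
FANOUT_THRESHOLD = 3                   # distinct target hosts per account
FANOUT_WINDOW = timedelta(minutes=10)  # reached inside this window = fan-out

# Constructed sample logon events: timestamp, account, source host, target host.
SAMPLE_LOGONS = """\
2016-06-12T09:01:10 alice WS-114 FILESRV-01
2016-06-12T09:02:45 bob WS-220 MAILSRV-01
2016-06-12T09:05:02 svc_print WS-114 FIN-ARCHIVE-07
2016-06-12T09:05:40 svc_print WS-114 PRINTSRV-03
2016-06-12T09:06:15 svc_print WS-114 HR-BACKUP-02
2016-06-12T09:07:30 svc_print WS-114 DC-01
2016-06-12T13:30:00 alice WS-114 FILESRV-01
"""

def parse_logons(text):
    """Parse one space-separated logon event per line into a list of dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, dst = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "dst": dst})
    return events

def honeypot_alerts(events):
    """Every logon to a decoy host is high-confidence: nothing legitimate goes there."""
    return [e for e in events if e["dst"] in HONEYPOT_HOSTS]

def lateral_movement_alerts(events):
    """Flag accounts that reach FANOUT_THRESHOLD or more distinct hosts within FANOUT_WINDOW."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= FANOUT_WINDOW}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append((user, sorted(hosts)))
                break  # one alert per account is enough for the analyst
    return alerts
```

Feeding `parse_logons(SAMPLE_LOGONS)` to both functions flags the two decoy logons and the `svc_print` account that touched four hosts in under three minutes, while alice's two routine logons to one file server stay quiet.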

The landscape has changed so much that you can no longer expect to keep attackers out. It's not about "if" but "when". A security professional's job is to give attackers a hard time getting in and, when they do get in, to detect and triage before they do any significant damage (e.g. exfiltrate data, deny service, set up watering-hole points). Most organisations don't even know that a threat actor is within their network until 6 months later, or until there's a "sale" on the darknet.

We need to do better than pulling out the ethernet cable. Don't you fucking give up on us!
