Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    How do you quantify "more data than usual" and configure your alerts to avoid alert fatigue?

    If we push 500 Gig a night, with 10% variance, Russia can push 50G of "other" data before raising an alert.

    We use calculated rolling baselines for lots of performance alerting, and found those systems get "gamed" accidentally far too often.

    A few dropped packets, not enough to raise an alert, but enough to shift the baseline...

    a few more dropped, not enough to raise an alert (against the new baseline) but enough to shift it again.

    All of a sudden, users are complaining, but everything is green across the board.
     
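The baseline-drift failure mode described in the post above, as an added illustration (not code from any poster in this thread): a constructed 500 GB-per-night series, a 7-night rolling mean with a 10% tolerance, and for contrast an anchored baseline that only changes when an operator deliberately re-learns it.

```python
from statistics import mean

NORMAL_GB = 500.0   # constructed: a normal night's push volume
TOLERANCE = 0.10    # alert when tonight exceeds the baseline by more than 10%
WINDOW = 7          # rolling baseline = mean of the previous WINDOW nights


def creeping_series(nights=30, step=0.08, window=WINDOW):
    """Constructed scenario: WINDOW quiet nights, then each night carries
    extra data sized so the total is `step` (8%) above the current rolling
    baseline, i.e. always inside the 10% tolerance but pushing the mean up."""
    volumes = [NORMAL_GB] * window
    for _ in range(nights):
        baseline = mean(volumes[-window:])
        volumes.append(baseline * (1 + step))
    return volumes


def rolling_alerts(volumes, window=WINDOW, tol=TOLERANCE):
    """Night indexes where volume exceeds a rolling-mean baseline by > tol."""
    return [i for i in range(window, len(volumes))
            if volumes[i] > mean(volumes[i - window:i]) * (1 + tol)]


def anchored_alerts(volumes, window=WINDOW, tol=TOLERANCE):
    """Same threshold, but the baseline is frozen from the first `window`
    nights, so slow drift cannot move the goalposts; re-learning it is an
    explicit operator decision, not an automatic side effect of yesterday."""
    baseline = mean(volumes[:window])
    return [i for i in range(window, len(volumes))
            if volumes[i] > baseline * (1 + tol)]


def extra_gb(volumes, normal=NORMAL_GB):
    """Total data above the true normal volume across the whole series."""
    return sum(v - normal for v in volumes)


if __name__ == "__main__":
    series = creeping_series()
    print("rolling-baseline alerts :", rolling_alerts(series))        # []
    print("anchored-baseline alerts:", anchored_alerts(series)[:3], "...")
    print(f"final nightly volume    : {series[-1]:.0f} GB")
    print(f"unexplained data total  : {extra_gb(series):.0f} GB")
```

The rolling check never fires because every night is individually "within tolerance", while the anchored check fires on the third night of the creep; the cumulative unexplained volume is what the rolling alert silently absorbed.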
  2. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    11,232
    Location:
    Brisbane
    I'm not super familiar with the process of uploading that data to Azure, I would have assumed you'd have some kind of POI into your service though, in which case it would be pretty straightforward to spot anomalies because in lieu of going to your usual data happy place it's off to another possibly less happy place.

    It's a fair question though which I probably haven't addressed above, once this **** of a headache passes hopefully I'll be back to reality and bring something more substantial than words to the table.

    / Equifax as well, forgot to chuck that one in :p
     
  3. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    4,952
    Location:
    qld.au
    So you don't browse the web or use any service at all without individually whitelisting the IPs? If so, I don't believe you :)

    Again, as bad as the compromise is we're not talking classified data here. It's basic commercial information. The procedures for classified information are very, very different.

    This hacker had 3 months of access, even if you drip feed 30GB over a week I doubt you'd notice.

    Not going to see it. The only way you're going to see it is if you're doing deep packet inspection and blocking any SSL you can't get the firewall to MITM. I've worked with a number of different tools over the last 7 years and none of them have provided that level of granularity (nor can it). There are so many tools (SIEM being the latest buzzword to extract $$$) but I'm yet to see one deliver.

    I'm currently processing large amounts of network data with about 5 different tools at present, including systems which use Holt-Winters, machine learning etc. for anomaly detection. Nothing works well enough yet because traffic patterns on a low level will never conform to a predictable pattern. Think about mapping user traffic: on a large scale it's trivial to see patterns (i.e. busy 8am onwards, drops off at 5pm) but if you had to write an algorithm to map out 100% of user behaviours per 5 minutes it's impossible.

    Hackers aren't dumb and people seem to forget how clever they can be. They know usage patterns and they know what firewalls do. Rate limiting brute force and spam etc is something which most of their scripts do these days, it's much more effective for them.
     
  4. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    11,232
    Location:
    Brisbane
    Interesting observations to chuck in, cheers!

    To be honest it's all a bit of a moot point really, the amount of confidential stuff that staff leak accidentally or uploading to stuff like virustotal etc is probably a way bigger risk!

    I was impressed at one org I worked with, captured every DNS request generated globally on their workstations and analysed them looking for data exfiltration over DNS. A truly gigantic amount of data to sift through, and overall probably pretty limited value :p

    As you say though, tiny bits of data getting leaked are nigh on impossible to detect.

    I never fail to be amazed at how the concept of jumping between networks via jump hosts for malicious gain just doesn't easily resonate with people.
     
  5. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    3,993
    Location:
    Briz Vegas
    Of course not, because surfing the web is downloaded traffic, not uploaded traffic, whereas the 30GB was uploaded somewhere else. I hope this helps you understand the 2 differences in classification of traffic.

    EDIT: I understand your viewpoint, let's put it into perspective.

    I have worked in places where you weren't allowed to do the following:
    1) Take any communication device with you.
    2) Take any portable storage devices with you.
    3) Send any information outside of the internal network.
    4) Searched on entry and exit for stuff.

    If we needed external information we had to use a specific workstation segmented from the internal network.

    Security huh who would have thought.
     
    Last edited: Oct 12, 2017
  6. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    9,791
    Location:
    Canberra
    Not to be that guy, but aren't #censusfail #absfail the same thing?

    Also aircraft design files aren't classified very high or cared about.

    The stuff they actually care about (war fighting) is on networks that don't have links to the internet / one-way data diodes.
     
  7. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    11,232
    Location:
    Brisbane
    Based on phone calls I received vetting a mate of mine who was doing aircraft maintenance for the military, I would assume they're classified at around the Secret level or higher.
     
  8. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    4,952
    Location:
    qld.au
    Let me know, however, how you'd differentiate a drip-fed exfil to a distributed system when there are constant websocket streams to hundreds of servers across a 50-user network?

    What system would you use to detect the anomaly?

    Again, only the most immature hacker will be simply chugging the data out at full speed and those sorts are rarities. Even the halfway clever ones are going to limit the bandwidth to stay under the noise floor and they know non-HTTP based ports are generally blocked. It's so trivial to stream data over an HTTP connection which looks exactly like other traffic and the programs to do so are easily available.

    I used to design and get the places you probably worked in to those standards, including SCIFs. I understand security very well and hence I know exactly why classified systems have an air gap in place.

    It doesn't mean a thing however when it comes to a standard business network, other than financial and commercial embarrassment.

    You're not going to detect exfil done correctly, it's as simple as that. If they've already gained access to your network then it's a case of game over. I have worked on and had to analyse the root cause for hundreds of compromised systems where the company / government entity wasn't aware. Even when they've had someone employed in an ITSM / CSO roles, UTM, SIEM etc all deployed it's still not enough. It's the equivalent of trying to catch a bullet after someone's shot at you, to think you can do anything effective is just fanciful.

    Commercial data only, not classified data.
     
    Last edited: Oct 12, 2017
  9. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    11,232
    Location:
    Brisbane
    That is of course where having a good threat model kicks in, and designing controls appropriately. If you assume data can be exfiltrated undetected, and adversaries will be using 0days to pivot, you go from there. It's all layers. Any sufficiently advanced adversary is going to be almost impossible to detect, look at Kaspersky with their infection. Almost entirely resident in memory, relied on kernel 0days for infecting systems, bugger all comms.

    Once the Mossad is on the table all bets are off, and with the ever increasing amount of automation happening the attack surface will continue to increase.

    Though as evidenced in the USA, people walking out with data seem to continue to be the bigger threats :tongue:
     
  10. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,071
    Location:
    Sydney
    You're pretty much describing how random walk works in financial markets. So if your ML can detect events in your data you probably should get outta IT and work for a hedge fund.
     
  11. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    9,910
    *Cough* Or Kaspersky to the KGB *Cough*

    How many false positives were generated... One of our endpoints used DNS for its signature lookups... Your DNS request checking system would have probably generated a fucktonne of alerts for it :).

    What was in place as far as DLP goes for this?

    Right now, I'm sending the text of this post "outside the internal network". Could you post to forums?

    Could you make GET requests to HTTPS sites? Or did it simply have no internet connection?

    NotPetya demonstrated that getting caught in the crossfire of state actors performing cyberwarfare IS going to happen. You don't need to be a target of Russia to find yourself up against high level state sponsored cybersex.
     
  12. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    9,155
    Location:
    Rocky
    Status:
    Folding!
    ................................

     
  13. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    9,791
    Location:
    Canberra
    Nope, not really. Remember a platform is a bunch of really highly protected black box devices connected together. The manuals for the bit that connects everything together aren't that important.

    You then have the black boxes, the strategic and tactical information. Defence likely doesn't have access to many of the black boxes' internal details and the other types of information are classified at the level required (tactical ~S, strategic ~TS).

    Airside can be funny because it's unclass, S and TS all at the same time.
     
  14. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    29,967
    Location:
    Brisbane
    So.... we don't care about 30GB of data walking out the door from a company that does work for the military? Like, we're just so numb to this shit now, that it rates as "meh"?

    Sign of the times, I guess.
     
  15. connico

    connico Member

    Joined:
    Jan 30, 2004
    Messages:
    2,659
    Location:
    Sydney
    admin / admin

    that's the sign of the times...

    We just recently encouraged a very large banking corporate to change the way their passwords work. Move towards a more Google type of pass system if you know what I mean... Was rejected all around by the board members... as it was too complicated... Maybe I shouldn't have shown what a typical one-use key password looked like...
     
  16. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    9,791
    Location:
    Canberra
    It's not a sign of the times, it has always been this way. That's the entire point of ACSI33/ISM etc. It's about figuring out what is really worth protecting and putting in controls to actually protect it (the best controls are physical). From a Government point of view the data loss that really actually matters to them is intelligence and strategic planning. From there it's a slippery downward slope. Yeah, losing every member of the public's private details would be embarrassing but compared to the day before that event, the threat profile to the country hasn't really changed.
     
  17. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    4,952
    Location:
    qld.au
    This. You can virtually ignore the fact that it's a Defence related company, that's just what makes it sexy for the news channels. It's embarrassing yes and you should expect that they know more about security than other businesses... but it's not the case. From a commercial viability and reputation perspective these sorts of companies should take basic security of their unclassified systems far more seriously but they don't because that's always been the norm for smaller businesses.

    Medical and financial companies are just as bad, I've seen passwords in both sorts of organisations with passwords as weak as "Password1". I really didn't think people used anything that simple until I had to investigate breaches... and the reality would horrify people like elvis :)

    Oh, and govt organisations: I know of at least two with a system which had admin / admin with zero firewall / DMZ. It's normally the excuse of "it was just to set it up" and 2 years later they forgot. It's why having a strong security ethos within a company takes real dedication; users are there at every step to place barriers in front of you.

    I'm all for welcoming our AI overlords to control all things IT, just wish they'd hurry up!
     
  18. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    29,967
    Location:
    Brisbane
    While your response is highly clinical, my comments were more aligned with basic give-a-shit and personal integrity.

    The fact that shit gets hacked at the rate it does because absolute basic 101-style suggestions are not followed is alarming.

    Although the fact that so many people are not alarmed (some borderline catatonic) is where my "sign of the times" comment comes from. I've worked for some pretty fucking banal businesses in my time, but I sure as shit didn't have unpatched servers and admin/admin type crap going on there.

    The attitude from higher in the chain is even more concerning. Turnbull wants a national identification database. People said "what about the security of that database?". Turnbull replies:

    "You can't allow the risk of hacking to prevent you from doing everything you can to keep Australians safe."

    http://www.smh.com.au/federal-polit...ver-all-drivers-licences-20171003-gytshq.html

    Top answer, boss. Zero fucks given from our PM. That's just super.

    This whole industry is fucked from top to bottom.
     
    Last edited: Oct 13, 2017
  19. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    2,770
    Location:
    Canberra
    black box, otherwise users will bias the engine to ensure pwd == username ;)
     
  20. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    50,753
    Location:
    brisbane
    surely he understands what he just said, surely.
     