Dan Guido on teaching penetration testing courses; intrusion analysis
Date: Jul 18, 2011
In this video Q&A with SearchSecurity.com News Director Rob Westervelt, iSec Partners Security Consultant Dan Guido discusses his penetration testing courses at NYU and how they change the worldview of aspiring infosec pros, plus his research on intrusion analysis and his belief that it’s time for enterprises to rethink how they approach intrusion defense.
Read the full transcript from this video below:
Rob Westervelt: Hi. Thanks very much for watching this video. I'm Rob Westervelt. In this edition, we're going to be talking about malware, and more specifically, whether malware is getting more sophisticated, and how enterprises can actually learn by studying what attackers do. Joining me is Dan Guido; he's with iSEC Partners. Dan, thanks for being here.
Dan Guido: You're welcome.
Rob Westervelt: So, Dan, why don't we start off with your teaching? I understand you teach Pen Testing and Vulnerability Analysis at NYU. Tell us a little bit about that.
Dan Guido: It's a graduate course. The people that usually take it are fourth year undergraduates and first year master's students. Every once in a while we get a PhD, or two. And it's a course that teaches people how to think like attackers. We walk them through all the different skills that you would need, all the different skills that attackers acquire in their daily life, in order to perform successful intrusions and successful attacks against applications, against networks, against infrastructure. It's a very offensive course; we don't discuss defense. That's for the rest of the program to give them.
Rob Westervelt: Why is it important to think like an attacker?
Dan Guido: Well, I think as an industry we've kind of lost focus a little bit. We tend to think nowadays that security is about secure code. But security is about defense against attacks, and attacks have more components to them than just an insecure piece of software. Attacks are comprised of threats, and threats have different motivations, and they have different capabilities, and they have different techniques and tactics and procedures that they rely upon and reuse from intrusion to intrusion. And going through my class is one way that people can become aware of that.
And, yeah, I think as an industry we've gone a little bit off course. So my talks, my teaching, all that is sort of aligned along the path that you must know who is attacking you. And the more familiar you become with them, the more effective your defense is going to be.
Rob Westervelt: So, Dan, do people actually change when they take that course, from the beginning to the end of the course?
Dan Guido: Yeah, absolutely. The feedback that I get from students that take it is usually amazing. Because we're basically teaching computer science students how to walk through walls, right? It's very rewarding for the people that do very well at it. So, I've had a number of people that graduate the class, that go on to work in the local security industry, that change careers, that decide in their final year of computer science that this is what they really like to do. And it's very rewarding as a teacher as well, to see that happen.
Rob Westervelt: So, you're teaching this methodology to individuals, but how can enterprises actually use this to defend against attacks, or even go on the offensive, as you put it?
Dan Guido: I think that, again, as an industry, as people that are working in this industry, we've forgotten what security is, that security is defense against attacks. Security is not freedom from malware. Security is not having secure code. Security is about awareness of what attacks are going to occur, and doing your best to prevent and detect them. And people seem to lose the component of the actual person performing that, and focus on easier to grasp concepts, like the number of vulnerabilities that I have, or the pieces of malware that I have. And that loss of focus has resulted in all of the successful attacks that have been performed in the last few months.
Everybody comes out and says, "Well, we did everything that the industry said we were supposed to do. We followed all the check boxes. We have our IDS, we have our AV." But nobody actually sat down and compared the effectiveness of those security measures against real attacks as they were occurring in the wild. And if they did that, they would have seen just how ineffective they were.
Rob Westervelt: What do you say to people that say, "Wait a second, we're failing at the basic security things," and now you want them to think about what cybercriminals are doing, and apply it?
Dan Guido: Right. So, in my talk, I actually make this case pretty well, I think. The attackers that are in vogue right now are APT. Everyone's very concerned about these targeted attackers, people that apply vast resources in order to compromise organizations with very high effect. But as an industry, everybody is still affected by things like mass malware. That is a problem that is just as persistent as the advanced persistent threat.
So, how do we really expect to go after something like the advanced persistent threat, if we can't stop ourselves from being hacked by accident? So, we definitely need to take a few steps back and look at the mistakes that we've made and that we're continuing to make, and solve those "easy problems" first.
Rob Westervelt: So, you also run the Exploit Intelligence Project for iSEC Partners. Tell us a little bit about that, and what kind of data you're getting from that.
Dan Guido: So, the Exploit Intelligence Project was me trying to answer the question: how are exploits actually used in the wild? And in doing that, I collected a lot of basic raw data about how exploits are used, but I also developed techniques for analyzing that data in order to come up with effective defenses based on it. And what I'm trying to do with those analysis techniques, which I call tradecraft, is flip the defender's dilemma on its head.
I'm trying to look at something that attackers are bad at, and I'm trying to show that they are as resource constrained as you are as a defender. And because they are resource constrained, you can attack them back and apply different security protections that make it more expensive, that make it more difficult for them to have a successful intrusion, in a way that flips this whole model of the defender's dilemma on its head. So, that is the Exploit Intelligence Project in a nutshell. It just happened that for the first case study I performed, the weak point was exploits.
For other groups of attackers, for targeted attackers, for people that are out to steal PII information, for nation-state-sponsored people, or nation-state-associated people like APT, the answers will likely be different. It might not be exploits; it might be something else that is the most effective point at which to disrupt your adversary. But in this case, for mass malware, it is very clearly the exploitation phase.
Most of the products that we have out today presume that they can somehow beat determination, that they can beat a determined attacker that wants to compromise my organization. And people put out these turnkey products that are presumed to be some kind of one stop shop, in order to prevent all of these attacks, or detect them or whatnot. And what I'm saying is that technology does not beat determination, that we need to have awareness of what the attackers are doing, what they're good at, what they're bad at, what's expensive, and sort of this holistic view of the full cycle of where they start to where they finish, rather than just these little points in between.
Rob Westervelt: So, you've found that out of thousands of vulnerabilities, you've been able to whittle it down to just 13 that are of great importance.
Dan Guido: So, basically in the industry, there's this myth, this myth of sophistication that everybody believes that every vulnerability out there is going to be exploited, everyone is worth caring about. But the reality, as I said before, is that attackers are resource constrained, too. They have to optimize their own efforts in order to get the maximum return.
And what you find when you actually collect attack data, when you have this data to verify, you see that among certain groups of attackers, such as mass malware, out of those 8,000 that come out every year, they're only abusing about 13, 14 of them every year. So it becomes a very valuable exercise to figure out why they're choosing those 13 or 14, and what makes those 13 or 14 special, rather than focusing on all 8,000 that come out every year, which can be incredibly costly and hard to do.
I mean, 8,000 vulnerabilities is 600 vulnerabilities per month. That's 20 per day. Even if each of them were just an email and I spent like five minutes on each one, I'd quickly get overwhelmed, with everything else I have to do as a defender. So, part of what I'm trying to explain here is that we can focus our defense. We can have a less costly, more effective defense, if we can think like our attackers and identify those 13 in the same way that they do.
Rob Westervelt: The other thing I saw that was really interesting was that there are only four vendors that are really affected here, that are really targeted by attackers: Oracle, Adobe, Microsoft and Apple.
Dan Guido: Yeah. So, as I said, these dominant platforms give the most return on investment for somebody that's developing exploits like this. I don't want to go attack a piece of software that's only going to be installed on one out of every ten people that I go after. If I'm launching an opportunistic attack that works based on volume, I need to go against a piece of software, develop an exploit for a piece of software, that everybody has. And whether it's third party or first party, the fact remains that things like Flash and Reader and Java and QuickTime all have market shares of upwards of 50%.
So, while there may be vulnerabilities in all sorts of random pieces of software that you have, there are ones that matter more than others. And the ones that matter more than others are the ones in those software products.
Rob Westervelt: So, if an enterprise is going to be using your strategy or your technique here, is this a process change, is this a technology change, or is this kind of a mixture of both?
Dan Guido: I'd say it's absolutely on the process side. The technology changes that you have to make are the result of the process changes that you will make. In my presentation, I go through my analysis of attackers. And through that process that I performed, that's where I came up with the effective defenses that were useful to implement. Things like the Enhanced Mitigation Experience Toolkit, or EMET, from Microsoft. These arose naturally as the result of my analysis process.
So, it's very important for an organization to get good data about attackers that care about them, that are going after them, and then to have smart people analyze that data. Now, as a corporate defender, as somebody working for a Citibank, a giant company like this, it may be difficult to have that level of expertise internally. So, I'm also recommending that people in the industry, people in the security industry who do products, who do consulting, who do have the ability to hire these very technical experts, perform the same kind of analysis that I am.
Rob Westervelt: Dan Guido of iSEC Partners, thanks very much for being here.
Dan Guido: You're welcome. I had fun.
Rob Westervelt: And thank you for being here. For more information on this topic and others, you can go to SearchSecurity.com.