EndGame CEO: Root Out Hackers Before They Strike (qz.com)
The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers. An anonymous reader quotes Nate Fick's article on Quartz:
Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cybersecurity... the vast majority of cybersecurity spending is still going to prevention and perimeter security. Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...
The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.
Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
Seems like you just made yourself a target.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...
Just stop babbling nonsense. It seems that "we gotta get 'em basterds" makes for a better headline, but... every breach I've seen in the last years is due to *catastrophic negligence*. Including the (admittedly, for the time) very high tech Stuxnet thingie in Natanz. I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports? And operators willing to stuff a $RANDOM_USB_STICK into that? Seriously?
How many levels of fail was this?
Now go through all the last breaches, and think again: how many levels of fail?
> Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
So stop buying snake oil and take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).
Next step is implementing technical measures. Make sure that someone in-house understands thoroughly what's going on. Resist the urge to buy the next shiny thing because the salespeople of this company look smartest: remember that the investment in those smart salespeople isn't going into hard core development -- and that's what you want.
Fick's an idiot. This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is, where well-known "products" often enlarge your attack surface instead of reducing it.
Fick reminds me of some dictator in some semi-failed state making up an Enemy of the Nation to make people forget that their actual problem is internal corruption and missing crops.
"Instead, going on the offense and hunting for adversaries entails surveying your assets stealthily and continuously."
You mean like having a monitoring system in place? Checking for too many consecutive failed logins? Unauthorized IPs trying to connect to sensitive servers/devices? Checking to see if any IPs registered to APNIC have gotten logged in? Checking on the md5 hash of the /etc/password file and reporting whenever it changes? Installing an IPS in front of the edge of the network?
Can someone please help me understand what's so different about what this guy is proposing, vs common practices which already exists? What, he's going to develop an AI for IPS systems so we never need to feed them rules again?
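The checks the comment lists (consecutive failed logins, logins from addresses that are not on the approved list, a hash of the password file that is reported when it changes) are the ordinary monitoring baseline, and here is what they look like written down. This is an added example, not code from the original post, from Endgame or from any product; the auth log lines, the password-file snapshot and the allowed networks are constructed for the demonstration, and the hash is SHA-256 rather than the MD5 the comment mentions.

```python
"""Three baseline monitoring checks over constructed sample data (added example)."""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the contents of /etc/passwd when the baseline was recorded.
BASELINE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"www:x:33:33:www:/var/www:/usr/sbin/nologin\n"
)

# Constructed OpenSSH-style auth log lines (syslog format, one event per line).
AUTH_LOG = """\
Mar  3 02:14:01 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web1 sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:05 web1 sshd[4013]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:07 web1 sshd[4015]: Accepted publickey for deploy from 198.51.100.9 port 40112 ssh2
Mar  3 02:14:08 web1 sshd[4017]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 02:14:09 web1 sshd[4019]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  3 02:14:11 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51058 ssh2
Mar  3 02:15:00 web1 sshd[4023]: Failed password for alice from 192.0.2.44 port 33001 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


def file_digest(content: bytes) -> str:
    """Digest of the file contents; store this when the baseline is taken."""
    return hashlib.sha256(content).hexdigest()


def passwd_changed(baseline_digest: str, current_content: bytes) -> bool:
    """True when the file no longer matches the recorded baseline digest."""
    return file_digest(current_content) != baseline_digest


def brute_force_sources(log_text: str, threshold: int = 5) -> dict:
    """Consecutive failed logins per source address.

    A successful login from the same source ends its run; other sources are
    tracked independently. Returns {ip: run_length} for runs that reached
    the threshold."""
    runs = defaultdict(int)
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(2)
            runs[ip] += 1
            if runs[ip] >= threshold:
                flagged[ip] = runs[ip]
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            runs[m.group(2)] = 0  # a success ends the failure run for that source
    return flagged


def unauthorized_logins(log_text: str, allowed_networks) -> list:
    """Successful logins from addresses outside the approved networks, as (user, ip)."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        user, ip = m.group(1), m.group(2)
        if not any(ipaddress.ip_address(ip) in net for net in nets):
            hits.append((user, ip))
    return hits


if __name__ == "__main__":
    baseline = file_digest(BASELINE_PASSWD)
    print("passwd changed:", passwd_changed(baseline, BASELINE_PASSWD + b"x:x:0:0::/:/bin/sh\n"))
    print("brute force:", brute_force_sources(AUTH_LOG))
    print("unauthorized:", unauthorized_logins(AUTH_LOG, ["10.0.0.0/8"]))
```

Each function returns its findings instead of alerting directly, so the same checks can be dropped into whatever collector or cron job the shop already runs; the thresholds and the allowed networks are the parts that need local tuning.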
How do you 'root out' a non-domestic hacker? Drone strikes?
But very little content in there. I did not read any form of plan.
Well it isn't, but it's certainly easier to exploit a system if you allow shit like BYOE - oh sorry, that's normally BYOD, but "Bring Your Own Exploit" is far closer.
"" Insisting staff use laptops and 'floating injection points' rather than the good ol 'machine on a desk' that's assigned to you.
I'll concede 'floating injection points' , sorry desks, do initially save money, but really it's not a win.
The base problem is that when it comes to a choice between money, convenience and security - security is always shafted. Well I have news for you, it can't work.
I'll concede the fact that 100% security is hard and probably unprovable, but really current practice is just plain stupid.
Read the article, and I honestly don't see his end goal.
Got the impression all he wants is penetration testing and security through obscurity, or monitor incoming traffic for "malicious intent".
I could be mistaken as the whole article was a bit of a buzzword bonanza.
Threat Hunting isn't exactly a new concept, it's been around for ages.
But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.
So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype
Attack is the best form of defence.
End-users, the "layer 8" of the OSI model. One way to stop a good chunk of intrusions: force everyone in your organization to go back to plain-text email. No more HTML emails, no more files attached to emails, no embedded links or graphics. Almost every time I read about some new ransomware hit, or most break-ins, it's always some phishing attack via email. Obviously these end-users aren't capable of being educated how to recognize them, so to me the only way to "fix" the problem is to BOFH the situation and remove the most commonly used paths of attack. Anyone who demands these "enhanced capabilities" should also be made to sign an addendum to their employment contract that they are financially responsible for any attacks that they allowed because they just "had to have the ability for people to send them files in their Outlook".
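The plain-text-only mail policy the comment proposes is something a gateway can enforce mechanically: parse each message, and flag any HTML body, any attachment or any link. The script below is an added example, not code from the original post or from any mail product; the two messages it checks are constructed in the script itself, and the policy (reject on any finding) is one reading of the comment, not the only one.

```python
"""Plain-text-only mail policy check over constructed messages (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def build_rich_message() -> bytes:
    """Constructed message with a text body, an HTML alternative and an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached invoice.\n")
    msg.add_alternative(
        "<p>Please open the <a href='http://example.net/x'>attached invoice</a>.</p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return bytes(msg)


def build_plain_message() -> bytes:
    """Constructed message that satisfies the policy: one text/plain part, no links."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice 1234"
    msg.set_content("Invoice 1234 is ready; pick it up from the shared drive.\n")
    return bytes(msg)


def policy_violations(raw: bytes) -> list:
    """Walk every MIME part and list what the plain-text policy forbids."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are visited by walk()
        if part.get_content_disposition() == "attachment" or part.get_filename():
            findings.append(f"attachment: {part.get_filename() or '(unnamed)'}")
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            findings.append("html body")
        elif ctype == "text/plain":
            if URL_RE.search(part.get_content()):
                findings.append("link in text body")
        else:
            findings.append(f"non-text part: {ctype}")
    return findings


def accept(raw: bytes) -> bool:
    """Gateway decision: deliver only when nothing in the message violates the policy."""
    return not policy_violations(raw)


if __name__ == "__main__":
    print(policy_violations(build_rich_message()))   # html body and the attachment
    print(accept(build_plain_message()))             # True
```

Whether a real deployment rejects, quarantines or strips the offending parts is a policy choice; the part walk is the same in each case.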
Mental attacks? Does Finland have an issue with rouge telepaths?
We should also root out murderers before they strike, by "determining" who will commit murder and punishing them while they are still innocent. Or maybe not.
Maybe this CEO is phenomenally dumb?
But the company's (Endgame) blog pages have some actual concrete info. Reading over the site, much of what he talks about is already implemented, or at least there is software out there that companies can get (much of it open source). To quote his page Hunting on hosts:" running processes, active network connections, listening ports, artifacts in the file system, user logs, autoruns", using Yari, etc. BUT, at least this page isn't just "buy my product" but does give some tutorials / examples of how to use various free utilities (like Sysinternals, Yari with Powershell, Elasticsearch) and he even includes CLI examples. I'm bookmarking this and will read over it later when it's not 04:32 and I should be asleep instead of posting on Slashdot LOL.
There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.
And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!
Here in Holland some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!
In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.
You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.
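The two elementary checks the post names (the requested uid must match the logged-in user, and the amount paid must match the server's own record of what is owed) are easy to show side by side with the "don't check" versions it describes. This is an added example, not code from the original post or from any real shop; the order table, uids and amounts are constructed, and request parameters are passed in as strings because that is how they arrive from a URL.

```python
"""Trusting URL values versus checking them server-side (added example)."""
from decimal import Decimal, InvalidOperation


def new_orders() -> dict:
    """Constructed order table: order id -> owner uid, amount due, paid flag."""
    return {
        "ord-1001": {"owner": 1234, "amount": Decimal("15.60"), "paid": False},
        "ord-1002": {"owner": 1235, "amount": Decimal("22.00"), "paid": False},
    }


def _money(value) -> Decimal:
    """Parse a request amount; anything unparsable becomes a value that matches nothing."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return Decimal("NaN")


# ---- the unchecked versions, behaving as the post describes ----

def orders_for_uid_unchecked(orders: dict, session_uid: int, uid_from_url) -> list:
    """Trusts the uid in the URL: any logged-in user can read any other user's orders."""
    return [oid for oid, o in orders.items() if o["owner"] == int(uid_from_url)]


def confirm_payment_unchecked(orders: dict, order_id: str, amount_from_url, amount_paid) -> bool:
    """Compares what was paid only with the amount the page itself put in the URL."""
    if _money(amount_paid) == _money(amount_from_url):
        orders[order_id]["paid"] = True  # never consults the real price (the bug)
    return orders[order_id]["paid"]


# ---- the checked versions ----

def orders_for_uid(orders: dict, session_uid: int, uid_from_url):
    """The uid being requested must be the authenticated one; None means 403.

    A role allowed to read other users' orders would be checked here too; the
    example does not model roles."""
    if int(uid_from_url) != session_uid:
        return None
    return [oid for oid, o in orders.items() if o["owner"] == session_uid]


def confirm_payment(orders: dict, order_id: str, amount_paid) -> bool:
    """The amount due is taken from the server's own record, never from the request,
    and an order can be paid only once."""
    order = orders.get(order_id)
    if order is None or order["paid"]:
        return False
    if _money(amount_paid) != order["amount"]:
        return False
    order["paid"] = True
    return True


if __name__ == "__main__":
    o = new_orders()
    print(orders_for_uid_unchecked(o, 1234, "1235"))   # leaks ord-1002
    print(orders_for_uid(o, 1234, "1235"))             # None
    print(confirm_payment(o, "ord-1001", "0.10"))      # False
    print(confirm_payment(o, "ord-1001", "15.60"))     # True
```

The hardened handlers keep the same call shape as the unchecked ones, which is the point: the fix is not more code at the edge but refusing to let a client-supplied value stand in for a fact the server already knows.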
Is that endgame somehow connected to that "Endgame"?
Anyone knows a site that shares the solution of those puzzles?
Yes the blushing telepaths are the worst.
FTA:
Some worry that such an aggressive approach to defense and security may break laws. It does not. To be clear, proactive hunting is not “hacking back” or illegally “shooting back” at cyber adversaries beyond the infrastructure you own. Hunting is essential, while hacking back is illegal.
I can just hear it now - the sound of yet more privacy being trampled underfoot as all those 'proactive hunting' parties go traipsing through our virtual back yards. Lovely!
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
Simple. Open door, if what's behind it is neither a lawyer or has access to some, use flame thrower. Else, wave and close door quietly.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It sure sounds like the sort of thing he'd write.
Have you learned nothing from The Terminator? It's far more efficient to kill the parents.
How about rooting out future CEOs before they have harebrained ideas. It's also much easier to predict. Just shoot every CEO during his inaugural speech.
Please move along. This is just a man who has run out of ideas and is fantasizing about high valuations and using catch-phrases and buzzwords to paint a pretty picture for the press.
> End-users, the "layer 8" of the OSI model.
They are definitely the most vulnerable part. But don't get me wrong, it's not about blaming the users. They just want to get stuff done, it's their job. And they are put under considerable pressure at that.
It's the job of the organizations to strengthen the users and to raise their level of proficiency in understanding the issues involved. Heck, they are not stupid, in real life they wouldn't hand over their flat keys to a random stranger on the street (with a small note containing their address).
The security department's job is technical, but at the same time educational. It must encompass all the "stack", starting with the users.
As long as there is a "security department" making some magic stuff nobody else understands, and which is only perceived as an impediment to the daily chore, we've lost.
What if it were T-shirts that might disintegrate under certain conditions? We would know that the fabric wasn't well tested and it could break down, but we would not know exactly how, so we follow some of the steps suggested in the comments here. (1) We would find experts on disintegrating T-shirts and learn that fire would most certainly destroy them, but water might dissolve them as well. UV light might break down some of the fibers, so stay out of sunlight and don't spend too much time in certain kinds of fluorescent light. (2) Then we educate our people. (3) Then some teenage boys would aim a hose at some of the people wearing our T-shirts. (4) Our T-shirts would fall apart to the delight of some and horror of others. (5) We would scream, "Get those naughty boys!"--though some might be secretly applaud them. (6) When it kept happening, we would say, "We've got to round up teenage boys with hoses, water balloons, and super soakers."
Perhaps we might insist on better T-shirts but it is doubtful since the new T-shirts are just way cooler. It is easier to blame the boys.
I think money was better spent learning how to properly configure your corporate systems and actually learning how to make secure applications. Some of the hacks I have read about have been possible because some idiot didn't properly secure the systems installed.
Buying security from security firms gives very little bang for the buck. Security isn't a commodity any more than love is. You can only buy fake versions of either.
Spend the same on security minded employees and individualized training. Spearfish your employees and require mandatory training of anyone caught. Hold security training without powerpoint, and keep your employees informed with facts. Pay out small bonuses to people who display awareness. Post the name of departments where anyone has attempted to run malware or otherwise shown gross negligence. Make it a people thing, not a box in the server room and some licenses.
When TFA says "Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...", they were dead wrong. It should be closer to 100%, with almost all going to internal resources.
Stop connecting everything to the internet
Hold C level officers criminally liable for breaches, including in government. The OPM, IRS and Target hacks should have resulted in the enablers going to jail.
The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers.
In other words, this ignores the fact that most hacking incidents are the result of gross negligence and incompetence (most of that shit would be stopped in its tracks if people did their security homework and put the necessary money into IT and user training).
Moreover, it tells us to go wild-west hunting for hackers. How far would you take that? Hack others before they hack you? Block others that might be suspicious? Because if you take this shit to its logical conclusion, that is where we end up.
Look, just do your bloody homework when it comes to security.
When you give a chimp a gun, and the chimp shoots someone, you don't blame the chimp.
If we can't rely on organizations to adhere to frighteningly basic security concepts (usually at the core of these breaches) how can we trust them to hire a mercenary to go on the offensive against bad guys?
I think what the EndGame CEO was trying to state was that security needs to focus more on indicators of compromise and less on "defense" against compromise. As a redteam hacker, I agree. The fact of the matter is that securing the perimeter and the endpoint against all attacks is an impossible exercise. Too many security teams have that type of mentality, "Oh, you got in? No worries, just tell us exactly what you did and we will block that specific attack vector." What they should be focusing on, is developing the capabilities to detect the intruder that has breached their defenses. We all like to talk about the magical "APT" that has unlimited time and resources and can teleport around your network without making a sound, but it just doesn't exist. Even a very advanced, skilled attacker, with months of time, is going to need to perform significant recon on the network. Much of that recon is atypical behavior for a non-malicious user.
Detecting malicious behavior isn't even that hard, it just takes some knowledge of what we hackers do. Alerting on specific domain events, looking for specific traffic patterns, and profiling normal system behavior. Even a small security shop can greatly benefit from well-placed honey pots around their network. These types of things are not visible to an attacker, and if your network is reasonably secure, the attacker is likely to trip over one or more of them before they get what they are after.
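The recon this comment describes is visible in plain connection records: one source touching far more internal hosts than a workstation ever does, one source sweeping ports on a single server, any traffic at all to a honeypot, and pairs of hosts that have never talked before. The script below runs those four checks over a constructed connection log. It is an added example, not code from the original comment or from any product; the addresses, the honeypot, the learned baseline and the thresholds are all constructed for the demonstration.

```python
"""Recon and honeypot detection over a constructed connection log (added example)."""
from collections import defaultdict

# Constructed internal connection records: (source ip, destination ip, destination port).
EVENTS = (
    # an ordinary workstation: a few HTTPS connections to two internal servers
    [("10.0.9.7", "10.0.1.50", 443)] * 2 + [("10.0.9.7", "10.0.1.51", 443)]
    # one host touching SMB on a dozen addresses in a row (lateral-movement style fan-out)
    + [("10.0.5.23", f"10.0.1.{n}", 445) for n in range(10, 22)]
    # the same host also reaches the honeypot, which nothing legitimate talks to
    + [("10.0.5.23", "10.0.1.250", 445)]
    # a port sweep of a single server by another host
    + [("10.0.8.4", "10.0.2.5", p) for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)]
)

HONEYPOTS = {"10.0.1.250"}  # constructed honeypot address

# Constructed baseline of (source, destination) pairs learned during a quiet period.
BASELINE_PAIRS = {("10.0.9.7", "10.0.1.50"), ("10.0.9.7", "10.0.1.51")}


def recon_sources(events, host_threshold: int = 10, port_threshold: int = 8) -> dict:
    """Sources that fan out to many hosts or sweep many ports on one host.

    Returns {source: {"hosts": n, "max_ports_on_one_host": m}} for flagged sources."""
    hosts = defaultdict(set)
    ports_per_dst = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in events:
        hosts[src].add(dst)
        ports_per_dst[src][dst].add(dport)
    flagged = {}
    for src in hosts:
        widest = max(len(p) for p in ports_per_dst[src].values())
        if len(hosts[src]) >= host_threshold or widest >= port_threshold:
            flagged[src] = {"hosts": len(hosts[src]), "max_ports_on_one_host": widest}
    return flagged


def honeypot_hits(events, honeypots) -> list:
    """Every connection to a honeypot address; there is no benign reason for one."""
    return [(src, dst, dport) for src, dst, dport in events if dst in honeypots]


def unseen_pairs(events, baseline) -> list:
    """(source, destination) pairs not present in the learned baseline, sorted."""
    return sorted({(src, dst) for src, dst, _ in events} - set(baseline))


if __name__ == "__main__":
    print(recon_sources(EVENTS))
    print(honeypot_hits(EVENTS, HONEYPOTS))
    print(len(unseen_pairs(EVENTS, BASELINE_PAIRS)), "never-before-seen pairs")
```

The honeypot check is the cheapest of the four and the hardest to argue with; the fan-out and port-sweep thresholds need tuning against what the shop's own scanners and backup jobs do, and the baseline check produces noise until the learning period has covered a full business cycle.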
Basically what he's saying is "Arrest these hackers before they commit a crime" without ever knowing if they're actually being targeted by hackers or if the hackers are even committing a crime in the first place.
Sounds like wonderful precedent for a company to try establishing here in the USA.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
If this is a cyber war we are engaged in, mere defense is not enough. DDOSing botnets for instance, or counterattacks directly against black hats, but it's fair, as in all's fair in love and war.
I can see where a botnet seeking known MAC addresses and hammering them might result in black hats having to come up with new laptops, changing LAA, spending time responding to counterattacks, which impedes them at least minimally. Good work.
deleting the extra space after periods so i can stay relevant, yeah.
I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports?
If they had plugged up the USB ports with glue, which some companies actually do by the way, would you call them more or less ridiculous?
This comment is haxzor-smug, a form of posing.
take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).
Yes, please, step up to my tent. I'm offering "security training courses."
(It's not a bad idea. I'm just saying, once you get into this tone of voice, anything can be made to seem stupid to the imaginary peanut gallery by putting it in quotes.)
This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is
Now we agree. The industry is in a really sad state. I'm nostalgic for the old days when we could blame everything on Windows.
The problems I see:
- Windows makes it "easy" to do many things, but reading data off a USB stick without executing it isn't one of those things.
- Computers still try to draw lines between "read" and "execute," which were sane lines on a small machine but not fundamental. You could say a Word document is a program that executes inside the MS Word sandbox. Really we need to put all programs in a sandbox, and make that sandbox strong and meaningful to the user. Then, user-training becomes, "do not trust programs." Right now you are forced to trust desktop and mobile programs so the training would be unactionable and counterproductive, but on the web for example programs are sandboxed, and users can be trained to distrust them, somewhat.
- Windows programs merge into the system, changing it in arbitrary ways, silently running whenever they like. Not only is there no difference between code and data, there's no difference between a virus and a program besides human intent of the author. There is no "uninstall," there is only "voluntarily self-destruct." How are you supposed to add earthquake safety paint to that metaphor?
- C programmers punting to "all humans make mistakes which turn into bugs. It's unavoidable." I'm not so sure. E.g., cheri-cpu.org can reduce the "buffer overflow surface" of C and C++ for a very cheap cost in gates, using old techniques from IBM mainframe days that were lost. We are treading water against a tide of security bugs, slowly drifting out to sea. What is the plan for getting back to shore? I see some people working on that, ignored. Meanwhile, both greedy-pundits and haxzor-smug pundits say, "paddle harder, doggie." Programmers at elite companies say, "we are great at security because we're so much better than ," when they should be using an absolute metric and realizing they are losing.
... anyone thought of this before?
How fucking clever.
Oh, wait ...
I had this goddam discussion with management back in 1996 all the way up until I retired in 2014.
They said, while it's a problem, it's an IT problem, and we get no funding for training, best-practice firewalls and shit like that.
My insistence that they change passwords at least once a decade, and to refrain from using the same simple password for EVERYTHING went ignored.
As a courtesy, I just sent them a mass email saying that I put every one of their emails into haveibeenpwned and they need to get their shit together.
They want me to CALL and explain.
If they won't listen in person over a period of years, a fucking phone call is a waste of my time.
I sent one more email pointing to retirement.
It little behooves the best of us to comment on the rest of us.
Donald, is that you?
Why bother securing your Apache/Nginx installation when it gives you a chance to be a loud drama queen complaining "some bad guy" hacked you?
.exe attachment? It's just Soooo fun to play "Kim Kardashian Solitaire"!!
Why bother migrating your outdated Windows XP machines to Linux, when you could instead have all the job security in the world - repairing virus-infected systems?
Why not open a
If your office is lazy, uses minimal passwords, doesn't update Windows or have antivirus, open ports everywhere, open wifi, uninformed employees - you will be hacked. This is how MOST of the hacking cases happen, and it doesn't require "climbing up the escalatory ladder" to fix - it requires that managers, bosses, and all employees stop resisting changes, stop using cloudy services for critical data, stop facebooking at work, migrate to Linux if possible, stop using naked ftp, etc. etc.. all been said before.
Stop hiring MBA's who focus on "synergy" and get some real programmers/engineers who have 20+ years of computer experience. Degrees are meaningless. "Instead of the traditional 'hacker with a hoodie,' companies must actively support diversity." - what the hell does that mean? "hacker with a hoodie".. you mean the person who probably knows the subject at hand best and doesn't happen to be a vapid fashionista airhead?
I don't like the noise of this "hunting" stuff. So much mention of "offensive hacking" and little mention of addressing COMPETENCE. Sounds like somebody that wants to go around picking fights - not protecting themselves. This "hunting" stuff only seems appealing to aggressively-minded individuals willing to get themselves into legal trouble and waste company time on speculative goose-chases they can do little-to-nothing about. I can picture it now.. some corporate "situation room" with everyone watching a hacker find the "adversary's" server, and promptly switching off his laptop saying "we found it, that's all we can do!" Good work team! Now That's Synergy!!!
Go apply some updates and stay out of other people's computers!
Seriously though ... the article makes a clear distinction between looking for intruders (legal) which the article advocates and "hacking back" (illegal) which it doesn't.
So this AC post is completely barking up the wrong tree (or a troll). I admit that the article is the usual clueless CEO bumf, but at least don't make it into something it isn't.
Either way there's nothing whatsoever "insightful" about this response.
Perimeter security?!? No, No, No! Every serious security professional knows that it does not work. Repeat after me: "Defense in-depth".
Agreed.
One of the big problems out there is that so much software is *written* to be insecure; at best it checks external inputs, but once you get past external inputs you pretty much have free rein over calling any other function that is accessible.
So until programmers start taking security seriously and start writing software with the goal of keeping people out unless the software is used correctly (e.g. checking all inputs and outputs of functions at all levels, internal or otherwise) then there will always be a very large attack footprint. If developers got serious about security the attack footprint would significantly narrow; would it be perfect? No; but it'd be an awful lot harder (multiple orders of magnitude) to get software to do something it wasn't supposed to.
The ironic thing is that developers will claim moving to a GC'd language (like Java) for security (no more pointers to worry about...well, we know there really are pointers in Java) but then completely ignore the elephant in the room of someone hacking into their software, or the performance penalties that are incurred.
Some simple security preventative measures:
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
until executives start making security a priority, rather than a reflexive action, nothing will change. The majority of corporate boardrooms are filled with MBA types and people with sales backgrounds. Even in high tech companies, the tech founder usually gets squeezed out at some point to make room for the MBA that is going to grow the company.
Typically, MBA's and salespeople view security as a burden, a necessary evil, a nuisance. They would rather allocate funds to marketing. Or the latest diversity flavor of the week. IT in general is viewed as a cost center and data security gets lumped in with that. Most corporate leaders don't really understand IT security because they generally don't come from an IT background. So it gets treated as an afterthought and, predictably, the IT folks are left to stamp out the resulting brush fires.
Standard operating procedure:
1) Send everyone a letter telling them that their credentials have been compromised
2) Offer them 6 months of free credit monitoring
3) Issue them a new card
4) Encourage the customer to change their password
5) Sweep it under the rug
Him pointing out that $75 billion was spent reminds me of the 'Tommy Boy' speech Farley gives that ends partly with "Because they know all they sold ya was a guaranteed piece of shit. That's all it is, isn't it? Hey, if you want me to take a dump in a box and mark it guaranteed, I will. I got spare time"
"I hereby label Nick Fink as a security risk, a potential terrorist, a possible molester and an unperson.
Worse, he is not a team player.
Based on this irrefutable accusation, and the serious risk of Pre-Crime ... I demand that he be neutralised.
Either interned for life or simply eliminated.
I cannot allow the evidence for this to be scrutinised, since our security, nay our very freedom, depends on secrecy.
Dissent or protest will prove the accusation."
Fascists. We know how this ends.
(R)ule in Hell or (S)erve in Heaven [R]?
You can't get some minimum wage support staff to do that so it must be impossible.
Time to offend someone
Sacre bleu!
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Here we go with the punish-before-crime movement
Did you fools learn NOTHING from Gitmo?
All you do with arrests (or attacks) PRIOR to any crime is make angry people into enemies dedicated to your destruction
They've worked so well in the past! Next we just need thoughtcrime, and everyone will live happily ever after.
https://www.eff.org/https-everywhere
Anomaly detection and whitelisting are measures that already exist in actual code that can run on a real computer right now. Monitoring and alerting tools are becoming commonplace, and we even have an acronym or two to sum up the process (thinking of SIEM here). So this call-to-arms is either late or stupid, depending on how far it intends to go.
Assuming the attacker has half a brain, he will proxy his inputs and outputs through intermediate devices. Compromised servers, botnets, whatever. This pro-active approach will yield little usable information without tracking him down, finding his tools, or locating his caches of stolen data.
In order to do any of that, your company must gain access to those proxy devices to see where he is coming from or to gather incriminating data if any exists. But wait---unauthorized access of a computer is against US law. The CFAA does not have any exemptions for IT vigilantism.
So you must commit the same crime in order to catch the attacker. Unless he's incompetent enough to attack from his own home or office.
At best, this is a call to use tools that any information security professional should already be aware of. It's nothing more than a glorified advertisement for their products. At worst, it is an encouragement to cross the line into vigilantism---which can have legal consequences.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.