Slashdot Mirror


EndGame CEO: Root Out Hackers Before They Strike (qz.com)

The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers. An anonymous reader quotes Nate Fick's article on Quartz: Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cybersecurity... the vast majority of cybersecurity spending is still going to prevention and perimeter security. Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...

The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.

Fick points out that despite $75 billion in enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.

25 of 148 comments

  1. Good luck with that by stealth_finger · · Score: 2

    Seems like you just made yourself a target.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
    1. Re:Good luck with that by davester666 · · Score: 5, Insightful

      Yeah, requires three things: time, effort and money

      1. Time and effort: Any IT worker "looking for hackers attacking the network" is automatically assumed to be doing unproductive work by their immediate supervisor. Or by their supervisor. It is also pretty likely that none of his bosses will understand anything he has done to stop a hacker, and they are also unlikely to believe him. Released to look for other opportunities.
      2. Money: any money spent on this "looking for a problem proactively" is money not available for the executive bonus pool. Since the result of anyone working on doing this at best can only claim to have stopped someone, and only MAY have prevented a loss of some kind, clearly the first executive that realizes this deserves a bonus at least equal to the budget of the department he just cut, because that is real, verifiable savings going hundreds of years into the future. He basically has just saved the company from bankruptcy.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Good luck with that by beh · · Score: 2

      Stupid idea!

      You do remember older flicks like Sneakers etc. and their depiction of phreaking - with the perpetrators actually monitoring how many hops the called party manages to hack their way back through.

      This will be the same - but instead of hacking multiple phone exchanges, you have to hack into multiple systems, before you attack your "true" destination.

      On the positive side, this might be a good thing - if a hacker breaks into multiple systems to build up a chain of hosts to route his attack through, that attacker now even has an incentive to harden all intermediate systems he broke into, just to slow down the "counter-attack"...

    3. Re:Good luck with that by cavreader · · Score: 2

      "automatically assumed to be doing unproductive work by their immediate supervisor" If your job description is not related to IT security you are being unproductive in the eyes of your supervisor. For example, if you are getting paid to develop and support applications that is what you should be doing. You can work on your security concerns after hours or get a job in IT security.

    4. Re:Good luck with that by drinkypoo · · Score: 2

      > "automatically assumed to be doing unproductive work by their immediate supervisor" If your job description is not related to IT security you are being unproductive in the eyes of your supervisor.

      And whether they are correct or a flaming idiot depends on the rest of your job description, and the job descriptions of those around you. If you are in IT, and it isn't anyone else's job to maintain IT security, then it is your job no matter what anyone else thinks. If it isn't done, you can't do any of your other jobs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. All well and good for nation states by Anonymous Coward · · Score: 5, Insightful

    All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...

    1. Re:All well and good for nation states by fuzzyfuzzyfungus · · Score: 4, Interesting

      Plus, at least some of the targets of your 'proactive defense' are nation states; and they will be even less happy about being attacked than they will about you attacking 3rd parties.

  3. I've got one for you: wise up, do your homework. by Anonymous Coward · · Score: 5, Insightful

    Just stop babbling nonsense. It seems that "we gotta get 'em basterds" makes for a better headline, but... every breach I've seen in the last years is due to *catastrophic negligence*. Including the (admittedly, for the time) very high tech Stuxnet thingie in Natanz. I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports? And operators willing to stuff a $RANDOM_USB_STICK into that? Seriously?

    How many levels of fail was this?

    Now go through all the last breaches, and think again: how many levels of fail?

    > Fick points out that despite $75 billion in enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.

    So stop buying snake oil and take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).

    Next step is implementing technical measures. Make sure that someone in-house understands thoroughly what's going on. Resist the urge to buy the next shiny thing because the salespeople of this company look smartest: remember that the investment in those smart salespeople isn't going into hard core development -- and that's what you want.

    Fick's an idiot. This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is, where well-known "products" often enlarge your attack surface instead of reducing it.

    Fick reminds me of some dictator in some semi-failed state making up an Enemy of the Nation to make people forget that their actual problem is internal corruption and missing crops.

  4. Buzzword bonanza by Anonymous Coward · · Score: 4, Insightful

    Read the article, and I honestly don't see his end goal.
    Got the impression all he wants is penetration testing and security through obscurity, or monitor incoming traffic for "malicious intent".
    I could be mistaken as the whole article was a bit of a buzzword bonanza.

  5. Threat Hunting by tero · · Score: 5, Insightful

    Threat Hunting isn't exactly a new concept, it's been around for ages.

    But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.

    So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype

    1. Re:Threat Hunting by neurovish · · Score: 2

      > Threat Hunting isn't exactly a new concept, it's been around for ages.

      > But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.

      > So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype

      Unfortunately, you had to go through 3/4 of the article before he even got to what he was talking about. I was pretty disappointed once I got there, although I was expecting it.

      Maybe it is time to set up an on-prem cloud-based hunt team solution?

  6. Re:I've got one for you: wise up, do your homework by l0n3s0m3phr34k · · Score: 4, Interesting

    End-users, the "layer 8" of the OSI model. One way to stop a good chunk of intrusions: force everyone in your organization to go back to plain-text email. No more HTML emails, no more files attached to emails, no embedded links or graphics. Almost every time I read about some new ransomware hit, or most break-ins, it's always some phishing attack via email. Obviously these end-users aren't capable of being educated how to recognize them, so to me the only way to "fix" the problem is to BOFH the situation and remove the most commonly used paths of attack. Anyone who demands these "enhanced capabilities" should also be made to sign an addendum to their employment contract that they are financially responsible for any attacks that they allowed because they just "had to have the ability for people to send them files in their Outlook".

  7. Re:Legal? by l0n3s0m3phr34k · · Score: 2

    Mental attacks? Does Finland have an issue with rogue telepaths?

  8. Not just hackers... by Anonymous Coward · · Score: 4, Insightful

    We should also root out murderers before they strike, by "determining" who will commit murder and punishing them while they are still innocent. Or maybe not.
    Maybe this CEO is phenomenally dumb?

  9. TFA is a bit vague by l0n3s0m3phr34k · · Score: 5, Informative

    But the company's (Endgame) blog pages have some actual concrete info. Reading over the site, much of what he talks about is already implemented, or at least there is software out there that companies can get (much of it open source). To quote his page Hunting on hosts: "running processes, active network connections, listening ports, artifacts in the file system, user logs, autoruns", using Yara, etc. BUT, at least this page isn't just "buy my product" but does give some tutorials / examples of how to use various free utilities (like Sysinternals, Yara with Powershell, Elasticsearch) and he even includes CLI examples. I'm bookmarking this and will read over it later when it's not 04:32 and I should be asleep instead of posting on Slashdot LOL.

  10. I call bullshit. by rew · · Score: 5, Interesting

    There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.

    And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!

    Here in Holland some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!

    In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.

    You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.

    1. Re:I call bullshit. by geekmux · · Score: 2

      > ...Here in Holland some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!

      > In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable...

      Yes, this is likely true. They should be held liable once the issue is reported and not acted upon. Not even knowing about an issue makes it a bit harder to pin blame. IT professionals may appear to work magic at times, but they're not psychics.

      > You cannot blame the guy who stumbled upon this issue for "hacking".

      Yes, you can. When the law labels it as hacking, especially when the individual performing the hack knows this.

      > Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail?

      Unethical? Not "nice"? You have a very cute way of labeling theft, which was blatantly obvious to the person doing the "hacking", and is also blatantly obvious to the jury or judge that would convict them. Doing it for a damn year? Yeah, in other legal circles that would be defined as the difference between manslaughter and first-degree murder. Nothing like planning your budget around 10-cent pizzas.

      > Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.

      Something we agree on. This, in a nutshell, is what is truly wrong.

    2. Re:I call bullshit. by Opportunist · · Score: 2

      Sorry, but allowing the client to manipulate critical data like the amount due that he should not have control over is criminal negligence. At the very least it should be, for any programmer should know that this is critical. If he doesn't know that, he has no reason to be creating computer programs.

      That isn't something obscure where the "oh, I didn't know that" excuse should work. That should be reserved for nontrivial cases where it did actually take a security researcher to unearth something buried in some layers of code that nobody could foresee.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:I call bullshit. by rickb928 · · Score: 2

      > "Are you saying that a site that doesn't notice the 0.10 € payments in their bookkeeping for a year is without blame?"

      Cliff Stoll saw a $0.75 error and followed it to Markus Hess, exposing a deliberate espionage effort.

      > "it's probably not that hard to bury a few 10-cent pizza transactions among tens of thousands, and escape even a detailed audit"

      If so, it's not a detailed audit. But that particular 'free pizza' hack could have been averted, probably, by adding in a check for the cheapest menu item available, and then refusing the amount when it was lower. All of which is much harder than just coding it right in the first place. IANAP, but I can conceive of a few techniques - ignore the price in the link, and keep it internally to be used for processing the transaction, which will cause problems for split tenders, but that's poorly supported anyways.

      Lazy fails.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
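The two defects this subthread argues about, a checkout that trusts the amount in the URL (rew's pizza story) and a lookup that only checks that someone is logged in rather than that the order belongs to that user (the uid=1234 to uid=1235 case), shown beside a handler built the way rickb928 describes: the price is ignored from the link and kept server-side. This is an added example, not code from the pizza shop, from Endgame or from any poster; the order table, the user names, the `Result` type and the tamper log are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional

# Constructed sample data for the example (not a real shop's records):
# the server's own view of each order, keyed by order id.
ORDERS = {
    1234: {"owner": "alice", "total": Decimal("15.60")},
    1235: {"owner": "bob", "total": Decimal("22.00")},
}

# Constructed audit trail so tamper attempts are observable, not just refused.
TAMPER_LOG = []

@dataclass
class Result:
    ok: bool
    reason: str
    charged: Optional[Decimal] = None

def vulnerable_pay(session_user: str, query: dict) -> Result:
    """The 'free pizza' pattern from the thread: the amount due is read back
    from the URL and charged as-is, and the only authorization check is
    'is somebody logged in', so any user can pay (for) any order id."""
    if not session_user:
        return Result(False, "not logged in")
    order_id = int(query["order"])
    amount = Decimal(query["amount"])  # client-controlled: 15.60 -> 0.10
    if order_id not in ORDERS:
        return Result(False, "no such order")
    return Result(True, "paid", amount)  # a gateway would charge `amount`

def hardened_pay(session_user: str, query: dict) -> Result:
    """Same endpoint, with the amount kept server-side and an object-level
    authorization check: the order must belong to the logged-in user."""
    if not session_user:
        return Result(False, "not logged in")
    try:
        order_id = int(query.get("order", ""))
    except ValueError:
        return Result(False, "bad order id")
    order = ORDERS.get(order_id)
    # One answer for 'missing' and 'not yours', so uid=1234 -> uid=1235 style
    # probing cannot tell which ids exist.
    if order is None or order["owner"] != session_user:
        return Result(False, "forbidden")
    amount = order["total"]  # the authoritative price, never the URL's
    # If the client still sends an amount, treat any mismatch as a tamper
    # signal: log it and refuse rather than silently charging the real total.
    client_amount = query.get("amount")
    if client_amount is not None:
        try:
            if Decimal(client_amount) != amount:
                TAMPER_LOG.append((session_user, order_id, client_amount))
                return Result(False, "amount mismatch")
        except InvalidOperation:
            return Result(False, "bad amount")
    return Result(True, "paid", amount)
```

The mismatch branch is the audit hook rickb928's second quote is about: a year of 10-cent payments is hard to find in the ledger, but a logged mismatch at checkout time is a single searchable event.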
  11. Re:How can you defend by Opportunist · · Score: 2

    Simple. Open door, if what's behind it is neither a lawyer nor has access to some, use flame thrower. Else, wave and close door quietly.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Re:I can't even imagine what he's talking about. by Opportunist · · Score: 3, Interesting

    Honeypots are a bit like undercover policemen. You can use them to catch the dumb ones and give the smart ones more leg- and elbowroom.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Re:In chess by Opportunist · · Score: 2

    In chess, everything is black and white.

    Not so much in the world.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. I have also an idea by Opportunist · · Score: 4, Funny

    How about rooting out future CEOs before they have harebrained ideas. It's also much easier to predict. Just shoot every CEO during his inaugural speech.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:I've got one for you: wise up, do your homework by Anonymous Coward · · Score: 3, Interesting

    > End-users, the "layer 8" of the OSI model.

    They are definitely the most vulnerable part. But don't get me wrong, it's not about blaming the users. They just want to get stuff done, it's their job. And they are put under considerable pressure at that.

    It's the job of the organizations to strengthen the users and to raise their level of proficiency in understanding the issues involved. Heck, they are not stupid, in real life they wouldn't hand over their flat keys to a random stranger on the street (with a small note containing their address).

    The security department's job is technical, but at the same time educational. It must encompass all the "stack", starting with the users.

    As long as there is a "security department" making some magic stuff nobody else understands, and which is only perceived as an impediment to the daily chore, we've lost.

  16. Re:Too good at the job by arth1 · · Score: 4, Interesting

    Buying security from security firms gives very little bang for the buck. Security isn't a commodity any more than love is. You can only buy fake versions of either.

    Spend the same on security minded employees and individualized training. Spearphish your employees and require mandatory training of anyone caught. Hold security training without powerpoint, and keep your employees informed with facts. Pay out small bonuses to people who display awareness. Post the name of departments where anyone has attempted to run malware or otherwise shown gross negligence. Make it a people thing, not a box in the server room and some licenses.

    When TFA says "Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...", they were dead wrong. It should be closer to 100%, with almost all going to internal resources.