Richard Bejtlich has a Blackhat round up, and his conclusions are most interesting:
Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, "properly configured," not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
The languages we use to build programs, the container we deploy them into, and the environment they execute in all assume at best a neutral environment or, worse, the old "we're inside the firewall (see the flames on the Visio drawing?)". The apps, containers, and platforms were never designed or built to deal with malice, but malice is what they face.
Detecting current attacks in "real time" is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by "rich Internet applications" and frameworks. I realized that the "rich" in "RIA" refers to the money intruders will make by exploiting Web clients.
Part of not being designed for execution in a malicious space is a lack of detection support.
The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it's time to face the truth. There is no way to get "ahead of the threat" here.
Unfortunately, this is very true. The training has to get better and the tools have to get better to raise the floor for defenders, but they are simply too susceptible in too many areas. Leaving knowledge aside, the attackers' tools are much better for attacking than the defenders' tools are for defending.
Kent Beck said that he doesn't look at programs as things, but rather as shadows of communities. You can just as easily look at security vulnerabilities as shadows of organizations, and this is the issue at play in Bejtlich's conclusions -- no one is charged with resolving these problems. The vulnerabilities that exist are shadows or seams left by infosec, risk management, and assurance efforts that glaze over issues, make incorrect assumptions, or don't have the tools or training to begin to solve the issue.
Vendors assessed against best practice? Check.
Systems configured per policy? Check.
Did you patch the systems? Check.
Did you configure the firewall? Check.
System or process resilient in the face of malice or a stiff breeze? Crickets chirping...