Tenable Blog

Recently I attended the Secure World Boston conference to sit in on a panel with industry experts about APT (Advanced Persistent Threat, for a great write-up on the definition see Richard Bejtlich's article titled, "What Is APT and What Does It Want?"). Following are some of my thoughts on the topic:

• Is APT something that everyone should be worrying about and planning for (is APT pervasive or just hype)? – APT is a new buzzword, but of course such threats have been around as long as there have been computer networks. It makes me think back Clifford Stoll’s book titled “The Cuckoos Egg”. I love Cliff’s analogy of “jiggling” the keys over the communications lines to disrupt the attackers just enough, but still give them enough access to keep an eye on them.

• Explain how APT works (reconnaissance, phishing, infection, exfiltration)? – The recon phase is the toughest to defend against and the most important phase to an attacker. Pre-texting is so important, yet much of the information has to be public and it’s tough to detect when someone is doing recon. This may turn into targeted phishing attacks, which are increasingly more successful. No matter how hard we try, we can’t educate all our users and expect them to catch 100% of the attacks - we have to rely on technology and training to ward off these attacks. Inevitably, people get into our systems and we need to have measures to detect unauthorized access to our systems. It’s presumptuous to think that your organization will never have a breach.

The CCDC 2011

The Collegiate Cyber Defense Competition (CCDC) is always a fantastic and educational event, and this year was no exception. Hundreds of people converged to share ideas, learn how to hack, learn how to defend and talk about security. Below is a brief summary of the happenings at the event:

• The Attackers - Many of the same people as previous years filled the role of the "hackers". They did a great job this year and showed how much they've learned over the years. The big takeaway from the Red Team is sharing. Using a new tool called "Armitage", they were able to share shell access to the Blue Team hosts, proving that sharing truly is caring.
• The Defenders - By design, the Blue teams are put at a disadvantage. This is meant to emulate the real world, where attackers have vast resources and often stay a step ahead. However, the Blue teams were very creative, employing reverse sabotage by leaving pieces of paper around the event with usernames and passwords written on them, which were completely fake.





The Red Team was able to re-configure the Blue Team's phones and leave them messages on the display, a digital "love note" if you will. Phones for the Blue Team were ringing throughout the event, playing random WAV files from a server as well.

Welcome to the Tenable Network Security Podcast - Episode 74

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher and Ron Gula, Tenable CEO/CTO

Announcements

• Several new blog posts have been published this week, including:
  • Microsoft Patch Tuesday Roundup - March 2011
  • Leveraging Wake-On-LAN Support to Audit Powered-Off Hosts with Nessus
• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.


• We're hiring! - Visit the Tenable web site for more information about open positions.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Penetration Testing Execution Standard - A group has been formed to define what a penetration test really is and means. Several standards and compliance documents reference a "penetration test", but yet no one has really taken the time to define it. Carlos and I are involved with this effort, myself on the vulnerability scanning portion and Carlos on the post-exploitation side.

Another Microsoft Patch Tuesday is upon us. This month I was surprised that two vulnerabilities making headlines recently were not included in this Microsoft Patch Tuesday, namely the 0-day Windows SMB Vulnerability and the reported “Pwn2Own” IE vulnerability. The best way to remediate any vulnerability is to apply a patch provided by the vendor, and it’s puzzling why Microsoft is delaying the release of patches for these widely publicized vulnerabilities.

To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

• MS11-015 - Vulnerabilities in Windows Media Could Allow Remote Code Execution - Nessus Plugin ID 52583 (Credentialed Check)

I will be hosting a webinar that presents Tenable's strategy for agentless auditing and reporting of various US Government standards including FDCC, USGCB, CyberScope and a variety of DISA STIG specifications. The webinar will include: