Why defensive research is sexy too.. … and a real sign of skill and 21 subliminal* facts about NCC

Nov 17, 2014


A presentation from BSides London 2014 on why defensive cyber security is a real sign of skill and one of the most rewarding things to do.
Transcript
Page 1: Why defensive research is sexy too.. … and a real sign of skill

Why defensive research is sexy too..… and a real sign of skill

and 21 subliminal* facts about NCC

Page 2

Before we begin…

Hopefully not a lesson in sucking eggs

Page 3

Before we begin… Who is NCC?

• 100 million GBP revenue FTSE company
• Cyber Security Assurance Practice
  • 180 UK technical assurance consultants
    • applied research
    • technical security assessments
    • cyber forensics incident response
  • 50 UK risk / audit consultants
  • 90 US technical assurance consultants
• Escrow & Software Assurance = sister BUs

Page 4

Offence v Defense

Page 5

Why Offensive Research is Easy*

• Time, money, capability
• Usability
• Technology diversity / fragmentation
• Technology mono-cultures / near mono-cultures
• Technology life-cycles
• Developers
• Implementers / Integrators
• End-users

Fact 1: NCC has games consoles and/or arcade machines in all technical offices!

Page 6

Why We do Defensive Research

• Drive down costs
• Keep aggressors out
  • system / software design, build and operate
• Minimize the impact when that fails
  • defence in depth / resilience / aid clean-up
• Know what happened and clean up
  • audit, forensics, loss measurement and recovery
• Understand what is happening
  • threat intel / exposure etc.

Fact 2: the author of !exploitable v2 works for NCC in Cheltenham

Page 7

Applied Defensive Research can be* Reactive

• Tangible threat / needs
  • organisations / users feeling pain
  • demonstrated financial / data loss / compromise
• Easiest to demonstrate ROI for
  • addresses concerns / gaps
  • known market to sell solutions for
• Pro-active
  • academia**
  • domain of the few

Fact 3: the author of the Browser Hacker's Handbook works for NCC in Australia

Page 8

Applied Defensive Research is Broad

• Hardware
• Operating systems
• Programming languages
• Compilers
• Libraries / frameworks
• Features / integration
• Human sciences
• Models and data analysis
• Algorithmic
• Standards
• Design patterns
• Implementation
• Build
• Deployment
• Sustainment

Fact 4: we have a massive UK tech team (> 150) which only results in awesome!

Page 9

Examples of the Arms Race

Defence v Offense

Page 10

XSS

• Types
  • traditional (basic?) XSS
  • domXSS – example of refinement
• Game of: source v sink
• Solutions thus far:
  • Internet Explorer XSS protection feature*
  • Content Security Policy*
  • DOMPurify**

Status: PARTIALLY SOLVED

Fact 5: NCC works on everything from SCADA to ATMs to cars to web apps

Page 11

SQL Injection

• Input validation
  • black-listing / white-listing
• Non verbose error messages*
  • blind etc.
• Parameterisation
• Abstraction / NoSQL

Status: PARTIALLY SOLVED

Fact 6: 1K GBP bonuses for publishing whitepapers at NCC
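As an added illustration of the slide's "input validation" versus "parameterisation" point (example code written for this transcript, not from the presentation), the same lookup is built both ways against a constructed in-memory SQLite table; the table contents, function names and the crude character black-list are assumptions made here.

```python
# Added example, not from the slides: string-built SQL beside a parameterised
# query, plus the black-listing check the slide lists. Data is constructed.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so a quote in `name`
    # changes the structure of the statement instead of the value compared.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised: the SQL text is fixed and `name` is bound as a value,
    # so the engine never parses it as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def crude_blacklist_ok(name: str) -> bool:
    # The slide's "black-listing" approach: reject a handful of known-bad
    # characters. It validates input against a guess about attacks rather
    # than removing the flaw in the query, which is why the slide's status
    # is only PARTIALLY SOLVED.
    return not any(ch in name for ch in "'\";-")


if __name__ == "__main__":
    db = build_db()
    tautology = "x' OR '1'='1"          # classic always-true condition
    print(lookup_concat(db, "bob"))       # ['bob']
    print(lookup_concat(db, tautology))   # every row: the WHERE clause changed
    print(lookup_param(db, tautology))    # []: compared literally, no match
    print(crude_blacklist_ok(tautology))  # False
```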

Page 12

Malicious Code

• Malicious code arrives
• Signature AV
• metamorphism / packers
• rootkit / bootkits
• Signature AV, unpackers, rootkit detection
• signing of binaries
• in process injection
• Behaviour monitoring
• fragmented behaviour
• Reputation – stolen identity

Fact 7: you get utilisation credits (like client work) for research at NCC

Page 13

Memory Corruption

• Stack
  • cookies / variable re-ordering / multi stack / NX
• Heap
  • cookies / out of band* / NX
• SafeSEH
  • compatibility holes
• ASLR
  • compatibility holes
  • weak entropy / exhaustion
  • information leaks*

Fact 8: NCC loves publishing its tools as open source - http://github.com/nccgroup

Page 14

Memory Corruption

• Kernel executing code from userland
  • SMEP – Supervisor Mode Execution Prevention*
• Kernel access data in userland
  • SMAP – Supervisor Mode Access Protection*
• ROP
  • call flow analysis
  • gadget less code
• Plus many more
  • PaX, EMET, BlueHat prize etc.

Fact 9: suits are for client sites not our offices.. unless you want to of course!

Page 15

Code Review

• Grep / Lint
  • comedy basic, false positives, noisy
• Taint analysis
  • compilation / parsing of code
  • procedural / intra-procedural
• Gamification
  • formal verification
  • http://www.cs.washington.edu/verigames/

Status: PARTIALLY SOLVED

Fact 10: the early Samba domain protocol breakthrough was done by an NCCer

Page 16

Sandboxing

• Constrain a process not to do bad stuff*
  • chroot escapes etc.
• Many levels
  • File system
  • Network
  • IPC
  • System calls
• Whilst maintaining compatibility*

Status: PARTIALLY SOLVED

Fact 11: we employed 7 graduates last year, we're aiming for 20 this year

Page 17

Protective Monitoring

• IDS / IPS
  • stream reconstruction
  • OS specific fragmentation behaviours
  • many methods of encoding
  • encryption
  • maintaining pace with network speeds
  • .. etc

Status: PARTIALLY SOLVED

Fact 12: we have internal training for infra to web apps to threat modelling to code

Page 18

Response / Threat Intel: Forensics

• Physical versus logical acquisition
  • many devices / OS
• Memory forensics
• Structured / unstructured data analysis and correlation
• Application of expert systems / inference engines
  • Non fancy name of AI (includes knowledge bases)

Status: PARTIALLY SOLVED

Fact 13: we don't have time sheets! and our expenses are electronic!

Page 19

Threat Intel: Honey Pots

• Make them discoverable
  • darknets / seeding
• Make them attackable
  • network, web, mobile etc.
• Make them look real enough
  • emulate, real-tin, simulate, virtualize
• Make them tempting enough
• Make them indistinguishable

Fact 14: all of the first two grades of management are ex technical doers*

Page 20

Hot Patching

• How to patch security vulns without restarts
• Research
  • Code injection*
  • Compiled function structure
  • MOV EDI, EDI – two byte NOP
  • Security

Status: PARTIALLY SOLVED

Fact 15: we work with our US and Australian teams jointly on projects
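The "compiled function structure" and "MOV EDI, EDI" bullets refer to the layout compilers emit for hot-patchable functions: five bytes of filler before the entry point and a two-byte MOV EDI,EDI as the first instruction. As an added example (written for this transcript, not from the presentation), the scanner below recognises that layout in a constructed 32-bit code blob; the function names, constants and sample bytes are assumptions made here.

```python
# Added example, not from the slides: recognise the hot-patchable prologue.
# Layout assumed: 5 filler bytes (NOP 0x90 or INT3 0xCC) then MOV EDI,EDI.
PAD_LEN = 5                   # filler bytes preceding the entry point
PAD_BYTES = {0x90, 0xCC}      # NOP or INT3 filler
MOV_EDI_EDI = b"\x8b\xff"     # the two-byte NOP: MOV EDI, EDI


def is_hotpatchable(code: bytes, entry: int) -> bool:
    """True when the function at `entry` starts with MOV EDI,EDI and has
    5 bytes of filler in front of it.

    That layout is what makes a restart-free patch possible: a patcher writes
    a 5-byte JMP to the replacement code into the filler, then overwrites the
    2-byte MOV with a short JMP back to that filler. The final 2-byte write
    replaces one whole instruction in one go, so a thread entering the
    function sees either the old or the new first instruction, never a torn one.
    """
    if entry < PAD_LEN or entry + len(MOV_EDI_EDI) > len(code):
        return False
    filler = code[entry - PAD_LEN:entry]
    if not all(b in PAD_BYTES for b in filler):
        return False
    return code[entry:entry + len(MOV_EDI_EDI)] == MOV_EDI_EDI


def find_hotpatchable(code: bytes) -> list:
    """Offsets of every candidate hot-patchable entry point in `code`."""
    return [i for i in range(len(code) - 1) if is_hotpatchable(code, i)]


# Constructed blob (not a real binary): one hot-patchable function, one plain
# prologue, and one MOV EDI,EDI with too little filler in front of it.
SAMPLE = (
    b"\x90" * 5 + b"\x8b\xff\x55\x8b\xec\x5d\xc3"   # filler, MOV EDI,EDI, push ebp; mov ebp,esp; pop ebp; ret
    + b"\x55\x8b\xec\x5d\xc3"                       # plain prologue, no filler, no MOV EDI,EDI
    + b"\xcc" * 3 + b"\x8b\xff"                     # only 3 filler bytes: not patchable
)

if __name__ == "__main__":
    print(find_hotpatchable(SAMPLE))  # [5]
```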

Page 21

DRM

• Software based DRM
  • cracks
• Geography specific based DRM
  • cracks but constrained
• Hardware augmented DRM
  • crack
• Hardware DRM / CAC
  • cracks / duplication

Status: PARTIALLY SOLVED

Fact 16: NCC has tech offices in Manchester, Leatherhead, Chelly and Milton Keynes

Page 22

Brain Food

Page 23

Challenges

• User and consumer cyber security awareness

• Practical cyber security in start-ups and other resource constrained environments

• Cyber incident remediation, clean-up, impact measurement and quantification

Fact 17: we have two service-lines launching this year designed by consultants

Page 24

Phishing

• Human science
  • Humans just want to get stuff done
  • Humans are nosey
  • Humans like flattery
• Smart(er) technology
  • When Bayesian filters fail

etc..

Fact 18: each office has monthly techy presentation afternoons & social evenings

Page 25

Forensics

• Storage Reduction for Network Captures
• High Performance Captured Network Meta Data Analysis
• Network Capture Visualization
• Automated Net Flow Heuristic Signature Production
• Forensic Memory Resident Password Recovery
• Application of Location Services in Data Forensics Investigations

Fact 19: you get free fruit* at work - *we wish it was chocolate

Page 26

Throw Away Home Automation

• Cheap embedded systems
  • some shown to have backdoors
• Range of impacts if owned
  • danger to life*
  • privacy
  • security
  • financial

Fact 20: we may be big but that comes with certain benefits (e.g. lab admins)

Page 27

…. everything else .…

• stopping Terry from using sprintf*
• automatic CSP generation and refinement
• attack surface mapping / visualisation
• micro virtualized OS secure design
• defensive software defined networking
• anti-anti-forensics
• making Linux security features useable for low skilled vendors

etc..

Fact 21: we love CVs e-mail [email protected] (he'll thank me later)

Page 28

The Reward for Doing Defensive Research…

…many…

• No BBC articles
• Frustration when people don't use it and then get owned
• Maybe 200k from Microsoft Bluehat*
• No trips to Vegas
• No world wide con tour
• People complaining when it does work because they didn't read the manual

Page 29

Summary

• Defensive research is one of the most rewarding areas
  • you don't need to be an academic
  • you don't need to solve world hunger
• Lots of defensive ideas come and go
• The trick is making / getting them:
  • implemented
  • practical
  • scalable
  • cost effective
  • adopted

Page 30

An Example

TL;DR: Intel implements UDEREF equivalent 6 years after PaX, PaX will make use of it on amd64 for improved performance.

http://forums.grsecurity.net/viewtopic.php?f=7&t=3046

Page 31

Liked this? BSides Manchester is coming..

Page 32

Almost Final Thought

“We may be at the point of diminishing returns by trying to buy down vulnerability, maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them”

Gen. Michael Hayden (USAF-Ret.), former head of the NSA and the CIA

Page 33

Final Thought

start small, learn, practice, improve, fail, start again, get better, fail again, start once more, get even better and maybe win!

Page 34

The future (in an alternate universe)

Defendercon 2015

Showcasing applied defensive research with the pizazz of offensive including the defend2spend competition…

Page 35

UK Offices

Manchester - Head Office

Cheltenham

Edinburgh

Leatherhead

London

Milton Keynes

North American Offices

San Francisco

Atlanta

New York

Seattle

Austin

Australian Offices

Sydney

European Offices

Amsterdam - Netherlands

Munich - Germany

Zurich - Switzerland

Thanks? Questions?

Ollie [email protected]