Yut!!! Nothing like a motivating US Marine Corps yell to get your attention. Hey Steve Adegbite here, just wanted to drop some words and give you my perspective on some of the News we (Microsoft) announced this morning.
You may have seen already we launched a trusted information sharing program for security software providers. It’s a program we created in hopes of actually helping the defenders get a leg up on protecting consumers. The Microsoft Active Protections Program will allow vetted security software providers early access to the technical details on the vulnerabilities we are addressing with each monthly security update. Microsoft is doing this in hopes that we can give the defenders more time to produce timely signatures. Basically, in doing this, we’re betting that cutting out the time to reverse engineer our security updates will give valuable time back to the defenders to focus on protection enhancement and faster delivery.
Most of the security community knows me from my work with the military and government before coming to Microsoft (i.e. founder of the USMC Information Assurance Red Team). One thing I harped on was that I believe security has to take a community-based focus. One aspect of this community-based approach is the establishment of a "trusted information sharing" program. As a red teamer, my job was to find the vulnerable points and feed that information to the defenders via trusted information channels. This helped the defender shore up their defenses or at least let them know where weak spots existed.
Microsoft Active Protections Program is doing a similar thing, just in a "commercial" way, and without me looking for vulnerable spots in code/networks at 3:45am. It’s not enough to point the finger at one entity and say “Fix it.” Those of us who belong to the security ecosystem must own the problem, and share in the solution.
I believe in this so much that when the opportunity arose to run for the steering committee at FIRST, I couldn’t miss it. I am glad Microsoft saw the same value, as they have allowed me to do this as a two-year commitment. That shows tremendous dedication to the idea that security at large is an ecosystem problem. But more on that in another time on this blog.
The point here is that everything can be addressed with the right collaborative effort. Microsoft gets that and is doing its part. Over the coming year you’re going to see a lot of that action shining through in every arena where we engage on security. Stay tuned and remember it takes a village to raise a child...but the digital village is where I live, and we are working together to raise a great and safe cyber ecosystem for consumers to enjoy.
For more of my insight live from Vegas, check me out on Twitter at www.twitter.com/SteveAdegbite
- Steve Adegbite
*Postings are provided "AS IS" with no warranties, and confers no rights.*
Hey Andrew Cushman here…
It’s that time of year: August in Vegas, time for the big show, it’s Black Hat time… Along with the vivid memories of crowded briefing rooms, the critical mass of security talent, great side conversations, and the ever-present "ching-ching" of slot machines, this year it brings up thoughts of where Microsoft, the Microsoft Security Response Center (MSRC) and our commitment to Trustworthy Computing (TwC) have been, and keen anticipation of where we’re going.
I read the headlines about online threats evolving and get a firsthand look at that evolution and the scope of what we’re facing. As attacks become more complex, stealthier, and increasingly targeted, the security industry is forced to adapt and to innovate in step. We can and will continue to develop new technologies, new best practices, and educational offerings (check out “Defend the Flag”). Even with these investments and changes, the reality is that security is not a problem that can be solved, and it’s a problem where the complexity often leads to more insecurity.
The industry is reaching a point where delivering an acceptable level of security today is beyond what one company can do alone. There’s real merit in the cliché “It takes a village….” It’s time that we approached this problem collectively—industry, partners, customers, and public organizations—acting together to improve the broader security ecosystem. Think of it as Community-Based Defense, where we commit our skills and strengths to defend beyond our boundaries to protect our common customers.
In that spirit, look for several announcements from Microsoft this week that reflect the growing role industry collaboration and information sharing play as we shift to Community-Based Defense. It’s time for the industry to come together—researchers, vendors, and the like—to take security innovation and defense to the next level.
I’m excited to be in Vegas and be a part of the announcements this week. This is a fundamental shift for Microsoft and the ecosystem. This is one case where ‘what happens in Vegas’ doesn’t apply.
- Andrew Cushman
The air was thick with adrenaline and action as the teams battled each other for the top spot at Microsoft’s Defend the Flag (DTF) training at Black Hat USA. The heat of Vegas seems a fitting place for such contests, pitting attacker against victim, in a race among teams to prevail as the strongest, the fiercest, the most tenacious defenders of their systems. Unlike Capture The Flag (CTF), the scoring is done exclusively on defensive capabilities. Teams are simultaneously attacking other teams’ systems, while trying their best to keep their own up and running. Take no prisoners, capture no flags – it’s a binary battle to either win or lose, and it’s all about how you play the game.
Armed with a suite of defensive techniques taught by our delivery partners, iSEC Partners, and with Immunity’s latest CANVAS exploit framework, the players have the basics for what can be deemed a security pick-up game of 21. The training is delivered over two days. Day one is a hands-on tutorial lab: in the morning, Dave Aitel and Bas Alberts of Immunity teach attack techniques and how to use the exploit framework; in the afternoon, Brad Hill and Andrew Becherer of iSEC Partners cover applying host hardening, forensics, and incident response techniques. Day two is an all-up melee-style competition, where the class is divided into teams of three or four players each. Each team has both attackers and defenders, and roles are switched throughout the day to make sure everyone gets to experience firsthand the power of modern-day attack tools, and the thrill of successfully beating back an onslaught at the front lines.
Some may wonder why we are teaching students how to use an exploit framework as part of this course. If the point is on defense, why take up time with any offense? It is to provide the appropriate framework for students (mostly IT Professionals who are new to security) to internalize the threats they face each day. Rather than spread FUD, we show a real modern commercial-grade toolkit to demonstrate just how easy it is for attackers to take advantage of unhardened systems that haven’t been updated. It is the best way to drive the point home beyond a shadow of a doubt: patch or perish; harden or get hacked.
Besides, we are not teaching new exploit techniques, but rather showing what is already widespread and publicly available. From a lock picking debate in the 1800’s regarding revealing the tricks and tools of the trade:
“Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.”
Since we know that roguery abounds, and that attacks are becoming much more sophisticated and innovative, we must keep pace by understanding their trade. We must learn how to use their tools and tricks in order to educate the next generation of Windows defenders.
But here’s the real twist – DTF doesn’t allow updating! That’s right, we throw a monkey wrench into the works by taking away one of the most effective security measures available. We toss the students into shark-infested waters and expect them to swim to safety. How? By employing defense in depth measures. Why? Because this is too often the real-world reality in deployed networks. Either IT Pros can’t apply updates right away due to testing requirements, or they can’t update at all because of the risk they judge it poses to critical infrastructure. This is the real-world dilemma, and DTF provides the tools to help IT Pros manage it in a heart-thumping, fist-pounding, tooth-grinding race to the finish line.
As the points stacked up on day two, the tension mounted to a palpable pulse. Team “Defenders” held an early lead throughout the morning, with Team “OneEqualsOne” taking second place over Team “DivideByZero”, until Team “DivideByZero”’s Windows Server 2003 was pwned so badly that it had to be rebuilt from scratch. The afternoon brought new challenges, as each player had to switch out of the role they had grown comfortable with in the morning – attackers now had to defend, while former defenders took on the attack role within each team.
There was also a bonus round with a physical twist, where each team had to play out the scenario that an intruder had gotten physical access to their systems. Each team hardened their systems as best they could, and then physically left them in the hands of the other teams, while they in turn attacked their opponents’ systems. When each team returned to home base, they had to figure out what their opponents had done during the physical access (planted Trojans, disabled firewall rules, etc.) and recover control of their systems.
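The physical-access round comes down to a baseline-and-diff exercise: record what the hardened box looked like before it left your hands, then find out what changed. The script below is an added example, not part of the DTF course materials or any Microsoft tooling, showing one way to do that with PowerShell. It assumes Windows 10 / Server 2016 or later (for the NetSecurity, ScheduledTasks and LocalAccounts modules), an elevated session, and a baseline file path of our own choosing; it snapshots firewall profile state, enabled inbound allow rules, services, scheduled tasks, autorun registry values and local administrators, and reports anything added or removed since the baseline.

```powershell
# Added example (not from the DTF course or Microsoft): snapshot a host's
# firewall state and common persistence points, then diff the live state
# against that baseline after an exposure window such as the physical round.
# Assumes Windows 10 / Server 2016+ and an elevated PowerShell session.
# $BaselinePath is a constructed default, not a path the course uses.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = "$env:ProgramData\dtf-baseline.xml"
)

function Get-HostSnapshot {
    # Firewall profile state: a disabled profile is the first thing to check.
    $profiles = Get-NetFirewallProfile | ForEach-Object {
        '{0}|Enabled={1}|DefaultInbound={2}' -f $_.Name, $_.Enabled, $_.DefaultInboundAction
    }
    # Enabled inbound allow rules: a new or re-enabled rule opens a door.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object { '{0}|{1}' -f $_.Name, $_.Profile }
    # Services and their binaries: a planted Trojan often arrives as a service.
    $services = Get-CimInstance Win32_Service |
        ForEach-Object { '{0}|{1}|{2}' -f $_.Name, $_.StartMode, $_.PathName }
    # Scheduled tasks and Run/RunOnce keys: the other usual persistence spots.
    $tasks = Get-ScheduledTask |
        ForEach-Object { '{0}{1}|{2}' -f $_.TaskPath, $_.TaskName, $_.State }
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $autoruns = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notin $providerProps } |
                ForEach-Object { '{0}|{1}={2}' -f $key, $_.Name, $_.Value }
        }
    }
    # Local administrators: a quiet way to keep access is an extra admin account.
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }

    [pscustomobject]@{
        FirewallProfiles = @($profiles)
        InboundAllow     = @($rules)
        Services         = @($services)
        Tasks            = @($tasks)
        Autoruns         = @($autoruns)
        Admins           = @($admins)
    }
}

function Compare-Snapshot {
    # Set difference in both directions, done by hand so empty sections
    # (no autoruns, no tasks) do not trip Compare-Object's argument checks.
    param($Baseline, $Current)
    foreach ($section in $Baseline.PSObject.Properties.Name) {
        $ref = @($Baseline.$section)
        $cur = @($Current.$section)
        foreach ($item in $cur) {
            if ($ref -notcontains $item) { '[ADDED]   {0}: {1}' -f $section, $item }
        }
        foreach ($item in $ref) {
            if ($cur -notcontains $item) { '[REMOVED] {0}: {1}' -f $section, $item }
        }
    }
}

switch ($Mode) {
    'Baseline' {
        # Run this before the box leaves your hands.
        Get-HostSnapshot | Export-Clixml -Path $BaselinePath
        "Baseline written to $BaselinePath"
    }
    'Compare' {
        # Run this when you get the box back.
        $baseline = Import-Clixml -Path $BaselinePath
        $findings = @(Compare-Snapshot -Baseline $baseline -Current (Get-HostSnapshot))
        if ($findings.Count -eq 0) { 'No changes against baseline.' } else { $findings }
    }
}
```

Save it as, say, `Get-HostDrift.ps1`, run `.\Get-HostDrift.ps1 -Mode Baseline` before handing the machine over and `.\Get-HostDrift.ps1 -Mode Compare` when it comes back. A `[REMOVED] FirewallProfiles: Public|Enabled=True|...` paired with an `[ADDED] ...Enabled=False` line is exactly the kind of change that cost “OneEqualsOne” the lead; a new entry under Services, Tasks, Autoruns or Admins is where to look for what was planted. The baseline is only as trustworthy as the place it is stored, so keep it off the box being handed over.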
It was a dead heat, with each team within 25,000 points of each other, out of a possible 300,000. Team “OneEqualsOne” almost took the lead until the physical challenge left them without a firewall enabled for a few critical minutes.
The fine line between security and functionality was tested by all teams, until finally a winner prevailed with Team “Defenders”. Their prize? A sense of what to do when they are under attack (which they really are, every day), the knowledge of how to harden their systems in the first place, and copies of CANVAS for each team member to take back to their real networks to make sure they have taken the right steps toward defending their actual flags.
Making our stand against attackers is something we must do with the help of the very attack tools that we are up against as defenders. Whether it is CANVAS, Core IMPACT, or Metasploit, the tricks of the trade are growing more sophisticated and easier to use each day. Defend The Flag is a program that can help educate the legions of Windows defenders, even in the face of tough choices when it comes to their ability to run the latest and greatest versions of all software. In the hands of a defender, these are part of a necessary suite of tools and techniques to help tip the balance toward keeping systems and networks secure.
In a world where roguery abounds, we as defenders must be doubly prepared to meet the challenges as they arise.
- Katie Moussouris
For more on this and Black Hat, join the conversation at http://twitter.com/k8em0
One researcher, one community, one hacker at a time we are building a community-based defense to help secure our customers, our partners and the Internet.
The Microsoft EcoStrat (Ecosystem Strategy) team, part of Microsoft's Security Response Center (MSRC), operates at the intersection of technology and people. We strive to understand how vulnerabilities affect the Internet as a whole. This blog is our opportunity to talk about our work within some of these ecosystems, from the front lines.
As a member of the team, the thing I love most about this job is solving complex security issues with the people we get to engage with all across the world as part of the "security ecosystem," that is, the interconnected pool of security researchers, guidance providers, and some who would consider themselves hackers. Many of them run the networks and infrastructures of the world's largest security software companies, and conduct research for fun and profit. These people find and report vulnerabilities, exploit vulnerabilities, fix vulnerabilities, protect customers and keep us on our toes.
A lot of what drives us is our aspirations, our hopes, if you will. Our hope that by bringing together people and policy within different organizations, we can increase trust, better defend our ecosystems and ultimately help secure our planet from malicious software threats.
Our hope is that, by being more transparent about our work in various security ecosystems and regions around the world, a message will be heard: Nobody can “secure the planet” on their own. No one product, no one company.
Knowing that, we work with a variety of communities around the world. Being a hub for many communities has its ups and downs, but the people and technology at these intersections are always interesting. Opportunities for collaboration abound, as do fire drills that can polarize our internal and external security communities. These broad interactions also expose us to all types of information and trends, improving our ability to be a harbinger of future threats, and to mitigate them by creating new intersections of technology and people.
The EcoStrat team’s next chance to interact with our security ecosystem is next week at Black Hat USA; we look forward to bringing commentaries and announcements from the Black Hat briefings.
- Sarah Blankinship