<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>MSRC Ecosystem Strategy Team : Microsoft Vulnerability Research</title><link>http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx</link><description>Tags: Microsoft Vulnerability Research</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Constants and Change</title><link>http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx</link><pubDate>Tue, 03 Feb 2009 08:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3196160</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3196160.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3196160</wfw:commentRss><description>&lt;p&gt;Microsoft has been talking about &lt;a href="http://blogs.zdnet.com/security/?p=1632" mce_href="http://blogs.zdnet.com/security/?p=1632"&gt;community-based defense&lt;/a&gt; for some time now. This week, I want to provide a personal dimension to the campaign, and give an update on recent activities. Curiously, as I started to write this post, a couple of phrases popped up, which despite being somewhat trite, seemed appropriate – "change is constant" and "the more things change the more they stay the same." &lt;/p&gt;

&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148859/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;The Crushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Andrew Cushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Security Director&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Cranberry juice (thanks Jay!)&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Super helpful hotel desk clerks (thanks Raoul?)&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;

&lt;p&gt;Over the last few years my outreach efforts have expanded beyond the security researcher part of the security ecosystem to include CERTs and other guidance providers, as well as security organizations and companies. My most recent activities, past and upcoming, give a view of that. &lt;/p&gt;

&lt;p&gt;Before we get into the trip report, though, I want to spend just a second on a couple of guiding principles and introduce some vocabulary. &lt;/p&gt;

&lt;p&gt;I attend a lot of conferences around the world. A number of years ago, I started referring to them as “watering holes” – like watering holes, security conferences are the places in the ecosystem that attract a diverse population focused on a common need. The most interesting conferences are the ones with the best “hallway track” – the ones that attract the most diverse and most interesting attendees also typically generate the most interesting hallway (or after-hours) discussions. &lt;/p&gt;

&lt;p&gt;My objective in attending conferences is twofold. First, I want to foster community support, help make connections between Microsoft and different parts of the ecosystem, and make bridging connections between parts of the ecosystem that might not otherwise mingle. Second, I want to stimulate conversation about shared problems, ensure attendees understand what Microsoft is doing, and promote discussion about collaborative solutions. &lt;/p&gt;

&lt;p&gt;In December, I was in Sao Paulo at DISI 2008 – Dia Internacional de Segurança em Informática; an event co-hosted by the Brazilian Army and FIESP – the Industry Federation of the State of Sao Paulo. This conference was interesting because of the community it brings together and the challenges unique to Brazil. I presented last year and delivered an embryonic call to action for community-based defense. I was very pleased to be able to return a year later and give an update that showed Microsoft’s progress. I pointed to programs like the Microsoft Active Protections Program (&lt;a href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;MAPP&lt;/a&gt;), the Industry Consortium for Advancement of Security on the Internet (&lt;a href="http://www.icasi.org/" mce_href="http://www.icasi.org/"&gt;ICASI&lt;/a&gt;), the &lt;a href="http://technet.microsoft.com/en-us/security/cc998259.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc998259.aspx"&gt;Exploitability Index&lt;/a&gt; and Microsoft Vulnerability Research (&lt;a href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx"&gt;MSVR&lt;/a&gt;) to demonstrate that we are walking the walk.&lt;/p&gt;

&lt;p&gt;January found me in California at a Bay Area security confabulation whose theme was “Partnerships: finding ways to energize a common defense.” The attendees came from across the industry and the security ecosystem. I found the hallway track(s) exceptionally valuable and especially enjoyed the discussion and presentations on cloud computing security. I presented on ICASI, and gave a behind-the-scenes look at its goals, formation, and current state. Microsoft, along with Cisco, IBM, Intel, and Juniper, formed ICASI in 2008 to drive excellence and innovation in security response and to promote effective industry collaboration to address the rising tide of multi-vendor security issues. &lt;/p&gt;

&lt;p&gt;Also in January, I volunteered (and was accepted :-)) to be the Program Chair for the 2010 conference organized by the Forum for Incident Response and Security Teams (FIRST). I’m a relative newcomer to the FIRST family and realize I have a fair amount to learn – the education starts at the next Steering Committee meeting in Miami and continues at the &lt;a href="http://conference.first.org/" mce_href="http://conference.first.org/"&gt;FIRST 2009 conference this June in Kyoto&lt;/a&gt;. I am very pleased by the warm reception and the opportunities this group has to influence and drive positive ecosystem change.&lt;/p&gt;

&lt;p&gt;I also took on a new role within TwC Security in January. I handed over responsibility for the monthly security update releases to Mike Reavey in order to better focus on understanding and addressing emerging security threats. The new job is completely different, yet very much still the same. You’ll continue to see me at conferences around the world; I’ll continue to be active in the industry and ecosystem; and I’ll continue to promote dialog about the changing threat landscape and what Microsoft can and should do to strengthen Community Based Defense. &lt;/p&gt;

&lt;p&gt;-Andrew&lt;/p&gt;
&lt;span class="sbmLink"&gt;
&lt;table cellpadding="1" cellspacing="1"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td class="sbmText"&gt;Share this : &lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.backflip.com/add_page_pop.ihtml?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to backflip" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/backflip4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/backflip4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.blinkbits.com/bookmarklets/save.php?v=1&amp;amp;source_url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to blinkbits!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blinkbit4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blinkbit4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.blogmemes.net/post.php?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to blogmemes" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blogmemes4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/blogmemes4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://buddymarks.com/s_add_bookmark.php?bookmark_url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;bookmark_title=Constants%20and%20Change" class="sbmDim" title="Post it to buddymark" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/buddymar4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/buddymar4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://complore.com/?q=node/add/flexinode-5&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to complore" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/complore4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/complore4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://del.icio.us/post?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;;title=Constants%20and%20Change" class="sbmDim" title="Post it to del.icio.us" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliciou4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliciou4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://de.lirio.us/bookmarks/sbmtool?action=add&amp;amp;address=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to del.iri.ous!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliriou4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/deliriou4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://digg.com/submit?phase=2&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to digg" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/digg14.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/digg14.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.dotnetkicks.com/kick/?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to dotnetkicks" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/CropperCapture154.jpg" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/CropperCapture154.jpg" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.furl.net/store?s=f&amp;amp;to=0&amp;amp;u=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;ti=Constants%20and%20Change" class="sbmDim" title="Post it to furl" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/furl4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/furl4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="https://favorites.live.com/quickadd.aspx?marklet=1&amp;amp;mkt=en-us&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to live" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/live4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/live4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://ma.gnolia.com/bookmarklet/add?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to magnolia!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/magnolia4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/magnolia4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://netvouz.com/action/submitBookmark?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to netvouz!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/netvouz4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/netvouz4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://reddit.com/submit?url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to reddit!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/reddit4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.shadows.com/bookmark/saveLink.rails?page=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to shadow" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/shadows6.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.spurl.net/spurl.php?v=3&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to spurl" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/spurl8.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://technorati.com/faves/?add=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to technorati!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/technora4.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://www.wists.com/?action=add&amp;amp;url=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;title=Constants%20and%20Change" class="sbmDim" title="Post it to wists" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/wists9.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;

&lt;td onmouseover="mOvr(this)" onmouseout="mOut(this)" class="sbmDim"&gt;&lt;a onmouseout="mOut(this)" onmouseover="mOvr(this)" href="http://myweb.yahoo.com/myresults/bookmarklet?u=http://blogs.technet.com/ecostrat/archive/2009/02/03/constants-and-change.aspx&amp;amp;t=Constants%20and%20Change" class="sbmDim" title="Post it to yahoo!" target="_blank"&gt;&lt;img src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png" mce_src="http://blogs.msdn.com/blogfiles/rahulso/WindowsLiveWriter/IconsfordifferentSocialBookmarkingSites_B387/yahoo9.png" border="0"&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;/span&gt;
&lt;p&gt;*Posting is provided "AS IS" with no warranties, and confers no rights.*&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3196160" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/CERT/default.aspx">CERT</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Community-Based+Defense/default.aspx">Community-Based Defense</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conferences/default.aspx">Conferences</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx">Microsoft Vulnerability Research</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Security+Ecosystem/default.aspx">Security Ecosystem</category></item><item><title>Black Hat Follow Up: Answering the Hard Questions</title><link>http://blogs.technet.com/ecostrat/archive/2008/10/14/black-hat-follow-up-answering-the-tough-questions.aspx</link><pubDate>Tue, 14 Oct 2008 09:01:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3136018</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3136018.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3136018</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148862/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;Silver Surfer&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Mike Reavey&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Director, MSRC&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; 
&lt;P&gt;It’s October! And for those who remember Black Hat 2008 in Las Vegas, this means the programs we &lt;A href="http://www.microsoft.com/presspass/events/blackhat/materials.mspx" mce_href="http://www.microsoft.com/presspass/events/blackhat/materials.mspx"&gt;announced&lt;/A&gt; have launched. These programs include the &lt;A href="http://www.microsoft.com/security/msrc/mapp/overview.mspx" mce_href="http://www.microsoft.com/security/msrc/mapp/overview.mspx"&gt;Microsoft Active Protections Program&lt;/A&gt; and the Microsoft &lt;A href="http://technet.microsoft.com/en-us/security/cc998259.aspx" mce_href="http://technet.microsoft.com/en-us/security/cc998259.aspx"&gt;Exploitability Index&lt;/A&gt;, which begin with today's October Security Bulletin Release. &lt;A href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx" mce_href="http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx"&gt;Microsoft Vulnerability Research&lt;/A&gt; also continues to run, as a formalization of our ongoing efforts as responsible researchers in the community.&lt;/P&gt;
&lt;P&gt;Following the announcement, there was a discussion on the &lt;A href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html" mce_href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html"&gt;Daily Dave security mailing list&lt;/A&gt;, where folks wanted to ask us more questions than were asked after we announced our three security programs at Black Hat 2008. We &lt;A href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html" mce_href="http://lists.immunitysec.com/pipermail/dailydave/2008-August/005306.html"&gt;responded&lt;/A&gt;, asking folks to send their questions our way.&lt;/P&gt;
&lt;P&gt;We didn’t answer some questions from the thread about future product development and our relationships with specific researchers. However, below are answers to questions about the three specific programs announced at Black Hat to make sure folks understand them fully.&lt;/P&gt;
&lt;P&gt;We appreciate the feedback on these programs. They are all focused on increasing collaboration and information sharing to tilt the advantage in the favor of the defenders of networks as they combat attackers.&lt;/P&gt;
&lt;P&gt;So, here are the questions, and the answers:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Questions about Microsoft Active Protections Program (MAPP)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;1. Can you fully define 'offensive' or 'attack' software? Is a security assessment tool that does not exploit categorized as such? Consider a tool like nmap or Nessus, would that discount Fyodor or Tenable?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Of course, absolute definitions in this space are challenging. However, an example of pure offensive or attack software is any software that weakens, for a prolonged or permanent period, the security integrity of a system in order to either exploit it or pilfer from it (steal data, credentials, or toeholds for further exploitation, such as rootkits). Tools like MPack would be one example I would categorize as a pure attack tool. With that said, Nessus or Nmap (tools many of us here have used when doing security consulting) would not be considered pure offensive/attack tools. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;2. What if a company makes multiple products, some aggressive and some passive? eEye or Tenable would be examples, where each has defensive products designed to act as IDS/IPS as well as assessment tools.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;We would still allow such a company, provided they met the criteria, in the MAPP. They would still have to abide by the criterion that states that "protections" built with MAPP data must be held until the security update is publicly released. This ensures that someone doesn't get the signature, reverse engineer it to discover the issue being updated, and then release proof-of-concept (PoC) code for it. Now, I think where you are going is that there is a potential that the same company can use this information in their assessment products prior to the release of the security update. This is correct, but it would be a violation of the MAPP agreement, and if discovered, we would terminate their membership. However, early on we realized that assessment tools play a big role in the enterprise and consumer security space. We will continue to work on this area. Right now, we’re focused on giving customers better active protections as they work to deploy our security updates. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;3. What about companies that clearly make defensive products, but also have other questionable activities? Consider TippingPoint, which has an IPS solution, but also does the ZDI Initiative, where they share (sell) vulnerability information to their clients.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;We would evaluate their defensive business first and do a risk analysis of other activities to ensure that it does not harm the same customers we are trying to protect. This is not a "pure" solution, but it is a real-world one due to the nature of some security firms’ business practices. If at any point any MAPP member is found engaging in activities that hurt our customers, they will be removed immediately. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;4. If an organization is found to have leaked information inappropriately, what are the consequences? Being kicked out of the cartel seems like a given, but by potentially putting millions of computers at risk prematurely, would Microsoft also pursue the company legally?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;The company would be removed from the MAPP immediately. I can't speak on any legal action but I can imagine our legal department would review the matter. Also, please remember that one of the key operational goals of MAPP is to provide information “just-in-time.” Therefore, any negative actions only have a short window before the updates themselves are released for customers. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;5. Would Microsoft comment and give a rough number of companies that have been accepted into MAPP to demonstrate the interest?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;The MAPP has been receiving a fair number of applications, as you can guess. We are still processing and getting people officially in, so no definitive numbers are available yet. Rough guesses are still matching up to what I said on the stage of about 20 to 40 companies by launch. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Questions about Microsoft Vulnerability Research (MSVR)&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;6. Are these people finding third-party vulnerabilities also looking at Microsoft products?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Yes. The people looking for third-party vulnerabilities are primarily in our security engineering teams, and they do look for vulnerabilities in our own products, along with conducting other security research and response activities. Some vulnerability finders within Microsoft are in other teams with other responsibilities, such as in various product teams. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;7. Is this done using automated tools (proprietary or otherwise), by hand or a mix?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;A mix. An overall goal of MSVR is not only to help increase security by finding instances of vulnerabilities that are present in third-party software, but also to share the methods we’ve learned for uncovering these vulnerabilities. So if we can identify an opportunity, we will also share the principles and methodology we’ve developed as part of the Microsoft Security Development Lifecycle (SDL), which can include tools and manual techniques. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;8. What disclosure policy do you adhere to, and is it published?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Our goal is to follow the OIS guidelines, found here: &lt;A href="http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf" mce_href="http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf"&gt;http://oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf&lt;/A&gt; . &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;9. Once the vulnerability is fixed, vendors frequently issue advisories or mention the fix in a changelog and credit the person/company who reported it. Can you cite a single example of this? If not, why not?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;Yes, we can. Engineers at Microsoft had been reporting vulnerabilities to third-party vendors long before MSVR was founded. MSVR is both a formalization of how we handle vulnerabilities that are casually found during the course of someone's normal work (as was the case for years), as well as an expansion of research focus to third-party software specifically to look for vulnerabilities. Before MSVR, finders at Microsoft either reported the issues they found to the vendor directly, or asked the MSRC to help them do so. They are individually credited in the affected vendor's advisories. Try searching for Tom Gallagher in some ISVs’ security bulletins. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Question about Microsoft Exploitability Index &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;10. If there are only a handful of people who can make a reliable exploit for a particular vulnerability (or not) and none of them work for Microsoft, how can Microsoft accurately determine whether an exploit for a particular vulnerability will be somewhat reliable or totally reliable (or not possible at all)?&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;This question makes a good point: much of the Exploitability Index’s accuracy depends on who is doing the work rather than on a strict scientific methodology. We realize there’s a chance we won’t be 100% right all the time. However, we’ve done a few things to try to make sure the index is accurate enough to meet its goal of giving customers more actionable information for prioritizing their deployments. &lt;/P&gt;
&lt;P&gt;First, the rating is most relevant for the first two weeks to 30 days after release. Exploitation techniques may change over time, and there may be private methods under discussion, but for customers making deployment decisions it should provide enough information to support a more informed prioritization than before. Second, the Security Vulnerability Research and Defense (&lt;A href="http://blogs.technet.com/swi/" mce_href="http://blogs.technet.com/swi/"&gt;SVRD&lt;/A&gt;) team works on each vulnerability from its initial report until the release, and they assess exploitability as part of their normal process. &lt;/P&gt;
&lt;P&gt;That’s not all: we’ll also follow methodologies discussed at &lt;A href="http://technet.microsoft.com/en-us/security/cc182199.aspx#EY" mce_href="http://technet.microsoft.com/en-us/security/cc182199.aspx#EY"&gt;BlueHat conferences&lt;/A&gt;, so we use approaches similar to those the community uses when analyzing our updates. And finally, we’ll leverage the community established through MAPP to check our work before we release the index. With these three layers of people and processes, we expect the Exploitability Index to provide valuable information to customers in their decision making. &lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;- Mike Reavey&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confer no rights.*&lt;/P&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Conferences/default.aspx">Conferences</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx">Microsoft Vulnerability Research</category></item><item><title>Leaving Las Vegas: A Black Hat Salute</title><link>http://blogs.technet.com/ecostrat/archive/2008/08/08/leaving-las-vegas-a-black-hat-salute.aspx</link><pubDate>Fri, 08 Aug 2008 09:00:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3102686</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3102686.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3102686</wfw:commentRss><description>&lt;P&gt;&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148859/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;The Crushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Andrew Cushman&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Security Director&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Cranberry juice (thanks Jay!)&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Super helpful hotel desk clerks (thanks Raoul?)&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/P&gt;
&lt;P&gt;What can I say? Once again, Black Hat did not disappoint. And that’s not just post-party speak. The conversations were good, the input was invaluable, and the support for the new programs we launched—well, it’s been overwhelming. The vibe in the MSRC “Helping Secure the Planet” presentation was great, the audience was engaged and had plenty of questions and Mike, Katie and Steve demonstrated the depth of talent and commitment in the MSRC. We’re excited to take that momentum and move it forward.&lt;/P&gt;
&lt;P&gt;Our hats are off to the awesome Black Hat team for putting on another great conference. I only wish I could have made it into more sessions. Among briefings with media on our news, reconnecting with old friends and making new ones, and fielding a steady flow of invite requests for the party, the time just flew by. But hey, I did manage to introduce Rod Beckstrom for his keynote and got a tweet in on that.&lt;/P&gt;
&lt;P&gt;And how about Twitter? I didn’t imagine I would enjoy it so much and who'd have thought it would drive so much conversation at the show? We had fun participating and watching the discussions unfold. It’s been a great channel to share news and carry on further about some of the presentations and event happenings. I especially enjoyed Ryan Naraine’s play-by-play at the Pwnie Awards.&lt;/P&gt;
&lt;P&gt;And about the Pwnie Awards, I want to echo my thanks for the “Most Epic Fail” Honorable Mention. Rest assured we’ll be back next year with the same commitment to security engineering! &lt;/P&gt;
&lt;P&gt;I’m also really excited about our new EcoStrat blog (&lt;A title="http://blogs.technet.com/ecostrat/" href="http://blogs.technet.com/ecostrat/" mce_href="http://blogs.technet.com/ecostrat/"&gt;http://blogs.technet.com/ecostrat/&lt;/A&gt;). The team has written some great posts. The blog gives the EcoStrat team an opportunity to “show our work” and provide a good look behind the scenes at what we’re doing and how we’re working with the broader security community. We will continue to take advantage of such opportunities to keep the dialogue going.&lt;/P&gt;
&lt;P&gt;This week really has solidified a fundamental shift for Microsoft and it’s been refreshing to see that shift in perception and reception towards us at the conference—from what used to be a focus on free drinks and invites to a genuine interest in what we’re offering and how we’re engaged in the security community. &lt;/P&gt;
&lt;P&gt;I’m sure good times were had by all here at the show, and our hope, and commitment, is that what happened in Vegas, particularly what we announced in Vegas, does not stay in Vegas. &lt;/P&gt;
&lt;P&gt;- Andrew Cushman&lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confer no rights.*&lt;/P&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/EcoStrat/default.aspx">EcoStrat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Exploitability+Index/default.aspx">Exploitability Index</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Active+Protections+Program/default.aspx">Microsoft Active Protections Program</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx">Microsoft Vulnerability Research</category></item><item><title>Threats in a Blender, and Other Raisons d'être</title><link>http://blogs.technet.com/ecostrat/archive/2008/08/07/threats-in-a-blender-and-other-raisons-d-tre.aspx</link><pubDate>Thu, 07 Aug 2008 15:35:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3101788</guid><dc:creator>msrcecostrat</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/ecostrat/comments/3101788.aspx</comments><wfw:commentRss>http://blogs.technet.com/ecostrat/commentrss.aspx?PostID=3101788</wfw:commentRss><description>&lt;div class="author"&gt;
&lt;img src="http://blogs.technet.com/photos/msrcecostrat/images/3148861/original.aspx" /&gt; 
&lt;b&gt;Handle:&lt;/b&gt;&lt;br /&gt;k8e&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;IRL: &lt;/b&gt;&lt;br /&gt;Katie Moussouris&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Rank: &lt;/b&gt;&lt;br /&gt;Senior Security Program Manager&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Likes: &lt;/b&gt;&lt;br /&gt;Cool vulns (responsibly disclosed of course), girls with soldering irons, Spanish tapas, quantum teleportation&lt;br /&gt;&lt;br /&gt;
&lt;b&gt;Dislikes: &lt;/b&gt;&lt;br /&gt;Rudeness, socks-n-sandals, licorice&lt;br /&gt;&lt;br /&gt;
&lt;/div&gt; 
&lt;P&gt;There are times when one must look toward the best interests of the customers above any competitive strategies. Security is one of those themes that has the power to unite teams across company boundaries. As the EcoStrat team builds and strengthens relationships with researchers and partners, we are sometimes faced with unique challenges that we’ve never encountered before. &lt;/P&gt;
&lt;P&gt;In the days of the big worms, we as a company and an industry had to rise to the occasion. Today our challenges have evolved and are a great deal more complex. As we as a collective industry rise to the occasion once again, our awareness and response must evolve as well. &lt;/P&gt;
&lt;P&gt;Enter the dawn of the Blended Threat. Mix one part third-party vulnerability with one part Microsoft vulnerability (and blend over ice) – it sounds like a drink vying to replace the Mojito. &lt;/P&gt;
&lt;P&gt;It’s not as though these types of threats didn’t exist before, but much like format string vulnerabilities that had been lurking in code for years, no one had been talking much about blended threats in a widespread way – until now. Sure, AV vendors used the term, but they were speaking of malware displaying multiple characteristics and using several techniques to achieve its goals. We’re talking about vulnerabilities that are composed of two or more less severe vulnerabilities. &lt;/P&gt;
&lt;P&gt;It started not with a bang, but with a whisper: a couple of researchers each independently reported two low/moderate severity issues to two separate companies. On their own, they seemed to both companies to be relatively low-risk. But the researcher who reported the issue to us thought of combining the two vulnerabilities to allow remote code execution. &lt;/P&gt;
&lt;P&gt;In a historic collaboration, both companies came together against our common enemy: security threats. &lt;A href="http://www.microsoft.com/technet/security/advisory/953818.mspx" mce_href="http://www.microsoft.com/technet/security/advisory/953818.mspx"&gt;&lt;FONT color=#517380&gt;Microsoft Security Advisory 953818&lt;/FONT&gt;&lt;/A&gt; was born of this blended threat, and the Ecosystem Strategy Team was there with a new initiative, announced today at Black Hat: &lt;B&gt;Microsoft Vulnerability Research (MSVR)&lt;/B&gt;. &lt;/P&gt;
&lt;P&gt;Microsoft Vulnerability Research was created as part of the evolution of Microsoft Trustworthy Computing’s work in Security Response, SDL and Security Science. This program is one of the company’s many efforts to improve the security not only of Windows, but of the entire Windows ecosystem, by responsibly researching vulnerabilities in the third-party software most commonly used by Windows customers. While the vulnerabilities will usually come from original research at Microsoft, the program will also handle third-party vulnerability coordination for blended threats reported to us by responsible researchers, as was the case with &lt;A href="http://www.microsoft.com/technet/security/advisory/953818.mspx" mce_href="http://www.microsoft.com/technet/security/advisory/953818.mspx"&gt;&lt;FONT color=#517380&gt;Microsoft Security Advisory 953818&lt;/FONT&gt;&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;So what's really news here? If we've been practicing responsible disclosure for years, why are we making a big deal about it now? Well, think about when you've performed a penetration test on a company's application and you happen to find a vulnerability in the underlying commercial database. That's traditionally how we used to find third-party vulnerabilities: through the course of our normal security work. Now, with MSVR, we're expanding our security research focus to specifically look for third-party vulnerabilities. &lt;/P&gt;
&lt;P&gt;The MSVR program will formalize the company’s responsible disclosure efforts of working directly with affected vendors, confidentially providing them specific vulnerability information and helping them to create updates. &lt;/P&gt;
&lt;P&gt;So in the case of this recent blended threat, MSVR allowed us to coordinate with the finders, with teams across Microsoft and externally, and across the companies to ensure the best possible outcome for our mutual customers. Technical contacts, PR contacts: all were involved in this effort. It was new ground for all parties, as we had never attempted a joint response to a mutual security threat that was born of smaller vulnerabilities from each of our products. &lt;/P&gt;
&lt;P&gt;We are often asked what our team does. This is part of it. We are the ones who can fast-track security responses that affect not just our users, but users of other people's software, to make a significant impact on the safety of the entire Windows ecosystem. We help make the impossible possible. We do it with a *lot* of help from our friends, and some from our rivals. One thing is certain: while this incident may have been the first, it will not go down in history as the last. Blended threats are the new black. And we will all collectively have to become the new Chuck Norris. &lt;/P&gt;
&lt;P&gt;Like the countries of the world uniting against a hostile alien invasion, we of all people understand that we can't do it alone. We rely on the kindness of researchers, competitors, partners, and strangers to make it all come together to help us secure our ecosystem. We are irrevocably intertwined, and so the threats that face us all are blended by their very nature. &lt;/P&gt;
&lt;P&gt;My name is Katie Moussouris, and if I am Leia, the security ecosystem is my Obi-Wan Kenobi. &lt;/P&gt;
&lt;P&gt;Help us, Obi-Wan Kenobi, you're our only hope. &lt;/P&gt;
&lt;P&gt;For my final thoughts on Black Hat and more, come join me at &lt;A href="http://twitter.com/k8em0" mce_href="http://twitter.com/k8em0"&gt;&lt;FONT color=#517380&gt;http://twitter.com/k8em0&lt;/FONT&gt;&lt;/A&gt;. &lt;/P&gt;
&lt;P&gt;*Postings are provided "AS IS" with no warranties, and confer no rights.*&lt;/P&gt;</description><category domain="http://blogs.technet.com/ecostrat/archive/tags/Black+Hat/default.aspx">Black Hat</category><category domain="http://blogs.technet.com/ecostrat/archive/tags/Microsoft+Vulnerability+Research/default.aspx">Microsoft Vulnerability Research</category></item></channel></rss>