
Hello, thank you very much. I hope you've all had a very good BSides. If you have, how about a clap for BSides?

So, Finux, okay, let's do this then. How many of you have heard me speak before? Okay, you know the people around you don't know how much swearing is about to happen, right? Okay, I'm Scottish, so what that means is when I exhale I swear, and I'm not [ __ ] joking. So if you are easily offended by robust language, it'd be a good time to leave. Okay, so this is why I don't use tech... ah, run, slide progressor, that's why. So who am I? Well, my name's Arron. I work for a company called Alba13. You've all watched me grow over the years; I'm now a Chief Security Officer,
which means that I get to troll at a C-level position. You can get me at Finux. We do do some podcasting occasionally, and I quite a bit, but it's just because I love you. So I'm going to talk about network intrusion prevention systems, or "the dead technology" as we like to call it. You know, this technology that... there are probably people who haven't come to this talk because it's about IPS, right? Like, oh no, no, no, IPS, IPS is [ __ ], it's [ __ ], it's [ __ ]. And yet in 2010 Gartner believes that on standalone IPS products 989 million, so we'll just say a billion between friends, was spent on standalone
IPS products. Okay, a billion dollars for a dead technology in 2010. Finux, why are you picking on 2010? Well, 2010 is the beginning of the European recession; we bail out two European countries in that time. I used to think a billion dollars was a big number, like, yay, a billion dollars. You know, let's give some context to that number. And then someone told me, do you know, on average the Americans spend a billion dollars a year on chewing gum. So maybe it's not so big after all. But I'm going to talk about IPSes. Anyone that's known me will know that I've spent a large portion of my career focusing on IPS, but not at a
vendor layer but as a tester, because we have an industry that spends billions and billions and billions of dollars on products that don't work. Okay, yay, I've told you something you didn't know. In other news, water is wet, right? NSS.

Well, I watched a very, very interesting talk a little while ago from a guy called Johnny Flynn, who is part of the detection team at Facebook, and what he did is he went through the Gartner and Verizon reports and so on and so forth, and it was all very interesting. So it turns out, if you don't detect a compromise straight away, the likelihood is it's going to be between 18 to 24 months before you
pick it up. Okay, so out of those compromises in the Gartner report that were picked up later on, nearly half of those that were picked up were nothing different than a user going, oh, my system isn't working the way I expected it to work. Basically the smell test; it's just something that doesn't feel quite right. Nearly half the compromises in the Gartner and Verizon reports are literally users saying "it's not working". After that, the next biggest indicator of compromise is third parties. What do you mean, third parties? What I mean is the bank calling you up and saying, hey, why are you transferring $50,000 to Malaysia? We think you might be compromised. Think you might be
right. After that, in detecting compromises, 88.5% of the time: random log review. Have you noticed that the IPS guy talking about IPS hasn't mentioned IPS in the compromise part yet? Of detected compromises, 3.5% of the time an IPS picks up a compromise. So let's just bring this a little bit back: a random person randomly checking random logs is more successful, randomly, than a multi-billion dollar industry. So I'm telling you stuff that you already know, let's be honest with you. I'm not showing you the bright light. You know what happens is we have an industry where we as security professionals allow an industry to suck. Okay, how many of you... I learned this
lesson in Austria, by the way, so you can blame the Austrians for this. Can you all raise your hands for a second? Every single one of you; I'm going to name and shame you if you don't, okay, I'm looking. Keep your hands up if you have ever had to deal with an IPS vendor. Right, keep your hands up if you ever had to deal with an IPS vendor. How many of you were able to get a straight answer about detection rates? Oh look, why is it that no one has their hands up? Because they don't talk about it. It's about throughput. You know, I buy a very expensive piece of detection capability and you're going to talk to me about the
10,000 simultaneous connections that you can make. [ __ ] awesome, thanks. But we can handle 10 gig full duplex. That's brilliant, but what can you detect? But we can have 50,000 simultaneous user profiles. Yeah, shut the [ __ ] up, what is it that you detect? You notice they don't tell us. We have an industry, a multi-billion dollar industry, that does not sell on detection. Okay, the clue's in the name: intrusion detection systems. We don't talk about detection. It's like a cartel, you know, the IPS Club. The first rule of IPS Club is you don't talk about detection rates. What do we think the second rule is? Don't talk about detection rates. So if we have a concept about what
intrusion prevention systems... a similar market: we're talking about sports cars where the vendor sells it on the GPS, not how fast it goes. Okay, so can you imagine buying a Ferrari. How fast does it go? Oh, we've got a great GPS system. Yes, but how fast do you go? Yeah, we've got air conditioning. How fast do you go? No, no, we've got a great surround sound stereo with USB. You know, we have an industry where we allow that. Most of us know these systems suck, and what do we do? We allow them to suck. We don't question it, because they're [ __ ], that's how we do business. We accept the
failure. The problem is that in an IPS context some stuff is really difficult to detect, right? Detection is not an easy business by any stretch of the imagination. How many times do you think I get asked: if we worked out detection rates for IPS, do we not think the industry would become like the AV industry? I swear to God, if I just had a Bitcoin every time I was asked, I wouldn't be here, ladies and gentlemen, I would be on my island. But the problem is that we don't verify how effective they are. The problem is there's a lot of things that they have to do. Protocols are a complicated business.
Okay, detection is not simple. So in '96 we start to see what we consider the heyday of breaking IDSes. Okay, Newsham and Ptacek release a paper, and it is the beginning of the end for, you know, the system that detects all the things and will save the Cyber Kingdom from the cyber bad guys. Cyber cyber cyber, right? '96. And what happens is we have a heyday in messing around with protocols, and a lot of the stuff is within the realm of what's acceptable within a protocol against what isn't acceptable in a protocol. So we have this rule, I'm going to talk a little bit about it later on, but when you're a
protocol implementer you have this rule where they basically say "send conservatively but receive liberally", which means be very, very specific in what you send out, be very, very open in what you allow. Which sounds [ __ ] awesome until you're the poor bastard that actually has to detect [ __ ] in that mess. Okay, these are some IDS evasion techniques that were available during '96. This [ __ ] still works, okay. And if you look at some of the things that an IDS has to do... so an IDS, someone once said to me, an IDS has to be like a web server. Really, why does an IDS have to be like a web server? Well, an IDS has to
understand web attacks. Well no, an IDS has to be like every [ __ ] web server then, because implementations are different, and never mind the protocol issues.

So in HTTP there's one of the first beautiful attacks, an evasion against the IDS's static string analysis. That's how these things work: we take a string and if it looks bad we do an alert. What could possibly go wrong? Well, what could possibly go wrong is, if you can imagine a GET request, okay, HTTP, you know, GET blah blah blah evil payload HTTP/1.1. Okay, that nice little simple string. Well, if you see an invalid HTTP version, dot... this was an evasion
technique that was discovered in '96, where you see the bit that says HTTP version 1.1, apparently, and it still does work from time to time: if you change the dot to a comma, the static string analysis doesn't work anymore, because they hadn't written a rule that covered that damn invalid version numbering. Because remember, the key word here is send conservatively, receive liberally. So what's happening is the implementation is saying, you obviously meant a dot, you didn't mean a comma. Okay, invalid version number. What's the highest HTTP version that you can get? 1.1. Well, it turns out that if you do a version request for 1.8 you don't get an error condition, you just get the next
available HTTP version, which is 1.1, and nothing happens. What do we think happens to static string analysis at this point? It's not there, it's over. Directory self-referencing: how many of you are web application testers? Dot, dot, dot, dot. Who would have thought that [ __ ] would have worked on IPS? Apparently [ __ ] does. But you have to look at some of the issues that we have here. Some of this stuff is just being a bit freaky with the protocol, you know, doing something a bit cheeky, right? And as a kindred spirit of Loki I can appreciate being a little bit cheeky. But when you look at chunked HTTP, chunked, this is when you really start to
realize the issue. So when we look at compression in HTTP requests, what happens is, generally, if you use gzip or deflate or something like this, what happens is it tells you the length of the payload that's coming. Okay, because that's really [ __ ] handy, like, hey, I know how much data I'm going to get, awesome. And it's easy for an IPS that says okay, I know how much data I'm going to get, this is how much I'm going to buffer. But HTTP chunked, you don't have that. Okay, what you have is the potential for a stream to continually go on and on and on and on and on. There is no, at the
beginning packet, there is no "this is going to be 2 meg". Okay, it is chunked data that is just sent and sent and sent and sent. Now let's think about this as an IPS. We have two options: we buffer everything and then we analyze it once we think the buffer is full, like we've got the full payload. What could possibly go wrong? If you give me an unlimited amount of storage on your IPS, I can guarantee you you're going to fail open in about two minutes. Or you say, hmm, okay, maybe there was something there, who cares. What do you think actually happens? Who cares, that's what happens. We still can't fix the chunked problem because the protocol allows us
to do this. Why don't we block HTTP chunked? Why don't we do that? That's a good idea, yeah? No. If you do this you basically break pretty much all of the streaming protocols online. Your users are going to [ __ ] love you when you can't use YouTube anymore. That's what you get for doing that. But this is the protocol that our IPS industry has to deal with, and yet what we do is we don't talk about these problems. We just say IPS is [ __ ] and we let them get away with it, and we don't test them on the important stuff. There is not a solution, but it doesn't mean we get to
pack up shop and go home. We still have to do stuff.

Random-case URLs, this is [ __ ] beautiful, right? It turns out, who would have thought it, that case sensitivity on a Windows system is different than case sensitivity on a Linux system. Right, of course, Finux, we know this. So static string analysis on a Windows system: I could just put it all in capitals, and if you've got your static string in lower case, guess what, I'm going through your static string analysis. Makes a difference on a Windows system... no, it makes a difference on a Linux system but it doesn't make a difference on a Windows system. Okay, well, what we're going to do
then is we're going to look for Apache, right? Because, you know, it's Linux, Apache, LAMP, yay, right? But you can get Apache on a Windows system, and the problem is that now you have an Apache deployment that is either case sensitive on the Linux box or case insensitive on a Windows box, and you somehow, as an IDS, are protecting the world, because, you know, we stop all the zero days, APTs and all those lovely three-letter abbreviations. A lot of interesting issues, and what they boil down to ultimately, a lot of these HTTP evasions boil down to protocol ambiguities. "I like my protocols ambiguous." For those of you who are wondering,
that's Colin McLean, the beloved Dr Hacker from Abertay. I notice he's not here, so [ __ ] him. That does not surprise me; the father is drinking already. Okay, but protocol ambiguities. What I've just talked about, about systems having differences, we're just talking about the OS. Then we talk about what the protocol can get up to, because what I can tell you, ladies and gentlemen, is if you go to an RFC, okay, a Request for Comments document that's supposed to clearly lay out how a protocol works, yeah, they're not actually very good at doing that. Case in example: TCP, one of the most important protocols that we have, has so many [ __ ] gray
areas in the RFC that it will continue to keep on giving us IDS evasion techniques until we find something else. Such as: you're able to send segments in TCP, and in IP we call those fragments, but in TCP we use segments, and you can rewrite a data stream mid-transit by moving the segments about, the offset. They're not ordered; they tend to be sent ordered, TCP segments, but theoretically they're designed not to be sent ordered. Okay, so what you can do is you can rewrite packets mid-transit, but it's not clearly defined in the protocol which offset takes precedence. Okay, they don't clearly define this. So who would have thought it
that two competing operating systems would do things differently? Who would have seen that coming? Of course, poor little IPS, multi-billion dollar industry, has to work that [ __ ] out. So Windows will always favor newer data over old data, and you bet your ass Unix will do completely the opposite. Hey, we didn't see that coming, did we? Woohoo. So not only now do we have things within a protocol that we can do that is a little bit hinky, we also then have to deal with the areas within a protocol that are not clearly defined.

Such as, an interesting story: so there is a type of attack called an insertion attack, and what happens here is you
insert extra packets into the stream to camouflage what you're up to, and it turns out the IPS vendors were not checking the IP checksum in the IP packets; they were just accepting it. So what we figured out was that you can send packets that we know, as soon as you hit an internet router, because the protocol clearly defines that you need to drop a packet with an invalid checksum, right... a couple of years before we worked out how bad we [ __ ] that one up. So you're able to hide, like, you know, put in extra packets, so "evil payload HTTP" didn't read that anymore. But the minute that it
hit an internet-facing router, all the camouflage disappeared. So not only do we have a system now where we have protocols that are not clearly defined, protocols that are dependent on the operating systems around them, we also now have a situation where we have implementers, or people implementing parsers of protocols, that are ignoring RFCs. Case in point: Fitbit. How many of you use Fitbit? Wow, who would have thought geeks don't do Fitbit. We don't conform to a stereotype whatsoever. So this is the interesting story. The protocol clearly defines that in a HTTP request you have a user-agent string: hey, I'm Firefox. You know how we all get [ __ ] over on an Android device
because we'll go to some site and go, ah, download our app. No, we don't want to download your app; I've just completely forgotten what your web request is, but hey, download our app. We have this all the time, but this is through the user-agent string. So Fitbit decided, we don't need a user-agent string, [ __ ] that [ __ ]. So you have this little Fitbit device that counts your footsteps, calls back home to a little web server. I'm sure you've all seen the tweets; that's when we know our friends are lazy. It's like, you've taken five footsteps, you don't really want to be tweeting that [ __ ]. You know, if you've walked three miles then
we'll pat you on the back, but otherwise... So Fitbit sends its data up into the cloud: you've walked this, woohoo, cloud all the things. Problem is that Fitbit devs are a little bit lazy; they haven't put a user-agent string in. You know who else is a little bit lazy? Malware authors. They don't like to put user-agent strings in. So what do you think happens when you have a Fitbit in an area that may be guarded by a Snort box? Hey, we're being attacked by Chinese malware! No, your users are just walking. Right, it's all good, the Cyber Kingdom's safe, brother, don't worry, it's all good. No need for the cyber fire
trucks and the cyber war, we're okay. Right, so now, just before I've started, we've covered just the interesting fact that we now have protocols that are ambiguous, that are hard to understand for us; we have people writing protocols that don't conform to the protocol; we have operating system issues as well as application issues; and this multi-billion dollar industry somehow has to detect stuff. But we give them a blank pass because, [ __ ] it, it's a dead technology. We don't test them, we don't push them. As I said earlier, the real issue here is send conservatively and receive liberally. Well, if you stop that from happening then we break parts of the
internet. And let's not even get into some really, really interesting stuff. So the beloved Steve Lord of 44CON, who isn't here either, so [ __ ] him too, once tweeted me and said, the '90s called, we want your frag, flag and source port tricks back. They're like, you can't [ __ ] have them, I'm still using them, right? And it's true. So we've gone through some of the issues in protocols, but what's really interesting is '98 sees this really big push in really playing about with a protocol, doing some hinky stuff. So we talked about offsets with packets; we say okay, we can rewrite packets and that's all confusing. Then let's talk about
flags. So if I send a packet that rewrites a packet but they both have a flag that happens to be different, which one takes precedence? Surprise, surprise: not clearly defined in the protocol. So it turns out that if I put in one packet that's being overwritten that's got an invalid timestamp, but in the other packet I don't, how it's going to be interpreted can be changed. The problem with this is that the poor implementers, in this case the IPS industry, and it's not often I say "the poor implementers of IPS", I can assure you, right, but these guys have to work it out, and they [ __ ] up quite a lot, really, really
bad. This old-versus-new issue is an issue that we're still going to get played out; it's still going to happen, we're still going to see it.

Do you know... oh, I nearly lost the microphone then. So, do you know, how many of you, raise your hands again [Music], everyone, I'm making sure you've all got... you've not got your hand up, come on, I told you, I did warn you. How many of you know Nikto, the web scanner, Nikto? Keep your hands up if you do. Pardon? That counts, it's okay. So how many of you have heard of a thing called LibWhisker? LibWhisker. LibWhisker is the library that does the IDS evasion
techniques in Nikto. How many of you knew that Nikto does IDS evasion techniques? That's because you've been to one of my talks. [Laughter] That's the beloved Chris, Chris over there, Chris John Riley, he's really awesome. So Nikto has a lot of IDS evasion techniques that are all kind of based on this 1996 paper. It's all running there. A lot of people say to me, where am I going to get IDS evasion techniques? Nikto, Metasploit, a few other tools, they're all there, okay, they're all good for the hood, they're all there. But all of this stuff is really based on a '96 kind of
protocol stuff. Well, it turns out we have a solution. You've got to love the IPS industry, right? Faced with a problem, what they do is get a new product, right? You've got a lot of them, you've completely [ __ ] up the protocol stuff, that's okay, we have a new product, trademark. Okay, let's talk about protocol normalization. Right, protocol normalization: it's basically... how many of you have seen the scene in Aliens where they basically turn around and say, I think we should nuke it from orbit, it's the only way to be sure? That, ladies and gentlemen, is protocol normalization. So how do you get an IPS... the problem with IPS is it's incapable
of knowing what's happening with the endpoints, right? It doesn't know if the packets being sent are going to go to a Linux box or a Windows box, so on and so forth. It doesn't know that. Well, it can fix that problem by being the endpoint. What I'm going to do is I'm going to rewrite all the packets, and I'm going to then analyze the rewritten data stream, and then I'm going to send that data stream off to the endpoint. So basically it nukes it from orbit, okay, because it's the only way to be sure. But ladies and gentlemen, we're talking about an industry that [ __ ] up
horrifically, now rewriting packets on your network. Woohoo, I feel confident. Sure you do.

I went on site recently, well, about a year ago, and I did an IPS test. I love IPS tests that start with: we'd like an IPS test. Okay, what would you like to know? Well, we'd like you to test the IPS. Yeah, granted, I get that, but what do you want to get out of the test? We want you to test the IPS. Yeah, okay, you can stop repeating "IPS", I get this, but what do you want to know? Well, we don't know. Well, in that case... Yeah, it's an IPS, you know, what is it that you want? It's got blinky lights,
it's cool, it's fine, it's an IPS, it's all good. So I go on site, and you know it's going to be good... that started, and then, secured location. I'll not tell you about the police officer because that was quite funny too. So I get there. You know it's going to be a good test at a secure location when your chaperone says, I could do without this today. Like, hey, I've just flown in from [ __ ] Scotland, we're doing this [ __ ] or you're getting billed, I don't give a [ __ ], but either way I'm here, so use me. So I'm talking to the guy and I'm saying to him, hey,
you know when they installed the... First off I'm like, okay, take me to your data store, which one's your IPS? And he walks up to the data cabinet, pulls the data cabinet up and he says, I think it's that one. And I'm like, you think? Nice, cool. How did the handover work? Oh, that was really easy, like, a team came in and they plugged it into the data rack and then they walked back out again, see you, pal. And that was the installation at a secure location in the UK. Okay, you have no idea what these people do, but trust me, you should be [ __ ] scared. Right, they have no idea what their IPS does. I
say to them, cool, so I've had a look at your IPS stuff, I'm going to tell you some stuff about it, but if you ever have network problems, do you ever check the logs on the IPS? No, we don't. Okay, you do understand that this thing rewrites packets on your network, right? Does it? Yeah. Really? Yeah, really, it's inline and it rewrites packets. Huh, well, that makes sense now. I'm like, this is going to be a lot of fun. But what happens, this was the best thing: I spoke to him and I said to him, why have you got an IPS? Why have you not... So what they wanted to do is they had an
end-to-end encryption thing going on for a secret network underneath, and I'm like, the problem with these IPSes is the way that you've got it configured is it's going to do a thing called fail open, which means when it [ __ ] up it just pretends it's a router and it doesn't detect anything anymore. Call me old-fashioned, but does that not seem a factor worth pushing, maybe? And I say, why have you got an IPS then if you want it to fail open? Well, that's what the vendor told us we needed. Oh, you went to a vendor and said, we need to buy some stuff, what do we need? And they went, hang on a
second, let me get the checklist. You're now compliant, ISO standard blah blah blah blah [Laughter] blah. That's basically what's happening.

How many of you are PCI guys? This is going to be fun. Yeah, so I at least once a week deal with this situation. We don't get any false positives. Really? Yeah. Don't get any true positives either. Yeah. How do you know? Because I'm guessing that you've deployed your IPS between two encrypted endpoints. I deal with this once a week, okay. At first it was entertaining, yeah; now I'm suddenly bitter and twisted and angry, right. So encrypted endpoint, encrypted endpoint, IPS, no ability to decrypt the packets. How does this happen? This is
where PCI comes in. Okay, you're required to have a third-party application scanner; not required to, in fact you're not allowed to, break an SSL tunnel. Okay, so you want me to scan for bad packets but you want to encrypt the packets so I can't see them. Yeah, woohoo, win IPS and win PCI, thanks very much for it. But we see this all the time. A good friend of mine, Andrew Barrett, called me up recently: dude, you're not going to believe what I've just had. [ __ ] hell, man, what is it, Andrew? He says, I was in a meeting with some senior network admins and they were having some problems with the IPS. Uh-huh. And the senior network
admin guy said, we should SSL encrypt all the traffic, and basically he was using SSL as a load balancer to take the traffic off the IPS. Like, okay, dude, I'm going to put this out here, right: think green and turn the [ __ ] thing off, because it's just as effective now, right? But, and I suppose with everything that's going on right now, maybe load balancing and OpenSSL probably are fit for purpose now, but yeah, you know it's bad. But the problem with this encrypted endpoint stuff is it really does want me to hit a [ __ ] with another [ __ ], right, because it's constant, once a week
I get this stuff constantly. Then we have banks deploying IPS between two encrypted endpoints. I am not... How many of you work for a financial organization? Right, you know this [ __ ] happens all the time. You know why? Because we don't test jack [ __ ], that's why. Trust but verify, unless it's a security device; then we don't trust but verify.

So we've gone through the beautiful problems of HTTP and HTML and all of these understood, defined protocols, RFC, [ __ ], woo. Now let's talk about de facto protocols, you know, things that are not defined in RFCs, like DCE RPC, or do we call it MSRPC today, or what other name is it, right?
These protocols are not defined in documents. If you don't believe me, ask the Samba team how much fun it is getting network shares on a Linux system. Okay, how many organizations use SMB religiously? This [ __ ] is all over corporate networks. Who would have thought corporate-ville would want to share documents with network shares, for a protocol not defined in black and white that's been made up by Microsoft, and your IPS has to work out what's going on. Yay, how effective do you think we're going to be now? Woohoo.

How many of you have been to my talks before? Okay, this is the Stonesoft rant, so most of you... I don't think I've
given one this year, so we'll do it now. So Stonesoft scared the [ __ ] out of the industry: we've got 164 advanced evasion techniques, the world's coming to an end, whoop whoop whoop, set the cyber fire alarms off. Okay, what's an advanced evasion technique? Ah, well, responsible disclosure. Yeah, but what's the details? Responsible disclosure. Yeah, but what we want to know is, we want to know what an advanced... no, no, no, no, no, no, we're responsible disclosure, we're not telling anyone. Okay, so we're supposed to be worried about stuff that we don't know about, right? Yeah, okay. So after a little while we kind of realized that maybe it was just a bit of a storm in a teacup
moment, and yeah, it turns out it was a bit of a storm in a teacup moment. So two years later, eventually, Stonesoft decides it's going to release some data about it. Now, I may have acquired a few pcap files of their advanced evasion techniques and worked out what was going on pretty quickly. But apparently what you do is you take a really [ __ ] old evasion technique and an even [ __ ] older evasion technique, you put them together, and this is a brand new advanced evasion technique, ladies and gentlemen. Woohoo, the internet's going to fall to pieces, thanks for that. "We're the first to do advanced evasion techniques." Yeah, you know what, we were able to use two
evasion techniques in Metasploit since 2006. Get over yourself, okay, it's done. Also, I'm guessing you've never read the paper "The Achilles Heel of Detection Systems"? No, we haven't. Wow. I know you haven't, because who would have thought obscuring your obfuscation is a bit obscure? Who would have seen that coming? The web app testers could tell us how stupid an idea it is to keep on putting evasion techniques on top of evasion techniques. I was blessed to speak to some of their researchers last year. Oh, that was educational. And I said, you obviously haven't read "The Achilles Heel of Detection Systems". No, we haven't. How
do you know? Because adding evasion techniques on top of evasion techniques will increase your detection capabilities by a factor of six for each evasion technique that you add on top. What do you mean? I mean that the DCE RPC preprocessors in Snort are pretty [ __ ] at the moment, but your TCP segmentation gives the [ __ ] game away. Who would have thought that by adding different things on, our detection surface would have got bigger? Yay. So it was great, because apparently they can detect 100% of advanced evasion techniques. I'm like, yeah, because they're your advanced evasion techniques; of course you can detect your own stuff. How good is Snort? Well, we
don't know, we haven't really tried it. Ah, okay. So by the default setting in your advanced evasion techniques you use a segmentation of 8 bytes; the preprocessor in Snort will fire an alarm for anything less than 128 bytes. Its DCE RPC preprocessor was pretty [ __ ] at the time, so their DCE RPC evasion techniques would have sailed through Snort, but the fact that they [ __ ] about with the TCP was what set the alarms off. By adding evasion techniques on top of evasion techniques... obscuring your obfuscation is obscure, seriously. But thank you for this, because you scared the [ __ ] out of everyone.

But Stonesoft, the lovely Stonesoft, recently
were purchased by McAfee for €200 million. Really? Yeah. Intel purchased McAfee and then McAfee purchased Stonesoft. Even John is not that [ __ ] crazy. You know, I miss John, I miss him a lot. We need characters like that in security that are going to call people out for stuff, and maybe blog while you're on the run, that's kind of good as well. Now, where's my... where's my bath salts? One of the proudest moments I had was when John McAfee followed me on Twitter. I said, I [ __ ] love you, man, don't shoot me, bro. So we think, you know, we think the whole Stonesoft thing, oh, 200 million, yeah,
remember, dead technology? Yeah, okay. Let's talk about our lovely brothers at Cisco purchasing Sourcefire for $2.7 billion. Dead technology, remember? You know, doesn't detect [ __ ], $2.7 billion. Eight years previously Check Point tried to purchase Sourcefire, $225 million at the time, which was still an increase in their stock price, showing that... how do you increase your company value by 1,110 percent? You just be a [ __ ] detection company that sucks. Sorry, I did a talk at GrrCON in Michigan, where they're one of the community sponsors. If you ever get to America you should totally go to GrrCON, it's a [ __ ] awesome conference. So I'm doing the talk and I've got my
figures slightly wrong okay hands up and I say Cisco purchased a sourcefire for $2.6 billion and the sauce fire guy gets up in the middle of my talk and says I think you'll find it's $2.7 billion and I'm like oh you're going to have so much fun ladies and gentlemen if you have any problems with your Source fire products this man right here in the black t-shirt is the man that you can speak to he's going to be in the sponsor area what's your name needless to say not my friend after that but [ __ ] him so surprisingly from time to time I get asked my opinion about what's happening in the detection area right who would
have thought it you spend all this time talking about it people want you to know stuff so I get asked about Source fire hey what what's this Source fire Cisco thing going to do for us and I'm like you shouldn't worry about it right why well you know what snorts probably dead but that's probably going to take 5 Years cuz Cisco don't have a good reputation with Open Source Products at the best of time but the only thing that's worse reputation for them is how fast they move at doing things they're even [ __ ] slower than the Titanic um on a good day and I say well what you're probably going to find is
that your sourcefire products are going to be supported even longer because now there Cisco products so Cisco is going to be looking after it that's all good in the hood it's all cool don't worry about it what do you think about the makave situation yeah that's pretty [ __ ] but the Cisco stuff's pretty cool what we're probably going to see though is we're probably going to see snort we're probably going to see the situation that Oracle did uh with um open office we're going to take that we're going to bring it in h oh no we don't want it set it free to the community and we're probably going to see that with snort we're probably going to see
that set adrift, okay, but the rules are going to be around. What we're probably going to see is more businesses like Emerging Threats, more bespoke rule deals going on; that's probably what we're going to see. I'm going to talk about one of my favorite stories. So I do a lot of talks about effective IDS testing. We really suck at science when it comes to IDS testing. The definition of science is something that's recreatable; well, I can [ __ ] assure you in IPS testing that's the last thing on people's minds. You just get a sacrificial host and a pen tester and apparently my IPS is secure or not secure, or it's like peanut butter and
jet engine equals shiny Alex Hunt, but that's basically what happens. And then you try and explain to people that this is not recreatable; you're just testing the pen tester against an IPS device. What do you mean? Well, I mean that I can make you more secure overnight by just changing the pen tester. So rather than having someone with 10 years' experience, I'm just going to put someone on with two months' experience, and guess what? You're secure again; no problems have been found. Welcome to security metrics, ladies and gentlemen. Now what you do is you have people that look at you and go, oh [ __ ], and then you have people that look at you and go,
oh, that's an idea. Okay. But one of the things that I talk about is once you detect something you should always be able to detect it, okay? It's not so much to ask that if I pick it up once I should be able to pick it up a million times. So welcome to IPS Club. We'll step back in time: there is a product that buffered a thousand popular threats. I don't know why they chose a thousand, it was just a lovely number I think, but they chose a thousand threats that they were going to protect. Great throughput, you know, fantastic throughput, thousand popular threats. Okay, what do you think happens when a new popular threat comes
in? See the one at the end? Gone. So what you were protected against six months ago does not necessarily mean that you're protected against now. Amazing throughput though, wooo. It is one of the most bizarre concepts. I mean, the evasion technique against this product is: use an old exploit. That's it; that is the only evasion technique that you need against this product. Multi-billion dollar industry. Awesome. Ah, the kill chain. How many of you have heard of the cyber kill chain? I believe I was very disappointed to find out the cyber kill chain was not a chain that killed all the cybers. Yeah, I was a [ __ ]. I want to hit [ __ ]
with another [ __ ] now, right? But so how many of you know what the kill chain is? Because you're going to get it rammed down your throat over the next couple of years, oh my God. So Lockheed Martin did some work with the military, who would have thought. So the military have a thing called the kill chain, and it is, you've got to love the way the military names stuff, they don't [ __ ] about really, do they? So what they realized is, when you want to kill people, I'm sorry, I mean targets or illegal insurgents, right, but when you want to kill those people there's certain things that have to be achieved, like I need a
gun with bullets, with a soldier in the area to pull the trigger, and I need to know where the target is, or the illegal insurgent, um, and then we need to give the okay order. So there's a number of steps that have to be taken to make this happen, and what the, I think it's the American military originally with this one, and what the Americans realized pretty quickly was, yeah, if we don't protect these little links we're not such an effective kill team. And then what they realized is, hey, we don't just need to use that for attack, we can use that for defense, right? If we stop, 'cause just like we want to kill them, they want to kill
us, and they need to get bullets and they need to get guns and they need to find us and they need to get the orders and they need to do this, and if we disrupt parts of that chain, who would have thought it, lives are saved. Okay, so what did Lockheed Martin do? You know what, that would be really [ __ ] good in detection, and what we're going to do is, if we're going to have, you know, that lovely term APT, it used to mean hacking people but now we've got a whole acronym for it, um, it turns out that people need to register a command and control center, that you need to be profiled,
targeted, exploited, and then payloads and so on, and exfiltration, da da da da da da. All of these points are places where we can detect bad voodoo happening. Really cool concept, to be fair. Then we let the marketing people get involved, uh, then we got cyber kill chain, cyber kill chain, cyber kill chain, cyber kill chain, kill chain, cyber cyber cyber, and now you speak to detection people and we're like, no, don't mention the word again, it hurts. The problem is that we really don't need any more data, okay? We've got enough data. We don't need to find new ways of getting more metadata or whatever; we already have enough data, okay? We can say, hey, look,
he's logged in in our office building, he's just gone through the door key system, and yet he's accessing his email from China. Hmm. You know, we don't need new tools for that; we already have that log data. We don't need any more log data. Well, why don't we need any more log data? Well, we're going to need a bigger boat, that's the problem. If we got any more data where we could pull, like, key indicators of what's going on, we're going to need bigger data storage. We've got enough. So I'm going to wrap up, but I'm going to have a little bit of a rant. I know you feel like you've been ranted at,
but I was in two minds about this. I think it's clear to say that the security industry in the past couple of years has seen stuff that we never really expected we were going to see, that we're facing challenges now that are biblical, for lack of a better term. We have mass surveillance going on. We're needed more now than we've ever been needed before, and do you know what we've done to answer that? Internal fights. Rather than sitting down and looking at the problem of, we've just broken SSL, how do we make the world better? Heartbleed was an amazing opportunity for us to help people understand the issue of password security, right, this [ __ ] that we've been
dealing with for 30 years and we can't get it [ __ ] right. Now, we could have password reset the world and really educated them about passphrases, and you know what we did as an industry? We bickered amongst each other, we argued and gave contradictory advice and called people names. Recently we've had fighting, calling people, I've seen a tweet calling people bipolar [ __ ], and parody accounts picking on people, and yet we're supposed to be an industry. We've got enough challenges as it is without fighting with each other. So I wanted to take this opportunity to say, get over our beef, because our enemies are a mile from victory and we're still arguing and
fighting. If we don't pull our game together we're going to be surplus to requirements; there isn't going to be security because it will have been engineered out. So it's time to stop. If you disagree with a peer, don't call them names, just disagree with them. We're supposed to be professional. I'm not saying that anyone in this room has done that, but we all know that in the past couple of weeks this has happened massively. We need to stop it, because if we don't there isn't going to be a security community by the end of it; there's just going to be three-letter agencies running everything. It needs to stop. So if you catch someone being
ridiculously out of order to someone, say something, because we need to concentrate on security. We're needed more now than ever before. So that is my rant, and I am sorry about it, but I thought it was important to say something about it. So end the fighting, increase the peace. Okay, so questions and answers. You probably either have got loads of questions or just want me getting the [ __ ] off the stage; I'm cool with either, to be fair. Any questions?

Hi, so do you think that this multi-billion dollar industry exists because marketing people are so much better at getting their ideas across to end users than we are as an industry?

I think what we have is an issue where we
still have companies that will invest money on metal rather than on skin, okay? And if you're in that situation, uh, then it's easy: if you're looking for a one-box solution, surprisingly there is an industry that can do that for you. But yes, I think they deliver their message a lot better than us, without doubt. Any other questions?

So rather than asking anything about any particular vendor solution here: if you're, being in my case, there's an IPS coming in place, I'm going to have to support the damn thing, I get to influence the project, what are the key sort of messages I should go back with and make sure bloody done, that I should
take away from this talk?

So you need to look at what detection means for you, okay? I was very naive at the beginning to think that detection was a one-size-fits-all problem, and the problem is, and this came from detection rates, you know, what does vendor X detect? Well, you know what, it doesn't actually [ __ ] matter. The only detection rate that matters is your detection rate. Doesn't matter if this vendor is [ __ ] [ __ ], right? What matters is this vendor is good for you, and at that you need to sit down and work out what detection means for your organization. Sometimes it's prevention, sometimes it's detection, sometimes it's
compliance. All of those answers are fine, but there's no point doing a test when the person's just interested in compliance and you're going to look at, like, prevention methods. There's no point even getting in that debate because you're not going to win. So you need to understand. So for me, if I was you, I would work out what detection means for my company, and then from there on inwards structure my arguments about the core principle of what we want to achieve. But detection is not a zero-sum game; you will never find a box that fixes all the problems, although I'm sure there's a few vendors that would tell you different. I hope
that helps.

Thank you, that was actually very useful.

Any more for
any more?

So, uh, this is the first time I've sort of seen all this kind of stuff in detail, right? That could be a lot more detailed, from what I've seen. It's [ __ ], right? Why is it got like this? Why, when it first started, did somebody go, whoa, hang on?

Because what we did is we put a death nail in the coffin all the way through, and what we really did is give a blank pass: ah, it's [ __ ], that's okay; it's [ __ ], it's okay; it's [ __ ], it's okay. And we just gave up. I mean, people turn it off in a pentest
to do the pentest and then turn it back on again. I mean, wow, really? Because that's an effective pen test. I know people will disagree with me, but hey: it's just going to be a pain in the ass, can we turn it off, we'll do the pen test, okay, super. But we just give it a blank pass, where we basically have the industry equivalent of selling a Ferrari because of the GPS, and that's how it works. And it does have to stop. I mean, we have to say enough is enough, and say, okay, um, we need to test the [ __ ] and we need to make it effective, and they can be very
effective.

Any more for any more? Well, ladies and gentlemen, I, oh, hey, you were close there, buddy. No pressure, but everyone's looking at you now.

Hi, interesting talk. Um, for what you've been saying about, um, IDS, IPSs, could the same thing be said about, um, virus scanners and anti-malware filters and all the rest of the silver bullet tools that the vendors sell us?

Yeah, um, show me a security product vendor and I'll show you someone that can bend the truth effectively. Um, but yeah, we're all guilty in some way, shape or form. Um, I'm sure we've all heard about how antivirus would save us and we've got malware this and blah blah blah blah
blah, and it's all super cool, awesome. Um, if you believe that then that's totally cool. If you people have any more questions, come and find me in the bar. I would like to take this opportunity as well to, um, thank you all for coming, and I hope you've enjoyed your BSides, so give yourself a round of
applause, and while you're at it, everyone, uh, all the crew, you should totally give them a round of applause too.

Thank you, Aaron. Thank you. Don't go anywhere; we're going to have a closing ceremony in a few minutes.
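Two points from the talk are worth seeing in code: that IPS testing should be recreatable rather than a one-off pen test, and that a product which buffers a fixed number of "popular threats" silently loses coverage of old exploits when a new one pushes the oldest out. The following is an added example written for this page; it is not the speaker's code and it does not model any named vendor. The signature store, the eviction capacity, the signature patterns and the replayed samples are all constructed for illustration. It pairs a bounded, FIFO-evicting signature store with an unbounded one and runs the same regression corpus against both, so the "detect once, detect always" rule becomes a test that fails when coverage regresses.

```python
"""Added example (not from the talk): a fixed-capacity signature store next
to a detection regression harness. All data below is constructed."""
from collections import OrderedDict


class BufferedSignatureStore:
    """Models the failure mode described in the talk: a bounded store that
    drops its oldest signature whenever a new one is added (FIFO eviction).
    The capacity here is tiny so the eviction is visible; the product in the
    talk used a thousand."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._sigs = OrderedDict()  # name -> byte pattern, insertion ordered

    def add(self, name, pattern):
        if name in self._sigs:
            self._sigs.move_to_end(name)  # re-adding refreshes its position
        self._sigs[name] = pattern
        while len(self._sigs) > self.capacity:
            self._sigs.popitem(last=False)  # evict the oldest signature

    def matches(self, payload):
        """Names of all signatures whose byte pattern occurs in payload."""
        return [name for name, pat in self._sigs.items() if pat in payload]


class UnboundedSignatureStore(BufferedSignatureStore):
    """Same interface, but nothing is ever evicted."""

    def __init__(self):
        super().__init__(capacity=float("inf"))


def run_regression(store, corpus):
    """Replay a corpus of (sample_name, payload, expected_signature) tuples.

    Every sample in the corpus was detected at some earlier point, so a store
    that is still fit for purpose must flag each one with the signature that
    originally caught it. Returns the names of samples that are no longer
    detected; an empty list means no regression."""
    return [
        sample_name
        for sample_name, payload, expected in corpus
        if expected not in store.matches(payload)
    ]


# Constructed signature feed, in the order a vendor might have shipped it.
SIGNATURE_FEED = [
    ("old-exploit-2008", b"\x90\x90\x90\x90/bin/sh"),
    ("old-exploit-2009", b"GET /cgi-bin/..%2f..%2f"),
    ("popular-threat-a", b"USER anonymous\r\nPASS AAAA"),
    ("popular-threat-b", b"<script>evil()</script>"),
]

# Constructed regression corpus: one captured payload per signature, recorded
# when that signature first fired. Each entry is the "I picked it up once"
# evidence that the talk says we should be able to reproduce forever.
REGRESSION_CORPUS = [
    ("pcap-2008-01", b"\x00\x10" + b"\x90\x90\x90\x90/bin/sh" + b"\x00", "old-exploit-2008"),
    ("pcap-2009-04", b"GET /cgi-bin/..%2f..%2f HTTP/1.0\r\n", "old-exploit-2009"),
    ("pcap-2013-07", b"220 ftp\r\nUSER anonymous\r\nPASS AAAA\r\n", "popular-threat-a"),
    ("pcap-2013-11", b"<html><script>evil()</script></html>", "popular-threat-b"),
]


def demo(capacity=4):
    """Load the feed into a bounded and an unbounded store, then ship one new
    popular threat and re-run the regression corpus against both.

    Returns (regressions_before, regressions_bounded, regressions_unbounded).
    With capacity == len(SIGNATURE_FEED) the bounded store passes before the
    new signature arrives and loses the oldest exploit immediately after."""
    bounded = BufferedSignatureStore(capacity)
    unbounded = UnboundedSignatureStore()
    for name, pattern in SIGNATURE_FEED:
        bounded.add(name, pattern)
        unbounded.add(name, pattern)
    before = run_regression(bounded, REGRESSION_CORPUS)

    # A new popular threat arrives: the constructed DCE/RPC-looking pattern is
    # just a placeholder, not a real signature.
    new_sig = ("popular-threat-c", b"\x05\x00\x0b\x03\x10\x00\x00\x00")
    bounded.add(*new_sig)
    unbounded.add(*new_sig)

    return (
        before,
        run_regression(bounded, REGRESSION_CORPUS),
        run_regression(unbounded, REGRESSION_CORPUS),
    )


if __name__ == "__main__":
    before, after_bounded, after_unbounded = demo()
    print("regressions before new threat :", before)
    print("bounded store after new threat:", after_bounded)
    print("unbounded store after         :", after_unbounded)
```

The regression corpus is the recreatable part: the same captured payloads, run in the same order, give the same answer every time, independent of which pen tester is in the room. The bounded store passes the corpus right up until one new signature is added, then `pcap-2008-01` stops being detected, which is exactly the "use an old exploit" evasion the talk describes; the unbounded store keeps passing.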