
Defcon Survival Guide 2010

Rules to Live By

1. Do not use the ATMs at or in the close vicinity of the Riviera

2. Secure cellphones as well as possible

a. Do not connect it to the wireless network

b. Bluetooth and other non-essential communications mechanisms should be off

c. Keep it physically out of sight during the conference

d. Store the phone in a secure location where it will not fall out and possibly into someone else’s possession. In fact, do this for any personal item of value.

3. Do not submit credentials to any website without encryption throughout the entire conference (see sidejacking). If you must use the network:

a. Dynamic port forward (SOCKS proxy) all your traffic through a properly configured SSH tunnel

b. Use a VPN tunnel for all traffic

4. Do not take unauthorized DefCon pictures in the contest area or in the CTF area

5. Do not give away valuable information (practice constant vigilance)

6. Do not attach a work machine or a machine with valuable information to the DefCon network

7. Do not accept “free” devices to attach to a machine (e.g. a free USB key from another attendee)

8. Do not antagonize anyone with a “Goon” or higher-level attendee badge

9. Shower. Seriously, please shower. I’ve said it once, I’ll say it again: poor hygiene does not make anyone a better hacker.

10. In fact, please read and adhere to the do’s and don’ts of personal presentation at conferences written by Shyama, who is a well-known, knowledgeable, intelligent security professional.


What is RaffCon??? (A Mock Conspiracy Investigation)

With the security community fully engulfed in Operation Aurora, BlackHat DC, and ShmooCon, it would be easy to overlook a conspiracy. Thankfully the vigilance of SecAnalysis has uncovered an underground brewing storm, known only as “RaffCon.” As of now, details of RaffCon are sparse at best. What is known is that on 7 February 2009 some of the security community’s most well-known, if not notorious, figures met to discuss various topics. We now are aware that the codename for that meeting was in fact RaffCon.

The Players

In attempting to unravel the tightly knit conspiracy plot that is RaffCon, SecAnalysis scoured the hacker underground for information. At great personal risk, a SecAnalysis-turned asset was able to leak the photo below. What this photo reveals is that things are worse than previously suspected.

In this photo it is clear that highly notable and dangerous personas were all in attendance: Adam Ely, well known for his reporting at Information Week as well as security leadership at TiVo; Rafal Los, known for his evangelization of web application security; Michelle Schaffer, one of the most powerful public relations professionals in the security industry; and Caleb Sima, a well-known hacker, X-Force alumnus and founder of SPI Dynamics. In addition, John Terril, currently a consultant and yet another SPI alumnus known for his short temperament and lethal capabilities, and Raffy Marty, former Splunk CTO, known for entrancing even the most focused security professionals with dazzling visualizations, were also in attendance. Finally, there are several sleepers who may or may not have various special assignments.

It should be noted that Caleb was an asset of SecAnalysis functioning as a double agent. The last time Caleb called over to the SecAnalysis team was 14 December 2009. The SecAnalysis team went to San Francisco to meet with Sima. However, upon arrival the SecAnalysis team was immediately headed off by RaffCon conspirators Adam Ely and John Terril, who brought backup in the form of possible RaffCon sleepers Vincent Liu, managing partner of Stach and Liu, and S. Rose, a well-known security persona and Security Associate at Stach and Liu. It should also be noted that during the SecAnalysis visit, it rained uncharacteristically in San Francisco for three full days. Have Ely and the RaffCon conspirators created some type of weather control machine? The SecAnalysis team can only speculate.

What is known is that the communication between Sima and SecAnalysis nearly ended Sima. Shortly after the SecAnalysis team’s arrival, Sima vanished. He was later found with enough of the chemical CH3CH2OH in his bloodstream to kill a small elephant. Fortunately, Sima has spent a lifetime building up a resistance to that very agent.

SecAnalysis Takes Action

With no other information, SecAnalysis conducted in-depth, if not torturous, interrogations of known players in an attempt to uncover the nefarious activities of codename “RaffCon.” First up was Rafal Los himself. Below are the details of that interrogation…

“Hello Raf, I want to keep this cordial, please tell me what RaffCon is.”

“Interesting, but what is RaffCon?”

SecAnalysis team leaves the room and returns after a half hour. “Raf, we spoke with Caleb, he told us everything, would you like to tell us of your involvement? It could save you a lot of trouble.”

“Alright Raf, we tried to do this the nice way.” After four hours of waterboarding.

We were then forced to release Rafal Los because of the Geneva Conventions. Attempts to question other players, including Michelle Schafer, yielded similar results.

At this point the SecAnalysis team had no other choice but to burn asset Caleb Sima. At great personal risk, Caleb got into contact with SecAnalysis directly. At first Caleb was not willing to give up information; however, after he was notified that a speculative blog post would be made public regardless of a lack of real information, he divulged a highly sensitive piece of information…

The conversation was immediately cut short; the SecAnalysis team has not heard from him since. It seems as though the trail ends here. We encourage our readers to keep asking questions…questions like:

Where is Caleb?

What is so secretive that a public relations rockstar could be silenced?

Are Rose and Liu RaffCon sleepers?

Do Terril and Ely have some type of weather control machine?

What is going down at Source Boston?

WHAT…is RaffCon?

ShmooCon Wrap-Up

Over the past three years I have attended roughly 25 security conferences and events. In each of those, I believe I may have been searching for ShmooCon 2010. In spite of multiple adverse conditions, ShmooCon was quite simply the best-run, most worthwhile (from a learning perspective) event that I have attended to date. If for no other reason, ShmooCon 2010 was a rare celebration of computer security expertise and passion that is often lost in the overcrowded, diluted conferences that seem to have taken hold of the security industry.

The awesome qualities of ShmooCon could not be outdone by the 20 inches of snow that covered the Washington DC metro area where ShmooCon was held. Despite the unforgiving weather, to my knowledge all the speakers, with the exception of Josh Coremann who telecommuted, were able to attend the event. Furthermore, despite canceled flights, trains, and buses, only 100 attendees were unable to make it into the DC area. These figures are incredible when one considers the severity of the weather situation, which the media has laughingly labeled “Snowpocalypse.”

Smooth sailing in spite of adversity is not, however, what made ShmooCon an incredible conference. What made ShmooCon an incredible conference was the attendees. The ShmooCon attendees mirrored what I have always pictured DefCon attendees to be. This is not to say that the level of expertise of DefCon attendees is not superb, but rather that the elite are diluted by the indifferent. ShmooCon, on the other hand, seemed to house a higher concentration of the passionate than the indifferent and more of the knowledgeable than the curious. Granted, ShmooCon 2010 hosted roughly 1,500 attendees compared to DefCon 17’s nearly 10,000.

The significantly lower attendance of ShmooCon was not due to demand, however, but rather to exclusion. ShmooCon does ticket sales a little differently than most other conferences. Specifically, tickets are limited, and while ShmooCon could have brought in more money by allowing more attendees, they kept the figure at 1,500. This meant that, with few exceptions, only people particularly driven to attend were able to get tickets. In fact, each round of ShmooCon ticket sales sold out in minutes.

As a direct result of the relatively exclusive nature of the event, the level of conversation seemed higher and the ratio of vendor marketing to security practitioners seemed just about right. Finally, the content of the talks was fantastic, although I still think my tracking and profiling talk shouldn’t have been an alternate (I’m just saying). Granted, the content was probably not on par with the likes of BlackHat DC; however, that is also a $200 ticket versus a $1,095 conference pass comparison. All things considered, ShmooCon was fantastic, so kudos to the Shmoo Group. I’ve been a fan since Rogue Squadron; keep up the good work!

A Few Highlights

The highlighted presentations may still be purchased on DVD or some may still be available on

  • Hacking Sleep Cycles
  • Social Zombies II: Your Friends Need More Brains
  • Learning By Breaking: A New Project For Insecure Web Applications
  • Jsunpack-Network Edition Release: Javascript Decoding and Intrusion Detection
  • 0wn the Con
  • Just walking around talking to people

Forget the Spoon there is No Solution

Perhaps it’s all the talk about Advanced Persistent Threats (APTs) or the arguments over sophistication; heck, maybe it’s just because it’s after the holidays and I have some kind of security industry seasonal depression. But I can’t deny that my disenchantment with the security community is at an all-time high at the moment. In fact, the realization is setting in that the career of a security professional is one that will be defined by the minor victories in our overall defeat. Security professionals are Michael Spinks and we’re in the ring with Tyson. The only difference is that we’re not going to get put out of our misery in one round…it’s going to be a long affair. That is, of course, unless we actually learn something from organized attacks like Titan Ra–errr, I mean organized attacks like Operation Aurora.

To be clear, I’m not talking about learning lessons from a technical or internal process perspective; rather, I’m talking about learning how, as a community, we can work to better handle these types of scenarios. My own personal perspective is that the community as a whole has lost sight of what the overall goal is and how we must ALL function together to accomplish that goal. This view is exacerbated by the multiple questions that have been left in my mind by incidents such as Operation Aurora. Again, let me stress that I’m not talking about anything from a technical or internal process perspective, but rather pointing out the multiple questions that continue to go unanswered by the community as a whole. Questions such as: isn’t this the exact type of real-world event that drills such as Cyberstorm were supposed to prepare us for? Why, with our multiple upon multiple information sharing venues, does it seem like everyone is running so frantic and misinformed? And, most important in my mind, as a community are we trying to market security or are we trying to ensure it?

The truth is that I don’t have a definitive answer to these questions. What I do know is that when most of the community is looking to vendors like McAfee and Symantec for answers, it doesn’t help when one vendor calls the event a “Watershed Moment In Cybersecurity” and the other rates the risk as very low. In my personal opinion, which is supported by researching multiple responses to the event and conducting a source code analysis on the IE 0day exploit, I would personally say it’s somewhere in between, at a medium. On the one hand, it is certainly not a “Watershed Moment In Cybersecurity”: the details of the event that make it distinct are extremely similar to the Titan Rain incident of 2003. The only real difference between the distinct details of the two events is that Titan Rain really only targeted US government and defense contractor infrastructures, while Operation Aurora has targeted multiple industrial segments. Put simply, Operation Aurora makes for a better marketing message. On the other hand, the attack used an evolving IE 0day exploit and leveraged three pieces of malware working in concert. The risk is not “very low”.

The bottom line is this: security events such as Operation Aurora can be detected early, if not totally prevented, but the security community as a whole needs to make major changes. Vendors need to stop selling snake oil and vaporware, while security teams need to do a better job of information sharing. The only problem is that no one seems to know how to do this, so at the end of the day the problem is not the attackers, it’s the defenders, and unfortunately there is no solution in sight.

ShmooCon Picks

Nothing gets me more excited professionally than the opportunity to go to a good conference. If nothing else, I relish the opportunity to surround myself with others who are as passionate about information security as I am. Unfortunately, while I have experienced a number of conferences in my six years as an information security professional, I have not as of yet experienced a ShmooCon. This year I decided to change that trend.

I will be spending three full days at the Marriott Wardman Park soaking in all the infosec information I can find with the other ShmooCon attendees who successfully battled for tickets. Find me for some cool swag and be sure to attend the Fire Talks, I might be speaking (I’m the first alternate).


1600: GPU vs CPU Supercomputing Security Shootout

1700: Economics Of Cybercrime

1800: Learning By Breaking: A New Project For Insecure Web Applications

1830: Guest Stealing…the VMware Way


1000: Jsunpack-Network Edition Release: Javascript Decoding and Intrusion Detection

1100: Social Zombies II: Your Friends Need More Brains

1600: BaS04: A Dynamic Dataflow Tool For Auditing and Reversing


1000: PCI an Existential Threat To Security As We Know It

1200: 0wn the Con

An Underlying Message from Operation Aurora

Looking past the hype surrounding the IE 0-day that was utilized in Operation Aurora, is it all that different from other attacks in the past? Not at all. In fact, if one were to look a little closer at what is actually delivered to the victim, it is blatantly obvious that this is an attack: from the large unescape variable that is clearly percent-encoded hexadecimal values (and probably shellcode) to the padding in the form of the repeated 0c 0d. These are characteristics of exploits that the security community has been dealing with for the past four years and not of a sophisticated new threat! In fact, existing IPS signatures were capable of triggering alerts on the attack itself. For example, ISS Proventia IPS devices would have raised at least six alarms should this IE 0-day have crossed a sensor. Why then does the security community find these attacks so frightening?
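The two traits the paragraph above points at, a large unescape() argument of percent-encoded hex and a repeated two-byte filler, are mechanical enough to check for. The following Python is an added example and is not the post’s code, an ISS Proventia signature, or the Aurora exploit: it pulls every unescape() literal out of a JavaScript sample, decodes the %uXXXX/%XX escapes to bytes, and labels a blob as padding when a single two-byte chunk dominates it. The JavaScript sample inside is constructed for the demonstration and contains no shellcode; the 32-byte minimum and the 50% dominance threshold are assumptions.

```python
import re

# Constructed JavaScript sample (not the real Aurora page and not real shellcode):
# one unescape() holding an opaque run of percent-encoded bytes, and one holding a
# repeated two-byte filler of the kind the post describes as padding.
SAMPLE_JS = (
    'var sc = unescape("'
    + "".join("%%u%02x%02x" % (i * 7 % 256, i * 13 % 256) for i in range(48))
    + '");\n'
    'var pad = unescape("'
    + "%u0c0d" * 64
    + '");\n'
    "while (pad.length < 0x10000) pad += pad;\n"
)

# unescape("<only %uXXXX / %XX escapes>"): a literal nobody writes by hand.
UNESCAPE_RE = re.compile(
    r"""unescape\s*\(\s*(["'])((?:%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2})+)\1\s*\)"""
)
ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def decode_escapes(encoded: str) -> bytes:
    """Expand %uXXXX (a UTF-16 code unit, little-endian in memory) and %XX escapes."""
    out = bytearray()
    for m in ESCAPE_RE.finditer(encoded):
        if m.group(1) is not None:
            unit = int(m.group(1), 16)
            out += bytes((unit & 0xFF, unit >> 8))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def dominant_chunk(data: bytes, size: int = 2):
    """Return (most common size-byte chunk, fraction of chunks it accounts for)."""
    chunks = [data[i : i + size] for i in range(0, len(data) - size + 1, size)]
    if not chunks:
        return b"", 0.0
    top = max(set(chunks), key=chunks.count)
    return top, chunks.count(top) / len(chunks)


def analyze(js: str, min_bytes: int = 32, pad_ratio: float = 0.5):
    """Flag every large unescape() blob; label it padding when one chunk dominates."""
    findings = []
    for m in UNESCAPE_RE.finditer(js):
        data = decode_escapes(m.group(2))
        if len(data) < min_bytes:  # short literals are ordinary JavaScript
            continue
        top, ratio = dominant_chunk(data)
        findings.append({
            "offset": m.start(),
            "length": len(data),
            "top_chunk": top.hex(),  # %u0c0d lands in memory as 0d 0c
            "ratio": round(ratio, 3),
            "verdict": "padding" if ratio >= pad_ratio else "encoded-blob",
        })
    return findings


def is_suspicious(js: str) -> bool:
    """Alert when a page carries both an opaque blob and a padding run."""
    verdicts = {f["verdict"] for f in analyze(js)}
    return {"encoded-blob", "padding"} <= verdicts


if __name__ == "__main__":
    for finding in analyze(SAMPLE_JS):
        print(finding)
    print("suspicious:", is_suspicious(SAMPLE_JS))
```

Run as a script it reports the two literals, one as an encoded blob and one as padding. In practice this check would sit behind a JavaScript deobfuscator, since a sled assembled by string concatenation, split across an array, or built in a loop from a short seed will not match the single-literal pattern; the loop in the sample is there precisely to show what the regex does not see.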

My own personal perspective is that it is because the attackers showed an advanced level of sophistication beyond what most security professionals will ever achieve in their careers. The security community today is saturated with professionals who may have never even witnessed a computer compromise, let alone truly understood one. For the most part, security professionals do not know how to hack and to a large extent do not know how to code. While they might understand the basics of a buffer overflow or SQL injection at a theoretical level, in a real-world situation the average security professional would not have the slightest idea how to actually infiltrate an application or network. Thus, when security professionals are enlightened to the level of sophistication held by their opponents, it is frightening. Even more so when jazzy labels like Advanced Persistent Threat (APT) or “Operation” are applied to an incident. Terms such as these insinuate battle and make people feel threatened by something they do not truly understand, and like so many other things, what people do not understand scares them.

So while I do encourage decision makers to allocate more budget towards the products and services that will better protect them from attacks like Operation Aurora, I also encourage them to recognize the need for better understanding. In particular, I encourage them to realize that ten people with certifications may not be worth a single person who understands the COND field of a microword, or rather someone with a deeper level of knowledge. For the rest of the security community, I would encourage them to recognize that with the saturation of what qualifies as a security professional, the endless pursuit of knowledge in this field is invaluable. If a cyberwar does truly exist, then it is not a battle of what was hacked and what was secured, but rather an intellectual competition the likes of which have not been seen since the space race. And for those frightened by the events that took place in Operation Aurora, I offer for comfort the fact that in this intellectual race, the good guys are not behind, just saturated.

Five Security Vendors to Keep an Eye On 2010

There are always the obvious leaders in the information security marketplace that interested observers should keep an eye on; this is especially true of larger IT vendors that at any moment could drastically change the market by, hmmm, I don’t know, buying ISS for example. Of course, large vendors like RSA, IBM, McAfee, Symantec, and Cisco aside, there are some very interesting companies to keep an eye on. Here are five of those companies.

5. Breach Security

Let’s be honest, Breach Security is not the Web Application Firewall (WAF) market leader. Nor will Breach approach that level in the near future. What makes Breach Security a company to watch is the fact that the company largely seems ripe for acquisition. While the company is not the market leader, it is in fact a market contender from a technology perspective. As such, if a larger company with a more rounded product suite and better sales channels were to acquire Breach, Breach Security’s technology could rapidly become the market-leading solution.

The web application security market is still relatively small; as such, the WAF market is really not a five-vendor market (Imperva, F5, Citrix, Breach, and Cisco). However, the market has a lot of potential to grow, should larger vendors evangelize the technology as web application attacks continue to grow. This has not gone unnoticed by some of the larger vendors making acquisitions. Of course, in terms of Breach, any moves will be dependent on an acquiring company’s preference between acquiring a market or creating one. Regardless, expect a big move within the space within a year or two and don’t be surprised if the move involves Breach.

4. Bit9

It is hard to deny that the endpoint application whitelisting story is becoming more than a little boring. The technology is sound, the security and compliance benefit is resounding, and the reality is that the technology is not resonating well within the market. Evangelizing whitelist technology is easy; selling whitelist technology is a bit more difficult. As a result, Bit9 is still not the endpoint security giant that in many respects it rightly should be. Of course, this difficulty is also compounded by market competitors, such as CoreTrace and McAfee (through the acquisition of Solidcore), who are also taking a portion of the overall endpoint application whitelisting market.

What separates Bit9 and makes it an extremely interesting company to watch, however, is Bit9’s large repository of known application hashes. In order to reduce the amount of legwork necessary to deploy Bit9 technology, Bit9 created a large hash repository of non-malicious applications. This repository and the delivery mechanism that gets it to endpoints are extremely valuable considering the growing market for a list-based approach to threats. The combination of the two makes Bit9’s technology highly sought after by larger security vendors, market competitors and a lot of security-purist customers. Bit9 currently offers access to that database through a portal that allows users to compare files against the database; while this is useful for investigative purposes, it is merely a glimpse and does not allow vendors to leverage the database to its fullest extent.

Expect Bit9 to continue to trickle through the security market through partnerships that leverage Bit9 technology. In addition, expect Bit9 or Bit9-like technology to be sought after by McAfee competitors as McAfee attempts to stake out a market with its Solidcore solution.

3. Qualys

While this list was meant to point out the less obvious companies to watch, it is difficult to ignore a company like Qualys. Qualys has historically leveraged non-security-related technology, namely SaaS, to deliver high-quality capabilities without a ton of headache. In addition, Qualys makes intelligent business decisions, such as the early integration with the Payment Card Industry Data Security Standard (PCI DSS), to dominate its respective markets.

Philippe Courtot (Chairman and CEO) runs Qualys with a frank, no-BS approach to business that is quickly becoming the stuff of legend. Regardless, it is difficult to argue that the man is not a visionary, and it is clear that Qualys is a tightly run ship with an excellent executive team whose ability to execute is quickly becoming the example for privately owned security vendors.

Qualys will be an interesting company to watch because the company is reaching a size where it makes sense for another firm to acquire the company or for Qualys to do an Initial Public Offering (IPO) and go public. In many ways this movement is long overdue. In addition, Qualys has largely staked its ground in the increasingly commoditized vulnerability management market. Thus, in order to grow, Qualys will be forced to venture into new arenas. Evidence of this can be seen in some of their newer offerings, which focus on website malware and GRC.

Expect Qualys to continue to expand its range with a fuller product portfolio and partnerships.

2. Mandiant

There is currently a great void when it comes to a single source for security leadership. While Mandiant may not be able to fully fill that void with its current products and capabilities, it has allowed them to stake out a key role in the marketplace as leaders in incident response. Mandiant has gained visibility as a leader in investigative services for extremely difficult-to-investigate incidents. Their ability to work arm-in-arm with other larger vendors has allowed them to play the middle ground and assert themselves as thought leaders in the incident response realm. These services, in tandem with their current product portfolio, have allowed Mandiant to play in a realm where other incident response vendors such as Guidance Software and AccessData have struggled: the realm of enterprise IT security.

Currently the Mandiant product portfolio does not necessarily resonate well within many larger vendors’ 2010 market strategies; however, as Mandiant continues to assert itself as a leader, the company becomes more attractive to vendors who have a large product portfolio but lack thought-leadership notoriety. In addition, as incidents continue to be inevitable, the market will likely shift more towards Mandiant’s product approach of assisting enterprises in handling incidents. This of course will increase Mandiant’s profitability and make it a target for acquisition. In 2010, however, expect Mandiant to continue to stake out security leadership through incident response and highly interesting partnerships, such as the already existing partnership with Bit9.

1. NetWitness

To be frank about it, NetWitness currently has the holy grail of security solutions. OK, wait, before anyone goes tearing apart this website in anger at that statement, please continue reading. NetWitness does not possess the end-all of security technology; however, consider the innovations in security technology over the past five years: despite all innovations, 99% of information technology defense is dependent on firewalls, IPS, gateway antivirus, and endpoint security technology. In some more advanced cases there is likely an intermixing of web content filtering, ADS, and DLP solutions as well. Now consider what NetWitness offers in the context of these environments: NetWitness offers the technology that serves as the mortar between all of these technologies.

NetWitness’ unique technology allows organizations to review their network traffic with full packet captures. NetWitness then combines that basic capability with geolocation integrations and threat feed integrations with organizations such as SANS, SRI, and Shadowserver in order to deliver a product that, upon discovery four years ago, my counterpart on my government incident response team described only as “nasty.” This, of course, is not to mention that NetWitness integrates with industry-leading technology such as the IBM SiteProtector IPS management system to make searching all of this data easier for security professionals. All that said, the underlying reason NetWitness is such an interesting company is that they have taken all of the capabilities that security professionals have been wishing they had and scaled them to large enterprises.

In addition, NetWitness is a magnet for talented security professionals, especially those with US Government security experience, having hired such notable characters as Amit Yoran and Shawn Carpenter. Given the overall diaspora that has occurred within the security marketplace, the collection of highly visible talent such as this is nothing less than eye-opening. There is little doubt that this has contributed to the consistent growth numbers posted by NetWitness.

Given these characteristics one can expect NetWitness to continue growing rapidly and/or be acquired for a large sum over the next three to five years (if not sooner).

(Honorable Mention)


Rapid7 is competing in a Qualys world, which most certainly is not easy. The company, which is currently focused almost entirely on vulnerability management, is staking out new ground in an increasingly commoditized market. This is a hard-fought battle to stake out competitive differentiation against existing market leaders Qualys and nCircle as well as other market competitors such as eEye, McAfee, and Tenable, who all have relatively large market shares.

Rapid7 was able to generate some market momentum with the recent acquisition of the Metasploit project. The commercial offering of Metasploit has allowed Rapid7 to explore some new avenues for profit; however, what really makes Rapid7 interesting is their approach to the market. Currently Rapid7 plays host to vulnerability assessment products, penetration testing products, and professional services; these basic lines of solutions are the foundation for other successful models that attracted highly talented security professionals in the past. With names like H.D. Moore, Rapid7 is poised to gain further market momentum and offer a somewhat attractive hub for more talent. Of course, this road is not without several speed bumps.

Expect Rapid7 to continue a highly visible marketing agenda that within a year has already included the release of a freeware vulnerability scanner and the acquisition of Metasploit. In addition, expect Rapid7 to carve out a better foothold in the vulnerability management market as other competitors continue to slide.

More Needs To Be Done To Protect CMS

The security industry is not doing enough to secure web Content Management Systems (CMS). With the recent attack on WordPress-enabled sites hosted on GoDaddy and over 125 exploits released in the month of April for Joomla! vulnerabilities alone, this message is important enough to state plainly. Unfortunately, due to a wide variety of circumstances, this issue is largely not understood by the security community.

This is in no small part due to the fact that CMS attacks are often extremely difficult to detect. It is an unfortunate reality that the vast majority of protection products are not capable of homing in on CMS attacks. Rather, most protection products either focus on the generic web application attack aspects of CMS attacks (or they simply detect nothing). For example, the following published exploit against Lisk CMS (OSVDB-64778) would most likely trigger a broad detection of “SQL Injection” in IPS products and web application firewalls. However, it would not, without deeper investigation, allow a security professional to know that the attack was actually aimed at Lisk CMS.

Example (From


While the broad generalization of this type of attack string is certainly understandable, the question is: is it helpful? On one hand, a generic alert allows a security professional to take immediate action to possibly prevent issues within their network infrastructure and also allows them to broadly categorize the attack. On the other hand, the alert does not inform the security professional of the underlying issue, thus never allowing them to get to the root cause without time-consuming analysis. This makes the collection of metrics on these types of attacks even more difficult. As a result, statistics-backed reports rarely, if ever, cite CMS as a growing vector for attack.
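The enrichment the paragraph above asks for can be done at alert time rather than by later analysis. The Python below is an added example, not the post’s own code and not tied to the Lisk CMS exploit referenced above (whose request layout the page does not reproduce): it runs a generic SQL-injection pattern over each query parameter in a web server access log and, when it fires, tags the alert with the CMS and component inferred from the URL path. The log lines are constructed, the plugin name `example` is hypothetical, and the path fingerprints (Joomla’s `index.php?option=com_*`, WordPress’s `wp-content/plugins/<slug>/` and `wp-admin`/`wp-login.php`) are assumptions drawn from those products’ default layouts.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from any real server). The first two hit CMS
# entry points, the third is the same style of probe against a plain page, and
# the fourth is a clean request. The plugin name "example" is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2010:12:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2010:12:00:02 +0000] "GET /wp-content/plugins/example/view.php?id=5%20AND%201=1 HTTP/1.1" 200 256
203.0.113.5 - - [10/May/2010:12:00:03 +0000] "GET /search.php?q=test'%20OR%20'1'='1 HTTP/1.1" 200 128
198.51.100.9 - - [10/May/2010:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The kind of broad pattern a WAF/IPS "SQL Injection" signature reduces to.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(?:all\s+)?select\b"  # UNION SELECT
    r"|'\s*(?:or|and)\s*'?\d"                # ' OR '1
    r"|\b(?:or|and)\b\s+\d+\s*=\s*\d+"       # AND 1=1
    r"|--\s|/\*)"                            # comment terminators
)

# Assumed fingerprints from default URL layouts: (name, path pattern, query
# parameter that names the component, if any).
CMS_FINGERPRINTS = [
    ("Joomla", re.compile(r"^/index\.php$"), "option"),
    ("WordPress", re.compile(r"^/wp-(?:admin|content|includes|login)"), None),
]
WP_PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")


def fingerprint(path, params):
    """Return (cms, component) inferred from the request, or (None, None)."""
    for name, path_re, comp_param in CMS_FINGERPRINTS:
        if not path_re.search(path):
            continue
        component = None
        if comp_param and params.get(comp_param, "").startswith("com_"):
            component = params[comp_param]
        plugin = WP_PLUGIN_RE.search(path)
        if plugin:
            component = "plugin:" + plugin.group(1)
        return name, component
    return None, None


def classify(line):
    """Generic SQLi check per query parameter, enriched with the CMS/component hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # URL-decodes too
    hit = next((k for k, v in params.items() if SQLI_RE.search(v)), None)
    if hit is None:
        return None
    cms, component = fingerprint(parts.path, params)
    return {
        "client": m.group("ip"),
        "path": parts.path,
        "param": hit,
        "alert": "SQL Injection",  # what the generic signature says
        "cms": cms,                # what it leaves out
        "component": component,
    }


def scan(log):
    """Classify every line and keep only the ones that raise an alert."""
    return [alert for alert in map(classify, log.splitlines()) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The point is the last two fields: the generic label stays, but the CMS and component now travel with it, which is what makes the alert countable per product and what a signature that only says “SQL Injection” loses. A CMS whose layout is not in the fingerprint list, Lisk included, still comes out as a bare generic alert, so the list has to grow with the platforms actually deployed.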

Unfortunately, whether strong statistics exist or not, the fact of the matter is CMS is under attack. While most of the major CMS vendors provide some level of security through research and response processes, frankly the level necessary to secure freeware open-source CMS applications is too daunting a task for these organizations to tackle alone. It is therefore imperative that the security community, especially the vendor community, better support CMS security efforts. Until that support is available, please be ready to receive more e-mails like the one below…

When Did We Lose the Endpoint Security Fight?

First let me be specific when I mention “malware.” When I’m talking about malware I am lumping together any type of malicious piece of software that can harm an end user or system. This means viruses, worms, trojans, keyloggers, rootkits, backdoors, etc. With that out of the way, I have to say that recent experiences in dealing with both security professionals and IT professionals have left me wondering: when did we concede defeat to malware? I have found myself explaining on multiple occasions to end users that “viruses happen.” Which is as if to say, “Sorry, nothing we can do about it, it’s just a side effect of using a computer.”


When did we give up in the fight to protect our networks from malware? Furthermore, why, with advancing technology, aren’t we better addressing the issues relating to malware? The search for the answers to these questions has sent me down a virtual memory lane of the incidents and virus outbreaks that have truly shaped the modern-day IT security world. In the end though, I found that the answer was simple: we conceded defeat when we became unwilling to move off of broken and backwards endpoint security models.

Consider the History

From Cloner to Conficker (1982-2009), security has always been a step behind malicious attacks. The introduction of malware to the world at large came in the form of somewhat damaging and annoying but simple pieces of software that we termed viruses. The simplicity of these pieces of software yielded a relatively simple solution that we termed antivirus software. These early ancestors of modern-day “Internet Security Suites” worked in a relatively simple fashion. Early antivirus would search files for a particular signature, and if that signature matched a known bad signature, the antivirus would mitigate the issue. Unfortunately, because the Internet was nowhere near as large or as useful as it is today, most antivirus signature engines were not updated regularly. This means that as infected floppy disks were being passed from machine to machine, most systems were left vulnerable to the new or avant-garde attacks of the day.

However, because the number of viruses in the wild was relatively small (by today’s standards), antivirus companies were able to produce a reasonably high level of assurance that their software would protect their customers’ systems. Furthermore, because antivirus software quite clearly did not enjoy the industry adoption that its modern relatives do, it made sense that the solutions were reactive in nature. Most organizations were looking to purchase antivirus software because they had experienced an incident or were experiencing one. Thus, it made sense that antivirus technology could be installed to alleviate a problem that already existed as opposed to trying to prevent a problem from arising. In fact this model for solving known security issues worked so well for many organizations that antivirus software became a de facto security solution.

Then something interesting happened: computers became interconnected through various networking technologies, and viruses became self-propagating over various mechanisms. Eventually we would call many of these self-propagating viruses worms because they were capable of traveling from computer to computer on their own over network connections. Early worms such as the “Morris Worm” wreaked havoc on networks all across the world. These worms exploited software vulnerabilities in ways that the IT community had never considered before. Instead of modernizing the endpoint antivirus solutions already adopted by many organizations, most sought network technologies to try to prevent worms from reaching their propagation vectors. For example, many integrated firewalls and gateway appliances that scanned e-mail for viruses. However, most of the antivirus technologies available went unchanged; they were still using the exact same signature-based scanning techniques in an attempt to address the changing threat landscape.

It was not until the massive flood of malware such as Code Red, Nimda, Klez, Blaster, Netsky, Sasser, Slammer and a myriad of others that we really started to see changes. More sophisticated antivirus solutions became anti-malware solutions or Internet Security Suites that integrated endpoint security technology such as host-based firewalls, host-based IPS, host-based spam filters, privacy protection, and even vulnerability management solutions. These technologies, however, were purposed to prevent malware from exploiting vulnerable vectors on an endpoint; they would not prevent malware that was legitimately delivered to the system (for example, run by the user) or that arrived over a vulnerability the other technologies were not yet aware of. Therefore antivirus engine models also began to evolve to include technologies such as heuristic malware detection, behavior detection, file analysis, and file emulation.

However, even with these innovations, endpoint anti-malware alone does not offer a high level of security assurance. Thus, most organizations have also integrated multiple network technologies in an attempt to complement the capabilities of endpoint anti-malware: NAC, which prevents users who may be infected from accessing the network segments of supposedly malware-free machines; Intrusion Prevention Systems (IPS), which stop a multitude of network-based attacks from exploiting endpoints; firewalls, which also prevent a multitude of attacks; and Network Behavior Anomaly Detection Systems (NBADS), which detect covert channels used by malware.

While all of these technologies working together properly does offer a much higher level of security assurance, unfortunately there are still a great many malware-related issues. Malware has evolved to take advantage of the logical cracks between the separate security technologies used in these models.

How Does This Outline the Defeat?

The security community has been doomed to fail in the fight against malware from the very beginning. We built our models on a last line of defense that is totally reactive. Anti-malware technology has made giant leaps in effectiveness with enhanced technologies such as heuristic or behavioral detection. Unfortunately, that technology will always be reacting to the constantly evolving threat environment: a detection has to be written for a behavior or pattern that has already been observed. Furthermore, the security community has been doomed to fail because instead of addressing that simple base issue, we have decided to tack on new technology. This has done little more than grow network complexity and blur the lines of which technology is really responsible for preventing malware-related issues. Of course, don’t get me wrong: I am a MAJOR advocate of network-based security technology such as content filters, IPS, firewalls, NBADS, and others. There are a multitude of reasons why these technologies are necessary. However, the underlying issue of malware still remains; we are doomed to concede defeat until we relieve ourselves of the blacklist endpoint anti-malware strategy.

Is There Light at the End of the Tunnel?

Quite possibly. The continued proliferation and maturity of whitelist anti-malware models offers a great deal of hope. Whitelist anti-malware breaks the trend of endpoint security solutions predicated primarily on a reactive approach to security. Whitelist anti-malware simply focuses on what is allowed to execute on a system as opposed to what is not: anything that has not been explicitly approved is denied by default, so a brand-new sample needs no signature to be stopped. Of course this can cause a great deal of management overhead for organizations with dynamic environments, since every legitimate new binary or update has to be approved before it will run. However, as whitelist anti-malware has continued to mature, most leaders in the space have made this a key focus area for the development that has gone into their products. And at this point, whitelist anti-malware technology is a HOT topic in the market.
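The contrast between the two endpoint models described in the history above (signature blacklisting) and in the preceding paragraph (default-deny whitelisting) is easiest to see side by side. The following is an added example, not code from the original post or from any product it mentions; the “executables” are constructed byte strings standing in for files on disk, and the signature name and sample contents are made up for illustration. It shows why a one-byte change defeats the reactive model but not the allowlist, and also the management cost the paragraph warns about: a legitimate update is denied until its hash is enrolled.

```python
import hashlib

# Constructed stand-ins for executables on disk (not real binaries).
APPROVED_APP = b"MZ\x90\x00approved-business-app-v1.0"
UPDATED_APP = b"MZ\x90\x00approved-business-app-v1.1"   # legitimate vendor update
KNOWN_MALWARE = b"MZ\x90\x00payload:EVIL_DOWNLOADER_2009"
# A "repacked" variant: one byte changed, same behaviour in practice.
REPACKED_MALWARE = KNOWN_MALWARE.replace(b"EVIL", b"EV1L")

# Blacklist model: byte patterns extracted from samples already analysed.
# Hypothetical signature name; real engines use far richer patterns.
SIGNATURES = {
    "Downloader.Gen": b"EVIL_DOWNLOADER",
}


def blacklist_verdict(blob: bytes) -> str:
    """Reactive model: allow unless a known-bad pattern matches."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return f"deny ({name})"
    return "allow"


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def enroll(allowlist: set, blob: bytes) -> set:
    """Return a new allowlist with this binary's hash approved."""
    return allowlist | {sha256(blob)}


# Allowlist model: only hashes of explicitly approved binaries may execute.
ALLOWLIST = enroll(set(), APPROVED_APP)


def allowlist_verdict(blob: bytes, allowlist: set) -> str:
    """Default-deny model: execute only if the exact hash was enrolled."""
    return "allow" if sha256(blob) in allowlist else "deny (not enrolled)"


def compare(samples: dict, allowlist: set) -> dict:
    """Run both models over each sample; returns {label: (blacklist, allowlist)}."""
    return {
        label: (blacklist_verdict(blob), allowlist_verdict(blob, allowlist))
        for label, blob in samples.items()
    }


if __name__ == "__main__":
    samples = {
        "approved app": APPROVED_APP,
        "approved app, updated": UPDATED_APP,
        "known malware": KNOWN_MALWARE,
        "repacked malware": REPACKED_MALWARE,
    }
    for label, (bl, al) in compare(samples, ALLOWLIST).items():
        print(f"{label:24} blacklist={bl:22} allowlist={al}")
    # After the change-control step the update runs again:
    print("after enrolling update:",
          allowlist_verdict(UPDATED_APP, enroll(ALLOWLIST, UPDATED_APP)))
```

The repacked sample passes the blacklist until someone captures it and ships a new signature, which is exactly the reactive lag the post describes; the allowlist denies it immediately because nothing about it was ever approved. The price is the fourth row: the vendor update is also denied until it goes through enrollment, which is why the post ties whitelisting so closely to configuration and change control. One caveat worth keeping in mind: a hash allowlist only governs what may start; it does not stop misuse of an already-approved interpreter or tool, so approvals still need to be chosen with care.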

Many leaders are now capable of assisting security-focused organizations in making the transition from ineffective blacklist models toward more effective, easier-to-manage whitelist models. In fact, whitelist technology already has one of the best penetration rates in organizations focused on building the best security model possible from the ground up. Organizations such as those conforming to the NERC CIP standards have been especially keen on adopting endpoint whitelist technology. Besides the benefits of compliance and security, there are also major benefits in configuration and change control for adopters, since an allowlist is in effect an inventory of what is approved to run.

Rapid adoption of whitelisting has interesting future implications, as the solidification of endpoints will allow organizations to focus on areas outside of malware-related incident response and endpoint security. As a result one would expect security postures to become more solid from the ground up. This could cause a far more sensible evolution in the methodology with which security models are built. Of course, at this point, one can only hope.

ITsec Industrial Centers of Excellence

The IT security community is a small world, especially within the vendor community. In the security market it is not uncommon for companies to be staffed by personnel who maintain close relationships with personnel at fierce market competitors. Oftentimes this is because those now-fierce competitors were once co-workers. This is really no surprise, as it is my personal belief that the best security professionals come from environments where they were surrounded by other excellent security professionals. Regardless, in doing a bit of research I have determined that there are industrial centers of excellence that produce highly capable and innovative security professionals. Below are a few of the industrial centers of excellence that I have personally come across (in no particular order).


The IBM ISS X-Force is one of the strongest teams of security researchers and developers in the world. More to the point, they are possibly the best team of vulnerability researchers outside of government-sponsored hacker teams. Before the saturation of vulnerability research, it would have been difficult to have an in-depth conversation about the IT security market without talking about the heavy influence of the ISS X-Force. Even major conferences devoted entire tracks to topics that amounted essentially to discussion of what it takes to be an X-Force member. There were certainly other teams similar to the X-Force early on, but few were as large or as prestigious by any means. Today the X-Force still exists, but largely in an environment where vulnerability research is becoming increasingly saturated. Thus, while much of their work is still of an industry-leading caliber, getting the message out is far more difficult. Regardless, the ISS X-Force has graduated many of the industry’s best-known personalities, including a few who have had a major impact on the security market. Below are a few notable areas where ISS and especially X-Force alumni can be found making an impact.

Notable Companies Founded By ISS X-Force Alumni:

  • Cambia (now a division of nCircle)
  • Endgame Systems
  • Errata Security
  • SPI Dynamics (now HP Application Security Center)

Notable Companies With ISS X-Force Alumni Working at Top Levels:

  • McAfee
  • Teramark
  • Axis Capital
  • Breach Security
  • ArcSight
  • TopLayer Security
  • Cisco
  • Immunity Security
  • Damballa
  • IBM (Obviously)

SPI Dynamics

SPI Dynamics, currently HP Application Security Center, is an industry-leading web application security vendor. In its pre-acquisition form, SPI employed some of the industry’s best and brightest security researchers, product managers, and evangelists. After the acquisition of SPI Dynamics, a number of notable employees left to start their own companies or take on leadership roles within other security firms. Furthermore, HP ASC still employs several notable people, such as SPI founder Caleb Sima and Matt Wood, from whom the industry can still expect big things. While SPI Dynamics could technically be seen as an extension of ISS, as founders Brian Christiansen and Caleb Sima are both ISS alumni, SPI grew into a large enough company, and has had enough alumni make an impact on the industry, to be noted in its own right. Today SPI alumni can be seen taking on the difficult task of trying to attain application security from very high ranks within notable companies. Furthermore, these professionals have combined with other groups noted in this list to work on avant-garde technologies that the industry should fully expect to see more of in the future.

Notable Companies Founded By SPI Alumni:

  • GOTO Metrics LLC
  • Zoompf
  • Silvexis

Notable Companies With SPI Alumni Working at Top Levels:

  • Zscaler
  • Purewire
  • FishNet Security
  • Lancope
  • Veracode
  • Microsoft
  • SecureWorks

The United States Air Force Computer Emergency Response Team (AFCERT), Office of Special Investigations (AFOSI), and Information Warfare Center

There are several notable US government Computer Emergency Response Teams and Incident Response Teams that are highly recognizable and extremely capable. However, few command the same level of respect as the team previously known as the United States Air Force Computer Emergency Response Team. Of the few CERTs, CSIRTs, and CIRTs of such a caliber, I run into AFCERT alumni most often in my analyst coverage. I do not pretend to know why this is the case; it could be because AFCERT has graduated more alumni, or it could be strictly coincidence.

What I do know is that these alumni have made major waves in the information security market, both from a financial perspective and from an industry-wide education perspective. As you may note, I have also included the Air Force Office of Special Investigations and the Information Warfare Center in this section. I honestly do not know what the relationship of these teams has been or how closely those specializing in computer security and digital forensic investigations worked together while within the military. I do, however, know that in the private sector, as alumni, they have together produced groundbreaking research and capabilities. I personally spent a great deal of time reading the books and periodicals these alumni have published in order to gain a better understanding of major security issues, especially relating to incident response.

Notable Companies Founded By AFCERT Alumni:

  • Denim Group
  • WheelGroup (now a part of Cisco)
  • Mandiant
  • CoreTrace

Notable Companies With AFCERT Alumni Working at Top Levels:

  • Cisco (obviously)
  • General Electric
  • Foundstone
  • CSC
  • SAIC
  • Bank of America
  • Federal Data Systems, Inc.
  • ManTech
  • AT&T
  • Various other defense contractors

@stake (now a part of Symantec, also back on its own as L0pht, and in Veracode)

I honestly do not know how to characterize the @stake story: it’s happy, it’s sad, it’s happy again, I really don’t know. Those who have followed closely saw one of the industry’s best security teams swallowed up by the giant that is Symantec. Next, followers saw that team more or less fade into oblivion. Then followers saw the @stake team re-emerge in the form of L0pht, iSEC Partners, Veracode and others. Each of these organizations produces products or services that are innovative and industry leading. I previously worked in an organization where I am proud to say my colleague purchased the last copy of LC5 before Symantec murd–ugh–discontinued support due to US Government export regulations. Regardless, @stake members have left a heavy footprint on the IT security market from both a business perspective and a historic perspective. In all honesty, if you have not yet run into some version of SQL Slammer (a worm created based on code demonstrated in an @stake Black Hat presentation) in your studies or in security monitoring, or you haven’t snickered at the backdoor program Back Orifice (a program created by an @stake alumnus), you probably need to hit the security books. (Much of this came from… yes, I used Wikipedia as a reference.)

Notable Companies Founded By @stake Alumni:

  • iSEC Partners
  • Veracode
  • Novosecure
  • Security Objectives

Notable Companies With @stake Alumni Working at Top Levels:

  • BBN Technologies
  • Application Security Inc.
  • Adobe
  • L.E.K Consulting
  • Neohapsis
  • Yahoo!
  • Safelight Security Advisors
  • Deloitte
  • Forrester Research (although it pains me to do so, since they are a competitor of mine at EMA, I’ll give a nod to Andy Jaquith)
  • Endgame Systems
  • Rapid7

The NSA/ NSA Intern Programs

By this I mean the actual NSA, not an NSA center of excellence or some type of certified academic program. I’ll be honest, this is an arena where I don’t particularly have too much insight, and I don’t want any insight. I’ll merely say this: the NSA has over the years employed a lot of smart people, a lot of smart people. Sometimes these people don’t advertise their work background and sometimes they do. The gentleman who gave me my start in information security very proudly lets people know that he began his career at the NSA. During my analysis I have often heard of graduates of the NSA summer intern program and of NSA alumni in general. I do know that these folks have proliferated all throughout the industry, to the point that I could spend hours listing out all the notable companies they now work for. However, given the cloak-and-dagger nature of the agency, I will merely close with: they could be anywhere :-) (and I hope you realize that’s a joke)

Notable Companies Founded By NSA Alumni:

  • Immunity Security
  • Stach and Liu

Notable Companies With NSA Alumni Working at Top Levels:

  • Cisco
  • Google
  • ICSA
  • Microsoft
  • Various Defense contractors
  • State of Michigan
  • Symantec
  • Accuvant Labs

Other Notable Organizations that Have Made Major Contributions

  • Ernst & Young: Alumni founded several companies, including Foundstone, and now work all throughout the industry.
  • Trident Data Systems: Alumni founded several companies; Trident Data Systems was also a second stop for many AFCERT alumni. Trident Data Systems alumni also started notable consulting practices, including Deloitte’s security consulting practice within ERS, and the Denim Group.
  • Various government agencies: Too many to name here, but the problem is that this again is an environment that over the years has become highly diluted.
  • Stanford University: Alumni have founded several notable companies, including Dasient and Coverity.
  • Carnegie Mellon: Home of the CERT Coordination Center (CERT/CC), it is certainly a top-tier university for security professionals. However, outside of the federal government I run into these graduates less often.

  • The Sourcefire Vulnerability Research Team (VRT): This is an extremely passionate team of people who are all focused on security. That many passionate people working together on a regular basis is bound to advance their skills, capabilities and innovative thinking. Although not quite the caliber or maturity of the X-Force, these talents are likely to have a growing impact on the industry.
  • Trustwave, and especially SpiderLabs: Again, a vulnerability research team much like the X-Force, although not quite on the same level of maturity as of yet. Regardless, the SpiderLabs team has been an extremely attractive place for passionate security researchers to land. If these professionals ever leave, they will no doubt have a large effect on the industry (which is easy to say because several of them already have). Alternatively, if they should choose to stay at Trustwave, you should expect to hear more about these professionals, including David Byrne (one of the authors of Grendel-Scan).
  • WhiteHat Security: An excellent environment for training web application penetration testers and researchers. Led by Jeremiah Grossman, Arian Evans, Bill Pennington, and previously Trey Ford, WhiteHat is pulling in young talent and training those talents to be better. The program is likely to produce highly qualified people.
  • Rapid7: With the acquisition of Metasploit, Rapid7 combines several notable industry figures with a hacker rockstar persona. These are attractive traits for young, passionate security professionals. One could easily expect many talents to migrate toward this company, and should those talents ever leave, they could do very interesting things.
  • Any major vulnerability research team, should it have a large exodus: There are a lot of other highly capable vulnerability research teams whose alumni could have a major impact on the security industry should there be any type of exodus. These teams include, but are not limited to, what was formerly McAfee Avert Labs, the MSRC, and Trend Micro’s research team.