Insecurity (but not the neurotic kind)
Information security is, at bottom, human conflict conducted by technical means. The discussions at Jailbreak, however deeply technical they became, all described people doing things to other people with code, with all the intentionality that implies.
The Jailbreak Brewing Company continued its idiosyncratic but always interesting series of security symposia last Friday with a day-long session devoted to technical presentations on what the conference organizers called "(in)security tools." Held on the brewery's premises in Laurel, Maryland (well-known as a center of cybersecurity operators, both public and private), the symposium was sponsored by Raytheon, Fortego, Millennium Corporation, Praxis Engineering, Carbon Black, Vulnerability Research Labs, GRIMM, Booz Allen Hamilton, and Synack. Discussions ranged from insider threats to obfuscation and evasion techniques, and the detection thereof.
The first speaker took up the human dimension directly. Carbon Black's Jeremiah Clark discussed what he characterized as the "forgotten human threat." That's not to say that the familiar threat inventory of cybercriminals, hacktivists, and nation-state security and intelligence services is forgotten, but in Clark's view the insider threat can be forgotten. Insiders, after all, have the most access, and are involved (whether intentionally or inadvertently) in some sixty percent of attacks. A culture of oversharing on social media has made the attacker's task easier (consider the success that phishing continues to enjoy), and we often fail in the defender's first task: not making the attacker's job easier (consider failure to follow sound hygienic practices with respect to passwords, and the widespread adoption of bring-your-own-device practices without preparatory security groundwork).
Why are insiders so hard to detect? They already have access, Clark notes, often highly privileged access. "They know the enterprise's layout and defenses. They live off the land, using tools already there." And treating insiders with suspicion "goes against our trusting instinct." He advised close attention to privilege management, continuous monitoring, and anomaly detection: the data an organization collects routinely can be used to spot anomalous and possibly threatening activity.
The presentations that followed Clark's concentrated on dealing with adversaries who react, change, and obfuscate their activities. We'll have reports on these, along with video and audio from the symposium, up on this site over the course of the next several days.
Jailbreak Security Summit 2017
Join some of the world's best security researchers as they talk about vulnerabilities in security tools at the only computer security event held at a production brewery. Attendance is limited to 100 to keep the Security Summit small and encourage conversation between speakers, attendees, and sponsors.
Jeremiah Clark - The Most Insecure Security Tool of All
Employees represent the biggest threat to an organization, the absolute hindrance to an effective cyber security posture. From clicking on a link to monitor a giraffe's birthing status, to installing new software via USB, or hoarding government secrets to give to WikiLeaks - humans are the weakest link in the chain. How can we do a better job of detecting, mitigating, and managing this threat?
Patrick Wardle - OverSight: Exposing Spies on macOS
One of the most insidious actions of malware is abusing the video and audio capabilities of an infected host to record an unknowing user. Macs, of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others all attempt to spy on OS X users.
Alexei Bulazel - Detecting & Evading Automated Malware Analysis
Automated dynamic malware analysis systems, aka "malware sandboxes", are an important tool on the front lines of defense against modern malware. Unfortunately for defenders, these systems can be easily detected and evaded by malware.
Jonathan Levin - Know Your Unknowns: Runtime Analysis of Suspicious Software
This talk will focus on one of the most difficult problems reverse engineers, malware and security researchers face: how to determine what unknown software does. Focusing on Android and iOS, as well as their desktop counterparts (Linux and macOS), Jonathan will discuss and demonstrate tools and techniques for monitoring process access to system resources and kernel APIs.
Ben Clark & Matt Hulse - How President Trump’s 400 lb Hacker Bypasses Security Products
Organizations are increasingly layering security products and tools in the hopes of preventing attacks. Unfortunately, most of these products are playing simple numbers games, hoping to catch most, but failing to catch all, malware. The talk focuses on operational techniques used to circumvent detection. It will emphasize the understanding of security product weaknesses, and the tools and tricks available to take advantage of them.
Travis Goodspeed & Ryan Speers - Confusing Disassemblers of Compressed RISC Instruction Sets
x86 has all sorts of fun ways to mess with reverse engineers at the instruction set level by varying offsets to execute in the middle of an instruction. In the holy ideal of RISC, this wouldn't happen because instructions are of fixed length.
But then RISC got all uppity while targeting the embedded market, trying to squeeze itself into 16-bit aligned instructions whose length can sort of--but not really--vary. MSP430, ARM, MIPS, and PowerPC all support these shortened instructions, so let's take a look at some specific examples in which disassemblers and reverse engineers can be confused by them. We'll split instructions apart, graft them back together as chimera freaks of nature, and the hardware will happily run it just as disassemblers run off-track.
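The desynchronization the abstract describes can be shown with ARM's compressed Thumb-2 encoding: a halfword whose top five bits are 11101, 11110 or 11111 begins a 32-bit instruction, every other halfword is a complete 16-bit instruction, so a linear sweep started one halfword later produces different instruction boundaries. The following is an added example, not code from the talk or its authors; the sample bytes are constructed (a 32-bit BL followed by two 16-bit NOPs) and the mid-instruction check is a defender-side consistency test of the kind a disassembler can run on branch targets.

```python
import struct
from typing import List, Tuple

def thumb_insn_len(halfword: int) -> int:
    """Byte length (2 or 4) of the Thumb instruction starting with this
    16-bit halfword, per the Thumb-2 rule on bits [15:11]."""
    return 4 if (halfword >> 11) in (0b11101, 0b11110, 0b11111) else 2

def linear_sweep(code: bytes, start: int) -> List[Tuple[int, int]]:
    """Instruction boundaries a naive linear-sweep disassembler would
    produce from byte offset `start` (little-endian halfwords)."""
    boundaries = []
    off = start
    while off + 2 <= len(code):
        hw = struct.unpack_from("<H", code, off)[0]
        n = thumb_insn_len(hw)
        if off + n > len(code):
            break  # truncated 32-bit instruction at end of buffer
        boundaries.append((off, n))
        off += n
    return boundaries

def lands_mid_instruction(code: bytes, start: int, target: int) -> bool:
    """Consistency check: True if byte offset `target` falls strictly
    inside an instruction of the sweep begun at `start`. A hit means two
    entry points disagree about boundaries and the stream needs
    flow-aware, not linear, disassembly."""
    return any(off < target < off + n for off, n in linear_sweep(code, start))

# Constructed sample: 0xF000 0xF800 is a 32-bit BL; 0xBF00 is a 16-bit NOP.
SAMPLE = struct.pack("<HHHH", 0xF000, 0xF800, 0xBF00, 0xBF00)

if __name__ == "__main__":
    # From offset 0: BL(4) NOP(2) NOP(2). From offset 2: the halfword 0xF800
    # is itself a 32-bit prefix, so it swallows the first NOP as its second half.
    print("sweep@0:", linear_sweep(SAMPLE, 0))
    print("sweep@2:", linear_sweep(SAMPLE, 2))
    print("offset 2 is mid-instruction for sweep@0:", lands_mid_instruction(SAMPLE, 0, 2))
```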