Saturday, September 20, 2014

Significant threat - VPN over DNS and Are Threat Intelligence organizations really dying off?

In 2012, Wapack Labs began examining the use of VPN-over-DNS and the potential risks posed by insiders and external users through applications used to circumvent authentication mechanisms, introduce new applications (tools) into the environment, and exfiltrate sensitive information through DNS’s always-open port. We've provided reporting of possible VPNs running over DNS to literally several dozen companies. Wapack Labs continues to advise organizations to closely examine their DNS name registers for VPN-over-DNS entries and to monitor their DNS traffic closely; policies should also be considered to disallow the use of this application. This week, we published a detailed report on the VPN-over-DNS tool.
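As an added illustration of what monitoring DNS traffic for tunnels can look like (this is not code from the Wapack Labs report), the sketch below groups resolver log lines by client and parent zone and flags a client that sends many long, high-entropy, unique names to a single zone. The log format, the `tunnel.example` zone and the thresholds are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

def constructed_log():
    """Constructed resolver log lines, 'client qname qtype' (not real traffic)."""
    lines = ["10.0.0.5 www.example.org A", "10.0.0.5 mail.example.org MX",
             "10.0.0.5 www.example.org A"]
    for i in range(40):  # one client sending many long, unique names to one zone
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"10.0.0.9 {label}.t.tunnel.example TXT")
    return lines

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def suspect_tunnels(lines, min_unique=20, min_avg_len=30, min_entropy=3.0):
    """Return (client, parent zone, unique names) for tunnel-like query patterns.
    Thresholds are illustrative assumptions; tune them against your own baseline."""
    seen = defaultdict(set)
    for line in lines:
        client, qname, _qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # nothing left of the parent zone to carry data
        # Naive parent zone = last two labels; production code would use the
        # Public Suffix List so that zones under e.g. co.uk group correctly.
        seen[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    hits = []
    for (client, parent), subs in seen.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        payload = "".join(subs).replace(".", "")
        if (len(subs) >= min_unique and avg_len >= min_avg_len
                and entropy(payload) >= min_entropy):
            hits.append((client, parent, len(subs)))
    return sorted(hits)

if __name__ == "__main__":
    for client, parent, count in suspect_tunnels(constructed_log()):
        print(f"{client} sent {count} unique long names under {parent}")
```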

Executive Summary 

VPN-over-DNS is a free Android application available on the Google Play store, offered both for Android telephones and as a web-based application. It boasts fully integrated DNS tunneling combined with several mail clients, and while some organizations allow this application, Wapack Labs believes it to be a significant counterintelligence threat both to companies that allow it and to companies that may not be aware of its use.


VPN-over-DNS was first released to the Google Play store on August 20th of 2012 by a French developer and is advertised as “data exfiltration, for those times when everything else is blocked.” VPN-over-DNS fully qualified domain names (FQDNs) have been observed with passive DNS to resolve to a wide array of IP spaces including education, government, corporate, military, and even unassigned IP ranges. However, FQDNs resolving to an organization’s IP space may not be an indication that users within that IP space are actively using VPN-over-DNS, but rather that VPN-over-DNS has been used in the past and that the tunnel may still be available for use. Wapack Labs is providing this analysis because of widespread observation in the wild as well as for situational awareness of an application with insider threat potential.
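The passive DNS caveat above can be turned into a simple triage step. The following is an added example, not taken from the Wapack Labs analysis: it keeps only passive DNS rows under a tunnel suffix that resolve into the organization's own address space and labels each as recent or historical by its last-seen date. The suffix `.tunnel.example`, the networks, the rows and the 30-day window are all constructed assumptions.

```python
import ipaddress
from datetime import date

TUNNEL_SUFFIX = ".tunnel.example"  # placeholder; substitute the zone from your own reporting
ORG_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),      # constructed org ranges
                ipaddress.ip_network("198.51.100.0/25")]

# Constructed passive DNS rows: (fqdn, resolved IP, first seen, last seen).
PDNS_ROWS = [
    ("a1.tunnel.example.", "192.0.2.17", date(2013, 3, 1), date(2013, 3, 4)),
    ("B2.tunnel.example", "198.51.100.9", date(2014, 9, 10), date(2014, 9, 18)),
    ("c3.tunnel.example", "203.0.113.5", date(2014, 9, 1), date(2014, 9, 19)),
    ("d4.tunnel.example", "198.51.100.200", date(2014, 9, 1), date(2014, 9, 19)),
    ("x.nottunnel.example", "192.0.2.30", date(2014, 9, 1), date(2014, 9, 19)),
    ("www.example.org", "192.0.2.80", date(2014, 1, 1), date(2014, 9, 19)),
]

def triage(rows, today, recent_days=30):
    """Return (fqdn, ip, status) for tunnel FQDNs that resolve into ORG_NETWORKS.

    status is 'recent' if the record was last seen within recent_days of today,
    otherwise 'historical': past use, with a tunnel that may still be usable.
    """
    findings = []
    for fqdn, ip, _first_seen, last_seen in rows:
        name = fqdn.rstrip(".").lower()
        # The leading dot in the suffix stops look-alike zones from matching.
        if not name.endswith(TUNNEL_SUFFIX):
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ORG_NETWORKS):
            continue  # resolves to someone else's address space
        age_days = (today - last_seen).days
        status = "recent" if age_days <= recent_days else "historical"
        findings.append((name, ip, status))
    return findings

if __name__ == "__main__":
    for name, ip, status in triage(PDNS_ROWS, today=date(2014, 9, 20)):
        print(f"{status:10} {name} -> {ip}")
```

A "historical" finding is still worth following up, since it identifies an address where a tunnel endpoint was once registered.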

The analysis, including mitigation strategies is available to Wapack Labs customers, including Red Sky Alliance members. 

BT BT

Are Threat Intelligence organizations really dying off?

I heard it three times this week. Threat intelligence shops integrating into the Security Operations Centers are being killed off because managers can't seem to show ROI.

Here's the dirty little secret... There's a model for this. You should be able to actually track the cost of your intelligence process and make an informed make/buy decision on intelligence offerings as a service (like ours!). I'm sorry. I can't credit the source. I've worked on so many of these, but every one that I've worked on looks much the same. I start with a basic CMM maturity model and adapt it. It looks a bit like Figure 1.



Immature infosec teams are indiscriminate feeders when it comes to intelligence. They devour everything only to realize that much of what they ate might have been tin cans, steel belted radials, and general garbage. The good stuff that they actually needed was somewhere in there, but that bad stuff really tastes bad. During this immature phase, operations drives intelligence. Incident response analysis is mistaken for intelligence, and open sources of information are consumed without regard for quality.

As the team moves up the maturity model, they start realizing that they want more data and better tools, and they start participating externally with smarter groups... The bird dog is training the bird dog. Now the costs REALLY go up. Learning lessons from their own environment becomes crucial, and analysis of internal data becomes key. The team finds more and more vulnerabilities, frustrating management. This costs money. The team is learning. During this phase, operations still drive intelligence, but the pendulum is beginning to swing the other way. The team starts hunting. They don't yet understand the concept of 'collecting against requirements' but they do have a standing set of information on which they maintain constant vigil...

And then it gets better. It's when the teams become mature. Collection requirements, EEIs, and scouring the landscape for new threats become the norm. Many teams realize the value of (select) home grown and open source tools, complementing the COTS suite, and depending on the size of the team (I know BRILLIANT small teams that do very well!) they realize the value of intelligence in the SOC. This is when the team becomes an intelligence producer instead of an intelligence consumer. In fact it's almost magic. This is when intelligence feeds operations.

Closing in on maturity, the model should start to look like figure 2 (forgive the slide!):

So how do you know?

Measure it!... Intel should do a couple of things for you:

  • At the strategic level, intelligence gives executives (and your marketing team!) an idea of what's coming. The more you know, and the better you plot it out, the better you'll be.
  • Intel should help with the tactical. Not only the "what's going to hurt me tomorrow" but more priority questions like "what is going to hurt me today?" Intel should complement your SOC operation. They should know on a daily basis what Intel thinks they should be protecting against... What's coming for us? What's coming for our industry? And what is everyone else seeing?
  • And... when you can show drops in reaction times as a result of intel, or perhaps, faster reaction times resulting from very typical intel techniques - tabletop exercises, formalized brainstorming, greybeard sessions, and white/blackhat sessions (note I didn't mention penetration or vulnerability testing??), you know you've arrived.

When you can show results like this... and your intelligence is fast turn, very actionable, and as right as it can be, you'll have no problems communicating the value of your team to upper management.

So start here... If you're an immature team, and need to keep your costs low, join an open source group. Learn as much as you can. Bounce indicators off of Threat Recon (it's free to 1000 queries per month), and start looking for badness in your network. Need help? Call us.

On another note, I'm going to start posting as Wapack Labs instead of Red Sky Alliance. The portal is strong, but we've talked with a professional marketing guy who suggests we think about branding. Much of what I blog about falls outside of the information sharing construct. When we present, we talk of intelligence services and delivering it in many forms and in many forums --Red Sky Alliance, the FS-ISAC, through a community in Threat Connect (Beadwindow is on Threat Connect), and OEM'd (Threat Recon is available through ThreatQuotient). I'll be messaging from Wapack Labs from here out. Please use my Wapack Labs email account... jstutzman@wapacklabs.com.

Have a great weekend!
Jeff