Silicon Shecky

Infosec Practitioner

Copyright © 2025 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

CarbonBlack doesn’t do it again

August 10, 2018 By Michael Kavka Leave a Comment

No Summer Camp for me this year. Instead I had a small family style vacation, hence why there was no post last week.

This week, I figured on ranting about CarbonBlack again. It seems that while I was on vacation they did back-end upgrades to Defense. These wonderful upgrades, which should have been properly tested, have caused a lot of prior fixes to stop working. What does this mean? A ton more false-positive alerts, poorer performance, a recurrence of VDI sensors getting stuck in bypass mode (or spinning up in bypass mode), and issues with grouping and dismissing alerts. How do you release something without proper testing?

The statement from CB is that most of this will be fixed in the next sensor update, which comes out this month, but in the meantime there is not much that can be done. I have been a huge fan of CB Response and CB Protect in the past. Well tested, well thought out, and all the controls one needed to be able to tune properly. With Defense, honestly, it seems like they do not care. This latest update seems not to have been tested with the current sensor. New sensors usually have some issues of their own (they keep breaking prior fixes, for instance) and have to be tested and vetted by organizations to make sure that they do not break anything. Meanwhile, CarbonBlack breaks things on our end, making our job that much more difficult with their back-end upgrades. These are lessons for any company out there on what not to do. This also shows the problem with going with a cloud-based solution where the company using it has no control over the update/upgrade cycle.

Last year’s Blackhat, CarbonBlack put out a beautiful marketing claim about Defense stopping Mimikatz. Look up the video of someone proving that wrong within days. Some people I know over at CarbonBlack knew that would happen and were not happy with their marketing department over it.

I hope that CarbonBlack realizes what a pain these items are. I know the whole first-to-market, gotta-keep-things-fresh-and-make-changes mentality is part of the industry. Forcing people to use the latest version immediately upon release is the wrong way to do things, though. Why this happens with Defense (which I have picked apart before) is beyond my understanding. Confer was bought by Carbon Black a few years ago now, but it seems like it is the item they are still not sure what to do with.

 

Filed Under: Rants, Reviews Tagged With: Carbon Black, CarbonBlack, updates

Anatomy of a Rejected CFP

July 26, 2018 By Michael Kavka Leave a Comment

Call For Presentations, a staple of any conference. Those of us that come up with ideas to share both love and dread them. I wrote about them in my CFP season post earlier this year. Of the 4 CFPs I put in for conferences this year, I got rejected for 3 of them. The last one, which was for Derbycon, just came this week. I am not surprised by the rejection, as Derbycon had 125 slots and 495 presentations put in (not 495 speakers; people put in multiple presentations to hedge their bets, I put in just one). Over the last few weeks, I have been impressed with how transparent Derbycon has been with the process. Dave Kennedy tweeted a thank you that showed who was on the panel that reviewed and scored them. There was another tweet from Dave, I do believe, that explained the preference levels (score, whether the presentation has been done before, etc.) used to make the decisions. He even tweeted about how difficult it was deciding who to cut because of how good the presentations sounded. Now, the CFP for Derby was blind, so the reviewers did not know the PII of who the submissions were from. Some, like Lesley Carhart, Lee Holmes, and Amit Serper, gave thoughts and recommendations based on what they saw (click on their names to see what they wrote).

I figured I would post my CFP here (email address removed) and take a look at it, what I might have done wrong, and one small complaint about the Google Form (based on what Lesley wrote about outlines). Let's take a dive, shall we?

Thanks for filling out DerbyCon 8.0 Evolution - Call for Papers


Here's what we got from you:
DerbyCon 8.0 Evolution - Call for Papers
Use this form if you are looking to submit a talk for DerbyCon. All submitted talks will be reviewed by the DerbyCon CFP review board. If accepted, DerbyCon will reach out via the email address provided in this form. An accepted talk provides admission to DerbyCon for each speaker(s) and $200 cash per talk (to be divided if more than 1 speaker). If you choose to do so, donations are accepted at check in. DerbyCon does not provide reimbursement for travel and expenses. Follow @DerbyCon for additional announcements. 
 
Email address *

Additional email address(es) of speaker(s) 
If there is more than one speaker that will be contacted Example: Karl - creepy@derbycon.com , Bob Speaker - bob@example.net ....(clearly showing name association with email address, separating multiple speakers by commas). This info will be used to contact you, it will not be published 
 
Name(s) of speaker(s) *
Provide your name(s), these will be printed in the handout and on the website unless notice is given
Mike "Shecky" K
 
Twitter Handle(s) of speaker(s) 
Example: Karl - @dorkultra , Bob Speaker - @bobspeaks ....(clearly showing name association with twitter handle, separating multiple speakers by commas). This info will be published on the handout and website unless notice is given
Siliconshecky
 
Speaker(s) Bio *
Provide a brief bio for the Speaker(s)
Shecky has been involved in computers since the late 70's. Over the last 20 years he has worked up from being on the help-desk to Security Engineering roles. He helps organized one of the Burbsec meetups in the Chicago area, has volunteered at B-Sides Chicago in 2017, and Burbseccon in 2018 in Chicago and spoken at Cyphercon in 2018 and B-Sides Chicago in 2014.
 
Talk Title *
This will be the title of the talk
Communication Breakdown
 
Talk Description *
This is the description of the talk that will be put in the DerbyCon handout and website
We have all seen it and experienced it. It lurks all around us, and when shows its ugly head problems get exasperated. We have a communication breakdown so we will breakdown communication. The problems, and possible solutions. Ways to get better at communicating and how to potentially hack ourselves into being better communicators.
 
Talk Outline *
Provide an outline of your talking points. This helps us narrow in on the talks that are a great fit for the con.
I.	Introduction 
II.	II. The problem 
A. Talking over people’s heads 1. Example 
B. Talking around the truth 
C. Treating others like idiots, both in and out of the Cybersecurity Field 1. Example 
III. Why should we work on communication skills? 
                      A. Buy In from others in the company/client 
                      B. Lower levels of frustration 
                      C. Easier to get help when needed 
                      D. Helps lower the loneliness factor 
                      E. Helps with Social Engineering skills 
                      F. Communication does help secure things 
IV. Different types of communication and how to work on them 
                     A. Written Word 
                                1. Blog 
                                2. Whiter paper 
                                3. Social Media 
                     B. Spoken Word 
                                1. Toastmasters 
                                2. Acting/Improv Classes 
                                3. Speaking at confrences 
                                4. Talk to strangers 
                                            a) Just say hello 
                                            b) Listen first 
                                            c) Talk to at least one new person every conference 
                                            d) Go to local meetups (security or non-security) 
V. Conclusion – hack yourself into becoming a communicator 
VI. Questions 
 
Provide a category for your talk *
Ex: password cracking, social engineering, phishing, blue team, etc
Communication/Social Engineering
 
Has this talk been given before? If so.. Where? 
Let us know if and where this talk was given before
This talk has not been given
 
Talk Length *
How long is your talk? Stable talks are 30 minutes, normal talks are 45. Please note that we reserve the right to change talk times based on available time slots and variety of content.
•         ( ) 30 Minutes (Stable Talk)
•         (X) 45 Minutes (Standard Talk)

Pretty normal; I made one spelling error in the outline (the word conferences is misspelled).

Anything that we can see wrong with the description? Maybe a little grammar near the end:

“We have all seen it and experienced it. It lurks all around us, and when shows its ugly head problems get exasperated. We have a communication breakdown so we will breakdown communication. The problems, and possible solutions. Ways to get better at communicating and how to potentially hack ourselves into being better communicators.”

That last line probably should be combined with the sentence before it. That would be points off then, and it can make a difference. When I wrote it, it seemed right to me, but English and grammar are weak points (one of the reasons I write this blog is to get better at both of them).

Next up is the outline. I have adjusted it back to how I saw it when I put it in originally. I did the outline in Word so I could get the formatting correct. Lesley said in her blog post, about problems she found with some of the CFPs: “Many submissions I reviewed did not include one or the other. In some cases, the submitters provided long bullet lists or paragraphs instead of a tabbed outline that concisely described their talk proposal.”

Above you see a proper outline. The actual e-mail showed my outline like this:

 

Talk Outline *

Provide an outline of your talking points. This helps us narrow in on the talks that are a great fit for the con.

  1. Introduction II. The problem A. Talking over people’s heads 1. Example B. Talking around the truth C. Treating others like idiots, both in and out of the Cybersecurity Field 1. Example III. Why should we work on communication skills? A. Buy In from others in the company/client B. Lower levels of frustration C. Easier to get help when needed D. Helps lower the loneliness factor E. Helps with Social Engineering skills F. Communication does help secure things IV. Different types of communication and how to work on them A. Written Word 1. Blog 2. Whiter paper 3. Social Media B. Spoken Word 1. Toastmasters 2. Acting/Improv Classes 3. Speaking at confrences 4. Talk to strangers a) Just say hello b) Listen first c) Talk to at least one new person every conference d) Go to local meetups (security or non-security) V. Conclusion – hack yourself into becoming a communicator VI. Questions

Notice that it has lost its formatting. I will take partial blame on this one, only because I did have it originally in proper outline form, and once submitted it reverted to the paragraph above. This is something I will have to figure out how to prevent for the next CFP I do, but it would cause points to be removed from my score.

Other items that get talked about, such as fit with the conference’s overall theme, are tough to judge, since that information was not given by Derbycon itself. It is a guessing game as to how the CFP review board felt on that. Soft-skills talks are difficult to get accepted unless a CFP is perfect, at least from my perspective. Truth is, I probably should have put this in as a workshop instead of a talk; I mean, who wants to just listen to someone talk about communicating? I do wish we could have gotten feedback from the review board, but with almost 500 submissions, that is just way too time consuming.

Hopefully this helps some of you out there with what a rejected CFP looks like, and please feel free to comment on and critique mine. Thanks again to Derbycon for being so transparent on the whole process.

Filed Under: General, Security Tagged With: Call for Paper, Call For Presentation, CFP, Derbycon

The Secret Sauce Does Not Help Security

July 19, 2018 By Michael Kavka Leave a Comment

There are a ton of tools out there; some work well, some not so well. Most of them have some sort of secret sauce, you know, the stuff we are not supposed to see because it might be a trade secret or the company is just not good at documenting it. I recently have been dealing with the Carbon Black Defense EDR (Endpoint Detection and Response) tool, and let me tell you, the secret sauce there is really a drain on what is a nice, if not quite mature, tool for endpoint response.

Before I get more into it: I have worked with Carbon Black products for the last 3 years. The majority of that was with Response and Protect (formerly Bit9), and I found that neither of those tools has the problem I am running into now. Defense (formerly Confer), which I started dealing with a few months ago, I figured would not be too difficult to pick up since I had a background in the other software. Truth is, it was not difficult to make the switch in a general sense. It has been painful in the sense that I know what needs to be done and what I need to see, but they are not allowing either to be shown or easily accessed. And while simplicity is not a bad thing, a lack of controls is not simplicity; rather, it creates a more complex and less usable product.

The idea behind EDR solutions such as Carbon Black Defense is to allow more insight into a machine, and to be able to block malicious software (especially the unknown unknowns) before any damage is done. Defense does a good job at this (although not perfect, as you can look up the whole “We Stop Mimikatz” debacle from last year’s Blackhat), but at a major price, which is time. The amount of false positives that get generated is amazing, which is why any solution like this needs to be tuned for efficiency. Yes, you can use a SIEM to cut through a lot of the clutter, but in the end you still need to tune the solution. With CB Response and Protect, you can get very granular on rules and alerts to cut through the noise. Defense, though a “Response” tool in its own right, does not allow for granularity in the allow and deny rules. In fact, I see it as more of an all-or-nothing approach based on their “secret sauce” (of which you get but a small idea in their documentation) of TTPs lining up with Threat Indicators. Here are the screens for allowing and blocking:

Allowing software by rule

Blocking by Rule

You can see that both the Allow and Block rule construction is simplified. You can put in an application by path (with wildcards to cover the directory structure up and down). Allowing gives you the options of completely bypassing CB Defense (not a great solution) or, in most Threat Indicator categories, Allow without logging or Allow with logging. Why one would allow without logging makes no sense, but it is an option. For blocking you get a choice of Terminate Process or Deny Operation. The little target symbol will bring you to an investigation page searching for that operation. Notice that you do not know how it determines what operation is what (there are a couple of examples for most items in the documentation, but not enough). Also, it is a generic allow or deny for the path or the application itself; I mean you cannot say “if X application invokes Y then it is OK” or “not OK”. This is surprising considering all the hashing that goes on to make some of the determinations.

Let's look at an example. I am going to focus on Outlook starting up and using a plugin for encryption. I get an alert every time someone goes through this startup. Yes, I have told Defense not to alert on this behavior, but the smallest change (IP address, machine name, new version, any change) makes the alert, as seen by CB Defense, a completely different creature.

Outlook Alert

The alerts I am talking about are the bottom two (each one is a separate machine, but alerting on the exact same thing). You see the alert level is 3, and just so you know, these are not blocked by policy, but they are still alerted on. There is not a lot of information on the alert; in fact, you do not even see what it tried to execute from a memory buffer. When I go into the Alert Triage section on the bottom alert I see the following:

Alert Triage Outlook

Here I see the process Outlook is invoking. No path of the process, not a whole lot of detailed information to make a decision on in the environment, but a lot of “trust us, we know what we are doing” type information. There is a similar screen in Response, but it gives much more info and gets way more detailed (including thread lists). The same information is in the background somewhere but is not being shown. There is the investigation button, so let us see if that gives us more info so we can make an informed decision:

Investigation Screen

Well, we do get more information, but what does it mean? We can see the paths being invoked and loaded (and functions called). We do not see full command lines (at one point I did with PowerShell invoking commands, but that has disappeared recently). I see the TTPs and hashes. While not in the screenshot, there is a button, if I click on the application, that allows me to look up the hashes on VirusTotal (one bad hit there and it skews the rating system toward alerting). So even without a ton of detailed information, I can make a guess that this is good if I know the environment uses said plugin. I do not know how it determined why it alerted, outside of Outlook invoking the plugin. This happens when you open a document, spreadsheet or PDF from Outlook, or even from the web. I get alerts from people opening up spreadsheets they have created, or that hook into software specific to the vertical to pull data from it. There are many other cases where you do not even get this much information.

So I should be able to not alert on this, right? Wrong. I can whitelist everything and still be alerted. I cannot say “do not alert if Outlook invokes this application.” I can’t even say “do not alert if a whitelisted process invokes a whitelisted process.” I am using the word alert specifically, because that is what the SOC will see. The logging needs to happen for both good and bad. I can search through the investigation area for specific files, hashes and machine names, but in the end the info I get is as above. Now imagine getting 5 alerts every 5 minutes and having to go through each one. That can be a ton of alerts in a large company. What I get told is to look at the Priority Score. That helps very little, as there is no documentation as to what makes a score what it is. How many points is each TTP worth? The information is there in the background somewhere. Why can it not be viewed in an advanced mode?
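The parent/child suppression the post is asking for (“do not alert if Outlook invokes this application”) can be done downstream of the product, in whatever consumes the exported alerts, as long as the record carries the parent path, child path and child hash. The following is an added example, not code from the original post or from Carbon Black; the alert records, field names and rule format are constructed for illustration and are not CB Defense’s real export schema or API. It pins the child by SHA-256 as well as by path, so a different binary dropped at the approved path, or the approved binary run from a temp directory, stays an alert, and suppressed records are kept rather than dropped, which is the “logging needs to happen for both good and bad” point above.

```python
"""Parent/child process allow-listing applied to exported EDR alerts.

Added example, not code from the original post or from Carbon Black. The alert
records, field names and rule format are constructed for illustration; they are
not CB Defense's real export schema or API.
"""
import fnmatch
import hashlib
import json
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binary hashes (labels only, not real file hashes).
GOOD_PLUGIN_HASH = sha256_hex(b"constructed: approved encryption plugin build")
OTHER_BINARY_HASH = sha256_hex(b"constructed: a different binary with the same file name")


@dataclass(frozen=True)
class Rule:
    parent: str                              # glob on the parent process path
    child: str                               # glob on the child process path
    child_hashes: frozenset = frozenset()    # if non-empty, child sha256 must be listed
    note: str = ""                           # why this pairing is expected


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise separators and case before globbing.
    return path.replace("/", "\\").lower()


def _glob(pattern: str, path: str) -> bool:
    return fnmatch.fnmatchcase(_norm(path), _norm(pattern))


def rule_matches(rule: Rule, alert: dict) -> bool:
    """True when both paths match and, if the rule pins hashes, the child hash is pinned."""
    if not _glob(rule.parent, alert["parent_path"]):
        return False
    if not _glob(rule.child, alert["child_path"]):
        return False
    if rule.child_hashes and alert.get("child_sha256") not in rule.child_hashes:
        return False  # same path, different binary: never suppress on path alone
    return True


def triage(alerts: list, rules: list) -> tuple:
    """Split alerts into (suppressed, kept). Suppressed records are retained for logging."""
    suppressed, kept = [], []
    for alert in alerts:
        hit = next((r for r in rules if rule_matches(r, alert)), None)
        if hit is None:
            kept.append(alert)
        else:
            suppressed.append({**alert, "suppressed_by": hit.note})
    return suppressed, kept


def lint_rules(rules: list) -> list:
    """Flag rules that suppress a wildcard child path without pinning a hash."""
    findings = []
    for r in rules:
        if not r.child_hashes and any(c in r.child for c in "*?"):
            findings.append(f"rule {r.note!r}: wildcard child {r.child!r} with no hash pin")
    return findings


RULES = [
    Rule(parent=r"C:\Program Files*\Microsoft Office\*\outlook.exe",
         child=r"C:\Program Files\EncryptionPlugin\encplugin.exe",
         child_hashes=frozenset({GOOD_PLUGIN_HASH}),
         note="Outlook loading the approved encryption plugin"),
]

# Constructed sample alerts (hostnames and paths are made up).
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
PLUGIN = r"C:\Program Files\EncryptionPlugin\encplugin.exe"
SAMPLE_ALERTS = [
    {"id": "A1", "host": "WS-0142", "parent_path": OUTLOOK, "child_path": PLUGIN,
     "child_sha256": GOOD_PLUGIN_HASH},                        # expected pairing: suppress
    {"id": "A2", "host": "WS-0277", "parent_path": OUTLOOK, "child_path": PLUGIN,
     "child_sha256": OTHER_BINARY_HASH},                       # right path, wrong binary
    {"id": "A3", "host": "WS-0301", "parent_path": OUTLOOK,
     "child_path": r"C:\Users\alice\AppData\Local\Temp\encplugin.exe",
     "child_sha256": GOOD_PLUGIN_HASH},                        # right binary, wrong path
    {"id": "A4", "host": "WS-0301",
     "parent_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "child_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "child_sha256": sha256_hex(b"constructed: powershell")},  # no rule: stays an alert
]


if __name__ == "__main__":
    for finding in lint_rules(RULES):
        print("WARNING:", finding)
    suppressed, kept = triage(SAMPLE_ALERTS, RULES)
    print(json.dumps({"suppressed": [a["id"] for a in suppressed],
                      "kept": [a["id"] for a in kept]}))
```

Only A1 is suppressed; A2 (hash mismatch at the approved path), A3 (approved binary at a temp path) and A4 (no rule) all stay alerts. `lint_rules` catches the tempting shortcut of allowing `C:\Program Files\*` as a child with no hash pin, which is exactly the path-only allow the post says is all the product offers.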

I have not looked at too many other EDRs (briefly Rapid7’s at a prior place of employment), but it seems each one has its faults. I have heard about the false-positive issue with some of them by asking around. Also, I am not saying that CB Defense doesn’t do what it is supposed to do, which is block and alert. What it does not do, though, is make life more autonomous in the Endpoint Detection and Response area; if anything, it makes it more human-resource intensive just to get through the false positives. The idea of alerting on non-blocked events is great; it is how one can find unknown/unknown threats and actors potentially living off the land. The technology behind these alerts allows for more granular tuning, and the priority score is a great idea. Without knowing the secret sauce behind the alerts, if for nothing else than tuning purposes, software like this becomes a time sink.

Filed Under: Rants, Reviews, Security Tagged With: Carbon Black, EDR, TTP
