Building Security InEditors: John Steven, jsteven@cigital.com

Gunnar Peterson, gunnar@arctecgroup.net

JANUARY/FEBRUARY 2011 1540-7993/11/$26.00 © 2011 IEEE COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES 91

RichaRd Bejtlich

General Electric

john Steven

Cigital

GunnaR PeteRSon

Arctec Group

Directions in Incident Detection and Response

this makes IDR much more dif-ficult and what these new targets mean for IDR. We, in turn, offer tactics on how application secu-rity teams can help. — John Steven and Gunnar Peterson

Richard Bejtlich: As the leader of a commercial computer incident re-sponse team providing services to my company, I fear that industry’s IDR model is inadequate. One way IDR fails involves the identification of application-level compromises. Application misuse and abuse, which aim to access data, differ from intrusions, which aim to gain persistent control of the target OS. In attacks on applications, intruders likely seek unauthorized access to data and in some cases might desire unauthorized alteration of data. In contrast, traditional IDR models tend to assume that attackers seek to compromise the target platform, with the primary objectives be-ing the deployment of a persistence mechanism, remote command and control, and access to privileged ac-counts. With this in mind, I make four assumptions concerning the application-centric-security world.

First, organizations expect their security teams to increasingly expand their expertise beyond

humanly possible levels. Teams probably don’t possess the deep domain knowledge necessary to understand one or two applica-tions, never mind the dozens, hun-dreds, or thousands operating in the enterprise. So, security teams probably don’t understand applica-tions, let alone effectively identify subtle attacks against them.

Second, teams must understand subtle activity; failing to do so might cause them to miss the only precursor to actual exploitation of an application. Assuming exploi-tation takes the form of a massive dump of data from the application, security teams might identify a successful attack. However, by the time a team recognizes the mas-sive dump in progress, the attack might have progressed too much to effectively stop. In the end, the security team has a chance to re-alize an attack happened, but only after the fact.

Third, instrumenting appli-cations to provide information on subtle activity poses differ-ent challenges than instrument-ing network-connected devices in general. Suspicious and malicious access to an application might manifest itself only as slightly ab-normal interaction between the

This issue, Richard Bejtlich leads a conversation

on how incident detection and response (IDR)

teams’ focus on detecting and preventing attacks

has moved from targeting OSs to unauthorized-

access-application functionality and data. He discusses why

attacker and application, within the application’s established pa-rameters. For example, an attacker probing or exploiting a Web appli-cation might access it via HTTPS-encrypted traffic, which might be opaque to traditional network-based sensors. Logs might prove more important than other infor-mation sources, but understand-ing logs is a tall order. The need to rely on different instrumentation methods puts analysts in a new, uncomfortable position.

Finally, learning to understand application-level attacks will like-ly frustrate IDR teams. Analysts who share log details might ex-pose sensitive information. They might also be forced to understand a unique instance of an applica-tion and not find peers who can help interpret the output. Analysts probably aren’t going to find class-es that teach how to interpret the logs on which they rely.

If these assumptions prove at least partially correct, organizations will have more difficulty defending their systems in a world where intruders care more about accessing and ma-nipulating data than about seeking to control OSs. This seems coun-terintuitive, because controlling the OS affords the intruder greater freedom of maneuver compared to application misuse or abuse. How-ever, if the intruder cares only about interacting with data on his or her terms, and succeeds, why should the intruder care about whether he or she “owns the box”?

What can we do about this sce-nario? I don’t believe we can equip security analysts with much more

Building Security In

92 IEEE SECURITY & PRIVACY JANUARY/FEBRUARY 2011

than basic application knowledge. The larger the environment to monitor, the less likely a security analyst will be familiar with every application exposed to attack. We must first properly define the prob-lem and determine a monitoring operation’s goal. Too often, securi-ty architects lead with technology, thinking the approach used in their last case can be easily applied to a new one. For example, deploying a network appliance that sniffs traffic to detect intrusions probably wastes time and effort if the goal is to identify application-level abuse and misuse. Unfortunately, I frequently encounter security architects who think network appliances solves the IDR problem for Internet-exposed Web services.

John Steven and Gunnar Peterson: Rather than focusing on silver-bullet monitoring tools, security architects can help security analysts understand and follow an applica-tion’s workflows by showing them how application components, ser-vices, and systems fit together. Showing an analyst which com-ponents and services call others

can avoid lost trails in the log or save discovery time. The discussion might start as coarsely as determin-ing which application components call what services where but could eventually include how to track us-ers, roles, or sessions across such calls.

Bejtlich: After defining the prob-lem and determining a monitor-ing operation’s goal, we must determine to what degree an ap-plication exposed to attack pro-vides logging. Security analysts should test an application for se-curity deficiencies while it emits logs to a collection platform. They should assess their ability to dis-cern attacks against the applica-tion, given the log data at hand. If the log data doesn’t sufficiently demonstrate evidence of various stages of attack, the security team must engage developers to aug-ment the logging sources. They might need to introduce a third-party product, such as a Web ap-plication firewall (WAF), simply to provide additional logging data.

Steven and Peterson: Secu-rity architects can point out what

frameworks and toolkits devel-opers used to build each compo-nent or service. Sometimes, these frameworks support configurable logging without redeploying or re-starting an application. Regardless, this discussion makes discovering and parsing logs easier. Develop-ers and architects should use their interactions with analysts as an op-portunity to update their logging requirements for a future release. Whereas a WAF might support immediate needs for increased log-ging, factoring such functionality into the application itself will like-ly give access to more clear data about user actions and data access.

Bejtlich: Finally, security staff should work with software pro-grammers to develop a more intuitive sense of how various ap-plications work in real life. Many security analysts already possess intuition for actions at the technol-ogy stack’s lower levels, particu-larly at the network and OS layers. To successfully resist, detect, and respond to incidents affecting only applications, security analysts must increase their familiarity with ap-plications, state transitions, and abuse and misuse patterns.

Steven and Peterson: Software programmers and architects can benefit from understanding how analysts detect and follow up on incidents as well. Understanding postdeployment workflows might cause them to change their design proactively to aid data collection or response to exploitation.

Richard Bejtlich is the Director of Inci-

dent Response for General Electric. Con-

tact him at richard.bejtlich@ge.com.

Gunnar Peterson is managing prin-

cipal of Arctec Group. Contact him at

gunnar@arctecgroup.net.

John Steven is a senior director at Cigi-

tal. Contact him at jsteven@cigital.com.