Let’s face it, no matter how hard we try, or how elaborate the defense, sometimes the fox gets in the hen house (Or sometimes it just eats at McDonald’s). When I was in college taking a computer systems design course my professor stated that computer technology is invented in fits and starts. For example, someone would invent really fast memory, but speed was limited by the bus, therefore negating the performance improvement. This could not be more true when it comes to computer security. Anti-Virus vendors, for example, will take a step forward in detection, and malware authors figure out a way around it, and the cycle continues. This is evident in the latest versions of the Metasploit framework, version 3.2, which has improved its ability to dodge anti-virus tools (See John Strand’s great video tutorial on this feature here).

I believe that a fox will always stand out in a hen house, no matter how much it tries to look like a hen, it will always be a fox. When an attacker compromises a system, they may try to mask the behavior as legitimate. When they communicate with the compromised system, and collect information from it, it may be masked as legitimate. However, there is typically some behavior or artifact left, either on the system or on the network, which indicates an attack has occurred. The big question is not even what we do about it, but how do we deal with it in a cost effective manner. In Jason’s previous post he poses part of the the problem referred to as the “Security 3-legged Stool”:

“…let’s look at this from the perspective of an executive or even a control engineer. They want the biggest security bang for their buck which includes not only hard cost but ongoing maintenance expense.”

Cost is but one leg of the stool, usability and performance comprise the others. Many will say that a “Security 3-legged Stool” does not exist. That does not mean we can give up hope! Lets look at some practical defensive tips in the categories of protection, detection, and reaction that strive to be cost-effective (and in a perfect world usable and fast):

1) System Hardening (Protection) – As Jason mentions, Bandolier is a great project for systems hardening on control systems (or any system for that matter). As I go through the various system hardening techniques, I think about how each control is affecting the attackers ability to collect information, maintain system access, and clean-up their tracks. Windows especially has some powerful features that can make it difficult for attackers, even once the system has been compromised. The DISA standards are very comprehensive and my pick for hardening guides (Windows 2003 Security Checklist Version 6, Release 1.8 – September 22, 2008) . This process can be cost effective if properly built into your systems administration procedures as it does not require any additional hardware or software.

2) Log Monitoring (Detection) – This measure is high maintenance as you have to correlate and check the logs regularly in order to be effective. However, there are many commercial and open-source tools available for log correlation and a control systems specific projects in the for of Portaledge and Quickdraw. Log monitoring can be expensive, but if limited in scope to only critical systems can start out more cost effective.

3) Network Monitoring (Detection) – While systems can be penetrated, and logs can be deleted by the attacker, at some point traffic must pass through the network. Network intrusion detection is a very important defensive measure, and using “Extrusion” rules (Such as the ones from Emerging Threats) can provide a fantastic way to detect post-exploitation traffic in your network. While some may say its too late, I always advise that we use extrusion detection to identify malicious behavior sooner rather than later. What’s worse, a system that has been compromised for a few hours, or a system that has been compromised for months or even years? (Back at the University I heard stories of a mainframe computer that had been compromised for several years, and the attacker gave himself away because he was applying patches to prevent others from compromising it). Snort can be used to implement this monitoring and is free when combined with the emerging threats rules.

4) Incident Response (Reaction) – Its always best to be prepared, have an incident response plan and test it. Some of the most damaging incidents I have encountered were made worse by the absence of a well-defined incident response plan. SANS has some great examples and guides. The only cost to this process is time.

The above four defensive measures are not the perfect solutions for all organizations (they do require time and maintenance). However, they do lay a nice foundation to build upon, and good process can help alleviate the time problem. Most importantly they will help you quickly spot that fox in the hen house.