Security experts of all stripes appeared at a closed-door plenary session at the 2017 FIRST (Forum of Incident Response and Security Teams) Regional Symposium for Asia-Pacific in Taichung, Taiwan to discuss the latest cybersecurity issues and what to do about them. Among the highlights: better email security, a new “Internet Immune System”, and the case for AI-powered automation.
At the plenary, Adnan Baykal, chief advisor from the Global Cyber Alliance, described his organization as a “coalition of the angry”, fed up with the commercialization and lack of cooperation in the security industry. The GCA itself gets most of its funding from the Manhattan District Attorney’s office which had seized money from Wall Street organizations that did not follow AML guidelines. The Manhattan DA approached the GCA, asking them to come up with solutions that would have a great impact on cyber security, two of which were presented at the FIRST symposium.
The first, DMARC (Domain-based Message Authentication, Reporting and Conformance), is an email security protocol currently supported by 85% of inboxes in the United States.
The recipient mail server queries DNS for the sender’s DMARC policy and evaluates the message against it; only if both underlying checks (SPF and DKIM) pass does it let the mail through. To implement DMARC, an organization must therefore first implement SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
“I thought we were over SPF, but it turns out that a lot of mailboxes are implementing SPF but improperly,” Baykal said. “Many are too wide and allow anything to go through, and some are too strict, while third parties sending email on your behalf are going to end up in people’s spam boxes.”
The GCA suggests that all organizations first implement DMARC with a “none” policy just to gain visibility and logs to see who is sending emails from the company. The GCA provides help and toolkits to help create SPF, DKIM and DMARC policies, all free of charge.
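The checks Baykal describes, as an added example that is not part of the original article or the GCA toolkits: a small Python assessor that reads SPF and DMARC TXT records and flags an SPF record that is too wide (`+all`), one that is too strict for a third party that sends on the domain’s behalf, and a missing or report-less DMARC policy. The domains and TXT records are constructed for the example; a real checker would fetch them over DNS.

```python
"""Assess SPF/DMARC posture along the lines of the GCA advice above."""

# Constructed TXT records for hypothetical domains (not real DNS data).
SAMPLE_TXT = {
    "good.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.thirdparty.test -all"],
    "_dmarc.good.test": ["v=DMARC1; p=none; rua=mailto:dmarc-rua@good.test"],
    "wide.test": ["v=spf1 +all"],
    "_dmarc.wide.test": [],
    "strict.test": ["v=spf1 ip4:198.51.100.7 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject"],
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of DMARC tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def assess(domain, txt=None, third_party_senders=()):
    """Return a list of findings for the domain's SPF and DMARC records.

    third_party_senders lists SPF include targets (e.g. a mailing provider)
    that legitimately send on the domain's behalf and must be authorized.
    """
    txt = SAMPLE_TXT if txt is None else txt
    findings = []
    spf = [r for r in txt.get(domain, []) if r.startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing")
    else:
        mechanisms = spf[0].split()[1:]
        terminal = mechanisms[-1] if mechanisms else ""
        if terminal in ("+all", "all"):  # anyone may send as this domain
            findings.append("SPF too wide: +all authorizes any sender")
        for sender in third_party_senders:
            if f"include:{sender}" not in mechanisms:  # legit mail will be junked
                findings.append(f"SPF too strict: {sender} not authorized")
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC missing: publish p=none first to gain visibility")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p") == "none" and "rua" not in tags:  # monitoring without reports
            findings.append("DMARC p=none without rua: no aggregate reports")
    return findings
```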
The second solution was the Internet Immune System, a privacy-enhancing, malware-domain blocking DNS service that is set to launch next month. Working with Packet Clearinghouse, the Alliance has launched in beta a network of global DNS resolving clusters that block domains based on commercial threat intelligence from a large number of partners.
Unlike many other free DNS service providers, the Internet Immune System will not use the data for advertising or data mining. The security companies sharing information for the system will only get anonymized data on the blocked query down to the city level, which will help them learn about where a specific attack was targeted.
In the current beta, over 600,000 endpoints from 111 organizations are protected, and anyone can join before it is officially launched in November. Baykal promised that the IP address of the IIS would be even easier to remember than Google DNS’ 220.127.116.11 (one key reason many admins simply use Google). Users can sign up for the test phase at dns.globalcyberalliance.org.
The case for AI automation
Meanwhile, Cycarrier founder Jeremy Chiu (better known in white hat hacking circles as Birdman) spoke of the need to deploy AI systems to automate incident response and relieve overworked humans.
Most people simply want to remove malware as soon as possible, but doing so without investigating first destroys evidence that might lead to the identity of the attacker. AI would greatly shorten the time needed to investigate, Chiu said. Another reason for using AI, he added, is that many organizations have policies that prohibit sharing confidential information with outside researchers, so the investigation has to be done in-house.
Birdman shared a story of one Taiwan NGO infected with an APT (advanced persistent threat) that escaped detection by traditional anti-virus software because the infected files were signed with a VMware certificate, which most anti-virus filters ignored because the signature checked out. Further investigation revealed that the attacker had added a root CA under the name of VMware to the Windows certificate store.
The organization’s switch was also compromised – which was a challenge because router firmware does not use virus checkers.
Ultimately – and this was a recurring theme throughout the conference – Birdman said that the proliferation of threats boiled down to a lack of IT budget and resources, with the poor IT staff overworked and struggling just with day-to-day tasks, never mind dealing with targeted cyber attacks.