Wednesday, May 29, 2019

Your threat model is wrong

Several subjects have come up with the past week that all come down to the same thing: your threat model is wrong. Instead of addressing the the threat that exists, you've morphed the threat into something else that you'd rather deal with, or which is easier to understand.


An example is this question that misunderstands the threat of "phishing":

The (wrong) threat model is here is that phishing is an email that smart users with training can identify and avoid. This isn't true.

Good phishing messages are indistinguishable from legitimate messages. Said another way, a lot of legitimate messages are in fact phishing messages, such as when HR sends out a message saying "log into this website with your organization username/password".

Yes, it's amazing how easily stupid employees are tricked by the most obvious of phishing messages, and you want to point and laugh at them. But frankly, you want the idiot employees doing this. The more obvious phishing attempts are the least harmful and a good test of the rest of your security -- which should be based on the assumption that users will frequently fall for phishing.

In other words, if you paid attention to the threat model, you'd be mitigating the threat in other ways and not even bother training employees. You'd be firing HR idiots for phishing employees, not punishing employees for getting tricked. Your systems would be resilient against successful phishes, such as using two-factor authentication.

IoT security

After the Mirai worm, government types pushed for laws to secure IoT devices, as billions of insecure devices like TVs, cars, security cameras, and toasters are added to the Internet. Everyone is afraid of the next Mirai-type worm. For example, they are pushing for devices to be auto-updated.

But auto-updates are a bigger threat than worms.

Since Mirai, roughly 10-billion new IoT devices have been added to the Internet, yet there hasn't been a Mirai-sized worm. Why is that? After 10-billion new IoT devices, it's still Windows and not IoT that is the main problem.

The answer is that number, 10-billion. Internet worms work by guessing IPv4 addresses, of which there are only 4-billion. You can't have 10-billion new devices on the public IPv4 addresses because there simply aren't enough addresses. Instead, those 10-billion devices are almost entirely being put on private networks behind "NATs" which act as a firewall. When you look at the exposure of IoT to the public Internet, such as port 23 used by Mirai, it's going down, not up.

NATs suck as a security device, but they are still proof against worms. With everything behind NAT, worms are no longer a thing. Sure, a hacker may phish a desktop behind a firewall, and thus be able to mass infect an entire corporation, but that's not an Internet-ending worm event, just very annoying for the corporation. Yes, notPetya spread to partner organizations, but that was through multihomed Windows hosts, often connected via VPN, and not a path IoT can take.

In contrast, when a vendor gets hacked and pushes out an auto-update to millions of devices, that is an Internet-ending mass infection event. We saw that with notPetya that was launched as an autoupdate. We've seen that recently with Asus, which pushed out mass malware, though the malicious actor was apparently on focused on specific targets rather than exploiting that infection for mass destruction.

Nicholas Taleb has books on "Black Swan" events and "Antifragile" systems. This example is exactly that sort of thing. Yes, non-updated IoT devices will cause a continuous stream of low-grade problems. However, centralized auto-updates risk seldom, but massive, problems. Non-updated IoT systems lead to resilient networks, auto-update patches lead to fragile networks.

Anyway, this is just the start of your "wrong threat model". The main security weaknesses that cause 99% of the problems are services exposed to the public Internet and users exposed to the public Internet. IoT has neither of these, and thus, billions added to the Internet are not the problem you imagine.

My threat model for Internet-ending events are three:
  • Windows vulns
  • something else exposed to the public Internet
  • automatic updates of a popular product
IoT isn't in this list.

Catastrophic ransomware infections

There are two types of ransomware infections:
  • Low grade infection of individual desktops, probably from phishing, which the IT department regularly cleans up with out too much problem.
  • Crippling infections of the entire network that spreads via Windows networking credentials (often using 'psexec').
I mention this because of a NYTimes reporter who has created a third type that's blamed on the leaked tool "EternalBlue" from the NSA. While I can't confirm that wasn't the case in Baltimore, it hasn't been the case in any other major ransomware attack. In particular, it wasn't the case in Merk and FedEx.

Yes, EternalBlue was used in those two attacks, but had it been EternalBlue alone, it would've been the first example of a few unpatched systems that needed to be fixed. What caused the $billion in damage was spreading via Windows credentials.

A couple weeks ago, Microsoft patched a vulnerability in their Remote Desktop feature that they say is wormable. There are right now more than 900,000 machine exposed on the Internet that can be exploited. A new worm like notPetya is likely on the way. The correct response to this threat model isn't "patch your systems" it's "fix your Windows credentials". Segment your active directory domains and trust permissions so when the worm gets admin rights in one domain it can't spread to the others. Yes, also patch your systems, but a few will remain unpatched, and when infected, they shouldn't spread to patched systems with psexec.

I've looked at lots of crippling ransomware attacks, including notPetya. What makes them crippling is never anything but this problem of Windows credentials and 'psexec' style lateral movement. This is your threat model.


The problem with cybersecurity is that you aren't paying attention to your threat model. An important step in addressing both phishing and ransomware worms is taking local admin rights away from users, yet many (most?) organizations are unwilling to do that. So they pretend the threat is elsewhere, such as blaming users for falling victim to phishing rather than blaming themselves for not making systems resilient to successful phishing.

No comments: