This document discusses the importance and challenges of defensive cybersecurity research. It notes that while offensive research may be easier due to exploitable technology vulnerabilities, defensive research is important for protecting systems and data from attackers. Defensive research involves efforts like finding and mitigating vulnerabilities, developing detection and response capabilities, understanding evolving attack techniques, and improving security standards and implementations. The document outlines many open challenges in areas like phishing, malware, memory corruption, and forensics. It argues that to be successful, defensive ideas must be practical, scalable, cost-effective, and widely adopted. The rewards of defensive research are more intangible compared to offensive research, but are still very important for enhancing security.
3. Before we begin… Who is NCC?
• 100 million GBP revenue FTSE company
• Cyber Security Assurance Practice
  • 180 UK technical assurance consultants
    • applied research
    • technical security assessments
    • cyber forensics incident response
  • 50 UK risk / audit consultants
  • 90 US technical assurance consultants
• Escrow & Software Assurance = sister BUs
5. Why Offensive Research is Easy*
• Time, money, capability
• Usability
• Technology diversity / fragmentation
• Technology mono-cultures / near mono-cultures
• Technology life-cycles
• Developers
• Implementers / Integrators
• End-users
Fact 1: NCC has games consoles and/or arcade machines in all technical offices!
6. Why We do Defensive Research
• Drive down costs
• Keep aggressors out
  • system / software design, build and operate
• Minimize the impact when that fails
  • defence in depth / resilience / aid clean-up
• Know what happened and clean up
  • audit, forensics, loss measurement and recovery
• Understand what is happening
  • threat intel / exposure etc.
Fact 2: the author of !exploitable v2 works for NCC in Cheltenham
7. Applied Defensive Research can be* Reactive
• Tangible threat / needs
  • organisations / users feeling pain
  • demonstrated financial / data loss / compromise
• Easiest to demonstrate ROI for
  • addresses concerns / gaps
  • known market to sell solutions for
• Pro-active
  • academia**
  • domain of the few
Fact 3: author of the browser hackers handbook works for NCC in Australia
8. Applied Defensive Research is Broad
• Hardware
• Operating systems
• Programming languages
• Compilers
• Libraries / frameworks
• Features / integration
• Human sciences
• Models and data analysis
• Algorithmic
• Standards
• Design patterns
• Implementation
• Build
• Deployment
• Sustainment
Fact 4: we have a massive UK tech team (> 150) which only results in awesome!
10. XSS
• Types
  • traditional (basic?) XSS
  • domXSS – example of refinement
• Game of: source v sink
• Solutions thus far:
  • Internet Explorer XSS protection feature*
  • Content Security Policy*
  • DOMPurify**
Status: PARTIALLY SOLVED
Fact 5: NCC works on everything from SCADA to ATMs to cars to web apps
11. SQL Injection
• Input validation
  • black-listing / white-listing
• Non verbose error messages*
  • blind etc.
• Parameterisation
• Abstraction / NoSQL
Status: PARTIALLY SOLVED
Fact 6: 1K GBP bonuses for publishing whitepapers at NCC
12. Malicious Code
• Malicious code arrives
• Signature AV
  • metamorphism / packers
  • rootkit / bootkits
• Signature AV, unpackers, rootkit detection
  • signing of binaries
  • in process injection
• Behaviour monitoring
  • fragmented behaviour
• Reputation – stolen identity
Fact 7: you get utilisation credits (like client work) for research at NCC
13. Memory Corruption
• Stack
  • cookies / variable re-ordering / multi stack / NX
• Heap
  • cookies / out of band* / NX
• SafeSEH
  • compatibility holes
• ASLR
  • compatibility holes
  • weak entropy / exhaustion
  • information leaks*
Fact 8: NCC loves publishing its tools as open source - http://github.com/nccgroup
14. Memory Corruption
• Kernel executing code from userland
  • SMEP – Supervisor Mode Execution Prevention*
• Kernel access data in userland
  • SMAP – Supervisor Mode Access Protection*
• ROP
  • call flow analysis
  • gadget less code
• Plus many more
  • PaX, EMET, BlueHat prize etc.
Fact 9: suits are for client sites not our offices.. unless you want to of course!
15. Code Review
• Grep / Lint
  • comedy basic, false positives, noisy
• Taint analysis
  • compilation / parsing of code
  • procedural / intra-procedural
• Gamification
  • formal verification
  • http://www.cs.washington.edu/verigames/
Status: PARTIALLY SOLVED
Fact 10: the early Samba domain protocol breakthrough was done by an NCCer
16. Sandboxing
• Constrain a process not to do bad stuff*
  • chroot escapes etc.
• Many levels
  • File system
  • Network
  • IPC
  • System calls
• Whilst maintaining compatibility*
Status: PARTIALLY SOLVED
Fact 11: we employed 7 graduates last year, we’re aiming for 20 this year
17. Protective Monitoring
• IDS / IPS
  • stream reconstruction
  • OS specific fragmentation behaviours
  • many methods of encoding
  • encryption
  • maintaining pace with network speeds
  • .. etc
Status: PARTIALLY SOLVED
Fact 12: we have internal training for infra to web apps to threat modelling to code
18. Response / Threat Intel: Forensics
• Physical versus logical acquisition
  • many devices OS
• Memory forensics
• Structured / unstructured data analysis and correlation
• Application of expert systems / inference engines
  • Non fancy name of AI (includes knowledge bases)
Status: PARTIALLY SOLVED
Fact 13: we don’t have time sheets! and our expenses are electronic!
19. Threat Intel: Honey Pots
• Make them discoverable
  • darknets / seeding
• Make them attackable
  • network, web, mobile etc.
• Make them look real enough
  • emulate, real-tin, simulate, virtualize
• Make them tempting enough
• Make them indistinguishable
Fact 14: all of the first two grades of management are ex technical doers*
20. Hot Patching
• How to patch security vulns without restarts
• Research
  • Code injection*
  • Compiled function structure
    • MOV EDI, EDI – two byte NOP
• Security
Status: PARTIALLY SOLVED
Fact 15: we work with our US and Australian teams jointly on projects
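An added example (mine, not from the talk) of the compiled function structure the hot-patching slide alludes to: a small checker that tells a pristine `mov edi, edi` prologue from one that has been redirected through the padding in front of the function, so an integrity or forensics tool can flag which functions in an image have been hot-patched. The layout and both sample images are constructed for the example, not taken from any real binary.

```python
"""Checker for the hot-patch prologue layout the slide refers to. Assumed layout
(sample images are constructed below, not taken from any real binary):
    func-5..func-1 : padding (0xCC/0x90)       <- a near jmp is written here
    func+0 : 8B FF  mov edi, edi (2-byte NOP)  <- becomes EB F9 (jmp short -7)
    func+2 : 55 8B EC  push ebp / mov ebp, esp
"""
import struct

PADDING = {0xCC, 0x90}
MOV_EDI_EDI = b"\x8b\xff"
STD_FRAME = b"\x55\x8b\xec"
JMP_SHORT, JMP_NEAR = 0xEB, 0xE9


def classify_prologue(image: bytes, func_off: int) -> dict:
    """Return 'pristine', 'patched' (with detour target) or 'unknown' for func_off."""
    if func_off < 5 or func_off + 5 > len(image):
        return {"state": "unknown", "reason": "no room for padding or prologue"}
    pad = image[func_off - 5:func_off]
    head = image[func_off:func_off + 2]
    frame = image[func_off + 2:func_off + 5]
    if head == MOV_EDI_EDI and frame == STD_FRAME and all(b in PADDING for b in pad):
        return {"state": "pristine"}
    if head[0] == JMP_SHORT and pad[0] == JMP_NEAR:
        rel8 = struct.unpack("<b", head[1:2])[0]
        # rel8 counts from the end of the 2-byte jmp, so -7 lands on func-5.
        if func_off + 2 + rel8 != func_off - 5:
            return {"state": "unknown", "reason": "short jmp misses the padding"}
        rel32 = struct.unpack("<i", pad[1:5])[0]
        # E9 rel32 counts from the end of the 5-byte jmp, which is func+0.
        return {"state": "patched", "detour_target": func_off + rel32}
    return {"state": "unknown", "reason": "not a hot-patch shaped prologue"}


def build_pristine(func_off: int = 16, size: int = 64) -> bytes:
    """Constructed sample: hot-patchable function at func_off inside NOP filler."""
    img = bytearray(b"\x90" * size)
    img[func_off - 5:func_off] = b"\xcc" * 5
    img[func_off:func_off + 5] = MOV_EDI_EDI + STD_FRAME
    return bytes(img)


def build_patched(func_off: int = 16, size: int = 64, target: int = 48) -> bytes:
    """Constructed sample: same image after the prologue was redirected to target."""
    img = bytearray(build_pristine(func_off, size))
    img[func_off - 5] = JMP_NEAR
    img[func_off - 4:func_off] = struct.pack("<i", target - func_off)
    img[func_off:func_off + 2] = b"\xeb\xf9"
    return bytes(img)
```

Run over every function start in a loaded image, a "patched" result with an unexpected detour target is the kind of in-place modification that a restart-free patch and a hooking implant have in common, which is why the slide files it under both "Research" and "Security".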
21. DRM
• Software based DRM
  • cracks
• Geography specific based DRM
  • cracks but constrained
• Hardware augmented DRM
  • crack
• Hardware DRM / CAC
  • cracks / duplication
Status: PARTIALLY SOLVED
Fact 16: NCC has tech offices in Manchester, Leatherhead, Chelly and Milton Keynes
23. Challenges
• User and consumer cyber security awareness
• Practical cyber security in start-ups and other resource constrained environments
• Cyber incident remediation, clean-up, impact measurement and quantification
Fact 17: we have two service-lines launching this year designed by consultants
24. Phishing
• Human science
  • Humans just want to get stuff done
  • Humans are nosey
  • Humans like flattery
• Smart(er) technology
  • When Bayesian filters fail
etc..
Fact 18: each office has a monthly techy presentation afternoons & social evenings
25. Forensics
• Storage Reduction for Network Captures
• High Performance Captured Network Meta Data Analysis
• Network Capture Visualization
• Automated Net Flow Heuristic Signature Production
• Forensic Memory Resident Password Recovery
• Application of Location Services in Data Forensics Investigations
Fact 19: you get free fruit* at work - *we wish it was chocolate
26. Throw Away Home Automation
• Cheap embedded systems
  • some shown to have backdoors
• Range of impacts if owned
  • danger to life*
  • privacy
  • security
  • financial
Fact 20: we may be big but that comes with certain benefits (e.g. lab admins)
27. … everything else …
• stopping Terry from using sprintf*
• automatic CSP generation and refinement
• attack surface mapping / visualisation
• micro virtualized OS secure design
• defensive software defined networking
• anti-anti-forensics
• making Linux security features useable for low skilled vendors
etc..
Fact 21: we love CVs e-mail colin.gillingham@nccgroup.com (he’ll thank me later)
28. The Reward for Doing Defensive Research…
…many…
• No BBC articles
• Frustration when people don’t use it and then get owned
• Maybe 200k from Microsoft Bluehat*
• No trips to Vegas
• No world wide con tour
• People complaining when it does work because they didn’t read the manual
29. Summary
• Defensive research is one of the most rewarding areas
  • you don’t need to be an academic
  • you don’t need to solve world hunger
• Lots of defensive ideas come and go
• The trick is making / getting them:
  • implemented
  • practical
  • scalable
  • cost effective
  • adopted
30. An Example
TL;DR: Intel implements UDEREF equivalent 6 years after PaX, PaX will make use of it on amd64 for improved performance.
http://forums.grsecurity.net/viewtopic.php?f=7&t=3046
32. Almost Final Thought
“We may be at the point of diminishing returns by trying to buy down vulnerability, maybe it’s time to place more emphasis on coping with the consequences of a successful attack, and trying to develop networks that can “self-heal” or “self-limit” the damages inflicted upon them”
Gen. Michael Hayden (USAF-Ret.), former head of the NSA and the CIA
33. Final Thought
start small, learn, practice, improve, fail, start again, get better, fail again, start once more, get even better and maybe win!
34. The future (in an alternate universe)
Defendercon 2015
Showcasing applied defensive research with the pizazz of offensive including the defend2spend competition…
35. UK Offices
Manchester - Head Office
Cheltenham
Edinburgh
Leatherhead
London
Milton Keynes
North American Offices
San Francisco
Atlanta
New York
Seattle
Austin
Australian Offices
Sydney
European Offices
Amsterdam - Netherlands
Munich - Germany
Zurich - Switzerland
Thanks? Questions?
Ollie Whitehouse
ollie.whitehouse@nccgroup.com