CSP-CERT® Events:
Cyber Summit 2018: “Philippine Army Cyber Security Preparedness Moving Beyond Compliance”

by CSP-CERT Red Team®
posted June 2018

The Philippine Army with the vision: “By 2028, a world-class Army that is a source of national pride” has conducted its annual Cyber Security Summit last June 21-22, 2018 with the theme “Philippine Army Cybersecurity Preparedness Moving Beyond Compliance”. Aiming to equip their IT Personnel and invited guests with the knowledge of new technologies and threats to cyber security, the Philippine Army has invited various companies in the technology industry including the Cyber Security Philippines – CERT team to show case their capabilities through talks, demonstrations, and booths.

The summit started off with the plans and progress on cyber security from the three major services of the Armed Forces of the Philippines; Philippine Army, Philippine Navy and Philippine Air Force. The talks from different companies soon followed after.

The team discussed the life cycle of an attack from exploit discovery and weaponization to vulnerability assessment and penetration testing (VAPT) and breach response with the sole focus on the hardware vulnerabilities Meltdown and Spectre on day 2.

Meltdown and Spectre - An overview of a hardware vulnerability class that will hunt us for a period of time

Early this January 2018, Google Project Zero disclosed a hardware vulnerability that affects almost all modern CPU’s today, the effects were the attacker allows the overcoming of memory isolation by just providing a way to any user process to read the kernel (in this case it’s the entire kernel) memory of our machine it executes.

The team discussed that Meltdown vulnerability is an operating system independent vulnerability that takes advantage of the Out of Order Execution paradigm used on high-performance microprocessors to make use of instruction cycles. The Out of Order Execution is exploited to read arbitrary kernel memory locations to leak the victim’s physical memory that may contain personal information.

It was discussed that spectre came from the side effect of speculative execution it induce victims to perform speculative operations that would not occur during correct program execution and can result on leaking confidential information via a side channel to the adversary, a similar effect to meltdown vulnerability.

The team then, provided details on affected hardware and progress of the patches and its effectiveness.

Vulnerability Assessment and Penetration Testing

Implying the importance of Vulnerability Assessment and Penetration Testing in an organization, the team discussed its goals and processes of conducting a security assessment.

It was also discussed on how to identify the meltdown and spectre vulnerability in our computers and the steps on how to prevent attacks to these vulnerabilities.

Break in Case of Emergency - Blue Team Breach Response Strategies: Following the Attacker’s Footsteps

After the weaponization of vulnerabilities and executing the payload, breach response was discussed.

It was explained that the adversarial setting in cyber security is that an attacker’s only goal is to compromise a single employee or machine to perform his motives while a defender must protect each and every one of the employees and machines of the company. It was also pointed out that we focus too heavily on keeping bad guys out that once they get in, we fail miserably and not in an easily detectable fashion.

The importance of understanding the sequence of events of an attack was explained to be able to properly correlate logs and determine the attacker entry point and activities.

But incident response has its own challenges as the responders must sit through millions of events that are cluttered by normal events and valid transactions to cut it down to a few log events to properly investigate the incident. Another problem is the preservation of evidences as people usually panic when breaches happen and tamper or destroy artifacts that is needed for an investigation.

A glimpse of a proper procedure during an incident response has been discussed with sample artifacts to be collected depending on the scenario. Additional processes like live response and tools that could help in an investigation have tackled throughout the speaking slot ending with concerns:

• How would your executives react if an investigation to a breach took days instead of hours?

• Would your forensic analyst waste precious effort and time in a forensic investigation if critical information is missing to reconstruct the attack/validate data exfiltration like packet loss?

• Are you concerned with a continuous CAPEX investment in full packet capture as your Enterprise grows?