Wednesday, May 14, 2014

Video of Bejtlich at Cyber Crime Conference 2014

On Tuesday the 29th of April I delivered a keynote at the US Cyber Crime Conference in Leesburg, VA.

The video is online, although getting to it is more complicated than clicking on a link to YouTube.

Here's what I did to access the video.

First, visit this link for a "SabreCity" account. Fill in your "information" and click Register.

You will then see a rude message saying "Registration for this conference is now closed."

That's no problem. From the same browser now visit this link to go to the SabreCity "lobby."

Click the "On Demand" button on the right side of the screen. Now you can access all of the videos from the conference.

Mine is called "State of the Hack: 2014 M-Trends - Beyond the Breach." Click the green arrow to the left of the title to start the video.

You may also be interested in several of the other speakers listed. Thank you to Jim Christy and his team for organizing the conference, inviting me to speak, and for providing these videos for free online.

Update: You might want to know what I discuss. For the first part of the talk I summarize three key findings from the 2014 M-Trends Report. In the second part I discuss strategic security using a Civil War example, then turn to a network security monitoring example. In the final minutes I answer audience questions.

Saturday, May 03, 2014

Brainwashed by The Cult of the Quick

Faster is better! Those of us with military backgrounds learned that speed is a "weapon" unto itself, a factor which is "inherently decisive" in military conflict. The benefit of speed was so ingrained into my Air Force training that I didn't recognize I had been brainwashed by what Dr. Thomas Hughes rightly identified as The Cult of the Quick.

Dr. Hughes published his article of this title in the Winter 2001 issue of the Aerospace Power Journal. His main point is the following:

At a time when the American military has global commitments arrayed at variable threats, both real and potential, the Pentagon’s single-minded view of speed leaves the nation’s defenders poorly prepared for the range of military opposition and enemies they may face.

Although Dr. Hughes wrote his article in 2001, his prescription is as accurate as ever. I found his integration of Edward Luttwak's point very telling:

In the 1990s, the quest for swift war, replete with exit strategies and premature cease-fires, has led to less, not more, decisive war, as Edward Luttwak argues. For him, wars nowadays rarely “run their natural course” to “burn themselves out and establish the preconditions for a lasting settlement.” Instead, they “become endemic conflicts that never end because the transformative effects of both decisive victory and exhaustion are blocked.” The present struggle against terrorism may well prove an acid test for Luttwak’s point.

These points resonated with me because they reflected what I am learning about the US Civil War. Scott, Grant and Lincoln knew that a quick, early strike against Richmond, whereby the Union seized the capital of the Confederacy, would not decisively end the Civil War and bring the rebels back to the Union. Sad as it may seem, the rebels had to believe that there was no further point in fighting the war. If Richmond had fallen in 1861, only months after the attack on Fort Sumter, it's likely the Confederacy would have transferred its capital and kept fighting. Following the advice of the "cult of the quick" would have been a poor strategy during the Civil War. (That doesn't necessarily justify fighting a four-year conflict, but I believe a strategy of quickly capturing Richmond to the exclusion of other objectives would have resulted in Civil War 2, and so on, similar to World War II.)

On the cyber side, the article reminded me of an area where speed is often paramount: detection and response. However, I remembered that my guidance on "fast" containment has always integrated one exception, as I noted on page 199 of my newest book, The Practice of Network Security Monitoring:

The speed with which a CIRT and constituent take containment actions is the subject of hot debate in the security world. Some argue for fast containment in order to limit risk; others argue for slower containment, providing more time to learn about an adversary. The best answer is to contain incidents as quickly as possible, as long as the CIRT can scope the incident to the best of its capability.

Scoping the incident means understanding the intruder’s reach. Is he limited to interacting with only the one computer identified thus far? Does he control more computers, or even the entire network by virtue of exploitation of the Active Directory domain controllers?

The speed with which a CIRT can make the containment decision is one of the primary ways to measure its maturity. If the CIRT regularly learns of the presence of advanced (or even routine) threats via notification by external parties, then rapid containment is less likely to be effective. A CIRT that cannot find intrusions within its own environment is not likely to be able to rapidly scope an incident. “Pulling the plug” on the first identified victim will probably leave dozens, hundreds, or thousands of other victims online and available to the adversary.

On the other hand, if the CIRT develops its own threat intelligence, maintains pervasive visibility, and quickly finds intruders on its own, it is more likely to be able to scope an incident in a minimum amount of time. CIRTs with that sort of capability should establish the intruder’s reach as rapidly as possible, and then just as quickly contain the victim(s) to limit the adversary’s options. (emphasis added)
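Scoping the intruder's reach before containment, as a constructed example added here (this is not code from the book or this post): it follows logon events outward in time from the first identified victim, then turns that reach into a containment set and flags when a domain controller is in scope. The host names, accounts and event records are made up.

```python
from collections import deque

# Constructed sample logon events: (timestamp, source_host, dest_host, account, kind).
# ISO-8601 timestamps compare correctly as strings, so no parsing is needed.
EVENTS = [
    ("2014-04-28T09:01", "WS-017", "FS-02", "jsmith", "smb_logon"),
    ("2014-04-28T09:05", "WS-017", "WS-044", "jsmith", "remote_logon"),
    ("2014-04-28T09:20", "WS-044", "DC-01", "svc_backup", "remote_logon"),
    ("2014-04-28T10:00", "WS-090", "FS-02", "mlee", "smb_logon"),
    ("2014-04-28T10:30", "DC-01", "WS-120", "svc_backup", "remote_logon"),
]
DOMAIN_CONTROLLERS = {"DC-01"}  # assumed asset inventory


def scope_incident(first_victim, events, start_time):
    """Estimate the intruder's reach: breadth-first over logons that leave a
    host already in scope, counting only events at or after the time that host
    was reached. Returns (hosts reached, accounts the intruder used)."""
    reached = {first_victim}
    accounts = set()
    queue = deque([(first_victim, start_time)])
    ordered = sorted(events)  # sorts by timestamp first
    while queue:
        host, since = queue.popleft()
        for ts, src, dst, acct, _kind in ordered:
            if src == host and ts >= since and dst not in reached:
                reached.add(dst)
                accounts.add(acct)
                queue.append((dst, ts))
    return reached, accounts


def containment_plan(reached, accounts):
    """Turn the scope into a containment set. If a domain controller is in
    scope, isolating the first victim alone leaves the adversary in control,
    so the plan marks the whole domain as compromised."""
    return {
        "isolate_hosts": sorted(reached),
        "reset_accounts": sorted(accounts),
        "domain_compromised": bool(reached & DOMAIN_CONTROLLERS),
    }


if __name__ == "__main__":
    hosts, accts = scope_incident("WS-017", EVENTS, "2014-04-28T09:00")
    print(containment_plan(hosts, accts))
```

WS-090 never appears in the containment set because its logon to FS-02 originates from a host the intruder never reached; the domain-controller hop from WS-044 is what turns a one-host cleanup into a domain-wide response.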

I highly recommend reading The Cult of the Quick. You may find you have also been brainwashed!

Gunfight picture credits: Popular Mechanics