Thursday, February 19, 2015

Elevating the Discussion on Security Incidents

I am not a fan of the way many media sources cite "statistics" on digital security incidents. I've noted before that any "statistic" using the terms "millions" or "billions" to describe "attacks" is probably worthless.

This week, two articles on security incidents caught my attention. First, I'd like to discuss the story at left, published 17 February in The Japan Times, titled Cyberattacks detected in Japan doubled to 25.7 billion in 2014. It included the following:

The number of computer attacks on government and other organizations detected in Japan doubled in 2014 from the previous year to a record 25.66 billion, a government agency said Tuesday.

The National Institute of Information and Communications Technology used around 240,000 sensors to detect cyberattacks...

Among countries to which perpetrators’ Internet Protocol addresses were traced, China accounted for the largest share at 40 percent, while South Korea, Russia and the United States also ranked high.

NICT launched a survey on cyberattacks in Japan in 2005, when the number of such incidents stood at around 310 million. The number rose to about 5.65 billion in 2010 and to 7.79 billion in 2012.

25.66 billion "computer attacks"? That seems ridiculous at first glance. Based on observations from "around 240,000 sensors," that's over 100,000 "attacks" per sensor per year, or nearly 300 per sensor per day. That still seems excessive, although getting closer to an order of magnitude that might make sense.

You might find the trend line more interesting, i.e., 310 million to 5.65 billion to 7.79 billion to 25.66 billion. However, it is important to adjust for increased visibility at each point. I doubt that 240,000 sensors were operating prior to 2014.

(On a secondary note, I'm not thrilled by the section saying that Chinese IP addresses accounted for 40% of the "attacks." While that may be a "fact," it doesn't say anything by itself that helps with attribution.)

Nevertheless, talking about individual "attacks," especially when counting them discretely, is outmoded thinking, in my opinion. "Attacks" could include anything from transmitting a TCP segment to a specific port, to attempting SQL injection on a Web site, to sending a phishing email.

If properly defined, "attacks" become somewhat interesting, but their value as indicators should extend beyond being simple atomic events.

I was much more encouraged by the second article, at right, published 18 February by Reuters, titled Lockheed sees double-digit growth in cyber business. It included the following:

[Chief Executive Officer Marillyn] Hewson told the company's annual media day that Lockheed had faced 50 "coordinated, sophisticated campaign" attacks by hackers in 2014 alone, and she expected those threats to continue growing.

The use of the term "campaign" is significant here. Campaign aligns with the operational level of war, between Tactics and Strategy. (Tactics are employed as actions at the individual battle or skirmish level, while Strategy describes matching ways and means to achieve specific ends. See my posts on strategy for more.)

Campaigns are sets of activities pursued over days, weeks, months, and even years to accomplish strategic and policy goals. The term campaign indicates purpose, applied over an extended period of time. When the LM CEO speaks in these terms, she shows that her security team is thinking at an advanced level, likely aligning campaigns with specific threat actors and motives.

When a CEO talks about 50 campaigns, she can have a more meaningful discussion with the executives and board. She can talk about threat actors behind the campaigns, what happened during each campaign, and how the team detected and responded to them. The term Campaign also matches well with business operations; think of "marketing campaigns," "sales campaigns," etc.

I would very much like to see security teams, officials, and others think and talk about campaigns in the future, and place statistics on "attacks" in proper context. Note that some threat researchers talk about campaigns when they write reports on adversary activity, so that is a good sign already.
