tag:blogger.com,1999:blog-40889792024-03-23T14:23:40.459-04:00TaoSecurity BlogRichard Bejtlich's blog on digital security, strategic thought, and military history.Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.comBlogger3082125tag:blogger.com,1999:blog-4088979.post-64450935709900246872023-06-25T15:02:00.001-04:002023-06-25T15:02:12.264-04:00My Last Email with W. Richard Stevens<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDkr-LfYlfSHJzZ6kB83fPh7UePTCeqBsFf7jRpQu_LowG597rxF6v-BaVRf3mggJB_HJrKsKvkptOeBcOx6mdXakZTIb3CdZEYBrf5XIras_7MAr8MLYtbUAvWT_4FrU7zIpK4jdSdYJV5S6gWRzwB0PSGD98IPcbvG3EMC4UeiawK2eDEFnq/s1319/cover.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1319" data-original-width="1042" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDkr-LfYlfSHJzZ6kB83fPh7UePTCeqBsFf7jRpQu_LowG597rxF6v-BaVRf3mggJB_HJrKsKvkptOeBcOx6mdXakZTIb3CdZEYBrf5XIras_7MAr8MLYtbUAvWT_4FrU7zIpK4jdSdYJV5S6gWRzwB0PSGD98IPcbvG3EMC4UeiawK2eDEFnq/w316-h400/cover.jpg" width="316" /></a></div><br /><p></p><p>In the fall of 1998 I joined the AFCERT. I became acquainted with the amazing book <i>TCP/IP Illustrated, Volume 1: The Protocols</i> by W. Richard Stevens. About a year later I exchanged emails with Mr. Stevens. 
Here is the last exchange, as forwarded from my AFCERT email address to my home email.</p><div style="text-align: left;"><div><span style="font-family: courier;">From "Capt Richard Bejtlich - Real Time Chief" Mon Sep 6 18:27:35 1999</span></div><div><span style="font-family: courier;">X-Mozilla-Keys: </span></div><div><span style="font-family: courier;">Received: from kinda.csap.af.mil (kinda.csap.af.mil [192.203.2.250])</span></div><div><span style="font-family: courier;"> by mw4.texas.net (2.4/2.4) with SMTP</span></div><div><span style="font-family: courier;"><span style="white-space: normal;"><span style="white-space: pre;"> </span> id RAA22116 for <bejtlich@texas.net>; Mon, 6 Sep 1999 17:27:38 -0500 (CDT)</span></span></div><div><span style="font-family: courier;">Received: by kinda.csap.af.mil (Smail3.1.29.1 #7)</span></div><div><span style="font-family: courier;"><span style="white-space: normal;"><span style="white-space: pre;"> </span>id m11O7Ee-000NcwC; Mon, 6 Sep 99 17:27 CDT</span></span></div><div><span style="font-family: courier;">Received: from walt.ip.af.mil(192.168.1.142) by kinda via smap (V1.3)</span></div><div><span style="font-family: courier;"><span style="white-space: normal;"><span style="white-space: pre;"> </span>id sma014865; Mon Sep 6 17:27:36 1999</span></span></div><div><span style="font-family: courier;">Received: from kinda.csap.af.mil by walt.ip.af.mil with smtp</span></div><div><span style="font-family: courier;"><span style="white-space: normal;"><span style="white-space: pre;"> </span>(Smail3.1.29.1 #6) id m11O7Ed-000VruC; Mon, 6 Sep 99 22:27 GMT</span></span></div><div><span style="font-family: courier;">Sender: bejtlich</span></div><div><span style="font-family: courier;">Message-ID: <37D43FD7.52CC675A@kinda.csap.af.mil></span></div><div><span style="font-family: courier;">Date: Mon, 06 Sep 1999 22:27:35 +0000</span></div><div><span style="font-family: courier;">From: Capt Richard Bejtlich - Real Time Chief 
</span></div><div><span style="font-family: courier;"> <richard.bejtlich@kinda.csap.af.mil></span></div><div><span style="font-family: courier;">Organization: AFCERT</span></div><div><span style="font-family: courier;">X-Mailer: Mozilla 4.6 [en] (X11; U; SunOS 5.6 sun4u)</span></div><div><span style="font-family: courier;">X-Accept-Language: en</span></div><div><span style="font-family: courier;">MIME-Version: 1.0</span></div><div><span style="font-family: courier;">To: bejtlich@texas.net</span></div><div><span style="font-family: courier;">Subject: [Fwd: Re: TCP/IP Illustrated Vol I 2nd ed?]</span></div><div><span style="font-family: courier;">Content-Transfer-Encoding: 7bit</span></div><div><span style="font-family: courier;">Content-Type: text/plain; charset=us-ascii</span></div><div><span style="font-family: courier;">X-UIDL: 7b89a44b661b28334c3553b3b92998bd</span></div><div><br /></div><div><span style="font-family: courier;">-------- Original Message --------</span></div><div><span style="font-family: courier;">From: rstevens@kohala.com (W. Richard Stevens)</span></div><div><span style="font-family: courier;">Subject: Re: TCP/IP Illustrated Vol I 2nd ed?</span></div><div><span style="font-family: courier;">To: Capt Richard Bejtlich - Real Time Chief</span></div><div><span style="font-family: courier;"><richard.bejtlich@kinda.csap.af.mil></span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">[In your message of Aug 18, 2:37pm you write:]</span></div><div><span style="font-family: courier;">> </span></div><div><span style="font-family: courier;">> Your books are excellent and everyone in my office relies upon them! 
</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">Many thanks.</span></div><div><span style="font-family: courier;"> </span></div><div><span style="font-family: courier;">> Do you plan on writing a second edition of TCP/IP Illustrated Vol 1 (The</span></div><div><span style="font-family: courier;">> Protocols)? I see you have written second editions of UNIX Network</span></div><div><span style="font-family: courier;">> Programming, and I'm wondering if the TCP/IP books are next.</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;">Actually, I am first working on a revision of my APUE book, then it</span></div><div><span style="font-family: courier;">will be time for TCP Vol. 1. I am hesitant to start on TCP Vol. 1</span></div><div><span style="font-family: courier;">too soon, given the "uncertain" status of IPv6 at the present. I keep</span></div><div><span style="font-family: courier;">hoping things will settle down with IPv6 and vendors will start shipping</span></div><div><span style="font-family: courier;">real implementations.</span></div><div><span style="font-family: courier;"><br /></span></div><div><span style="font-family: courier;"><span style="white-space: normal;"><span style="white-space: pre;"> </span>Rich Stevens</span></span></div><div><span style="font-family: courier;"><br /></span></div><div><a href="http://phrack.org/issues/55/4.html" target="_blank">Mr. Stevens died a couple weeks after this email in a car accident at the age of 48</a>. RIP Mr. 
Stevens and thank you for your work.</div></div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-33190501643667841922023-06-25T14:36:00.004-04:002023-06-25T14:36:50.963-04:00Bejtlich Skills and Interest Radar from July 2005<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiShGg3_sUHMi-dHF3xqlfdOfPo0IuA17SkJ_8hvmaZ5zjddDDr7Fghe6GhLAkShpfB0LnjgzZuv-cu69akyFE4PuXQs2Q0JQeeQbub4fqji0D3fXYeP7NqlrJYCDM1TNubOdHBgSaqebee8stt8mjmS4wkSQOF8gkC5HaPgrUJeOgtb1TU9smU/s3000/bejtlich_sair.ppt.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2250" data-original-width="3000" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiShGg3_sUHMi-dHF3xqlfdOfPo0IuA17SkJ_8hvmaZ5zjddDDr7Fghe6GhLAkShpfB0LnjgzZuv-cu69akyFE4PuXQs2Q0JQeeQbub4fqji0D3fXYeP7NqlrJYCDM1TNubOdHBgSaqebee8stt8mjmS4wkSQOF8gkC5HaPgrUJeOgtb1TU9smU/w640-h480/bejtlich_sair.ppt.jpg" width="640" /></a></div><br /><div>This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. 
At the time I was about to start consulting on my own, IIRC.</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-22375487731675126042023-06-25T12:23:00.002-04:002023-06-25T12:23:23.906-04:00Key Network Questions<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJfUey3be9pEMCVYML3MlBe_hqBQf975kYJkoW93oo_eOJTjoAecqJjqBPQ4U5w2PZLpdHKHNiCI7kkK3HCxXx8gDofwJsNI-6apqT7qiXle0SQOzD1XWg0FHZWGb9nsgp89l5jsarqhRP2yiZ4RC-FP35sZGKhjfEdlJqvtOxha7y2LRDuEBY/s475/sguil_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="475" height="363" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJfUey3be9pEMCVYML3MlBe_hqBQf975kYJkoW93oo_eOJTjoAecqJjqBPQ4U5w2PZLpdHKHNiCI7kkK3HCxXx8gDofwJsNI-6apqT7qiXle0SQOzD1XWg0FHZWGb9nsgp89l5jsarqhRP2yiZ4RC-FP35sZGKhjfEdlJqvtOxha7y2LRDuEBY/w400-h363/sguil_login.png" width="400" /></a></div><br /><p></p><p>I wrote this on 7 December 2018 but never published it until today. The following are the "key network questions" which "would answer many key questions about [a] network, without having to access a third party log repository. This data is derived from mining Zeek log data as it is created, rather than storing and querying Zeek logs in a third party repository."</p><p>This is how I was thinking about Zeek data in the second half of 2018.</p><div style="text-align: left;"><div>1. What networking technologies are in use, over user-specified intervals?</div><div> 1. Enumerate non-IP protocols (IPv6, unusual Ethertypes)</div><div> 2. Enumerate IPv4 and IPv6 protocols (TCP, UDP, ICMP, etc.)</div><div> 3. 
What is the local IP network topology/addressing scheme?</div><div><br /></div><div>2. What systems are providing core services to the network, over user-specified intervals?</div><div> 1. DHCP</div><div> 2. DNS</div><div> 3. NTP</div><div> 4. Domain Controller</div><div> 5. File sharing</div><div> 6. Default gateway (via DHCP inspection, other?)</div><div> 7. Web and cloud services</div><div><br /></div><div>3. What tunnel mechanisms are in use, over user-specified intervals?</div><div> 1. IPSec or other VPNs</div><div> 2. SOCKS proxy</div><div> 3. Web proxy (port 3128)</div><div> 4. Other proxy</div><div><br /></div><div>4. What access services are in use, over user-specified intervals?</div><div> 1. SSH</div><div> 2. Telnet</div><div> 3. RDP</div><div> 4. VNC</div><div> 5. SMB</div><div> 6. Other</div><div><br /></div><div>5. What file transfer services are in use, over user-specified intervals?</div><div> 1. SCP or other SSH-enabled file transfers</div><div> 2. FTP</div><div> 3. SMB</div><div> 4. NFS</div><div><br /></div><div>6. Encryption measurement, over user-specified intervals</div><div> 1. What encryption methods are in use?</div><div> 2. What percentage of network traffic over a user-specified interval is encrypted, and by which method?</div><div><br /></div><div>7. Bandwidth measurement, over user-specified intervals</div><div> 1. Aggregate</div><div> 2. By IP address</div><div> 3. By service</div><div><br /></div><div>8. Conversation tracking, over user-specified intervals</div><div> 1. Top N connection pairs</div><div> 2. Bottom N connection pairs</div><div><br /></div><div>9. Detection counts, over user-specified intervals</div><div> 1. Provide a counter of messages from Zeek weird.log</div><div> 2. Provide a counter of messages from other Zeek detection logs</div><div><br /></div><div>10. For each IP address (or possibly IP-MAC address pairing), over user-specified intervals, build a profile with the following:</div><div> 1. 
First seen, last seen</div><div> 2. Observed names via DNS, SMB, other</div><div> 3. Core services accessed and provided</div><div> 4. Tunnel mechanisms used and provided</div><div> 5. Access services used and provided</div><div> 6. File transfer services used and provided</div><div> 7. Encryption methods</div><div> 8. Bandwidth measurements</div><div> 9. Top N and bottom N conversation tracking</div><div> 10. Detection counts</div></div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-58476175310562905362023-06-25T12:17:00.003-04:002023-06-25T12:17:25.949-04:00 Cybersecurity Is a Social, Policy, and Wicked Problem<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyXJgtLzrlLrDoQct8HwAzlqThAvNocP4MAjtsVbnefHfpYZB8oc1yIDyWBUvqa43NAgHV-2SzCfkApO-ILDQQDv7-2qddkGZ2yAUZkQamBIx61ftA-0BoUZCtotix80TC9XhAy9vuausN0ukbkDPKfU4MpSpKglQYSl_rh_5UjBIT56vRE7HZ/s1523/capture_001_25062023_121658.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="881" data-original-width="1523" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyXJgtLzrlLrDoQct8HwAzlqThAvNocP4MAjtsVbnefHfpYZB8oc1yIDyWBUvqa43NAgHV-2SzCfkApO-ILDQQDv7-2qddkGZ2yAUZkQamBIx61ftA-0BoUZCtotix80TC9XhAy9vuausN0ukbkDPKfU4MpSpKglQYSl_rh_5UjBIT56vRE7HZ/w400-h231/capture_001_25062023_121658.jpg" width="400" /></a></div><br /><p>Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, <i>Dilemmas in a General Theory of Planning</i>, urban planners Horst W. J. Rittel and Melvin M. 
Webber described wicked problems in these terms:</p><p>“The search for scientific bases for confronting problems of social policy is bound to fail, because of the nature of these problems. They are ‘wicked’ problems, whereas science has developed to deal with ‘tame’ problems. Policy problems cannot be definitively described. Moreover, in a pluralistic society there is nothing like the undisputable public good; there is no objective definition of equity; policies that respond to social problems cannot be meaningfully correct or false; and it makes no sense to talk about ‘optimal solutions’ to social problems unless severe qualifications are imposed first. Even worse, there are no ‘solutions’ in the sense of definitive and objective answers.”</p><p>Other wicked problems include climate change, smuggling, and nuclear weaponry. </p><p>There is no “perfect new normal” because there is no “solution” for cybersecurity. </p><p>To quote Marcus Ranum from the September 2007 issue of <i>Information Security Magazine</i>: “Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.” </p><p>A report by the Australian government titled <i>Tackling Wicked Problems: A Public Policy Perspective</i> suggests that there are three strategies for mitigating wicked problems: authoritative, competitive, and collaborative. Similarly, cybersecurity will likely require some combination of all three.</p><p>In summary, my modest new normal is this: anyone commenting on cybersecurity will recognize that it is a wicked problem that cannot be “solved,” but it may be mitigated, over decades, using expertise and approaches from multiple disciplines, least among them technical acumen.</p><p>If pressed to provide a technical element of the new normal, I offer “building visibility in” as one tenet. 
Asset owners need to understand how their digital resources are used and abused, and anyone providing computing resources should include the logging and access needed to do so.</p><p>* I found this note dated 1 June 2020 on my hard drive and decided to publish it today.</p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-54730178584228078432023-06-25T12:13:00.001-04:002023-06-25T12:14:05.006-04:00Core Writing Word and Page Counts<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FzK0qaD8mB_Q08ngvDi34ZNakibbuFb5B4WZtfq3BZ8RK4fQqcWmLlNIERxkx050LBNWecTkhyKBbs5z7RaRWRLbgjBYel-Q_pGN7TX8KvntglyOHExggl_l5ETAK0dxbV_XqGN0EM59JNZpc2vOKmFXEEBPU4UMlG-tIjMiQGyhvhZm3R9J/s1500/books%201500x500%2020220406a.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1500" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FzK0qaD8mB_Q08ngvDi34ZNakibbuFb5B4WZtfq3BZ8RK4fQqcWmLlNIERxkx050LBNWecTkhyKBbs5z7RaRWRLbgjBYel-Q_pGN7TX8KvntglyOHExggl_l5ETAK0dxbV_XqGN0EM59JNZpc2vOKmFXEEBPU4UMlG-tIjMiQGyhvhZm3R9J/w640-h214/books%201500x500%2020220406a.jpg" width="640" /></a></div><br /><p>I want to make a note of the numbers of words and pages in my core security writings.</p><p></p><ul style="text-align: left;"><li>The Tao of Network Security Monitoring / 236k words / 833 pages</li><li>Extrusion Detection / 113k words / 417 pages</li><li>The Practice of Network Security Monitoring / 97k words / 380 pages</li><li>The Best of TaoSecurity Blog, Vol 1 / 84k words / 357 pages</li><li>The Best of TaoSecurity Blog, Vol 2 / 96k words / 429 pages</li><li>The Best of TaoSecurity Blog, Vol 3 / 89k words / 485 
pages</li><li>The Best of TaoSecurity Blog, Vol 4 / 96k words / 429 pages</li></ul><p></p><p>The total is 811k words and 3,330 pages.</p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-12881862538282878132023-01-08T10:00:00.001-05:002023-01-08T10:00:00.234-05:00Happy 20th Birthday TaoSecurity Blog<p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPQOwFB1iTSYU1oPRiQzEDfrD3njFcZ73mBseC8o-AP9o0ZOD---GHVGBDE8RduPa-r5sdWdYYV48_uFQVuSanKGvoi1wMPofbs8w0j3LFw6HF5yGD_WnxMD_V6K69l7ERr3fHUFahllSxeGTs9RKJ1CmUGbLYYmY1cjidnDWCt7p3v6Kmxg/s3000/taosecurity%20blog%202003-2023.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1100" data-original-width="3000" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPQOwFB1iTSYU1oPRiQzEDfrD3njFcZ73mBseC8o-AP9o0ZOD---GHVGBDE8RduPa-r5sdWdYYV48_uFQVuSanKGvoi1wMPofbs8w0j3LFw6HF5yGD_WnxMD_V6K69l7ERr3fHUFahllSxeGTs9RKJ1CmUGbLYYmY1cjidnDWCt7p3v6Kmxg/w640-h234/taosecurity%20blog%202003-2023.jpg" width="640" /></a></div><br /><p style="text-align: left;">Happy 20th birthday <a href="https://taosecurity.blogspot.com/">TaoSecurity Blog</a>, born on <a href="https://taosecurity.blogspot.com/2003/01/welcome-to-my-blog-main-new-content.html" target="_blank">8 January 2003</a>. </p><h2 style="text-align: left;">Thank you Blogger</h2><div><p></p><p style="text-align: left;"><a href="https://www.blogger.com/" target="_blank">Blogger</a> (now part of Google) has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. 
It's tough to find extant self-hosted security content that was born at the same time, or earlier. Bruce Schneier's <a href="https://www.schneier.com/" target="_blank">Schneier on Security</a> is the main one that comes to mind. If not for the wonderful <a href="https://archive.org/" target="_blank">Internet Archive</a>, many blogs from the early days would be lost.</p><h2 style="text-align: left;">Statistics</h2><p style="text-align: left;">In my <a href="https://taosecurity.blogspot.com/2018/01/happy-15th-birthday-taosecurity-blog.html" target="_blank">15 year post</a> I included some statistics, so here are a few, current as of the evening of 7 January:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCxcThtGMupoQEucIYaF1m2YRVp9vtCObwzOondALVDmUBhwWIGhLiBeEe_hK_BxbCtNKcA95cSMg3NoT4k79k3rco0BYVugwM9dMOoKLX7eSDqTMVMjTHegX0d0kkg6raamB_akd0qCeCKiJcYQH1XsqQt-V1kpoI2un2ymp_kLV0KCrDpw/s2533/capture_001_07012023_201618.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="555" data-original-width="2533" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCxcThtGMupoQEucIYaF1m2YRVp9vtCObwzOondALVDmUBhwWIGhLiBeEe_hK_BxbCtNKcA95cSMg3NoT4k79k3rco0BYVugwM9dMOoKLX7eSDqTMVMjTHegX0d0kkg6raamB_akd0qCeCKiJcYQH1XsqQt-V1kpoI2un2ymp_kLV0KCrDpw/w640-h140/capture_001_07012023_201618.jpg" width="640" /></a></div><p style="text-align: left;">I think it's cool to see almost 29 million "all time" views, but that's not the whole story.</p><p style="text-align: left;">Here are the so-called "all time" statistics:</p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCL5xPkqzGWyUhIwSKeDQ-O7C-i8wsJH7gOqMxBb5uYeeZfqd3bYoa9rbyWS1G7sOukQc0IHBJl8hC2X-IP__eTvYPIzqtXeWbev_juU1x6jfuCovFFBDhAqupBE-Mefo37hV4jHOF1B_1YEa4DlEoe-XulSyqCH-a5es7olM3olWgk4ZBBg/s2440/capture_002_07012023_201801.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="750" data-original-width="2440" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCL5xPkqzGWyUhIwSKeDQ-O7C-i8wsJH7gOqMxBb5uYeeZfqd3bYoa9rbyWS1G7sOukQc0IHBJl8hC2X-IP__eTvYPIzqtXeWbev_juU1x6jfuCovFFBDhAqupBE-Mefo37hV4jHOF1B_1YEa4DlEoe-XulSyqCH-a5es7olM3olWgk4ZBBg/w640-h196/capture_002_07012023_201801.jpg" width="640" /></a></div><br /><p style="text-align: left;">It turns out that Blogger only started capturing these numbers in January 2011. That means I've had almost 29 million views in the last 12 years. </p><p style="text-align: left;">I don't know what happened on 20 April 2022, when I had almost 1.5 million views.</p><h2 style="text-align: left;">Top Ten Posts Since January 2011</h2><p style="text-align: left;">Here are the top ten all time posts:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSBwNraUq0w3DZ5r8O3gIpo1MOE84ZCpA8WxtJb4mt_KNcXy0oSmMRfC8aV_L4U6UbG0LWqURCMdYAgBAdragJNlmy40J7wQ13kLxSGLxggD0WV4GLqNTWQQ5uA74PJXNFOnZnZvW7vngJeSOgBejtJZ4m5cvixqWx7so98V3bCsHjSIFu6Q/s2426/capture_003_07012023_202102.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1627" data-original-width="2426" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSBwNraUq0w3DZ5r8O3gIpo1MOE84ZCpA8WxtJb4mt_KNcXy0oSmMRfC8aV_L4U6UbG0LWqURCMdYAgBAdragJNlmy40J7wQ13kLxSGLxggD0WV4GLqNTWQQ5uA74PJXNFOnZnZvW7vngJeSOgBejtJZ4m5cvixqWx7so98V3bCsHjSIFu6Q/w640-h430/capture_003_07012023_202102.jpg" width="640" /></a></div><p
style="text-align: left;">I'm really pleased to see posts like <a href="https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html" target="_blank">Security and the One Percent: A Thought Exercise in Estimation and Consequences</a> and <a href="https://taosecurity.blogspot.com/2021/02/digital-offense-capabilities-are.html" target="_blank">Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem</a> in this list. We've had some discussion on these topics since I posted them in the fall of 2020, but not enough. The 99% continue to suffer at the hands of adversaries and those in the security 1% who ignore them.</p><h2 style="text-align: left;">The Monetization Experiment</h2><p style="text-align: left;">I ran an advertising experiment from April 2021 through December 2022. I "earned" $116.96 by February 2022 and $104.39 by December 2022. I don't have view numbers for that whole period, but for calendar year 2022 I attracted a little over 7.5 million views. You can see that I earned about 1.4 x 10^-5 dollars per view. I disabled ads at the end of December.</p><h2 style="text-align: left;">From Twitter to Mastodon</h2><p style="text-align: left;">One big change I can discern since my 15 year post is that I have now abandoned Twitter and migrated to Mastodon. You can find me at <a href="https://infosec.exchange/@taosecurity">infosec.exchange/@taosecurity</a>. My current Twitter follower count is about 59.7k, down from just over 60k. My current Mastodon follower count is 1.9k. I don't really care about followers, but I figured I would capture these numbers to see if there is any change in the next five years.</p><h2 style="text-align: left;">The Latest Books</h2><p style="text-align: left;">I spent the early years of the pandemic collecting my 3,000 or so favorite blog posts into a four volume set called <a href="https://amzn.to/3XdChgJ" target="_blank">The Best of TaoSecurity Blog</a>. 
I'm really pleased with these books, available via Amazon in print or digital format. They include original posts, but each receives commentary with modern thoughts on the original content. The fourth volume includes material not found in the blog, such as unpublished writings from my abandoned War Studies PhD program or Congressional testimonies.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDt2cOrQOJLBDsVfwR0fXlVDFRWihYt8JhzZ11JoNPYGkJ9pzS06WK-RKrLGstmUkDvmbxpxeQv2nhknN2n36jqvXjVUzzcvVTuvByn7voFlN8txab5fx3xmSmDLaNx8VsWLh1xoQUG5P60lN9KuG1ZtYkVu633_pkrqeJ4XkXEqO2QZTlBg/s1600/four%20books.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="595" data-original-width="1600" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDt2cOrQOJLBDsVfwR0fXlVDFRWihYt8JhzZ11JoNPYGkJ9pzS06WK-RKrLGstmUkDvmbxpxeQv2nhknN2n36jqvXjVUzzcvVTuvByn7voFlN8txab5fx3xmSmDLaNx8VsWLh1xoQUG5P60lN9KuG1ZtYkVu633_pkrqeJ4XkXEqO2QZTlBg/w640-h238/four%20books.jpg" width="640" /></a></div><p style="text-align: left;">It looks like Amazon is randomly running a promotion on volume 2 of <a href="https://amzn.to/3CUhur5" target="_blank">The Best of TaoSecurity Blog</a> while I am writing this post. The print edition is regularly $19.95, but it's currently priced at $7.89. I don't know how long it will last, but if you're interested please check it out. </p><p style="text-align: left;">I also co-wrote and published a book on stretching with a subject matter expert -- <a href="https://amzn.to/3Gn1u1r" target="_blank">Reach Your Goal: Stretching & Mobility Exercises for Fitness, Personal Training, & Martial Arts</a>. 
</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPuJrH7q06L9Cm_HLS5HgG3MZmDXiPTAmg31epFT4Ac486MMhnwSli__rUTlg9l7ZxJaS4sc4lIqSmbFn4Fpkj__Rb3OofL4Lm0V237wLxJppYBB8wy4zp4v9gJN7rG8HzZNrCh8dYqVJgt7kjBuZAwTTzrychQ-h2kbTqRo1rP605t3JKWw/s1360/61IAqWsOtKL.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1360" data-original-width="907" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPuJrH7q06L9Cm_HLS5HgG3MZmDXiPTAmg31epFT4Ac486MMhnwSli__rUTlg9l7ZxJaS4sc4lIqSmbFn4Fpkj__Rb3OofL4Lm0V237wLxJppYBB8wy4zp4v9gJN7rG8HzZNrCh8dYqVJgt7kjBuZAwTTzrychQ-h2kbTqRo1rP605t3JKWw/w266-h400/61IAqWsOtKL.jpg" width="266" /></a></div><br /><p style="text-align: left;">Thanks to ARB for taking the excellent photos!</p><h2 style="text-align: left;">Enter Corelight</h2><p style="text-align: left;">I have been <a href="https://taosecurity.blogspot.com/2018/09/twenty-years-of-network-security.html" target="_blank">working at Corelight since August 2018</a>. Our <a href="https://corelight.com/" target="_blank">Corelight</a> network security monitoring platform is really amazing and I suggest everyone check it out. We continue to have big plans for the future. </p><h2 style="text-align: left;">Zeek Communicator</h2><p style="text-align: left;">Since 2018 I have assumed the communications role for the <a href="https://zeek.org/" target="_blank">Zeek network security monitoring project</a>. 
Besides posting announcements to <a href="https://infosec.exchange/@zeek" target="_blank">Mastodon</a> and <a href="https://www.linkedin.com/company/80104000/" target="_blank">LinkedIn</a>, I also share interaction and admin duties for our <a href="https://join.slack.com/t/zeekorg/shared_invite/zt-1ev1nr7z4-rEVSsaIzYzFWpdgh2I6ZOg" target="_blank">Slack</a>, <a href="https://community.zeek.org/" target="_blank">Discourse</a>, and <a href="https://www.youtube.com/c/Zeekurity" target="_blank">YouTube</a> sites. I'm working with the leadership team on strategies for growing community size and involvement in 2023 and beyond.</p><h2 style="text-align: left;">Hobbies</h2><p style="text-align: left;">During the last five years, I earned a <a href="https://martialvitality.blogspot.com/2018/12/thoughts-on-my-krav-maga-global-g1-test.html" target="_blank">black belt equivalent in Krav Maga Global</a> (the system uses patches, not belts) and a <a href="https://martialvitality.blogspot.com/2019/10/passing-my-bjj-blue-belt-test.html" target="_blank">blue belt in Brazilian Jiu-Jitsu</a> (helping me to survive grappling with Jeremiah Grossman at the <a href="https://www.youtube.com/watch?v=1kdqEcn0lwM" target="_blank">2019 BJJ Smackdown during Black Hat</a>). I've <a href="https://martialvitality.blogspot.com/2022/12/retiring-from-martial-arts-for-now-at.html" target="_blank">retired from practicing martial arts</a>, for now at least. 
However, my <a href="https://martialhistoryteam.blogspot.com/" target="_blank">Martial History Team</a> project continues, with plans through June 2025.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL_CQ2D18Pu81BqXX_O4kQJqYcvUv_0OuCNoJ7-iCwvdSMvKsgKywDPybxaMBiE9FB-ACi7faQIAS7CpQOtQCMgUtkK25BER3vlW_9ZdQOQli9GiRmCk7BuhyLl1cL6GTDpIMrAeoFjvbswPiMuBn4zd9Pli6Jrqa6CXMjtvD1_V5o7-0JqA/s446/martial%20history%20team%20logo%20be%20devoted.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="344" data-original-width="446" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL_CQ2D18Pu81BqXX_O4kQJqYcvUv_0OuCNoJ7-iCwvdSMvKsgKywDPybxaMBiE9FB-ACi7faQIAS7CpQOtQCMgUtkK25BER3vlW_9ZdQOQli9GiRmCk7BuhyLl1cL6GTDpIMrAeoFjvbswPiMuBn4zd9Pli6Jrqa6CXMjtvD1_V5o7-0JqA/s320/martial%20history%20team%20logo%20be%20devoted.jpg" width="320" /></a></div><br /><p style="text-align: left;">I read a ton of books every month, but almost none have to do with technical security topics. My interests include US Civil War history, general military and nation state strategy, unidentified aerial phenomena, airpower, science, intelligence, and other topics. I have a strict monthly schedule and thus far have been able to stick to it for the last 16 months. I don't write reviews anymore, but I do write <a href="https://martialhistoryteam.blogspot.com/search/label/survey" target="_blank">surveys</a> for the martial arts books -- 36 so far.</p><p style="text-align: left;">Finally, in 2022 I returned to one of my childhood hobbies, first begun in the fall of 1982 -- tabletop roleplaying games. I've been informally studying science fiction RPGs since the beginning of last year, potentially to begin another PhD program. I think it would be interesting to research a history PhD involving science fiction RPGs. 
I don't say much publicly about this, although I do have a <a href="https://dice.camp/@scifittrpg" target="_blank">Mastodon account for Science Fiction TTRPGs</a>. I've also been playing in an online <i>Star Frontiers</i> campaign with a group scattered throughout the US. </p><p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXyXDBTPDWUXTkeoqnHxXBn6TxodeSabn9KI3SNF6fTcNnRruUGt05XqCTd1tA1neSbtKvfMz-MKzRMGchY6wyJWLitrWpCH_9WSIL-D-qCLXlIXQpoOjaTVAiKMGjfvl-up9hYJNtacdJpbxTqWPYMV3T5HFPKMOjCt1fcATMXP5QTj2eFQ/s1044/star%20frontiers%20modified%20elmore%20cover.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1044" data-original-width="978" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXyXDBTPDWUXTkeoqnHxXBn6TxodeSabn9KI3SNF6fTcNnRruUGt05XqCTd1tA1neSbtKvfMz-MKzRMGchY6wyJWLitrWpCH_9WSIL-D-qCLXlIXQpoOjaTVAiKMGjfvl-up9hYJNtacdJpbxTqWPYMV3T5HFPKMOjCt1fcATMXP5QTj2eFQ/s320/star%20frontiers%20modified%20elmore%20cover.jpg" width="300" /></a></div><i>SF</i> was the first RPG I ever played, so it was cool to return to playing on its 40th birthday in August 2022.<p></p><h2 style="text-align: left;">Conclusion</h2><p style="text-align: left;">As you might discern, I'm expressing myself in many different venues. As a result, I don't feel the need or desire to post here, at least not that often. In 2003, most of the platforms mentioned in this post didn't exist. Blogs were the hot new communication medium. Prior to that, security people published "white papers" in text form to sites like <a href="https://packetstormsecurity.com/" target="_blank">Packet Storm</a>! (Check out <a href="https://packetstormsecurity.com/search/?q=bejtlich" target="_blank">two of my entries here</a>. 
Those are the PDF versions.)</p><p style="text-align: left;">As far as security goes, I mostly care about the operational/campaign and higher levels of conflict, e.g.:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieprFI_cz9vypMa-9fP-cGZCfI5RvrQ_DyCuK4VF9dxRNPZ6xAlY525fKZIeNL99QFO_FcDYIkAqWcCOikLWtzetsydSBHcEp4ZK4bKmBEGAEf86FF6fYHrWP69dw0GlIgGQn9znbQw3k1E_8eNohPnBoPR78l7QMOLt-jAN8DIT0tEhH6CA/s1885/strategy%20levels.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1562" data-original-width="1885" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieprFI_cz9vypMa-9fP-cGZCfI5RvrQ_DyCuK4VF9dxRNPZ6xAlY525fKZIeNL99QFO_FcDYIkAqWcCOikLWtzetsydSBHcEp4ZK4bKmBEGAEf86FF6fYHrWP69dw0GlIgGQn9znbQw3k1E_8eNohPnBoPR78l7QMOLt-jAN8DIT0tEhH6CA/s320/strategy%20levels.jpg" width="320" /></a></div><br /><p style="text-align: left;">In my opinion, the tactics used by intruders and defenders, and even most of the tools, have not really changed in the last 10 years, and definitely not since 2018. The operations/campaigns and strategies used by both sides haven't really changed either. </p><p style="text-align: left;">There are a few exceptions, like <a href="https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor" target="_blank">the massive SolarWinds supply chain compromise Mandiant discovered and published in December 2020</a>. Ransomware has definitely ramped up to gross levels since 2018. However, there haven't been any game-changers as far as how offense and defense interact. </p><p style="text-align: left;">Sure, way more processing is done in the cloud, and just about everything is running a vulnerable computer. However, no one on the offensive or defensive sides has significantly innovated to alter the way the two parties interact. 
Until that changes, security for me is largely a less interesting, but still unsolved, wicked problem. </p><p>Thank you to everyone who has been part of this blog's journey since 2003!</p></div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-91606987095838127902022-11-20T09:30:00.001-05:002022-11-20T09:30:10.764-05:00Best of TaoSecurity Blog Kindle Edition Sale<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiml7ykclioceS_ZdMMAYlDwMMqmSp0H6-D4001LQaLvxBMvpeqt6O4VEHGzWa0cfGGHD6AudZhLxhT-eeVaqzKzR8RmK_Ue-OqSVUGD_n1-5R1SvmKwsXK-TB82J-6RAWLnOj7-baxh56H5LgvcYc_dgYIHEXD-fG6F53NBvRhsbEK_BQ5tQ/s1600/four%20books.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="595" data-original-width="1600" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiml7ykclioceS_ZdMMAYlDwMMqmSp0H6-D4001LQaLvxBMvpeqt6O4VEHGzWa0cfGGHD6AudZhLxhT-eeVaqzKzR8RmK_Ue-OqSVUGD_n1-5R1SvmKwsXK-TB82J-6RAWLnOj7-baxh56H5LgvcYc_dgYIHEXD-fG6F53NBvRhsbEK_BQ5tQ/w640-h238/four%20books.jpg" width="640" /></a></div><br /><p></p><p><span style="background-color: white; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", "Fira Sans", Ubuntu, Oxygen, "Oxygen Sans", Cantarell, "Droid Sans", "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Lucida Grande", Helvetica, Arial, sans-serif; font-size: 16px; white-space: pre-wrap;">I'm running a </span><span class="ql-hashtag" style="background-color: white; border: var(--artdeco-reset-base-border-zero); box-sizing: inherit; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, 
sans-serif;">#BlackFriday</span><span> </span><span class="ql-hashtag">#CyberMonday</span><span> sale on my four newest </span><span class="ql-hashtag">#Kindle</span><span> format books. Volumes 1-4 of The Best of TaoSecurity Blog will be half off starting 9 pm PT Tuesday 22 Nov and ending 9 pm PT Tuesday 29 Nov. 
They are <a href="http://amzn.to/3p7Z3qb" target="_blank">here</a>.</span><span> There also appears to be a <a href="https://amzn.to/3tJc64P" target="_blank">daily deal right now</a> for the paperback of Volume 2, 45% off at $8.96. </span></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-49386177033773351982022-11-18T15:35:00.002-05:002022-11-18T15:37:23.441-05:00TaoSecurity on Mastodon<div class="separator" style="clear: both;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: 
center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWYNbbeHWoCDS7MEvh5CYPBkkqpSueUx8Lq8ntRz_Rl4XY24nIyu7gczXMSOFUNNrMNS7RwTaDQrvNSuqfm4S90YkvXsRuptdQr0_lRKNDJ5OxWu1o0CpWii8Pkf5gxJcmZHwOwnfGwSjPW_FytZ3a5WVpMJoJQrmyL311R3d9taR3C1M6kw/s1696/capture_001_18112022_153542.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1696" data-original-width="1465" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWYNbbeHWoCDS7MEvh5CYPBkkqpSueUx8Lq8ntRz_Rl4XY24nIyu7gczXMSOFUNNrMNS7RwTaDQrvNSuqfm4S90YkvXsRuptdQr0_lRKNDJ5OxWu1o0CpWii8Pkf5gxJcmZHwOwnfGwSjPW_FytZ3a5WVpMJoJQrmyL311R3d9taR3C1M6kw/s320/capture_001_18112022_153542.jpg" width="276" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><br /><div>I am now using <a href="https://infosec.exchange/@taosecurity" rel="me">Mastodon</a> as a replacement for the blue bird. This is my attempt to verify myself via my blog. 
I am no longer posting to my old bird account.</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-23369597440004794262022-08-10T09:30:00.001-04:002022-08-10T09:30:00.245-04:00The Humble Hub<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEJb5O0HmEzUNCE1Eg7JqJrbRnrMBSymuwREiY6kdWz2RLj6-i87DOH0TTHsqGeTx3YfYHxhxe2MEdziN2sVyxT5cTA2b85G1wzNyKgRezUTBWuRbP3EgKijQ6bHcyiZKAOXRf_lJ_SNEIDnPLhPBXs3jycjO77V7ErTyWi6UlerI8TQ_1IA/s4032/IMG_5005.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3024" data-original-width="4032" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEJb5O0HmEzUNCE1Eg7JqJrbRnrMBSymuwREiY6kdWz2RLj6-i87DOH0TTHsqGeTx3YfYHxhxe2MEdziN2sVyxT5cTA2b85G1wzNyKgRezUTBWuRbP3EgKijQ6bHcyiZKAOXRf_lJ_SNEIDnPLhPBXs3jycjO77V7ErTyWi6UlerI8TQ_1IA/w640-h480/IMG_5005.jpg" width="640" /></a></div><br /> <p></p><p>Over the weekend I organized some old computing equipment. I found this beauty in one of my boxes. It's a <a href="https://www.netgear.com/support/product/EN104TP.aspx" target="_blank">Netgear EN104TP hub</a>. I've mentioned this device before, in this blog and my books. This sort of device was the last of the true hubs. In an age where cables seem reserved for data centers or industrial facilities, and wireless rules the home and office, this hub is a relic of days gone past.</p><p>To give you a sense of how old this device is, the Netgear documentation (still online -- well done) offers a PDF created in August 1998. (Again, well done Netgear, not mucking about with the timestamps.) I'm not sure how old my specific device is. 
Seeing as I started working in the AFCERT in the fall of 1998, I could see this hub being easily over 20 years old. </p><p>A hub is a network device that accepts traffic from its ports and repeats the traffic to all other ports. This is different from a switch, which maintains a table identifying which MAC addresses are in use on which ports. Before building this CAM (content addressable memory, IIRC) table, traffic to a new, previously unseen MAC address will appear on all ports save the sender.</p><p>This is a "true hub" because all of the ports are 10 Mbps. Yes, that is 100 times "slower" than the Gigabit ports on modern devices, if they have Ethernet ports at all. Starting with 10/100 Mbps devices, they all became switches. I never encountered a 100 Mbps "hub." Every device I ever had hands on was a 10/100 Mbps switch. That meant you were unlikely to see traffic on all ports when using a 10/100 Mbps device or even a 100 Mbps device (which I never saw anyway). There were no Gigabit (1000 Mbps) hubs built. I don't think the specification even supports it.</p><p>These little boxes were network monitoring enablers. If you wanted to learn, or troubleshoot, or possibly even add monitoring to a production network, you could connect an upstream cable, a downstream cable, and a monitoring cable to the hub. The upstream could be a router and the downstream might be a firewall, and the monitoring would be your NSM server. If you were looking at traffic between two individual computers and needed visibility for an NSM laptop, you would plug all three into the hub, and plug your Internet upstream into the fourth port.</p><p>I haven't needed this device in years, but I plan to keep it as a physical artifact of a time long past. 
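</p><p>As an added illustration of the hub-versus-switch difference described above (my own example, not the author's code or anything from Netgear), the simulation below pushes a constructed three-way handshake and an ARP broadcast through a four-port hub and a four-port learning switch, with an NSM sensor listening on port 3; the port numbers, MAC addresses and traffic are assumptions.</p>

```python
from dataclasses import dataclass

# Added illustration of the hub-versus-switch behaviour described in the post.
# Port numbers, MAC addresses and the traffic below are all constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str          # source MAC address
    dst: str          # destination MAC address
    label: str = ""   # human-readable tag, used only when reporting results


class Hub:
    """A true hub: a frame arriving on one port is repeated to every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, ingress, frame):
        return [p for p in self.ports if p != ingress]


class LearningSwitch:
    """A switch with a CAM table mapping MAC -> port.

    The source MAC of every frame is learned on its ingress port. A frame is
    then sent only to the port where its destination was learned. If the
    destination is unknown, or is the broadcast address, the frame is flooded
    to all ports except the one it arrived on, exactly as a hub would do.
    """

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # MAC -> port

    def forward(self, ingress, frame):
        self.cam[frame.src] = ingress          # learning happens on every frame
        egress = self.cam.get(frame.dst)
        if frame.dst == BROADCAST or egress is None:
            return [p for p in self.ports if p != ingress]   # flood
        if egress == ingress:
            return []                          # destination is on the same port: filter
        return [egress]


def frames_seen_by(device, monitor_port, traffic):
    """Push (ingress_port, frame) pairs through a device and return the labels
    of the frames that reach monitor_port, which only listens and never sends."""
    seen = []
    for ingress, frame in traffic:
        if monitor_port in device.forward(ingress, frame):
            seen.append(frame.label)
    return seen


# Constructed topology: port 1 = router (upstream), port 2 = firewall
# (downstream), port 3 = NSM sensor, port 4 = unused.
ROUTER, FIREWALL = "00:00:00:00:00:01", "00:00:00:00:00:02"
PORTS = [1, 2, 3, 4]
MONITOR_PORT = 3

TRAFFIC = [
    (1, Frame(ROUTER, FIREWALL, "syn")),             # firewall MAC not yet learned
    (2, Frame(FIREWALL, ROUTER, "syn-ack")),         # router MAC already learned
    (1, Frame(ROUTER, FIREWALL, "ack")),             # both MACs now in the CAM table
    (2, Frame(FIREWALL, BROADCAST, "arp-who-has")),  # broadcast is always flooded
]


def demo():
    """Return (what the sensor sees on a hub, what it sees on a switch)."""
    on_hub = frames_seen_by(Hub(PORTS), MONITOR_PORT, TRAFFIC)
    on_switch = frames_seen_by(LearningSwitch(PORTS), MONITOR_PORT, TRAFFIC)
    return on_hub, on_switch


if __name__ == "__main__":
    hub_view, switch_view = demo()
    print("hub sensor sees:   ", hub_view)     # every frame
    print("switch sensor sees:", switch_view)  # only the flooded ones
```

On the hub the sensor sees all four frames; on the switch it sees only the first SYN (flooded because the firewall's MAC was unknown) and the broadcast, which is why a switch port gives a passive sensor almost nothing without a SPAN or tap.
<p>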
At least this one still powers on, unlike my first computer, a Timex Sinclair ZX-80.</p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-89741978572329777742021-07-29T14:34:00.003-04:002021-07-29T14:34:54.661-04:00Zeek in Action Videos<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcWFyS3aGQrT6UiiiBbLkOiUs5W_Y9cYMLeH2Z7KkzzqINSWjFIEG8inSUNbYNGTjF7dcEUOOOkK7DzHQXcNMY3Nhl1PIFsdZZeJOH7bzRzpQMUdez5M7_g3t_xyygra49FBKK/s2048/capture_001_29072021_143006.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1150" data-original-width="2048" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcWFyS3aGQrT6UiiiBbLkOiUs5W_Y9cYMLeH2Z7KkzzqINSWjFIEG8inSUNbYNGTjF7dcEUOOOkK7DzHQXcNMY3Nhl1PIFsdZZeJOH7bzRzpQMUdez5M7_g3t_xyygra49FBKK/w640-h360/capture_001_29072021_143006.jpg" width="640" /></a></div><br />This is a quick note to point blog readers to my <a href="https://www.youtube.com/playlist?list=PL2EYTX8UVCMitvFQeWxILfR0cTAhaWz9w" target="_blank">Zeek in Action YouTube video series</a> for the <a href="https://www.zeek.org" target="_blank">Zeek network security monitoring project</a>. <p></p><p>Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on. </p><p>I am especially pleased with <a href="https://www.youtube.com/watch?v=sZgYmie-DpY" target="_blank">Video 6 on monitoring wireless networks</a>. It took me several weeks to research material for this video. 
I had to buy new hardware and experiment with a Linux distro that I had not used before -- <a href="https://www.parrotsec.org/" target="_blank">Parrot</a>. </p><p>Please like and subscribe, and let me know if there is a topic you think might make a good video.</p><p><br /></p><p><br /></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-47755929156360692242021-04-13T11:00:00.039-04:002021-04-13T11:00:00.323-04:00New Book! The Best of TaoSecurity Blog, Volume 4<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe6YF9WJiKp0uULA6gH7y4zgy_L4W5xkOUmCV3fENBessbRL3bdnf6xy2y-uWNS1ScWWzyQ5qBL56XVyeknUtWhFk29Ol6pGst3H78RCAT2c53h7VCq4bU00BGhRhXRygZs8kZ/s2048/The+Best+of+TaoSecurity+Blog%252C+Volume+4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe6YF9WJiKp0uULA6gH7y4zgy_L4W5xkOUmCV3fENBessbRL3bdnf6xy2y-uWNS1ScWWzyQ5qBL56XVyeknUtWhFk29Ol6pGst3H78RCAT2c53h7VCq4bU00BGhRhXRygZs8kZ/w400-h640/The+Best+of+TaoSecurity+Blog%252C+Volume+4.jpg" width="400" /></a></div><br /><p>I've completed the <a href="https://amzn.to/326esgx" target="_blank">TaoSecurity Blog book series</a>.</p><p>The new book is <a href="https://amzn.to/3mFnIlb" target="_blank">The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship</a>. </p><p>It's available now for <a href="https://amzn.to/3mFnIlb" target="_blank">Kindle</a>, and I'm working on the print edition. </p><p>I'm running a <a href="https://amzn.to/326esgx" target="_blank">50% off promo on Volumes 1-3 on Kindle</a> through midnight 20 April. 
Take advantage before the prices go back up.</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBFOkOt5oLvgIRMCUSKT_qv9gjAL64a1HW2qDVj2I-clDOm9pErAqhWBL0_9NsH3Xeim2c1qCpTLzSEs6gC5d_VOz4qKd9gW5Sa82R5m24xd8vEtPRhThnAeAZ8WD94kYWfgid/s1689/capture_001_12042021_190617.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="628" data-original-width="1689" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBFOkOt5oLvgIRMCUSKT_qv9gjAL64a1HW2qDVj2I-clDOm9pErAqhWBL0_9NsH3Xeim2c1qCpTLzSEs6gC5d_VOz4qKd9gW5Sa82R5m24xd8vEtPRhThnAeAZ8WD94kYWfgid/w640-h238/capture_001_12042021_190617.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><br /><p>I described the new title thus:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p>Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich.</p><p>In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material. </p><p>In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives.</p><p>Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or policy audiences. It features posts from other blogs or news outlets, as well as some of his written testimony from eleven Congressional hearings. For the first time, Mr. Bejtlich publishes documents that he wrote as part of his abandoned war studies PhD program. 
This last batch of content was only available to his advisor, Dr. Thomas Rid, and his review committee at King's College London.</p><p>Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.</p></blockquote><p>This will likely be my final collection of writings. I've discovered some documents that may be of interest to historians, so I may contribute those to a <a href="https://nsarchive.gwu.edu/briefing-book/cyber-vault/2019-06-29/joint-task-force-computer-network-defense-20-years-later" target="_blank">national security archive like my friend Jay Healey did a few years ago</a>.</p><p>The only other work I might do for these four volumes is to record Audible editions. That would take a while, but I'm thinking about it.</p><div><br /></div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-61674151723180467152021-04-01T14:00:00.009-04:002021-04-02T19:40:52.650-04:00The Origins of the Names TaoSecurity and the Unit Formerly Known as TAO<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-EleJG47pVAW7r8jr75B4gvQgtWqVMF-gIySvxgCh9nRh1dtHNjAzru-ugwV5HZ4Rv6PbwIeky9bHTVI0jfy7HzR4oAteerDpNHFIaD-HVlP38AsvZk_TjrH9-c0sFMEsnBR8/s4206/taosecurity_high_r.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="748" data-original-width="4206" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-EleJG47pVAW7r8jr75B4gvQgtWqVMF-gIySvxgCh9nRh1dtHNjAzru-ugwV5HZ4Rv6PbwIeky9bHTVI0jfy7HzR4oAteerDpNHFIaD-HVlP38AsvZk_TjrH9-c0sFMEsnBR8/w640-h114/taosecurity_high_r.jpg" 
width="640" /></a></div><br /><p></p><p>What are the origins of the names TaoSecurity and the unit formerly known as TAO? </p><h2 style="text-align: left;">Introduction</h2><p>I've been reading Nicole Perlroth's new book <a href="https://amzn.to/3wbWNlc" target="_blank">This Is How They Tell Me the World Ends</a>. Her discussion of the group formerly known as Tailored Access Operations, or TAO, reminded me of a controversy that arose in the 2000s. I had heard through back channels that some members of that group were upset that I was operating using the name TaoSecurity. In the 2000s and early 2010s I taught classes under the TaoSecurity brand, and even ran TaoSecurity as a single-person consultancy from 2005-2007. </p><p>The purpose of this post is to explain why, how, and when I chose the TaoSecurity identity, and to show that it is contemporaneous with the formal naming of the TAO group. The most reliable accounts indicate TaoSecurity predates the TAO brand.</p><h2 style="text-align: left;">TaoSecurity Began with Kung Fu and Taoism</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTFyzPF-tjgjo8iQ1ZutC_S0E2D9Sqr-CN3DkV1u5os3XqP_HEVh2YEF7pCH2Z3lAVvdf5ShBRGv_5oaF-GLf-3SfNI7ciyFC0EorFtyk3WJ2KUGPclr7o2Lf8CInmQ9VdazmT/s1095/martialarts-rich-sifu-21jun1996.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="925" data-original-width="1095" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTFyzPF-tjgjo8iQ1ZutC_S0E2D9Sqr-CN3DkV1u5os3XqP_HEVh2YEF7pCH2Z3lAVvdf5ShBRGv_5oaF-GLf-3SfNI7ciyFC0EorFtyk3WJ2KUGPclr7o2Lf8CInmQ9VdazmT/w400-h338/martialarts-rich-sifu-21jun1996.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">With Sifu Michael Macaris, 21 June 
1996</td></tr></tbody></table><br /><p>In the summer of 1994, after graduating from the Air Force Academy and before beginning my graduate program at what is now called the Harvard Kennedy School, I started watching re-runs of the <a href="https://sourcingbrucelee.blogspot.com/2019/05/the-truth-about-creation-of-kung-fu-tv.html" target="_blank">1970s David Carradine Kung Fu TV series, created by Ed Spielman</a>. I was so motivated by the philosophical message of the program that I joined a kung fu school in Massachusetts. I trained there for two years, and studied what I could about Chinese history and culture. I learned that the show was based on Taoism (<a href="https://youtu.be/rkT0tR5WVF0?t=57" target="_blank">for example</a>), so I bought a copy of the <a href="https://terebess.hu/english/tao/_index.html" target="_blank">Tao Te Ching by Lao Tzu</a> and devoured it. </p><h2 style="text-align: left;">Visiting China</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcLwrLbdYMt3IqTQPDPAywf4qS1WsqwGpXGUuho5GW0_Riq5Sh71kwo2EdbWK5__Kjjjn1KRQbrpryi3iluym6iVNVyoFYHN2I3ruO-X5qEGyMD1sI4U6HN3uekrxyvxf9rSvE/s2048/tai+chi.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1648" data-original-width="2048" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcLwrLbdYMt3IqTQPDPAywf4qS1WsqwGpXGUuho5GW0_Riq5Sh71kwo2EdbWK5__Kjjjn1KRQbrpryi3iluym6iVNVyoFYHN2I3ruO-X5qEGyMD1sI4U6HN3uekrxyvxf9rSvE/w400-h323/tai+chi.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Tai Chi on the Yangtze, May 1999</td></tr></tbody></table><br /><p>In the spring of 1999 my wife and I took a three-week trip to China for our honeymoon. 
We were both interested in Chinese culture so it seemed like a great opportunity. It was an amazing trip, despite the fact that we were in China when the <a href="https://www.bbc.com/news/world-europe-48134881" target="_blank">United States bombed the Chinese embassy in Belgrade</a>. </p><p>I include these details to show that I was quite the fan of Chinese culture, well before any formal cyber threat intelligence reports associated me with China. I read books on Taoism and embraced its concepts.</p><h2 style="text-align: left;">Creating TaoSecurity</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHw_l0kNr8cq45XRYWIMu94BXxqt2mH_3XmqhReffTvAqiS22BhyAdvDf-X4KBigGYczNTX4d5DKV8ycn4XDl0cRH61WGwmZ5BazYEN6nCvBVWv751sXMxeoguQJuCE6K3b5fG/s798/capture_001_01042021_111146.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="205" data-original-width="798" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHw_l0kNr8cq45XRYWIMu94BXxqt2mH_3XmqhReffTvAqiS22BhyAdvDf-X4KBigGYczNTX4d5DKV8ycn4XDl0cRH61WGwmZ5BazYEN6nCvBVWv751sXMxeoguQJuCE6K3b5fG/w400-h103/capture_001_01042021_111146.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">WHOIS lookup for taosecurity.com</td></tr></tbody></table><br /><p>In the summer of 2000 I was a captain at the Air Force Computer Emergency Response Team, within the 33rd Information Operations Squadron. I decided I wanted to try creating a Web presence, so I registered the TaoSecurity domain name on 4 July 2000. The WHOIS record above shows 3 July, which is odd, because a <a href="https://taosecurity.blogspot.com/2019/07/happy-birthday-taosecuritycom.html">previous post on the topic captured the correct date of 4 July 2000</a>. 
I also coined the phrase "the way of digital security."</p><p>My wife commissioned an artist to design the TaoSecurity logo, which I have used continuously since then. At the time I had never heard of TAO. There was a good reason for that. TAO was just being born as well.</p><h2 style="text-align: left;">General Hayden on Creating TAO</h2><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMDwt6Ij7IJ2PpQ3-w8XfZ8B0ocmNPgIjCgXexnihwzhZI0D-z4ZOoCKDSehtkV8JZcl5gKumB5QyuLAefTuGJAFMFq0vRwjukPVYuCPpeSklYmuIjL83cnS_JkOVvNzWtXDpT/s1499/cover.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1499" data-original-width="986" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMDwt6Ij7IJ2PpQ3-w8XfZ8B0ocmNPgIjCgXexnihwzhZI0D-z4ZOoCKDSehtkV8JZcl5gKumB5QyuLAefTuGJAFMFq0vRwjukPVYuCPpeSklYmuIjL83cnS_JkOVvNzWtXDpT/s320/cover.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><i>Playing to the Edge</i> by General Michael Hayden</td></tr></tbody></table><br /><div>The first public source on the history of TAO appeared in a <a href="https://web.archive.org/web/20130616121605/http://www.foreignpolicy.com/articles/2013/06/10/inside_the_nsa_s_ultra_secret_china_hacking_group?page=full" target="_blank">2013 story for Foreign Policy by Matthew M. Aid</a>. He claimed that the agency created TAO in 1997. While it is possible that members of what would later be named TAO were working a similar mission in 1997, his story requires details that I add next.</div><p>A succinct source on the origins of the unit previously known as the TAO is the 18 October 2018 article by Steven Loleski. 
He wrote a piece called <a href="https://www.tandfonline.com/doi/full/10.1080/02684527.2018.1532627" target="_blank">From cold to cyber warriors: the origins and expansion of NSA’s Tailored Access Operations (TAO) to Shadow Brokers</a> (<a href="https://canvas.tufts.edu/files/1299545/download?download_frd=1" target="_blank">PDF</a>). Mr. Loleski cited General Michael Hayden's 2016 book <a href="https://amzn.to/3rBtV2o" target="_blank">Playing to the Edge</a>, which I quote more extensively here:</p><p>"<b>In the last days of 2000</b>, as we were rewiring the entire agency’s organizational chart (see chapter 2), we set up an enterprise called TAO, Tailored Access Operations, in the newly formed SIGINT Directorate (SID). We had toyed with some boutique end-point efforts before, but this was different. This was going to be industrial strength...And, even in a period of generalized growth, TAO became the fastest-growing part of NSA post-9/11, bar none."</p><p>Seeing as General Hayden was in charge of NSA at the time, that would seem to make it clear that TaoSecurity preceded TAO by several months, at least.</p><p>I also looked for details in the 2016 book <a href="https://amzn.to/3dtVFRk" target="_blank">Dark Territory: The Secret History of Cyber War</a> by Fred Kaplan. I've enjoyed several of his previous books, and he interviewed and cited me for the text.</p><p>Mr. Kaplan explained how General Michael Hayden, <a href="https://www.af.mil/About-Us/Biographies/Display/Article/104763/general-michael-v-hayden/" target="_blank">NSA director from March 1999 to April 2005</a>, named the unit, as part of a general reorganization effort. Thanks to <a href="https://cryptome.org/nsa-reorg-id.htm" target="_blank">Cryptome and FOIA requests by </a><i><a href="https://cryptome.org/nsa-reorg-id.htm" target="_blank">Inside Defense</a> </i>we can read the October 1999 report recommending organizational changes. 
That reorganization was the genesis for creating TAO.</p><h2 style="text-align: left;">Kaplan on Creating TAO</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw-0n3nMz-KupQ-blyep3oZIPUtYfyyqrd1TqP_7epDipqA8siQauQPGZTKvVtBABVzdtzLCpax6NcgIvc5jub3vuEYdF8M3sT1N3xpbW1zFfv8Pzms8b6lHfmXnAqgeWTWRL6/s1392/naming+tao.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1165" data-original-width="1392" height="335" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw-0n3nMz-KupQ-blyep3oZIPUtYfyyqrd1TqP_7epDipqA8siQauQPGZTKvVtBABVzdtzLCpax6NcgIvc5jub3vuEYdF8M3sT1N3xpbW1zFfv8Pzms8b6lHfmXnAqgeWTWRL6/w400-h335/naming+tao.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">External Team Report Recommended Organization, 22 October 1999, Cryptome</td></tr></tbody></table><br /><p>This document, titled <a href="https://cryptome.org/nsa-reorg-et.htm" target="_blank">EXTERNAL TEAM REPORT: A Management Review for the Director, NSA, October 22, 1999</a>, mentions the need to reorganize the "Signals Intelligence Mission (SIM)" into "three offices, Global Response, <b>Tailored Access</b> and Global Network." The <a href="https://cryptome.org/nsa-reorg-id.htm" target="_blank">October 2000 public news story by Inside Defense about the reorganization</a> implies that it did not happen overnight. </p><p>Mr. Kaplan notes that General Hayden initiated his "One Hundred Days of Change" program on 15 November 1999. A three-day server crash in January 2000 hampered reform efforts, prompting big changes in NSA approaches to computing. However, TAO was eventually operating some time in 2000. Mr. 
Kaplan notes the following in his book:</p><p>"It began, even under his expansion, as a small outfit: a few dozen computer programmers who had to pass an absurdly difficult exam to get in. The organization soon grew into an elite corps as secretive and walled off from the rest of the NSA as the NSA was from the rest of the defense establishment. Located in a separate wing of Fort Meade, <b>it was the subject of whispered rumors, but little solid knowledge, even among those with otherwise high security clearances...</b></p><p>Early on, TAO hacked into computers in fairly simple ways: phishing for passwords (one such program tried out every word in the dictionary, along with variations and numbers, in a fraction of a second) or sending emails with alluring attachments, which would download malware when opened. </p><p>Once, some analysts from the Pentagon’s Joint Task Force-Computer Network Operations were invited to Fort Meade for a look at TAO’s bag of tricks. The analysts laughed: this wasn’t much different from the software they’d seen at the latest DEF CON Hacking Conference; some of it seemed to be repackaged versions of the same software. Gradually, though, the TAO teams sharpened their skills and their arsenal."</p><p>It's clear from this passage that TAO started as a small unit that conducted less exotic operations. It was difficult to join, but a far cry from the powerhouse it would soon become. It's also clear that knowledge of this organization was tightly controlled. 
Even the term "tailored access" was not associated publicly with NSA until the October 2000 reporting by Inside Defense, reproduced by Cryptome.</p><h2 style="text-align: left;">Minihan's Role</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuYLJZVe0bO2zU6jyuAI8v985KOwD0aUQiAaku4PAnenPH29s0A43AX8qNtv_cuWFT2qQ4AIWBnkw44G6yZMUbQTQ9L_cX-UGEgNd5B5q086wNBLp9_3p0Q8GkUZsNP7Rm6WCF/s2000/cover.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="2000" data-original-width="1325" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuYLJZVe0bO2zU6jyuAI8v985KOwD0aUQiAaku4PAnenPH29s0A43AX8qNtv_cuWFT2qQ4AIWBnkw44G6yZMUbQTQ9L_cX-UGEgNd5B5q086wNBLp9_3p0Q8GkUZsNP7Rm6WCF/s320/cover.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><i>Dark Territory</i> by Fred Kaplan</td></tr></tbody></table><br /><p>Circling back to the mention of 1997 in Mr. Aid's article, we do find the following in Mr. Kaplan's reporting:</p><p>"Fort Meade’s would be the third box on the new SIGINT organizational chart—“tailored access.”</p><p>[Lt Gen Kenneth] <a href="https://www.af.mil/About-Us/Biographies/Display/Article/106229/lieutenant-general-kenneth-a-minihan/" target="_blank">Minihan</a> [NSA director 1996-1999] had coined the phrase. During his tenure as director, he pooled a couple dozen of the most creative SIGINT operators into their own corner on the main floor and gave them that mission. 
What CIA black-bag operatives had long been doing in the physical world, the tailored access crew would now do in cyberspace, sometimes in tandem with the black-baggers, if the latter were needed—as they had been in Belgrade—to install some device on a crucial piece of hardware.</p><p>The setup transformed the concept of signals intelligence, the NSA’s stock in trade. SIGINT had long been defined as passively collecting stray electrons in the ether; now, it would also involve actively breaking and entering into digital machines and networks.</p><p>Minihan had wanted to expand the tailored access shop into an A Group of the digital era, but he ran out of time. When Hayden launched his reorganization, he took the baton and turned it into a distinct, elite organization—the Office of Tailored Access Operations, or TAO."</p><p>This reporting indicates that there was a tailored access group operating at NSA prior to General Hayden, but it was not actually named "TAO" and was not as large or exotic as what was to come.</p><h2 style="text-align: left;">Conclusion</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTEfKk2t_m7yVb7_0qJUfTxAXNpAYvvqKGtgW6gJKFg_gWiKgUccgxYWEUp4uCbPOia6MBOjfoB1TK8oXr5EmfNuko6nYuG94BexNE2_i4ifWxw_GOgU7dVO19lnTfgaBJYPKZ/s158/tao+inside.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="145" data-original-width="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTEfKk2t_m7yVb7_0qJUfTxAXNpAYvvqKGtgW6gJKFg_gWiKgUccgxYWEUp4uCbPOia6MBOjfoB1TK8oXr5EmfNuko6nYuG94BexNE2_i4ifWxw_GOgU7dVO19lnTfgaBJYPKZ/s0/tao+inside.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">"Tao inside," TAO's play on the Intel Inside marketing campaign</td></tr></tbody></table><br /><p>To summarize, General 
Hayden assigned the name TAO to a group inside NSA in late 2000, months after I registered the TaoSecurity domain name. Although General Minihan had created a tailored access group during his tenure, the existence of that team, as well as what was later formally called TAO, was a closely held secret. The term "tailored access" did not appear in public until Inside Defense's reporting of October 2000. </p><p>Although I worked in the unit (Air Intelligence Agency) that served as the cryptologic service group for NSA (the Air Force contribution to the agency), I was not aware of any tailored access teams when I chose TaoSecurity as the name for my repository of security ideas. I selected TaoSecurity to reflect my interest in Taoism, and it had nothing to do with TAO or the NSA.</p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div><p><b>Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem</b></p><p>Richard Bejtlich, 18 February 2021</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieojMt2-mGz6uSJ2Ut-IWk0pV_vqhkUJVjal_JZqUXrOyc_Zc7dOl6iUIpAMGqxaM1m7Y1mhAjDZu3LcleMYweEZyHwi7A2DoLOlrd-QWsHDr6Z-VeWVhohMMFUdGckyb5l4mQ/s800/scales+color.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="710" data-original-width="800" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieojMt2-mGz6uSJ2Ut-IWk0pV_vqhkUJVjal_JZqUXrOyc_Zc7dOl6iUIpAMGqxaM1m7Y1mhAjDZu3LcleMYweEZyHwi7A2DoLOlrd-QWsHDr6Z-VeWVhohMMFUdGckyb5l4mQ/s320/scales+color.jpg" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;"><br /></div><h1 
style="text-align: left;"><b>Proposition</b></h1><div style="text-align: left;">Digital offense capabilities are currently net negative for the security ecosystem.[0]</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The costs of improved digital offense currently outweigh the benefits. The legitimate benefits of digital offense accrue primarily to the <a href="https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html" target="_blank">security one percent</a> (<a href="https://twitter.com/hashtag/securityonepercent" target="_blank">#securityonepercent</a>), and to intelligence, military, and law enforcement agencies. The derived defensive benefits depend on the nature of the defender. The entire security ecosystem bears the costs, and in some cases even those who see tangible benefit may suffer costs exceeding those benefits.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">The Reason</h1><div style="text-align: left;">Limitations of scaling are the reason why digital offense capabilities are currently net negative.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Consider the case of an actor developing a digital offense capability, and publishing it to the general public. </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>From the target side, limitations on scaling prevent complete mitigation or remediation of the vulnerability.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">The situation is much different from the offense perspective.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>Any actor may leverage the offense capability against any Internet-connected target on the planet. 
</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">The actor can scale that capability across the entire range of vulnerable or exposed targets.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">The Three</h1><div style="text-align: left;">Only three sets of actors can possibly leverage an offense capability for defensive purposes.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">First, the <b>organization responsible for developing and maintaining the vulnerable or exposed asset</b> can determine if there is a remedy for the new offense capability. (This is typically a "vendor," but could be a noncommercial entity. As a shorthand, I will use "vendor.") The vendor can try to develop and deploy a patch or mitigation method.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Second, <b>major consumers</b> of the vulnerable or exposed asset can take similar steps, usually by implementing the vendor's patch or mitigation.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Third, the <b>security one percent</b> can take some defensive measures, either by implementing the vendor's patch or mitigation, or by developing and acting upon detection and response processes.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The combination of the actions by these three sets of actors will not completely remediate the digital offense capability. 
The gap can be small, or it can be exceptionally large, hence the net negative cost to the digital ecosystem.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">The Insight</h1><div style="text-align: left;">From the intruder side, few or no limitations on scaling mean the intruder can leverage the digital offense capability against all vulnerable targets.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">This is the key insight that makes digital offense capabilities net negative for the entire security ecosystem:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>Offensive scale is superior to defensive scale.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Stated differently:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">An intruder actor can leverage an offense capability against any vulnerable target.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Few (if any) defenders can leverage a derived defense capability against all vulnerable targets.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div>Those who object to this argument are likely one of the three actors.</div></div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Objections: Vendors</h1><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors may have the strongest case for being able to scale defense, depending on the nature of the vendor's offering.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors who provide software or other capabilities that require customer action for updates are in the weakest position. 
If customers do not update, they remain vulnerable.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors who mandate automatic updating are in a stronger position. Customers receive the update, with the effectiveness of the update mechanism being the major limitation.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors who operate "as a service" offerings, such as the major cloud and email providers, are in the strongest position. They can silently improve their offering without user involvement. They can scale defense across their service as they more or less completely control it.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Objections: Major Consumers</h1><div style="text-align: left;"><br /></div><div style="text-align: left;">Major consumers may operate with or without the involvement or action of vendors. When the major consumer is operating an on-premises instance, for example, they can be in a position to implement a mitigation or remediation. Such major consumers have teams that qualify them as being in the security one percent, so in some ways this double-counts the defensive benefit.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Some major consumers may remain vulnerable, however, regardless of their relative size or nature. The SolarWinds case has shown that organizations with multi-billion-dollar information technology budgets can be as helpless as those outside the security one percent.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Objections: The Security One Percent</h1><div style="text-align: left;">The security one percent is likely to voice the loudest objections. 
The security one percent are individuals working in entities with the budget to fund a blue (defense) team, and probably a red (offense) team.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">As mentioned in a <a href="https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html" target="_blank">previous blog post</a>, the security one percent can use offensive tools to equip their red or penetration testing teams. Those teams, nonexistent outside the security one percent, can work with or against blue teams to determine if countermeasures are effective. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">The security one percent is generally oblivious to their privilege. I was personally not aware of this mindset until the rise of ransomware in 2018-2020. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">The exceptions are two-fold. One group that is aware of their privilege comes from "the other side of the tracks." They worked for an entity without a security team, perhaps in a non-IT role, or a non-security role. Another exception involves people who volunteer or consult with entities outside the security one percent. They see the gap between their own capabilities and those they are trying to help. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">One portion of the security one percent is particularly critical: those who rely upon offense for their income, or enjoy it as a hobby. They reject any sentiment or policy prescription that threatens their livelihood or enjoyment, regardless of the larger societal cost. 
Addressing the concerns of this group requires a separate blog post.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Summary</h1><div style="text-align: left;">The difference in the capabilities of the <b>vendor/major consumer/security one percent triad</b> and the rest of the security ecosystem is the result of <b>defense failing to scale as effectively as offense</b>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">When an actor publicly releases a digital offensive capability, especially in the form of working code, generally any threat actor can leverage that capability against any vulnerable target.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The inverse is not true. Any defensive capability, derived from the offensive capability, can generally <b>not </b>be leveraged to protect any vulnerable target. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Free or open source tools, training, or knowledge are helpful, but they require deployment, tuning, comprehension, commitment, and a host of other capabilities that do not scale as effectively as offensive code. While using offensive code has a learning and operational curve, it is nowhere near as steep as that facing defenders.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The strongest and most helpful exception is found in vendors who offer "as a service" capabilities. They can independently and comprehensively improve their security posture with little to no involvement from the vulnerable population. (An exception, for example, is offering, but not mandating, multi-factor authentication. 
Only by adopting MFA does the population improve its security.)</div><h1 style="text-align: left;">Conclusion</h1><div style="text-align: left;">The summary yields three conclusions:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">1.<b> Limiting the availability of digital offense capabilities</b>, such that they are not public and within the reach of any threat actor, will likely limit offensive options for intruders, thereby increasing their operational costs to research, develop, deploy, and maintain offensive tools.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">2. <b>Increasing the use and reliance upon "as a service" offerings</b> will likely improve the security of the ecosystem, as defensive measures can be scaled across the entire vulnerable population.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">3. The rise of "as a service" offerings will likely <b>drive intruders to target those offerings directly</b>, rather than the independent assets distributed across the ecosystem.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">There are no "solutions" in digital security -- only trade-offs.[1] </div><div style="text-align: left;"><br /></div><div style="text-align: left;">I am cautiously optimistic that some combination of the first two conclusions would offset the rise of the third conclusion, generating a net positive improvement in digital security. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Too many in the digital world have treated security as a technical problem with technical solutions. While technical matters play a role, the centrality of the digital ecosystem means that it should be treated as a public policy concern. 
That strategy is at least two decades overdue.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Please direct comments on this post to <a href="https://twitter.com/taosecurity" target="_blank">Twitter</a>.</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Endnotes</h2><div style="text-align: left;">[0] I'm very confident this argument holds for <b>public digital offense capabilities</b>. After publishing this post I realized I assumed this perspective but did not make it explicit. Hence, this note.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">[1] I derive this phrase from one of my public policy professors, Philip D. Zelikow, who noted that there are no solutions in public policy -- only trade-offs. </div><p>Richard Bejtlich, 9 November 2020</p>New Book! 
The Best of TaoSecurity Blog, Volume 3 <div style="text-align: left;"> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEink7sGrsG0BZEQtwyeRFpy4AUsmvkuRYDSBzRSDEXrgLnRcWYVWtmW8g8GfMAAHCtM6xWIkg2wD0jqYiisVahyLsKjFMjYwrLe1dEcfZpN4mcMk9jyqJTDe1d3Elw-rJvz8v3j/s2048/The+Best+of+TaoSecurity+Blog%252C+Volume+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEink7sGrsG0BZEQtwyeRFpy4AUsmvkuRYDSBzRSDEXrgLnRcWYVWtmW8g8GfMAAHCtM6xWIkg2wD0jqYiisVahyLsKjFMjYwrLe1dEcfZpN4mcMk9jyqJTDe1d3Elw-rJvz8v3j/w400-h640/The+Best+of+TaoSecurity+Blog%252C+Volume+3.png" width="400" /></a></div><br /></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Introduction </h3><div style="text-align: left;"><br /></div><div style="text-align: left;">I published a new book!</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div><a href="https://amzn.to/3578myH" target="_blank">The Best of TaoSecurity Blog, Volume 3: Current Events, Law, Wise People, History, and Appendices</a> is the third title in the <a href="https://amzn.to/3p7Z3qb">TaoSecurity Blog series</a>. </div><div><br /></div><div>It's in the <a href="https://amzn.to/3578myH" target="_blank">Kindle Store</a>, and if you have an Unlimited account, it's free. </div></div><div style="text-align: left;"><br /></div><div style="text-align: left;">I also published a <a href="https://amzn.to/3lbnNeQ" target="_blank">print edition</a>, which is 485 pages. 
</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Book Description</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">The book features the following description on the back cover:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div>Since 2003, cybersecurity author Richard Bejtlich has been publishing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 stories and approximately one million words, he has selected and republished the very best entries from 17 years of writing, along with commentaries and additional material. </div><div><br /></div><div>In the third volume of the TaoSecurity Blog series, Mr. Bejtlich addresses the evolution of his security mindset, influenced by current events and advice from his so-called set of "wise people." He talks about why speed is not the key to John Boyd's OODA loop, and why security strategies designed for and by the "security 1%" may be irrelevant at best, or harmful at worst, for the remaining "99%". His history section explores the origins of the terms threat hunting and indicators of compromise, and reveals who really created the quote "there are two types of companies." His chapter on law highlights traps that might catch security teams, with advice to chief information security officers.</div><div><br /></div><div>This volume contains some of Mr. Bejtlich’s favorite posts, such as Marcus Ranum's answer to what happens when security teams confront professionals, or how the Internet continues to function despite constant challenges, or reactions to comments by Dan Geer, Bruce Schneier, Marty Roesch, and other security leaders. Mr. Bejtlich has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right. 
Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.</div><div><br /></div></div><h3 style="text-align: left;">Writing the Series</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">Although I had written and self-published a <a href="https://amzn.to/36dDR9H" target="_blank">book in early 2019</a>, I had used <a href="https://www.blurb.com/b/9204875-reach-your-goal-collector-s-edition" target="_blank">Blurb</a> and stayed in print format. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">For this new project, I wanted to publish "reflowable" (not print replica) Kindle editions, along with print versions, through Amazon. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">I started the project in September 2019 by labelling 300 or so out of the 3,050 blog posts as candidates for inclusion in a "best of" book. I quickly realized that "only" 300 posts, plus new material and commentary, would result in a very large project, so I decided to break it into three volumes.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I created twelve categories and began sorting and commenting on the posts in March 2020. 
I decided to assign four categories to each volume, with an "appendices" category for the last volume if necessary.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I chose the 5.5 inch by 8.5 inch "statement" print size since it was supported by Google Docs and was a standard print size for Amazon.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Eventually I selected almost 375 posts for the book and began the real work!</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I published <a href="https://amzn.to/2GFNXat" target="_blank">volume 1</a> in May 2020. The <a href="https://amzn.to/3paOEKg" target="_blank">print edition</a> features 85,030 words in 357 pages, or about 238 words per page. </div><div style="text-align: left;"><div><br /></div><div>I published <a href="https://amzn.to/36fnTMe" target="_blank">volume 2</a> in September 2020. The <a href="https://amzn.to/2UjskQJ" target="_blank">print edition</a> features 96,288 words in 429 pages, or about 224 words per page.</div><div><br /></div><div>Now, <a href="https://amzn.to/369jZEo" target="_blank">volume 3</a> has arrived in November 2020. 
The <a href="https://amzn.to/3n8LODF" target="_blank">print edition</a> features 90,190 words in 485 pages, or about 185 words per page.</div><div><br /></div><div>In total, the project resulted in 271,508 words over 1,271 pages, or about 214 words per page.</div></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">What's Next?</h3><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ2uOTnN4sKWdhpqYWAO5lSNxq87twXrBELYSGm5ni6giFjP4uKRtMe9NhKQgT9yoP7utxXm8msj4w5A0wOC-Q-ykUuOJ4gX5XbYNd86XvPKKZVyzBvywQERlosM_QQOgiRU94/s2048/Beyond+TaoSecurity+Blog%252C+Volume+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ2uOTnN4sKWdhpqYWAO5lSNxq87twXrBELYSGm5ni6giFjP4uKRtMe9NhKQgT9yoP7utxXm8msj4w5A0wOC-Q-ykUuOJ4gX5XbYNd86XvPKKZVyzBvywQERlosM_QQOgiRU94/w250-h400/Beyond+TaoSecurity+Blog%252C+Volume+1.png" width="250" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;">Originally I wanted to add a few items outside TaoSecurity Blog to the third volume, in a section called "Appendices." As I discovered and collected this material, I realized that adding it would essentially double the size of the third volume. As it was over 400 pages at that time, I decided I would save most of this material for another project.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">That other project is <b>Beyond TaoSecurity Blog, Volume 1: Columns, Papers, PhD Work, and Testimonies. </b>At the moment, I believe I have a handle on what to include in that title. 
I don't expect to have a volume 2, but I thought it best to give this a volume number as I may have more material to publish in the future.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">My goal is to publish this "Beyond" book during the next few weeks -- perhaps during or after Thanksgiving. </div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Conclusion</h3><div><br /></div><div>I wrote this series of books because I fear that this blog has become too unwieldy for its own good. Revisiting 17 years of posts, adding commentaries, and collecting related material has helped me better understand my own journey in security. The new "Beyond" book reaches a bit farther past the three blog volumes and includes material never before published, primarily from my abandoned PhD effort. I'll have more to say when I publish that book before the end of the year.</div><div><br /></div><div>If you've read any of the books in the <a href="https://amzn.to/3p7Z3qb">TaoSecurity Blog series</a>, I would greatly appreciate a positive review! Thank you.</div><p><b>Security and the One Percent: A Thought Exercise in Estimation and Consequences</b></p><p>Richard Bejtlich, 31 October 2020</p><div style="text-align: left;">There's a good chance that if you're reading this post, you're a member of an exclusive club. I call it the security one percent, or the <b>security 1% </b>or <a href="https://twitter.com/search?q=%23securityonepercent" target="_blank">#securityonepercent</a> on Twitter. 
This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with detection and response capabilities and not just planning and resistance/"prevention" functions. </div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Introduction </h3><div style="text-align: left;"><br /></div><div style="text-align: left;">This post will estimate the size of the security 1% in the United States. It will then briefly explain how the security strategies of the 1% might be irrelevant at best or damaging at worst to the 99%.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">A First Cut with FIRST</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">It's difficult to measure the size of the security 1%, but not impossible. My goal is to ascertain the correct orders of magnitude. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">One method is to review entities who are members of the <a href="https://www.first.org/members/teams/" target="_blank">Forum of Incident Response and Security Teams, or FIRST</a>. FIRST is an organization to which high-performing computer incident response teams (CIRTs) may apply once their processes and data handling meet standards set by FIRST. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">I learned of FIRST when the AFCERT was a member in the late 1990s. I also assisted with FIRST duties when Foundstone was a member in the early 2000s. I helped or sponsored membership when I worked at General Electric in the 2000s and Mandiant in the 2010s. 
I encourage all capable security teams to join FIRST.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Being a FIRST member means having a certain degree of incident response and data handling capability, and it signals to the world and to other FIRST teams that the member entity is serious about incident detection and response.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">As of the writing of this post, there are 540 FIRST teams worldwide. Slightly more than 100 of them are based in the United States. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">To put that in perspective, there are less than 4,000 publicly traded companies in the US. That means that <b>even if every single US FIRST member represented a publicly traded company</b> -- and that is not the case -- <b>FIRST representation for US publicly traded companies is only 2.5%</b>. </div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Beyond FIRST</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">Some of you might claim FIRST membership is no big deal. My current employer, Corelight, isn't a member, you might say. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Perhaps you could argue that for every US FIRST member, there are 9 others which have equivalent or better security teams. That would increase the cadre of entities with respectable detection and response capabilities from 100 to 1,000. That would still mean an <b>estimate that says 75% of publicly traded US companies have sub-par or non-existent security programs.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Remember that we've only been talking about a population of 4,000 publicly traded US companies. 
The US Small Business and Entrepreneurship Council estimates that there were <b>5.6 million employer firms in the United States in 2016.</b> Let's sadly reduce that to 4 million to account for the devastation of Covid. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">(This reduction actually makes the situation look better for security, as terrible as it is either way. In other words, if I used a denominator of 5.6 million and not 4 million, security estimates would be 40% worse.)</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW9ZzRb_4PYWKGx6XjdN9gzCl3XyKYoeBcjLD0GsqcSb8J5IeiaokeKUtjRU0EnTeZx_ee2oZBhnY5iyhy0qBKGljFb4lqs1nJEbiD0Lre8pwznGIhwqHZr1nGiBSDuEj9O_3C/s2043/capture_004_31102020_150603.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1033" data-original-width="2043" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW9ZzRb_4PYWKGx6XjdN9gzCl3XyKYoeBcjLD0GsqcSb8J5IeiaokeKUtjRU0EnTeZx_ee2oZBhnY5iyhy0qBKGljFb4lqs1nJEbiD0Lre8pwznGIhwqHZr1nGiBSDuEj9O_3C/w400-h203/capture_004_31102020_150603.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">Small Business and Entrepreneurship Council</span></td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">Let's be really generous and assume that only 1 in 100 of those 4 million businesses have any sensitive data. (That's again very generous.) </div><div style="text-align: left;"><br /></div><div style="text-align: left;">That leaves us with 400,000 entities with data worth defending. 
(Again, all of these estimates make it look like we're doing better than we actually are. The reality is probably a lot worse.)</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Remember that we only had 100 US teams in FIRST, and we assumed an incredible 10-to-1 ratio to add another 900 non-FIRST organizations to the list of entities with decent security.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Now let's be generous again and assume a 4-to-1 ratio, such that for every 1 team in the publicly traded world there are 3 in the private world that also have decent security.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>This creates a total of 4,000 US organizations with decent security, out of 400,000 that need it. Those 4,000 are the security 1%.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">If you think of the "best of the best," there's probably only about <b>40 US security teams that qualify as global leaders and innovators</b>. These are the teams that can stand toe-to-toe with most foes, and still struggle due to the nature of the security challenge. You and I could probably name them: Lockheed Martin, Google, General Electric, etc.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">That group of 40 is the 1% of the 1%, being 40 of the 4,000 of the 400,000. <b>These 40 are the US .01%.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">If you think I'm being too conservative with only 40 teams, then feel free to increase it to 400. I'd be really curious to see someone compile a list of 400 world-beating security teams. 
That would still mean <b>that US group of 400 is the .1%.</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><h3 style="text-align: left;">Sanity Check: A Few Statistics</h3></div><div style="text-align: left;"><br /></div><div style="text-align: left;">To give you a sense of my numbers, and whether they are of the right order of magnitude at least, here are a few statistics:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">1. The 2020 <i>Accenture Security Third Annual State of Cyber Resilience Report</i> featured responses from 4,644 "executives." This is the same order of magnitude as my estimates here, diluted due to a global perspective. (In other words, there are actually fewer US executives responding to this survey due to the global respondent pool.)</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo7KLXXLhtfHFijq0CEAyLC0ASNSkbOTLQdY604irZqww7N5YGDBS2O5J8874DU88Hir-wgNThNu8o7A5q2Fdi6iJ9GBlZRGKmPsZUDzA9JBBv_KTc4L9vEtq6zjBKMBWNcYOr/s2048/capture_001_31102020_143246.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1152" data-original-width="2048" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo7KLXXLhtfHFijq0CEAyLC0ASNSkbOTLQdY604irZqww7N5YGDBS2O5J8874DU88Hir-wgNThNu8o7A5q2Fdi6iJ9GBlZRGKmPsZUDzA9JBBv_KTc4L9vEtq6zjBKMBWNcYOr/w400-h225/capture_001_31102020_143246.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">2020 <i>Accenture Security Third Annual State of Cyber Resilience Report</i>, p 46</span></td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div 
style="text-align: left;">2. The 2021 <i>PWC Global Digital Trust Insights Report</i> featured responses from "3,249 business and technology executives around the world." This is again the same order of magnitude, again diluted due to global responses.</div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjySXe0s8u8tgH89RupDPGnMuGZRsNrKiAQO9-U2Obdj9YcZ_lk4jdhe03h2AXiXOMfCnTesLBIvfwH9hSa2STf3ciqiR1G5cXxU0QBJa4GUyNufuLtJtd_m4o_beY3ln4WZmR0/s1651/capture_003_31102020_144757.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="341" data-original-width="1651" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjySXe0s8u8tgH89RupDPGnMuGZRsNrKiAQO9-U2Obdj9YcZ_lk4jdhe03h2AXiXOMfCnTesLBIvfwH9hSa2STf3ciqiR1G5cXxU0QBJa4GUyNufuLtJtd_m4o_beY3ln4WZmR0/w400-h83/capture_003_31102020_144757.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">2021 <i>PWC Global Digital Trust Insights Report</i>, Web summary</span></td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">3. A 2019 report by Bitglass found that 38% of the Fortune 500 do not have a CISO. That's 190 publicly traded companies! Hopefully it's less in 2020. 
Let's be crazy and assume the CISO count is 400 out of 500?</div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL8gsrEUHGUGAuyiHvxriDmJIPRLJDKF05WcA30R4T8Tt4byMUY48tW3-7irRxV_ItLKoFIJQstfjQnMapGpnyTUugdX7pPn3kl5N7WCH3DwkuPvLz1sYbmanl8nt4fm_XKfRK/s650/bitglass-ciso-092019.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="367" data-original-width="650" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgL8gsrEUHGUGAuyiHvxriDmJIPRLJDKF05WcA30R4T8Tt4byMUY48tW3-7irRxV_ItLKoFIJQstfjQnMapGpnyTUugdX7pPn3kl5N7WCH3DwkuPvLz1sYbmanl8nt4fm_XKfRK/w400-h226/bitglass-ciso-092019.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2019 Bitglass Report</td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">4. The Verizon <i>DBIR</i> featured reporting from 81 entities, the highest number in the history of the report. I do not know how many are in the US, but it's obviously less than 100, so the order of magnitude is again preserved. In other words, of the 4,000 capable security organizations in the US, less than 2.5% of them contributed to the <i>DBIR</i>. 
That would be less than 100, or the number of US FIRST teams.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfY0VPKSOdfWWsq42n0b-xjEk_fOjahyOO9mwpoLsw5aaFF3_LKtK3cWC_hA12H_QbJJDUb2TJ0sCLwQdWlKirwbNJ5M4Ax2qSlWkGLjOJt_mkpJcatlQkaX_PohZwbyjp9FBx/s2809/capture_002_31102020_144516.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="612" data-original-width="2809" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfY0VPKSOdfWWsq42n0b-xjEk_fOjahyOO9mwpoLsw5aaFF3_LKtK3cWC_hA12H_QbJJDUb2TJ0sCLwQdWlKirwbNJ5M4Ax2qSlWkGLjOJt_mkpJcatlQkaX_PohZwbyjp9FBx/s320/capture_002_31102020_144516.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2020 Verizon <i>DBIR </i>Report</td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">Remember that my focus here is the United States. This means the numbers from PWC, Accenture, and Verizon need to be reduced because they represent global audiences. However, the original FIRST count of roughly 100 American entities, and the statistic about the Fortune 500, which is just American companies, are already appropriately sized.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Security and the One Percent</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">What do these numbers mean for security? 
</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Speaking first just for the US, it means that most of the conversations among security practitioners on Twitter, in mailing lists, during Webinars, within classes, and other gatherings of people take place within a very small grouping. <b>These are the 1%</b> that are part of the roughly 4,000 entities in the US that have a decent security capability. </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>If those are the 1%, it means that the 99% are not included in these discussions.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">This means that free threat intelligence, or free classes, or free post-exploitation security tools, or other free capabilities <b>mean nothing, or almost nothing to those 99% of organizations that do not have security capabilities</b>, or whose capabilities are so low or stretched that they cannot take advantage of whatever the 1% offers.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">An Analogy: Personal Finance</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">I almost became a certified financial planner. Had I not secured a job in the AFCERT, I planned to separate from the Air Force, earn my CFP designation, and advise people on how to manage their assets and prepare for retirement. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">I've come to realize that discussions I witness in the "security community" are like the discussions I see in the finance community. 
It requires taking a big step back to appreciate this situation.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">People at the 1% level in finance want to know how to manage their stock options, or how to save money for their child's college tuition through specialized savings vehicles, or, at the highest ends, how to move assets throughout "Moneyland" in pursuit of ever lower taxes. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">These concerns are light-years away from the person who has a few dollars saved in an employer-provided 401(k) program, or who has little to no savings whatsoever. </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">The Consequences of the Security One Percent</h3><div><br /></div><div style="text-align: left;">So what's the big deal?</div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><b>The consequence of the existence and mindshare dominance of the security 1% is that the strategies and tactics they employ may <u>work for the 1%</u>, but not the 99%.</b> </div><div style="text-align: left;"><br /></div><div style="text-align: left;">I'm not talking about the "rich" preying on the "poor." That's neither my message nor my philosophical outlook. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Rather, I mean that <b>methods that the security 1% use to defend themselves are irrelevant at best to the 99%, and damaging at worst to the 99%.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">An example of irrelevance would be providing free indicators of compromise (IOCs) or other forms of threat intelligence. It's well-meaning but ultimately of no help to the 99%. 
If an entity in the 99% has a rudimentary security capability, or essentially zero security capability, threat intelligence is irrelevant.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">An example of damage would be publication of post-exploitation security tools, or PESTs. The 1% may have the ability to use such tools to equip their red or penetration testing teams, determining if the countermeasures implemented by their blue team can resist or detect and respond to their simulated and later actual attacks. The 99%, however, have little to no ability to leverage PESTs. <b>They end up simply being victims when actual intruders use PESTs to pillage the 99%'s assets.</b></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Conclusion</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">Readers can argue with my numbers. These are estimates, yes, but I believe I've gotten the orders of magnitude right, at least in the US. It's probably worse overseas, especially in the developing world. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">The point of this exercise is to propose the idea that <b>the benefits of certain activities that may accrue to the 1% may be, and likely are, irrelevant and/or damaging to the 99%.</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;">In brief:</div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><b>I challenge the security 1% to first recognize their elite status, and second, to think how their beliefs and actions affect the 99% -- especially for the worse.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">As this is a wicked problem, there is no easy answer. 
That may be worth a future blog post.</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-23822966881913251232020-10-23T10:00:00.015-04:002020-10-23T11:33:15.767-04:00MITRE ATT&CK Tactics Are Not Tactics<div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh8UtkHOxII5KLGuTgeVk3iVj3KMfkoFLyDb11MrasYGQ9J2Q5NPBgNUX4-Dk5YKF_26s2quTQ_ve4bEh4yIF1H97CJeNqoGqlpAATJPzThQ_IGALsANV3MZLlF_zogZNHM-LI/s1016/on+tactics.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="389" data-original-width="1016" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh8UtkHOxII5KLGuTgeVk3iVj3KMfkoFLyDb11MrasYGQ9J2Q5NPBgNUX4-Dk5YKF_26s2quTQ_ve4bEh4yIF1H97CJeNqoGqlpAATJPzThQ_IGALsANV3MZLlF_zogZNHM-LI/s320/on+tactics.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;">Just what are "tactics"?</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Introduction</h2><div><br /></div><div style="text-align: left;"><a href="https://attack.mitre.org/" target="_blank">MITRE ATT&CK</a> is a great resource, but something about it has bothered me since I first heard about it several years ago. 
It's a minor point, but I wanted to document it in case it confuses anyone else.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The <a href="https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf" target="_blank">MITRE ATT&CK Design and Philosophy</a> document from March 2020 says the following:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div><i>At a high-level, ATT&CK is a behavioral model that consists of the following core components:</i></div><div><i><br /></i></div><div><i>• Tactics, denoting short-term, tactical adversary goals during an attack;</i></div><div><i>• Techniques, describing the means by which adversaries achieve tactical goals;</i></div><div><i>• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and</i></div><div><i>• Documented adversary usage of techniques, their procedures, and other metadata.</i></div><div><br /></div><div>My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.</div><div><br /></div><div>The key word in the tactics definition is <b>goals</b>. 
According to MITRE, "tactics" are "goals."</div><div><br /></div><h2 style="text-align: left;">Examples of ATT&CK Tactics</h2><div><br /></div><div>ATT&CK lists the following as "<a href="https://attack.mitre.org/tactics/enterprise/" target="_blank">Enterprise Tactics</a>":</div></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjafA9blRL6yamOBKRCMv_6n4p6suAUfQVVjHj2mSNMh05mwrgb1MNslQ_3MN9plX1tk-6mnvK204le9YRQsnNBleQV2Mj8-nxZY3zwMLX4-rttHqKWIIYwTL0D_rjtZ3Kdvjfz/s2048/capture_001_23102020_084057.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1375" data-original-width="2048" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjafA9blRL6yamOBKRCMv_6n4p6suAUfQVVjHj2mSNMh05mwrgb1MNslQ_3MN9plX1tk-6mnvK204le9YRQsnNBleQV2Mj8-nxZY3zwMLX4-rttHqKWIIYwTL0D_rjtZ3Kdvjfz/w640-h430/capture_001_23102020_084057.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">MITRE ATT&CK "Tactics," https://attack.mitre.org/tactics/enterprise/</td></tr></tbody></table><div style="text-align: left;"><br />Looking at this list, the first 11 items could indeed be seen as <b>goals</b>. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&CK structure. 
That's not my primary concern though.</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Military Theory and Definitions</h2><div><br /></div><div style="text-align: left;">As a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I'd like to share three resources that offer a different perspective on tactics. Although all three are military, my argument does not depend on that association.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The <a href="https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf" target="_blank">DOD Dictionary of Military and Associated Terms</a> defines tactics as "the <b>employment and ordered arrangement of forces in relation to each other. </b>See also procedures; techniques. (CJCSM 5120.01)" (emphasis added)</div><div style="text-align: left;"><br /></div><div style="text-align: left;">In his book <i>On Tactics</i>, B. A. Friedman defines tactics as "the <b>use </b>of military forces to achieve victory over opposing enemy forces over the short term." (emphasis added)</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Dr. Martin van Creveld, scholar and author from the military strategy world, wrote the excellent <a href="https://www.britannica.com/topic/tactics" target="_blank">Encyclopedia Britannica entry on tactics</a>. His article includes the following:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div>"Tactics, in warfare, the art and science of fighting battles on land, on sea, and in the air. 
It is concerned with the approach to combat; the disposition of troops and other personalities; the use made of various arms, ships, or aircraft; and the execution of movements for attack or defense...</div><div><br /></div><div>The word tactics originates in the Greek <i>taxis</i>, meaning <b>order, arrangement, or disposition -- including the kind of disposition in which armed formations used to enter and fight battles. </b>From this, the Greek historian Xenophon derived the term <i>tactica</i>, the art of drawing up soldiers in array. Likewise, the <i>Tactica</i>, an early 10th-century handbook said to have been written under the supervision of the Byzantine emperor Leo VI the Wise, dealt with formations as well as weapons and the <b>ways of fighting</b> with them.</div><div><br /></div><div>The term tactics fell into disuse during the European Middle Ages. It reappeared only toward the end of the 17th century, when “Tacticks” was used by the English encyclopaedist John Harris to mean 'the Art of <b>Disposing </b>any Number of Men into a proposed form of Battle...'"</div><div><br /></div><div>From these three examples, it is clear that tactics are about use and disposition of forces or capabilities during engagements. Goals are entirely different. <b>Tactics are the methods by which leaders achieve goals. </b></div><div><b><br /></b></div><h2 style="text-align: left;">How Did This Happen?</h2><div><br /></div><div>I was not a fly on the wall when the MITRE team designed ATT&CK. Perhaps the MITRE team fixated on the phrase "tactics, techniques, and procedures," or "TTPs," again derived from military examples, when they were designing ATT&CK? TTPs became hot during the 2000s as incident responders with military experience drew on that language when developing concepts like <a href="https://taosecurity.blogspot.com/2018/11/the-origin-of-term-indicators-of.html" target="_blank">indicators of compromise</a>. 
That fixation might have led MITRE to use "tactics" for their top-level structure. </div><div><br /></div><div>It would have made more sense for MITRE to have just said "goal" or "objective," but "GTP" isn't recognized by the digital defender world.</div><div><br /></div><h2 style="text-align: left;">It's Not Just the Military</h2><div><br /></div><div>Some readers might think "ATT&CK isn't a military tool, so your military examples don't apply." I use the military references to show that the word tactic does have military origins, like the word "strategy," from the Greek <i>Strategos </i>or <i>strategus</i>, plural <i>strategoi</i>, (Greek: στρατηγός, pl. στρατηγοί; Doric Greek: στραταγός, <i>stratagos</i>; meaning "army leader"). </div><div><br /></div><div>That said, I would be surprised to see the word tactics used as "goals" anywhere else. For example, none of these examples from the non-military world involve tactics as goals:</div><div><br /></div><div>This <a href="https://hbr.org/1987/11/strategy-vs-tactics-from-a-venture-capitalist" target="_blank">Harvard Business Review article</a> defines tactics as "the day-to-day and month-to-month decisions required to manage a business." 
</div></div><div style="text-align: left;"><br /></div><div style="text-align: left;">This <a href="https://www.omha.net/news_article/show/590082">guide for ice hockey coaches</a> mentions tactics like "give and go’s, crossing attacks, cycling the puck, chipping the puck to space and overlapping."</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The <a href="https://www.thehartford.com/business-insurance/strategy/first-marketing-plan/marketing-tactics" target="_blank">guide for small business marketing</a> lists tactics like advertising, grass-roots efforts, trade shows, website optimization, and email and social marketing.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">In the civilian world, tactics are how leaders achieve goals or objectives.</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Conclusion</h2><div><br /></div><div style="text-align: left;">In the big picture, it doesn't matter that much to ATT&CK content that MITRE uses the term "tactics" when it really means "goals." </div><div style="text-align: left;"><br /></div><div style="text-align: left;">However, I wrote this article because the ATT&CK design and philosophy emphasizes a common language, e.g., ATT&CK "succinctly organizes adversary tactics and techniques along with providing a <b>common language</b> used across security disciplines."</div><div style="text-align: left;"><br /></div><div style="text-align: left;">If we want to share a common language, it's important that we recognize that the ATT&CK use of the term "tactics" is an anomaly. 
Perhaps a future edition will change the terminology, but I doubt it given how entrenched it is at this point.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>Update</b>: This <a href="https://twitter.com/mattyb1512/status/1319661359940984834" target="_blank">Tweet from Matt Brady</a> made this point:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">"Agreed - for example, supply chain compromise is a tactic used for initial access, whereas software supply chain compromise (ShadowHammer) is a specific technique."</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-63851256708047277292020-10-10T11:30:00.004-04:002020-10-11T11:40:16.936-04:00Greg Rattray Invented the Term Advanced Persistent Threat<p> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-RjX1Ti0axi2shos3uOTuJ7DMQjC6ys4nrHPuBfaUOR-0FIu-gYNmzhW2VUDH9WuGp1DC87PM0Wwb3eBa21KXEQWbTaIIIpyHRtrZzmYxu0RuuBQA0pAYGxHomZ5yh0y7ptoP/s1691/capture_001_10102020_105629.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1691" data-original-width="1338" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-RjX1Ti0axi2shos3uOTuJ7DMQjC6ys4nrHPuBfaUOR-0FIu-gYNmzhW2VUDH9WuGp1DC87PM0Wwb3eBa21KXEQWbTaIIIpyHRtrZzmYxu0RuuBQA0pAYGxHomZ5yh0y7ptoP/w506-h640/capture_001_10102020_105629.jpg" width="506" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">I was so pleased to read this <a 
href="https://twitter.com/GregRattray_/status/1314650788984229889">Tweet</a> yesterday from Greg Rattray:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">"<b>Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with</b>... Since then both the APT term and the nature of our adversaries have evolved. What hasn’t changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses."</div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2 style="clear: both; text-align: left;">Background</h2><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">First, some background. Who is Greg Rattray?</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">First, you could call him Colonel or Doctor. I will use Col as that was the last title I used with him, although these days when we chat I call him Greg. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Col Rattray served 21 years in the Air Force and also earned his PhD in international security from Tufts University. His thesis formed the content for his 2001 book <a href="https://amzn.to/36NJY6t" target="_blank">Strategic Warfare in Cyberspace</a>, which I reviewed in 2002 and <a href="https://www.amazon.com/gp/customer-reviews/RR0C0U97V748M/ref=cm_cr_dp_d_rvw_ttl?ie=UTF8&ASIN=0262182092" target="_blank">rated 4 stars</a>. (Ouch -- I was a bit stingy with the stars back then. I was more of an operator and less of a theorist or historian in those days. 
Such was my bias, I suppose.)</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Col Rattray is also a 1984 graduate of the Air Force Academy. He studied history and political science there and returned as an assistant professor in the early 1990s. He was one of my instructors when I was a cadet there. (I graduated in 1994 with degrees in history and political science.) Col Rattray then earned a master of public policy degree at Harvard Kennedy School. (I did the same, in 1996.) </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Do you see a pattern here? He is clearly a role model. Of course, I did not stay in the Air Force as long, earn the same rank, or survive my PhD program!</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">After the Academy, Col Rattray served as commander of the 23rd Information Operations Squadron on Security Hill in San Antonio, Texas. I was working in the AFCERT at the time. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">One of the last duties I had in uniform was to travel to Nellis AFB outside Las Vegas and participate in a doctrine writing project for information warfare. At the time I was not a fan of the idea, but Col Rattray convinced me someone needed to write down how we did computer network defense in the AFCERT. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">He didn't order me to participate, which I always appreciated. 
Years later I told him it was a good idea to organize that project and that I was probably just grumpy because of the way the Air Force personnel system had treated me at the end of my military career.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2 style="clear: both; text-align: left;">Why The Tweet Matters</h2><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">For years I've had to dance around the issue of who invented the term "APT." In most narratives I say that an Air Force colonel invented the term in 2006. I based this on discussions I had with colleagues in the defense industrial base who were working with said colonel and his team from the Air Force. I did not know back then that it was Col Rattray and his team from the Air Force Information Warfare Center. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Years later I learned of Rattray's role, but not directly from him. Only this year did Col Rattray confirm to me that he had invented the term, and that 2007 was the correct year. I encouraged him to say something, because as an historian I appreciate the value of facts and narrative. As I <a href="https://twitter.com/taosecurity/status/1314662363233165314" target="_blank">Tweeted</a> after seeing Greg's Tweet:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">"Security, like any other field, has HISTORY, which means there are beginnings, and stories, and discoveries, and innovators, and leaders, and first steps, and pioneers. 
I'm so pleased to see people like @GregRattray_ feel comfortable enough after all these years to say something."</div><p></p><p></p><div class="separator" style="clear: both; text-align: left;">I don't think many people in the security field think about history. Security tends to be obsessed with the "new" and the "shiny." Not enough people wonder how we got to this point, or what decisions led to the current situation. The security scene in 2020 is very different from the scene in 1960, or 1970, or 1980, or 1990, or 2000, or even 2010. This is not the time to describe how or why that is the case. I'm just glad a very important piece of the puzzle is now public.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2 style="clear: both; text-align: left;">More on the APT</h2><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1V2S3g27ocnt0lABVZmhq28MTdhQJdZE_3esXrXEzTdTvHC-iUfawPs_muuKR-dja7p7Nifw_HlGbLNXLQBoeBsuXhHdnAOhymVQTwW43K97LZMwWzIp0Rvmi43jlrlaqRuef/s2048/BoTB+Dec+2020+vol+3.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1030" data-original-width="2048" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1V2S3g27ocnt0lABVZmhq28MTdhQJdZE_3esXrXEzTdTvHC-iUfawPs_muuKR-dja7p7Nifw_HlGbLNXLQBoeBsuXhHdnAOhymVQTwW43K97LZMwWzIp0Rvmi43jlrlaqRuef/w640-h322/BoTB+Dec+2020+vol+3.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">If you'd like to learn more about this history of the APT, check out my newest book -- <a href="https://amzn.to/2GJt9yW" target="_blank">The Best of TaoSecurity Blog, Volume 2</a>. I devote an entire chapter to blog posts and new commentary on the APT. 
Volume 1 arrived a few months before this new book, and I'm working on Volume 3 now.</div><br /><p></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-33507347954595883572020-09-03T11:07:00.004-04:002020-09-03T11:19:18.938-04:00The FBI Intrusion Notification Program<p>The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years. </p><p>This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post in her story <a href="https://web.archive.org/web/20140325052838/https://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html" target="_blank">U.S. notified 3,000 companies in 2013 about cyberattacks</a>. </p><p>The story noted the following:</p><p>"Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions...</p><p>About 2,000 of the notifications were made in person or by phone by the FBI, which has 1,000 people dedicated to cybersecurity investigations among 56 field offices and its headquarters. Some of the notifications were made to the same company for separate intrusions, officials said. Although in-person visits are preferred, resource constraints limit the bureau’s ability to do them all that way, former officials said...</p><p>Officials with the Secret Service, an agency of the Department of Homeland Security that investigates financially motivated cybercrimes, said that they notified companies in 590 criminal cases opened last year, officials said. 
Some cases involved more than one company."</p><p>The reason this program is so important is that it shattered the delusion that some executives used to reassure themselves. When the FBI visits your headquarters to tell you that you are compromised, you can't pretend that intrusions are "someone else's problem."</p><p>It may be difficult for some readers to appreciate how prevalent this mindset was, from the beginnings of IT to about the year 2010.</p><p>I do not know exactly when the FBI began notifying victims, but I believe the mid-2000's is a safe date. I can personally attest to the program around that time.</p><p>I was reminded of the importance of this program by Andy Greenberg's new story <a href="https://www.wired.com/story/fbi-hacking-victim-notifications/" target="_blank">The FBI Botched Its DNC Hack Warning in 2016—but Says It Won’t Next Time</a>. </p><p>I strongly disagree with this "botched" characterization. Andy writes:</p><p>"[S]omehow this breach [of the Democratic National Committee] had come as a terrible surprise—despite an FBI agent's warning to [IT staffer Yared] Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.</p><p>The FBI agent's warnings had 'never used alarming language,' Tamene would tell the Senate committee, and never reached higher than the DNC's IT director, who dismissed them after a cursory search of the network for signs of foul play."</p><p>As with all intrusions, criminal responsibility lies with the intruder. However, I do not see why the FBI is supposed to carry the blame for how this intrusion unfolded. </p><p>According to investigatory documents and this <a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/">Crowdstrike blog post</a> on their involvement, at least seven months passed from the time the FBI notified the DNC (sometime in September 2015) and when they contacted Crowdstrike (30 April 2016). That is ridiculous. 
</p><p>If I received a call from the FBI even hinting at a Russian presence in my network, I would be on the phone with a professional incident response firm right after I briefed the CEO about the call.</p><p>I'm glad the FBI continues to improve its victim notification procedures, but it doesn't make much of a difference if the individuals running IT and the organization are negligent, either through incompetence or inaction.</p><p><b>Note: Fixed year typo.</b></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-29670898030636872262020-09-01T08:30:00.002-04:002020-11-08T10:02:53.857-05:00New Book! The Best of TaoSecurity Blog, Volume 2<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLmV8h2DmN_yjddccFt5QLzIqe62IMwkNvww9hP-NKvr3JseuHYiePVEEoESJOJjmF_xPIZ6hHrjFeWuHLjLH6K-sDR0ARdpPECHGhhow2uFPtog7ieCClSzkCWQF3ofFG_ger/s2048/The+Best+of+TaoSecurity+Blog%252C+Volume+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLmV8h2DmN_yjddccFt5QLzIqe62IMwkNvww9hP-NKvr3JseuHYiePVEEoESJOJjmF_xPIZ6hHrjFeWuHLjLH6K-sDR0ARdpPECHGhhow2uFPtog7ieCClSzkCWQF3ofFG_ger/s640/The+Best+of+TaoSecurity+Blog%252C+Volume+2.jpg" /></a></div><br /> <p></p><p>I published a new book!</p><p><a href="https://amzn.to/3lHm1D0" target="_blank">The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat</a></p><p>It's in the <a href="https://amzn.to/3lHm1D0" target="_blank">Kindle Store</a>, and if you're Unlimited it's free. 
Print edition to follow.</p><p>The book lists as having 413 pages (for the Kindle edition at least) and it's almost 95,000 words. I started working on it in June after finishing <a href="https://amzn.to/2YSlmVt" target="_blank">Volume 1</a>.</p><p>Here is the book description:</p><p>Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing. </p><p>In the second volume of the TaoSecurity Blog series, Mr. Bejtlich addresses how to detect and respond to intrusions using third-party threat intelligence sources, network data, application and infrastructure data, and endpoint data. He assesses government and private security initiatives and applies counterintelligence and counteradversary mindsets to defend digital assets. He documents the events of the last 20 years of Chinese hacking from the perspective of a defender on the front lines, in the pre- and post-APT era. </p><p>This volume contains some of Mr. Bejtlich’s favorite posts, such as histories of threat hunting, so-called black and white hat budgeting, attribution capabilities and limits, and rating information security incidents. He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right. Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.</p><div>I have a third volume planned. I will publish it by the end of the year. 
</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNZZzZheMNPRCeiGcTpFO9zsGqrSyVPtZpDrPAgoQ6Jmku9fKRCM_VtokvDqxzKaR-q3hoeEm8aUwVGz4whcLvtvG6DVv2MVhwrFLT4H9PN8HejxCHX9GIZ13xivy5wp_aHYJG/s1380/capture_001_18062020_154748.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="697" data-original-width="1380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNZZzZheMNPRCeiGcTpFO9zsGqrSyVPtZpDrPAgoQ6Jmku9fKRCM_VtokvDqxzKaR-q3hoeEm8aUwVGz4whcLvtvG6DVv2MVhwrFLT4H9PN8HejxCHX9GIZ13xivy5wp_aHYJG/s640/capture_001_18062020_154748.png" width="640" /></a></div><br /><div>If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and there is a sample that lets you download and read some of the book. Enjoy!</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-10663516703321764332020-08-19T11:17:00.003-04:002020-08-20T11:49:30.850-04:00One Weird Trick for Reviewing Zeek Logs on the Command Line!Are you a network security monitoring dinosaur like me? Do you prefer to inspect your Zeek logs using the command line instead of a Web-based SIEM?<div><br /></div><div>If yes, try this <b>one weird trick!</b></div><div><br /></div><div>I store my Zeek logs in JSON format. 
Sometimes I like to view the output using jq.</div><div><br /></div><div>If I need to search directories of logs for a string, like a UID, I might* use something like zgrep with the following syntax:</div><div><br /></div><div><div><span style="font-family: courier; font-size: small;">$ <b>zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/*</b></span></div><div><span style="font-family: courier; font-size: small;"><br /></span></div><div><span style="font-family: courier; font-size: small;">2020-08-16/conn_20200816_06:00:00-07:00:00+0000.log.gz:{"_path":"conn","_system_name":"ds61","_write_ts":"2020-08-16T06:26:10.266225Z","_node":"worker-01","ts":"2020-08-16T06:26:01.485394Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"proto":"tcp","service":"ftp","duration":3.780829906463623,"orig_bytes":184,"resp_bytes":451,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShAdDafF","orig_pkts":20,"orig_ip_bytes":1232,"resp_pkts":17,"resp_ip_bytes":1343,"community_id":"1:lEESxqaSVYqFZvWNb4OccTa9sTs="}</span></div><div><span style="font-family: courier; font-size: small;">2020-08-16/ftp_20200816_06:26:04-07:00:00+0000.log.gz:{"_path":"ftp","_system_name":"ds61","_write_ts":"2020-08-16T06:26:04.077276Z","_node":"worker-01","ts":"2020-08-16T06:26:03.553287Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"user":"anonymous","password":"ftp@example.com","command":"EPSV","reply_code":229,"reply_msg":"Entering Extended Passive Mode (|||31746|).","data_channel.passive":true,"data_channel.orig_h":"192.168.2.76","data_channel.resp_h":"196.216.2.24","data_channel.resp_p":31746}</span></div><div><span style="font-family: courier; font-size: 
small;">2020-08-16/ftp_20200816_06:26:04-07:00:00+0000.log.gz:{"_path":"ftp","_system_name":"ds61","_write_ts":"2020-08-16T06:26:05.117287Z","_node":"worker-01","ts":"2020-08-16T06:26:04.597290Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"user":"anonymous","password":"ftp@example.com","command":"RETR","arg":"ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5","file_size":74,"reply_code":226,"reply_msg":"Transfer complete.","fuid":"FueF95uKPrUuDnMc4"}</span></div><div><br /></div><div>That is tough on the eyes. I cannot simply pipe that output to jq, however, because the filename prefix is not valid JSON:</div><div><br /></div><div><span style="font-family: courier; font-size: small;">$ <b>zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | jq .</b></span></div><div><span style="font-family: courier; font-size: small;">parse error: Invalid numeric literal at line 1, column 28</span></div><div><br /></div><div>What I need to do is strip out the filename and colon before the JSON. I learned how to use sed to do this thanks to <a href="https://unix.stackexchange.com/questions/136794/how-to-use-sed-to-replace-all-characters-before-colon" target="_blank">this post</a>. 
</div><div><br /></div><div><span style="font-family: courier; font-size: small;">$ <b>zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | sed 's/.*gz://' | jq .</b></span></div><div><span style="font-family: courier; font-size: small;"><b><br /></b></span></div><div><span style="font-family: courier; font-size: small;">{</span></div><div><span style="font-family: courier; font-size: small;"> "_path": "conn",</span></div><div><span style="font-family: courier; font-size: small;"> "_system_name": "ds61",</span></div><div><span style="font-family: courier; font-size: small;"> "_write_ts": "2020-08-16T06:26:10.266225Z",</span></div><div><span style="font-family: courier; font-size: small;"> "_node": "worker-01",</span></div><div><span style="font-family: courier; font-size: small;"> "ts": "2020-08-16T06:26:01.485394Z",</span></div><div><span style="font-family: courier; font-size: small;"> "uid": "CLkXf2CMo11hD8FQ5",</span></div><div><span style="font-family: courier; font-size: small;"> "id.orig_h": "192.168.2.76",</span></div><div><span style="font-family: courier; font-size: small;"> "id.orig_p": 53380,</span></div><div><span style="font-family: courier; font-size: small;"> "id.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;"> "id.resp_p": 21,</span></div><div><span style="font-family: courier; font-size: small;"> "proto": "tcp",</span></div><div><span style="font-family: courier; font-size: small;"> "service": "ftp",</span></div><div><span style="font-family: courier; font-size: small;"> "duration": 3.780829906463623,</span></div><div><span style="font-family: courier; font-size: small;"> "orig_bytes": 184,</span></div><div><span style="font-family: courier; font-size: small;"> "resp_bytes": 451,</span></div><div><span style="font-family: courier; font-size: small;"> "conn_state": "SF",</span></div><div><span style="font-family: courier; font-size: small;"> "local_orig": true,</span></div><div><span style="font-family: courier; 
font-size: small;"> "local_resp": false,</span></div><div><span style="font-family: courier; font-size: small;"> "missed_bytes": 0,</span></div><div><span style="font-family: courier; font-size: small;"> "history": "ShAdDafF",</span></div><div><span style="font-family: courier; font-size: small;"> "orig_pkts": 20,</span></div><div><span style="font-family: courier; font-size: small;"> "orig_ip_bytes": 1232,</span></div><div><span style="font-family: courier; font-size: small;"> "resp_pkts": 17,</span></div><div><span style="font-family: courier; font-size: small;"> "resp_ip_bytes": 1343,</span></div><div><span style="font-family: courier; font-size: small;"> "community_id": "1:lEESxqaSVYqFZvWNb4OccTa9sTs="</span></div><div><span style="font-family: courier; font-size: small;">}</span></div><div><span style="font-family: courier; font-size: small;">{</span></div><div><span style="font-family: courier; font-size: small;"> "_path": "ftp",</span></div><div><span style="font-family: courier; font-size: small;"> "_system_name": "ds61",</span></div><div><span style="font-family: courier; font-size: small;"> "_write_ts": "2020-08-16T06:26:04.077276Z",</span></div><div><span style="font-family: courier; font-size: small;"> "_node": "worker-01",</span></div><div><span style="font-family: courier; font-size: small;"> "ts": "2020-08-16T06:26:03.553287Z",</span></div><div><span style="font-family: courier; font-size: small;"> "uid": "CLkXf2CMo11hD8FQ5",</span></div><div><span style="font-family: courier; font-size: small;"> "id.orig_h": "192.168.2.76",</span></div><div><span style="font-family: courier; font-size: small;"> "id.orig_p": 53380,</span></div><div><span style="font-family: courier; font-size: small;"> "id.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;"> "id.resp_p": 21,</span></div><div><span style="font-family: courier; font-size: small;"> "user": "anonymous",</span></div><div><span style="font-family: courier; 
font-size: small;"> "password": "ftp@example.com",</span></div><div><span style="font-family: courier; font-size: small;"> "command": "EPSV",</span></div><div><span style="font-family: courier; font-size: small;"> "reply_code": 229,</span></div><div><span style="font-family: courier; font-size: small;"> "reply_msg": "Entering Extended Passive Mode (|||31746|).",</span></div><div><span style="font-family: courier; font-size: small;"> "data_channel.passive": true,</span></div><div><span style="font-family: courier; font-size: small;"> "data_channel.orig_h": "192.168.2.76",</span></div><div><span style="font-family: courier; font-size: small;"> "data_channel.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;"> "data_channel.resp_p": 31746</span></div><div><span style="font-family: courier; font-size: small;">}</span></div><div><span style="font-family: courier; font-size: small;">{</span></div><div><span style="font-family: courier; font-size: small;"> "_path": "ftp",</span></div><div><span style="font-family: courier; font-size: small;"> "_system_name": "ds61",</span></div><div><span style="font-family: courier; font-size: small;"> "_write_ts": "2020-08-16T06:26:05.117287Z",</span></div><div><span style="font-family: courier; font-size: small;"> "_node": "worker-01",</span></div><div><span style="font-family: courier; font-size: small;"> "ts": "2020-08-16T06:26:04.597290Z",</span></div><div><span style="font-family: courier; font-size: small;"> "uid": "CLkXf2CMo11hD8FQ5",</span></div><div><span style="font-family: courier; font-size: small;"> "id.orig_h": "192.168.2.76",</span></div><div><span style="font-family: courier; font-size: small;"> "id.orig_p": 53380,</span></div><div><span style="font-family: courier; font-size: small;"> "id.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;"> "id.resp_p": 21,</span></div><div><span style="font-family: courier; font-size: small;"> 
"user": "anonymous",</span></div><div><span style="font-family: courier; font-size: small;"> "password": "ftp@example.com",</span></div><div><span style="font-family: courier; font-size: small;"> "command": "RETR",</span></div><div><span style="font-family: courier; font-size: small;"> "arg": "ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5",</span></div><div><span style="font-family: courier; font-size: small;"> "file_size": 74,</span></div><div><span style="font-family: courier; font-size: small;"> "reply_code": 226,</span></div><div><span style="font-family: courier; font-size: small;"> "reply_msg": "Transfer complete.",</span></div><div><span style="font-family: courier; font-size: small;"> "fuid": "FueF95uKPrUuDnMc4"</span></div><div><span style="font-family: courier; font-size: small;">}</span></div></div><div><br /></div><div>Maybe this will help you too.</div><div><br /></div><div>*I use the find command in other circumstances.</div><div><br /></div><div><b>Update:</b> Twitter user @captainGeech42 <a href="https://twitter.com/captainGeech42/status/1296110420428599302" target="_blank">noted</a> that I could use grep -h and omit the sed pipe, e.g.:</div><div><br /></div><div><div>$ zgrep -h "CLkXf2CMo11hD8FQ5" 2020-08-16/* | jq .</div></div><div><br /></div><div>Thanks for the tip!</div><div><br /></div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-82206192942460851712020-07-16T11:04:00.004-04:002020-07-27T17:53:34.898-04:00I Did Not Write This Book<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvXKYsUoCcrGdyCavUCw-AKHuTyMG1IPIKax0sD-WpoLs1eNpaz73CjHXLUf3odlQ3DIJaYzk1jzfE-uzHRbQlyprVVeLDQmh3HuQs_V72ydGrrv22RRaZefqaTyy3LHIxkGEi/s2938/capture_001_16072020_104430.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Fake Book" border="0" data-original-height="1071" data-original-width="2938" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvXKYsUoCcrGdyCavUCw-AKHuTyMG1IPIKax0sD-WpoLs1eNpaz73CjHXLUf3odlQ3DIJaYzk1jzfE-uzHRbQlyprVVeLDQmh3HuQs_V72ydGrrv22RRaZefqaTyy3LHIxkGEi/w640-h234/capture_001_16072020_104430.png" title="Fake Book" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fake Book </td></tr>
</tbody></table>
<br />
<div>
Someone published a "book" on Amazon and claimed that I wrote it! I had NOTHING to do with this. I am working with Amazon now to remove it, or at least remove my name. Stay away from this garbage!<br />
<br />
<b>Update: </b>Thankfully, within a day or so of this post, the true author of this work removed it from Amazon. It has not returned, at least as far as I have seen.</div>
Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-57819846340686615932020-05-04T11:51:00.000-04:002020-05-04T11:51:25.347-04:00New Book! The Best of TaoSecurity Blog, Volume 1<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQwaHGprtrqcUkfyRjoPi-IP6ADRq6sIIvy-fGFtUdCEPndgO0055j1xlUyMhZJu9PflNXrhgS1NsyMD-jknYlydBdl6x9F0zEr7hMeTwz42z-gEAtOqBJCIe4uq2v1zqfSRPM/s1600/The+Best+of+TaoSecurity+Blog+vol+1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1003" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQwaHGprtrqcUkfyRjoPi-IP6ADRq6sIIvy-fGFtUdCEPndgO0055j1xlUyMhZJu9PflNXrhgS1NsyMD-jknYlydBdl6x9F0zEr7hMeTwz42z-gEAtOqBJCIe4uq2v1zqfSRPM/s640/The+Best+of+TaoSecurity+Blog+vol+1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
I'm very pleased to announce that I've published a new book!<br />
<br />
It's <a href="https://amzn.to/2SBsB0H" target="_blank">The Best of TaoSecurity Blog, Volume 1: Milestones, Philosophy and Strategy, Risk, and Advice</a>. It's available now in the <a href="https://amzn.to/2SBsB0H" target="_blank">Kindle Store</a>, and if you're a member of Kindle Unlimited, it's currently free. I may also publish a print version. If you're interested, please tell me on <a href="https://twitter.com/taosecurity" target="_blank">Twitter</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFn0W9DnP4s5gPSLyuih2OrLel_ae3HW0guuAcWFO2j2Prh8iYJjsTgvbpjzhVFe1EbwbJfu_Gbm2TfDdG4I_2vh4XBmTAqa1KuM-_o7wWBhqOF5ctT51zxsKW65DjyrBz9O8t/s1600/capture_001_04052020_113014.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="928" data-original-width="1600" height="370" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFn0W9DnP4s5gPSLyuih2OrLel_ae3HW0guuAcWFO2j2Prh8iYJjsTgvbpjzhVFe1EbwbJfu_Gbm2TfDdG4I_2vh4XBmTAqa1KuM-_o7wWBhqOF5ctT51zxsKW65DjyrBz9O8t/s640/capture_001_04052020_113014.png" width="640" /></a></div>
<br />
<br />
The book lists at 332 pages and is over 83,000 words. I've been working on it since last year, but I've used the time in isolation to carry the first volume over the finish line.<br />
<br />
The Amazon.com description says:<br />
<br />
Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing.<br />
<br />
In the first volume of the TaoSecurity Blog series, Bejtlich addresses milestones, philosophy and strategy, risk, and advice. Bejtlich shares his thoughts on leadership, the intruder's dilemma, managing burnout, controls versus assessments, insider versus outsider threats, security return on investment, threats versus vulnerabilities, controls and compliance, the post that got him hired at a Fortune 5 company as their first director of incident response, and much more.<br />
<br />
He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right. Read how the security industry, defensive methodologies, and strategies to improve career opportunities have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.<br />
<br />
Finally, if you're interested in subsequent volumes, I have two planned.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZY5G8SdFiOQ9iazr5_fmmSM_Zlf4AaxuRIOhT5iWu3NcGBcytBwkESqAzKrH_BWZlfnCHZBgLqQvkd7QehRyd97Db5tXfRfHkWqmRp2fOFv3IdVGYcHStWWGZERny-ssJ9ZDU/s1600/capture_001_03052020_215637.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="680" data-original-width="1365" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZY5G8SdFiOQ9iazr5_fmmSM_Zlf4AaxuRIOhT5iWu3NcGBcytBwkESqAzKrH_BWZlfnCHZBgLqQvkd7QehRyd97Db5tXfRfHkWqmRp2fOFv3IdVGYcHStWWGZERny-ssJ9ZDU/s640/capture_001_03052020_215637.png" width="640" /></a></div>
<br />
I may also have a few other book projects in the pipeline. I'll have more to say on that in the coming weeks.<br />
<br />
If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and there is a sample that lets you download and read some of the book. Enjoy!<br />
<div>
<br /></div>
<div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>
<br />
<b>If You Can't Patch Your Email Server, You Should Not Be Running It</b> (Richard Bejtlich, published 2020-04-07)<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrBguke20WJl1BfWP055PGU5ZX0AarM1OuOvm2Rgixs1_7ExAS9DP1wFdJkOHdOHQaMI_Up-cKOs0fvzrOpNeshSOS1FBeryeQfsaQxk0qvLOYiwnGj2aPwaQFKKbfu7RfDoF7/s1600/Servers+vulnerable+to+CVE-2020-0688.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="439" data-original-width="697" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrBguke20WJl1BfWP055PGU5ZX0AarM1OuOvm2Rgixs1_7ExAS9DP1wFdJkOHdOHQaMI_Up-cKOs0fvzrOpNeshSOS1FBeryeQfsaQxk0qvLOYiwnGj2aPwaQFKKbfu7RfDoF7/s640/Servers+vulnerable+to+CVE-2020-0688.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">CVE-2020-0688 Scan Results, per Rapid7</td></tr>
</tbody></table>
<br />
tl;dr -- it's the title of the post: "If You Can't Patch Your Email Server, You Should Not Be Running It."<br />
<br />
I read a <a href="https://www.bleepingcomputer.com/news/security/80-percent-of-all-exposed-exchange-servers-still-unpatched-for-critical-flaw/" target="_blank">disturbing story today</a> with the following news:<br />
<br />
"Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim.<br />
<br />
As they found, <b>'at least 357,629 (82.5%) of the 433,464 Exchange servers' are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.</b><br />
<br />
To make matters even worse,<b> some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable</b> given that 'the related Microsoft update wasn’t always updating the build number.'<br />
<br />
Furthermore, <b>'there are over 31,000 Exchange 2010 servers that have not been updated since 2012</b>,' as the Rapid7 researchers observed. '<b>There are nearly 800 Exchange 2010 servers that have never been updated</b>.'<br />
<br />
They also found <b>10,731 Exchange 2007 servers</b> and more than 166,321 Exchange 2010 ones, with the former<b> already running End of Support (EoS) software that hasn't received any security updates since 2017</b> and the latter reaching EoS in October 2020."<br />
<br />
In case you were wondering, <a href="https://www.bleepingcomputer.com/news/security/nsa-warns-about-microsoft-exchange-flaw-as-attacks-start/" target="_blank">threat actors have already been exploiting these flaws</a> for weeks, if not months.<br />
<br />
Email is one of the most, if not the most, sensitive and important systems upon which organizations of all shapes and sizes rely. Email servers are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide.<br />
<br />
In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them.<br />
<br />
It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives -- namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others.<br />
<br />
I expect some readers are saying "I would never put my email in the hands of those big companies!" That's fine, and I know several highly competent individuals who run their own email infrastructure. The problem is that they represent the small fraction of individuals and organizations who can do so. Even being extremely generous with the numbers, it appears that less than 20%, and probably less than 15% according to other estimates, can even keep their Exchange servers patched, let alone properly configured.<br />
<br />
If you think it's still worth the risk, and your organization isn't able to patch, because you want to avoid megacorp email providers or government access to your email, you've made a critical miscalculation. You've essentially decided that it's more important for you to keep your email out of megacorp or government hands than it is to keep it from targeted or opportunistic intruders across the Internet.<br />
<br />
Incidentally, you've made another mistake. Those same governments you fear, at least many of them, will just leverage Metasploit to break into your janky email server anyway.<br />
<br />
The bottom line is that unless your organization is willing to commit the resources, attention, and expertise to maintaining a properly configured and patched email system, you should outsource it. Otherwise you are being negligent with not only your organization's information, but the information of anyone with whom you exchange emails.<br />
<br />
<b>Seeing Book Shelves on Virtual Calls</b> (Richard Bejtlich, published 2020-04-02)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmx7e73ocpkekan4ZHckrUF84cypTeet_1_g0mUqW67pkJkrCC7mr94S7gTaXNO64aVYK3Xq443uuGGK-9jlQEJCT1BGreZ3NW8BVF5cjB6WFEjzHJFh897ang8uSEKy_N28Jq/s1600/IMG_0866.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmx7e73ocpkekan4ZHckrUF84cypTeet_1_g0mUqW67pkJkrCC7mr94S7gTaXNO64aVYK3Xq443uuGGK-9jlQEJCT1BGreZ3NW8BVF5cjB6WFEjzHJFh897ang8uSEKy_N28Jq/s640/IMG_0866.png" width="640" /></a></div>
<br />
I have a confession... for me, the best part of virtual calls, or seeing any reporter or commentator working from home, is being able to check out their book shelves. I never use computer video, because I want to preserve the world's bandwidth. That means I don't share what my book shelves look like when I'm on a company call. Therefore, I thought I'd share my book shelves with the world.<br />
<br />
My big categories of books are martial arts, mixed/miscellaneous, cybersecurity and intelligence, and military and Civil War history. I've cataloged about 400 print books and almost 500 digital titles. Over the years I've leaned towards buying Kindle editions of any book that is mostly print, in order to reduce my footprint.<br />
<br />
For many years now, my book shelving has consisted of three units, each with five shelves. Looking at the topic distribution, as of 2020 I have roughly 6 shelves for martial arts, 4 for mixed/miscellaneous, 3 for cybersecurity and intelligence, and 2 for military and Civil War history.<br />
<br />
This is interesting to me because I can compare my mix from five years ago, when I did an interview for the now defunct <a href="https://web.archive.org/web/20150603062402/http://www.warcouncil.org/warbooks/?author=54bb7722e4b095413a5b551f" target="_blank">Warcouncil Warbooks project</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgobTM9BJPt0HqxJ4na-JO1UmexAanuik_WufoW_Gg88cgI56JnIJyIY8utCnbU4C5kJHyV2O2XjmMUufJmdiAerJ7SP3hk2qeKIw3zg2FWoh87mQvd-Q8fb5AGqCvFc0UanJxg/s1600/IMG_0100.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgobTM9BJPt0HqxJ4na-JO1UmexAanuik_WufoW_Gg88cgI56JnIJyIY8utCnbU4C5kJHyV2O2XjmMUufJmdiAerJ7SP3hk2qeKIw3zg2FWoh87mQvd-Q8fb5AGqCvFc0UanJxg/s640/IMG_0100.JPG" width="640" /></a></div>
<br />
In that image from 2015, I can see 2 shelves for martial arts, 4 for mixed/miscellaneous, 7 for cybersecurity and intelligence, and 2 for military and Civil War history.<br />
<br />
What happened to all of the cybersecurity and intelligence books? I donated a bunch of them, and the rest I'm selling on Amazon, along with books (in new or like new condition) that my kids decided they didn't want anymore.<br />
<br />
I've probably donated hundreds, possibly approaching a thousand, cyber security and IT books over the years. These were mostly books sent by publishers, although some were those that I bought and no longer needed. Some readers from northern Virginia might remember me showing up at ISSA or NoVASec meetings with boxes of books that I would leave on tables. I would say "I don't want to come home with any of these. Please be responsible." And guess what -- everyone was!<br />
<br />
If anyone would like to share their book shelves, the best place would be as a <a href="https://twitter.com/taosecurity/status/1245849700386902018" target="_blank">reply to my Tweet on this post</a>. I look forward to seeing your book shelves, fellow bibliophiles.<br />
<br />
<b>Skill Levels in Digital Security</b> (Richard Bejtlich, published 2020-03-27)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKeZpx4RymDn0ztWzn5AY9Arv27FToq8NPdDTdVEgUGdru_r4ccrTOJrFHfobbVUeDbZcQVgjB5YmaTrb4itUp-G92dHeiNBBY0IvPvQwnsW5GSu975tZn2N5qYUNIeVJhZqsq/s1600/capture_001_27032020_105607.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="729" data-original-width="1232" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKeZpx4RymDn0ztWzn5AY9Arv27FToq8NPdDTdVEgUGdru_r4ccrTOJrFHfobbVUeDbZcQVgjB5YmaTrb4itUp-G92dHeiNBBY0IvPvQwnsW5GSu975tZn2N5qYUNIeVJhZqsq/s640/capture_001_27032020_105607.png" width="640" /></a></div>
<br />
Two posts in one day? These are certainly unusual times.<br />
<br />
I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to <a href="https://www.google.com/books/edition/Archives_of_Psychology/U6RGAQAAMAAJ?hl=en&gbpv=1&dq=novice+apprentice+journeyman+expert&pg=RA2-PA12&printsec=frontcover" target="_blank">Google Books</a> I found this article in a 1922 edition of the Archives of Psychology that mentioned four key terms:<br />
<br />
<ol>
<li>The <b>novice </b>is a (person) who has no trade ability whatever, or at least none that could not be paralleled by practically any intelligent (person).</li>
<li>An <b>apprentice </b>has acquired some of the elements of the trade but is not sufficiently skilled to be trusted with any important task.</li>
<li>The <b>journey(person)</b> is qualified to perform almost any work done by members of the trade.</li>
<li>An <b>expert </b>can perform quickly and with superior skill any work done by (people) in the trade.</li>
</ol>
<div>
I believe these four categories can apply to some degree to the needs of the digital security profession.</div>
<div>
<br /></div>
<div>
At GE-CIRT we had three levels -- event analyst, incident analyst, and incident handler. We did not hire novices, so those three roles map in some ways to apprentice, journeyperson, and expert. </div>
<div>
<br /></div>
<div>
One difference with the classical description applies to how we worked with apprentices. We trusted apprentices, or event analysts, with specific tasks. We thought of this work as important, just as every role on a team is important. It may not have been leading an incident response, but without the work of the event and incident analysts, we may not have discovered many incidents!</div>
<div>
<br /></div>
<div>
Crucially, we encouraged event analysts, and incident analysts for that matter, to always be looking to <i>exceed the parameters</i> of their assigned duties.</div>
<div>
<br /></div>
<div>
However, we stipulated that if a person was working beyond their assigned duties, they had to have their work product reviewed by the next level of analysis. This enabled mentoring among the various groups. It also helped identify people who were candidates for promotion. If a person consistently worked beyond their assigned duties, and eventually reached a near-perfect or perfect ability to do that work, that proved he or she was ready to assume the next level.</div>
<div>
<br /></div>
<div>
This ability to take on work beyond assigned duties is one reason I have problems with limiting data by role. I think everyone who works in a CIRT should have access to all of the data, assuming there are no classification, privacy, or active investigation constraints.</div>
<div>
<br /></div>
<div>
One of my laws is the following:</div>
<div>
<br /></div>
<div>
<b>Analysts are good because they have good data. An expert with bad data is helpless. An apprentice with good data has a chance to do good work.</b></div>
<div>
<b><br /></b></div>
<div>
I've said it more eloquently elsewhere but this is the main point. </div>
<div>
<br /></div>
<div>
For more information on the apprenticeship model, this <a href="https://www.classicalu.com/the-apprenticeship-model-three-levels-to-mastery/" target="_blank">article</a> might be useful.</div>