Posts

New Book! The Best of TaoSecurity Blog, Volume 3

Introduction: I published a new book! The Best of TaoSecurity Blog, Volume 3: Current Events, Law, Wise People, History, and Appendices is the third title in the TaoSecurity Blog series. It's in the Kindle Store, and if you have an Unlimited account, it's free. I also published a print edition, which is 485 pages. Book Description: The book features the following description on the back cover: Since 2003, cybersecurity author Richard Bejtlich has been publishing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 stories and approximately one million words, he has selected and republished the very best entries from 17 years of writing, along with commentaries and additional material. In the third volume of the TaoSecurity Blog series, Mr. Bejtlich addresses the evolution of his security mindset, influenced by current events and advice from his so-called set of "wise people." He talks about why speed is not the

Security and the One Percent: A Thought Exercise in Estimation and Consequences

There's a good chance that if you're reading this post, you're a member of an exclusive club. I call it the security one percent, or the security 1%. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with detection and response capabilities and not just planning and resistance/"prevention" functions. Introduction: This post will estimate the size of the security 1% in the United States. It will then briefly explain how the security strategies of the 1% might be irrelevant at best or damaging at worst to the 99%. A First Cut with FIRST: It's difficult to measure the size of the security 1%, but not impossible. My goal is to ascertain the correct orders of magnitude. One method is to review entities who are members of the Forum of Incident Response and Security Teams, or FIRST. FIRST is an organization to whi

MITRE ATT&CK Tactics Are Not Tactics

Just what are "tactics"? Introduction: MITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti

Greg Rattray Invented the Term Advanced Persistent Threat

I was so pleased to read this Tweet yesterday from Greg Rattray: "Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with ... Since then both the APT term and the nature of our adversaries have evolved. What hasn’t changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses." Background: First, some background. Who is Greg Rattray? First, you could call him Colonel or Doctor. I will use Col as that was the last title I used with him, although these days when we chat I call him Greg. Col Rattray served 21 years in the Air Force and also earned his PhD in international security from Tufts University. His thesis formed the content for his 2001 book Strategic Warfare in Cyberspace, which I reviewed in 2002 and rated 4 stars. (Ouch -- I was a bit stingy with the stars back then. I was

The FBI Intrusion Notification Program

The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years. This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post in her story U.S. notified 3,000 companies in 2013 about cyberattacks. The story noted the following: "Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions... About 2,000 of the notifications were made in person or by phone by the FBI, which has 1,000 people dedicated to cybersecurity investigations among 56 field offices and its headquarters. Some of the notifications were made to the same company for separate intrusions, officials said. Although in-person visits are preferred, resource constraints limit the bureau

New Book! The Best of TaoSecurity Blog, Volume 2

I published a new book! The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat. It's in the Kindle Store, and if you have a Kindle Unlimited account, it's free. Print edition to follow. The book lists as having 413 pages (for the Kindle edition at least) and it's almost 95,000 words. I started working on it in June after finishing Volume 1. Here is the book description: Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing. In the second volume of the TaoSecurity Blog series, Mr. Bejtlich addresses how to detect and respond to intrusions using third party threat intelligence sources, network data, application and infrastructure data, and endpoint data. He assesses govern

One Weird Trick for Reviewing Zeek Logs on the Command Line!

Are you a network security monitoring dinosaur like me? Do you prefer to inspect your Zeek logs using the command line instead of a Web-based SIEM? If yes, try this one weird trick! I store my Zeek logs in JSON format. Sometimes I like to view the output using jq. If I need to search directories of logs for a string, like a UID, I might* use something like zgrep with the following syntax: $ zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* 2020-08-16/conn_20200816_06:00:00-07:00:00+0000.log.gz:{"_path":"conn","_system_name":"ds61","_write_ts":"2020-08-16T06:26:10.266225Z","_node":"worker-01","ts":"2020-08-16T06:26:01.485394Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"proto":"tcp","service":"ftp",
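The zgrep search above treats the UID as a substring of each compressed line, which is fine for a quick look but matches anywhere in the line and does not follow the UID into logs that reference connections under a different field name. As an added example (not code from the post or from the Zeek project), the script below performs the same pivot across a directory of gzipped JSON Zeek logs by parsing each line: a UID matches only as the value of "uid" or as a member of the "conn_uids" array that files.log uses, and the hits come back grouped by _path and ordered by timestamp. The directory layout and the first conn record follow what the post shows; every other record (the second connection and the ftp, http and files entries) is constructed here for illustration.

```python
"""Pivot on a Zeek connection UID across a directory of gzipped JSON logs.

Added example; not code from the post. It does what the post's zgrep
pipeline does, but matches the UID as a JSON field value rather than as
a substring, and follows it into logs that carry UIDs under other names.
"""
import gzip
import json
import os
import tempfile
from collections import defaultdict

# Constructed sample records in Zeek's JSON layout. The first conn record
# mirrors the field shape of the conn line shown in the post; every other
# record below is invented here for illustration and was not on the page.
SAMPLE_LOGS = {
    "conn_20200816_06:00:00-07:00:00+0000.log.gz": [
        {"_path": "conn", "ts": "2020-08-16T06:26:01.485394Z",
         "uid": "CLkXf2CMo11hD8FQ5", "id.orig_h": "192.168.2.76",
         "id.orig_p": 53380, "id.resp_h": "196.216.2.24", "id.resp_p": 21,
         "proto": "tcp", "service": "ftp"},
        {"_path": "conn", "ts": "2020-08-16T06:30:00.000000Z",
         "uid": "CHttpExample00002", "id.orig_h": "192.168.2.76",
         "id.orig_p": 53390, "id.resp_h": "203.0.113.10", "id.resp_p": 80,
         "proto": "tcp", "service": "http"},
    ],
    "ftp_20200816_06:00:00-07:00:00+0000.log.gz": [
        # ftp.log records the control-channel connection under "uid"
        {"_path": "ftp", "ts": "2020-08-16T06:26:03.000000Z",
         "uid": "CLkXf2CMo11hD8FQ5", "user": "anonymous", "command": "RETR",
         "arg": "ftp://196.216.2.24/pub/README"},
    ],
    "http_20200816_06:00:00-07:00:00+0000.log.gz": [
        {"_path": "http", "ts": "2020-08-16T06:30:01.000000Z",
         "uid": "CHttpExample00002", "method": "GET", "host": "203.0.113.10",
         "uri": "/update.bin", "status_code": 200},
    ],
    "files_20200816_06:00:00-07:00:00+0000.log.gz": [
        # files.log points at connections through the "conn_uids" array,
        # not "uid", so a pivot that only reads "uid" would miss this record
        {"_path": "files", "ts": "2020-08-16T06:30:02.000000Z",
         "fuid": "FExample000000001", "conn_uids": ["CHttpExample00002"],
         "source": "HTTP", "mime_type": "application/octet-stream"},
    ],
}


def write_sample_logs(directory):
    """Write SAMPLE_LOGS as one-JSON-object-per-line gzip files, as log rotation leaves them."""
    for name, records in SAMPLE_LOGS.items():
        with gzip.open(os.path.join(directory, name), "wt", encoding="utf-8") as fh:
            for rec in records:
                fh.write(json.dumps(rec) + "\n")


def record_uids(rec):
    """Every connection UID a record refers to: the scalar "uid" plus the "conn_uids" array."""
    uids = set()
    if isinstance(rec.get("uid"), str):
        uids.add(rec["uid"])
    conn_uids = rec.get("conn_uids")
    if isinstance(conn_uids, list):
        uids.update(u for u in conn_uids if isinstance(u, str))
    return uids


def pivot_uid(directory, uid):
    """Return {_path: [records]} for every record under directory that references uid."""
    hits = defaultdict(list)
    for name in sorted(os.listdir(directory)):  # sorted for deterministic output
        if not name.endswith(".log.gz"):
            continue
        with gzip.open(os.path.join(directory, name), "rt", encoding="utf-8") as fh:
            for line in fh:
                line = line.strip()
                if not line:
                    continue
                try:
                    rec = json.loads(line)
                except json.JSONDecodeError:
                    continue  # a truncated line from a live rotation must not abort the search
                if uid in record_uids(rec):
                    hits[rec.get("_path", "unknown")].append(rec)
    return dict(hits)


def timeline(hits):
    """Flatten pivot output into (ts, _path, record) tuples ordered by timestamp."""
    rows = [(rec.get("ts", ""), path, rec) for path, recs in hits.items() for rec in recs]
    return sorted(rows, key=lambda row: (row[0], row[1]))


def demo():
    """Write the constructed logs to a scratch directory and pivot on each UID of interest."""
    directory = tempfile.mkdtemp(prefix="zeek-json-")
    write_sample_logs(directory)
    return {uid: pivot_uid(directory, uid)
            for uid in ("CLkXf2CMo11hD8FQ5", "CHttpExample00002", "Cnotpresent000000")}


if __name__ == "__main__":
    for uid, hits in demo().items():
        print(f"== {uid}: {sum(len(r) for r in hits.values())} record(s)")
        for ts, path, rec in timeline(hits):
            print(f"{ts}  {path:<6} {json.dumps(rec, sort_keys=True)}")
```

Point the `demo()` directory at a real day of logs (for example `2020-08-16/`) and the same `pivot_uid` call works unchanged; the output stays one JSON object per line, so it can still be piped into jq for the final pretty-printing the post describes.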