Stiennon on Enforcement

Richard Stiennon's blog makes a great point today. He says

"The entire IT security market is focused on protections. This is great as more and more protections by default are deployed. But I believe that enforcement actions must be taken as well. There is some sign that cooperation between enforcement agencies in the UK, Israel, and Russia have been effective. The most important was the breaking up of a ring of cyber-extortionists in 2003 that dramatically slowed the number of DDOS incidents.

As it will be a while before prosperity finds its way to every corner of the globe it is imperative that law enforcement agencies start working together to track down and jail cyber criminals now."

He is completely correct. Remember the risk equation: Risk = Threat x Vulnerability X Cost (of asset). We security practitioners (and our clients) can only really influence the vulnerability aspect of the equation. We can't usually decrease the value of an asset, either. Only those in law enforcement or the military can take direct action against threats. The only real way to eliminate risk is to eliminate the threat. No amount of countermeasures can remove all vulnerabilities and keep a determined adversary from exploiting a target. Making the threat go to zero is the only way to make risk go to zero.

Stiennon also points out a fascinating Privacy Rights Clearinghouse chronology of data breaches since the ChoicePoint incident.

Comments

Anonymous said…
I completely agree. I think there is a fundamental flaw in the way law enforcement approaches cybercrime; that is, they wait for a large company to complain that they lost X thousands of dollars due to hacking/malware and only then will they open an investigation. Most of the time companies are not going to report an outbreak of Mytob or other worms/viruses, so nothing happens on the investigative front. Meanwhile, the situation for everyone gets worse. The cybercriminals certainly see that there are very few prosecutions (and therefore nothing to fear), and the ones we do hear about are most often due to an informant (as in the Sven Jaschen case) or a "clueless-kid" mistake like tagging your release with your domain which is registered with your home address (such as Jeffrey Parson).

There needs to be a law-enforcement task force actively searching for those who write and release malware in the wild, and they should start at the top of the food chain - the ones who are doing it for profit. Oftentimes, through various clues left in the binary and information shared among researchers, we find out the real identity of various malware authors. Yet not a single one of these cases we have passed along has been seriously investigated by law enforcement. This seems to be because no large company has come forward and complained that they lost substantial money due to this malware. Meanwhile these miscreants are free to continue releasing variant after variant, improving their skills and causing increasing damage worldwide. What ever happened to protecting the public?
8:55 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more