Wednesday, March 24, 2010


I am pleased to announce that on Friday 19 March the Forum of Incident Response and Security Teams, or FIRST, accepted the General Electric Computer Incident Response Team, GE-CIRT, as a full member.

This represents about a year of work for us. I am really proud of our team, especially since we reached initial operational capability on 1 January 2009.

I would like to thank James Barlow and Rob Renew for sponsoring our application; Sarah Gori for leading our application process; David Bianco for helping Sarah with technical aspects of the process; and our security team members for assisting with meeting FIRST's criteria.

If you are a member of an incident detection and response team but your team is not part of FIRST, please check out the membership process. I advocated joining FIRST for three reasons:

  1. Joining FIRST is a sign to the world that your team has reached a certain level of maturity, stability, and capability.

  2. The membership process itself will help focus your team's operations and may help justify process and capability improvements that you may or may not realize you need.

  3. FIRST is a community of like-minded professionals with whom you can share information, practices, and lessons that might not be suitable for wider discussions.

When I speak at FIRST 2010 in Miami in June I will describe our membership process and more generally how to build a Fortune 5 CIRT. The conference is open to non-FIRST members, so please consider attending it.

Finally, I am still trying to fill a few of the roles listed here. I am particularly interested in finding a system administrator with FreeBSD and MySQL database experience for our Information Security Infrastructure Engineer role (job 1147859). Please consider applying for one of the other roles within GE as well, listed below my jobs. Thank you.

Bejtlich in April Wired Magazine

The April issue of Wired Magazine features an article by Noah Shachtman titled Security Watch: Beware the NSA’s Geek-Spy Complex. Noah writes:

Early this year, the big brains at Google admitted that they had been outsmarted. Along with 33 other companies, the search giant had been the victim of a major hack — an infiltration of international computer networks that even Google couldn’t do a thing about. So the company has reportedly turned to the only place on Earth with a deeper team of geeks than the Googleplex: the National Security Agency...

Technically, rendering this aid isn’t the NSA’s job, says Richard Bejtlich, a former Air Force cybersecurity officer now with General Electric. “But when you’re in trouble, you go to the guys who actually have a clue.”

I appreciate the mention Noah! The focus of his article is as follows:

[Within NSA, o]ne team wants to exploit software holes; the other wants to repair them. This has created a conflict — especially when it comes to working with outsiders in need of the NSA’s assistance. Fortunately, there’s a relatively simple solution: We should break up the NSA.

I told Noah I didn't think that would work. I outlined one reason in my post Offense and Defense Inform Each Other. Each side in the battle is stronger because of the other.

However, I agree that many people don't trust NSA. I do, but then I know people there, and I was an Air Force intel officer who served at the former Air Intelligence Agency (which was the Air Force Service Cryptologic Element to NSA). The NSA is trying to fight external threats, not listen to you crunch corn flakes while eating breakfast.

I don't see anything short of a massive cyber disaster resulting in actions to change NSA. It's probably more realistic to see calls for greater Congressional oversight to safeguard privacy.

Bejtlich Returns to PaulDotCom Podcast

The guys at PaulDotCom posted the .mp3 (39 MB) of the podcast they recorded last week. It was another debate between myself and Ron Gula. We contrast control-centric and threat-centric defensive strategies, and also discuss the advanced persistent threat. Thanks for having us. I had forgotten that I was on their second show in January 2006!

Monday, March 22, 2010

Ways to Justify Security Programs: 13 Cs

My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program.

I don't intend for readers to use all of these, or to even agree. However, you may find a handful that might have traction in your environment.

  1. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective.

  2. Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.

  3. Competitiveness. Please see my previous blog post.

  4. Comparison. If your company's security team is 10% the size of the average peer organization's team, it's not going to look good when you have a breach and have to justify your decisions.

  5. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.

  6. Customers. It seems rare to find customers abandoning a company after a breach. People still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers but it often is insufficient.

  7. Constituents. I use this term to apply to internal parties. Large companies often provide services to other business units.

  8. Controllership. Is your organization well-governed? Can it account for the state of its systems for auditors and so forth?

  9. Conservation. This is a play on "green IT." What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or handling them remotely by moving data, not people?

  10. Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improve defenses.

  11. Confidence. Confidence applies to all parties involved. Can you trust your data?

  12. Counting. This is a plug for metrics.

  13. [Securities and Exchange] Commission. This is a play on the 10-K forms shareholders receive in the mail. Please see the linked post for more details.

Sunday, March 21, 2010

Forget ROI and Risk. Consider Competitive Advantage

In my last post, Time and Cost to Defend the Town, I mentioned pondering different ways to discuss digital security with a new executive. This business leader reportedly said "every day, our businesses are competing in a global marketplace. How can we help them?" I thought about that statement and one idea came to mind:

Digital security helps businesses build competitive advantage.

I've decided that competitiveness is the new theme which I will use to justify my team's activities when discussing our mission with management.

It seems simple and accurate to me. Capable digital security teams help businesses build competitive advantage by keeping data out of the hands of adversaries.

Contrast competitiveness with two other popular paradigms for discussing digital security: ROI and risk. Imagine the following conversations. Which do you prefer?

1. "ROI-centric discussion"

Security person: Hello boss. We need to implement our security program because it has a ROI of $1 million.

Boss: You mean if we adopt your program we're going to earn $1 million?

Security person: No, we'll save $1 million.

Boss: Get out of my office. Come back after you've taken a finance class.

2. "Risk-centric discussion"

Security person: Hello boss. We need to implement our security program because I've calculated our risk to be 1.35.

Boss: What does that mean?

Security person: Hmm, OK, I'll leave now.

3. "Competitiveness discussion"

Security person: Hello boss. We need to implement our security program because it will provide a competitive advantage to our businesses.

Boss: That's a new one. Tell me more.

Security person: We have adversaries who try to steal, and sometimes do steal, our data.

Boss: So what. Isn't it just World of Warcraft credentials?

Security person: Our adversaries steal intellectual property like design plans, pricing data, negotiation strategies, and other information which means they might understand our business as well as we do.

Boss: Is that true? You mean we could lose deals because our products are copied, our bids undercut, our positions already known? I wonder if that's why we lost a deal to MegaCorp last month...

Security person: Now that you mention it, here is a report on suspicious computer activity involving MegaCorp last week. Our team managed to interdict their theft attempt, but in the future we'd like to be able to detect and respond faster, as well as make it more difficult for the adversary to have a chance to steal our information.

Boss: Now you're talking. Sit down, let's discuss this.

Notice what happened here. Magazines written for CIOs, CTOs, CISOs, and so on constantly advocate "speaking the language of the business." Unfortunately this "language" has been assumed to be finance. As a result security people tried to shoehorn their projects into ROI or ROSI, with laughable results.

As we've seen during the last few years, "risk" has turned out to be a dead end too. The numbers mean nothing. Even if you could somehow measure risk, it's easy enough for managers to accept a higher level of risk than the security manager.

Competitiveness, on the other hand, is everything to business people. They are constantly looking for an edge. In a tight economy, gaining an advantage over the competition could mean the difference between thriving and going out of business.

Notice that discussing competitiveness also avoids the death spiral associated with ROI discussions: cost. When conversation is ROI-centric, digital security is perceived as being a loss prevention exercise and a cost center. IT in general is often seen in this light. Don't dump money in a cost center -- cut spending instead!

When you turn the focus on the adversary -- you are threat-centric -- and discuss how he is trying to beat you and how you can beat him, you are likely to strike a primal chord in the mind of the business person. The executive is likely to wonder "what else can we do to give us a competitive advantage?" Suddenly the digital security shop is seen as a business partner in a common fight with the competition, not a cost center dragging down the "productive" elements of the business.

This isn't a new idea, but it's largely absent in the mindshare of digital security professionals. (If anyone has an ACM account I'd like to read Using information security to achieve competitive advantage by Charles Cresson Wood, 1991.) In addition to mentioning ROI and risk, it's important to remember that compliance is the other driver that is likely to justify funding. However, I believe we are more likely to see security shops spending resources explaining why their current activities meet regulatory requirements. I doubt new programs are going to be created to meet compliance needs, since compliance is basically a ten-year-old justification at this point.

Friday, March 19, 2010

Time and Cost to Defend the Town

Recently I guest-blogged on the importance of learning how another person thinks. This week I had a chance to apply this lesson with a new decision maker. I learned that I need to develop a way for this executive to think about our security program. I discussed the situation with my wife and she suggested focusing on cost. I thought about this a little more and realized that was the right way to approach the problem.

Consider the following scenario. You're the mayor of a town. You need to decide how much of your budget to allocate to the fire department. To apply the most simplistic analysis to the problem, consider this scene. As mayor you give the fire chief a simple goal: "protect us from fires!" The fire chief asks you: "Mayor, on average, how fast do you want the fire department to respond to a fire?"

I am not an expert on fighting real fires, but let's think about a range of some possible answers.

  • Option 1. Instantly. Literally as soon as a fire is detected, fire fighters are on site. Assume this level of response produces the maximum level of containment and preservation of property value, on average.

  • Option 2. Within 15 minutes. Assume this level of response produces 75% containment and preservation of property value, on average.

  • Option 3. Within 30 minutes. 50% containment and preservation of property value, on average.

  • Option 4. Within 45 minutes. 25% containment and preservation of property value, on average.

  • Option 5. Within 60 minutes. It's too late. With this timing, the property value is destroyed.

As mayor you're likely to first reach for option 1. After all, you want to preserve property value. However, the fire chief says "maybe you should consider the following data."

  • Option 1 costs $64 million. Fire fighters are deployed at 16 locations.

  • Option 2 costs $32 million. Fire fighters are deployed at 8 locations.

  • Option 3 costs $16 million. Fire fighters are deployed at 4 locations.

  • Option 4 costs $8 million. Fire fighters are deployed at 2 locations.

  • Option 5 costs $4 million. Fire fighters are deployed at 1 location.

At this point you're starting to sweat. There has to be a way out of this situation! You decide that you can't afford option 1, or 2, or probably even 3. The recession is hitting your town hard. You ask the fire chief if there's a way to reduce the number of fires expected to occur, so that a smaller fire fighting force can react more quickly to fewer fires.

The fire chief switches from his fire fighter role to that of fire marshal. He says that is certainly possible, if the mayor wants to pick from one or more of the following options.

  • Rebuild dwellings using fire-resistant materials.

  • Inspect and rewire electrical systems, including aggressive, persistent monitoring for faults.

  • Deploy advanced fire, smoke, and related alarms everywhere.

  • Remove flammable materials from dwellings.

  • Educate citizens on fire hazards.

  • Ensure all citizens know how to contact the fire department, and have the means to do so efficiently and effectively.

  • Plus a dozen more options...

You are probably getting the hang of this scenario. At this point the mayor needs to know the cost of each of the fire prevention measures outlined above. Let's not forget one other element: the fire chief asks the police chief to inform the mayor of the arsonist threat, and to describe how dedicated counter-threat activities can deter and detain adversaries who set dwellings ablaze.

At the end of the day, the fire chief is presenting options to the mayor, and it's up to the mayor to decide how fast we want to be able to respond to the fires that will happen, and at what cost.

(I emphasize "fires that will happen" because that is the reality of life. Disasters happen, so you have to plan for them.)

For me, this is the best way to approach this executive. The fire chief doesn't get to decide how much money to spend on the problem. That's the mayor's decision. The mayor needs to make a budget choice, preferably with the fire chief's input, and then let the fire chief make the best resource allocation to meet the time goals requested by the mayor.

For me, time and cost are the best levers we can move in digital security. I can measure detection and response time for the incidents we handle. I can track how much money I am spending to meet those time requirements. If the mayor wants faster response time, the mayor can try to reduce the number of fires via fire marshal programs and/or apply more resources to the fire fighters.

Beyond measuring incident detection and response for real intrusions, you can use red teaming/adversary simulation to create metrics. You can say "for the money currently spent on our security resistance program, it takes a Red Team X minutes to accomplish Goal Y. Is that acceptable?" If X minutes is unacceptable, you can again present a cost-benefit analysis in order to derive a decision.

If you think you've heard this line of reasoning before (outside this blog), please check whether the other advocates have emphasized outcomes as I do here and elsewhere. I'm not saying "spend $10 million to achieve 95% patch compliance." That's an input metric. I'm talking about output metrics against real intrusion activity and adversary simulations.
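To make the output metrics in this post concrete, here is how a CIRT might compute them from its incident records. This is an added example, not code from the original post or from GE-CIRT. The Incident fields, the sample records, and the metric names are assumptions constructed for illustration; the option table reuses the fire chief's illustrative cost figures from above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class Incident:
    ident: str
    compromised: datetime          # best estimate of when the intrusion began
    detected: datetime             # when the team first recognized it
    contained: Optional[datetime]  # None while the incident is still open
    red_team: bool = False         # True for an adversary-simulation exercise


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample records (hypothetical, not real CIRT data): five real
# intrusions, one still open, and one red team exercise whose "compromised"
# time is the start of the exercise.
SAMPLE: List[Incident] = [
    Incident("INC-1", _ts("2010-03-01 09:00"), _ts("2010-03-01 11:30"), _ts("2010-03-01 12:15")),
    Incident("INC-2", _ts("2010-03-02 22:00"), _ts("2010-03-04 08:00"), _ts("2010-03-04 09:00")),
    Incident("INC-3", _ts("2010-03-05 14:00"), _ts("2010-03-05 14:20"), _ts("2010-03-05 14:50")),
    Incident("INC-4", _ts("2010-03-08 03:00"), _ts("2010-03-10 03:00"), None),
    Incident("INC-5", _ts("2010-03-11 10:00"), _ts("2010-03-11 10:05"), _ts("2010-03-11 12:00")),
    Incident("RT-1", _ts("2010-03-12 09:00"), _ts("2010-03-12 09:40"), _ts("2010-03-12 10:10"), red_team=True),
]

# The fire chief's table from the post: response time in minutes -> cost in
# $ millions. Illustrative numbers, not a real budget.
FIRE_OPTIONS: Dict[int, int] = {0: 64, 15: 32, 30: 16, 45: 8, 60: 4}


def time_to_detect(inc: Incident) -> timedelta:
    """Dwell time: how long the adversary operated before anyone noticed."""
    return inc.detected - inc.compromised


def time_to_contain(inc: Incident) -> Optional[timedelta]:
    """Response time: detection to containment, or None while still open."""
    return None if inc.contained is None else inc.contained - inc.detected


def _minutes(td: timedelta) -> float:
    return td.total_seconds() / 60.0


def fraction_within(incidents: List[Incident], target_minutes: int) -> float:
    """Share of incidents contained within the target. An open incident has
    not met the goal, so it counts against you rather than being skipped."""
    if not incidents:
        return 0.0
    met = 0
    for inc in incidents:
        ttc = time_to_contain(inc)
        if ttc is not None and _minutes(ttc) <= target_minutes:
            met += 1
    return met / len(incidents)


def summarize(incidents: List[Incident], target_minutes: int) -> Dict[str, Optional[float]]:
    """Output metrics to put in front of a decision maker: how fast we detect,
    how fast we contain, and how often we meet the agreed target, with red
    team exercises reported separately from real intrusions."""
    real = [i for i in incidents if not i.red_team]
    sims = [i for i in incidents if i.red_team]
    closed = [time_to_contain(i) for i in real if i.contained is not None]
    return {
        "incidents": len(real),
        "open": sum(1 for i in real if i.contained is None),
        "median_time_to_detect_hours":
            median(_minutes(time_to_detect(i)) / 60.0 for i in real) if real else None,
        "median_time_to_contain_minutes":
            median(_minutes(t) for t in closed) if closed else None,
        "contained_within_target": fraction_within(real, target_minutes),
        "red_team_exercises": len(sims),
        "red_team_median_detect_minutes":
            median(_minutes(time_to_detect(i)) for i in sims) if sims else None,
    }


def cheapest_option_meeting(options: Dict[int, int], target_minutes: int) -> Optional[Tuple[int, int]]:
    """Given (response minutes -> cost) options, pick the cheapest one that is
    fast enough for the target; None if no option meets it."""
    fast_enough = [(m, c) for m, c in options.items() if m <= target_minutes]
    return min(fast_enough, key=lambda mc: mc[1]) if fast_enough else None


if __name__ == "__main__":
    for key, value in summarize(SAMPLE, 60).items():
        print(f"{key}: {value}")
    print("cheapest option for a 20-minute target:", cheapest_option_meeting(FIRE_OPTIONS, 20))
```

The one design choice worth noting is in fraction_within: an incident that is still open is counted as having missed the target, not dropped from the denominator. Dropping it would make the number look better precisely when response is slowest, which defeats the purpose of an output metric.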

Wednesday, March 17, 2010

Guest Post on SecureThinking about Cyber Shockwave

BT asked me to write a guest post on their blog, so I provided a new Reaction to Cyber Shockwave. I hadn't really addressed one of the main reasons why I liked Cyber Shockwave, despite the LOL-worthy "technical" aspects of the "simulation," when I wrote my first Reaction to Cyber Shockwave.

Please check out the post if you'd like to read more about this. Thank you.

Sunday, March 14, 2010

Verizon Incident Sharing Framework

Earlier this month Verizon Business announced their Verizon Incident Sharing Framework (VerIS framework). This document is a means to describe digital security incidents, using four main groupings: 1. Demographics, 2. Incident Classification, 3. Discovery and Mitigation, and 4. Impact Classification.

The idea is to provide a framework that incident investigators can complete for every digital security incident. Using the output, security teams can better identify trends and recommend improved security strategies and tactics. For example, Verizon builds its Data Breach Investigations Report using data from its incident responses, formatted using the VerIS framework.

Verizon asked me to participate on a "board" affiliated with this project, so you can expect to hear more from me. Verizon started a Zoho Forum to discuss the framework, but I think a Wiki would better facilitate collaboration and development of the document. At work we are working on our next generation incident management system, so I think the VerIS framework might help us identify information to collect on incidents.

Saturday, March 13, 2010

Bejtlich Keynote at VizSec 2010

I am pleased to report that I've been invited to deliver the keynote at VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee for a third year and will be evaluating papers soon. Please visit my post on calls for papers for DFRWS, VizSec, and RAID. Thank you.

Wednesday, March 10, 2010

Bejtlich OWASP Podcast Posted

My appearance on OWASP Podcast 61 is available.

The .mp3 is 36 MB. Thanks to Jim Manico for inviting me to participate.

We recorded the podcast in late January. Jim asked me the following questions:
  1. Would you care to tell us how you got into IT and what led you into a career in information security? What keeps you busy these days?
  2. What's the difference between focusing on threats vs focusing on vulnerabilities?
  3. What is your problem with the "protect the data" mindset?
  4. What do you mean by "building visibility in"?
  5. What is your take on the Aurora/Google hack?
  6. You just tweeted that "Network Security Monitoring ideology is the proper mechanism to combat APT/APA". Do you think network IPS/IDS/WAF can help defend insecure web applications? What are the limits of Network Security Monitoring?
  7. How important a role do you think secure coding and secure software development life-cycle play in defending the enterprise?
  8. Have HIPAA, PCI, SOX and other regulations helped reduce risk in the average enterprise?
  9. It seems pretty clear that attackers have a clear advantage. Why is that? How can we turn the tide?
  10. Any thoughts on OWASP? Are we helping the cause?
  11. Where are we going to be as an industry in 10 years?
  12. You blogged that "The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset." Given that we don't have any high integrity database, identities or application servers - how do you detect a breach of integrity when there is no verifiable integrity in the system in the first place?

Monday, March 08, 2010

Traffic Talk 10 Posted

I just noticed that my tenth edition of Traffic Talk, titled -- where Web 2.0 meets network packet analysis, has been posted. From the article:

Solution provider takeaway: is a free packet collaboration site hosted by Mu Dynamics. Solution providers can participate in the community to exchange, analyze and gather traces for testing products or processes for their customers, including network packet analysis.

Not many networking solution providers are happy with the apparently limited number of network traces available for testing their products or processes. Hardly a day goes by on a network-focused mailing list without a participant asking, "Where can I download network traffic to test X?" Fortunately for anyone who wants to take network traffic exchange to a new level, Mu Dynamics has answered the call. Its site is the self-proclaimed "Web 2.0 for packets." In this edition of Traffic Talk, we'll take a tour of to see what features it offers networking solution providers, including network packet analysis.

Saturday, March 06, 2010

Einstein 3 Coming to a Private Network Near You?

In my Predictions for 2008 I wrote:

Expect greater military involvement in defending private sector networks... The plan calls for the NSA to work with the Department of Homeland Security (DHS) and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the "Cyber Initiative."

Now in Feds weigh expansion of Internet monitoring we read:

Homeland Security and the National Security Agency may be taking a closer look at Internet communications in the future.

The Department of Homeland Security's top cybersecurity official told CNET on Wednesday that the department may eventually extend its Einstein technology, which is designed to detect and prevent electronic attacks, to networks operated by the private sector. The technology was created for federal networks.

Greg Schaffer, assistant secretary for cybersecurity and communications, said in an interview that the department is evaluating whether Einstein "makes sense for expansion to critical infrastructure spaces" over time.

Not much is known about how Einstein works, and the House Intelligence Committee once charged that descriptions were overly "vague" because of "excessive classification." The White House did confirm this week that the latest version, called Einstein 3, involves attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.

The first step towards creating Cyber NORAD is instrumentation. Stay tuned.

Making a Point with Pressure Points

Imagine you're a martial arts student. One day you have a guest instructor, accompanied by some of his black belts. They're experts in so-called "pressure point fighting." You've heard a little of this system, whereby practitioners can knock out adversaries with a series of precise strikes that lack the power of a brute-force approach. Until today you've had no direct experience. You may be skeptical, or maybe you believe such techniques are possible.

The seminar starts. You watch the guest instructor explain his techniques. He starts knocking out his black belts. Maybe you believe what you see, or maybe you don't. Then the instructor asks for volunteers, and several of your fellow students agree. The instructor knocks them all out, including a student you really trust to not "take a fall" to make the guest "look good." You ask the student "what happened?" and he replies "that dude knocked me out!"

Next the black belts fan out through the class to help teach pressure point techniques. They ask you if you want to get knocked out with a three-strike technique, or if you just want to feel disoriented with a two-strike technique. You decide you're a believer at this point, but you want to see what it feels like to receive a two-strike technique. Sure enough, two rapid strikes later, you're wondering what happened but are still conscious. That's all you need to believe; you're glad you're not lying on the floor, out cold!

The class ends. Several bystanders were watching through the studio's windows. Some of them are laughing. They think the whole class was fake, a joke, or stupid. Some witnesses are curious. They believe what they saw and want to know more. A few ask questions. Others mumble to themselves incoherently, probably intoxicated or mentally ill.

One of the students decides to talk to a famous yet local news reporter about his experience. This widely-read newspaper reports the story the next day, attracting a lot of attention.

With a wider audience, an extended discussion takes place about this pressure-point fighting activity.

One company conducts a Webcast and a spokesperson says "my mom used to knock me out with a frying pan when I was a kid!" He also says there's no difference between pressure-point fighting and getting punched in the face.

Another company decides to register a domain name called "" and starts talking about how it works, applying what they know from Western boxing. This misses the mark but uninformed observers can't really tell the difference.

A third company jumps on the pressure point fighting bandwagon, issuing supposedly original research, inventing its own analysis, and integrating the technique into its marketing material. It turns out someone at the company had a confidential agreement with the original pressure point fighting instructor, but unilaterally decided to take a few pages out of his notebook and run to the market to make a fast buck.

A fourth company knows a lot about pressure point fighting. It writes original reporting based on its experience. Critics claim this company is just offering marketing based on the new craze.

Reaction to the news among those without direct experience is mixed, as might be expected.

Some readers are martial artists themselves. They fear being irrelevant. They are afraid their skills are not sufficient. They decide to ridicule anyone who participated in the seminar, or who has knowledge.

Some readers distrust authority. They think these techniques are just a government conspiracy to justify additional police powers. The only reason anyone is talking about such affairs is their need to get greater budgets for their oppressive police powers, man!

Some readers think the whole affair is "fear, uncertainty, and doubt" (FUD). Who could knock out a person by hitting a few pressure points? It's all a lie, or just the latest craze. It must be fake.

Some readers have been learning and practicing pressure point fighting for the last several years. They know it isn't a joke, and it is real. Also, some readers without experience realize they should learn more about pressure point fighting. That knowledge could save their lives, or the lives of those close to them. These like-minded people communicate privately, since the public arenas are now clogged with too many false discussions.

Aside from the fact that advanced persistent threat is an adversary, and not a fighting technique, this story explains the last 6 weeks of APT activity in the security industry. Not all factors are included, but enough to make my point.

Incidentally, the pressure point class is a true story, at least as far as the class content is described.

Keeping FreeBSD Applications Up-to-Date in BSD Magazine

The March 2010 BSD Magazine includes an article I wrote titled Keeping FreeBSD Applications Up-to-Date.

It's a sequel to my article in the January 2010 BSD Magazine titled Keeping FreeBSD Up-to-Date: OS Essentials.

These two articles replace the versions I wrote in 2005.

I wrote these articles to demonstrate the variety of ways a system administrator can keep the FreeBSD operating system and applications up-to-date, with examples showing commands and effects.

Thursday, March 04, 2010

Bejtlich Teaching at Black Hat EU and USA 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year.

First is Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain. I will be teaching TCP/IP Weapons School 2.0.

Registration is now open. Black Hat has three price points and deadlines for registration remaining.

  • Regular ends 1 Apr

  • Late ends 11 Apr

  • Onsite starts at the conference

Finally we have Black Hat USA 2010 Training on 25-28 July 2010 at Caesars Palace in Las Vegas, NV. I will be teaching two sessions of TCP/IP Weapons School 2.0, one on the weekend and one during the week.

Registration is now open. Black Hat has set five price points and deadlines for registration.

  • Super Early ends 15 Mar

  • Early ends 1 May

  • Regular ends 1 Jul

  • Late ends 22 Jul

  • Onsite starts at the conference

Seats are filling -- it pays to register early!

If you review the Sample Lab I posted earlier this year, this class is all about developing an investigative mindset by hands-on analysis, using tools you can take back to your work. Furthermore, you can take the class materials back to work -- an 84 page investigation guide, a 25 page student workbook, and a 120 page teacher's guide, plus the DVD. I have been speaking with other trainers who are adopting this format after deciding they are also tired of the PowerPoint slide parade.

Feedback from my 2009 sessions was great. Two examples:

"Truly awesome -- Richard's class was packed full of content and presented in an understandable manner." (Comment from student, 28 Jul 09)

"In six years of attending Black Hat (seven courses taken) Richard was the best instructor." (Comment from student, 28 Jul 09)

If you've attended a TCP/IP Weapons School class before 2009, you are most welcome in the new one. Unless you attended my Black Hat training in 2009, you will not see any repeat material whatsoever in TWS2. Older TWS classes covered network traffic and attacks at various levels of the OSI model. TWS2 is more like a forensics class, with network, log, and related evidence.

I plan to retire TWS2 after Vegas this year and teach TWS3 in 2011, if Black Hat invites me back.

I recently described differences between my class and SANS if that is a concern.

I look forward to seeing you. Thank you.

Bejtlich to Speak at FIRST 2010

I'm happy to report that I will present Building a Fortune 5 CIRT Under Fire at FIRST 2010 on 16 Jun 10 in Miami, FL. I plan to attend the majority of the conference, since it is one of the few focused on incident detection and response. I hope to see you there!