One Page to Share with Your Management

I thought this brief question-and-answer session, Richard Clarke: Preparing For A Future Cyberwar by Kim S. Nash extracted the essence of advanced persistent threat problems and how to address them. I'd like to publish the whole article, but instead I'll highlight my favorite sections:

Nash: How can the federal government protect companies?

Clarke: Do more. As a matter of law and policy, the federal government should actively counter industrial espionage.

Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It's a very 20th-century approach.

Until someone makes law or policy changes that say the U.S. Cyber Command can defend AT&T or Bank of America, it doesn't have the legal authority to do that. I think it should. The government also has to explain the threat to corporations.

Also:

Clarke: Until CEOs and boards of directors are faced with black-and-white evidence that they have lost a terabyte of information and that this has resulted in some other company beating them to market, until they have their noses rubbed in it, they're reluctant to do anything special...

Often, the CIO really needs board-level commitment and CEO commitment, not just of resources but to policies necessary for protection. Most of the time, all people want the CIO to do is keep the network up and costs down. As a result, many CIOs have been hired for their expertise in those areas, not for expertise in figuring out how to make a resilient network that resists attack.

Finally:

Clarke: It should be the federal government's responsibility to tell companies not only when they've been attacked but when others have been, such as their competitors, so they realize this sort of thing is going on...

[S]ometimes companies don't know they've been hacked. But frequently they realize after the fact. You don't know you've lost information until a knockoff of your product or some competing products start showing up in the marketplace.

I agree with all of these sentiments.

Incidentally I started read the library copy of Cyber War but decided I needed to take notes in the margins. So, I bought a copy from Amazon.com. I plan to finish it and review it by the end of the month.

Comments

David said…
Odd, I was sure I had seen a luke warm review of 'Cyber War' on your blog awhile ago. I actually picked it up myself, mainly because it looked like a thin book that executive level folks would read and get excited about.

Very interested to see your opinion/review of it!
11:03 AM
Christopher Porter said…
"[S]ometimes companies don't know they've been hacked. But frequently they realize after the fact. You don't know you've lost information until a knockoff of your product or some competing products start showing up in the marketplace."

Great point made here and very similar to what we (Verizon) have seen in our DBIR series. Usually a company doesn't know they have been breached until they are notified by a 3rd party. The 3rd party discovers the breach because the attacker fradulently uses the data that was stolen.
1:06 PM
M Ahmed said…
You have done a marvelous job! I am really inspired with your work.
8:41 PM
Dan said…
"Clarke: It should be the federal government's responsibility to tell companies not only when they've been attacked but when others have been, such as their competitors, so they realize this sort of thing is going on..."

I agree with all of these sentiments.

I don't. :)

1. It's not the government's place to tell me when my TV has been stolen either.
2. This is the problem with things like Infraguard. The intel you get is either so generic and sanitized that it is worthless and 6 months out of date, or it is so specific that no one will share it (neither the feds or the victims). It's, IMO, insane to think that companies will willingly share this info with their competitors or that they will be ok with it being shared by the government.
11:09 PM
Anonymous said…
Wrong. It's not their responsibility at all. Let bad companies sink and good companies develop security that works. Taxpayers don't have enough money to protect everyone anyway.
3:09 PM
David said…
Dan:

In response to 1, when you're TV gets stolen, it's something physical that's taken, that you will be able to easily notice. If someone came into your house, photocopied all of your personal records so they could steal your identity, wouldn't you want the government to let you know if they had the means?
5:38 PM
Dremspider said…
I think that it boils down to money on deciding whether the government should be responsible for assisting companies in the defense of their networks. Do you believe that the government would be able to do defense better and cheaper then companies working on their own? Governments do have a few advantage, because the data is shared if they are able to find a particular network attack in one network they will quickly be able to see what other networks have been exploited or attempted. The big problem I see with this approach is understanding of networks. The government can't and won't be able to have an understanding of every network. Anyone who monitors networks will tell you that you need to understand the network as well as changes being made to it.

What I would see as working more successfully would be if the government could be responsible for feeding data to businesses. Working with organizations such as the Open Security Foundation are a step in the right direction. In this case businesses are still responsible for defending their own network but the ability to share data still exists. Working within the community is better then building a new community which is what the government is trying to do.
9:55 PM
Anonymous said…
@Ayesha

If someone steals your TV, you probably know about it. but it's a TV, not like anyone can do anything but try to sell it.

If someone steals your car in the middle of the night while you sleep, goes on a robbery spree, and returns the car later, wouldn't you want to know why the seat was left scooted all the way back? more importantly, why are there bullet holes in the trunk?
11:27 AM
Anonymous said…
I couldn't agree with Dan more... its not the government's responsibility to control every aspect of our lives. It's that corporation's responsibility to protect themselves. If you don't want your research and development department hacked, go hire a network security consultant and charge for your product accordingly. Otherwise me, you and everyone else ends up paying for that corps fault in higher taxes to fund the extra staffing that the feds have to provide.

This is the most ridiculous stance on corporate network security i have ever read. Why don't we all take a step back and start taking responsibility for our own actions and not rely on the government for everything. The guy from Verizon above, it's Verizon's fault that their product info was hacked... not the feds. Go hire someone that knows what the hell they are doing.

This cyber war guy may know what he is talking about when it comes to hardening infrastructure, but you need to learn some self-worth and start relying on yourself to accomplish goals. Not the government. I'm all about sharing information to make this country a better place, but our legislature is not the end all be all to make sure our personal information is safe.
12:02 PM
Richard Bejtlich said…
Last anonymous: do you expect companies to protect the airspace over their office buildings, factories, etc.? I'd like to see some of my tax dollars spent on "provide for the common defense" as mentioned in our Declaration of Independence. If you disagree with the airspace comment, please read http://taosecurity.blogspot.com/2007/09/us-needs-cyber-norad.html
9:14 PM
Peter Abatan said…
The reason for the divided views is to be expected, especially coming of the back of the recent bank bailouts. On the other hand I do not expect a global corporate like Google to take on the might of China if information espionage agents are involved.

Without a shadow of doubt global organizations would have to invest heavily to actively counter industrial espionage. Persistent security tools would play a dominant role to counter this new warfare. Some organisations get it, and some don't but it only takes a few examples for the other organizations to get it.
6:39 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more