Showing posts from 2014

Five Reasons Attribution Matters

Attribution is the hottest word in digital security. The term refers to identifying responsibility for an incident. What does it matter, though? Here are five reasons, derived from the five levels of strategic thought. I've covered those before, namely in The Limits of Tool- and Tactics-Centric Thinking. Note that the reasons I outline here are not the same as performing attribution based on these characteristics. Rather, I'm explaining how attribution can assist responsible actors, from defenders through policymakers. 1. Starting from the bottom, at the Tools level, attribution matters because identifying an adversary may tell defenders what software they can expect to encounter during an intrusion or campaign. It's helpful to know if the adversary uses simple tools that traditional defenses can counter, or if they can write custom code and exploits to evade most any programmatic countermeasures. Vendors and software engineers tend to focus on this level beca

Don't Envy the Offense

Thanks to Leigh Honeywell I noticed a series of Tweets by Microsoft's John Lambert. Aside from affirming the importance of security team members over tools, I didn't have a strong reaction to the list -- until I read Tweets nine and ten. Nine said the following: 9. If you shame attack research, you misjudge its contribution. Offense and defense aren't peers. Defense is offense's child. I don't have anything to say about "shame," but I strongly disagree with "Offense and defense aren't peers" and "Defense is offense's child." I've blogged about offense over the years, but my 2009 post Offense and Defense Inform Each Other is particularly relevant. John's statements are a condescending form of the phrase "offense informing defense." They're also a sign of "offense envy." John's last Tweet said the following: 10. Biggest problem with network defense is that defenders think

What Does "Responsibility" Mean for Attribution?

I've written a few posts here about attribution. I'd like to take a look at the word "responsibility," as used in the FBI Update on Sony Investigation posted on 19 December: As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following... (emphasis added) I'm not in a position to comment on the FBI's basis for its conclusion, which was confirmed by the President in his year-end news conference. I want to comment on the word "responsibility," which was the topic of a February 2012 paper by Jason Healey for The Atlantic Council, titled Beyond Attribution: Seeking National Responsibility in Cyberspace. In the paper, Jason

Nothing Is Perfectly Secure

Recently a blog reader asked to enlist my help. He said his colleagues have been arguing in favor of building perfectly secure systems. He replied that you still need the capability to detect and respond to intrusions. The reader wanted to know my thoughts. I believe that building perfectly secure systems is impossible. No one has ever been able to do it, and no one ever will. Preventing intrusions is a laudable goal, but I think security is only as sound as one's ability to validate that the system is trustworthy. Trusted != trustworthy. Even if you only wanted to make sure your "secure" system remains trustworthy, you need to monitor it. Since history has shown everything can be compromised, your monitoring will likely reveal an intrusion. Therefore, you will need a detection and a response capability. If you reject the notion that your "secure" system will be compromised, and thereby reject the need for incident response, you still need a detectio

Bejtlich on Fox Business Discussing Recent Hacks

I appeared on Fox Business (video) today to discuss a wide variety of hacking topics. It's been a busy week. Liz Claman and David Asman ask for my perspective on who is responsible, why the FBI is warning about destructive malware, how the military should respond, what businesses can do about intrusions, and more. All of these subjects deserve attention, but I tried to say what I could in the time available. For more on these and other topics, don't miss the annual Mandiant year-in-review Webinar, Wednesday at 2 pm ET. Register here. I look forward to joining Kristen Verderame and Kelly Jackson Higgins, live from Mandiant HQ in Alexandria, Virginia.

Response to "Can a CISO Serve Jail Time?"

I just read a story titled Can a CISO Serve Jail Time? Having been Chief Security Officer (CSO) of Mandiant prior to the FireEye acquisition, I thought I would share my thoughts on this question. In brief, being a CISO or CSO is a tough job. Attempts to criminalize CSOs would destroy the profession. Security is one of the few roles where global, distributed opponents routinely conduct criminal acts against business operations. Depending on the enterprise, the offenders could be nation state adversaries largely beyond the reach of any party, to include the nation state hosting the enterprise. Even criminal adversaries can remain largely untouchable. I cannot think of another business function that suffers similar disadvantages. If a commercial competitor took actions against a business using predatory pricing, or via other illegal business measures, the state would investigate and possibly prosecute the offending competitor. For actions across national boundaries, one might see

Thank You for the Review and Inclusion in Cybersecurity Canon

I just read The Cybersecurity Canon: The Practice of Network Security Monitoring at the Palo Alto Networks blog. Rick Howard, their CSO, wrote the post, which marks the inclusion of my fourth book in Palo Alto's Cybersecurity Canon. According to the company's description, the Canon is: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional's education that will make the practitioner incomplete. The Canon candidates include both fiction and nonfiction, and for a book to make it into the canon, must accurately depict the history of the cybercrime community, characterize key places or significant milestones in the community, or precisely describe technical details that do not exaggerate the craft. It looks like my book is only the second technical book to be included. The first appears to be the CERT Guide to Insider Threats.

We Need More Than Penetration Testing

Last week I read an article titled People too trusting when it comes to their cybersecurity, experts say by Roy Wenzl of The Wichita Eagle. The following caught my eye and prompted this post: [Connor] Brewer is a 19-year-old sophomore at Butler Community College, a self-described loner and tech geek... Today he's what technologists call a white-hat hacker, hacking legally for companies that pay to find their own security holes. When Bill Young, Butler's chief information security officer, went looking for a white-hat hacker, he hired Brewer, though Brewer has yet to complete his associate's degree at Butler... Butler's security system comes under attack several times a week, Young said... Brewer and others like him are hired by companies to deliberately attack a company's security network. These companies pay bounties if the white hackers find security holes. "Pen testing," they call it, for "penetration testing." Young has repeatedly assigned Brewer to hack into Butl

A Brief History of Network Security Monitoring

Last week I was pleased to deliver the keynote at the first Security Onion Conference in Augusta, GA, organized and hosted by Doug Burks. This was probably my favorite security event of the year, attended by many fans of Security Onion and the network security monitoring (NSM) community. Doug asked me to present the history of NSM. To convey some of the milestones in the development of this operational methodology, I developed these slides (pdf). They are all images, screen captures, and the like, but I promised to post them. For example, the image at left is the first slide from a Webinar that Bamm Visscher and I delivered on 4 December 2002, where we presented the formal definition of NSM for the first time. We defined network security monitoring as the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. You may recognize similarities with the intelligence cycle and John Boyd's Observe - Orient - Decide - Act (OODA) loop. Tha

Bejtlich Teaching at Black Hat Trainings 8-9 Dec 2014

I'm pleased to announce that I will be teaching one class at Black Hat Trainings 2014 in Potomac, MD, near DC, on 8-9 December 2014. The class is Network Security Monitoring 101. I taught this class in Las Vegas in July 2013 and 2014, and Seattle in December 2013. I posted Feedback from Network Security Monitoring 101 Classes last year as a sample of the student commentary I received. This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware. The first discounted registration deadline is 11:59 pm EDT October 31st. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EST December 5th. You can register here. I recently topped the 1,000 student

Air Force Leaders Should Read This Book

I just finished reading The Icarus Syndrome: The Role of Air Power Theory in the Evolution and Fate of the U.S. Air Force by Carl Builder. He published this book in 1994 and I wish I had read it 20 years ago as a new Air Force second lieutenant. Builder makes many interesting points in the book, but in this brief post I'd like to emphasize one of his concluding points: the importance of a mission statement. Builder offers the following when critiquing the Air Force's mission statement, or lack thereof, around the time of his study: [Previous] Air Force of Staff, General John P. McConnell, reportedly endorsed the now-familiar slogan "The mission of the Air Force is to fly and fight." Sometime later, the next Chief, General John D. Ryan, took pains to put it more gruffly: "The job of the Air Force is to fly and to fight, and don't you ever forget it." (p 266) I remember hearing "Fly, Fight, Win" in the 1990s as well. Builder correctly critic

On the Twenty Years Since My USAFA Graduation

Twenty years ago today, on 1 June 1994, 1024 of us graduated from the United States Air Force Academy , commissioned as brand new second lieutenants. As of September 2012, over 600 members of the class of 1994 were still in uniform. I expect that number is roughly the same today. Reaching the 20 year mark entitles my classmates still in uniform to retire with lifetime benefits, should they choose to do so. I expect some will, but based on patterns from earlier classes I do not expect a massive exodus. The economy is still in rough shape, and transitioning from the military to the private sector after a lifetime in uniform is a jarring experience. I remember 1994 being a fairly optimistic year, but the personnel situation was precarious for those who wanted to fly. After graduation we found ourselves in the middle of a drawdown, with no undergraduate pilot training (UPT) slots available. One jody (marching song) of the time went as follows: Oh there are no fighter pilots in the A

Video of Bejtlich at Cyber Crime Conference 2014

On Tuesday the 29th of April I delivered a keynote at the US Cyber Crime Conference in Leesburg, VA. The video is online although getting to it is more complicated than clicking on a link to YouTube. Here's what I did to access the video. First, visit this link for a "SabreCity" account. Fill in your "information" and click Register. You will then see a rude message saying "Registration for this conference is now closed." That's no problem. From the same browser now visit this link to go to the SabreCity "lobby." Click the "On Demand" button on the right side of the screen. Now you can access all of the videos from the conference. Mine is called "State of the Hack: 2014 M-Trends - Beyond the Breach." Click the green arrow to the left of the title to start the video. You may be interested in several of the other interesting speakers listed as well. Thank you to Jim Christy and his team for organizin

Brainwashed by The Cult of the Quick

Faster is better! Those of us with military backgrounds learned that speed is a "weapon" unto itself, a factor which is "inherently decisive" in military conflict. The benefit of speed was so ingrained into my Air Force training that I didn't recognize I had been brainwashed by what Dr. Thomas Hughes rightly identified as The Cult of the Quick . Dr. Hughes published his article of this title in the Winter 2001 issue of the Aerospace Power Journal. His main point is the following: At a time when the American military has global commitments arrayed at variable threats, both real and potential, the Pentagon’s single-minded view of speed leaves the nation’s defenders poorly prepared for the range of military opposition and enemies they may face. Although Dr. Hughes wrote his article in 2001, his prescription is as accurate as ever. I found his integration of Edward Luttwak's point very telling: In the 1990s, the quest for swift war, replete with exit s

Five Thoughts on New China Article

I just read a thoughtful article by Michael O'Hanlon and James Steinberg, posted at Brookings and Foreign Policy titled Don't Be a Menace to South (China Sea). It addresses thorny questions regarding China as President Obama visits South Korea, Japan, Malaysia, and the Philippines. I wanted to share five quick thoughts on the article, fully appreciating I don't have all the answers to this complex strategic problem. 1. "Many in China see the U.S. rebalance as ill-disguised containment, while many in the United States see Chinese military modernization and territorial assertiveness as strong indications that Beijing seeks to undermine Washington's alliances and drive the United States from the Western Pacific." I agree with these statements as being perceptions by both sides, but I also think they are closer to the truth than what the authors believe. I recommend Dr Ashley Tellis' monograph Balancing Without Containment: An American Strategy for

Are Nation States Responsible for Evil Traffic Leaving Their Networks?

During recent talks to various audiences, I've mentioned discussions within the United Nations. One point from these discussions involved certain nation states agreeing to modes of behavior in cyber space. I found the document containing these recent statements: A/68/98, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (pdf). This document is hosted within the United Nations Office for Disarmament Affairs, in the developments in the field of information and telecommunications section. Fifteen countries were involved in producing this document: Argentina, Australia, Belarus, Canada, China, Egypt, Estonia, France, Germany, India, Indonesia, Japan, the Russian Federation, the United Kingdom of Great Britain and Northern Ireland and the United States of America. Within the section titled "Recommendations on norms, rules and principles of responsible behaviour by States," I found

Five Thoughts from VADM Rogers Testimony

I had a chance to read Advance Questions for Vice Admiral Michael S. Rogers, USN (pdf) this weekend. I wanted to share five thoughts based on excerpts from VADM Rogers' answers to written questions posed by the Senate Armed Services Committee. 1. The Committee asked: Can deterrence be an effective strategy in the absence of reliable attribution? VADM Rogers responded: Yes, I believe there can be effective levels of deterrence despite the challenges of attribution. Attribution has improved, but is still not timely in many circumstances... Cyber presence, being forward deployed in cyberspace, and garnering the indications and warnings of our most likely adversaries can help (as we do with our forces dedicated to Defend the Nation). (emphasis added) I wonder if "cyber presence" and "being forward deployed in cyberspace" means having access to adversary systems? There's little doubt as to the source of an attack if you are resident on the sy

Bejtlich Teaching at Black Hat USA 2014

I'm pleased to announce that I will be teaching one class at Black Hat USA 2014, 2-3 and 4-5 August 2014 in Las Vegas, Nevada. The class is Network Security Monitoring 101. I've taught this class in Las Vegas in July 2013 and Seattle in December 2013. I posted Feedback from Network Security Monitoring 101 Classes last year as a sample of the student commentary I received. This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware. The first discounted registration deadline is 11:59 pm EDT June 2nd. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EDT July 26th. You can register here. Please note: I have no plans to teach this class