Saturday, February 22, 2014

The Limits of Tool- and Tactics-Centric Thinking

Earlier today I read a post by Dave Aitel to his mailing list titled Drinking the Cool-aid. Because it includes a chart you should review, I included a screenshot of it in this blog, below. Basically Dave lists several gross categories of defensive digital security technology and tools, then lists what he perceives as deficiencies and benefits of each. Embedded in these pluses and minuses are several tactical elements as well. Please take a look at the original or my screenshot.

I had three reactions to this post.

First, I recognized that it's written by someone who is not responsible for defending any network of scale or significance. Network defense is more than tools and tactics. It's more often about people and processes. My initial response is unsatisfying and simplistic, however, even though I agree broadly with his critiques of anti-virus, firewalls, WAFs, and some traditional security technology.

Second, staying within the realm of tools and tactics, Dave is just wrong on several counts:
  • He emphasizes the role of encryption to defeat many defensive tools, but ignores that security and information technology architects regularly make deployment decisions to provide visibility in the presence of encryption.
  • He ignores or is ignorant of technology to defeat obfuscation and encryption used by intruders.
  • He says "archiving large amounts of traffic is insanely expensive and requires massive analytics to process," which is wrong on both counts. On a shoestring budget my team deployed hundreds of open source NSM sensors across my previous employer to capture data on gateways of up to multi-Gbps bandwidth. Had we used commercial packet capture platforms we would have needed a much bigger budget, but open source software like Security Onion has put NSM in everyone's hands, cheaply. Regarding "massive analytics," it's easier all the time to get what you need for solid log technology. You can even buy awesome commercial technology to get the job done in ways you never imagined.
I could make other arguments regarding tactics and tools, but you get the idea from the three I listed.

Third, and this is really my biggest issue with Dave's post, is that he demonstrates the all-too-common tendency for security professionals to constrain their thinking to the levels of tactics and tools. What do I mean? Consider this diagram from my O'Reilly Webinar on my newest book:

A strategic security program doesn't start with tools and tactics. Instead, it starts with one or more overall program goals. The strategy-minded CISO gets executive buy-in to those goals; this works at a level understood by technicians and non-technicians alike. Next the CISO develops strategies to implement those goals, organizes and runs campaigns and operations to support the strategies, helps his team use tactics to realize the campaigns and operations, and procures tools and technology to equip his team.

Here is an example of one strategic security approach to minimize loss due to intrusions, using a strategy of rapid detection, response, and containment, and NSM-inspired operations/campaigns, tactics, and tools.

Now I don't want to seem too harsh, because tool- and tactics-centric thinking is not just endemic to the digital security world. I read how it played out during the planning and execution of the air campaign during the first Gulf War.

I read the wonderful John Warden and the Renaissance of American Air Power and learned how the US Air Force at the time suffered the same problems. The Air Force was very tactics- and technology-focused. They cared about how to defeat other aircraft in aerial combat and sought to keep the Army happy by making close air support their main contribution to the "joint" fight. The Air Force managed to quickly deploy planes to Saudi Arabia but had little idea how to use those forces in a campaign, let alone to achieve strategic or policy goals. It took visionaries like John Warden and David Deptula to make the air campaign a reality, and forever change the nature of air warfare.

I was a cadet when this all happened and remember my instructors exhibiting the contemporary obsession with tactics and tech we've seen in the security world for decades. Only later in my Air Force career did I see the strategic viewpoint gain acceptance.

Expect to hear more from me about the need for strategic thinking in digital security. I intend to apply to a PhD program this spring and begin research in the fall. I want to apply strategic thinking to private sector digital defense, because that is where a lot of the action is and where the need is greatest.

For now, I talked about the need for strategy in my O'Reilly Webinar.

Thursday, February 06, 2014

More Russian Information Warfare

In all the hype about "cyberspace" and "cyberwar," it's easy to forget about information warfare. This term was in vogue in the military when I was an Air Force intelligence officer in the 1990s. The Russians were considered to be experts at using information to their advantage and they appear to continue to wield that expertise on a regular basis. The latest incarnation goes like this:

1. Unknown parties, probably Russian SIGINT operators, intercept and record a phone call between US Assistant Secretary of State Victoria Nuland and US Ambassador to Ukraine, Geoffrey Pyatt. In the phone call, the parties use language which could be considered inflammatory or insulting to EU politicians.

2. The interceptors pass the phone call recording to a private third party.

3. Either that third party, or some recipient down the line, posts the audio and a video overlay on Youtube.

4. The third party Tweets about the video.

5. Russian-sponsored television begins broadcasting stories about the video.

6. Reputable news media begin broadcasting stories about the video.

7. The rift between American and European leaders widens (possibly).

I find several aspects of this story fascinating.

First, I am surprised that whomever intercepted the phone call decided it was worthwhile to probably burn an intelligence source. It's possible the Americans were using consumer cell phones, subject to monitoring by foreign intelligence services. If true, the Americans were not very OPSEC-aware. If the Americans were using a line which they thought was secure, then the interceptors just revealed they know how to access it.

Second, the use of third parties is characteristic of Russian activities. We are all familiar with the role of patriotic hackers, youth groups, etc. when doing normal "cyber" activities. This sort of propaganda activity, with direct ties to a probable SIGINT operation, is interesting.

Third, I wonder about the cost of this operation. In some ways it is very cheap -- Youtube, Twitter, etc. In other ways, it may be expensive -- interception and probable manual auditing of the audio to identify divisive and "offensive" content.

I don't pretend to be a Russian SIGINT expert, but I wanted to document this case in my blog. Constructive commentary is welcome but subject to moderation due to spam countermeasures. Incidentally, if I got the origin or order of any of these events wrong, I'm open to that too. I didn't ask my Russian-speaking friends to comment -- I'm just noting this story for future reference.

Update: I noticed that sources like Kyiv Post say:

Among the first to tweet the audio recording was an aide to Russian Deputy Prime Minister Dmitry Rogozin, named Dmitry Loskutov, who also wrote: "Sort of controversial judgment from Assistant Secretary of State Victoria Nuland speaking about the EU."

However, the timestamp on this Russian aide Tweet is "11:35 PM - 5 Feb 2014" whereas the private Tweet I mentioned earlier shows "9:36 pm - 4 Feb 2014" -- a day earlier.