Showing posts from December, 2014

Five Reasons Attribution Matters

Attribution is the hottest word in digital security. The term refers to identifying responsibility for an incident. What does it matter, though? Here are five reasons, derived from the five levels of strategic thought. I've covered those before, namely in  The Limits of Tool- and Tactics-Centric Thinking . Note that the reasons I outline here are not the same as performing attribution based on these characteristics. Rather, I'm explaining how attribution can assist responsible actors, from defenders through policymakers . 1. Starting from the bottom, at the Tools level, attribution matters because identifying an adversary may tell defenders what software they can expect to encounter during an intrusion or campaign. It's helpful to know if the adversary uses simple tools that traditional defenses can counter, or if they can write custom code and exploits to evade most any programmatic countermeasures. Vendors and software engineers tend to focus on this level beca

Don't Envy the Offense

Thanks to Leigh Honeywell I noticed a series of Tweets by Microsoft's John Lambert . Aside from affirming the importance of security team members over tools, I didn't have a strong reaction to the list -- until I read Tweets nine and ten. Nine said the following: 9. If you shame attack research, you misjudge its contribution. Offense and defense aren't peers. Defense is offense's child. I don't have anything to say about "shame," but I strongly disagree with "Offense and defense aren't peers" and "Defense is offense's child." I've blogged about offense  over the years, but my 2009 post  Offense and Defense Inform Each Other  is particularly relevant. John's statements are a condescending form of the phrase "offense informing defense." They're also a sign of "offense envy." John's last Tweet said the following: 10. Biggest problem with network defense is that defenders think

What Does "Responsibility" Mean for Attribution?

I've written a few posts here about attribution . I'd like to take a look at the word "responsibility," as used in the FBI Update on Sony Investigation posted on 19 December: As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following... (emphasis added) I'm not in a position to comment on the FBI's basis for its conclusion, which was confirmed by the President in his year-end news conference. I want to comment on the word "responsibility," which was the topic of a February 2012 paper by Jason Healey for The Atlantic Council , titled  Beyond Attribution: Seeking National Responsibility in Cyberspace . In the paper, Jason

Nothing Is Perfectly Secure

Recently a blog reader asked to enlist my help. He said his colleagues have been arguing in favor of building perfectly secure systems. He replied that you still need the capability to detect and respond to intrusions. The reader wanted to know my thoughts. I believe that building perfectly secure systems is impossible. No one has ever been able to do it, and no one ever will. Preventing intrusions is a laudable goal, but I think security is only as sound as one's ability to validate that the system is trustworthy. Trusted != trustworthy. Even if you only wanted to make sure your "secure" system remains trustworthy, you need to monitor it. Since history has shown everything can be compromised, your monitoring will likely reveal an intrusion. Therefore, you will need a detection and a response capability. If you reject the notion that your "secure" system will be compromised, and thereby reject the need for incident response, you still need a detectio

Bejtlich on Fox Business Discussing Recent Hacks

I appeared on Fox Business  (video) today to discuss a wide variety of hacking topics. It's been a busy week. Liz Claman and David Asman ask for my perspective on who is responsible, why the FBI is warning about destructive malware, how the military should respond, what businesses can do about intrusions, and more. All of these subjects deserve attention, but I tried to say what I could in the time available. For more on these and other topics, don't miss the annual Mandiant year-in-review Webinar, Wednesday at 2 pm ET. Register here . I look forward to joining Kristen Verderame and Kelly Jackson Higgins, live from Mandiant HQ in Alexandria, Virginia. Tweet