Showing posts from October, 2020

Security and the One Percent: A Thought Exercise in Estimation and Consequences

There's a good chance that if you're reading this post, you're the member of an exclusive club. I call it the security one percent, or the security 1% . This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with the detection and response capabilities and not just planning and resistance/"prevention" functions.  Introduction  This post will estimate the size of the security 1% in the United States. It will then briefly explain how the security strategies of the 1% might be irrelevant at best or damaging at worse to the 99%. A First Cut with FIRST It's difficult to measure the size of the security 1%, but not impossible. My goal is to ascertain the correct orders of magnitude.  One method is to review entities who are members of the Forum of Incident Response and Security Teams, or FIRST . FIRST is an organization to whi

MITRE ATT&CK Tactics Are Not Tactics

Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti

Greg Rattray Invented the Term Advanced Persistent Threat

  I was so pleased to read this Tweet yesterday from Greg Rattray: " Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with ... Since then both the APT term and the nature of our adversaries have evolved. What hasn’t changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses." Background First, some background. Who is Greg Rattray? First, you could call him Colonel or Doctor. I will use Col as that was the last title I used with him, although these days when we chat I call him Greg.  Col Rattray served 21 years in the Air Force and also earned his PhD in international security from Tufts University. His thesis formed the content for his 2001 book Strategic Warfare in Cyberspace , which I reviewed in 2002 and rated 4 stars . (Ouch -- I was a bit stingy with the stars back then. I was