Comments on TaoSecurity Blog: Five Reasons Attribution Matters
Blog author: Richard Bejtlich
Comment feed, 7 comments, last updated 2023-10-16

---

Anonymous, 2014-12-31 06:11 (-05:00)

Glad to see you are blogging again!

---

H. Carvey, 2014-12-31 09:20 (-05:00)

Richard,

This is a very interesting article, and on the face, it is counter to other articles.

However, looking at this article from the perspective of the author (you), I don't think that's the case at all.

As a consultant, I interact with CIOs and CISOs who may not be aware of your perspective. In fact, I'm most often interacting with them because they haven't developed a strategy. Very often, the first question I'm asked is, "Who did this?" I tend to think that's the big driver behind the "threat intel" industry... breached organizations have no means for detecting the tools (lowest level) and are still focused on putting a face on the breach.

As a consultant, it's immensely difficult to pin down an adversary's strategy, due in no small part to the fact that attribution is so difficult. Consulting orgs do get some view into campaigns, but it's limited... not everyone breached by the same adversary calls the same response company.

However, your approach to attribution needs to be applied from the perspective of a CISO, not from someone (like me) responding to a breach that happened weeks or months ago.

---

Charlie, 2014-12-31 17:29 (-05:00)

Still, at the tactical level, it's impossible to handle the response properly if there is no way to know how persistent and resilient the opposing side will be. I remember cases where the modus operandi was quite similar between groups from different countries. Some of them gave up once the technical controls got strengthened. Others tried to target my team directly by socially engineering the top management of the company. Sticking to a purely technical defense would have been a disaster.

---

Greg Barnes @pwnjeetdo, 2015-01-01 13:54 (-05:00)

Richard, as a current CISO and former USAF defender, I agree with most of what you've pointed out here. Keydet89's points about the need to recognize consultants (and defenders in general) having different goals and thought processes were important also.

Attribution has been bastardized into identification of an objectively identifiable name, rather than an expression which captures tools, tactics, procedures, campaigns, etc., and you're doing your part to correct the misconceptions. I really appreciate what you've suggested here.

A couple of small points on the constructive side:

1. Policy, legislation, diplomacy and/or sanctions are clearly expressions of intent relative to a goal, but they are not necessarily expressions OF the goal. They are also clearly key elements of sustainment strategies, but they don't particularly DICTATE them. Placing them at the same level as a Program Goal or at the '5th level' is (perhaps) sub-optimal. Just something to think about...

2. You can certainly name it whatever you want (and no doubt will), but 'the five levels of strategic thought' has a Tony Robbins ringtone (if I'm honest) and, more constructively, it's insufficiently specific to your topic. It's also slightly awkward having 'strategy' as a level in a model named 'the five levels of strategic thought'.

Enjoyed the post. See you around.

---

dre, 2015-01-02 17:40 (-05:00)

We need technical intelligence that focuses in on adversary tool attribution -- not just malware and malware behaviors, but also their backends, back offices, and home-court infrastructure. We have the NSA ANT Catalog, but we need this for every cyber offensive operation.

Then we need to find out who is financing the acquisition, construction, and/or integration of these tools. Thus, there are many layers of attribution unrealized by today's leaders and especially the media.

It is silly to make broad conclusions about attribution. Focus in on what matters, integrate your "threat" intelligence with internal intelligence (and share).

Focusing in on later-stage kill chain malware is my least favorite strategy. It is clear to me in a huge number of these well-known data breaches that all sorts of adversary tools were involved in many stages of the kill chain. Perhaps tools were skipped and a simple technique was utilized, but CAPEC or another project must identify, enumerate, and compare these techniques. Then, we need to start speaking that language.

---

dre, 2015-01-02 17:58 (-05:00)

Apologies for another comment, but I was just reading your original book's section on I&W and am curious if you have a new interpretation? Perhaps for another blog post?

---

Richard Bejtlich, 2015-01-02 18:18 (-05:00)

Thanks for your comments everyone. Dre, I will have to look at my 2004 book again and get back to you.