tag:blogger.com,1999:blog-40889792023-05-19T08:27:42.466-04:00TaoSecurity BlogRichard Bejtlich's blog on digital security, strategic thought, and military history.Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.comBlogger3077125tag:blogger.com,1999:blog-4088979.post-12881862538282878132023-01-08T10:00:00.001-05:002023-01-08T10:00:00.234-05:00Happy 20th Birthday TaoSecurity Blog<p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPQOwFB1iTSYU1oPRiQzEDfrD3njFcZ73mBseC8o-AP9o0ZOD---GHVGBDE8RduPa-r5sdWdYYV48_uFQVuSanKGvoi1wMPofbs8w0j3LFw6HF5yGD_WnxMD_V6K69l7ERr3fHUFahllSxeGTs9RKJ1CmUGbLYYmY1cjidnDWCt7p3v6Kmxg/s3000/taosecurity%20blog%202003-2023.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1100" data-original-width="3000" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPQOwFB1iTSYU1oPRiQzEDfrD3njFcZ73mBseC8o-AP9o0ZOD---GHVGBDE8RduPa-r5sdWdYYV48_uFQVuSanKGvoi1wMPofbs8w0j3LFw6HF5yGD_WnxMD_V6K69l7ERr3fHUFahllSxeGTs9RKJ1CmUGbLYYmY1cjidnDWCt7p3v6Kmxg/w640-h234/taosecurity%20blog%202003-2023.jpg" width="640" /></a></div><br /><p style="text-align: left;">Happy 20th birthday <a href="https://taosecurity.blogspot.com/">TaoSecurity Blog</a>, born on <a href="https://taosecurity.blogspot.com/2003/01/welcome-to-my-blog-main-new-content.html" target="_blank">8 January 2003</a>.&nbsp;</p><h2 style="text-align: left;">Thank you Blogger</h2><div><p></p><p style="text-align: left;"><a href="https://www.blogger.com/" target="_blank">Blogger</a> (now part of Google) has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. It's tough to find extant self-hosted security content that was born at the same time, or earlier. 
Bruce Schneier's <a href="https://www.schneier.com/" target="_blank">Schneier on Security</a> is the main one that comes to mind. If not for the wonderful <a href="https://archive.org/" target="_blank">Internet Archive</a>, many blogs from the early days would be lost.</p><h2 style="text-align: left;">Statistics</h2><p style="text-align: left;">In my <a href="https://taosecurity.blogspot.com/2018/01/happy-15th-birthday-taosecurity-blog.html" target="_blank">15 year post</a> I included some statistics, so here are a few, current as of the evening of 7 January:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCxcThtGMupoQEucIYaF1m2YRVp9vtCObwzOondALVDmUBhwWIGhLiBeEe_hK_BxbCtNKcA95cSMg3NoT4k79k3rco0BYVugwM9dMOoKLX7eSDqTMVMjTHegX0d0kkg6raamB_akd0qCeCKiJcYQH1XsqQt-V1kpoI2un2ymp_kLV0KCrDpw/s2533/capture_001_07012023_201618.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="555" data-original-width="2533" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCxcThtGMupoQEucIYaF1m2YRVp9vtCObwzOondALVDmUBhwWIGhLiBeEe_hK_BxbCtNKcA95cSMg3NoT4k79k3rco0BYVugwM9dMOoKLX7eSDqTMVMjTHegX0d0kkg6raamB_akd0qCeCKiJcYQH1XsqQt-V1kpoI2un2ymp_kLV0KCrDpw/w640-h140/capture_001_07012023_201618.jpg" width="640" /></a></div><p style="text-align: left;">I think it's cool to see almost 29 million "all time" views, but that's not the whole story.</p><p style="text-align: left;">Here are the so-called "all time" statistics:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCL5xPkqzGWyUhIwSKeDQ-O7C-i8wsJH7gOqMxBb5uYeeZfqd3bYoa9rbyWS1G7sOukQc0IHBJl8hC2X-IP__eTvYPIzqtXeWbev_juU1x6jfuCovFFBDhAqupBE-Mefo37hV4jHOF1B_1YEa4DlEoe-XulSyqCH-a5es7olM3olWgk4ZBBg/s2440/capture_002_07012023_201801.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img 
border="0" data-original-height="750" data-original-width="2440" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCL5xPkqzGWyUhIwSKeDQ-O7C-i8wsJH7gOqMxBb5uYeeZfqd3bYoa9rbyWS1G7sOukQc0IHBJl8hC2X-IP__eTvYPIzqtXeWbev_juU1x6jfuCovFFBDhAqupBE-Mefo37hV4jHOF1B_1YEa4DlEoe-XulSyqCH-a5es7olM3olWgk4ZBBg/w640-h196/capture_002_07012023_201801.jpg" width="640" /></a></div><br /><p style="text-align: left;">It turns out that Blogger only started capturing these numbers in January 2011. That means I've had almost 29 million views in the last 12 years.&nbsp;</p><p style="text-align: left;">I don't know what happened on 20 April 2022, when I had almost 1.5 million views.</p><h2 style="text-align: left;">Top Ten Posts Since January 2011</h2><p style="text-align: left;">Here are the top ten posts since Blogger began counting in January 2011:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSBwNraUq0w3DZ5r8O3gIpo1MOE84ZCpA8WxtJb4mt_KNcXy0oSmMRfC8aV_L4U6UbG0LWqURCMdYAgBAdragJNlmy40J7wQ13kLxSGLxggD0WV4GLqNTWQQ5uA74PJXNFOnZnZvW7vngJeSOgBejtJZ4m5cvixqWx7so98V3bCsHjSIFu6Q/s2426/capture_003_07012023_202102.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1627" data-original-width="2426" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSBwNraUq0w3DZ5r8O3gIpo1MOE84ZCpA8WxtJb4mt_KNcXy0oSmMRfC8aV_L4U6UbG0LWqURCMdYAgBAdragJNlmy40J7wQ13kLxSGLxggD0WV4GLqNTWQQ5uA74PJXNFOnZnZvW7vngJeSOgBejtJZ4m5cvixqWx7so98V3bCsHjSIFu6Q/w640-h430/capture_003_07012023_202102.jpg" width="640" /></a></div><p style="text-align: left;">I'm really pleased to see posts like&nbsp;<a href="https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html" target="_blank">Security and the One Percent: A Thought Exercise in Estimation and Consequences</a> and&nbsp;<a href="https://taosecurity.blogspot.com/2021/02/digital-offense-capabilities-are.html" 
target="_blank">Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem</a>&nbsp;in this list. We've had some discussion on these topics since I posted them in late 2020 and early 2021, but not enough. The 99% continue to suffer at the hands of adversaries and those in the security 1% who ignore them.</p><h2 style="text-align: left;">The Monetization Experiment</h2><p style="text-align: left;">I ran an advertising experiment from April 2021 through December 2022. I "earned" $116.96 by February 2022 and $104.39 by December 2022. I don't have view numbers for that whole period, but for calendar year 2022 I attracted a little over 7.5 million views. You can see that I earned about 1.4 x 10^-5 dollars per view (roughly $104 over 7.5 million views). I disabled ads at the end of December.</p><h2 style="text-align: left;">From Twitter to Mastodon</h2><p style="text-align: left;">One big change I can discern since my 15-year post is that I have now abandoned Twitter and migrated to Mastodon. You can find me at <a href="https://infosec.exchange/@taosecurity">infosec.exchange/@taosecurity</a>. My current Twitter follower count is about 59.7k, down from just over 60k. My current Mastodon follower count is 1.9k. I don't really care about followers, but I figured I would capture these numbers to see if there is any change in the next five years.</p><h2 style="text-align: left;">The Latest Books</h2><p style="text-align: left;">I spent the early years of the pandemic collecting my 3,000 or so favorite blog posts into a four-volume set called <a href="https://amzn.to/3XdChgJ" target="_blank">The Best of TaoSecurity Blog</a>. I'm really pleased with these books, available via Amazon in print or digital format. They include the original posts, but each receives commentary with modern thoughts on the original content. 
The fourth volume includes material not found in the blog, such as unpublished writings from my abandoned War Studies PhD program or Congressional testimonies.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDt2cOrQOJLBDsVfwR0fXlVDFRWihYt8JhzZ11JoNPYGkJ9pzS06WK-RKrLGstmUkDvmbxpxeQv2nhknN2n36jqvXjVUzzcvVTuvByn7voFlN8txab5fx3xmSmDLaNx8VsWLh1xoQUG5P60lN9KuG1ZtYkVu633_pkrqeJ4XkXEqO2QZTlBg/s1600/four%20books.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="595" data-original-width="1600" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDt2cOrQOJLBDsVfwR0fXlVDFRWihYt8JhzZ11JoNPYGkJ9pzS06WK-RKrLGstmUkDvmbxpxeQv2nhknN2n36jqvXjVUzzcvVTuvByn7voFlN8txab5fx3xmSmDLaNx8VsWLh1xoQUG5P60lN9KuG1ZtYkVu633_pkrqeJ4XkXEqO2QZTlBg/w640-h238/four%20books.jpg" width="640" /></a></div><p style="text-align: left;">It looks like Amazon is randomly running a promotion on volume 2 of <a href="https://amzn.to/3CUhur5" target="_blank">The Best of TaoSecurity Blog</a>&nbsp;while I am writing this post. The print edition is regularly $19.95, but it's currently priced at $7.89. 
I don't know how long it will last, but if you're interested please check it out.&nbsp;</p><p style="text-align: left;">I also co-wrote and published a book on stretching with a subject matter expert --&nbsp;<a href="https://amzn.to/3Gn1u1r" target="_blank">Reach Your Goal: Stretching &amp; Mobility Exercises for Fitness, Personal Training, &amp; Martial Arts</a>.&nbsp;</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPuJrH7q06L9Cm_HLS5HgG3MZmDXiPTAmg31epFT4Ac486MMhnwSli__rUTlg9l7ZxJaS4sc4lIqSmbFn4Fpkj__Rb3OofL4Lm0V237wLxJppYBB8wy4zp4v9gJN7rG8HzZNrCh8dYqVJgt7kjBuZAwTTzrychQ-h2kbTqRo1rP605t3JKWw/s1360/61IAqWsOtKL.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1360" data-original-width="907" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPuJrH7q06L9Cm_HLS5HgG3MZmDXiPTAmg31epFT4Ac486MMhnwSli__rUTlg9l7ZxJaS4sc4lIqSmbFn4Fpkj__Rb3OofL4Lm0V237wLxJppYBB8wy4zp4v9gJN7rG8HzZNrCh8dYqVJgt7kjBuZAwTTzrychQ-h2kbTqRo1rP605t3JKWw/w266-h400/61IAqWsOtKL.jpg" width="266" /></a></div><br /><p style="text-align: left;">Thanks to ARB for taking the excellent photos!</p><h2 style="text-align: left;">Enter Corelight</h2><p style="text-align: left;">I have been <a href="https://taosecurity.blogspot.com/2018/09/twenty-years-of-network-security.html" target="_blank">working at Corelight since August 2018</a>. Our <a href="https://corelight.com/" target="_blank">Corelight</a> network security monitoring platform is really amazing and I suggest everyone check it out. We continue to have big plans for the future.&nbsp;</p><h2 style="text-align: left;">Zeek Communicator</h2><p style="text-align: left;">Since 2018 I have assumed the communications role for the <a href="https://zeek.org/" target="_blank">Zeek network security monitoring project</a>. 
Besides posting announcements to <a href="https://infosec.exchange/@zeek" target="_blank">Mastodon</a>&nbsp;and <a href="https://www.linkedin.com/company/80104000/" target="_blank">LinkedIn</a>, I also share interaction and admin duties for our <a href="https://join.slack.com/t/zeekorg/shared_invite/zt-1ev1nr7z4-rEVSsaIzYzFWpdgh2I6ZOg" target="_blank">Slack</a>,&nbsp;<a href="https://community.zeek.org/" target="_blank">Discourse</a>,&nbsp;and <a href="https://www.youtube.com/c/Zeekurity" target="_blank">YouTube</a> sites. I'm working with the leadership team on strategies for growing community size and involvement in 2023 and beyond.</p><h2 style="text-align: left;">Hobbies</h2><p style="text-align: left;">During the last five years, I earned a <a href="https://martialvitality.blogspot.com/2018/12/thoughts-on-my-krav-maga-global-g1-test.html" target="_blank">black belt equivalent in Krav Maga Global</a> (the system uses patches, not belts) and a <a href="https://martialvitality.blogspot.com/2019/10/passing-my-bjj-blue-belt-test.html" target="_blank">blue belt in Brazilian Jiu-Jitsu</a>&nbsp;(helping me to survive grappling with Jeremiah Grossman at the <a href="https://www.youtube.com/watch?v=1kdqEcn0lwM" target="_blank">2019 BJJ Smackdown during Black Hat</a>). I've <a href="https://martialvitality.blogspot.com/2022/12/retiring-from-martial-arts-for-now-at.html" target="_blank">retired from practicing martial arts</a>, for now at least. 
However, my <a href="https://martialhistoryteam.blogspot.com/" target="_blank">Martial History Team</a> project continues, with plans through June 2025.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL_CQ2D18Pu81BqXX_O4kQJqYcvUv_0OuCNoJ7-iCwvdSMvKsgKywDPybxaMBiE9FB-ACi7faQIAS7CpQOtQCMgUtkK25BER3vlW_9ZdQOQli9GiRmCk7BuhyLl1cL6GTDpIMrAeoFjvbswPiMuBn4zd9Pli6Jrqa6CXMjtvD1_V5o7-0JqA/s446/martial%20history%20team%20logo%20be%20devoted.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="344" data-original-width="446" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL_CQ2D18Pu81BqXX_O4kQJqYcvUv_0OuCNoJ7-iCwvdSMvKsgKywDPybxaMBiE9FB-ACi7faQIAS7CpQOtQCMgUtkK25BER3vlW_9ZdQOQli9GiRmCk7BuhyLl1cL6GTDpIMrAeoFjvbswPiMuBn4zd9Pli6Jrqa6CXMjtvD1_V5o7-0JqA/s320/martial%20history%20team%20logo%20be%20devoted.jpg" width="320" /></a></div><br /><p style="text-align: left;">I read a ton of books every month, but almost none have to do with technical security topics. My interests include US Civil War history, general military and nation state strategy, unidentified aerial phenomena, airpower, science, intelligence, and other topics. I have a strict monthly schedule and thus far have been able to stick to it for the last 16 months. I don't write reviews anymore, but I do write <a href="https://martialhistoryteam.blogspot.com/search/label/survey" target="_blank">surveys</a> for the martial arts books -- 36 so far.</p><p style="text-align: left;">Finally, in 2022 I returned to one of my childhood hobbies, first begun in the fall of 1982 -- tabletop roleplaying games. I've been informally studying science fiction RPGs since the beginning of last year, potentially to begin another PhD program. I think it would be interesting to research a history PhD involving science fiction RPGs. 
I don't say much publicly about this, although I do have a <a href="https://dice.camp/@scifittrpg" target="_blank">Mastodon account for Science Fiction TTRPGs</a>. I've also been playing in an online <i>Star Frontiers</i> campaign with a group scattered throughout the US.&nbsp;</p><p style="text-align: left;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXyXDBTPDWUXTkeoqnHxXBn6TxodeSabn9KI3SNF6fTcNnRruUGt05XqCTd1tA1neSbtKvfMz-MKzRMGchY6wyJWLitrWpCH_9WSIL-D-qCLXlIXQpoOjaTVAiKMGjfvl-up9hYJNtacdJpbxTqWPYMV3T5HFPKMOjCt1fcATMXP5QTj2eFQ/s1044/star%20frontiers%20modified%20elmore%20cover.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1044" data-original-width="978" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXyXDBTPDWUXTkeoqnHxXBn6TxodeSabn9KI3SNF6fTcNnRruUGt05XqCTd1tA1neSbtKvfMz-MKzRMGchY6wyJWLitrWpCH_9WSIL-D-qCLXlIXQpoOjaTVAiKMGjfvl-up9hYJNtacdJpbxTqWPYMV3T5HFPKMOjCt1fcATMXP5QTj2eFQ/s320/star%20frontiers%20modified%20elmore%20cover.jpg" width="300" /></a></div><i>SF</i> was the first RPG I ever played, so it was cool to return to playing on its 40th birthday in August 2022.<p></p><h2 style="text-align: left;">Conclusion</h2><p style="text-align: left;">As you might discern, I'm expressing myself in many different venues. As a result, I don't feel the need or desire to post here, at least not that often. In 2003, most of the platforms mentioned in this post didn't exist. Blogs were the hot new communication medium. Prior to that, security people published "white papers" in text form to sites like <a href="https://packetstormsecurity.com/" target="_blank">Packet Storm</a>! (Check out <a href="https://packetstormsecurity.com/search/?q=bejtlich" target="_blank">two of my entries here</a>. 
Those are the PDF versions.)</p><p style="text-align: left;">As far as security goes, I mostly care about the operational/campaign and higher levels of conflict, e.g.:</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieprFI_cz9vypMa-9fP-cGZCfI5RvrQ_DyCuK4VF9dxRNPZ6xAlY525fKZIeNL99QFO_FcDYIkAqWcCOikLWtzetsydSBHcEp4ZK4bKmBEGAEf86FF6fYHrWP69dw0GlIgGQn9znbQw3k1E_8eNohPnBoPR78l7QMOLt-jAN8DIT0tEhH6CA/s1885/strategy%20levels.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1562" data-original-width="1885" height="265" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieprFI_cz9vypMa-9fP-cGZCfI5RvrQ_DyCuK4VF9dxRNPZ6xAlY525fKZIeNL99QFO_FcDYIkAqWcCOikLWtzetsydSBHcEp4ZK4bKmBEGAEf86FF6fYHrWP69dw0GlIgGQn9znbQw3k1E_8eNohPnBoPR78l7QMOLt-jAN8DIT0tEhH6CA/s320/strategy%20levels.jpg" width="320" /></a></div><br /><p style="text-align: left;">In my opinion, the tactics used by intruders and defenders, and even most of the tools, have not really changed in the last 10 years, and definitely not since 2018. The operations/campaigns and strategies used by both sides haven't really changed either.&nbsp;</p><p style="text-align: left;">There are a few exceptions, like <a href="https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor" target="_blank">the massive SolarWinds supply chain compromise Mandiant discovered and published in December 2020</a>. Ransomware has definitely ramped up to gross levels since 2018. However, there haven't been any game-changers as far as how offense and defense interact.&nbsp;</p><p style="text-align: left;">Sure, way more processing is done in the cloud, and just about everything is running a vulnerable computer. However, no one on the offensive or defensive sides has significantly innovated to alter the way the two parties interact. 
Until that changes, security for me is largely a less interesting, but still unsolved, wicked problem.&nbsp;</p><p>Thank you to everyone who has been part of this blog's journey since 2003!</p></div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-91606987095838127902022-11-20T09:30:00.001-05:002022-11-20T09:30:10.764-05:00Best of TaoSecurity Blog Kindle Edition Sale<p>&nbsp;</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiml7ykclioceS_ZdMMAYlDwMMqmSp0H6-D4001LQaLvxBMvpeqt6O4VEHGzWa0cfGGHD6AudZhLxhT-eeVaqzKzR8RmK_Ue-OqSVUGD_n1-5R1SvmKwsXK-TB82J-6RAWLnOj7-baxh56H5LgvcYc_dgYIHEXD-fG6F53NBvRhsbEK_BQ5tQ/s1600/four%20books.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="595" data-original-width="1600" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiml7ykclioceS_ZdMMAYlDwMMqmSp0H6-D4001LQaLvxBMvpeqt6O4VEHGzWa0cfGGHD6AudZhLxhT-eeVaqzKzR8RmK_Ue-OqSVUGD_n1-5R1SvmKwsXK-TB82J-6RAWLnOj7-baxh56H5LgvcYc_dgYIHEXD-fG6F53NBvRhsbEK_BQ5tQ/w640-h238/four%20books.jpg" width="640" /></a></div><br /><p></p><p><span style="background-color: white; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; white-space: pre-wrap;">I'm running a </span><span class="ql-hashtag" style="background-color: white; border: 
var(--artdeco-reset-base-border-zero); box-sizing: inherit; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; font-weight: var(--artdeco-reset-typography-font-weight-bold); margin: var(--artdeco-reset-base-margin-zero); outline: var(--artdeco-reset-base-outline-zero); overflow-wrap: normal; padding: var(--artdeco-reset-base-padding-zero); vertical-align: var(--artdeco-reset-base-vertical-align-baseline); white-space: pre-wrap;">#BlackFriday</span><span style="background-color: white; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; white-space: pre-wrap;"> </span><span class="ql-hashtag" style="background-color: white; border: var(--artdeco-reset-base-border-zero); box-sizing: inherit; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; font-weight: var(--artdeco-reset-typography-font-weight-bold); margin: 
var(--artdeco-reset-base-margin-zero); outline: var(--artdeco-reset-base-outline-zero); overflow-wrap: normal; padding: var(--artdeco-reset-base-padding-zero); vertical-align: var(--artdeco-reset-base-vertical-align-baseline); white-space: pre-wrap;">#CyberMonday</span><span style="background-color: white; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; white-space: pre-wrap;"> sale on my four newest </span><span class="ql-hashtag" style="background-color: white; border: var(--artdeco-reset-base-border-zero); box-sizing: inherit; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; font-weight: var(--artdeco-reset-typography-font-weight-bold); margin: var(--artdeco-reset-base-margin-zero); outline: var(--artdeco-reset-base-outline-zero); overflow-wrap: normal; padding: var(--artdeco-reset-base-padding-zero); vertical-align: var(--artdeco-reset-base-vertical-align-baseline); white-space: pre-wrap;">#Kindle</span><span style="background-color: white; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color 
Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; white-space: pre-wrap;"> format books. Volumes 1-4 of The Best of TaoSecurity Blog will be half off starting 9 pm PT Tuesday 22 Nov and ending 9 pm PT Tuesday 29 Nov. They are <a href="http://amzn.to/3p7Z3qb" target="_blank">here</a>.</span><span style="background-color: white; color: rgba(0, 0, 0, 0.9); font-family: -apple-system, system-ui, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, &quot;Helvetica Neue&quot;, &quot;Fira Sans&quot;, Ubuntu, Oxygen, &quot;Oxygen Sans&quot;, Cantarell, &quot;Droid Sans&quot;, &quot;Apple Color Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Emoji&quot;, &quot;Segoe UI Symbol&quot;, &quot;Lucida Grande&quot;, Helvetica, Arial, sans-serif; font-size: 16px; white-space: pre-wrap;">&nbsp; There also appears to be a <a href="https://amzn.to/3tJc64P" target="_blank">daily deal right now</a> for the paperback of Volume 2, 45% off at $8.96. 
</span></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-49386177033773351982022-11-18T15:35:00.002-05:002022-11-18T15:37:23.441-05:00TaoSecurity on Mastodon<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnMz18u2GwCrgodYO8znOXh87ppgtQ1qtVEMWm0hZhegNCrC2ftn2bdQKXFdWxJI1V1QhiU0QRbc_JgbBKE-sJ_GfZCCLfWnXCNKbQ61WKHBra_By-Rb1WCjyMaOO7HvaiRwYi7MIr-OvPoDZBr5u3uW9DVi0Q_qm4oUHZcjUzKAs4YUY2dw/s1696/capture_001_18112022_153542.jpg" style="clear: left; display: block; float: left; padding: 1em 0px; text-align: center;"><br /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnMz18u2GwCrgodYO8znOXh87ppgtQ1qtVEMWm0hZhegNCrC2ftn2bdQKXFdWxJI1V1QhiU0QRbc_JgbBKE-sJ_GfZCCLfWnXCNKbQ61WKHBra_By-Rb1WCjyMaOO7HvaiRwYi7MIr-OvPoDZBr5u3uW9DVi0Q_qm4oUHZcjUzKAs4YUY2dw/s1696/capture_001_18112022_153542.jpg" style="clear: left; display: block; float: left; padding: 1em 0px; text-align: center;"><br /></a><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWYNbbeHWoCDS7MEvh5CYPBkkqpSueUx8Lq8ntRz_Rl4XY24nIyu7gczXMSOFUNNrMNS7RwTaDQrvNSuqfm4S90YkvXsRuptdQr0_lRKNDJ5OxWu1o0CpWii8Pkf5gxJcmZHwOwnfGwSjPW_FytZ3a5WVpMJoJQrmyL311R3d9taR3C1M6kw/s1696/capture_001_18112022_153542.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1696" data-original-width="1465" height="320" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWYNbbeHWoCDS7MEvh5CYPBkkqpSueUx8Lq8ntRz_Rl4XY24nIyu7gczXMSOFUNNrMNS7RwTaDQrvNSuqfm4S90YkvXsRuptdQr0_lRKNDJ5OxWu1o0CpWii8Pkf5gxJcmZHwOwnfGwSjPW_FytZ3a5WVpMJoJQrmyL311R3d9taR3C1M6kw/s320/capture_001_18112022_153542.jpg" width="276" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><br /><div>I am now using&nbsp;<a href="https://infosec.exchange/@taosecurity" rel="me">Mastodon</a>&nbsp;as a replacement for the blue bird. This is my attempt to verify myself via my blog. I am no longer posting to my old bird account.</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-23369597440004794262022-08-10T09:30:00.001-04:002022-08-10T09:30:00.245-04:00The Humble Hub<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEJb5O0HmEzUNCE1Eg7JqJrbRnrMBSymuwREiY6kdWz2RLj6-i87DOH0TTHsqGeTx3YfYHxhxe2MEdziN2sVyxT5cTA2b85G1wzNyKgRezUTBWuRbP3EgKijQ6bHcyiZKAOXRf_lJ_SNEIDnPLhPBXs3jycjO77V7ErTyWi6UlerI8TQ_1IA/s4032/IMG_5005.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="3024" data-original-width="4032" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEJb5O0HmEzUNCE1Eg7JqJrbRnrMBSymuwREiY6kdWz2RLj6-i87DOH0TTHsqGeTx3YfYHxhxe2MEdziN2sVyxT5cTA2b85G1wzNyKgRezUTBWuRbP3EgKijQ6bHcyiZKAOXRf_lJ_SNEIDnPLhPBXs3jycjO77V7ErTyWi6UlerI8TQ_1IA/w640-h480/IMG_5005.jpg" width="640" /></a></div><br />&nbsp;<p></p><p>Over the weekend I organized some old computing equipment. I found this beauty in one of my boxes. 
It's a <a href="https://www.netgear.com/support/product/EN104TP.aspx" target="_blank">Netgear EN104TP hub</a>. I've mentioned this device before, in this blog and my books. This sort of device was the last of the true hubs. In an age where cables seem reserved for data centers or industrial facilities, and wireless rules the home and office, this hub is a relic of days gone by.</p><p>To give you a sense of how old this device is, the Netgear documentation (still online -- well done) offers a PDF created in August 1998. (Again, well done Netgear, not mucking about with the timestamps.) I'm not sure how old my specific device is. Seeing as I started working in the AFCERT in the fall of 1998, I could see this hub being easily over 20 years old.&nbsp;</p><p>A hub is a network device that accepts a frame on one port and repeats it out every other port, regardless of the destination address. A switch is different: it maintains a table (the CAM table, for content addressable memory) that records which MAC address was seen arriving on which port, and it forwards a frame only to the port where the destination MAC was learned. Until the switch has learned a destination MAC, a frame for that address is flooded to all ports except the one it arrived on, exactly as a hub would do; once the table is populated, the other ports see nothing but broadcasts and their own traffic.</p><p>This is a "true hub" because all of the ports are 10 Mbps. Yes, that is 100 times "slower" than the Gigabit ports on modern devices, if they have Ethernet ports at all. Once 10/100 Mbps devices arrived, essentially everything became a switch. I never encountered a 100 Mbps "hub." Every device I ever had hands on was a 10/100 Mbps switch. That meant you were unlikely to see traffic destined for other ports when using a 10/100 Mbps device, or even a 100 Mbps device (which I never saw anyway). There were no Gigabit (1000 Mbps) hubs built. I don't think the specification even supports it.</p><p>These little boxes were network monitoring enablers. If you wanted to learn, or troubleshoot, or possibly even add monitoring to a production network, you could connect an upstream cable, a downstream cable, and a monitoring cable to the hub. 
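</p><p>To make the hub-versus-switch difference concrete for a monitoring port, here is an added simulation; it is example code written for this edit, not code from the original post or from Netgear. It models a four-port repeater hub beside a four-port learning switch and replays the same four constructed frames through each. Hosts A and B, their MAC addresses and port numbers, and the choice of port 3 as the monitoring port are all made up for the example. The result is the point of the paragraph above: the hub's monitoring port sees every frame, while the switch's monitoring port sees only the first frame (flooded because B's MAC was not yet learned) and the broadcast.</p>

```python
"""Hub vs. learning switch: which ports see each frame?

Added example. Hosts, MAC addresses and port numbers below are
constructed for illustration and are not from the original post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str = ""


class Hub:
    """Repeater: every frame is copied to all ports except the ingress port."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, frame: Frame, in_port: int) -> Set[int]:
        return {p for p in range(1, self.ports + 1) if p != in_port}


@dataclass
class Switch:
    """Learning switch: records src MAC -> ingress port, forwards by dst MAC."""

    ports: int
    cam: Dict[str, int] = field(default_factory=dict)

    def forward(self, frame: Frame, in_port: int) -> Set[int]:
        # Learn (or refresh) which port the sender lives on.
        self.cam[frame.src] = in_port
        out = self.cam.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            # Broadcast or not-yet-learned destination: flood like a hub.
            return {p for p in range(1, self.ports + 1) if p != in_port}
        if out == in_port:
            # Destination is behind the ingress port; nothing to forward.
            return set()
        return {out}


def run_scenario(device, hosts: Dict[str, int], frames: List[Frame],
                 monitor_port: int) -> List[str]:
    """Replay frames through `device`; return payloads the monitor port sees."""
    seen = []
    for frame in frames:
        in_port = hosts[frame.src]
        if monitor_port in device.forward(frame, in_port):
            seen.append(frame.payload)
    return seen


# Constructed topology: A on port 1, B on port 2, monitor on port 3, port 4 free.
A, B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
HOSTS = {A: 1, B: 2}
MONITOR_PORT = 3
FRAMES = [
    Frame(A, B, "1: A->B, B unknown"),
    Frame(B, A, "2: B->A, A learned"),
    Frame(A, B, "3: A->B, B learned"),
    Frame(A, BROADCAST, "4: A->broadcast"),
]


def hub_monitor_sees() -> List[str]:
    return run_scenario(Hub(4), HOSTS, FRAMES, MONITOR_PORT)


def switch_monitor_sees() -> List[str]:
    return run_scenario(Switch(4), HOSTS, FRAMES, MONITOR_PORT)


if __name__ == "__main__":
    print("hub monitor sees:   ", hub_monitor_sees())
    print("switch monitor sees:", switch_monitor_sees())
```

<p>Real switches also age out table entries, so a long-idle host is briefly flooded again, but the lesson for a sensor is the same: on a switch, a plain access port is not a monitoring port. The modern substitutes for the hub in this role are a mirror (SPAN) port or a network tap.</p><p>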
The upstream could be a router and the downstream might be a firewall, and the monitoring would be your NSM server. If you were looking at traffic between two individual computers and needed visibility for a NSM laptop, you would plug all three into the hub, and plug your Internet upstream into the fourth port.</p><p>I haven't needed this device in years, but I plan to keep it as a physical artifact of a time long past. At least this one still powers on, unlike my first computer, a Timex Sinclair ZX-80.</p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-89741978572329777742021-07-29T14:34:00.003-04:002021-07-29T14:34:54.661-04:00Zeek in Action Videos<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-9YVos6fiutc/YQLzznzMrYI/AAAAAAABQV0/XnHLfOYEJYwg7CmAdlYwfuaJbm4D8O8wgCLcBGAsYHQ/s2048/capture_001_29072021_143006.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1150" data-original-width="2048" height="360" src="https://1.bp.blogspot.com/-9YVos6fiutc/YQLzznzMrYI/AAAAAAABQV0/XnHLfOYEJYwg7CmAdlYwfuaJbm4D8O8wgCLcBGAsYHQ/w640-h360/capture_001_29072021_143006.jpg" width="640" /></a></div><br />This is a quick note to point blog readers to my <a href="https://www.youtube.com/playlist?list=PL2EYTX8UVCMitvFQeWxILfR0cTAhaWz9w" target="_blank">Zeek in Action YouTube video series</a> for the <a href="https://www.zeek.org" target="_blank">Zeek network security monitoring project</a>.&nbsp;<p></p><p>Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.&nbsp;</p><p>I am especially pleased with <a 
href="https://www.youtube.com/watch?v=sZgYmie-DpY" target="_blank">Video 6 on monitoring wireless networks</a>. It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- <a href="https://www.parrotsec.org/" target="_blank">Parrot</a>.&nbsp;</p><p>Please like and subscribe, and let me know if there is a topic you think might make a good video.</p><p><br /></p><p><br /></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-47755929156360692242021-04-13T11:00:00.039-04:002021-04-13T11:00:00.323-04:00New Book! The Best of TaoSecurity Blog, Volume 4<p>&nbsp;</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-sAiwY4ZN_WY/YHTciVwTUEI/AAAAAAABLPk/sGvTNKPnv206IteGLduT-0L2ufRzNUeeQCLcBGAsYHQ/s2048/The%2BBest%2Bof%2BTaoSecurity%2BBlog%252C%2BVolume%2B4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="640" src="https://1.bp.blogspot.com/-sAiwY4ZN_WY/YHTciVwTUEI/AAAAAAABLPk/sGvTNKPnv206IteGLduT-0L2ufRzNUeeQCLcBGAsYHQ/w400-h640/The%2BBest%2Bof%2BTaoSecurity%2BBlog%252C%2BVolume%2B4.jpg" width="400" /></a></div><br /><p>I've completed the <a href="https://amzn.to/326esgx" target="_blank">TaoSecurity Blog book series</a>.</p><p>The new book is&nbsp;<a href="https://amzn.to/3mFnIlb" target="_blank">The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship</a>.&nbsp;</p><p>It's available now for <a href="https://amzn.to/3mFnIlb" target="_blank">Kindle</a>, and I'm working on the print edition.&nbsp;</p><p>I'm running a <a href="https://amzn.to/326esgx" target="_blank">50% off promo on Volumes 
1-3 on Kindle</a> through midnight 20 April. Take advantage before the prices go back up.</p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-j9sPtsrFD6Y/YHTZlcRQ0UI/AAAAAAABLPU/5rU0ogS3r_07H6WQc8euN0dmQp5NYqNQACPcBGAYYCw/s1689/capture_001_12042021_190617.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="628" data-original-width="1689" height="238" src="https://1.bp.blogspot.com/-j9sPtsrFD6Y/YHTZlcRQ0UI/AAAAAAABLPU/5rU0ogS3r_07H6WQc8euN0dmQp5NYqNQACPcBGAYYCw/w640-h238/capture_001_12042021_190617.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><br /><p>I described the new title thus:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p>Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich.</p><p>In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.&nbsp;</p><p>In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives.</p><p>Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or policy audiences. It features posts from other blogs or news outlets, as well as some of his written testimony from eleven Congressional hearings. For the first time, Mr. Bejtlich publishes documents that he wrote as part of his abandoned war studies PhD program. This last batch of content was only available to his advisor, Dr. 
Thomas Rid, and his review committee at King's College London.</p><p>Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.</p></blockquote><p>This will likely be my final collection of writings. I've discovered some documents that may be of interest to historians, so I may contribute those to a <a href="https://nsarchive.gwu.edu/briefing-book/cyber-vault/2019-06-29/joint-task-force-computer-network-defense-20-years-later" target="_blank">national security archive like my friend Jay Healey did a few years ago</a>.</p><p>The only other work I might do for these four volumes is to record Audible editions. That would take a while, but I'm thinking about it.</p><div><br /></div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-61674151723180467152021-04-01T14:00:00.009-04:002021-04-02T19:40:52.650-04:00The Origins of the Names TaoSecurity and the Unit Formerly Known as TAO<p>&nbsp;</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Eid4loeT-gU/YGXcPpNFUeI/AAAAAAABLAc/6wieSbU0uw8wtK0Esa3GsyzVw46wjQjngCLcBGAsYHQ/s4206/taosecurity_high_r.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="748" data-original-width="4206" height="114" src="https://1.bp.blogspot.com/-Eid4loeT-gU/YGXcPpNFUeI/AAAAAAABLAc/6wieSbU0uw8wtK0Esa3GsyzVw46wjQjngCLcBGAsYHQ/w640-h114/taosecurity_high_r.jpg" width="640" /></a></div><br /><p></p><p>What are the origins of the names TaoSecurity and the unit formerly known as TAO?&nbsp;</p><h2 style="text-align: left;">Introduction</h2><p>I've been reading Nicole Perlroth's new book <a 
href="https://amzn.to/3wbWNlc" target="_blank">This Is How They Tell Me the World Ends</a>. Her discussion of the group formerly known as Tailored Access Operations, or TAO, reminded me of a controversy that arose in the 2000s. I had heard through back channels that some members of that group were upset that I was operating using the name TaoSecurity. In the 2000s and early 2010s I taught classes under the TaoSecurity brand, and even ran TaoSecurity as a single-person consultancy from 2005-2007.&nbsp;</p><p>The purpose of this post is to explain why, how, and when I chose the TaoSecurity identity, and to show that it is contemporaneous with the formal naming of the TAO group. The most reliable accounts indicate TaoSecurity predates the TAO brand.</p><h2 style="text-align: left;">TaoSecurity Began with Kung Fu and Taoism</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-D8-UkVNTDBA/YGXefnEA0wI/AAAAAAABLAk/szvRpmdQ1s8MG66AMWDpk09GRk2HNzr1wCLcBGAsYHQ/s1095/martialarts-rich-sifu-21jun1996.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="925" data-original-width="1095" height="338" src="https://1.bp.blogspot.com/-D8-UkVNTDBA/YGXefnEA0wI/AAAAAAABLAk/szvRpmdQ1s8MG66AMWDpk09GRk2HNzr1wCLcBGAsYHQ/w400-h338/martialarts-rich-sifu-21jun1996.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">With Sifu Michael Macaris, 21 June 1996</td></tr></tbody></table><br /><p>In the summer of 1994, after graduating from the Air Force Academy and before beginning my graduate program at what is now called the Harvard Kennedy School, I started watching re-runs of the <a href="https://sourcingbrucelee.blogspot.com/2019/05/the-truth-about-creation-of-kung-fu-tv.html" target="_blank">1970s David Carradine Kung Fu TV series, created by Ed Spielman</a>. 
I was so motivated by the philosophical message of the program that I joined a kung fu school in Massachusetts. I trained there for two years, and studied what I could about Chinese history and culture. I learned from the show that it was based on Taoism (<a href="https://youtu.be/rkT0tR5WVF0?t=57" target="_blank">for example</a>), so I bought a copy of the <a href="https://terebess.hu/english/tao/_index.html" target="_blank">Tao Te Ching by Lao Tzu</a> and devoured it.&nbsp;</p><h2 style="text-align: left;">Visiting China</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-Vx04Tg43MXE/YGXg90FbmVI/AAAAAAABLAs/49hN4bzZVhUDARC2bu65D49TanTFmiXPgCLcBGAsYHQ/s2048/tai%2Bchi.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1648" data-original-width="2048" height="323" src="https://1.bp.blogspot.com/-Vx04Tg43MXE/YGXg90FbmVI/AAAAAAABLAs/49hN4bzZVhUDARC2bu65D49TanTFmiXPgCLcBGAsYHQ/w400-h323/tai%2Bchi.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Tai Chi on the Yangtze, May 1999</td></tr></tbody></table><br /><p>In the spring of 1999 my wife and I took a three-week trip to China for our honeymoon. We were both interested in Chinese culture so it seemed like a great opportunity. It was an amazing trip, despite the fact that we were in China when the <a href="https://www.bbc.com/news/world-europe-48134881" target="_blank">United States bombed the Chinese embassy in Belgrade</a>.&nbsp;</p><p>I include these details to show that I was quite the fan of Chinese culture, well before any formal cyber threat intelligence reports associated me with China. 
I read books on Taoism and embraced its concepts.</p><h2 style="text-align: left;">Creating TaoSecurity</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-QLrYJLmNI8M/YGXi6zH64ZI/AAAAAAABLA0/GHyetm1rEY4Z_nyn0Ed1-oyLFaYjHlQlACLcBGAsYHQ/s798/capture_001_01042021_111146.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="205" data-original-width="798" height="103" src="https://1.bp.blogspot.com/-QLrYJLmNI8M/YGXi6zH64ZI/AAAAAAABLA0/GHyetm1rEY4Z_nyn0Ed1-oyLFaYjHlQlACLcBGAsYHQ/w400-h103/capture_001_01042021_111146.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">WHOIS lookup for taosecurity.com</td></tr></tbody></table><br /><p>In the summer of 2000 I was a captain at the Air Force Computer Emergency Response Team, within the 33rd Information Operations Squadron. I decided I wanted to try creating a Web presence, so I registered the TaoSecurity domain name on 4 July 2000. The WHOIS record above shows 3 July, which is odd, because a <a href="https://taosecurity.blogspot.com/2019/07/happy-birthday-taosecuritycom.html">previous post on the topic captured the correct date of 4 July 2000</a>. I also coined the phrase "the way of digital security."</p><p>My wife commissioned an artist to design the TaoSecurity logo, which I have used continuously since then. At the time I had never heard of TAO. There was a good reason for that. 
TAO was just being born as well.</p><h2 style="text-align: left;">General Hayden on Creating TAO</h2><div><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-y-lTCRyg_bU/YGXwVWyWkJI/AAAAAAABLBQ/VbAinamJqmsCT74hHk-qV-wdtohyWs6PgCPcBGAYYCw/s1499/cover.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1499" data-original-width="986" height="320" src="https://1.bp.blogspot.com/-y-lTCRyg_bU/YGXwVWyWkJI/AAAAAAABLBQ/VbAinamJqmsCT74hHk-qV-wdtohyWs6PgCPcBGAYYCw/s320/cover.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><i>Playing to the Edge</i> by General Michael Hayden</td></tr></tbody></table><br /><div>The first public source on the history of TAO appeared in a <a href="https://web.archive.org/web/20130616121605/http://www.foreignpolicy.com/articles/2013/06/10/inside_the_nsa_s_ultra_secret_china_hacking_group?page=full" target="_blank">2013 story for Foreign Policy by Matthew M. Aid</a>. He claimed that the agency created TAO in 1997. While it is possible that members of what would later be named TAO were working a similar mission in 1997, his story requires details that I add next.</div><p>A succinct source on the origins of the unit previously known as the TAO is the 18 October 2018 article by Steven Loleski. He wrote a piece called&nbsp;<a href="https://www.tandfonline.com/doi/full/10.1080/02684527.2018.1532627" target="_blank">From cold to cyber warriors: the origins and expansion of NSA’s Tailored Access Operations (TAO) to Shadow Brokers</a>&nbsp;(<a href="https://canvas.tufts.edu/files/1299545/download?download_frd=1" target="_blank">PDF</a>). Mr. 
Loleski cited General Michael Hayden's 2016 book <a href="https://amzn.to/3rBtV2o" target="_blank">Playing to the Edge</a>, which I quote more extensively here:</p><p>"<b>In the last days of 2000</b>, as we were rewiring the entire agency’s organizational chart (see chapter 2), we set up an enterprise called TAO, Tailored Access Operations, in the newly formed SIGINT Directorate (SID). We had toyed with some boutique end-point efforts before, but this was different. This was going to be industrial strength...And, even in a period of generalized growth, TAO became the fastest-growing part of NSA post-9/11, bar none."</p><p>Seeing as General Hayden was in charge of NSA at the time, that would seem to make it clear that TaoSecurity preceded TAO by several months, at least.</p><p>I also looked for details in the 2016 book&nbsp;<a href="https://amzn.to/3dtVFRk" target="_blank">Dark Territory: The Secret History of Cyber War</a> by Fred Kaplan. I've enjoyed several of his previous books, and he interviewed and cited me for the text.</p><p>Mr. Kaplan explained how General Michael Hayden, <a href="https://www.af.mil/About-Us/Biographies/Display/Article/104763/general-michael-v-hayden/" target="_blank">NSA director from&nbsp;March 1999 to April 2005</a>, named the unit, as part of a general reorganization effort. Thanks to <a href="https://cryptome.org/nsa-reorg-id.htm" target="_blank">Cryptome and FOIA requests by </a><i><a href="https://cryptome.org/nsa-reorg-id.htm" target="_blank">Inside Defense</a>&nbsp;</i>we can read the October 1999 report recommending organizational changes. 
That reorganization was the genesis for creating TAO.</p><h2 style="text-align: left;">Kaplan on Creating TAO</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-8BkQdUGy-jw/YGXsVilrG4I/AAAAAAABLBE/Axa-_eWPbWsoiT2pW6Q2H0jiwxTChtSqwCLcBGAsYHQ/s1392/naming%2Btao.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1165" data-original-width="1392" height="335" src="https://1.bp.blogspot.com/-8BkQdUGy-jw/YGXsVilrG4I/AAAAAAABLBE/Axa-_eWPbWsoiT2pW6Q2H0jiwxTChtSqwCLcBGAsYHQ/w400-h335/naming%2Btao.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">External Team Report Recommended Organization, 22 October 1999, Cryptome</td></tr></tbody></table><br /><p>This document, titled <a href="https://cryptome.org/nsa-reorg-et.htm" target="_blank">EXTERNAL TEAM REPORT: A Management Review for the Director, NSA, October 22, 1999</a>&nbsp;mentions the need to reorganize the "Signals Intelligence Mission (SIM)" into "three offices, Global Response, <b>Tailored Access</b> and Global Network." The <a href="https://cryptome.org/nsa-reorg-id.htm" target="_blank">October 2000 public news story by Inside Defense about the reorganization</a>&nbsp;implies that it did not happen overnight.&nbsp;</p><p>Mr. Kaplan notes that General Hayden initiated his "One Hundred Days of Change" program on 15 November 1999. A three-day server crash in January 2000 hampered reform efforts, prompting big changes in NSA approaches to computing. However, TAO was eventually operating some time in 2000. Mr. Kaplan notes the following in his book:</p><p>"It began, even under his expansion, as a small outfit: a few dozen computer programmers who had to pass an absurdly difficult exam to get in. 
The organization soon grew into an elite corps as secretive and walled off from the rest of the NSA as the NSA was from the rest of the defense establishment. Located in a separate wing of Fort Meade, <b>it was the subject of whispered rumors, but little solid knowledge, even among those with otherwise high security clearances...</b></p><p>Early on, TAO hacked into computers in fairly simple ways: phishing for passwords (one such program tried out every word in the dictionary, along with variations and numbers, in a fraction of a second) or sending emails with alluring attachments, which would download malware when opened.&nbsp;</p><p>Once, some analysts from the Pentagon’s Joint Task Force-Computer Network Operations were invited to Fort Meade for a look at TAO’s bag of tricks. The analysts laughed: this wasn’t much different from the software they’d seen at the latest DEF CON Hacking Conference; some of it seemed to be repackaged versions of the same software. Gradually, though, the TAO teams sharpened their skills and their arsenal."</p><p>It's clear from this passage that TAO started as a small unit that conducted less exotic operations. It was difficult to join, but a far cry from the powerhouse it would soon become. It's also clear that knowledge of this organization was tightly controlled. 
Even the term "tailored access" was not associated publicly with NSA until the October 2000 reporting by Inside Defense, reproduced by Cryptome.</p><h2 style="text-align: left;">Minihan's Role</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-_xZiq0xroDY/YGXx0c51VTI/AAAAAAABLBY/vVlE17zt_WsNg-6G_Q7FbPIaVHJwsURmACLcBGAsYHQ/s2000/cover.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="2000" data-original-width="1325" height="320" src="https://1.bp.blogspot.com/-_xZiq0xroDY/YGXx0c51VTI/AAAAAAABLBY/vVlE17zt_WsNg-6G_Q7FbPIaVHJwsURmACLcBGAsYHQ/s320/cover.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><i>Dark Territory</i>&nbsp;by Fred Kaplan</td></tr></tbody></table><br /><p>Circling back to the mention of 1997 in Mr. Aid's article, we do find the following in Mr. Kaplan's reporting:</p><p>"Fort Meade’s would be the third box on the new SIGINT organizational chart—“tailored access.”</p><p>[Lt Gen Kenneth] <a href="https://www.af.mil/About-Us/Biographies/Display/Article/106229/lieutenant-general-kenneth-a-minihan/" target="_blank">Minihan</a> [NSA director 1996-1999] had coined the phrase. During his tenure as director, he pooled a couple dozen of the most creative SIGINT operators into their own corner on the main floor and gave them that mission. What CIA black-bag operatives had long been doing in the physical world, the tailored access crew would now do in cyberspace, sometimes in tandem with the black-baggers, if the latter were needed—as they had been in Belgrade—to install some device on a crucial piece of hardware.</p><p>The setup transformed the concept of signals intelligence, the NSA’s stock in trade. 
SIGINT had long been defined as passively collecting stray electrons in the ether; now, it would also involve actively breaking and entering into digital machines and networks.</p><p>Minihan had wanted to expand the tailored access shop into an A Group of the digital era, but he ran out of time. When Hayden launched his reorganization, he took the baton and turned it into a distinct, elite organization—the Office of Tailored Access Operations, or TAO."</p><p>This reporting indicates that there was a tailored access group operating at NSA prior to General Hayden, but it was not actually named "TAO" and was not as large or exotic as what was to come.</p><h2 style="text-align: left;">Conclusion</h2><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-es8rhdmg_1w/YGX2sxdG4BI/AAAAAAABLBk/FPQZqc5NoQ8naaopzp5Qn84pnpZdiZhtwCLcBGAsYHQ/s158/tao%2Binside.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="145" data-original-width="158" src="https://1.bp.blogspot.com/-es8rhdmg_1w/YGX2sxdG4BI/AAAAAAABLBk/FPQZqc5NoQ8naaopzp5Qn84pnpZdiZhtwCLcBGAsYHQ/s0/tao%2Binside.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">"Tao inside," TAO's play on the Intel Inside marketing campaign</td></tr></tbody></table><br /><p>To summarize, General Hayden assigned the name TAO to a group inside NSA in late 2000, months after I registered the TaoSecurity domain name. Although General Minihan had created a tailored access group during his tenure, the existence of that team, as well as what was later formally called TAO, was a close-held secret. 
The term "tailored access" did not appear in the public until Inside Defense's reporting of October 2000.&nbsp;</p><p>Although I worked in the unit (Air Intelligence Agency) that served as the cryptologic service group for NSA (the Air Force contribution to the agency), I was not aware of any tailored access teams when I chose TaoSecurity as the name for my repository of security ideas. I selected TaoSecurity to reflect my interest in Taoism, and it had nothing to do with TAO or the NSA.</p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-81991147043008431502021-02-18T10:30:00.003-05:002021-02-18T10:53:39.880-05:00Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem <div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-NDUaYxxTE9c/YC54161pT5I/AAAAAAABIok/Lyz65CtEMHY01n64_UlyKkG9bry49RTAgCLcBGAsYHQ/s800/scales%2Bcolor.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="710" data-original-width="800" src="https://1.bp.blogspot.com/-NDUaYxxTE9c/YC54161pT5I/AAAAAAABIok/Lyz65CtEMHY01n64_UlyKkG9bry49RTAgCLcBGAsYHQ/s320/scales%2Bcolor.jpg" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;"><br /></div><h1 style="text-align: left;"><b>Proposition</b></h1><div style="text-align: left;">Digital offense capabilities are currently net negative for the security ecosystem.[0]</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The costs of improved digital offense currently outweigh the benefits. 
The legitimate benefits of digital offense accrue primarily to the <a href="https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html" target="_blank">security one percent</a>&nbsp;(<a href="https://twitter.com/hashtag/securityonepercent" target="_blank">#securityonepercent</a>), and to intelligence, military, and law enforcement agencies. The derived defensive benefits depend on the nature of the defender. The entire security ecosystem bears the costs, and in some cases even those who see tangible benefit may suffer costs exceeding those benefits.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">The Reason</h1><div style="text-align: left;">Limitations of scaling are the reason why digital offense capabilities are currently net negative.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Consider the case of an actor developing a digital offense capability, and publishing it to the general public.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>From the target side, limitations on scaling prevent complete mitigation or remediation of the vulnerability.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">The situation is much different from the offense perspective.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>Any actor may leverage the offense capability against any Internet-connected target on the planet.&nbsp;</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">The actor can scale that capability across the entire range of vulnerable or exposed targets.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">The Three</h1><div style="text-align: left;">Only three sets of actors are able to possibly leverage an offense capability for defensive purposes.</div><div style="text-align: left;"><br /></div><div style="text-align: 
left;">First, the<b> organization responsible for developing and maintaining the vulnerable or exposed asset</b> can determine if there is a remedy for the new offense capability. (This is typically a "vendor," but could be a noncommercial entity. As a shorthand, I will use "vendor.") The vendor can try to develop and deploy a patch or mitigation method.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Second, <b>major consumers</b> of the vulnerable or exposed asset can take similar steps, usually by implementing the vendor's patch or mitigation.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Third, the <b>security one percent</b> can take some defensive measures, either by implementing the vendor's patch or mitigation, or by developing and acting upon detection and response processes.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The combination of the actions by these three sets of actors will not completely remediate the digital offense capability. 
The gap can be small, or it can be exceptionally large, hence the net negative cost to the digital ecosystem.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">The Insight</h1><div style="text-align: left;">From the intruder side, little to no limitations on scaling mean the intruder can leverage the digital offense capability against all vulnerable targets.</div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;">This is the key insight that makes digital offense capabilities net negative for the entire security ecosystem:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>Offensive scale is superior to defensive scale.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Stated differently:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">An intruder actor can leverage an offense capability against any vulnerable target.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Few (if any) defenders can leverage a derived defense capability against all vulnerable targets.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div>Those who object to this argument are likely one of the three actors.</div></div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Objections: Vendors</h1><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors may have the strongest case for being able to scale defense, depending on the nature of the vendor's offering.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors who provide software or other capabilities that require customer action for updates are in the weakest position. 
If customers do not update, they remain vulnerable.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors who mandate automatic updating are in a stronger position. Customers receive the update, with the effectiveness of the update mechanism being the major limitation.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Vendors who operate "as a service" offerings, such as the major cloud and email providers, are in the strongest position. They can silently improve their offering without user involvement. They can scale defense across their service as they more or less completely control it.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Objections: Major Consumers</h1><div style="text-align: left;"><br /></div><div style="text-align: left;">Major consumers may operate with or without the involvement or action of vendors. When the major consumer is operating an on-premise instance, for example, they can be in a position to implement a mitigation or remediation. Such major consumers have teams that qualify them as being in the security one percent, so in some ways this dual-counts the defensive benefit.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Some major consumers may remain vulnerable, however, regardless of their relative size or nature. The SolarWinds case has shown that organizations with multi-billion-dollar information technology budgets can be as helpless as those outside the security one percent.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Objections: The Security One Percent</h1><div style="text-align: left;">The security one percent is likely to voice the loudest objections. 
The security one percent are individuals working in entities with the budget to fund a blue (defense) team, and probably a red (offense) team.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">As mentioned in a <a href="https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html" target="_blank">previous blog post</a>,&nbsp;the security one percent can use offensive tools to equip their red or penetration testing teams. Those teams, nonexistent outside the security one percent, can work with or against blue teams to determine if countermeasures are effective.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The security one percent is generally oblivious to their privilege. I was personally not aware of this mindset until the rise of ransomware in 2018-2020.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The exceptions are two-fold. One group that is aware of their privilege comes from "the other side of the tracks." They worked for an entity without a security team, perhaps in a non-IT role, or a non-security role. Another exception involves people who volunteer or consult with entities outside the security one percent. They see the gap between their own capabilities and those they are trying to help.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">One portion of the security one percent is particularly critical: those who rely upon offense for their income, or enjoy it as a hobby. They reject any sentiment or policy prescription that threatens their livelihood or enjoyment, regardless of the larger societal cost. 
Addressing the concerns of this group requires a separate blog post.</div><div style="text-align: left;"><br /></div><h1 style="text-align: left;">Summary</h1><div style="text-align: left;">The difference in the capabilities of the <b>vendor/major consumer/security one percent triad</b> and the rest of the security ecosystem is the result of <b>defense failing to scale as effectively as offense</b>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">When an actor publicly releases a digital offensive capability, especially in the form of working code, generally any threat actor can leverage that capability against any vulnerable target.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The inverse is not true. Any defensive capability, derived from the offensive capability, can generally <b>not </b>be leveraged to protect any vulnerable target.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Free or open source tools, training, or knowledge are helpful, but they require deployment, tuning, comprehension, commitment, and a host of other capabilities that do not scale as effectively as offensive code. While using offensive code has a learning and operational curve, it is nowhere near as steep as that facing defenders.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The strongest and most helpful exception is found in vendors who offer "as a service" capabilities. They can independently and comprehensively improve their security posture with little to no involvement from the vulnerable population. (An exception, for example, is offering, but not mandating, multi-factor authentication. 
Only by adopting MFA does the population improve its security.)</div><h1 style="text-align: left;">Conclusion</h1><div style="text-align: left;">The summary yields three conclusions:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">1.<b> Limiting the availability of digital offense capabilities</b>, such that they are not public and within the reach of any threat actor, will likely limit offensive options for intruders, thereby increasing their operational costs to research, develop, deploy, and maintain offensive tools.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">2. <b>Increasing the use and reliance upon "as a service" offerings</b> will likely improve the security of the ecosystem, as defensive measures can be scaled across the entire vulnerable population.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">3. The rise of "as a service" offerings will likely <b>drive intruders to target those offerings directly</b>, rather than the independent assets distributed across the ecosystem.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">There are no "solutions" in digital security -- only trade-offs.[1]&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I am cautiously optimistic that some combination of the first two conclusions would offset the rise of the third conclusion, generating a net positive improvement in digital security.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Too many in the digital world have treated security as a technical problem with technical solutions. While technical matters play a role, the centrality of the digital ecosystem means that it should be treated as a public policy concern. 
That strategy is at least two decades overdue.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Please direct comments on this post to <a href="https://twitter.com/taosecurity" target="_blank">Twitter</a>.</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Endnotes</h2><div style="text-align: left;">[0] I'm very confident this argument holds for <b>public digital offense capabilities</b>. After publishing this post I realized I assumed this perspective but did not make it explicit. Hence, this note.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">[1] I derive this phrase from one of my public policy professors,&nbsp;Philip D. Zelikow, who noted that there are no solutions in public policy -- only trade-offs.&nbsp;</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div><hr /><p style="text-align: left;">Richard Bejtlich, 9 November 2020</p><h1 style="text-align: left;">New Book! The Best of TaoSecurity Blog, Volume 3</h1><div style="text-align: left;">&nbsp;<div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-CF9UkuFGRFs/X6gJBNU43xI/AAAAAAABFVU/Ot5WsC5dYhkHwhbLgZkOuf739aupwR4PQCLcBGAsYHQ/s2048/The%2BBest%2Bof%2BTaoSecurity%2BBlog%252C%2BVolume%2B3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="640" src="https://1.bp.blogspot.com/-CF9UkuFGRFs/X6gJBNU43xI/AAAAAAABFVU/Ot5WsC5dYhkHwhbLgZkOuf739aupwR4PQCLcBGAsYHQ/w400-h640/The%2BBest%2Bof%2BTaoSecurity%2BBlog%252C%2BVolume%2B3.png" width="400" /></a></div><br /></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Introduction&nbsp;</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">I published a new book!</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div><a href="https://amzn.to/3578myH" target="_blank">The Best of TaoSecurity Blog, Volume 3: Current Events, Law, Wise People, History, and Appendices</a> is the third title in the <a href="https://amzn.to/3p7Z3qb">TaoSecurity Blog series</a>.&nbsp;</div><div><br /></div><div>It's in the <a href="https://amzn.to/3578myH" target="_blank">Kindle Store</a>, and if you have an Unlimited account, it's free.&nbsp;</div></div><div style="text-align: left;"><br /></div><div style="text-align: left;">I also published a <a href="https://amzn.to/3lbnNeQ" target="_blank">print edition</a>, which is 485 pages.&nbsp;</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Book Description</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">The book features the following description on the back cover:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div>Since 2003, cybersecurity author Richard Bejtlich has been publishing posts on TaoSecurity Blog, a site with 
15 million views since 2011. Now, after re-reading over 3,000 stories and approximately one million words, he has selected and republished the very best entries from 17 years of writing, along with commentaries and additional material.&nbsp;</div><div><br /></div><div>In the third volume of the TaoSecurity Blog series, Mr. Bejtlich addresses the evolution of his security mindset, influenced by current events and advice from his so-called set of "wise people." He talks about why speed is not the key to John Boyd's OODA loop, and why security strategies designed for and by the "security 1%" may be irrelevant at best, or harmful at worst, for the remaining "99%". His history section explores the origins of the terms threat hunting and indicators of compromise, and reveals who really created the quote "there are two types of companies." His chapter on law highlights traps that might catch security teams, with advice to chief information security officers.</div><div><br /></div><div>This volume contains some of Mr. Bejtlich’s favorite posts, such as Marcus Ranum's answer to what happens when security teams confront professionals, or how the Internet continues to function despite constant challenges, or reactions to comments by Dan Geer, Bruce Schneier, Marty Roesch, and other security leaders. Mr. 
Bejtlich has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.&nbsp; Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.</div><div><br /></div></div><h3 style="text-align: left;">Writing the Series</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">Although I had written and self-published a <a href="https://amzn.to/36dDR9H" target="_blank">book in early 2019</a>, I had used <a href="https://www.blurb.com/b/9204875-reach-your-goal-collector-s-edition" target="_blank">Blurb</a> and stayed in print format.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">For this new project, I wanted to publish "reflowable" (not print replica) Kindle editions, along with print versions, through Amazon.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I started the project in September 2019 by labelling 300 or so out of the 3,050 blog posts as candidates for inclusion in a "best of" book. I quickly realized that "only" 300 posts, plus new material and commentary, would result in a very large project, so I decided to break it into three volumes.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I created twelve categories and began sorting and commenting on the posts in March 2020. 
I decided to assign four categories to each volume, with an "appendices" category for the last volume if necessary.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I chose the 5.5 inch by 8.5 inch "statement" print size since it was supported by Google Docs and was a standard print size for Amazon.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Eventually I selected almost 375 posts for the book and began the real work!</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I published <a href="https://amzn.to/2GFNXat" target="_blank">volume 1</a> in May 2020. The <a href="https://amzn.to/3paOEKg" target="_blank">print edition</a> features 85,030 words in 357 pages, or about 238 words per page.&nbsp;</div><div style="text-align: left;"><div><br /></div><div>I published <a href="https://amzn.to/36fnTMe" target="_blank">volume 2</a> in September 2020. The <a href="https://amzn.to/2UjskQJ" target="_blank">print edition</a> features 96,288 words in 429 pages, or about 224 words per page.</div><div><br /></div><div>Now, <a href="https://amzn.to/369jZEo" target="_blank">volume 3</a> has arrived in November 2020. 
The <a href="https://amzn.to/3n8LODF" target="_blank">print edition</a> features 90,190 words in 485 pages, or about 185 words per page.</div><div><br /></div><div>In total, the project resulted in 271,508 words over 1,271 pages, or about 214 words per page.</div></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">What's Next?</h3><div style="text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-BZOew2-EM8g/X6gOX_U2djI/AAAAAAABFVg/4Z20IFZtN_0p0kCDDySoE9E-a55nVUIJACLcBGAsYHQ/s2048/Beyond%2BTaoSecurity%2BBlog%252C%2BVolume%2B1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="400" src="https://1.bp.blogspot.com/-BZOew2-EM8g/X6gOX_U2djI/AAAAAAABFVg/4Z20IFZtN_0p0kCDDySoE9E-a55nVUIJACLcBGAsYHQ/w250-h400/Beyond%2BTaoSecurity%2BBlog%252C%2BVolume%2B1.png" width="250" /></a></div><br /><div style="text-align: left;"><br /></div><div style="text-align: left;">Originally I wanted to add a few items outside TaoSecurity Blog to the third volume, in a section called "Appendices." As I discovered and collected this material, I realized that adding it would essentially double the size of the third volume. As it was over 400 pages at that time, I decided I would save most of this material for another project.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">That other project is <b>Beyond TaoSecurity Blog, Volume 1: Columns, Papers, PhD Work, and Testimonies. </b>At the moment, I believe I have a handle on what to include in that title. 
I don't expect to have a volume 2, but I thought it best to give this a volume number as I may have more material to publish in the future.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">My goal is to publish this "Beyond" book during the next few weeks -- perhaps during or after Thanksgiving.&nbsp;</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Conclusion</h3><div><br /></div><div>I wrote this series of books because I fear that this blog has become too unwieldy for its own good. Revisiting 17 years of posts, adding commentaries, and collecting related material has helped me better understand my own journey in security. The new "Beyond" book reaches a bit farther past the three blog volumes and includes material never before published, primarily from my abandoned PhD effort. I'll have more to say when I publish that book before the end of the year.</div><div><br /></div><div>If you've read any of the books in the&nbsp;<a href="https://amzn.to/3p7Z3qb">TaoSecurity Blog series</a>, I would greatly appreciate a positive review! Thank you.</div><hr /><p style="text-align: left;">Richard Bejtlich, 31 October 2020</p><h1 style="text-align: left;">Security and the One Percent: A Thought Exercise in Estimation and Consequences</h1><div style="text-align: left;">There's a good chance that if you're reading this post, you're a member of an exclusive club. I call it the security one percent, or the <b>security 1% </b>or <a href="https://twitter.com/search?q=%23securityonepercent" target="_blank">#securityonepercent</a> on Twitter. 
This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with detection and response capabilities and not just planning and resistance/"prevention" functions.&nbsp;</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Introduction&nbsp;</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">This post will estimate the size of the security 1% in the United States. It will then briefly explain how the security strategies of the 1% might be irrelevant at best or damaging at worst to the 99%.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">A First Cut with FIRST</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">It's difficult to measure the size of the security 1%, but not impossible. My goal is to ascertain the correct orders of magnitude.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">One method is to review entities that are members of the <a href="https://www.first.org/members/teams/" target="_blank">Forum of Incident Response and Security Teams, or FIRST</a>. FIRST is an organization to which high-performing computer incident response teams (CIRTs) may apply once their processes and data handling meet standards set by FIRST.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I learned of FIRST when the AFCERT was a member in the late 1990s. I also assisted with FIRST duties when Foundstone was a member in the early 2000s. I helped or sponsored membership when I worked at General Electric in the 2000s and Mandiant in the 2010s. 
I encourage all capable security teams to join FIRST.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Being a FIRST member means having a certain degree of incident response and data handling capability, and it signals to the world and to other FIRST teams that the member entity is serious about incident detection and response.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">As of the writing of this post, there are 540 FIRST teams worldwide. Slightly more than 100 of them are based in the United States.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">To put that in perspective, there are fewer than 4,000 publicly traded companies in the US. That means that <b>even if every single US FIRST member represented a publicly traded company</b> -- and that is not the case -- <b>FIRST representation for US publicly traded companies is only about 2.5%</b>.&nbsp;</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Beyond FIRST</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">Some of you might claim FIRST membership is no big deal. My current employer, Corelight, isn't a member, you might say.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Perhaps you could argue that for every US FIRST member, there are 9 others that have equivalent or better security teams. That would increase the cadre of entities with respectable detection and response capabilities from 100 to 1,000. That would still mean an <b>estimate that says&nbsp;75% of publicly traded US companies have sub-par or non-existent security programs.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Remember that we've only been talking about a population of 4,000 publicly traded US companies. 
The US Small Business and Entrepreneurship Council estimates that there were <b>5.6 million employer firms in the United States in 2016.</b> Let's sadly reduce that to 4 million to account for the devastation of Covid.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">(This reduction actually makes the situation look better for security, as terrible as it is either way. In other words, if I used a denominator of 5.6 million and not 4 million, security estimates would be 40% worse.)</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-IYoG2n_Bu-c/X521tGQ3fZI/AAAAAAABFJw/nBW3HuDl9Ochg6lRiegxwwStZhpoKVM8ACLcBGAsYHQ/s2043/capture_004_31102020_150603.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1033" data-original-width="2043" height="203" src="https://1.bp.blogspot.com/-IYoG2n_Bu-c/X521tGQ3fZI/AAAAAAABFJw/nBW3HuDl9Ochg6lRiegxwwStZhpoKVM8ACLcBGAsYHQ/w400-h203/capture_004_31102020_150603.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">Small Business and Entrepreneurship Council</span></td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">Let's be really generous and assume that only 1 in 100 of those 4 million businesses have any sensitive data.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">That leaves us with 400,000 entities with data worth defending. (Again, all of these estimates make it look like we're doing better than we actually are. 
The reality is probably a lot worse.)</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Remember that we only had 100 US teams in FIRST, and we assumed an incredible 10-to-1 ratio to add another 900 non-FIRST organizations to the list of entities with decent security.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Now let's be generous again and assume a 4-to-1 ratio, such that for every 1 team in the publicly traded world there are 3 in the private world that also have decent security.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>This creates a total of 4,000 US organizations with decent security, out of 400,000 that need it. Those 4,000 are the security 1%.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">If you think of the "best of the best," there are probably only about <b>40 US security teams that qualify as global leaders and innovators</b>. These are the teams that can stand toe-to-toe with most foes, and still struggle due to the nature of the security challenge. You and I could probably name them: Lockheed Martin, Google, General Electric, etc.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">That group of 40 is the 1% of the 1%, being 40 of the 4,000 of the 400,000. <b>These 40 are the US .01%.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">If you think I'm being too conservative with only 40 teams, then feel free to increase it to 400. I'd be really curious to see someone compile a list of 400 world-beating security teams. 
That would still mean <b>that US group of 400 is the .1%.</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><h3 style="text-align: left;">Sanity Check: A Few Statistics</h3></div><div style="text-align: left;"><br /></div><div style="text-align: left;">To give you a sense of my numbers, and whether they are of the right order of magnitude at least, here are a few statistics:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">1. The 2020 <i>Accenture Security Third Annual State of Cyber Resilience Report</i> featured responses from 4,644 "executives." This is the same order of magnitude as my estimates here, diluted due to a global perspective. (In other words, there are actually fewer US executives responding to this survey due to the global respondent pool.)</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-ZzYhiW21CR0/X52uAM57zDI/AAAAAAABFJA/_9tSloZlapIPyRrgNqzhH_dIvhbSScMaQCLcBGAsYHQ/s2048/capture_001_31102020_143246.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1152" data-original-width="2048" height="225" src="https://1.bp.blogspot.com/-ZzYhiW21CR0/X52uAM57zDI/AAAAAAABFJA/_9tSloZlapIPyRrgNqzhH_dIvhbSScMaQCLcBGAsYHQ/w400-h225/capture_001_31102020_143246.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">2020 <i>Accenture Security Third Annual State of Cyber Resilience Report</i>, p 46</span></td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">2. The 2021 <i>PWC Global Digital Trust Insights Report</i> featured responses from "3,249 business and technology executives around the world." 
This is again the same order of magnitude, again diluted due to global responses.</div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-AVqFpkpEygI/X52x8z-XwQI/AAAAAAABFJk/kbQcGnwFr2IdnloYZ0VdB2BZWKhwHaymQCLcBGAsYHQ/s1651/capture_003_31102020_144757.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="341" data-original-width="1651" height="83" src="https://1.bp.blogspot.com/-AVqFpkpEygI/X52x8z-XwQI/AAAAAAABFJk/kbQcGnwFr2IdnloYZ0VdB2BZWKhwHaymQCLcBGAsYHQ/w400-h83/capture_003_31102020_144757.png" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="text-align: left;">2021 <i>PWC Global Digital Trust Insights Report</i>, Web summary</span></td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">3. A 2019 report by Bitglass found that&nbsp;38% of the Fortune 500 do not have a CISO. That's 190 publicly traded companies! Hopefully it's less in 2020. 
Let's be generous and assume the CISO count is now 400 out of 500.</div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-P7wPJsxoGVg/X52vRAmWfFI/AAAAAAABFJM/WfJiQ8UWnxYqahKESNI7gLwfVstVSFgnwCLcBGAsYHQ/s650/bitglass-ciso-092019.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="367" data-original-width="650" height="226" src="https://1.bp.blogspot.com/-P7wPJsxoGVg/X52vRAmWfFI/AAAAAAABFJM/WfJiQ8UWnxYqahKESNI7gLwfVstVSFgnwCLcBGAsYHQ/w400-h226/bitglass-ciso-092019.jpg" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2019 Bitglass Report</td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">4. The 2020 Verizon <i>DBIR</i> featured reporting from 81 entities, the highest number in the history of the report. I do not know how many are in the US, but it's obviously fewer than 100, so the order of magnitude is again preserved. In other words, of the 4,000 capable security organizations in the US, less than 2.5% of them contributed to the <i>DBIR</i>. 
That would be fewer than 100, or roughly the number of US FIRST teams.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-JkqI_HCfjNM/X52w46CPJiI/AAAAAAABFJY/Ra2hgiNlAUUrQNbTWtS2b__lstCDdBO7QCLcBGAsYHQ/s2809/capture_002_31102020_144516.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="612" data-original-width="2809" src="https://1.bp.blogspot.com/-JkqI_HCfjNM/X52w46CPJiI/AAAAAAABFJY/Ra2hgiNlAUUrQNbTWtS2b__lstCDdBO7QCLcBGAsYHQ/s320/capture_002_31102020_144516.png" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">2020 Verizon <i>DBIR </i>Report</td></tr></tbody></table><div style="text-align: left;"><br /><br /></div><div style="text-align: left;">Remember that my focus here is the United States. This means the numbers from PWC, Accenture, and Verizon need to be reduced because they represent global audiences. However, the original FIRST count of roughly 100 American entities, and the statistic about the Fortune 500, which is just American companies, are already appropriately sized.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Security and the One Percent</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">What do these numbers mean for security?&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Speaking first just for the US, it means that most of the conversations among security practitioners on Twitter, in mailing lists, during Webinars, within classes, and at other gatherings take place within a very small grouping. 
<b>These are the 1%</b> that are part of the roughly 4,000 entities in the US that have a decent security capability.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>If those are the 1%, it means that the 99% are not included in these discussions.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">This means that free threat intelligence, or free classes, or free post-exploitation security tools, or other free capabilities <b>mean nothing, or almost nothing to those 99% of organizations that do not have security capabilities</b>, or whose capabilities are so low or stretched that they cannot take advantage of whatever the 1% offers.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">An Analogy: Personal Finance</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">I almost became a certified financial planner. Had I not secured a job in the AFCERT, I planned to separate from the Air Force, earn my CFP designation, and advise people on how to manage their assets and prepare for retirement.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I've come to realize that discussions I witness in the "security community" are like the discussions I see in the finance community. 
It requires taking a big step back to appreciate this situation.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">People at the 1% level in finance want to know how to manage their stock options, or how to save money for their child's college tuition through specialized savings vehicles, or, at the highest end, how to move assets throughout "Moneyland" in pursuit of ever lower taxes.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">These concerns are light-years away from the person who has a few dollars saved in an employer-provided 401(k) program, or who has little to no savings whatsoever.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">The Consequences of the Security One Percent</h3><div><br /></div><div style="text-align: left;">So what's the big deal?</div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><b>The consequence of the existence and mindshare dominance of the security 1% is that the strategies and tactics they employ may <u>work for the 1%</u>, but not the 99%.</b>&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I'm not talking about the "rich" preying on the "poor." That's neither my message nor my philosophical outlook.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Rather, I mean that <b>methods that the security 1% use to defend themselves are irrelevant at best to the 99%, and damaging at worst to the 99%.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">An example of irrelevance would be providing free indicators of compromise (IOCs) or other forms of threat intelligence. It's well-meaning but ultimately of no help to the 99%. 
If an entity in the 99% has a rudimentary security capability, or essentially zero security capability, threat intelligence is irrelevant.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">An example of damage would be publication of post-exploitation security tools, or PESTs. The 1% may have the ability to use such tools to equip their red or penetration testing teams, determining if the countermeasures implemented by their blue team can resist or detect and respond to their simulated and later actual attacks. The 99%, however, have little to no ability to leverage PESTs. <b>They end up simply being victims when actual intruders use PESTs to pillage the 99%'s assets.</b></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">Conclusion</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">Readers can argue with my numbers. These are estimates, yes, but I believe I've gotten the orders of magnitude right, at least in the US. It's probably worse overseas, especially in the developing world.&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The point of this exercise is to propose the idea that <b>the benefits of certain activities that may accrue to the 1% may be, and likely are, irrelevant and/or damaging to the 99%.</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;">In brief:</div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><b>I challenge the security 1% to first recognize their elite status, and second, to think how their beliefs and actions affect the 99% -- especially for the worse.</b></div><div style="text-align: left;"><br /></div><div style="text-align: left;">As this is a wicked problem, there is no easy answer. 
That may be worth a future blog post.</div><hr /><p style="text-align: left;">Richard Bejtlich, 23 October 2020</p><h1 style="text-align: left;">MITRE ATT&amp;CK Tactics Are Not Tactics</h1><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-98j4l3PuIJY/X5Lkc3MRlLI/AAAAAAABE9E/MmsGZ8Mes2kXgZqYjUxC3CisUL_EzAUDQCLcBGAsYHQ/s1016/on%2Btactics.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="389" data-original-width="1016" src="https://1.bp.blogspot.com/-98j4l3PuIJY/X5Lkc3MRlLI/AAAAAAABE9E/MmsGZ8Mes2kXgZqYjUxC3CisUL_EzAUDQCLcBGAsYHQ/s320/on%2Btactics.jpg" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="text-align: left;">Just what are "tactics"?</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Introduction</h2><div><br /></div><div style="text-align: left;"><a href="https://attack.mitre.org/" target="_blank">MITRE ATT&amp;CK</a>&nbsp;is a great resource, but something about it has bothered me since I first heard about it several years ago. 
It's a minor point, but I wanted to document it in case it confuses anyone else.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The <a href="https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf" target="_blank">MITRE ATT&amp;CK Design and Philosophy</a> document from March 2020 says the following:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div><i>At a high-level, ATT&amp;CK is a behavioral model that consists of the following core components:</i></div><div><i><br /></i></div><div><i>• Tactics, denoting short-term, tactical adversary goals during an attack;</i></div><div><i>• Techniques, describing the means by which adversaries achieve tactical goals;</i></div><div><i>• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and</i></div><div><i>• Documented adversary usage of techniques, their procedures, and other metadata.</i></div><div><br /></div><div>My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.</div><div><br /></div><div>The key word in the tactics definition is <b>goals</b>. 
According to MITRE, "tactics" are "goals."</div><div><br /></div><h2 style="text-align: left;">Examples of ATT&amp;CK Tactics</h2><div><br /></div><div>ATT&amp;CK lists the following as "<a href="https://attack.mitre.org/tactics/enterprise/" target="_blank">Enterprise Tactics</a>":</div></div><div style="text-align: left;"><br /></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-sgfJU4xVNF8/X5LQX_FrqZI/AAAAAAABE8s/Wy5ifE75Q5wJhSC4x6PPNKBexROc6sHhwCLcBGAsYHQ/s2048/capture_001_23102020_084057.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1375" data-original-width="2048" height="430" src="https://1.bp.blogspot.com/-sgfJU4xVNF8/X5LQX_FrqZI/AAAAAAABE8s/Wy5ifE75Q5wJhSC4x6PPNKBexROc6sHhwCLcBGAsYHQ/w640-h430/capture_001_23102020_084057.jpg" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">MITRE ATT&amp;CK "Tactics," https://attack.mitre.org/tactics/enterprise/</td></tr></tbody></table><div style="text-align: left;"><br />Looking at this list, the first 11 items could indeed be seen as <b>goals</b>. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&amp;CK structure. That's not my primary concern though.</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Military Theory and Definitions</h2><div><br /></div><div style="text-align: left;">As a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">I'd like to share three resources that offer a different perspective on tactics. 
Although all three are military, my argument does not depend on that association.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The <a href="https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/dictionary.pdf" target="_blank">DOD Dictionary of Military and Associated Terms</a>&nbsp;defines tactics as "the <b>employment and ordered arrangement of forces in relation to each other. </b>See also procedures; techniques. (CJCSM 5120.01)" (emphasis added)</div><div style="text-align: left;"><br /></div><div style="text-align: left;">In his book <i>On Tactics</i>, B. A. Friedman defines tactics as "the <b>use </b>of military forces to achieve victory over opposing enemy forces over the short term." (emphasis added)</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Dr. Martin van Creveld, scholar and author from the military strategy world, wrote the excellent <a href="https://www.britannica.com/topic/tactics" target="_blank">Encyclopedia Britannica entry on tactics</a>. His article includes the following:</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><div>"Tactics, in warfare, the art and science of fighting battles on land, on sea, and in the air. It is concerned with the approach to combat; the disposition of troops and other personalities; the use made of various arms, ships, or aircraft; and the execution of movements for attack or defense...</div><div><br /></div><div>The word tactics originates in the Greek <i>taxis</i>, meaning <b>order, arrangement, or disposition -- including the kind of disposition in which armed formations used to enter and fight battles. </b>From this, the Greek historian Xenophon derived the term <i>tactica</i>, the art of drawing up soldiers in array. 
Likewise, the <i>Tactica</i>, an early 10th-century handbook said to have been written under the supervision of the Byzantine emperor Leo VI the Wise, dealt with formations as well as weapons and the <b>ways of fighting</b> with them.</div><div><br /></div><div>The term tactics fell into disuse during the European Middle Ages. It reappeared only toward the end of the 17th century, when “Tacticks” was used by the English encyclopaedist John Harris to mean 'the Art of <b>Disposing </b>any Number of Men into a proposed form of Battle...'"</div><div><br /></div><div>From these three examples, it is clear that tactics are about use and disposition of forces or capabilities during engagements. Goals are entirely different. <b>Tactics are the methods by which leaders achieve goals.&nbsp;</b></div><div><b><br /></b></div><h2 style="text-align: left;">How Did This Happen?</h2><div><br /></div><div>I was not a fly on the wall when the MITRE team designed ATT&amp;CK. Perhaps the MITRE team fixated on the phrase "tactics, techniques, and procedures," or "TTPs," again derived from military examples, when they were designing ATT&amp;CK? TTPs became hot during the 2000s as incident responders with military experience drew on that language when developing concepts like <a href="https://taosecurity.blogspot.com/2018/11/the-origin-of-term-indicators-of.html" target="_blank">indicators of compromise</a>. That fixation might have led MITRE to use "tactics" for their top-level structure.&nbsp;</div><div><br /></div><div>It would have made more sense for MITRE to have just said "goal" or "objective," but "GTP" isn't recognized by the digital defender world.</div><div><br /></div><h2 style="text-align: left;">It's Not Just the Military</h2><div><br /></div><div>Some readers might think "ATT&amp;CK isn't a military tool, so your military examples don't apply." 
I use the military references to show that the word tactic does have military origins, like the word "strategy," from the Greek&nbsp;<i>Strategos </i>or <i>strategus</i>, plural <i>strategoi</i>, (Greek: στρατηγός, pl. στρατηγοί; Doric Greek: στραταγός, <i>stratagos</i>; meaning "army leader").&nbsp;</div><div><br /></div><div>That said, I would be surprised to see the word tactics used as "goals" anywhere else. For example, none of these examples from the non-military world involve tactics as goals:</div><div><br /></div><div>This <a href="https://hbr.org/1987/11/strategy-vs-tactics-from-a-venture-capitalist" target="_blank">Harvard Business Review article</a> defines tactics as "the day-to-day and month-to-month decisions required to manage a business."&nbsp;</div></div><div style="text-align: left;"><br /></div><div style="text-align: left;">This <a href="https://www.omha.net/news_article/show/590082">guide for ice hockey coaches</a> mentions tactics like "give and go’s, crossing attacks, cycling the puck, chipping the puck to space and overlapping."</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The <a href="https://www.thehartford.com/business-insurance/strategy/first-marketing-plan/marketing-tactics" target="_blank">guide for small business marketing</a> lists tactics like advertising, grass-roots efforts, trade shows, website optimization, and email and social marketing.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">In the civilian world, tactics are how leaders achieve goals or objectives.</div><div style="text-align: left;"><br /></div><h2 style="text-align: left;">Conclusion</h2><div><br /></div><div style="text-align: left;">In the big picture, it doesn't matter that much to ATT&amp;CK content that MITRE uses the term "tactics" when it really means "goals."&nbsp;</div><div style="text-align: left;"><br /></div><div style="text-align: left;">However, I wrote this article because the 
ATT&amp;CK design and philosophy emphasizes a common language, e.g., ATT&amp;CK "succinctly organizes adversary tactics and techniques along with providing a <b>common language</b> used across security disciplines."</div><div style="text-align: left;"><br /></div><div style="text-align: left;">If we want to share a common language, it's important that we recognize that the ATT&amp;CK use of the term "tactics" is an anomaly. Perhaps a future edition will change the terminology, but I doubt it given how entrenched it is at this point.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><b>Update</b>: This <a href="https://twitter.com/mattyb1512/status/1319661359940984834" target="_blank">Tweet from Matt Brady</a> made this point:</div><div style="text-align: left;"><br /></div><div style="text-align: left;">"Agreed - for example, supply chain compromise is a tactic used for initial access, whereas software supply chain compromise (ShadowHammer) is a specific technique."</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-63851256708047277292020-10-10T11:30:00.004-04:002020-10-11T11:40:16.936-04:00Greg Rattray Invented the Term Advanced Persistent Threat<p>&nbsp;</p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-5JbRi2XMXHw/X4HL1Vb_4_I/AAAAAAABEyY/4nWwFCEfyhMHtzZNkivGHNfEW2idreH6ACLcBGAsYHQ/s1691/capture_001_10102020_105629.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1691" data-original-width="1338" height="640" src="https://1.bp.blogspot.com/-5JbRi2XMXHw/X4HL1Vb_4_I/AAAAAAABEyY/4nWwFCEfyhMHtzZNkivGHNfEW2idreH6ACLcBGAsYHQ/w506-h640/capture_001_10102020_105629.jpg" width="506" /></a></div><div class="separator" style="clear: both; 
text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">I was so pleased to read this <a href="https://twitter.com/GregRattray_/status/1314650788984229889">Tweet</a> yesterday from Greg Rattray:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">"<b>Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with</b>...&nbsp;Since then both the APT term and the nature of our adversaries have evolved. What hasn’t changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses."</div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2 style="clear: both; text-align: left;">Background</h2><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">First, some background. Who is Greg Rattray?</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">To start, you could call him Colonel or Doctor. I will use Col as that was the last title I used with him, although these days when we chat I call him Greg.&nbsp;</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Col Rattray served 21 years in the Air Force and also earned his PhD in international security from Tufts University. 
His thesis formed the content for his 2001 book <a href="https://amzn.to/36NJY6t" target="_blank">Strategic Warfare in Cyberspace</a>, which I reviewed in 2002 and <a href="https://www.amazon.com/gp/customer-reviews/RR0C0U97V748M/ref=cm_cr_dp_d_rvw_ttl?ie=UTF8&amp;ASIN=0262182092" target="_blank">rated 4 stars</a>. (Ouch -- I was a bit stingy with the stars back then. I was more of an operator and less of a theorist or historian in those days. Such was my bias I suppose.)</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Col Rattray is also a 1984 graduate of the Air Force Academy. He studied history and political science there and returned as an assistant professor in the early 1990s. He was one of my instructors when I was a cadet there. (I graduated in 1994 with degrees in history and political science.) Col Rattray then earned a master of public policy degree at Harvard Kennedy School. (I did the same, in 1996.)&nbsp;</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Do you see a pattern here? He is clearly a role model. Of course, I did not stay in the Air Force as long, earn the same rank, or survive my PhD program!</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">After the Academy, Col Rattray served as commander of the 23rd Information Operations Squadrons on Security Hill in San Antonio, Texas. I was working in the AFCERT at the time.&nbsp;</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">One of the last duties I had in uniform was to travel to Nellis AFB outside Las Vegas and participate in a doctrine writing project for information warfare. 
At the time I was not a fan of the idea, but Col Rattray convinced me someone needed to write down how we did computer network defense in the AFCERT.&nbsp;</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">He didn't order me to participate, which I always appreciated. Years later I told him it was a good idea to organize that project and that I was probably just grumpy because of the way the Air Force personnel system had treated me at the end of my military career.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2 style="clear: both; text-align: left;">Why The Tweet Matters</h2><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">For years I've had to dance around the issue of who invented the term "APT." In most narratives I say that an Air Force colonel invented the term in 2006. I based this on discussions I had with colleagues in the defense industrial base who were working with said colonel and his team from the Air Force. I did not know back then that it was Col Rattray and his team from the Air Force Information Warfare Center.&nbsp;</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Years later I learned of Rattray's role, but not directly from him. Only this year did Col Rattray confirm to me that he had invented the term, and that 2007 was the correct year. I encouraged him to say something, because as an historian I appreciate the value of facts and narrative. 
As I <a href="https://twitter.com/taosecurity/status/1314662363233165314" target="_blank">Tweeted</a> after seeing Greg's Tweet:</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">"Security, like any other field, has HISTORY, which means there are beginnings, and stories, and discoveries, and innovators, and leaders, and first steps, and pioneers. I'm so pleased to see people like @GregRattray_ feel comfortable enough after all these years to say something."</div><p></p><p></p><div class="separator" style="clear: both; text-align: left;">I don't think many people in the security field think about history. Security tends to be obsessed with the "new" and the "shiny." Not enough people wonder how we got to this point, or what decisions led to the current situation. The security scene in 2020 is very different from the scene in 1960, or 1970, or 1980, or 1990, or 2000, or even 2010. This is not the time to describe how or why that is the case. 
I'm just glad a very important piece of the puzzle is now public.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><h2 style="clear: both; text-align: left;">More on the APT</h2><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-NFfk1OEcfek/X4HS5tyhEYI/AAAAAAABEzE/3d2Zb9MDvaoxcJLooqS_rcJepGQY5PukwCLcBGAsYHQ/s2048/BoTB%2BDec%2B2020%2Bvol%2B3.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1030" data-original-width="2048" height="322" src="https://1.bp.blogspot.com/-NFfk1OEcfek/X4HS5tyhEYI/AAAAAAABEzE/3d2Zb9MDvaoxcJLooqS_rcJepGQY5PukwCLcBGAsYHQ/w640-h322/BoTB%2BDec%2B2020%2Bvol%2B3.jpg" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">If you'd like to learn more about this history of the APT, check out my newest book -- <a href="https://amzn.to/2GJt9yW" target="_blank">The Best of TaoSecurity Blog, Volume 2</a>. I devote an entire chapter to blog posts and new commentary on the APT. 
Volume 1 arrived a few months before this new book, and I'm working on Volume 3 now.</div><br /><p></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-33507347954595883572020-09-03T11:07:00.004-04:002020-09-03T11:19:18.938-04:00The FBI Intrusion Notification Program<p>The FBI intrusion notification program is one of the most important developments in cyber security during the last 15 years.&nbsp;</p><p>This program achieved mainstream recognition on 24 March 2014 when Ellen Nakashima reported on it for the Washington Post in her story&nbsp;<a href="https://web.archive.org/web/20140325052838/https://www.washingtonpost.com/world/national-security/2014/03/24/74aff686-aed9-11e3-96dc-d6ea14c099f9_story.html" target="_blank">U.S. notified 3,000 companies in 2013 about cyberattacks</a>.&nbsp;</p><p>The story noted the following:</p><p>"Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions...</p><p>About 2,000 of the notifications were made in person or by phone by the FBI, which has 1,000 people dedicated to cybersecurity investigations among 56 field offices and its headquarters. Some of the notifications were made to the same company for separate intrusions, officials said. 
Although in-person visits are preferred, resource constraints limit the bureau’s ability to do them all that way, former officials said...</p><p>Officials with the Secret Service, an agency of the Department of Homeland Security that investigates financially motivated cybercrimes, said that they notified companies in 590 criminal cases opened last year, officials said. Some cases involved more than one company."</p><p>The reason this program is so important is that it shattered the delusion that some executives used to reassure themselves. When the FBI visits your headquarters to tell you that you are compromised, you can't pretend that intrusions are "someone else's problem."</p><p>It may be difficult for some readers to appreciate how prevalent this mindset was, from the beginnings of IT to about the year 2010.</p><p>I do not know exactly when the FBI began notifying victims, but I believe the mid-2000's is a safe date. I can personally attest to the program around that time.</p><p>I was reminded of the importance of this program by Andy Greenberg's new story&nbsp;<a href="https://www.wired.com/story/fbi-hacking-victim-notifications/" target="_blank">The FBI Botched Its DNC Hack Warning in 2016—but Says It Won’t Next Time</a>.&nbsp;</p><p>I strongly disagree with this "botched" characterization. Andy writes:</p><p>"[S]omehow this breach [of the Democratic National Committee] had come as a terrible surprise—despite an FBI agent's warning to [IT staffer Yared] Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.</p><p>The FBI agent's warnings had 'never used alarming language,' Tamene would tell the Senate committee, and never reached higher than the DNC's IT director, who dismissed them after a cursory search of the network for signs of foul play."</p><p>As with all intrusions, criminal responsibility lies with the intruder. 
However, I do not see why the FBI is supposed to carry the blame for how this intrusion unfolded.&nbsp;</p><p>According to investigatory documents and this <a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/">Crowdstrike blog post</a> on their involvement, at least seven months passed from the time the FBI notified the DNC (sometime in September 2015) and when they contacted Crowdstrike (30 April 2016). That is ridiculous.&nbsp;</p><p>If I received a call from the FBI even hinting at a Russian presence in my network, I would be on the phone with a professional incident response firm right after I briefed the CEO about the call.</p><p>I'm glad the FBI continues to improve its victim notification procedures, but it doesn't make much of a difference if the individuals running IT and the organization are negligent, either through incompetence or inaction.</p><p><b>Note: Fixed year typo.</b></p><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-29670898030636872262020-09-01T08:30:00.002-04:002020-11-08T10:02:53.857-05:00New Book! 
The Best of TaoSecurity Blog, Volume 2<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-Xw4k9xETOAk/X049OPx3eLI/AAAAAAABES4/u_8avBh78HwD_k7SNtalriiarCu9xzPAQCLcBGAsYHQ/s2048/The%2BBest%2Bof%2BTaoSecurity%2BBlog%252C%2BVolume%2B2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2048" data-original-width="1283" height="640" src="https://1.bp.blogspot.com/-Xw4k9xETOAk/X049OPx3eLI/AAAAAAABES4/u_8avBh78HwD_k7SNtalriiarCu9xzPAQCLcBGAsYHQ/s640/The%2BBest%2Bof%2BTaoSecurity%2BBlog%252C%2BVolume%2B2.jpg" /></a></div><br />&nbsp;<p></p><p>I published a new book!</p><p><a href="https://amzn.to/3lHm1D0" target="_blank">The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent Threat</a></p><p>It's in the <a href="https://amzn.to/3lHm1D0" target="_blank">Kindle Store</a>, and if you're on Kindle Unlimited it's free. Print edition to follow.</p><p>The book lists as having 413 pages (for the Kindle edition at least) and it's almost 95,000 words. I started working on it in June after finishing <a href="https://amzn.to/2YSlmVt" target="_blank">Volume 1</a>.</p><p>Here is the book description:</p><p>Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing.&nbsp;</p><p>In the second volume of the TaoSecurity Blog series, Mr. Bejtlich addresses how to detect and respond to intrusions using third party threat intelligence sources, network data, application and infrastructure data, and endpoint data. He assesses government and private security initiatives and applies counterintelligence and counteradversary mindsets to defend digital assets. 
He documents the events of the last 20 years of Chinese hacking from the perspective of a defender on the front lines, in the pre- and post-APT era.&nbsp;</p><p>This volume contains some of Mr. Bejtlich’s favorite posts, such as histories of threat hunting, so-called black and white hat budgeting, attribution capabilities and limits, and rating information security incidents. He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.&nbsp; Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.</p><div>I have a third volume planned. I will publish it by the end of the year.&nbsp;</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-ofg2qWIViiI/X0498WizfsI/AAAAAAABETA/c4g-vvla5xElSVmrtszMFaxZDJcJZ27gACLcBGAsYHQ/s1380/capture_001_18062020_154748.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="697" data-original-width="1380" src="https://1.bp.blogspot.com/-ofg2qWIViiI/X0498WizfsI/AAAAAAABETA/c4g-vvla5xElSVmrtszMFaxZDJcJZ27gACLcBGAsYHQ/s640/capture_001_18062020_154748.png" width="640" /></a></div><br /><div>If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and there is a sample that lets you download and read some of the book. 
Enjoy!</div><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-10663516703321764332020-08-19T11:17:00.003-04:002020-08-20T11:49:30.850-04:00One Weird Trick for Reviewing Zeek Logs on the Command Line!Are you a network security monitoring dinosaur like me? Do you prefer to inspect your Zeek logs using the command line instead of a Web-based SIEM?<div><br /></div><div>If yes, try this <b>one weird trick!</b></div><div><br /></div><div>I store my Zeek logs in JSON format. Sometimes I like to view the output using jq.</div><div><br /></div><div>If I need to search directories of logs for a string, like a UID, I might* use something like zgrep with the following syntax:</div><div><br /></div><div><div><span style="font-family: courier; font-size: small;">$ <b>zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/*</b></span></div><div><span style="font-family: courier; font-size: small;"><br /></span></div><div><span style="font-family: courier; font-size: small;">2020-08-16/conn_20200816_06:00:00-07:00:00+0000.log.gz:{"_path":"conn","_system_name":"ds61","_write_ts":"2020-08-16T06:26:10.266225Z","_node":"worker-01","ts":"2020-08-16T06:26:01.485394Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"proto":"tcp","service":"ftp","duration":3.780829906463623,"orig_bytes":184,"resp_bytes":451,"conn_state":"SF","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShAdDafF","orig_pkts":20,"orig_ip_bytes":1232,"resp_pkts":17,"resp_ip_bytes":1343,"community_id":"1:lEESxqaSVYqFZvWNb4OccTa9sTs="}</span></div><div><span style="font-family: courier; font-size: 
small;">2020-08-16/ftp_20200816_06:26:04-07:00:00+0000.log.gz:{"_path":"ftp","_system_name":"ds61","_write_ts":"2020-08-16T06:26:04.077276Z","_node":"worker-01","ts":"2020-08-16T06:26:03.553287Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"user":"anonymous","password":"ftp@example.com","command":"EPSV","reply_code":229,"reply_msg":"Entering Extended Passive Mode (|||31746|).","data_channel.passive":true,"data_channel.orig_h":"192.168.2.76","data_channel.resp_h":"196.216.2.24","data_channel.resp_p":31746}</span></div><div><span style="font-family: courier; font-size: small;">2020-08-16/ftp_20200816_06:26:04-07:00:00+0000.log.gz:{"_path":"ftp","_system_name":"ds61","_write_ts":"2020-08-16T06:26:05.117287Z","_node":"worker-01","ts":"2020-08-16T06:26:04.597290Z","uid":"CLkXf2CMo11hD8FQ5","id.orig_h":"192.168.2.76","id.orig_p":53380,"id.resp_h":"196.216.2.24","id.resp_p":21,"user":"anonymous","password":"ftp@example.com","command":"RETR","arg":"ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5","file_size":74,"reply_code":226,"reply_msg":"Transfer complete.","fuid":"FueF95uKPrUuDnMc4"}</span></div><div><br /></div><div>That is tough on the eyes. I cannot simply pipe that output to jq, however:</div><div><br /></div><div><span style="font-family: courier; font-size: small;">$ <b>zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | jq .</b></span></div><div><span style="font-family: courier; font-size: small;">parse error: Invalid numeric literal at line 1, column 28</span></div><div><br /></div><div>What I need to do is strip out the filename and colon before the JSON. 
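One way to do that stripping, as an added example that is not part of the original post: the sample lines are constructed to look like the zgrep output above, the helper names (strip_zgrep_prefix, count_non_json_lines, zeek_uid_json) are mine, and the choice to anchor the pattern on the first "{" rather than on "gz:" is my own precaution so that a JSON string value containing ".gz:" cannot be mangled.

```shell
#!/bin/sh
# Added example (not the post's own commands): strip the "filename:" prefix that
# zgrep prepends to each hit when it searches several files, so the remaining
# JSON can be piped to jq.
# Constructed sample shaped like the post's zgrep output. The filenames contain
# colons (the HH:MM:SS in the log name), and the second record carries a JSON
# string value ending in ".gz:" to show why a greedy 's/.*gz://' is risky.
SAMPLE_ZGREP_OUTPUT='2020-08-16/conn_20200816_06:00:00-07:00:00+0000.log.gz:{"_path":"conn","uid":"CLkXf2CMo11hD8FQ5","id.resp_p":21}
2020-08-16/ftp_20200816_06:26:04-07:00:00+0000.log.gz:{"_path":"ftp","uid":"CLkXf2CMo11hD8FQ5","arg":"ftp://host/pub/x.tar.gz:bad"}'

# Delete everything up to the last colon before the first "{" on each line.
# Anchoring on "{" (where the JSON object starts) instead of on "gz:" removes
# the prefix exactly once and never touches anything inside the JSON.
# If you do not care which file matched, GNU zgrep's -h option suppresses the
# prefix entirely and no sed is needed.
strip_zgrep_prefix() {
    sed 's/^[^{]*://'
}

# Count lines that still do not begin with "{". After a correct strip this is
# 0, which is a cheap sanity check before handing the stream to jq.
count_non_json_lines() {
    grep -c -v '^{' || true
}

# The workflow from the post as one function: search a day's logs for a UID and
# pretty-print the hits. Falls back to raw JSON lines if jq is not installed.
zeek_uid_json() {
    uid=$1
    dir=$2
    if command -v jq >/dev/null 2>&1; then
        zgrep "$uid" "$dir"/* | strip_zgrep_prefix | jq .
    else
        zgrep "$uid" "$dir"/* | strip_zgrep_prefix
    fi
}

# Demonstration on the constructed sample (no log directory needed).
printf '%s\n' "$SAMPLE_ZGREP_OUTPUT" | strip_zgrep_prefix
printf 'lines still carrying a prefix: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ZGREP_OUTPUT" | strip_zgrep_prefix | count_non_json_lines)"
```

Running the greedy `sed 's/.*gz://'` over the same sample turns the second record into `bad"}`, which is exactly the kind of silent truncation the anchored pattern avoids.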
I learned how to use sed to do this thanks to <a href="https://unix.stackexchange.com/questions/136794/how-to-use-sed-to-replace-all-characters-before-colon" target="_blank">this post</a>.&nbsp;</div><div><br /></div><div><span style="font-family: courier; font-size: small;">$ <b>zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | sed 's/.*gz://' | jq .</b></span></div><div><span style="font-family: courier; font-size: small;"><b><br /></b></span></div><div><span style="font-family: courier; font-size: small;">{</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_path": "conn",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_system_name": "ds61",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_write_ts": "2020-08-16T06:26:10.266225Z",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_node": "worker-01",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "ts": "2020-08-16T06:26:01.485394Z",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "uid": "CLkXf2CMo11hD8FQ5",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.orig_h": "192.168.2.76",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.orig_p": 53380,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.resp_p": 21,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "proto": "tcp",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "service": "ftp",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "duration": 3.780829906463623,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "orig_bytes": 184,</span></div><div><span style="font-family: 
courier; font-size: small;">&nbsp; "resp_bytes": 451,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "conn_state": "SF",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "local_orig": true,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "local_resp": false,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "missed_bytes": 0,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "history": "ShAdDafF",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "orig_pkts": 20,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "orig_ip_bytes": 1232,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "resp_pkts": 17,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "resp_ip_bytes": 1343,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "community_id": "1:lEESxqaSVYqFZvWNb4OccTa9sTs="</span></div><div><span style="font-family: courier; font-size: small;">}</span></div><div><span style="font-family: courier; font-size: small;">{</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_path": "ftp",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_system_name": "ds61",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_write_ts": "2020-08-16T06:26:04.077276Z",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_node": "worker-01",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "ts": "2020-08-16T06:26:03.553287Z",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "uid": "CLkXf2CMo11hD8FQ5",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.orig_h": "192.168.2.76",</span></div><div><span 
style="font-family: courier; font-size: small;">&nbsp; "id.orig_p": 53380,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.resp_p": 21,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "user": "anonymous",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "password": "ftp@example.com",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "command": "EPSV",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "reply_code": 229,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "reply_msg": "Entering Extended Passive Mode (|||31746|).",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "data_channel.passive": true,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "data_channel.orig_h": "192.168.2.76",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "data_channel.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "data_channel.resp_p": 31746</span></div><div><span style="font-family: courier; font-size: small;">}</span></div><div><span style="font-family: courier; font-size: small;">{</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_path": "ftp",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_system_name": "ds61",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_write_ts": "2020-08-16T06:26:05.117287Z",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "_node": "worker-01",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "ts": "2020-08-16T06:26:04.597290Z",</span></div><div><span style="font-family: courier; 
font-size: small;">&nbsp; "uid": "CLkXf2CMo11hD8FQ5",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.orig_h": "192.168.2.76",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.orig_p": 53380,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.resp_h": "196.216.2.24",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "id.resp_p": 21,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "user": "anonymous",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "password": "ftp@example.com",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "command": "RETR",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "arg": "ftp://196.216.2.24/pub/stats/afrinic/delegated-afrinic-extended-latest.md5",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "file_size": 74,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "reply_code": 226,</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "reply_msg": "Transfer complete.",</span></div><div><span style="font-family: courier; font-size: small;">&nbsp; "fuid": "FueF95uKPrUuDnMc4"</span></div><div><span style="font-family: courier; font-size: small;">}</span></div></div><div><br /></div><div>Maybe this will help you too.</div><div><br /></div><div>*I use the find command in other circumstances.</div><div><br /></div><div><b>Update:</b>&nbsp;Twitter user @captainGeech42 <a href="https://twitter.com/captainGeech42/status/1296110420428599302" target="_blank">noted</a> that I could use grep -h and omit the sed pipe, e.g.:</div><div><br /></div><div><div>$ zgrep -h "CLkXf2CMo11hD8FQ5" 2020-08-16/* | jq .</div></div><div><br /></div><div>Thanks for the tip!</div><div><br /></div><div class="blogger-post-footer">Copyright 2003-2020 
Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-82206192942460851712020-07-16T11:04:00.004-04:002020-07-27T17:53:34.898-04:00I Did Not Write This Book<br /> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody> <tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-07Eh99V2HeQ/XxBsUp_lHKI/AAAAAAABCyI/C5Km9c74Zv8K9T3grqd7tL-OOjKy9K83QCLcBGAsYHQ/s2938/capture_001_16072020_104430.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Fake Book" border="0" data-original-height="1071" data-original-width="2938" height="234" src="https://1.bp.blogspot.com/-07Eh99V2HeQ/XxBsUp_lHKI/AAAAAAABCyI/C5Km9c74Zv8K9T3grqd7tL-OOjKy9K83QCLcBGAsYHQ/w640-h234/capture_001_16072020_104430.png" title="Fake Book" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Fake Book&nbsp;</td></tr> </tbody></table> <br /> <div> Someone published a "book" on Amazon and claimed that I wrote it! I had NOTHING to do with this. I am working with Amazon now to remove it, or at least remove my name. Stay away from this garbage!<br /> <br /> <b>Update: </b>Thankfully, within a day or so of this post, the true author of this work removed it from Amazon. It has not returned, at least as far as I have seen.</div> <div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-57819846340686615932020-05-04T11:51:00.000-04:002020-05-04T11:51:25.347-04:00New Book! 
The Best of TaoSecurity Blog, Volume 1<div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-4UBAy0GSqtI/XrA11_5aZXI/AAAAAAABANs/biGL-LMrUXk48c8H8p_7yzKnJCdJozmAQCLcBGAsYHQ/s1600/The%2BBest%2Bof%2BTaoSecurity%2BBlog%2Bvol%2B1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1003" height="640" src="https://1.bp.blogspot.com/-4UBAy0GSqtI/XrA11_5aZXI/AAAAAAABANs/biGL-LMrUXk48c8H8p_7yzKnJCdJozmAQCLcBGAsYHQ/s640/The%2BBest%2Bof%2BTaoSecurity%2BBlog%2Bvol%2B1.png" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> I'm very pleased to announce that I've published a new book!<br /> <br /> It's&nbsp;<a href="https://amzn.to/2SBsB0H" target="_blank">The Best of TaoSecurity Blog, Volume 1: Milestones, Philosophy and Strategy, Risk, and Advice</a>. It's available now in the <a href="https://amzn.to/2SBsB0H" target="_blank">Kindle Store</a>, and if you're a member of Kindle Unlimited, it's currently free. I may also publish a print version. If you're interested, please tell me on <a href="https://twitter.com/taosecurity" target="_blank">Twitter</a>.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-2v3kOh-QWNs/XrA2s5frkqI/AAAAAAABAN0/NUERAcjQnLIEUBuSStUP3TrwSlELJRzTwCLcBGAsYHQ/s1600/capture_001_04052020_113014.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="928" data-original-width="1600" height="370" src="https://1.bp.blogspot.com/-2v3kOh-QWNs/XrA2s5frkqI/AAAAAAABAN0/NUERAcjQnLIEUBuSStUP3TrwSlELJRzTwCLcBGAsYHQ/s640/capture_001_04052020_113014.png" width="640" /></a></div> <br /> <br /> The book lists at 332 pages and is over 83,000 words. 
I've been working on it since last year, but I've used the time in isolation to carry the first volume over the finish line.<br /> <br /> The Amazon.com description says:<br /> <br /> Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing.<br /> <br /> In the first volume of the TaoSecurity Blog series, Bejtlich addresses milestones, philosophy and strategy, risk, and advice. Bejtlich shares his thoughts on leadership, the intruder's dilemma, managing burnout, controls versus assessments, insider versus outsider threats, security return on investment, threats versus vulnerabilities, controls and compliance, the post that got him hired at a Fortune 5 company as their first director of incident response, and much more.<br /> <br /> He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.&nbsp; Read how the security industry, defensive methodologies, and strategies to improve career opportunities have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.<br /> <br /> Finally, if you're interested in subsequent volumes, I have two planned.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-OeaTQaBEcbY/XrA3CAs0lMI/AAAAAAABAOA/fwVL_WsUpncbLQ7jeCVvaXx3IbxHMVnNwCLcBGAsYHQ/s1600/capture_001_03052020_215637.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="680" data-original-width="1365" height="318" src="https://1.bp.blogspot.com/-OeaTQaBEcbY/XrA3CAs0lMI/AAAAAAABAOA/fwVL_WsUpncbLQ7jeCVvaXx3IbxHMVnNwCLcBGAsYHQ/s640/capture_001_03052020_215637.png" width="640" /></a></div> <br /> I may also have a few other book 
projects in the pipeline. I'll have more to say on that in the coming weeks.<br /> <br /> If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and there is a sample that lets you download and read some of the book. Enjoy!<br /> <div> <br /></div> <div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-14541102955187866952020-04-07T11:28:00.000-04:002020-04-07T11:28:11.590-04:00If You Can't Patch Your Email Server, You Should Not Be Running It<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody> <tr><td style="text-align: center;"><a href="https://1.bp.blogspot.com/-3z5xWliAyNA/XoyXtcOtaNI/AAAAAAAA_oc/Uy9Yzi4j07AtCMWr2pqem1y9kOOxa8gmQCLcBGAsYHQ/s1600/Servers%2Bvulnerable%2Bto%2BCVE-2020-0688.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="439" data-original-width="697" height="402" src="https://1.bp.blogspot.com/-3z5xWliAyNA/XoyXtcOtaNI/AAAAAAAA_oc/Uy9Yzi4j07AtCMWr2pqem1y9kOOxa8gmQCLcBGAsYHQ/s640/Servers%2Bvulnerable%2Bto%2BCVE-2020-0688.png" width="640" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">CVE-2020-0688 Scan Results, per Rapid7</td></tr> </tbody></table> <br /> tl;dr -- it's the title of the post: "If You Can't Patch Your Email Server, You Should Not Be Running It."<br /> <br /> I read a <a href="https://www.bleepingcomputer.com/news/security/80-percent-of-all-exposed-exchange-servers-still-unpatched-for-critical-flaw/" target="_blank">disturbing story today</a> with the following news:<br /> <br /> "Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover 
all publicly-facing Exchange servers on the Internet and the numbers are grim.<br /> <br /> As they found, <b>'at least 357,629 (82.5%) of the 433,464 Exchange servers' are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.</b><br /> <br /> To make matters even worse,<b> some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable</b> given that 'the related Microsoft update wasn’t always updating the build number.'<br /> <br /> Furthermore, <b>'there are over 31,000 Exchange 2010 servers that have not been updated since 2012</b>,' as the Rapid7 researchers observed. '<b>There are nearly 800 Exchange 2010 servers that have never been updated</b>.'<br /> <br /> They also found <b>10,731 Exchange 2007 servers</b> and more than 166,321 Exchange 2010 ones, with the former<b> already running End of Support (EoS) software that hasn't received any security updates since 2017</b> and the latter reaching EoS in October 2020."<br /> <br /> In case you were wondering, <a href="https://www.bleepingcomputer.com/news/security/nsa-warns-about-microsoft-exchange-flaw-as-attacks-start/" target="_blank">threat actors have already been exploiting these flaws</a> for weeks, if not months.<br /> <br /> Email is one of the most sensitive and important systems, if not the most sensitive, upon which organizations of all shapes and sizes rely. 
Email servers are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide.<br /> <br /> In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them.<br /> <br /> It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives -- namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others.<br /> <br /> I expect some readers are saying "I would never put my email in the hands of those big companies!" That's fine, and I know several highly competent individuals who run their own email infrastructure. The problem is that they represent the small fraction of individuals and organizations who can do so. Even being extremely generous with the numbers, it appears that less than 20%, and probably less than 15% according to other estimates, can even keep their Exchange servers patched, let alone properly configured.<br /> <br /> If you think it's still worth the risk, and your organization isn't able to patch, because you want to avoid megacorp email providers or government access to your email, you've made a critical miscalculation. You've essentially decided that it's more important for you to keep your email out of megacorp or government hands than it is to keep it from targeted or opportunistic intruders across the Internet.<br /> <br /> Incidentally, you've made another mistake. Those same governments you fear, at least many of them, will just leverage Metasploit to break into your janky email server anyway.<br /> <br /> The bottom line is that unless your organization is willing to commit the resources, attention, and expertise to maintaining a properly configured and patched email system, you should outsource it. 
Otherwise you are being negligent with not only your organization's information, but the information of anyone with whom you exchange emails.<div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-4165037078184904902020-04-02T19:03:00.001-04:002020-04-02T19:05:11.326-04:00Seeing Book Shelves on Virtual Calls<div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-3YGsBqPCe_M/XoZrH6JmHpI/AAAAAAAA_kY/BaNA39XQ1CsAKcLktGZiNxR2PVcP19qGwCLcBGAsYHQ/s1600/IMG_0866.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="480" src="https://1.bp.blogspot.com/-3YGsBqPCe_M/XoZrH6JmHpI/AAAAAAAA_kY/BaNA39XQ1CsAKcLktGZiNxR2PVcP19qGwCLcBGAsYHQ/s640/IMG_0866.png" width="640" /></a></div> <br /> I have a confession... for me, the best part of virtual calls, or seeing any reporter or commentator working for home, is being able to check out their book shelves. I never use computer video, because I want to preserve the world's bandwidth. That means I don't share what my book shelves look like when I'm on a company call. Therefore, I thought I'd share my book shelves with the world.<br /> <br /> My big categories of books are martial arts, mixed/miscellaneous, cybersecurity and intelligence, and military and Civil War history. I've cataloged about 400 print books and almost 500 digital titles. Over the years I've leaned towards buying Kindle editions of any book that is mostly print, in order to reduce my footprint.<br /> <br /> For the last many years, my book shelving has consisted of three units, each with five shelves. 
Looking at the topic distribution, as of 2020 I have roughly 6 shelves for martial arts, 4 for mixed/miscellaneous, 3 for cybersecurity and intelligence, and 2 for military and Civil War history.<br /> <br /> This is interesting to me because I can compare my mix from five years ago, when I did an interview for the now defunct <a href="https://web.archive.org/web/20150603062402/http://www.warcouncil.org/warbooks/?author=54bb7722e4b095413a5b551f" target="_blank">Warcouncil Warbooks project</a>.<br /> <br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-pTt2LDfK2IE/XoZsrw4EcPI/AAAAAAAA_kk/o2mZEVHKkMM49a7M4raZVSveaziJICUHwCLcBGAsYHQ/s1600/IMG_0100.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://1.bp.blogspot.com/-pTt2LDfK2IE/XoZsrw4EcPI/AAAAAAAA_kk/o2mZEVHKkMM49a7M4raZVSveaziJICUHwCLcBGAsYHQ/s640/IMG_0100.JPG" width="640" /></a></div> <br /> In that image from 2015, I can see 2 shelves for martial arts, 4 for mixed/miscellaneous, 7 for cybersecurity and intelligence, and 2 for military and Civil War history.<br /> <br /> What happened to all of the cybersecurity and intelligence books? I donated a bunch of them, and the rest I'm selling on Amazon, along with books (in new or like new condition) that my kids decided they didn't want anymore.<br /> <br /> I've probably donated hundreds, possibly approaching a thousand, cyber security and IT books over the years. These were mostly books sent by publishers, although some were those that I bought and no longer needed. Some readers from northern Virginia might remember me showing up at ISSA or NoVASec meetings with boxes of books that I would leave on tables. I would say "I don't want to come home with any of these. Please be responsible." 
And guess what -- everyone was!<br /> <br /> If anyone would like to share their book shelves, the best place would be as a <a href="https://twitter.com/taosecurity/status/1245849700386902018" target="_blank">reply to my Tweet on this post</a>. I look forward to seeing your book shelves, fellow bibliophiles.<br /> <br /><div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-82678549066518266902020-03-27T11:15:00.000-04:002020-03-27T11:15:36.751-04:00Skill Levels in Digital Security<div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-7NN1Ink6OAs/Xn4USx1WMOI/AAAAAAAA_Yk/vYQpiKJyGPULDM2FQvvp7IeCUlaWG-qSACLcBGAsYHQ/s1600/capture_001_27032020_105607.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="729" data-original-width="1232" height="378" src="https://1.bp.blogspot.com/-7NN1Ink6OAs/Xn4USx1WMOI/AAAAAAAA_Yk/vYQpiKJyGPULDM2FQvvp7IeCUlaWG-qSACLcBGAsYHQ/s640/capture_001_27032020_105607.png" width="640" /></a></div> <br /> Two posts in one day? These are certainly unusual times.<br /> <br /> I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. 
Thanks to <a href="https://www.google.com/books/edition/Archives_of_Psychology/U6RGAQAAMAAJ?hl=en&amp;gbpv=1&amp;dq=novice+apprentice+journeyman+expert&amp;pg=RA2-PA12&amp;printsec=frontcover" target="_blank">Google Books</a> I found this article in a 1922 edition of the&nbsp;Archives of Psychology that mentioned four key terms:<br /> <br /> <ol> <li>The <b>novice </b>is a (person) who has no trade ability whatever, or at least none that could not be paralleled by practically any intelligent (person).</li> <li>An <b>apprentice </b>has acquired some of the elements of the trade but is not sufficiently skilled to be trusted with any important task.</li> <li>The <b>journey(person)</b> is qualified to perform almost any work done by members of the trade.</li> <li>An <b>expert </b>can perform quickly and with superior skill any work done by (people) in the trade.</li> </ol> <div> I believe these four categories can apply to some degree to the needs of the digital security profession.</div> <div> <br /></div> <div> At GE-CIRT we had three levels -- event analyst, incident analyst, and incident handler. We did not hire novices, so those three roles map in some ways to apprentice, journeyperson, and expert.&nbsp;</div> <div> <br /></div> <div> One difference with the classical description applies to how we worked with apprentices. We trusted apprentices, or event analysts, with specific tasks. We thought of this work as important, just as every role on a team is important. 
It may not have been leading an incident response, but without the work of the event and incident analysts, we may not have discovered many incidents!</div> <div> <br /></div> <div> Crucially, we encouraged event analysts, and incident analysts for that matter, to always be looking to <i>exceed the parameters</i> of their assigned duties.</div> <div> <br /></div> <div> However, we stipulated that if a person was working beyond their assigned duties, they had to have their work product reviewed by the next level of analysis. This enabled mentoring among the various groups. It also helped identify people who were candidates for promotion. If a person consistently worked beyond their assigned duties, and eventually reached a near-perfect or perfect ability to do that work, that proved he or she was ready to assume the next level.</div> <div> <br /></div> <div> This ability to access work beyond assigned duties is one reason I have problems with limiting data by role. I think everyone who works in a CIRT should have access to all of the data, assuming there are no classification, privacy, or active investigation constraints.</div> <div> <br /></div> <div> One of my laws is the following:</div> <div> <br /></div> <div> <b>Analysts are good because they have good data. An expert with bad data is helpless. 
An apprentice with good data has a chance to do good work.</b></div> <div> <b><br /></b></div> <div> I've said it more eloquently elsewhere but this is the main point.&nbsp;</div> <div> <br /></div> <div> For more information on the apprenticeship model, this <a href="https://www.classicalu.com/the-apprenticeship-model-three-levels-to-mastery/" target="_blank">article</a> might be useful.</div> <div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-72896419636651703902020-03-27T08:54:00.000-04:002020-05-03T11:13:10.500-04:00When You Should Blog and When You Should Tweet<div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-85vLQlijaHo/Xn3ybrTYruI/AAAAAAAA_YY/sbXaJCMHFQcuJm2xCsmM7AKrgX8llSVAgCLcBGAsYHQ/s1600/capture_001_27032020_083234.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="810" data-original-width="1493" height="346" src="https://1.bp.blogspot.com/-85vLQlijaHo/Xn3ybrTYruI/AAAAAAAA_YY/sbXaJCMHFQcuJm2xCsmM7AKrgX8llSVAgCLcBGAsYHQ/s640/capture_001_27032020_083234.png" width="640" /></a></div> <br /> I saw my like-minded, friend-that-I've-never-met Andrew Thompson <a href="https://twitter.com/QW5kcmV3/status/1243495792561786880" target="_blank">Tweet a poll</a>, posted above.<br /> <br /> I was about to reply with the following Tweet:<br /> <br /> "If I'm struggling to figure out how to capture a thought in just 1 Tweet, that's a sign that a blog post might be appropriate. I only use a thread, and no more than 2, and hardly ever 3 (good Lord), when I know I've got nothing more to say. "1/10," "1/n," etc. are not for me."<br /> <br /> Then I realized I had something more to say, namely, other reasons blog posts are better than Tweets. 
For the briefest moment I considered adding a second Tweet, making, horror of horrors, a THREAD, and then I realized I would be breaking my own guidance.<br /> <br /> Here are three reasons to consider blogging over Tweeting.<br /> <br /> 1. If you find yourself trying to pack your thoughts into a 280 character limit, then you should write a blog post. You might have a good idea, and instead of expressing it properly, you're falling into the trap of <b>letting the medium define the message</b>, aka the PowerPoint trap. I learned this from Edward Tufte: <b>let the message define the medium</b>, not the other way around.<br /> <br /> 2. Twitter threads lose the elegance and readability of the English language as our ancestors created it, for our benefit. They gave us structures, like sentences, lists, indentation, paragraphs, chapters, and so on. What does Twitter provide? 280 character chunks. Sure, you can apply feeble "1/n" annotations, but you've lost all that structure and readability, and for what?<br /> <br /> 3. In the event you're writing a Tweet thread that's really worth reading, writing it via Twitter virtually guarantees that it's lost to history. Twitter is an abomination for citation, search, and future reference. The hierarchy of media for delivering content to current researchers and future generations is the following, from lowest to highest:<br /> <br /> <ul> <li>"Transient," "bite-sized" social media, e.g., Twitter, Instagram, Facebook, etc. posts</li> <li>Blog posts</li> <li>Whitepapers</li> <li>Academic papers in "electronic" journals</li> <li>Electronic (e.g., Kindle) only formatted books</li> <li>Print books (that may be stand-alone works, or which may contain journal articles)</li> </ul> <br /> Print books are the apex communication medium because we have such references going back hundreds of years. Hundreds of years from now, I doubt the first five formats above will be easily accessible, or accessible at all. 
However, in a library or personal collection somewhere, printed books will endure.<br /> <br /> The bottom line is that if you think what you're writing is important enough to start a "1/n" Tweet thread, you've already demonstrated that Twitter is the wrong medium.<br /> <br /> The natural follow-on might be: what is Twitter good for? Here are my suggestions:<br /> <br /> <ul> <li>Announcing a link to another, in-depth news resource, like a news article, blog post, whitepaper, etc.</li> <li>Offering a comment on an in-depth news resource, or replying to another person's announcement.</li> <li>Asking a poll question.</li> <li>Asking for help on a topic.</li> <li>Engaging in a short exchange with another user. Long exchanges on hot topics typically devolve into a confusing mess of messages and replies, the delivery of which Twitter has never really managed to figure out.</li> </ul> <br /> I understand the seduction of Twitter. I use it every day. However, when it really matters, blogging is preferable, followed by the other media I listed in point 3 above.<br /> <br /> <b>Update 0930 ET 27 Mar 2020:</b> I forgot to mention that in extenuating circumstances, like live-Tweeting an emergency, Twitter threads on significant matters are fine because the urgency of the situation and the convenience or plain logistical limitations of the situation make Twitter indispensable. I'm less thrilled by live-Tweeting in conferences, although I've been guilty of it in the past. 
I'd prefer a thoughtful wrap-up post following the event, which I did a lot before Twitter became popular.<div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.com0tag:blogger.com,1999:blog-4088979.post-48448443218628401702020-03-12T09:29:00.002-04:002020-03-12T09:29:36.968-04:00COVID-19 Phishing Tests: WRONGMalware Jake <a href="https://twitter.com/MalwareJake/status/1237871580094459907?s=20" target="_blank">Tweeted</a> a poll last night which asked the following:<br /> <br /> "I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/"<br /> <br /> Ultimately he <a href="https://twitter.com/MalwareJake/status/1237871592840949761?s=20" target="_blank">decided</a>:<br /> <br /> "My gut feeling is to not use COVID-19 themed emails in assessments/training, but to TELL users to expect them, though I understand even that might discourage consumption of legitimate information, endangering public health. 6/"<br /> <br /> I responded by saying this was the right answer.<br /> <br /> Thankfully there were many people who agreed, despite the fact that voting itself was skewed towards the "yes" answer.<br /> <br /> There were an uncomfortable number of responses to the Tweet that said there's nothing wrong with red teams phishing users with COVID-19 emails. For example:<br /> <br /> "Do criminals abide by ethics? Nope. Neither should testing."<br /> <br /> "Yes. If it's in scope for the badguys [sic], it's in scope for you."<br /> <br /> "Attackers will use it. So I think it is fair game."<br /> <br /> Those are the wrong answers. 
As a few others outlined well in their responses, the fact that a criminal or intruder employs a tactic does not mean that it's appropriate for an offensive security team to use it too.<br /> <br /> I could imagine several COVID-19 phishing lures that could target school districts and probably cause high double-digit click-through rates. What's the point of that? For a "community" that supposedly considers fear, uncertainty, and doubt (FUD) to be anathema, why introduce FUD via a phishing test?<br /> <br /> I've grown increasingly concerned over the past few years that there's a "cult of the offensive" that justifies its activities with the rationale that "intruders do it, so we should too." This is directly observable in the replies to Jake's Tweet. It's a thin veneer that covers bad behavior, weighing the small benefit accrued to high-end, 1% security shops against the massive costs suffered by the vast majority of networked global organizations.<br /> <br /> This is a selfish, insular mindset that is reinforced by the echo chamber of the so-called "infosec community." This "tribe" is detached from the concerns and ethics of the larger society. It tells itself that what it is doing is right, oblivious to or unconcerned with the costs imposed on the organizations it is supposedly "protecting" with its backwards actions.<br /> <br /> We need people with feet in both worlds to tell this group that their approach is not welcome in the broader human community, because the costs it imposes vastly outweigh the benefits.<br /> <br /> I've written here about <a href="https://taosecurity.blogspot.com/search/label/ethics" target="_blank">ethics</a> before, usually in connection with the only real value I saw in the <a href="https://www.isc2.org/Ethics#" target="_blank">CISSP -- its code of ethics</a>. Reviewing the "code," as it appears now, shows the following:<br /> <br /> "There are only four mandatory canons in the Code. 
By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.<br /> <br /> Code of Ethics Preamble:<br /> <br /> The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.<br /> Therefore, strict adherence to this Code is a condition of certification.<br /> <br /> Code of Ethics Canons:<br /> <br /> Protect society, the common good, necessary public trust and confidence, and the infrastructure.<br /> Act honorably, honestly, justly, responsibly, and legally.<br /> Provide diligent and competent service to principals.<br /> Advance and protect the profession."<br /> <br /> This is almost worthless. The only actionable item in the "code" is the word "legally," implying that if a CISSP holder was convicted of a crime, he or she could lose their certification. Everything else is subject to interpretation.<br /> <br /> Contrast that with the <a href="https://en.wikipedia.org/wiki/Cadet_Honor_Code#U.S._Air_Force_Academy" target="_blank">USAFA Code of Conduct</a>:<br /> <br /> "We will not lie, steal, or cheat, nor tolerate among us anyone who does."<br /> <br /> While it still requires an Honor Board to determine if a cadet has lied, stolen, cheated, or tolerated, there's much less gray in this statement of the Academy's ethics. Is it perfect? No. Is it more actionable than the CISSP's version? Absolutely.<br /> <br /> I don't have "solutions" to the ethical bankruptcy manifesting in some people practicing what they consider to be "information security." 
However, this post is a step towards creating red lines that those who are not already hardened in their ways can observe and integrate.<br /> <br /> Perhaps at some point we will have an actionable code of ethics that helps newcomers to the field understand how to properly act for the benefit of the human community.<div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div><h2 style="text-align: left;">Seven Security Strategies, Summarized</h2><p style="text-align: left;">Published 6 November 2019.</p>This is the sort of story that starts as a comment on Twitter, then becomes a blog post when I realize I can't fit all the ideas into one or two Tweets. (You know how much I hate Tweet threads, and how I encourage everyone to capture deep thoughts in blog posts!)<br /> <br /> In the interest of capturing the thought, and not in the interest of thinking too deeply or comprehensively (at least right now), I offer seven security strategies, summarized.<br /> <br /> When I mention the risk equation, I'm talking about the idea that one can conceptually imagine the risk of some negative event using this "formula": Risk (of something) is the product of some measurements of Vulnerability X Threat X Asset Value, or R = V x T x A.<br /> <br /> <ol> <li><b>Denial and/or ignorance.</b> This strategy assumes the risk due to loss is low, because those managing the risk assume that one or more of the elements of the risk equation are zero or almost zero, or they are apathetic to the cost.</li> <li><b>Loss acceptance.</b> This strategy may assume the risk due to loss is low, or more likely those managing the risk assume that the cost of risk realization is low. 
In other words, incidents will occur, but the cost of the incident is acceptable to the organization.</li> <li><b>Loss transferal.</b> This strategy may also assume the risk due to loss is low, but in contrast with risk acceptance, the organization believes it can buy an insurance policy which will cover the cost of an incident, and the cost of the policy is cheaper than alternative strategies.</li> <li><b>Vulnerability elimination.</b> This strategy focuses on driving the vulnerability element of the risk equation to zero or almost zero, through secure coding, proper configuration, patching, and similar methods.</li> <li><b>Threat elimination.</b> This strategy focuses on driving the threat element of the risk equation to zero or almost zero, through deterrence, dissuasion, co-option, bribery, conversion, incarceration, incapacitation, or other methods that change the intent and/or capabilities of threat actors.&nbsp;</li> <li><b>Asset value elimination.</b> This strategy focuses on driving the asset value element of the risk equation to zero or almost zero, through minimizing data or resources that might be valued by adversaries.</li> <li><b>Interdiction.</b> This is a hybrid strategy which welcomes contributions from vulnerability elimination, primarily, but is open to assistance from loss transferal, threat elimination, and asset value elimination. Interdiction assumes that <i>prevention eventually fails</i>, but that security teams can detect and respond to incidents <i>post-compromise and pre-breach</i>. 
In other words, some classes of intruders will indeed compromise an organization, but it is possible to detect and respond to the attack <i>before the adversary completes his mission.</i></li> </ol> <div> As you might expect, I am most closely associated with the interdiction strategy.&nbsp;</div> <div> <br /></div> <div> I believe the denial and/or ignorance and loss acceptance strategies are irresponsible.</div> <div> <br /></div> <div> I believe the loss transferal strategy continues to gain momentum with the growth of cybersecurity breach insurance policies.&nbsp;</div> <div> <br /></div> <div> I believe the vulnerability elimination strategy is important but ultimately, on its own, ineffective and historically shown to be impossible. When used in concert with other strategies, it is absolutely helpful.</div> <div> <br /></div> <div> I believe the threat elimination strategy is generally beyond the scope of private organizations. As the state retains the monopoly on the use of force, usually only law enforcement, military, and sometimes intelligence agencies can truly <i>eliminate or mitigate&nbsp;</i>threats. (Threats are not vulnerabilities.)</div> <div> <br /></div> <div> I believe asset value elimination is powerful but has not gained the ground I would like to see. This is my "<a href="https://www.brookings.edu/blog/techtank/2015/09/03/new-cybersecurity-mantra-if-you-cant-protect-it-dont-collect-it/" target="_blank">If you can’t protect it, don’t collect it</a>" message. The limitation here is obviously one's raw computing elements. 
If one were to magically strip down every computing asset into basic operating systems on hardware or cloud infrastructure, the fact that those assets exist and are networked means that any adversary can abuse them for mining cryptocurrencies, or as infrastructure for intrusions, or for any other uses of raw computing power.</div> <div> <br /></div> <div> Please notice that none of the strategies listed tools, techniques, tactics, or operations. Those are important but below the level of strategy in the conflict hierarchy. I may have more to say on this in the future.&nbsp;</div> <div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div><h2 style="text-align: left;">Five Thoughts on the Internet Freedom League</h2><p style="text-align: left;">Published 13 September 2019.</p><div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-8tXEVNgQswU/XXumA2vgfvI/AAAAAAAA8rc/1omjhfUv6tAXwD65EV-ZR5oPEmVn7VE8wCLcBGAsYHQ/s1600/ifl.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="205" data-original-width="1035" height="78" src="https://1.bp.blogspot.com/-8tXEVNgQswU/XXumA2vgfvI/AAAAAAAA8rc/1omjhfUv6tAXwD65EV-ZR5oPEmVn7VE8wCLcBGAsYHQ/s400/ifl.png" width="400" /></a></div> In the September/October issue of Foreign Affairs magazine, Richard Clarke and Rob Knake published an article titled "<a href="https://www.foreignaffairs.com/articles/2019-08-12/internet-freedom-league" target="_blank">The Internet Freedom League: How to Push Back Against the Authoritarian Assault on the Web</a>," based on their recent book <a href="https://amzn.to/34EnfWR" target="_blank">The Fifth Domain</a>. 
The article proposes the following:<br /> <br /> <i>The United States and its allies and partners should stop worrying about the risk of authoritarians splitting the Internet.&nbsp;</i><br /> <i><br /></i> <i>Instead, they should split it themselves, by creating a digital bloc within which data, services, and products can flow freely, excluding countries that do not respect freedom of expression or privacy rights, engage in disruptive activity, or provide safe havens to cybercriminals...</i><br /> <i><br /></i> <i>The league would not raise a digital Iron Curtain; at least initially, most Internet traffic would still flow between members and nonmembers, and the league would primarily block companies and organizations that aid and abet cybercrime, rather than entire countries.&nbsp;</i><br /> <i><br /></i> <i>Governments that fundamentally accept the idea of an open, tolerant, and democratic Internet but that struggle to live up to such a vision would have an incentive to improve their enforcement efforts in order to join the league and secure connectivity for their companies and citizens.&nbsp;</i><br /> <i><br /></i> <i>Of course, authoritarian regimes in China, Russia, and elsewhere will probably continue to reject that vision.&nbsp;</i><br /> <i><br /></i> <i>Instead of begging and pleading with such governments to play nice, from now on, the United States and its allies should lay down the law: follow the rules, or get cut off.</i><br /> <br /> My <a href="https://twitter.com/taosecurity/status/1166400211452870656" target="_blank">initial reaction</a> to this line of thought was not encouraging. Rather than continue exchanging Twitter messages, Rob and I had a very pleasant phone conversation to help each other understand our points of view. 
Rob asked me to document my thoughts in a blog post, so this is the result.<br /> <br /> Rob explained that the main goal of the IFL is to create leverage to influence those who do not implement an&nbsp;open, tolerant, and democratic Internet (summarized below as OTDI). I agree that leverage is certainly lacking, but I wondered if the IFL would accomplish that goal. My reservations included the following.<br /> <br /> 1. Many countries that currently reject the OTDI might only be too happy to be cut off from the Western Internet. These countries do not want their citizens accessing the OTDI. Currently dissidents and others seeking news beyond their local borders must often use virtual private networks and other means to access the OTDI. If the IFL went live, those dissidents and others would be cut off, thanks to their government's resistance to OTDI principles.<br /> <br /> 2. Elites in anti-OTDI countries would still find ways to access the Western Internet, whether for personal, business, political, military, or intelligence reasons. The common person would be most likely to suffer.<br /> <br /> 3. Segregating the OTDI would increase the incentives for "network traffic smuggling," whereby anti-OTDI elites would compromise, bribe, or otherwise corrupt Western Internet resources to establish surreptitious methods to access the OTDI. This would increase the intrusion pressure upon organizations with networks in OTDI and anti-OTDI locations.<br /> <br /> 4. Privacy and Internet freedom groups would likely strongly reject the idea of segregating the Internet in this manner. They are vocal and would apply heavy political pressure, similar to recent net neutrality arguments.<br /> <br /> 5. It might not be technically possible to segregate the Internet as desired by the IFL. Global business does not neatly differentiate between Western and anti-OTDI networks. 
Similar to the expected resistance from privacy and freedom groups, I expect global commercial lobbies to strongly reject the IFL on two grounds. First, global businesses cannot disentangle themselves from anti-OTDI locations, and second, Western businesses do not want to lose access to markets in anti-OTDI countries.<br /> <br /> Rob and I had a wide-ranging discussion, but these five points in written form provide a platform for further analysis.<br /> <br /> What do you think about the IFL? Let Rob and me know on Twitter, via <a href="https://twitter.com/robknake" target="_blank">@robknake</a> and <a href="https://twitter.com/taosecurity" target="_blank">@taosecurity</a>.<div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div><h2 style="text-align: left;">Happy Birthday TaoSecurity.com</h2><p style="text-align: left;">Published 1 July 2019.</p><div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-0vP1ixy6Aok/XRoH4KUukEI/AAAAAAAA78w/RHiwoMZCrsweeklAokJiB_fhBQz0oCcLgCLcBGAs/s1600/taosecurity_high_r.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="285" data-original-width="1600" height="56" src="https://1.bp.blogspot.com/-0vP1ixy6Aok/XRoH4KUukEI/AAAAAAAA78w/RHiwoMZCrsweeklAokJiB_fhBQz0oCcLgCLcBGAs/s320/taosecurity_high_r.jpg" width="320" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> Nineteen years ago this week I registered the domain taosecurity.com:</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both;"> <span style="font-family: &quot;courier new&quot; , &quot;courier&quot; , monospace;">Creation Date: 2000-07-04T02:20:16Z</span></div> <div> <br /></div> <div> This was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first taosecurity.com Web site shortly thereafter.</div> <div> <br /></div> <div> I first started hosting it on space provided by my then-ISP, Road Runner of San Antonio, TX. <a href="https://web.archive.org/web/20020201165209/http://home.satx.rr.com/bejtlich/">According to archive.org, it looked like this in February 2002</a>.</div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-TIH5wSDQu8I/XRoI6-zKE5I/AAAAAAAA788/TPa6XiAfQyoXuSwHtvx_z1GpnonNvwoVwCLcBGAs/s1600/taosecurity-200202.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="782" data-original-width="1600" height="195" src="https://1.bp.blogspot.com/-TIH5wSDQu8I/XRoI6-zKE5I/AAAAAAAA788/TPa6XiAfQyoXuSwHtvx_z1GpnonNvwoVwCLcBGAs/s400/taosecurity-200202.jpg" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> That is some fine-looking vintage hand-crafted HTML. Because I lived in Texas I apparently reached for the desert theme with the light tan background. Unfortunately I didn't have the "under construction" gif working for me.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> As I got deeper into the security scene, I decided to simplify and adopt a dark look. By this time I had left Texas and was in the DC area, working for Foundstone. 
<a href="https://web.archive.org/web/20030401085833/http://mywebpages.comcast.net/taosecurity/">According to archive.org, the site looked like this in April 2003</a>.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-3TtjgTsiHfs/XRoJpBUJDcI/AAAAAAAA79E/aCUVsj2S9JkK_SBv90as6hwEJsNUoeYbwCLcBGAs/s1600/taosecurity-200304.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="559" data-original-width="1434" height="155" src="https://1.bp.blogspot.com/-3TtjgTsiHfs/XRoJpBUJDcI/AAAAAAAA79E/aCUVsj2S9JkK_SBv90as6hwEJsNUoeYbwCLcBGAs/s400/taosecurity-200304.jpg" width="400" /></a></div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div> Notice I've replaced the oh-so-cool picture of me doing American Kenpo in the upper-left-hand corner with the classic Bruce Lee photo from the cover of The Tao of Jeet Kune Do. This version marks the first appearance of my classic TaoSecurity logo.</div> <div> <br /></div> <div> A little more than two years later, I decided to pursue TaoSecurity as an independent consultant. To launch my services, I painstakingly created more hand-written HTML and graphics to deliver this beauty. 
<a href="https://web.archive.org/web/20050519030526/http://www.taosecurity.com/">According to archive.org, the site looked like this in May 2005</a>.</div> <div> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-rImoOAPzy0Q/XRoKeHTUJzI/AAAAAAAA79M/m-hMno0wIogiB9Gmyqe-5f0lWQSCqa61ACLcBGAs/s1600/taosecurity-200505.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="907" data-original-width="1122" height="322" src="https://1.bp.blogspot.com/-rImoOAPzy0Q/XRoKeHTUJzI/AAAAAAAA79M/m-hMno0wIogiB9Gmyqe-5f0lWQSCqa61ACLcBGAs/s400/taosecurity-200505.jpg" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> I mean, can you even believe how gorgeous that site is? Look at the subdued gray TaoSecurity logo, the red-highlighted menu boxes, etc. I should have kept that site forever.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> We know that's not what happened, because that wonder of a Web site only lasted about a year. Still to this day not really understanding how to use CSS, I used a free online template by Andreas Viklund to create a new site. 
<a href="https://web.archive.org/web/20060721203353/http://www.taosecurity.com/">According to archive.org, the site appeared in this form in July 2006</a>.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-3f2dbOnAzqk/XRoLK1AFIII/AAAAAAAA79U/3YmZMJ5n8482Arl9rLfpcKBTsvfjef8ewCLcBGAs/s1600/taosecurity-200607.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="872" data-original-width="1000" height="348" src="https://1.bp.blogspot.com/-3f2dbOnAzqk/XRoLK1AFIII/AAAAAAAA79U/3YmZMJ5n8482Arl9rLfpcKBTsvfjef8ewCLcBGAs/s400/taosecurity-200607.jpg" width="400" /></a></div> <div class="separator" style="clear: both; text-align: center;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> After four versions in four years, my primary Web site stayed that way... <b>for thirteen years</b>. Oh, I modified the content, SSH'ing into the server hosted by my friend Phil Hagen, manually editing the HTML using vi (and careful not to touch the CSS).</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> Then, I attended AWS re:inforce the last week in June, 2019. I decided that although I had <a href="https://taosecurity.blogspot.com/2010/11/60-free-minutes-with-ubuntu-1010-in.html">tinkered</a> <a href="https://taosecurity.blogspot.com/2010/11/trying-ubuntu-1010-in-aws-free-usage.html">with</a> Amazon Web Services as early as 2010, and was keeping an eye on it as early as <a href="https://taosecurity.blogspot.com/2008/12/colin-percival-and-craig-balding-on.html">2008</a>, I had never hosted any meaningful workloads there. 
A migration of my primary Web site to AWS seemed like a good way to learn a bit more about AWS and an excuse to replace my teenage Web layout with something that rendered a bit better on a mobile device.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> After working with Mobirise, AWS S3, AWS Cloudfront, AWS Certificate Manager, AWS Route 53, my previous domain name servers, and my domain registrar, I'm happy to say I have a new <a href="https://taosecurity.com/" target="_blank">TaoSecurity.com</a> Web site. The front page looks like this:</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-vvI9VZ1BX64/XRoNNiA198I/AAAAAAAA79g/JJKStQ48fyMxSLig-NB60YJgraVI7bocACLcBGAs/s1600/taosecurity-201907.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="796" data-original-width="1600" height="198" src="https://1.bp.blogspot.com/-vvI9VZ1BX64/XRoNNiA198I/AAAAAAAA79g/JJKStQ48fyMxSLig-NB60YJgraVI7bocACLcBGAs/s400/taosecurity-201907.jpg" width="400" /></a></div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> The background is an image of Milnet from the late 1990s. I apologize for the giant logo in the upper left. 
It should be replaced by a resized version later today when the AWS Cloudfront cache expires.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> Scrolling down provides information on my books, which I figured is what most people who visit the site care about.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://1.bp.blogspot.com/-0aTaakwz_iI/XRoNnRjCPwI/AAAAAAAA79o/i05SRIRFbw4J3i2lEeX79l1QzkOrq6NqgCLcBGAs/s1600/taosecurity-201907b.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="708" data-original-width="1600" height="176" src="https://1.bp.blogspot.com/-0aTaakwz_iI/XRoNnRjCPwI/AAAAAAAA79o/i05SRIRFbw4J3i2lEeX79l1QzkOrq6NqgCLcBGAs/s400/taosecurity-201907b.jpg" width="400" /></a></div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> For reference, I moved the content (which I haven't updated) about <a href="https://taosecurity.blogspot.com/2019/07/reference-taosecurity-news.html" target="_blank">news</a>, <a href="https://taosecurity.blogspot.com/2019/07/reference-taosecurity-press.html" target="_blank">press</a>, and <a href="https://taosecurity.blogspot.com/2019/07/reference-taosecurity-research.html" target="_blank">research</a> to individual TaoSecurity Blog posts.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> It's possible you will not see the site, if your DNS servers have the old IP addresses cached. 
That should all expire no later than tomorrow afternoon, I imagine.</div> <div class="separator" style="clear: both; text-align: left;"> <br /></div> <div class="separator" style="clear: both; text-align: left;"> Let's see if the new site lasts another thirteen years?</div> <div class="blogger-post-footer">Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)</div>