This week's invited guest post is from Richard Bejtlich – a true thought leader in the incident response space.  Here he shares his insights on threat-centric thinking, FUD, and how we can all make a difference.  Thanks Richard – appreciate it!

Richard Bejtlich
Director of Incident Response at General Electric and TaoSecurity blogger.

A lot of people have been discussing denial of service attacks against various Important Sites earlier this month.  It struck me that the focus of the discussion, really to the exclusion of anything else, has been one question: “who did it?”

Think about that for a second.  If this attack had happened in 1996, we would have asked “how did that happen?”  In other words, network DoS was new enough to warrant a technical examination of the event.  Attribution would be a concern, but most people would want to know how it happened.

The same thinking held true for many years.  Numerous technical variations of DoS ensued, moving from the elegance of the original SYN flood (allowing very few packets per minute to completely disable a service on a Windows NT computer) to the brutality of bandwidth consumption attacks.  Distributed DoS became popular as the last decade ended, but really only law enforcement cared about who was responsible for attacks on several high-profile sites in early 2000.
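The "very few packets per minute" remark above is the part of this history that still matters technically, so here is an added illustration (mine, not Richard's, and not a model of any particular stack) of why a classic SYN flood needs so little traffic.  A listener holds a bounded table of half-open connections; a spoofed SYN from an unreachable address occupies a slot until the stack gives up retransmitting SYN/ACK.  Once spoofed entries are created as fast as they expire, legitimate SYNs are dropped.  The backlog depth (8) and half-open timeout (75 s) below are assumed for illustration, as are the attack rates; the point is the arithmetic, backlog/timeout, not the specific numbers.

```python
"""Toy model of the classic SYN flood: backlog exhaustion, not bandwidth.

Added example. The backlog depth and half-open timeout are illustrative
assumptions, not the values of any real TCP/IP stack.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Listener:
    """A listening socket with a bounded half-open (SYN-RECEIVED) table."""
    backlog: int
    timeout: float
    half_open: List[float] = field(default_factory=list)  # expiry timestamps

    def _expire(self, now: float) -> None:
        # The stack abandons a half-open entry once it stops retransmitting SYN/ACK.
        self.half_open = [exp for exp in self.half_open if exp > now]

    def syn(self, now: float, spoofed: bool) -> bool:
        """Handle one SYN arriving at time `now`. Returns True if it gets a slot."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False  # table full: SYN dropped, client never sees a SYN/ACK
        if spoofed:
            # Source address is unreachable, so the final ACK never arrives and
            # the slot stays occupied until the timeout.
            self.half_open.append(now + self.timeout)
        # A legitimate client completes the handshake almost at once, freeing
        # its slot immediately, so it is not tracked here.
        return True


def saturation_rate_per_min(backlog: int, timeout: float) -> float:
    """SYNs per minute at which spoofed entries are created as fast as they expire."""
    return backlog * 60.0 / timeout


def simulate(backlog: int, timeout: float, attack_rate_per_min: float,
             duration: float = 600.0, legit_interval: float = 5.0) -> Dict[str, int]:
    """Send spoofed SYNs at a steady rate while one legitimate client retries
    every `legit_interval` seconds. Counts the client's successful SYNs,
    overall and after the table has had `timeout` seconds to fill up."""
    listener = Listener(backlog, timeout)
    # (time, priority, spoofed); the attacker wins ties, i.e. its best case.
    attack_interval = 60.0 / attack_rate_per_min
    n_attack = int(duration / attack_interval)
    n_legit = int(duration / legit_interval)
    events = [(k * attack_interval, 0, True) for k in range(n_attack)]
    events += [(k * legit_interval, 1, False) for k in range(n_legit)]
    events.sort()

    result = {"attempts": n_legit, "succeeded": 0, "succeeded_after_warmup": 0}
    for when, _, spoofed in events:
        accepted = listener.syn(when, spoofed)
        if not spoofed and accepted:
            result["succeeded"] += 1
            if when >= timeout:
                result["succeeded_after_warmup"] += 1
    return result


if __name__ == "__main__":
    BACKLOG, TIMEOUT = 8, 75.0  # assumed backlog depth and half-open timeout
    print(f"saturation threshold ~{saturation_rate_per_min(BACKLOG, TIMEOUT):.1f} SYN/min")
    print("8 SYN/min (above threshold):", simulate(BACKLOG, TIMEOUT, 8))
    print("4 SYN/min (below threshold):", simulate(BACKLOG, TIMEOUT, 4))
```

With these assumed values the threshold is 6.4 SYNs per minute: at 8 per minute the legitimate client gets through only during the first 75 seconds while the table is filling, and never afterwards; at 4 per minute every attempt succeeds.  That gap between a handful of 40-byte packets per minute and a link-saturating flood is exactly the shift from "elegance" to "brutality" the paragraph describes.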

For much of this decade we have continued to focus on the how, not the who.  This focus slowly changed over the last few years, to the point where “who did it” dominates all other discussion.  I had to spend a decent amount of time trying to find any site that explained the nature of these DoS attacks, while trying to sift out the FUD over “who.”

Is this focus on “who” good?  Shouldn’t we care about addressing vulnerabilities that make targets susceptible to attack, zombies prone to compromise, and the like?  On the contrary, I think focusing on “who” is the best approach we could take.  Trying to assign attribution is what real professionals do.  They think in terms of threats, not vulnerabilities.

People who can make a real difference, a lasting difference, frame almost all productive security work using threat-centric thinking.

These people are called governments, and they control military, police, intelligence, diplomatic, and economic levers of power.

Vulnerabilities are for people who don’t have the power to make a difference.  People who think in terms of vulnerabilities aren’t allowed to arrest or shoot anyone; they work for companies, non-profits, universities, and so on.  They have no choice but to patch and hope for the best while the marauding hordes surround their circled wagons.

Those who defend assets should work with threat-centric groups to deter and eliminate threats.  In fact, we should *demand* that we get help from these government forces.  We can also educate these parties, since their technical acumen is uneven at best and counterproductive at worst.

Asking “who” is the right question, finally. Now we can all try making a difference.