fudsec.com

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry 

Threat-Centric Thinking on the Rise

This week's invited guest post is from Richard Bejtlich - a true thought leader in the incident response space.  Here he shares his insights on threat-centric thinking, FUD & how we can all make a difference.  Thanks Richard - appreciate it!

Director of Incident Response at General Electric and TaoSecurity blogger.

A lot of people have been discussing denial of service attacks against various Important Sites earlier this month.  It struck me that the focus of the discussion, really to the exclusion of anything else, has been one question: "who did it?"

Think about that for a second.  If this attack had happened in 1996, we would have asked "how did that happen?"  In other words, network DoS was new enough to warrant a technical examination of the event.  Attribution would be a concern, but most people would want to know how it happened.

The same thinking held true for many years.  Numerous technical variations of DoS ensued, moving from the elegance of the original SYN flood (allowing very few packets per minute to completely disable a service on a Windows NT computer) to the brutality of bandwidth consumption attacks.  Distributed DoS became popular as the last decade ended, but really only law enforcement cared about who was responsible for attacks on several high profile sites in early 2000.

For much of this decade we have continued to focus on the how, not the who.  This focus slowly changed over the last few years, to the point where "who did it" dominates all other discussion.  I had to spend a decent amount of time trying to find any site that explained the nature of these DoS attacks, while trying to sift out the FUD over "who."

Is this focus on "who" good?  Shouldn't we care about addressing vulnerabilities that make targets susceptible to attack, zombies prone to compromise, and the like?  On the contrary, I think focusing on "who" is the best approach we could take.  Trying to assign attribution is what real professionals do.  They think in terms of threats, not vulnerabilities.

People who can make a real difference, a lasting difference, frame almost all productive security work using threat-centric thinking.

These people are called governments, and they control military, police, intelligence, diplomatic, and economic levers of power.

Vulnerabilities are for people who don't have the power to make a difference.  People who think in terms of vulnerabilities aren't allowed to arrest or shoot anyone; they work for companies, non-profits, universities, and so on.  They have no choice but to patch and hope for the best while the marauding hordes surround their circled wagons.

Those who defend assets should work with threat-centric groups to deter and eliminate threats.  In fact, we should *demand* that we get help from these government forces.  We can also educate these parties, since their technical acumen is uneven at best and counterproductive at worst.

Asking "who" is the right question, finally. Now we can all try making a difference.


Comments (4)

Jul 24, 2009
dunsany said...
Nice post but not entirely correct when you say: "They have no choice but to patch and hope for the best while the marauding hordes surround their circled wagons." There is a choice and there is a way to fight back. I just did a whole talk on Toorcamp about it (iedtalk.com). And a key point is that knowing something about the threat and their goals is critical to using deceptive defenses.
Jul 28, 2009
Marcin Antkiewicz said...
Very nice post.

While reading it, it struck me that while you do a very good job covering "who" and "how", nothing was said about "why". Who/how/why form an audit trail, and all are required to make the records useful.

In this context, "how" is a technical issue, "who" is interesting to the enforcers (lawyers/HR/Marines), and management needs to know "why".

In general, once I know what the threat is I can remove it (process or force), remove the opportunity (how will you do it?) for the threat to cause damage, or I can remove the incentive (why do it?) the threat has to take whatever action hurts me.

Forcibly removing threats is illegal, and in many cases legal action is not possible (what jurisdiction is N Korea again?), or it can be less than cost-efficient.

Most companies try to do their best to remove the opportunities by controlling their security posture.

Removing the incentives can be done by making yourself less interesting than other targets, or by not having what the attacker seeks. If I know who targets me, be it helpdesk employees or the students from the Philippines, I can try to discover what they seek, and remove the item or put it behind access controls that will make it less interesting.

In general, you are right - while secrecy is a staple of security, safety of the Internet requires open cooperation.

Jul 29, 2009
fudsec said...
Marcin

Thanks for the comment. If the incentive is the blueprints to the very thing that your company makes, you can't really remove the incentive. You can only increase the cost/risk to the attacker.

If I missed your point, lemme know.

Cheers!

Jul 29, 2009
Marcin Antkiewicz said...
You are correct, but that's the point. Just like wire snips are the ultimate access control tool, it's hardly an acceptable solution.

Firewalls/IDS/IdM/etc are piled on top of the wire connection, because connectivity brings more worth than it costs in the losses.

Removing incentives works best, because it deals with the issue before even the perpetrator is created. It's hardly possible to recommend this approach as the base for your security posture, but it will help in the long term. The very nature of security is that risk is controlled by a circle formed of checks and balances, which together are supposed to bring the cost of security down to an acceptable level.

To give you a concrete example, I am trying to complete support for rewriting our 3rd party connection agreement in a way that will make our control over the partner (vendors/contractors/etc) connection much better. It will not add any more access controls but, if I am successful, the end result will be that the non-employees will be less likely to ignore the policy that governs their access. It's done by improving the contract language, improving their ability to request additional access, and our ability to audit their access. In the end we run the same firesieve, but fitted with a finer mesh.

Can someone sneak by and do something bad? Sure. It's the same technology, the same rules will apply to their access.

Will I be in a much better position to detect it, and to prosecute them? Sure. Better provisioning allows us to create and disable accounts more easily, which limits the number of group accounts, which increases accountability, which raises our chance to even consider recovering damages, which makes the 3rd party pay more attention (hopefully) in order to limit their losses, which should result in better processes on their end, and make them notify us when, for example, they fire someone, much much quicker, etc, etc. It's a process that, when the number of external entities is multiplied by the amount of work they do, gives a very good chance of being worth the time and effort that it requires.

Cost? Internal labor and skill, which are in high demand, which makes me work really hard to state and defend the case for this project :-)
