The Blog Inspired By The Book
Last week, I spoke at the Open Group meeting here in Seattle, and then recorded a podcast with Dana Gardner, Jim Hietala and Vicente Aceituno about ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT (audio) or you can read the transcript.
It was fun, and the podcast is short and to the point. Take a listen!
As best as I can describe the characteristics of the threat agents that would fit the label of APT, that threat community is very, very real. It’s been around forever (someone mentioned first use of the term being 1993 or something) – we dealt with threat agents you would describe as “APT” at MicroSovled when I was there in 2001-2005. We dealt with it as a firewall vendor at Progressive Systems in 1998. This isn’t a “is the APT real?” blogpost.
That said, I wanted to talk about why there should be still more discussion around the APT. Hogfly at the Forensic Incident Response blog asks:
“What should matter is how successful they have been. What should matter is defending ourselves. What should matter is how and where we share this information. What should matter is taking this information to those with the ability to do something about it. What should matter is taking the fight to the enemy.
So I ask again, does it matter if this threat is new?”
My response is that it actually matters very much.
We are hearing a new label. Whether the label originated from “the cool kids” or not, it’s being co-opted by marketing. And right now, we’re sort of in this important window of trying to get some understanding, some significant amount of intersubjectivity about what the APT is and what it means to a broader audience. Once that’s established, then we can try to understand what to do. But why does it matter if the threat is new or old?
There is a significant increase in the use of the term. When it’s a BusinessWeek cover story (2008, btw), it gets seen by people. What we need to understand is if this “new” visibility is the result of either a change in the threat landscape or a change in the marketing landscape.
IS APT A SHIFT IN FREQUENCY, A SHIFT IN CAPABILITY, OR A SHIFT IN BOTH FREQUENCY AND CAPABILITY?
If it is a change in the threat landscape, we need to understand what aspect of the landscape is changing. The shift could be said to be one of a few scenarios:
1.) More attacks on the same targets by the same actors. That is, is the government, defense industrial base, or other targets attractive to certain nation-states are experiencing a new amount of threat events.
2.) More attacks on new targets by the same actors. That is, are the nation-state actors finding new targets? If so, are their targets of choice changing from organizations that are antagonistic to the policy desires of the sponsor state (certainly the Mandiant report reads like the Chinese are after anyone who threatens their political stability), to other targets – like retailers or hospitals (has, as Mandiant says, the APT become *everyone’s* problem)?
3.) More attacks on the same targets by new actors. That is, it’s not just the usual suspects. If *this* is the case, then we’re seeing a fundamental shift in the capabilities of threats. That is, bad guys who used to be dumb just got a lot smarter thanks to the dissemination of skills/resources (sharing of technique, new access to advanced toolsets, etc) and they are going after all those people who were worrying about the APT in 2003.
4.) More attacks on new targets by new actors. That is, the bad guys who used to be dumb just got a lot smarter and are now trying to use their new smarts against victims who heretofore had not had to worry about the APT.
Finally, the other option is that there is no shift in frequency or capability, but there is a shift in marketing budgets. I tried to run a google trend on “Advanced Persistent Threat” but got:
Your terms – “Advanced Persistent Threat” – do not have enough search volume to show graphs.
And “APT” trend search was clouded by other things that shared the same TLA.
WHAT DO YOU THINK?
I’m not sure what we’re seeing. I was personally disappointed by the Mandiant report’s lack of demographics and frequency information. I’m ready to believe that we’re seeing a fundamental shift in distributions concerning the threat agents, but there wasn’t anything in the report to support that notion. I will leave you with a couple of items from the Verizon Report, though, and I’ll let you draw your own conclusions, given that the Verizon data set isn’t heavy on what we might call the Defense Industrial Base – those folks already live and breathe this stuff – and this data is from 2008.
SOURCE OF ATTACKING IP
TARGETED VS. OPPORTUNISTIC ATTACKS
TREND IN USE OF CUSTOMIZED MALWARE
TIME TO DISCOVERY
From Less Wrong: http://lesswrong.com/lw/1qk/applying_utility_functions_to_humans_considered/
I’m at The Open Group Security Forum this week in Seattle, speaking about risk and stuff. Adam gave a great talk about Security: From Art to Science. One recurring theme all week was the need to borrow from disciplines outside of Comp Sci and Engineering. When we think about the data owner and their decisions regarding “guns vs. butter” – I’d be willing to bet that utility theory and decision theory have plenty of wonderful bits of experience and knowledge we should be familiar with.
In a private conversation, someone said “has anyone in company’s IT staff been fired for letting people do use that software?”
I did some searching for “firing offenses” and I found a bunch of interesting random things. I’d like to quote one, “How can I fire a non-performer in today’s environment:”
You may have some offenses which are no-appeal firing offenses. If you do, those need to be told to employees at the moment of hiring and then the rules need to be enforced.
So I’m curious. What are such offenses in an IT environment? Does anyone out there have a clear written list? I’m not looking for “violations of this policy may lead to consequences up to and including termination.” I’m looking for a list of things that will get you fired, like suggesting your secretary’s job is dependent on sex. I want clear measurable statements like “IT staff will be canned if they don’t change the default password within 7 days of deployment of any IT system or device.”
Absent such up front guidance, we can’t go making statements like that and expect to have any credibility.
So, does anyone have such clear policies?
Metrics seem to be yet another way in which Angry Bear noticed that the V-22 Osprey program has hidden from its failure to deliver on its promises:
Generally, mission capability runs 20% higher than availability, but availability is hidden on new stuff, while shouted about on older stuff, because there would be severe embarrassment if you considered that 40% of the brand new V-22 were not available (okay 60% available sounds much better, buy a car which is broke 40% of the time, how good does the warranty service need to be?).
The Navy and GAO are not sure which metrics to use. One of the reasons that US quality fell in the 70’s was avoiding measuring the hard things [that] gets you in trouble; a weakness of the DoD acquisition process. But the spending is more important than meaningful results.
Missing mission capable suggests that basic reliability and maintenance performance are not part of V-22 repertoire. Quality may not have been affordable during the long development cycle, and the savings are now costing in added support and lost use of the V-22
And as one commenter notes, the problem is even more fundamental than poor quality–the Osprey “cannot do a lot of what it is replacing: HH 53 and HH 46.” I would pretty much guarantee that no one is measuring the number of missions that are not performed by the Osprey but which could have been by the helicopters it replaced.
Metrics are powerful tools, but they can be as much a force for evil as a force for good. Choosing the easy-to-gather metrics or the metrics that make the thing being measured look better may play well in Slide-Deck-Land, but it doesn’t change the fact that there is still a reality lurking underneath there which isn’t going away just because someone refuses to measure it.
What people choose to measure can tell you a lot about both their competence and their motivations. Ignore it at your peril.
Ian Grigg seems to have kicked off a micro-trend with “The most magical question of all — why are so many bright people fooling themselves about the science in information security?.” Gunnar Peterson followed up with “Most Important Security Question: Cui Bono?” Both of these are really good questions, but I’m going to take issue with Gunnar’s claim. Who benefits is a great analytic tool to bring to the table, but it’s not the most important. The most important question isn’t even “Are you getting the outcomes you want?” or even “Are your controls producing the outcomes you want?”
I really like both of those questions, but I don’t think they quite capture the position of best. They’re better than many, which is an important step forward. But we can still do better. Security isn’t something people want in and of itself. It’s a property that you want for things. In the same way that people don’t go and buy a usability product, they don’t really want to buy security products. They might buy a reliability product (like a fail over system, or a high availability storage system), but they’re buying it to enable something else. And even as we work on our speciality, and even as I think it’s important, it’s part of the business, and so my proposal for today’s most important question in to ask security is:
How’s that working out for you?
It’s sad how often that brings smart folks in security to a dead stop. We can and should do better, and I think that “How’s that working out for you” helps us get better outcomes faster than “qui bono.”
And I’m optimistic that someone will say that question isn’t working very well for them, and offer up something better.
Taboos are willful ignorance, socially-enforced. They are so not New School. We have to deal with them, but we don’t have to be happy about it.
The Great Family Shame of incest between Oedipus and Jocasta
The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here.). It’s unfolding almost like a like a Greek tragedy.
Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success). Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.
Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats“ (or “Advanced Persistent Adversaries“, a term I prefer).
Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland. While they discussed almost every other topic and idea, they avoided the Operation Aurora as if it was the Great Family Shame, as highlighted here:
“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]
The Business Week article is here. (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)
While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors and no international politics are involved. While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.
So last night the family and I sat down and watched a little TV together for the first time in ages. We happened to settle on the X-Games on ESPN, purely because they were showing a sport that I can only describe as Artistic Snowmobile Jumping. Basically, these guys get on snowmobiles, jump them in the air flip around and stuff, and then a panel of judges score their efforts. I suppose the criteria is like ice skating or gymnastics where they score creativity and technique and so forth… If you haven’t seen this sport, here’s a little youtube video of what it’s like:
So we’re watching this sport on ESPN, and after a while I’m noticing a couple of things about the scores. First, they’re using a 100 point scale, and all the scores are coming in between 85 and 92. Fine, I suppose they’re summing up a number of elements.
Then this one rider scores an 88.3. Point Three. Seriously, what judge decides to go decimal? You know, a 100 point scale isn’t good enough, I really need the precision of that tenth of a point to determine if the member of “Team Slednecks” is that much better than the “Red Bull Rockstars” or whatever.
Their judgment was based on wishful thinking rather than on sound calculation of probabilities; for the usual thing among men, is when they want something, they will, without any reflection, leave that to hope; which they will employ the full force of reasoning in rejecting what they find unpalatable.
— Thucydides
The EFF is doing some measurement of browser uniqueness and privacy. It takes ten seconds.
Before you go, why not estimate what fraction of users have the same
transmitted/discoverable browser settings as you, and then check your
accuracy at https://panopticlick.eff.org. Or start at http://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking for a bit more detail.
What You’ve Said