Saturday, February 22, 2014

The Limits of Tool- and Tactics-Centric Thinking

Earlier today I read a post by Dave Aitel to his mailing list titled Drinking the Cool-aid. Because it includes a chart you should review, I included a screenshot of it in this blog, below. Basically Dave lists several gross categories of defensive digital security technology and tools, then lists what he perceives as deficiencies and benefits of each. Embedded in these pluses and minuses are several tactical elements as well. Please take a look at the original or my screenshot.



I had three reactions to this post.

First, I recognized that it's written by someone who is not responsible for defending any network of scale or significance. Network defense is more than tools and tactics. It's more often about people and processes. My initial response is unsatisfying and simplistic, however, even though I agree broadly with his critiques of anti-virus, firewalls, WAFs, and some traditional security technology.

Second, staying within the realm of tools and tactics, Dave is just wrong on several counts:
  • He emphasizes the role of encryption to defeat many defensive tools, but ignores that security and information technology architects regularly make deployment decisions to provide visibility in the presence of encryption.
  • He ignores or is ignorant of technology to defeat obfuscation and encryption used by intruders.
  • He says "archiving large amounts of traffic is insanely expensive and requires massive analytics to process," which is wrong on both counts. On a shoestring budget my team deployed hundreds of open source NSM sensors across my previous employer to capture data on gateways of up to multi-Gbps bandwidth. Had we used commercial packet capture platforms we would have needed a much bigger budget, but open source software like Security Onion has put NSM in everyone's hands, cheaply. Regarding "massive analytics," it's easier all the time to get what you need for solid log technology. You can even buy awesome commercial technology to get the job done in ways you never imagined.
I could make other arguments regarding tactics and tools, but you get the idea from the three I listed.

Third, and this is really my biggest issue with Dave's post, is that he demonstrates the all-too-common tendency for security professionals to constrain their thinking to the levels of tactics and tools. What do I mean? Consider this diagram from my O'Reilly Webinar on my newest book:


A strategic security program doesn't start with tools and tactics. Instead, it starts with one or more overall program goals. The strategy-minded CISO gets executive buy-in to those goals; this works at a level understood by technicians and non-technicians alike. Next the CISO develops strategies to implement those goals, organizes and runs campaigns and operations to support the strategies, helps his team use tactics to realize the campaigns and operations, and procures tools and technology to equip his team.

Here is an example of one strategic security approach to minimize loss due to intrusions, using a strategy of rapid detection, response, and containment, and NSM-inspired operations/campaigns, tactics, and tools.




Now I don't want to seem too harsh, because tool- and tactics-centric thinking is not just endemic to the digital security world. I read how it played out during the planning and execution of the air campaign during the first Gulf War.

I read the wonderful John Warden and the Renaissance of American Air Power and learned how the US Air Force at the time suffered the same problems. The Air Force was very tactics- and technology-focused. They cared about how to defeat other aircraft in aerial combat and sought to keep the Army happy by making close air support their main contribution to the "joint" fight. The Air Force managed to quickly deploy planes to Saudi Arabia but had little idea how to use those forces in a campaign, let alone to achieve strategic or policy goals. It took visionaries like John Warden and David Deptula to make the air campaign a reality, and forever change the nature of air warfare.

I was a cadet when this all happened and remember my instructors exhibiting the contemporary obsession with tactics and tech we've seen in the security world for decades. Only later in my Air Force career did I see the strategic viewpoint gain acceptance.

Expect to hear more from me about the need for strategic thinking in digital security. I intend to apply to a PhD program this spring and begin research in the fall. I want to apply strategic thinking to private sector digital defense, because that is where a lot of the action is and where the need is greatest.

For now, I talked about the need for strategy in my O'Reilly Webinar.




Thursday, February 06, 2014

More Russian Information Warfare

In all the hype about "cyberspace" and "cyberwar," it's easy to forget about information warfare. This term was in vogue in the military when I was an Air Force intelligence officer in the 1990s. The Russians were considered to be experts at using information to their advantage and they appear to continue to wield that expertise on a regular basis. The latest incarnation goes like this:

1. Unknown parties, probably Russian SIGINT operators, intercept and record a phone call between US Assistant Secretary of State Victoria Nuland and US Ambassador to Ukraine, Geoffrey Pyatt. In the phone call, the parties use language which could be considered inflammatory or insulting to EU politicians.

2. The interceptors pass the phone call recording to a private third party.

3. Either that third party, or some recipient down the line, posts the audio and a video overlay on YouTube.



4. The third party Tweets about the video.



5. Russian-sponsored television begins broadcasting stories about the video.


6. Reputable news media begin broadcasting stories about the video.


7. The rift between American and European leaders widens (possibly).

I find several aspects of this story fascinating.

First, I am surprised that whoever intercepted the phone call decided it was worthwhile to probably burn an intelligence source. It's possible the Americans were using consumer cell phones, subject to monitoring by foreign intelligence services. If true, the Americans were not very OPSEC-aware. If the Americans were using a line which they thought was secure, then the interceptors just revealed they know how to access it.

Second, the use of third parties is characteristic of Russian activities. We are all familiar with the role of patriotic hackers, youth groups, etc. when doing normal "cyber" activities. This sort of propaganda activity, with direct ties to a probable SIGINT operation, is interesting.

Third, I wonder about the cost of this operation. In some ways it is very cheap -- YouTube, Twitter, etc. In other ways, it may be expensive -- interception and probable manual auditing of the audio to identify divisive and "offensive" content.

I don't pretend to be a Russian SIGINT expert, but I wanted to document this case in my blog. Constructive commentary is welcome but subject to moderation due to spam countermeasures. Incidentally, if I got the origin or order of any of these events wrong, I'm open to that too. I didn't ask my Russian-speaking friends to comment -- I'm just noting this story for future reference.

Update: I noticed that sources like Kyiv Post say:

Among the first to tweet the audio recording was an aide to Russian Deputy Prime Minister Dmitry Rogozin, named Dmitry Loskutov, who also wrote: "Sort of controversial judgment from Assistant Secretary of State Victoria Nuland speaking about the EU."

However, the timestamp on this Russian aide Tweet is "11:35 PM - 5 Feb 2014" whereas the private Tweet I mentioned earlier shows "9:36 pm - 4 Feb 2014" -- a day earlier.