Because I'm all about the "good enough."

Thursday, February 21, 2013

Pack all the things!!

It's almost RSA time. I haven't figured out yet how many pallets of business cards to bring along, but I have got my two dozen Band-Aids and blister cream, three pairs of shoes, and two backup power supplies. So I'm pretty well set.

I'm looking forward to spending at least some of Sunday at B-Sides San Francisco, where there are some cool talks such as "Sorry Your Princess is in Another Castle: Intrusion Deception to Protect the Web" by Kyle Adams, and "My First Incident Response Team: DFIR for Beginners" by Chort (I feel as though the latter one should come with a picture book and a juice box).

I missed TongaCon last year, and I simply can't do that any more; if @Gillis57 is going to rickroll the Tonga Room again, I need to be there to lend a hand.

On Monday I'll be moderating two panels at the AGC Partners' 9th Annual West Coast Emerging Growth Conference (and that's the only time I'll try to type that again or say it out loud for the week). "New Frontiers in Endpoint Security" and "Taking the Fight to the Adversary: Threat Intelligence in 2013" are both going to be fun -- not just because there are going to be great panelists from many companies, but also because there have been some recent headlines that fit very well with both topics.

Tuesday is our company's breakfast event, and it's another chance to catch up with a lot of people I missed seeing last year. Wednesday morning is my panel with esteemed colleague Daniel Kennedy, "Psychographics of the CISO," also starring two actual live rockstar CISO types. And it'll be great to see the crowd at the Security Bloggers' Meetup in the evening. Rumor also has it that the Girls of Misogyny Networks will be in evidence somewhere on the RSA exhibit floor.

Friday is my talk with Andy Ellis (@csoandy) on "Living Below the Security Poverty Line: Coping Mechanisms," and I'm happy to be able to present this topic in front of an important audience.

And the rest of the time? Well, my Outlook calendar view for the week currently says "66 items."

See you there.

Tuesday, February 19, 2013

Exercises left to the reader.

The Mandiant report on the threat group it calls APT1 has made a big splash, and deservedly so: the combination of juicy details and actual data such as IOCs (indicators of compromise) is another example of groundbreaking data-sharing around security breaches. Of course, the other side to the publication is its assertion that APT1 is Chinese in origin, and most likely a part of the Chinese government; this is going to provoke a lot of heated discussion.

I've seen some responses already from skeptics, casting doubt on the report's conclusions based on the fact that it didn't include any alternative conclusions other than two that pointed at China (operating either officially or unofficially). Before I get into my own opinion on it, I'd just like to throw out some considerations.

First of all, read the report in its entirety. The authors spent a lot of time connecting every dot they listed, with the proper amount of hedging words in place. Like other high-data reports such as the Verizon DBIR, this one included alternative explanations and caveats in many places. Follow the chain of logic and look at all the data presented before you start to poke holes in it.

Now let's think about some of the assumptions, either implicit or explicit, in the report's assertions. We can call out some alternatives, whether they're realistically possible or not. In no particular order:

Because of the scale of its operations, APT1 must be centrally organized and funded. 
Alternatives: it could be organized, but not from within China; it could be loosely affiliated without being centrally so; it could be using individually contributed resources.

Only the Chinese government has the resources for such an operation.
Alternatives: a very large company or extremely wealthy individual could provide the necessary resources; a different government could be providing them.

An operation that large in scale could not go unnoticed by the Chinese government; therefore it would be operating at least with approval, if not support.
Alternatives: it could be an operation outside of China, faking very large amounts of China-based IP blocks, domain registrations, and other indicators of origin (such as phone numbers); the Chinese government might not know about it, might be unable to stop it, or might simply not care to.

Writers of poor English who use simplified-Chinese keyboard layout settings must be native Chinese speakers.
Alternatives: the APT1 group is very good at planting false flags using Chinese speakers (native or not) and using bad English.

Because the three revealed personas appear to be working together and sharing resources in the same geographic location, they must be working for Unit 61398.
Alternatives: they could simply be three people in a social group or other organization that is also located in the region, or is using the same false flags.

Because this linked activity has been going on for so many years (with domain registrations starting as early as 2004), it must be using the same people, the same resources and be supported by the same central organization.
Alternatives: it could be the same people over time, but not affiliated with the same organization; it could be different individuals who "take the reins" and continue the same general activity.

Because APT1 is attacking industries listed in China's strategic five-year-plan, it must be furthering China's goals.
Alternatives: those industries could be on the strategic lists of a lot of countries, and the match with China could be a coincidence.

These are just the ones coming off the top of my head. Now, let's take a step back:

Would any one of these alternatives, if it proved to be correct, torpedo all the other assumptions? Or would a large number of all the alternatives have to be correct, and fit all the available evidence?

In other words, how probable do these alternatives need to be in order to supplant all these assumptions?

(This is my amateur version of an ACH, an Analysis of Competing Hypotheses, because I am not in that line of work.)

Now, bear in mind that the evidence laid out in the report may not be all the evidence; it might just be the parts that Mandiant feels are safe to disclose. So the evidence may be even more compelling than we know. Working with what we're given, it appears to me that unless you assume a large-scale conspiracy or an equally well-resourced organization that can fake being sourced in China extremely well (without the knowledge or cooperation of the Chinese government), the preponderance of the evidence points most simply to Mandiant's conclusion. To put it another way, an alternative conclusion would have to be supported by a larger number of less probable, more complicated scenarios that would all have to fit themselves to the facts even better than the China theory does.

It could be that the evidence in the report is either partially or wholly incorrect, or there's a bunch of evidence that contradicts it (and supports the alternative conclusions) that we just don't see. What other evidence would need to show up to do the trick? And how probable is that?

So it's kind of like insisting that the Moon landing was faked -- it would require a perfect conspiracy of silence from hundreds of people over decades, and more sophisticated special effects technology than we know to be available at the time. Sure, you could come up with an alternative conclusion that fits the same evidence, but you'd have to work a lot harder at it.

Would you rather believe that there's an extremely clever and powerful organization out there that is managing to look over years as though it's sourced in China -- without making any mistakes to give it away -- and that the Chinese government can't do anything about? Or would you rather believe that there's a long-term, Chinese government-approved hacking group that isn't perfect and has left quite a few clues behind?

There will never be an airtight case one way or the other, but these things aren't binary. From what Mandiant has presented, the simplest explanation is the one it's offering. It's politically explosive, of course, and that's why belief comes into play. But if you have to do more work to deny something than to accept it, you might want to reconsider your chain of logic.
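As an added illustration that is not part of the original post: the "amateur ACH" above, written out as a small Analysis of Competing Hypotheses scorer in Python. The hypotheses and evidence items are paraphrased from the post; the consistency ratings, evidence weights and hypothesis labels (H1, H2, H3) are this example's own assumptions chosen for illustration, not findings from the Mandiant report. The point it makes mechanically is the one the post makes in prose: evidence that fits every hypothesis equally is non-diagnostic, and a competing hypothesis is ranked by how much evidence it has to explain away, not by how many pieces of evidence happen to be compatible with it.

```python
"""Minimal Analysis of Competing Hypotheses (ACH) scorer.

Added example, not code from the original post. Hypotheses and evidence
are paraphrased from the post; all ratings and weights are assumptions
made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rating scale: "if this hypothesis were true, how surprising is this evidence?"
CC, C, N, I, II = 2, 1, 0, -1, -2   # strongly consistent ... strongly inconsistent

# Assumed hypothesis labels (not from the report).
HYPOTHESES: Dict[str, str] = {
    "H1": "APT1 is a Chinese government-approved group operating from China",
    "H2": "APT1 is a well-resourced non-Chinese actor running a multi-year false flag",
    "H3": "APT1 is a loosely affiliated group in China with no central backing",
}


@dataclass(frozen=True)
class Evidence:
    name: str
    weight: float              # assumed confidence in the evidence item, 0..1
    ratings: Dict[str, int]    # hypothesis id -> rating from the scale above


# Constructed ratings for the demo; each row is an assumption, not a finding.
EVIDENCE: List[Evidence] = [
    Evidence("China-based IP blocks, domain registrations, phone numbers", 0.8,
             {"H1": C, "H2": C, "H3": C}),      # fits all three: non-diagnostic
    Evidence("Simplified-Chinese keyboard layouts and poor English", 0.6,
             {"H1": C, "H2": N, "H3": C}),
    Evidence("Three personas co-located and sharing resources", 0.7,
             {"H1": C, "H2": I, "H3": C}),
    Evidence("Linked activity sustained since 2004", 0.7,
             {"H1": C, "H2": I, "H3": II}),
    Evidence("Scale of operations implying central organization and funding", 0.9,
             {"H1": C, "H2": C, "H3": II}),
    Evidence("Targets match industries in China's five-year plan", 0.5,
             {"H1": C, "H2": N, "H3": C}),
    Evidence("Mistakes left behind all point to China, none elsewhere", 0.6,
             {"H1": C, "H2": II, "H3": C}),
]


def inconsistency_count(evidence: List[Evidence], hypothesis: str) -> int:
    """Number of evidence items a hypothesis has to explain away."""
    return sum(1 for e in evidence if e.ratings[hypothesis] < 0)


def inconsistency_penalty(evidence: List[Evidence], hypothesis: str) -> float:
    """Weighted inconsistency: only negative ratings count, per Heuer's ACH.

    Consistent evidence does not add credit, so piling up compatible
    facts cannot rescue a hypothesis that contradicts a few strong ones.
    """
    return sum(e.weight * -e.ratings[hypothesis]
               for e in evidence if e.ratings[hypothesis] < 0)


def diagnostic_evidence(evidence: List[Evidence]) -> List[str]:
    """Evidence whose rating differs between hypotheses.

    An item rated the same for every hypothesis (here: the China-based
    infrastructure) cannot discriminate between them and is dropped.
    """
    return [e.name for e in evidence if len(set(e.ratings.values())) > 1]


def rank(evidence: List[Evidence], hypotheses: Dict[str, str]) -> List[Tuple[str, float]]:
    """Hypotheses ordered from least to most weighted inconsistency."""
    scored = [(h, inconsistency_penalty(evidence, h)) for h in hypotheses]
    return sorted(scored, key=lambda hv: hv[1])


def margin(evidence: List[Evidence], leader: str, challenger: str) -> float:
    """How much weighted inconsistency the leader would have to acquire
    (or the challenger shed) before the challenger overtakes it.

    This is the post's question "what other evidence would need to show up?"
    expressed as a number.
    """
    return inconsistency_penalty(evidence, challenger) - inconsistency_penalty(evidence, leader)


if __name__ == "__main__":
    print("Diagnostic evidence:", *diagnostic_evidence(EVIDENCE), sep="\n  ")
    for h, penalty in rank(EVIDENCE, HYPOTHESES):
        print(f"{h}: penalty={penalty:.1f} "
              f"inconsistent_items={inconsistency_count(EVIDENCE, h)}  {HYPOTHESES[h]}")
    print(f"H2 must shed {margin(EVIDENCE, 'H1', 'H2'):.1f} of weighted inconsistency to overtake H1")
```

With these (assumed) ratings, H3 contradicts fewer individual items than H2 but carries a larger weighted penalty, because the two items it contradicts are the strongest ones; counting compatible facts, or even counting contradictions, would have ranked it the other way. Changing the weights and ratings to your own reading of the report is the point of the exercise: the ranking only moves if you can justify a rating that makes several of the diagnostic items fit the false-flag story better than the straightforward one.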

Saturday, February 9, 2013

All up in your bitness.

We knew it would happen: another security vendor gets hit, this time Bit9, which was admirably quick to disclose after it got in touch with its affected customers (and that's the order it should have happened in, folks). We also knew this would follow: the piling-on (I think Bromium wins the ambulance-chasing award this time around). Which is only fair, in that everyone is tempted to pile on every time there's a failure that is linked to a competitor.

But there's a big gap between those who are all pointing and laughing and those who sympathize. It falls along very clear lines: those who have spent time in defense and those who only know offense; those who enjoy pointing out flaws and claiming to have the answers, and those who have had to clean up after the proof that there are no complete answers.

Guess what? If your "solution" needs to be 100% implemented to be successful, then it's never going to solve the problem. Because in the real world, there's no such thing as 100%.

Security is an unrelenting business, one that you can never prove is done adequately. You'll never be finished, and you can never know if you can even take a break. And it's never fully appreciated by the people who make a living based on that reality: the vulnerability finders and the "solution" providers.

You may walk into an enterprise as a consultant, and you may be focused on addressing one particular problem (let's say, implementing monitoring). You may just assess the current situation, prescribe some controls, wish the customer luck, and be on your way to the next gig. Or you might even stick around to see that one project to its "completion" -- in which case, you'll be there for months or years. But unless you spend a year in the captain's chair, trying to cover every possible contingency with fallible humans, limited budget and "helpful" researchers coming up with new ways that your systems are attackable, you don't understand a thing about real defense.

If you are playing just one position, you don't understand the whole game.

Defense is frustrating; it's boring; it's tedious. It's not sexy when you are sitting in a boardroom with an auditor, or when you are looking at a list of scanner findings and trying to manage the year-long projects to fix them. You need an accountant's attention to detail, the skills of a master social engineer, the diagnostic skills of a doctor, and the patience of a saint. In short, you need to know everything that every possible attacker does, and you need to block all of it, all the time, immediately, using resources that you will never completely control.

So if you're one of the ones scolding a breach victim, you're just displaying your own ignorance of the reality of security in front of those who know better. Think about that for a while, before you're tempted to pile on.