Security: Is it Who or What That is Important?

Friday, May 04, 2012

PCI Guru


There is a very active discussion going on in security circles about understanding adversaries and how that should shape security strategy. I have taken the contrarian position in this argument and have stated that, in the scheme of things, I do not believe you need to spend much time understanding your enemy.

What I think matters most is what needs to be secured and how it needs to be secured.  This post lays out my rationale for that approach and builds on my prior post regarding The Fort Knox Approach to Security.

“Keep your friends close and your enemies closer” is popularly credited to Sun Tzu, although the line actually comes from The Godfather Part II; what Sun Tzu wrote in The Art of War is that if you know the enemy and know yourself, you need not fear the result of a hundred battles.  Either way, the advice assumes an enemy you can identify and study.  The biggest difference with cyber-attacks is that the enemy are true mercenaries: they come together because of an interest in a target, because of their own particular goal, such as proving they are the best hacker or social engineer, or for no particular reason at all.

As a result, when your enemies can number in the hundreds or even thousands, each with potentially unique motives for attacking, it is nearly impossible to do the kind of enemy analysis Sun Tzu suggests in a way that provides any significant defensive advantage.

But what about advanced persistent threat (APT) attacks?  There is usually an identifiable sponsor behind an APT, either a competitor, organized crime or a government.  However, these sponsors often hire the technical “muscle” for the actual attack.  The backer of the APT attack provides these mercenaries with a list of the information they wish to have retrieved from the target organization(s).

So while APT can provide you with a traditional enemy, that enemy is obscured by the mercenaries actually conducting the attack.  Again, an analysis of the enemy provides limited to no advantage in your defense, because what you observe on your network is the mercenaries, not the sponsor.

But I think the biggest nail in the coffin for enemy analysis is related to attack strategies.  When the annual reports from Verizon, Trustwave and other forensic examination firms consistently show that the same basic attack strategies keep succeeding, it does not matter who the enemy is or why they are attacking when anyone from a neophyte to an expert can break into your systems because of the same stupid mistakes or human errors.  By the time you have the enemy analysis done, your organization’s information is long gone.

In my opinion, ‘WHAT’ is more important: organizations need to understand ‘WHAT’ information they must protect, where it lives, and then go about appropriately protecting it.  If that sounds familiar, it should, because that was the basis of my Fort Knox post.  If you think about it, a Fort Knox strategy does not worry about ‘WHO’ is trying to get the gold; it is all about protecting the gold regardless of ‘WHO’.
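Knowing ‘WHAT’ to protect starts with finding it, and for cardholder data that means locating primary account numbers (PANs) that have leaked into documents, logs and spreadsheets where nobody expected them.  The following is an added example, not code from PCI Guru or from any vendor tool: it scans text for 13 to 19 digit runs, applies the Luhn check to weed out timestamps, order numbers and other digit strings that merely look like card numbers, and reports masked hits so the inventory itself does not become a new store of cardholder data.  The input text, the regular expression and the helper names are all constructed for this illustration; the card numbers in it are well-known industry test numbers, not real accounts.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes
# (the way PANs usually appear in free-text documents). The lookarounds stop the
# pattern from matching a 16-digit slice out of a longer digit string.
CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# Constructed sample: two test PANs, one PAN with a bad check digit, a timestamp,
# an all-zero batch id, and a phone number. None of these are real accounts.
SAMPLE = """\
Order 20120504123000 shipped to customer. Card on file: 4111 1111 1111 1111 (exp 05/14)
Refund processed to 5555-5555-5555-4444; previous attempt 4111111111111112 declined
Batch id 0000000000000000 support line 800-555-0199
"""


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # equivalent to summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the normalised (separator-free) PAN candidates in text that pass Luhn.

    Strings of a single repeated digit (e.g. all zeros) pass Luhn but are never
    issued account numbers, so they are filtered out as well.
    """
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            found.append(digits)
    return found


def mask(pan):
    """Keep the first six and last four digits, which PCI DSS allows to be displayed."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_lines(text):
    """Return (line_number, masked_pan) pairs so hits can be located without re-storing PANs."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((lineno, mask(pan)))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Run against the sample, only the two valid test PANs are reported; the timestamp and the mistyped card number fail Luhn, the all-zero string is rejected as a repeated digit, and the phone number is too short to be a candidate.  In practice the same logic is pointed at file shares, database exports and log archives, and every hit is a place where either the data should not be at all or the Fort Knox controls (encryption, access control, logging) must apply.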

The bottom line is that in a cyber-attack, ‘WHO’ is attacking you is irrelevant to the controls you need.  You do not need to waste your time figuring out ‘WHO’ the attacker is and what their motives are.  It is all about the information they wish to obtain.

So stop wasting time on enemy analysis and start properly protecting your organization’s critical, sensitive information.  I think you will find that the Fort Knox strategy makes your security efforts much easier to implement and maintain.

UPDATE: In a brief moment of clarity on my part, I realized after making this post that the Fort Knox security approach is just another way of looking at the ‘Zero Trust’ security model that John Kindervag of Forrester proposed in 2010.  See my earlier posts on the Zero Trust security approach for more information.

Cross-posted from PCI Guru

Jeffrey Carr There are many legitimate and in some cases necessary reasons for knowing the "who" part of an attack; particularly when we're talking about government agencies and the military. If you can determine who attacked you, you can create effective policy around cyber deterrence.

Furthermore, none of the companies that I've consulted for can provide an inventory of their critical data, nor do they know where such data resides on their network. The Fort Knox school of security only works when a company knows which files among their millions of files are mission-critical. One way that companies can discover their critical data is to know what the needs of particular nation states are. By knowing "who" needs what, a company can begin to understand which data is most essential to protect.
Phil Klassen I agree with the post that to understand a specific enemy or enemies may be futile in an ever-changing threat-scape. But to totally disregard tactics and methodology would seem to be a perilous stance to adopt. As Jeffrey states, you have to know the tactics and methods being used in order to properly form a security posture. I don't think it's feasible to try and simply deploy defenses without some type of strategy for detecting and defeating the enemy.
PCI Guru I see and understand your points; however, I think security professionals are focusing too much on the 'WHO' and not enough on how to properly protect the 'WHAT'. I would argue that 99.9999% of the tactics used are already known, as vendors publish them. Regardless of whether you have patched a vulnerability, you should have many other ways to protect your assets and minimize risk. But that is where things go wrong: most organizations never reconcile their risks with how to protect things from those risks or minimize the risks, and then they wonder why they got compromised.
PCI Guru I thought about this some more.

We have firewall, IDS, IPS and anti-virus vendors as well as software vendors all doing analysis of the tactics; who else do we need to get involved? Yeah, I know it's sexy to have a group doing tactic analysis, but with everyone else doing it and publishing their results, do we really need to expend a lot of time on such efforts?

IMHO there is more than enough analysis of the 'HOW'. How about the rest of us focus on the 'WHAT'?
Jeffrey Carr I don't know how much direct experience you have with incident response, PCI Guru, but in my experience there's very little known by most companies outside of the very narrow range of "APT" style threat intelligence.

And as I said earlier, companies don't want to deal with a solution that requires them to identify which of their millions of files needs to be protected and which can be let go. I believe that they're wrong to feel that way but that's the fact of the matter.
PCI Guru I have managed networks off and on for years, so I do know what people are up against. That said, if you are doing the proper vulnerability scanning and penetration testing, you know the universe of what you could be up against. The one wild card is the targeted attack through spear phishing where they create a beachhead inside your network. However, even then, you should know where you are vulnerable.