I'm running a #BlackFriday #CyberMonday sale on my four newest #Kindle format books. Volumes 1-4 of The Best of TaoSecurity Blog will be half off starting 9 pm PT Tuesday 22 Nov and ending 9 pm PT Tuesday 29 Nov. They are here. There also appears to be a daily deal right now for the paperback of Volume 2, 45% off at $8.96.





I am now using Mastodon as a replacement for the blue bird. This is my attempt to verify myself via my blog. I am no longer posting to my old bird account.


 

Over the weekend I organized some old computing equipment. I found this beauty in one of my boxes. It's a Netgear EN104TP hub. I've mentioned this device before, in this blog and my books. This sort of device was the last of the true hubs. In an age where cables seem reserved for data centers or industrial facilities, and wireless rules the home and office, this hub is a relic of days gone past.

To give you a sense of how old this device is, the Netgear documentation (still online -- well done) offers a PDF created in August 1998. (Again, well done Netgear, not mucking about with the timestamps.) I'm not sure how old my specific device is. Seeing as I started working in the AFCERT in the fall of 1998, I could see this hub being easily over 20 years old. 

A hub is a network device that accepts traffic from its ports and repeats the traffic to all other ports. This is different from a switch, which maintains a table identifying which MAC addresses are in use on which ports. Before building this CAM (content addressable memory, IIRC) table, traffic to a previously unseen MAC address will appear on all ports save the sender's.

This is a "true hub" because all of the ports are 10 Mbps. Yes, that is 100 times "slower" than the Gigabit ports on modern devices, if they have Ethernet ports at all. Starting with 10/100 Mbps devices, they all became switches. I never encountered a 100 Mbps "hub." Every device I ever had hands on was a 10/100 Mbps switch. That meant you were unlikely to see traffic on all ports when using a 10/100 Mbps device or even a 100 Mbps device (which I never saw anyway). There were no Gigabit (1000 Mbps) hubs built. I don't think the specification even supports it.

These little boxes were network monitoring enablers. If you wanted to learn, or troubleshoot, or possibly even add monitoring to a production network, you could connect an upstream cable, a downstream cable, and a monitoring cable to the hub. The upstream could be a router and the downstream might be a firewall, and the monitoring would be your NSM server. If you were looking at traffic between two individual computers and needed visibility for an NSM laptop, you would plug all three into the hub, and plug your Internet upstream into the fourth port.
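To make the visibility difference concrete, here is an added simulation (my example, not code from the original post) of a repeating hub beside a learning switch. The port numbers, MAC addresses and frame sequence are constructed for the example: a router on port 0, a firewall on port 1, and a passive NSM sensor on port 2. It shows why the sensor sees every frame on a hub but, on a switch, only the frames that are flooded before the MAC table has learned both endpoints.

```python
"""Hub versus learning switch: which ports see each frame?

Added example for illustration, not part of the original blog post.
Port numbers and MAC addresses below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


class Hub:
    """A true hub: every frame is repeated to every port except the ingress port."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, in_port: int, frame: Frame) -> set[int]:
        return {p for p in range(self.ports) if p != in_port}


class Switch:
    """A learning switch with a MAC (CAM) table.

    Unknown unicast and broadcast destinations are flooded like a hub;
    once the destination MAC has been learned, only its port sees the frame.
    """

    def __init__(self, ports: int) -> None:
        self.ports = ports
        self.mac_table: dict[str, int] = {}

    def forward(self, in_port: int, frame: Frame) -> set[int]:
        # Learn (or refresh) which port the sender lives on.
        self.mac_table[frame.src] = in_port
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            return {p for p in range(self.ports) if p != in_port}
        if out_port == in_port:
            return set()  # sender and receiver share a segment; nothing to forward
        return {out_port}


def run(device: Hub | Switch, traffic: list[tuple[int, Frame]]) -> list[set[int]]:
    """Return, for each (ingress port, frame) pair, the set of egress ports."""
    return [device.forward(port, frame) for port, frame in traffic]


def monitor_visibility(device: Hub | Switch, traffic: list[tuple[int, Frame]],
                       monitor_port: int) -> int:
    """Count how many frames reach a passive sensor attached to monitor_port."""
    return sum(1 for seen in run(device, traffic) if monitor_port in seen)


# Constructed sample: router (port 0) and firewall (port 1) exchange three frames.
ROUTER_MAC = "aa:aa:aa:aa:aa:01"
FIREWALL_MAC = "bb:bb:bb:bb:bb:02"
SAMPLE_TRAFFIC = [
    (0, Frame(ROUTER_MAC, FIREWALL_MAC)),   # firewall MAC unknown: flooded
    (1, Frame(FIREWALL_MAC, ROUTER_MAC)),   # router MAC already learned
    (0, Frame(ROUTER_MAC, FIREWALL_MAC)),   # both learned: unicast only
]
MONITOR_PORT = 2

if __name__ == "__main__":
    for name, device in (("hub", Hub(4)), ("switch", Switch(4))):
        seen = monitor_visibility(device, SAMPLE_TRAFFIC, MONITOR_PORT)
        print(f"{name}: sensor on port {MONITOR_PORT} saw {seen} of {len(SAMPLE_TRAFFIC)} frames")
```

Running it shows the hub delivering all three frames to the sensor port while the switch delivers only the first, flooded frame. That is the property the post relies on: a 10 Mbps hub gives a monitoring port complete visibility with no SPAN or tap configuration, whereas a switch hides learned unicast traffic from any port not involved in the conversation.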

I haven't needed this device in years, but I plan to keep it as a physical artifact of a time long past. At least this one still powers on, unlike my first computer, a Timex Sinclair ZX-80.


This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project.

Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on. 

I am especially pleased with Video 6 on monitoring wireless networks. It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot.

Please like and subscribe, and let me know if there is a topic you think might make a good video.



 


I've completed the TaoSecurity Blog book series.

The new book is The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship.

It's available now for Kindle, and I'm working on the print edition. 

I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up.


I described the new title thus:

Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich.

In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material. 

In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives.

Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or policy audiences. It features posts from other blogs or news outlets, as well as some of his written testimony from eleven Congressional hearings. For the first time, Mr. Bejtlich publishes documents that he wrote as part of his abandoned war studies PhD program. This last batch of content was only available to his advisor, Dr. Thomas Rid, and his review committee at King's College London.

Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.

This will likely be my final collection of writings. I've discovered some documents that may be of interest to historians, so I may contribute those to a national security archive like my friend Jay Healey did a few years ago.

The only other work I might do for these four volumes is to record Audible editions. That would take a while, but I'm thinking about it.


 


What are the origins of the names TaoSecurity and the unit formerly known as TAO? 

Introduction

I've been reading Nicole Perlroth's new book This Is How They Tell Me the World Ends. Her discussion of the group formerly known as Tailored Access Operations, or TAO, reminded me of a controversy that arose in the 2000s. I had heard through back channels that some members of that group were upset that I was operating using the name TaoSecurity. In the 2000s and early 2010s I taught classes under the TaoSecurity brand, and even ran TaoSecurity as a single-person consultancy from 2005-2007. 

The purpose of this post is to explain why, how, and when I chose the TaoSecurity identity, and to show that it is contemporaneous with the formal naming of the TAO group. The most reliable accounts indicate TaoSecurity predates the TAO brand.

TaoSecurity Began with Kung Fu and Taoism

With Sifu Michael Macaris, 21 June 1996

In the summer of 1994, after graduating from the Air Force Academy and before beginning my graduate program at what is now called the Harvard Kennedy School, I started watching re-runs of the 1970s David Carradine Kung Fu TV series, created by Ed Spielman. I was so motivated by the philosophical message of the program that I joined a kung fu school in Massachusetts. I trained there for two years, and studied what I could about Chinese history and culture. I learned that the show was based on Taoism (for example), so I bought a copy of the Tao Te Ching by Lao Tzu and devoured it.

Visiting China

Tai Chi on the Yangtze, May 1999

In the spring of 1999 my wife and I took a three week trip to China for our honeymoon. We were both interested in Chinese culture so it seemed like a great opportunity. It was an amazing trip, despite the fact that we were in China when the United States bombed the Chinese embassy in Belgrade.

I include these details to show that I was quite the fan of Chinese culture, well before any formal cyber threat intelligence reports associated me with China. I read books on Taoism and embraced its concepts.

Creating TaoSecurity

WHOIS lookup for taosecurity.com

In the summer of 2000 I was a captain at the Air Force Computer Emergency Response Team, within the 33rd Information Operations Squadron. I decided I wanted to try creating a Web presence, so I registered the TaoSecurity domain name on 4 July 2000. The WHOIS record above shows 3 July, which is odd, because a previous post on the topic captured the correct date of 4 July 2000. I also coined the phrase "the way of digital security."

My wife commissioned an artist to design the TaoSecurity logo, which I have used continuously since then. At the time I had never heard of TAO. There was a good reason for that. TAO was just being born as well.

General Hayden on Creating TAO


Playing to the Edge by General Michael Hayden

The first public source on the history of TAO appeared in a 2013 story for Foreign Policy by Matthew M. Aid. He claimed that the agency created TAO in 1997. While it is possible that members of what would later be named TAO were working a similar mission in 1997, his story requires details that I add next.

A succinct source on the origins of the unit previously known as TAO is the 18 October 2018 article by Steven Loleski. He wrote a piece called From cold to cyber warriors: the origins and expansion of NSA’s Tailored Access Operations (TAO) to Shadow Brokers (PDF). Mr. Loleski cited General Michael Hayden's 2016 book Playing to the Edge, which I quote more extensively here:

"In the last days of 2000, as we were rewiring the entire agency’s organizational chart (see chapter 2), we set up an enterprise called TAO, Tailored Access Operations, in the newly formed SIGINT Directorate (SID). We had toyed with some boutique end-point efforts before, but this was different. This was going to be industrial strength...And, even in a period of generalized growth, TAO became the fastest-growing part of NSA post-9/11, bar none."

Seeing as General Hayden was in charge of NSA at the time, that would seem to make it clear that TaoSecurity preceded TAO by several months, at least.

I also looked for details in the 2016 book Dark Territory: The Secret History of Cyber War by Fred Kaplan. I've enjoyed several of his previous books, and he interviewed and cited me for the text.

Mr. Kaplan explained how General Michael Hayden, NSA director from March 1999 to April 2005, named the unit, as part of a general reorganization effort. Thanks to Cryptome and FOIA requests by Inside Defense we can read the October 1999 report recommending organizational changes. That reorganization was the genesis for creating TAO.

Kaplan on Creating TAO
External Team Report Recommended Organization, 22 October 1999, Cryptome

This document, titled EXTERNAL TEAM REPORT: A Management Review for the Director, NSA, October 22, 1999 mentions the need to reorganize the "Signals Intelligence Mission (SIM)" into "three offices, Global Response, Tailored Access and Global Network." The October 2000 public news story by Inside Defense about the reorganization implies that it did not happen overnight. 

Mr. Kaplan notes that General Hayden initiated his "One Hundred Days of Change" program on 15 November 1999. A three-day server crash in January 2000 hampered reform efforts, prompting big changes in NSA approaches to computing. However, TAO was eventually operating some time in 2000. Mr. Kaplan notes the following in his book:

"It began, even under his expansion, as a small outfit: a few dozen computer programmers who had to pass an absurdly difficult exam to get in. The organization soon grew into an elite corps as secretive and walled off from the rest of the NSA as the NSA was from the rest of the defense establishment. Located in a separate wing of Fort Meade, it was the subject of whispered rumors, but little solid knowledge, even among those with otherwise high security clearances...

Early on, TAO hacked into computers in fairly simple ways: phishing for passwords (one such program tried out every word in the dictionary, along with variations and numbers, in a fraction of a second) or sending emails with alluring attachments, which would download malware when opened. 

Once, some analysts from the Pentagon’s Joint Task Force-Computer Network Operations were invited to Fort Meade for a look at TAO’s bag of tricks. The analysts laughed: this wasn’t much different from the software they’d seen at the latest DEF CON Hacking Conference; some of it seemed to be repackaged versions of the same software. Gradually, though, the TAO teams sharpened their skills and their arsenal."

It's clear from this passage that TAO started as a small unit that conducted less exotic operations. It was difficult to join, but a far cry from the powerhouse it would soon become. It's also clear that knowledge of this organization was tightly controlled. Even the term "tailored access" was not associated publicly with NSA until the October 2000 reporting by Inside Defense, reproduced by Cryptome.

Minihan's Role

Dark Territory by Fred Kaplan

Circling back to the mention of 1997 in Mr. Aid's article, we do find the following in Mr. Kaplan's reporting:

"Fort Meade’s would be the third box on the new SIGINT organizational chart—“tailored access.”

[Lt Gen Kenneth] Minihan [NSA director 1996-1999] had coined the phrase. During his tenure as director, he pooled a couple dozen of the most creative SIGINT operators into their own corner on the main floor and gave them that mission. What CIA black-bag operatives had long been doing in the physical world, the tailored access crew would now do in cyberspace, sometimes in tandem with the black-baggers, if the latter were needed—as they had been in Belgrade—to install some device on a crucial piece of hardware.

The setup transformed the concept of signals intelligence, the NSA’s stock in trade. SIGINT had long been defined as passively collecting stray electrons in the ether; now, it would also involve actively breaking and entering into digital machines and networks.

Minihan had wanted to expand the tailored access shop into an A Group of the digital era, but he ran out of time. When Hayden launched his reorganization, he took the baton and turned it into a distinct, elite organization—the Office of Tailored Access Operations, or TAO."

This reporting indicates that there was a tailored access group operating at NSA prior to General Hayden, but it was not actually named "TAO" and was not as large or exotic as what was to come.

Conclusion

"Tao inside," TAO's play on the Intel Inside marketing campaign

To summarize, General Hayden assigned the name TAO to a group inside NSA in late 2000, months after I registered the TaoSecurity domain name. Although General Minihan had created a tailored access group during his tenure, the existence of that team, as well as what was later formally called TAO, was a close-held secret. The term "tailored access" did not appear in the public until Inside Defense's reporting of October 2000. 

Although I worked in the unit (Air Intelligence Agency) that served as the cryptologic service group for NSA (the Air Force contribution to the agency), I was not aware of any tailored access teams when I chose TaoSecurity as the name for my repository of security ideas. I selected TaoSecurity to reflect my interest in Taoism, and it had nothing to do with TAO or the NSA.




Proposition

Digital offense capabilities are currently net negative for the security ecosystem.[0]

The costs of improved digital offense currently outweigh the benefits. The legitimate benefits of digital offense accrue primarily to the security one percent (#securityonepercent), and to intelligence, military, and law enforcement agencies. The derived defensive benefits depend on the nature of the defender. The entire security ecosystem bears the costs, and in some cases even those who see tangible benefit may suffer costs exceeding those benefits.

The Reason

Limitations of scaling are the reason why digital offense capabilities are currently net negative.

Consider the case of an actor developing a digital offense capability, and publishing it to the general public. 

From the target side, limitations on scaling prevent complete mitigation or remediation of the vulnerability.

The situation is much different from the offense perspective.

Any actor may leverage the offense capability against any Internet-connected target on the planet. 

The actor can scale that capability across the entire range of vulnerable or exposed targets.

The Three

Only three sets of actors are able to possibly leverage an offense capability for defensive purposes.

First, the organization responsible for developing and maintaining the vulnerable or exposed asset can determine if there is a remedy for the new offense capability. (This is typically a "vendor," but could be a noncommercial entity. As a shorthand, I will use "vendor.") The vendor can try to develop and deploy a patch or mitigation method.

Second, major consumers of the vulnerable or exposed asset can take similar steps, usually by implementing the vendor's patch or mitigation.

Third, the security one percent can take some defensive measures, either by implementing the vendor's patch or mitigation, or by developing and acting upon detection and response processes.

The combination of the actions by these three sets of actors will not completely remediate the digital offense capability. The gap can be small, or it can be exceptionally large, hence the net negative cost to the digital ecosystem.

The Insight

From the intruder side, little to no limitations on scaling mean the intruder can leverage the digital offense capability against all vulnerable targets.

This is the key insight that produces digital offense capabilities as net negative for the entire security ecosystem:

Offensive scale is superior to defensive scale.

Stated differently:

An intruder actor can leverage an offense capability against any vulnerable target.

Few (if any) defenders can leverage a derived defense capability against all vulnerable targets.

Those who object to this argument are likely one of the three actors.

Objections: Vendors


Vendors may have the strongest case for being able to scale defense, depending on the nature of the vendor's offering.

Vendors who provide software or other capabilities that require customer action for updates are in the weakest position. If customers do not update, they remain vulnerable.

Vendors who mandate automatic updating are in a stronger position. Customers receive the update, with the effectiveness of the update mechanism being the major limitation.

Vendors who operate "as a service" offerings, such as the major cloud and email providers, are in the strongest position. They can silently improve their offering without user involvement. They can scale defense across their service as they more or less completely control it.

Objections: Major Consumers


Major consumers may operate with or without the involvement or action of vendors. When the major consumer is operating an on-premise instance, for example, they can be in a position to implement a mitigation or remediation. Such major consumers have teams that qualify them as being in the security one percent, so in some ways this dual-counts the defensive benefit.

Some major consumers may remain vulnerable, however, regardless of their relative size or nature. The SolarWinds case has shown that organizations with multi-billion-dollar information technology budgets can be as helpless as those outside the security one percent.

Objections: The Security One Percent

The security one percent is likely to voice the loudest objections. The security one percent are individuals working in entities with the budget to fund a blue (defense) team, and probably a red (offense) team.

As mentioned in a previous blog post, the security one percent can use offensive tools to equip their red or penetration testing teams. Those teams, nonexistent outside the security one percent, can work with or against blue teams to determine if countermeasures are effective.

The security one percent is generally oblivious to their privilege. I was personally not aware of this mindset until the rise of ransomware in 2018-2020. 

The exceptions are two-fold. One group who is aware of their privilege comes from "the other side of the tracks." They worked for an entity without a security team, perhaps in a non-IT role, or a non-security role. Another exception involves people who volunteer or consult with entities outside the security one percent. They see the gap between their own capabilities and those they are trying to help. 

One portion of the security one percent is particularly critical: those who rely upon offense for their income, or enjoy it as a hobby. They reject any sentiment or policy prescription that threatens their livelihood or enjoyment, regardless of the larger societal cost. Addressing the concerns of this group requires a separate blog post.

Summary

The difference in the capabilities of the vendor/major consumer/security one percent triad and the rest of the security ecosystem is the result of defense failing to scale as effectively as offense.

When an actor publicly releases a digital offensive capability, especially in the form of working code, generally any threat actor can leverage that capability against any vulnerable target.

The inverse is not true. Any defensive capability, derived from the offensive capability, can generally not be leveraged to protect any vulnerable target. 

Free or open source tools, training, or knowledge are helpful, but they require deployment, tuning, comprehension, commitment, and a host of other capabilities that do not scale as effectively as offensive code. While using offensive code has a learning and operational curve, it is nowhere as steep as that facing defenders.

The strongest and most helpful exception is found in vendors who offer "as a service" capabilities. They can independently and comprehensively improve their security posture with little to no involvement from the vulnerable population. (An exception, for example, is offering, but not mandating, multi-factor authentication. Only by adopting MFA does the population improve its security.)

Conclusion

The summary yields three conclusions:

1. Limiting the availability of digital offense capabilities, such that they are not public and within the reach of any threat actor, will likely limit offensive options for intruders, thereby increasing their operational costs to research, develop, deploy, and maintain offensive tools.

2. Increasing the use and reliance upon "as a service" offerings will likely improve the security of the ecosystem, as defensive measures can be scaled across the entire vulnerable population.

3. The rise of "as a service" offerings will likely drive intruders to target those offerings directly, rather than the independent assets distributed across the ecosystem.

There are no "solutions" in digital security -- only trade-offs.[1] 

I am cautiously optimistic that some combination of the first two conclusions would offset the rise of the third conclusion, generating a net positive improvement in digital security. 

Too many in the digital world have treated security as a technical problem with technical solutions. While technical matters play a role, the centrality of the digital ecosystem means that it should be treated as a public policy concern. That strategy is at least two decades overdue.

Please direct comments on this post to Mastodon.

Endnotes

[0] I'm very confident this argument holds for public digital offense capabilities. After publishing this post I realized I assumed this perspective but did not make it explicit. Hence, this note.

[1] I derive this phrase from one of my public policy professors, Philip D. Zelikow, who noted that there are no solutions in public policy -- only trade-offs. 
 


Introduction 


I published a new book!


It's in the Kindle Store, and if you have an Unlimited account, it's free. 

I also published a print edition, which is 485 pages. 

Book Description


The book features the following description on the back cover:

Since 2003, cybersecurity author Richard Bejtlich has been publishing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 stories and approximately one million words, he has selected and republished the very best entries from 17 years of writing, along with commentaries and additional material. 

In the third volume of the TaoSecurity Blog series, Mr. Bejtlich addresses the evolution of his security mindset, influenced by current events and advice from his so-called set of "wise people." He talks about why speed is not the key to John Boyd's OODA loop, and why security strategies designed for and by the "security 1%" may be irrelevant at best, or harmful at worst, for the remaining "99%". His history section explores the origins of the terms threat hunting and indicators of compromise, and reveals who really created the quote "there are two types of companies." His chapter on law highlights traps that might catch security teams, with advice to chief information security officers.

This volume contains some of Mr. Bejtlich’s favorite posts, such as Marcus Ranum's answer to what happens when security teams confront professionals, or how the Internet continues to function despite constant challenges, or reactions to comments by Dan Geer, Bruce Schneier, Marty Roesch, and other security leaders. Mr. Bejtlich has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.  Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.

Writing the Series


Although I had written and self-published a book in early 2019, I had used Blurb and stayed in print format. 

For this new project, I wanted to publish "reflowable" (not print replica) Kindle editions, along with print versions, through Amazon. 

I started the project in September 2019 by labelling 300 or so out of the 3,050 blog posts as candidates for inclusion in a "best of" book. I quickly realized that "only" 300 posts, plus new material and commentary, would result in a very large project, so I decided to break it into three volumes.

I created twelve categories and began sorting and commenting on the posts in March 2020. I decided to assign four categories to each volume, with an "appendices" category for the last volume if necessary.

I chose the 5.5 inch by 8.5 inch "statement" print size since it was supported by Google Docs and was a standard print size for Amazon.

Eventually I selected almost 375 posts for the book and began the real work!

I published volume 1 in May 2020. The print edition features 85,030 words in 357 pages, or about 238 words per page. 

I published volume 2 in September 2020. The print edition features 96,288 words in 429 pages, or about 224 words per page.

Now, volume 3 has arrived in November 2020. The print edition features 90,190 words in 485 pages, or about 185 words per page.

In total, the project resulted in 271,508 words over 1,271 pages, or about 214 words per page.

What's Next?




Originally I wanted to add a few items outside TaoSecurity Blog to the third volume, in a section called "Appendices." As I discovered and collected this material, I realized that adding it would essentially double the size of the third volume. As it was over 400 pages at that time, I decided I would save most of this material for another project.

That other project is Beyond TaoSecurity Blog, Volume 1: Columns, Papers, PhD Work, and Testimonies. At the moment, I believe I have a handle on what to include in that title. I don't expect to have a volume 2, but I thought it best to give this a volume number as I may have more material to publish in the future.

My goal is to publish this "Beyond" book during the next few weeks -- perhaps during or after Thanksgiving. 

Conclusion


I wrote this series of books because I fear that this blog has become too unwieldy for its own good. Revisiting 17 years of posts, adding commentaries, and collecting related material has helped me better understand my own journey in security. The new "Beyond" book reaches a bit farther past the three blog volumes and includes material never before published, primarily from my abandoned PhD effort. I'll have more to say when I publish that book before the end of the year.

If you've read any of the books in the TaoSecurity Blog series, I would greatly appreciate a positive review! Thank you.

There's a good chance that if you're reading this post, you're a member of an exclusive club. I call it the security one percent, or the security 1% or #securityonepercent on Twitter. This is shorthand for the assortment of people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs, especially those with detection and response capabilities and not just planning and resistance/"prevention" functions.

Introduction 


This post will estimate the size of the security 1% in the United States. It will then briefly explain how the security strategies of the 1% might be irrelevant at best or damaging at worst to the 99%.

A First Cut with FIRST


It's difficult to measure the size of the security 1%, but not impossible. My goal is to ascertain the correct orders of magnitude. 

One method is to review entities who are members of the Forum of Incident Response and Security Teams, or FIRST. FIRST is an organization to which high-performing computer incident response teams (CIRTs) may apply once their processes and data handling meet standards set by FIRST. 

I learned of FIRST when the AFCERT was a member in the late 1990s. I also assisted with FIRST duties when Foundstone was a member in the early 2000s. I helped or sponsored membership when I worked at General Electric in the 2000s and Mandiant in the 2010s. I encourage all capable security teams to join FIRST.

Being a FIRST member means having a certain degree of incident response and data handling capability, and it signals to the world and to other FIRST teams that the member entity is serious about incident detection and response.

As of the writing of this post, there are 540 FIRST teams worldwide. Slightly more than 100 of them are based in the United States. 

To put that in perspective, there are fewer than 4,000 publicly traded companies in the US. That means that even if every single US FIRST member represented a publicly traded company -- and that is not the case -- FIRST representation for US publicly traded companies is only 2.5%.

Beyond FIRST


Some of you might claim FIRST membership is no big deal. My current employer, Corelight, isn't a member, you might say. 

Perhaps you could argue that for every US FIRST member, there are 9 others which have equivalent or better security teams. That would increase the cadre of entities with respectable detection and response capabilities from 100 to 1,000. That would still mean an estimate that says 75% of publicly traded US companies have sub-par or non-existent security programs.

Remember that we've only been talking about a population of 4,000 publicly traded US companies. The US Small Business and Entrepreneurship Council estimates that there were 5.6 million employer firms in the United States in 2016. Let's sadly reduce that to 4 million to account for the devastation of Covid. 

(This reduction actually makes the situation look better for security, as terrible as it is either way. In other words, if I used a denominator of 5.6 million and not 4 million, security estimates would be 40% worse.)


Small Business and Entrepreneurship Council


Let's be really generous and assume that only 1 in 100 of those 4 million businesses have any sensitive data. (That's again very generous.) 

That leaves us with 400,000 entities with data worth defending. (Again, all of these estimates make it look like we're doing better than we actually are. The reality is probably a lot worse.)

Remember that we only had 100 US teams in FIRST, and we assumed an incredible 10-to-1 ratio to add another 900 non-FIRST organizations to the list of entities with decent security.

Now let's be generous again and assume a 4-to-1 ratio, such that for every 1 team in the publicly traded world there are 3 in the private world that also have decent security.

This creates a total of 4,000 US organizations with decent security, out of 400,000 that need it. Those 4,000 are the security 1%.

If you think of the "best of the best," there's probably only about 40 US security teams that qualify as global leaders and innovators. These are the teams that can stand toe-to-toe with most foes, and still struggle due to the nature of the security challenge. You and I could probably name them: Lockheed Martin, Google, General Electric, etc.

That group of 40 is the 1% of the 1%, being 40 of the 4,000 of the 400,000. These 40 are the US 0.01%.

If you think I'm being too conservative with only 40 teams, then feel free to increase it to 400. I'd be really curious to see someone compile a list of 400 world-beating security teams. That would still mean that the US group of 400 is the 0.1%.

Sanity Check: A Few Statistics


To give you a sense of my numbers, and whether they are of the right order of magnitude at least, here are a few statistics:

1. The 2020 Accenture Security Third Annual State of Cyber Resilience Report featured responses from 4,644 "executives." This is the same order of magnitude as my estimates here, diluted due to a global perspective. (In other words, there are actually fewer US executives responding to this survey, because the respondent pool is global.)


2020 Accenture Security Third Annual State of Cyber Resilience Report, p 46


2. The 2021 PWC Global Digital Trust Insights Report featured responses from "3,249 business and technology executives around the world." This is again the same order of magnitude, again diluted due to global responses.

2021 PWC Global Digital Trust Insights Report, Web summary


3. A 2019 report by Bitglass found that 38% of the Fortune 500 do not have a CISO. That's 190 publicly traded companies! Hopefully it's lower in 2020. Let's be crazy and assume the CISO count is 400 out of 500.

2019 Bitglass Report


4. The Verizon DBIR featured reporting from 81 entities, the highest number in the history of the report. I do not know how many are in the US, but it's obviously fewer than 100, so the order of magnitude is again preserved. In other words, of the 4,000 capable security organizations in the US, less than 2.5% of them contributed to the DBIR. That would be fewer than 100, or the number of US FIRST teams.


2020 Verizon DBIR Report


Remember that my focus here is the United States. This means the numbers from PWC, Accenture, and Verizon need to be reduced because they represent global audiences. However, the original FIRST count of roughly 100 American entities, and the statistic about the Fortune 500, which is just American companies, are already appropriately sized.

Security and the One Percent


What do these numbers mean for security? 

Speaking first just for the US, it means that most of the conversations among security practitioners on Twitter, in mailing lists, during Webinars, within classes, and other gatherings of people take place within a very small grouping. These are the 1% that are part of the roughly 4,000 entities in the US that have a decent security capability. 

If those are the 1%, it means that the 99% are not included in these discussions.

This means that free threat intelligence, free classes, free post-exploitation security tools, and other free capabilities mean nothing, or almost nothing, to those 99% of organizations that do not have security capabilities, or whose capabilities are so low or so stretched that they cannot take advantage of whatever the 1% offers.

An Analogy: Personal Finance


I almost became a certified financial planner. Had I not secured a job in the AFCERT, I planned to separate from the Air Force, earn my CFP designation, and advise people on how to manage their assets and prepare for retirement. 

I've come to realize that discussions I witness in the "security community" are like the discussions I see in the finance community. It requires taking a big step back to appreciate this situation.

People at the 1% level in finance want to know how to manage their stock options, or how to save money for their child's college tuition through specialized savings vehicles, or, at the highest ends, how to move assets throughout "Moneyland" in pursuit of ever lower taxes.

These concerns are light-years away from the person who has a few dollars saved in an employer-provided 401(k) program, or who has little to no savings whatsoever.  


The Consequences of the Security One Percent


So what's the big deal?

The consequence of the existence and mindshare dominance of the security 1% is that the strategies and tactics they employ may work for the 1%, but not the 99%. 

I'm not talking about the "rich" preying on the "poor." That's neither my message nor my philosophical outlook. 

Rather, I mean that methods that the security 1% use to defend themselves are irrelevant at best to the 99%, and damaging at worst to the 99%.

An example of irrelevance would be providing free indicators of compromise (IOCs) or other forms of threat intelligence. It's well-meaning but ultimately of no help to the 99%. If an entity in the 99% has a rudimentary security capability, or essentially zero security capability, threat intelligence is irrelevant.

An example of damage would be publication of post-exploitation security tools, or PESTs. The 1% may have the ability to use such tools to equip their red or penetration testing teams, determining if the countermeasures implemented by their blue team can resist or detect and respond to their simulated and later actual attacks. The 99%, however, have little to no ability to leverage PESTs. They end up simply being victims when actual intruders use PESTs to pillage the 99%'s assets.

Conclusion


Readers can argue with my numbers. These are estimates, yes, but I believe I've gotten the orders of magnitude right, at least in the US. It's probably worse overseas, especially in the developing world. 

The point of this exercise is to propose the idea that the benefits of certain activities that may accrue to the 1% may be, and likely are, irrelevant and/or damaging to the 99%.

In brief:

I challenge the security 1% to first recognize their elite status, and second, to think how their beliefs and actions affect the 99% -- especially for the worse.

As this is a wicked problem, there is no easy answer. That may be worth a future blog post.


Just what are "tactics"?

Introduction


MITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else.

The MITRE ATT&CK Design and Philosophy document from March 2020 says the following:

At a high-level, ATT&CK is a behavioral model that consists of the following core components:

• Tactics, denoting short-term, tactical adversary goals during an attack;
• Techniques, describing the means by which adversaries achieve tactical goals;
• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and
• Documented adversary usage of techniques, their procedures, and other metadata.

My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.

The key word in the tactics definition is goals. According to MITRE, "tactics" are "goals."

Examples of ATT&CK Tactics


ATT&CK lists the following as "Enterprise Tactics":

MITRE ATT&CK "Tactics," https://attack.mitre.org/tactics/enterprise/

Looking at this list, the first 11 items could indeed be seen as goals. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&CK structure. That's not my primary concern though.

Military Theory and Definitions


As a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.

I'd like to share three resources that offer a different perspective on tactics. Although all three are military, my argument does not depend on that association.

The DOD Dictionary of Military and Associated Terms defines tactics as "the employment and ordered arrangement of forces in relation to each other. See also procedures; techniques. (CJCSM 5120.01)" (emphasis added)

In his book On Tactics, B. A. Friedman defines tactics as "the use of military forces to achieve victory over opposing enemy forces over the short term." (emphasis added)

Dr. Martin van Creveld, scholar and author from the military strategy world, wrote the excellent Encyclopedia Britannica entry on tactics. His article includes the following:

"Tactics, in warfare, the art and science of fighting battles on land, on sea, and in the air. It is concerned with the approach to combat; the disposition of troops and other personalities; the use made of various arms, ships, or aircraft; and the execution of movements for attack or defense...

The word tactics originates in the Greek taxis, meaning order, arrangement, or disposition -- including the kind of disposition in which armed formations used to enter and fight battles. From this, the Greek historian Xenophon derived the term tactica, the art of drawing up soldiers in array. Likewise, the Tactica, an early 10th-century handbook said to have been written under the supervision of the Byzantine emperor Leo VI the Wise, dealt with formations as well as weapons and the ways of fighting with them.

The term tactics fell into disuse during the European Middle Ages. It reappeared only toward the end of the 17th century, when “Tacticks” was used by the English encyclopaedist John Harris to mean 'the Art of Disposing any Number of Men into a proposed form of Battle...'"

From these three examples, it is clear that tactics are about use and disposition of forces or capabilities during engagements. Goals are entirely different. Tactics are the methods by which leaders achieve goals. 

How Did This Happen?


I was not a fly on the wall when the MITRE team designed ATT&CK. Perhaps the MITRE team fixated on the phrase "tactics, techniques, and procedures," or "TTPs," again derived from military examples, when they were designing ATT&CK? TTPs became hot during the 2000s as incident responders with military experience drew on that language when developing concepts like indicators of compromise. That fixation might have led MITRE to use "tactics" for their top-level structure. 

It would have made more sense for MITRE to have just said "goal" or "objective," but "GTP" isn't recognized by the digital defender world.

It's Not Just the Military


Some readers might think "ATT&CK isn't a military tool, so your military examples don't apply." I use the military references to show that the word tactic does have military origins, like the word "strategy," from the Greek Strategos or strategus, plural strategoi, (Greek: στρατηγός, pl. στρατηγοί; Doric Greek: στραταγός, stratagos; meaning "army leader"). 

That said, I would be surprised to see the word tactics used to mean "goals" anywhere else. For example, none of these examples from the non-military world treats tactics as goals:

This Harvard Business Review article defines tactics as "the day-to-day and month-to-month decisions required to manage a business." 

This guide for ice hockey coaches mentions tactics like "give and go’s, crossing attacks, cycling the puck, chipping the puck to space and overlapping."

The guide for small business marketing lists tactics like advertising, grass-roots efforts, trade shows, website optimization, and email and social marketing.

In the civilian world, tactics are how leaders achieve goals or objectives.

Conclusion


In the big picture, it doesn't matter that much to ATT&CK content that MITRE uses the term "tactics" when it really means "goals." 

However, I wrote this article because the ATT&CK design and philosophy emphasizes a common language, e.g., ATT&CK "succinctly organizes adversary tactics and techniques along with providing a common language used across security disciplines."

If we want to share a common language, it's important that we recognize that the ATT&CK use of the term "tactics" is an anomaly. Perhaps a future edition will change the terminology, but I doubt it given how entrenched it is at this point.

Update: This Tweet from Matt Brady made this point:

"Agreed - for example, supply chain compromise is a tactic used for initial access, whereas software supply chain compromise (ShadowHammer) is a specific technique."