This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-03T22:32:40+00:00 www.secnews.physaphae.fr taosecurity - Blog Sécurité Chinois À l'automne 1998, j'ai rejoint l'AFCERT.Je me suis familiarisé avec le livre incroyable TCP / IP Illustrated, Volume 1: The Protocols & nbsp; par W. Richard Stevens.Environ un an plus tard, j'ai échangé des courriels avec M. Stevens.Voici le dernier échange, comme transféré de mon adresse e-mail AFCERT à mon e-mail domestique. De "Capt Richard Bejtlich - Chief en temps réel" LON SEP & NBSP;6 18:27:35 1999 x-mozilla-keys: & nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp;& nbsp; reçu: de kinda.csap.af.mil (kinda.csap.af.mil [192.203.2.250]) & nbsp;& nbsp;& nbsp;& nbsp;& nbsp;par mw4.texas.net (2.4 / 2.4) avec smtp & nbsp;id raa22116 pour ;Lun, 6 septembre 1999 17:27:38 -0500 (CDT) Reçu: par Kinda.csap.af.mil (smail3.1.29.1 # 7) id m11o7ee-000ncwc;Lun, 6 sept. 99 17:27 CDT reçu: de Walt.ip.af.mil (192.168.1.142) par Kinda via SMAP (v1.3) id sma014865;LON SEP & NBSP;6 17:27:36 1999 reçu: de kinda.csap.af.mil by walt.ip.af.mil avec smtp (Smail3.1.29.1 # 6) ID M11O7ED-000VRUC;Lun, 6 sept. 99 22:27 gmt Sender: Bejtlich > Message-id: Date: lun, 06 septembre 1999 22:27:35 +0000 De: Capt Richard Bejtlich - RealTime Chief & nbsp; & nbsp; Organisation: afcert X-Mailer: Mozilla 4.6 [en] (x11; u; Sunos 5.6 Sun4u) X-Accept-Language: en MIME-Version: 1.0 à: bejtlich@texas.net Sujet: [FWD:Re: TCP / IP Illustrated Vol I 2nd ed?] ]]> 2023-06-25T15:02:12+00:00 https://taosecurity.blogspot.com/2023/06/my-last-email-with-w-richard-stevens.html www.secnews.physaphae.fr/article.php?IdArticle=8349158 False None None 2.0000000000000000 taosecurity - Blog Sécurité Chinois C'est unis.J'ai trouvé ce diagramme de "radar d'intérêt" que j'ai créé en juillet 2005. Cela ressemble à ma tentative de capture et de hiérarchise les intérêts techniques.À l'époque, j'étais sur le point de commencer à consulter par moi-même, iirc. Copyright 2003-2020 Richard Bejtlich et Taosecurity (taosecurity.blogspot.com et www.taosecurity.com)

---

This is unusual. I found this "skills and interest radar" diagram I created in July 2005. It looks like my attempt to capture and prioritize technical interests. At the time I was about to start consulting on my own, IIRC.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2023-06-25T14:36:50+00:00 https://taosecurity.blogspot.com/2023/06/bejtlich-skills-and-interest-radar-from.html www.secnews.physaphae.fr/article.php?IdArticle=8349159 False None None 2.0000000000000000 taosecurity - Blog Sécurité Chinois ]]> 2023-06-25T12:23:23+00:00 https://taosecurity.blogspot.com/2023/06/key-network-questions.html www.secnews.physaphae.fr/article.php?IdArticle=8349133 False Cloud None 2.0000000000000000 taosecurity - Blog Sécurité Chinois 2023-06-25T12:17:25+00:00 https://taosecurity.blogspot.com/2023/06/cybersecurity-is-social-policy-and.html www.secnews.physaphae.fr/article.php?IdArticle=8349134 False None None 3.0000000000000000 taosecurity - Blog Sécurité Chinois Notez les nombres de mots et de pages dans mes écrits de sécurité principaux. Le tao de la surveillance de la sécurité du réseau /236K MOTS / 833 pages Détection d'extrusion / 113k Mots / 417 pages La pratique de la surveillance de la sécurité du réseau / 97k mots / 380 pages Le meilleur de la taosecurityBlog, Vol 1/84K Words / 357 pages The Best of Taosecurity Blog, Vol 2 / 96K Words / 429 Pages Le Best of Taosecurity Blog, Vol 3 / 89K Words /485 pages Le blog Best of Tosecurity, Vol 4 / 96K Words / 429 pages Le total est 811k mots et 3 330 pages. Copyright 2003-2020 Richard Bejtlich et TaoseCurity (taosecurity.blogspot.com et www.taosecurity.com)

---

I want to make a note of the numbers of words and pages in my core security writings.The Tao of Network Security Monitoring / 236k words / 833 pagesExtrusion Detection / 113k words / 417 pagesThe Practice of Network Security Monitoring / 97k words / 380 pagesThe Best of TaoSecurity Blog, Vol 1 / 84k words / 357 pagesThe Best of TaoSecurity Blog, Vol 2 / 96k words / 429 pagesThe Best of TaoSecurity Blog, Vol 3 / 89k words / 485 pagesThe Best of TaoSecurity Blog, Vol 4 / 96k words / 429 pagesThe total is 811k words and 3,330 pages.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2023-06-25T12:14:05+00:00 https://taosecurity.blogspot.com/2023/06/core-writing-word-and-page-counts.html www.secnews.physaphae.fr/article.php?IdArticle=8349135 False None None 2.0000000000000000 taosecurity - Blog Sécurité Chinois Happy 20th birthday TaoSecurity Blog, born on 8 January 2003. Thank you BloggerBlogger (now part of Google) has continuously hosted this blog for 20 years, for free. I'd like to thank Blogger and Google for providing this platform for two decades. It's tough to find extant self-hosted security content that was born at the same time, or earlier. Bruce Schneier's Schneier on Security is the main one that comes to mind. If not for the wonderful Internet Archive, many blogs from the early days would be lost.StatisticsIn my 15 year post I included some statistics, so here are a few, current as of the evening of 7 January:I think it's cool to see almost 29 million "all time" views, but that's not the whole story.Here are the so-called "all time" statistics:It turns out that Blogger only started capturing these numbers in January 2011. That means I've had almost 29 million views in the last 12 years. I don't know what happened on 20 April 2022, when I had almost 1.5 million views?Top Ten Posts Since January 2011]]> 2023-01-08T10:00:00+00:00 https://taosecurity.blogspot.com/2023/01/happy-20th-birthday-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=8298985 False Ransomware,Studies,Guideline Solardwinds 2.0000000000000000 taosecurity - Blog Sécurité Chinois I'm running a #BlackFriday #CyberMonday sale on my four newest #Kindle format books. Volumes 1-4 of The Best of TaoSecurity Blog will be half off starting 9 pm PT Tuesday 22 Nov and ending 9 pm PT Tueday 29 Nov. They are here.  There also appears to be a daily deal right now for the paperback of Volume 2, 45% off at $8.96. Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2022-11-20T09:30:10+00:00 https://taosecurity.blogspot.com/2022/11/best-of-taosecurity-blog-kindle-edition.html www.secnews.physaphae.fr/article.php?IdArticle=8133424 False None None None taosecurity - Blog Sécurité Chinois I am now using Mastodon as a replacement for the blue bird. This is my attempt to verify myself via my blog. I am no longer posting to my old bird account.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2022-11-18T15:37:23+00:00 https://taosecurity.blogspot.com/2022/11/taosecurity-on-mastodon.html www.secnews.physaphae.fr/article.php?IdArticle=8094712 False None None None taosecurity - Blog Sécurité Chinois  Over the weekend I organized some old computing equipment. I found this beauty in one of my boxes. It's a Netgear EN104TP hub. I've mentioned this device before, in this blog and my books. This sort of device was the last of the true hubs. In an age where cables seem reserved for data centers or industrial facilities, and wireless rules the home and office, this hub is a relic of days gone past.To give you a sense of how old this device is, the Netgear documentation (still online -- well done) offers a PDF created in August 1998. (Again, well done Netgear, not mucking about with the timestamps.) I'm not sure how old my specific device is. Seeing as I started working in the AFCERT in the fall of 1998, I could see this hub being easily over 20 years old. A hub is a network device that accepts traffic from its ports and repeats the traffic to all other ports. This is different from a switch, which maintains a table identifying which MAC addresses are in use on which ports. Before building this CAM (content addressable memory, IIRC) table, traffic to a new previously unforeseen MAC address will appear on all ports save the sender.This is a "true hub" because all of the ports are 10 Mbps. Yes, that is 100 times "slower" than the Gigabit ports on modern devices, if they have Ethernet ports at all. Starting with 10/100 Mbps devices, they all became switches. I never encountered a 100 Mbps "hub." Every device I ever had hands on was a 10/100 Mbps switch. That meant you were unlikely to see traffic on all ports when using a 10/100 Mbps device or even a 100 Mbps device (which I never saw anyway). There were no Gigabit (1000 Mbps) hubs built. I don't think the specification even supports it.These little boxes were network monitoring enablers. If you wanted to learn, or troubleshoot, or possibly even add monitoring to a production network, you could connect an upstream cable, a downstream cable, and a monitoring cable to the hub. The upstream could be a router and the downstream might be a firewall, and the monitoring would be your NSM server. If you were looking at traffic between two individual computers and needed visibility for a NSM laptop, you would plug all three into the hub, and plug your Internet upstream into the fourth port.I haven't needed this device in years, but I plan to keep it as a physical artifact of a time long past. At least this one still powers on, unlike my first computer, a Timex Sinclair ZX-80.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2022-08-10T09:30:00+00:00 https://taosecurity.blogspot.com/2022/08/the-humble-hub.html www.secnews.physaphae.fr/article.php?IdArticle=6230137 False None None None taosecurity - Blog Sécurité Chinois This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project. Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on. I am especially pleased with Video 6 on monitoring wireless networks. It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot. Please like and subscribe, and let me know if there is a topic you think might make a good video.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2021-07-29T14:34:54+00:00 https://taosecurity.blogspot.com/2021/07/zeek-in-action-videos.html www.secnews.physaphae.fr/article.php?IdArticle=3148988 False None None None taosecurity - Blog Sécurité Chinois I've completed the TaoSecurity Blog book series.The new book is The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship. It's available now for Kindle, and I'm working on the print edition. I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up.I described the new title thus:Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich.In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material. In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives.Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or policy audiences. It features posts from other blogs or news outlets, as well as some of his written testimony from eleven Congressional hearings. For the first time, Mr. Bejtlich publishes documents that he wrote as part of his abandoned war studies PhD program. This last batch of content was only available to his advisor, Dr. Thomas Rid, and his review committee at King's College London.Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.This will likely be my final collection of writings. I've discovered some documents that may be of interest to historians, so I may contribute those to a national security archive like my friend Jay Healey did a few years ago.The only other work I might do for these four volumes is to record Audible editions. That would take a while, but I'm thinking about it.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2021-04-13T11:00:00+00:00 https://taosecurity.blogspot.com/2021/04/new-book-best-of-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=2630962 False Studies None None taosecurity - Blog Sécurité Chinois What are the origins of the names TaoSecurity and the unit formerly known as TAO? IntroductionI've been reading Nicole Perlroth's new book This Is How They Tell Me the World Ends. Her discussion of the group formerly known as Tailored Access Operations, or TAO, reminded me of a controversy that arose in the 2000s. I had heard through back channels that some members of that group were upset that I was operating using the name TaoSeurity. In the 2000s and early 2010s I taught classes under the TaoSecurity brand, and even ran TaoSecurity as a single-person consultancy from 2005-2007. The purpose of this post is to explain why, how, and when I chose the TaoSecurity identity, and to show that it is contemporaneous with the formal naming of the TAO group. The most reliable accounts indicate TaoSecurity predates the TAO brand.TaoSecurity Began with Kung Fu and TaoismWith Sifu Michael Macaris, 21 June 1996In the summer of 1994, after graduating from the Air Force Academy and before beginning my graduate program at what is now called the Harvard Kennedy School, I started watching re-runs of the 1970s David Carradine Kung Fu TV series, created by Ed Spielman. I was so motivated by the philosophical message of the program that I joined a kung fu school in Massachusetts. I trained there for two years, and studied what I could about Chinese history and culture. I learned from the show and that it was based on Taoism (for example) so I bought a copy of the Tao Te Ching by Lao Tzu and devoured it. Visiting ChinaTai Chi on the Yangtze, May 1999In the spring of 1999 my wife and I took a three week trip to Chin]]> 2021-04-01T14:00:00+00:00 https://taosecurity.blogspot.com/2021/04/the-origins-of-names-taosecurity-and.html www.secnews.physaphae.fr/article.php?IdArticle=2572324 False Malware,Threat None None taosecurity - Blog Sécurité Chinois PropositionDigital offense capabilities are currently net negative for the security ecosystem.[0]The costs of improved digital offense currently outweigh the benefits. The legitimate benefits of digital offense accrue primarily to the security one percent (#securityonepercent), and to intelligence, military, and law enforcement agencies. The derived defensive benefits depend on the nature of the defender. The entire security ecosystem bears the costs, and in some cases even those who see tangible benefit may suffer costs exceeding those benefits.The ReasonLimitations of scaling are the reason why digital offense capabilities are currently net negative.Consider the case of an actor developing a digital offense capability, and publishing it to the general public. From the target side, limitations on scaling prevent complete mitigation or remediation of the vulnerability.The situation is much different from the offense perspective.Any actor may leverage the offense capability against any Internet-connected target on the planet. The actor can scale that capability across the entire range of vulnerable or exposed targets.The ThreeOnly three sets of actors are able to possibly leverage an offense capability for defensive purposes.First, the organization responsible for developing and maintaining the vulnerable or exposed asset can determine if there is a remedy for the new offense capability. (This is typically a "vendor," but could be a noncommercial entity. As a shorthand, I will use "vendor.") The vendor can try to develop and deploy a patch or mitigation method.Second, major consumers of the vulnerable or exposed asset can take similar steps, usually by implementing the vendor's patch or mitigation.Third, the security one percent can take some defensive measures, either by implementing the vendor's patch or mitigation, or by developing and acting upon detection and response processes.The combination of the actions by these three sets of actors will not completely remediate the digital offense capability. The gap can be small, or it can be exceptionally large, hence the net negative cost to the digital ecosystem.]]> 2021-02-18T10:53:39+00:00 https://taosecurity.blogspot.com/2021/02/digital-offense-capabilities-are.html www.secnews.physaphae.fr/article.php?IdArticle=2366167 False Ransomware,Threat None None taosecurity - Blog Sécurité Chinois Introduction I published a new book!The Best of TaoSecurity Blog, Volume 3: Current Events, Law, Wise People, History, and Appendices is the third title in the TaoSecurity Blog series. It's in the Kindle Store, and if you have an Unlimited account, it's free. I also published a print edition, which is 485 pages. Book DescriptionThe book features the following description on the back cover:Since 2003, cybersecurity author Richard Bejtlich has been publishing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 stories and approximately one million words, he has selected and republished the very best entries from 17 years of writing, along with commentaries and additional material. In the third volume of the TaoSecurity Blog series, Mr. Bejtlich addresses the evolution of his security mindset, influenced by current events and advice from his so-called set of "wise people." He talks about why speed is not the key to John Boyd's OODA loop, and why security strategies designed for and by the "security 1%" may be irrelevant at best, or harmful at worst, for the remaining "99%". His history section explores the origins of the terms threat hunting and indicators of compromise, and reveals who really created the quote "there are two types of companies." His chapter on law highlights traps that might catch security teams, with advice to chief information security officers.This volume contains some of Mr. Bejtlich's favorite posts, such as Marcus Ranum's answer to what happens when security teams confront professionals, or how the Internet continues to function despite constant challenges, or reactions to comments by Dan Geer, Bruce Schneier, Marty Roesch, and other security leaders. Mr. Bejtlich has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.  Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.Writing the SeriesAlthough I had written and self-published a book in early 2019, I had used Blurb and stayed in print format. ]]> 2020-11-09T08:30:17+00:00 https://taosecurity.blogspot.com/2020/11/new-book-best-of-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=2024923 False Threat,Guideline None None taosecurity - Blog Sécurité Chinois Forum of Incident Response and Security Teams, or FIRST. FIRST is an organization to which high-performing computer incident response teams (CIRTs) may apply once their processes and data handling meet standards set by FIRST. I learned of FIRST when the AFCERT was a member in the late 1990s. I also assisted with FIRST duties when Foundstone was a member in the early 2000s. I helped or sponsored membership when I worked at General Electric in the 2000s and Mandiant in the 2010s. I encourage all capable security teams to join FIRST.Being a FIRST member means having a certain degree of incident response and data handling capability, and it signals to the world and to other FIRST teams that the member entity is serious about incident detection and response.As of the writing of this post, there are 540 FIRST teams worldwide. Slightly more than 100 of them are based in the United States. To put that in perspective, there are less than 4,000 publicly traded companies in the US. That means that even if every single US FIRST member represented a publicly traded company -- and that is not the case -- FIRST representation for US publicly traded companies is only 2.5%. Beyond FIRSTSome of you might claim FIRST membership is no big deal. My current employer, Corelight, isn't a member, you might say. Perhaps you could argue that for every US FIRST member, there are 9 others which have equivalent or better security teams. That would increase the cadre of entities with respectable detection and response capabilities from 100 to 1,000. That would still mean an estimate that says 75% of publicly traded US companies have sub-par or non-existent security programs.Remember that we've only been talking about a population of 4,000 publicly traded US companies. The US Small Business and Entrepreneurship Council estimates that there were 5.6 million employer firms in the United States in 2016. Let's sadly reduce that to 4 million to account for the devastation of Covid. ]]> 2020-10-31T16:11:10+00:00 https://taosecurity.blogspot.com/2020/10/security-and-one-percent-thought.html www.secnews.physaphae.fr/article.php?IdArticle=2007124 False Threat,Guideline None None taosecurity - Blog Sécurité Chinois Just what are "tactics"?IntroductionMITRE ATT&CK is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else.The MITRE ATT&CK Design and Philosophy document from March 2020 says the following:At a high-level, ATT&CK is a behavioral model that consists of the following core components:• Tactics, denoting short-term, tactical adversary goals during an attack;• Techniques, describing the means by which adversaries achieve tactical goals;• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and• Documented adversary usage of techniques, their procedures, and other metadata.My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive.The key word in the tactics definition is goals. According to MITRE, "tactics" are "goals."Examples of ATT&CK TacticsATT&CK lists the following as "Enterprise Tactics":MITRE ATT&CK "Tactics," https://attack.mitre.org/tactics/enterprise/Looking at this list, the first 11 items could indeed be seen as goals. The last item, Impact, is not a goal. That item is an artifact of trying to shoehorn more information into the ATT&CK structure. That's not my primary concern though.Military Theory and DefinitionsAs a service academy graduate who had to sit through many lectures on military theory, and who participated in small unit exercises, the idea of tactics as "goals" does not make any sense.]]> 2020-10-23T10:12:50+00:00 https://taosecurity.blogspot.com/2020/10/mitre-att-tactics-are-not-tactics.html www.secnews.physaphae.fr/article.php?IdArticle=1992755 False Guideline None None taosecurity - Blog Sécurité Chinois I was so pleased to read this Tweet yesterday from Greg Rattray:"Back in 2007, I coined the term “Advanced Persistent Threat” to characterize emerging adversaries that we needed to work with the defense industrial base to deal with... Since then both the APT term and the nature of our adversaries have evolved. What hasn't changed is that in cyberspace, advanced attackers will persistently go after targets with assets they want, no matter the strength of defenses."BackgroundFirst, some background. Who is Greg Rattray?First, you could call him Colonel or Doctor. I will use Col as that was the last title I used with him, although these days when we chat I call him Greg. Col Rattray served 21 years in the Air Force and also earned his PhD in international security from Tufts University. His thesis formed the content for his 2001 book Strategic Warfare in Cyberspace, which I reviewed in 2002 and rated 4 stars. (Ouch -- I was a bit stingy with the stars back then. I was more of an operator and less of a theorist or historian in those days. Such was my bias I suppose.)Col Rattray is also a 1984 graduate of the Air Force Academy. He studied history and political science there and returned as an assistant professor in the early 1990s. He was one of my instructors when I was a cadet there. (I graduated in 1994 with degrees in history and political science.) Col Rattray then earned a master of public policy degree at Harvard Kennedy School. (I did the same, in 1996.) Do you see a pattern here? He is clearly a role model. Of course, I did not stay in the Air Force as long, earn the same rank, or survive my PhD program!After the Academy, Col Rattray served as commander of the 23rd Information Operations Squadrons on Security Hill in San Antonio, Texas. I was working in the AFCERT at the time. ]]> 2020-10-10T11:30:12+00:00 https://taosecurity.blogspot.com/2020/10/greg-rattray-invented-term-advanced.html www.secnews.physaphae.fr/article.php?IdArticle=1967756 False Threat,Guideline None None taosecurity - Blog Sécurité Chinois U.S. notified 3,000 companies in 2013 about cyberattacks. The story noted the following:"Federal agents notified more than 3,000 U.S. companies last year that their computer systems had been hacked, White House officials have told industry executives, marking the first time the government has revealed how often it tipped off the private sector to cyberintrusions...About 2,000 of the notifications were made in person or by phone by the FBI, which has 1,000 people dedicated to cybersecurity investigations among 56 field offices and its headquarters. Some of the notifications were made to the same company for separate intrusions, officials said. Although in-person visits are preferred, resource constraints limit the bureau's ability to do them all that way, former officials said...Officials with the Secret Service, an agency of the Department of Homeland Security that investigates financially motivated cybercrimes, said that they notified companies in 590 criminal cases opened last year, officials said. Some cases involved more than one company."The reason this program is so important is that it shattered the delusion that some executives used to reassure themselves. When the FBI visits your headquarters to tell you that you are compromised, you can't pretend that intrusions are "someone else's problem."It may be difficult for some readers to appreciate how prevalent this mindset was, from the beginnings of IT to about the year 2010.I do not know exactly when the FBI began notifying victims, but I believe the mid-2000's is a safe date. I can personally attest to the program around that time.I was reminded of the importance of this program by Andy Greenberg's new story The FBI Botched Its DNC Hack Warning in 2016-but Says It Won't Next Time. I strongly disagree with this "botched" characterization. Andy writes:"[S]omehow this breach [of the Democratic National Committee] had come as a terrible surprise-despite an FBI agent's warning to [IT staffer Yared] Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.The FBI agent's warnings had 'never used alarming language,' Tamene would tell the Senate committee, and never reached higher than the DNC's IT director, who dismissed them after a cursory search of the network for signs of foul play."As with all intrusions, criminal responsibility lies with the intruder. However, I do not see why the FBI is supposed to carry the blame for how this intrusion unfolded. According to investigatory documents and this Crowdstrike blog post on their involvement, at least seven months passed from the time the FBI notified the DNC (sometime in September 2015) and when they contacted Crowdstrike (30 April 2015). That is ridiculous. If I received a call from the FBI even hinting at a Russian presence in my network, I would be on the phone with a professional incident response firm right after I briefed the CEO about the call.I'm glad the FBI continues to improve its victim notification procedures, but it doesn't make much of a difference if the individuals running IT and the organization are negligent, either through incompetence or inaction.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and w]]> 2020-09-03T11:11:10+00:00 https://taosecurity.blogspot.com/2020/09/the-fbi-intrusion-notification-program.html www.secnews.physaphae.fr/article.php?IdArticle=1896679 False Hack None None taosecurity - Blog Sécurité Chinois  I published a new book!The Best of TaoSecurity Blog, Volume 2: Network Security Monitoring, Technical Notes, Research, and China and the Advanced Persistent ThreatIt's in the Kindle Store, and if you're Unlimited it's free. Print edition to follow.The book lists as having 413 pages (for the Kindle edition at least) at it's almost 95,000 words. I started working on it in June after finishing Volume 1.Here is the book description:Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing. In the second volume of the TaoSecurity Blog series, Mr. Bejtlich addresses how to detect and respond to intrusions using third party threat intelligence sources, network data, application and infrastructure data, and endpoint data. He assesses government and private security initiatives and applies counterintelligence and counteradversary mindsets to defend digital assets. He documents the events of the last 20 years of Chinese hacking from the perspective of a defender on the front lines, in the pre- and post-APT era. This volume contains some of Mr. Bejtlich's favorite posts, such as histories of threat hunting, so-called black and white hat budgeting, attribution capabilities and limits, and rating information security incidents. He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.  Read how the security industry, defensive methodologies, and strategies to improve national security have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.I have a third volume planned. I will publish it by the end of the year. If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and there is a sample that lets you download and read some of the book. Enjoy!Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2020-09-01T08:30:06+00:00 https://taosecurity.blogspot.com/2020/09/new-book-best-of-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=1892549 False Threat None None taosecurity - Blog Sécurité Chinois this post. $ zgrep "CLkXf2CMo11hD8FQ5" 2020-08-16/* | sed 's/.*gz://' | jq .{  "_path": "conn",  "_system_name": "ds61",  "_write_ts": "2020-08-16T06:26:10.266225Z",  "_node": "worker-01",]]> 2020-08-19T11:17:40+00:00 https://taosecurity.blogspot.com/2020/08/one-weird-trick-for-reviewing-zeek-logs.html www.secnews.physaphae.fr/article.php?IdArticle=1870770 False None None None taosecurity - Blog Sécurité Chinois Fake Book Someone published a "book" on Amazon and claimed that I wrote it! I had NOTHING to do with this. I am working with Amazon now to remove it, or at least remove my name. Stay away from this garbage!Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2020-07-16T11:04:59+00:00 https://taosecurity.blogspot.com/2020/07/i-did-not-write-this-book.html www.secnews.physaphae.fr/article.php?IdArticle=1808174 False None None None taosecurity - Blog Sécurité Chinois I'm very pleased to announce that I've published a new book!It's The Best of TaoSecurity Blog, Volume 1: Milestones, Philosophy and Strategy, Risk, and Advice. It's available now in the Kindle Store, and if you're a member of Kindle Unlimited, it's currently free. I may also publish a print version. If you're interested, please tell me on Twitter.The book lists at 332 pages and is over 83,000 words. I've been working on it since last year, but I've used the time in isolation to carry the first volume over the finish line.The Amazon.com description says:Since 2003, cybersecurity author Richard Bejtlich has been writing posts on TaoSecurity Blog, a site with 15 million views since 2011. Now, after re-reading over 3,000 posts and approximately one million words, he has selected and republished the very best entries from 17 years of writing.In the first volume of the TaoSecurity Blog series, Bejtlich addresses milestones, philosophy and strategy, risk, and advice. Bejtlich shares his thoughts on leadership, the intruder's dilemma, managing burnout, controls versus assessments, insider versus outsider threats, security return on investment, threats versus vulnerabilities, controls and compliance, the post that got him hired at a Fortune 5 company as their first director of incident response, and much more.He has written new commentaries to accompany each post, some of which would qualify as blog entries in their own right.  Read how the security industry, defensive methodologies, and strategies to improve career opportunities have evolved in this new book, written by one of the authors who has seen it all and survived to blog about it.Finally, if you're interested in subsequent volumes, I have two planned.I may also have a few other book projects in the pipeline. I'll have more to say on that in the coming weeks.If you have any questions about the book, let me know. Currently you can see the table of contents via the "Look Inside" function, and ther]]> 2020-05-04T11:51:25+00:00 https://taosecurity.blogspot.com/2020/05/new-book-best-of-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=1690468 False Guideline None None taosecurity - Blog Sécurité Chinois CVE-2020-0688 Scan Results, per Rapid7tl;dr -- it's the title of the post: "If You Can't Patch Your Email Server, You Should Not Be Running It."I read a disturbing story today with the following news:"Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim.As they found, 'at least 357,629 (82.5%) of the 433,464 Exchange servers' are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.To make matters even worse, some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable given that 'the related Microsoft update wasn't always updating the build number.'Furthermore, 'there are over 31,000 Exchange 2010 servers that have not been updated since 2012,' as the Rapid7 researchers observed. 'There are nearly 800 Exchange 2010 servers that have never been updated.'They also found 10,731 Exchange 2007 servers and more than 166,321 Exchange 2010 ones, with the former already running End of Support (EoS) software that hasn't received any security updates since 2017 and the latter reaching EoS in October 2020."In case you were wondering, threat actors have already been exploiting these flaws for weeks, if not months.Email is one of, if not the most, sensitive and important systems upon which organizations of all shapes and sizes rely. The are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide.In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them.It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives -- namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others.I expect some readers are saying "I would never put my email in the hands of those big companies!" That's fine, and I know several highly competent individuals who run their own email infrastructure. The problem is that they represent the small fraction of individuals and organizations who can do so. Even being extremely generous with the numbers, it appears that less than 20%, and probably less than 15% according to other estimates, can even keep their Exchange servers patched, let alone properly configured.If you think it's still worth the risk, and your organization isn't able to patch, because you want to avoid megacorp email providers or government access to your email, you've made a critical miscalculation. You've essentially decided that it's more important for you to keep your email out of megacorp or government hands than it is to keep i]]> 2020-04-07T11:28:11+00:00 https://taosecurity.blogspot.com/2020/04/if-you-cant-patch-your-email-server-you.html www.secnews.physaphae.fr/article.php?IdArticle=1642868 False Tool None None taosecurity - Blog Sécurité Chinois I have a confession... for me, the best part of virtual calls, or seeing any reporter or commentator working for home, is being able to check out their book shelves. I never use computer video, because I want to preserve the world's bandwidth. That means I don't share what my book shelves look like when I'm on a company call. Therefore, I thought I'd share my book shelves with the world.My big categories of books are martial arts, mixed/miscellaneous, cybersecurity and intelligence, and military and Civil War history. I've cataloged about 400 print books and almost 500 digital titles. Over the years I've leaned towards buying Kindle editions of any book that is mostly print, in order to reduce my footprint.For the last many years, my book shelving has consisted of three units, each with five shelves. Looking at the topic distribution, as of 2020 I have roughly 6 shelves for martial arts, 4 for mixed/miscellaneous, 3 for cybersecurity and intelligence, and 2 for military and Civil War history.This is interesting to me because I can compare my mix from five years ago, when I did an interview for the now defunct Warcouncil Warbooks project.In that image from 2015, I can see 2 shelves for martial arts, 4 for mixed/miscellaneous, 7 for cybersecurity and intelligence, and 2 for military and Civil War history.What happened to all of the cybersecurity and intelligence books? I donated a bunch of them, and the rest I'm selling on Amazon, along with books (in new or like new condition) that my kids decided they didn't want anymore.I've probably donated hundreds, possibly approaching a thousand, cyber security and IT books over the years. These were mostly books sent by publishers, although some were those that I bought and no longer needed. Some readers from northern Virginia might remember me showing up at ISSA or NoVASec meetings with a boxes of books that I would leave on tables. I would say "I don't want to come home with any of these. Please be responsible. And guess what -- everyone was!If anyone would like to share their book shelves, the best place would be as a reply to my Tweet on this post. I look forward to seeing your book shelves, fellow bibliophiles.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2020-04-02T19:05:11+00:00 https://taosecurity.blogspot.com/2020/04/seeing-book-shelves-on-virtual-calls.html www.secnews.physaphae.fr/article.php?IdArticle=1634925 False None None None taosecurity - Blog Sécurité Chinois Two posts in one day? These are certainly unusual times.I was thinking about words to describe different skill levels in digital security. Rather than invent something, I decided to review terms that have established meaning. Thanks to Google Books I found this article in a 1922 edition of the Archives of Psychology that mentioned four key terms:The novice is a (person) who has no trade ability whatever, or at least none that could not be paralleled by practically any intelligent (person).An apprentice has acquired some of the elements of the trade but is not sufficiently skilled to be trusted with any important task.The journey(person) is qualified to perform almost any work done by members of the trade.An expert can perform quickly and with superior skill any work done by (people) in the trade.I believe these four categories can apply to some degree to the needs of the digital security profession.At GE-CIRT we had three levels -- event analyst, incident analyst, and incident handler. We did not hire novices, so those three roles map in some ways to apprentice, journeyperson, and expert. One difference with the classical description applies to how we worked with apprentices. We trusted apprentices, or event analysts, with specific tasks. We thought of this work as important, just as every role on a team is important. It may not have been leading an incident response, but without the work of the event and incident analysts, we may not have discovered many incidents!Crucially, we encouraged event analysts, and incident analysts for that matter, to always be looking to exceed the parameters of their assigned duties.However, we stipulated that if a person was working beyond their assigned duties, they had to have their work product reviewed by the next level of analysis. This enabled mentoring among the various groups. It also helped identify people who were candidates for promotion. If a person consistently worked beyond their assigned duties, and eventually reached a near-perfect or perfect ability to do that work, that proved he or she was ready to assume the next level.This ability to access work beyond assigned duties is one reason I have problems with limiting data by role. I think everyone who works in a CIRT should have access to all of the data, assuming there are no classification, privacy, or active investigation constraints.One of my laws is the following:Analysts are good because they have good data. An expert with bad data is helpless. An apprentice with good data has a chance to do good work.I've said it more eloquently elsewhere but this is the main point. For more information on the apprenticeship model, this article might be useful.Copyright 2003-2020 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2020-03-27T11:15:36+00:00 https://taosecurity.blogspot.com/2020/03/skill-levels-in-digital-security.html www.secnews.physaphae.fr/article.php?IdArticle=1622928 False Guideline None None taosecurity - Blog Sécurité Chinois I saw my like-minded, friend-that-I've-never-met Andrew Thompson Tweet a poll, posted above.I was about to reply with the following Tweet:"If I'm struggling to figure out how to capture a thought in just 1 Tweet, that's a sign that a blog post might be appropriate. I only use a thread, and no more than 2, and hardly ever 3 (good Lord), when I know I've got nothing more to say. "1/10," "1/n," etc. are not for me."Then I realized I had something more to say, namely, other reasons blog posts are better than Tweets. For the briefest moment I considered adding a second Tweet, making, horror of horrors, a THREAD, and then I realized I would be breaking my own guidance.Here are three reasons to consider blogging over Tweeting.1. If you find yourself trying to pack your thoughts into a 280 character limit, then you should write a blog post. You might have a good idea, and instead of expressing it properly, you're falling into the trap of letting the medium define the message, aka the PowerPoint trap. I learned this from Edward Tufte: let the message define the medium, not the other way around.2. Twitter threads lose the elegance and readability of the English language as our ancestors created it, for our benefit. They gave us structures, like sentences, lists, indentation, paragraphs, chapters, and so on. What does Twitter provide? 280 character chunks. Sure, you can apply feeble "1/n" annotations, but you've lost all that structure and readability, and for what?3. In the event you're writing a Tweet thread that's really worth reading, writing it via Twitter virtually guarantees that it's lost to history. Twitter is an abomination for citation, search, and future reference. In the hierarchy of delivering content for current researchers and future generations, the hierarchy is the following, from lowest to highest:"Transient," "bite-sized" social media, e.g., Twitter, Instagram, Facebook, etc. postsBlog postsWhitepapersAcademic papers in "electronic" journalsElectronic (e.g., Kindle) only formatted booksPrint books (that may be stand-alone works, or which may contain journal articles)Print book are the apex communication medium because we have such references going back hundreds of years. Hundreds of years from now, I doubt the first five formats above will be easily accessible, or accessible at all. However, in a library or personal collection somewhere, printed books will endure.The bottom line is that if you think what you're writing is important enough to start a "1/n" Tweet thread, you've already demonstrated that Twitter is the wrong medium.The natural follow-on might be: what is Twitter good for? Here are my suggestions:Announcing a link to another, in-depth news resource, like a news article, blog post, whitepaper, etc.Offering a comment on an in-depth news resource, or replying to another person's announcement.Asking a poll question.Asking for help on a topic.Engaging in a short exchange with another user. Long exchanges on hot topics typically devolve into a confusing mess of messages and replies, that delivery of which Twitter has never really managed to figure out.I understand the seduction of Twitter. I use it every da]]> 2020-03-27T08:59:19+00:00 https://taosecurity.blogspot.com/2020/03/when-you-should-blog-and-when-you.html www.secnews.physaphae.fr/article.php?IdArticle=1622628 False None None None taosecurity - Blog Sécurité Chinois Tweeted a poll last night which asked the following:"I have an interesting ethical quandary. Is it ethically okay to use COVID-19 themed phishing emails for assessments and user awareness training right now? Please read the thread before responding and RT for visibility. 1/"Ultimately he decided:"My gut feeling is to not use COVID-19 themed emails in assessments/training, but to TELL users to expect them, though I understand even that might discourage consumption of legitimate information, endangering public health. 6/"I responded by saying this was the right answer.Thankfully there were many people who agreed, despite the fact that voting itself was skewed towards the "yes" answer.There were an uncomfortable number of responses to the Tweet that said there's nothing wrong with red teams phishing users with COVID-19 emails. For example:"Do criminals abide by ethics? Nope. Neither should testing.""Yes. If it's in scope for the badguys [sic], it's in scope for you.""Attackers will use it. So I think it is fair game."Those are the wrong answers. As a few others outlined well in their responses, the fact that a criminal or intruder employs a tactic does not mean that it's appropriate for an offensive security team to use it too.I could imagine several COVID-19 phishing lures that could target school districts and probably cause high double-digit click-through rates. What's the point of that? For a "community" that supposedly considers fear, uncertainty, and doubt (FUD) to be anathema, why introduce FUD via a phishing test?I've grown increasingly concerned over the past few years that there's a "cult of the offensive" that justifies its activities with the rationale that "intruders do it, so we should too." This is directly observable in the replies to Jake's Tweet. It's a thin veneer that covers bad behavior, outweighing the small benefit accrued to high-end, 1% security shops against the massive costs suffered by the vast majority of networked global organizations.The is a selfish, insular mindset that is reinforced by the echo chamber of the so-called "infosec community." This "tribe" is detached from the concerns and ethics of the larger society. It tells itself that what it is doing is right, oblivious or unconcerned with the costs imposed on the organizations they are supposedly "protecting" with their backwards actions.We need people with feet in both worlds to tell this group that their approach is not welcome in the broader human community, because the costs it imposes vastly outweigh the benefits.I've written here about ethics before, usually in connection with the only real value I saw in the CISSP -- its code of ethics. Reviewing the "code," as it appears now, shows the following:"There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.Code of Ethics Preamble:The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.Therefore, strict adherence to this Code is a condition of certification.Code of Ethics Canons:Protect society, the common good, necessary public trust and confidence, and the infrastructure.Act honorably, honestly, justly, responsibly, and legally.Provide diligent and competent service to principals.Advance and protect the profession."This is ]]> 2020-03-12T09:29:36+00:00 https://taosecurity.blogspot.com/2020/03/covid-19-phishing-tests-wrong.html www.secnews.physaphae.fr/article.php?IdArticle=1593657 False Malware None None taosecurity - Blog Sécurité Chinois 2019-11-06T16:12:52+00:00 https://taosecurity.blogspot.com/2019/11/seven-security-strategies-summarized.html www.secnews.physaphae.fr/article.php?IdArticle=1450341 False Vulnerability,Threat None None taosecurity - Blog Sécurité Chinois In the September/October issue of Foreign Affairs magazine, Richard Clarke and Rob Knake published an article titled "The Internet Freedom League: How to Push Back Against the Authoritarian Assault on the Web," based on their recent book The Fifth Domain. The article proposes the following:The United States and its allies and partners should stop worrying about the risk of authoritarians splitting the Internet. Instead, they should split it themselves, by creating a digital bloc within which data, services, and products can flow freely, excluding countries that do not respect freedom of expression or privacy rights, engage in disruptive activity, or provide safe havens to cybercriminals...The league would not raise a digital Iron Curtain; at least initially, most Internet traffic would still flow between members and nonmembers, and the league would primarily block companies and organizations that aid and abet cybercrime, rather than entire countries. Governments that fundamentally accept the idea of an open, tolerant, and democratic Internet but that struggle to live up to such a vision would have an incentive to improve their enforcement efforts in order join the league and secure connectivity for their companies and citizens. Of course, authoritarian regimes in China, Russia, and elsewhere will probably continue to reject that vision. Instead of begging and pleading with such governments to play nice, from now on, the United States and its allies should lay down the law: follow the rules, or get cut off.My initial reaction to this line of thought was not encouraging. Rather than continue exchanging Twitter messages, Rob and I had a very pleasant phone conversation to help each other understand our points of view. Rob asked me to document my thoughts in a blog post, so this is the result.Rob explained that the main goal of the IFL is to create leverage to influence those who do not implement an open, tolerant, and democratic Internet (summarized below as OTDI). I agree that leverage is certainly lacking, but I wondered if the IFL would accomplish that goal. My reservations included the following.1. Many countries that currently reject the OTDI might only be too happy to be cut off from the Western Internet. These countries do not want their citizens accessing the OTDI. Currently dissidents and others seeking news beyond their local borders must often use virtual private networks and other means to access the OTDI. If the IFL went live, those dissidents and others would be cut off, thanks to their government's resistance to OTDI principles.2. Elites in anti-OTDI countries would still find ways to access the Western Internet, either for personal, business, political, military, or intelligence reasons. The common person would be mostly likely to suffer.3. Segregating the OTDI would increase the incentives for "network traffic smuggling," whereby anti-OTDI elites would compromise, bribe, or otherwise corrupt Western Internet resources to establish surreptitious methods to access the OTDI. This would increase the intrusion pressure upon o]]> 2019-09-13T11:00:00+00:00 https://taosecurity.blogspot.com/2019/09/five-thoughts-on-internet-freedom-league.html www.secnews.physaphae.fr/article.php?IdArticle=1324464 False Guideline None None taosecurity - Blog Sécurité Chinois Nineteen years ago this week I registered the domain taosecurity.com:Creation Date: 2000-07-04T02:20:16ZThis was 2 1/2 years before I started blogging, so I don't have much information from that era. I did create the first taosecurity.com Web site shortly thereafter.I first started hosting it on space provided by my then-ISP, Road Runner of San Antonio, TX. According to archive.org, it looked like this in February 2002.That is some fine-looking vintage hand-crafted HTML. Because I lived in Texas I apparently reached for the desert theme with the light tan background. Unfortunately I didn't have the "under construction" gif working for me.As I got deeper into the security scene, I decided to simplify and adopt a dark look. By this time I had left Texas and was in the DC area, working for Foundstone. According to archive.org, the site look like this in April 2003.Notice I've replaced the oh-so-cool picture of me doing American Kenpo in the upper-left-hand corner with the classic Bruce Lee photo from the cover of The Tao of Jeet Kune Do. This version marks the first appearance of my classic TaoSecurity logo.A little more than two years later, I decided to pursue TaoSecurity as an independent consultant. To launch my services, I painstakingly created more hand-written HTML and graphics to deliver this beauty. According to archive.org, the site looked like this in May 2005.]]> 2019-07-01T10:00:03+00:00 https://taosecurity.blogspot.com/2019/07/happy-birthday-taosecuritycom.html www.secnews.physaphae.fr/article.php?IdArticle=1181426 False None None None taosecurity - Blog Sécurité Chinois YouTube. Thank you to Sqrrl for making the reunion possible. Mr. Bejtlich's latest book was inducted into the Cybersecurity Canon. Mr. Bejtlich is doing limited security consulting. See this blog post for details. 2016 Mr. Bejtlich organized and hosted the Management track (now "Executive track") at the 7th annual Mandiant MIRCon (now "FireEye Cyber Defense Summit") on 29-30 November 2016. Mr. Bejtlich delivered the keynote to the 2016 Air Force Senior Leaders Orientation Conference at Joint Base Andrews on 29 July 2016. Mr. Bejtlich delivered the keynote to the FireEye Cyber Defense Live Tokyo event in Tokyo on 12 July 2016. Mr. Bejtlich delivered the keynote to the New Zealand Cyber Security Summit in Auckland on 6 May 2016. Mr. Bejtlich delivered the keynote to the Lexpo Summit in Amsterdam on 21 April 2016. Video posted here. Mr. Bejtlich discussed cyber security campaigns at the 2016 War Studies Cumberland Lodge Conference near London on 30 March 2016. Mr. Bejtlich offered a guest lecture to the Wilson Center Congressional Cybersecurity Lab on 5 February 2016. Mr. Bejtlich delivered the keynote to the SANS Cyber Threat Intelligence Summit on 4 February 2016. Slides and video available. 2015 Mr. Bejtlich spoke on a panel at the DefenseOne Summit on 2 November 2015. Mr. Bejtlich spoke on a panel at the AEI Internet Strategy event on 27 October 2015. Mr. Bejtlich organized and hosted the Management track at the 6th annual Mandiant MIRCon on 13-14 October 2015. Mr. Bejtlich testified to the House Foreign Affairs Committee on 7 October 2015. Mr. Bejtlich testified to the House Armed Services Committee on 30 September 2015. Mr. Bejtlich delivered a keynote at the 2015 Army Cyber Institute Cyber Talks on 22 September 2015 in Washington, DC. Mr. Bejtlich delivered a keynote at the 2015 Security Onion Conference on 11 September 2015 in Augusta, GA. Mr. Bejtlich delivered a keynote at the 2015 World Services Group Conference on 10 S]]> 2019-07-01T08:00:07+00:00 https://taosecurity.blogspot.com/2019/07/reference-taosecurity-news.html www.secnews.physaphae.fr/article.php?IdArticle=1181236 False Guideline APT 1 None taosecurity - Blog Sécurité Chinois Academia.edu for Mr. Bejtlich's most recent research.2014 and earlier: Seven Tips for Small Business Security, in the Huffington Post, 18 June 2014Strategy, Not Speed: What Today's Digital Defenders Must Learn From Cybersecurity's Early Thinkers, for the Brookings Institution, 7 May 2014What Federal Cyber Breach Notifications Really Mean for Business, for the Brookings Institution, 25 March 2014Don't Underestimate Cyber Spies: How Virtual Espionage Can Lead to Actual Destruction in Foreign Affairs, 2 May 2013Become a Hunter in the targeted-threat-centric Information Security Magzine, July-August 2011 (.pdf) Directions in Incident Detection and Response (.pdf) in the January/February 2011 issue of IEEE Security and Privacy magazineUnderstanding the Advanced Persistent Threat in Information Security Magazine, July 2010Traffic Talk issues 1, 2, 3, 4, 5, 6, 7, 8, 9, 10Snort Report issues 1, 2, 3, 4, 5, 6, ]]> 2019-07-01T08:00:04+00:00 https://taosecurity.blogspot.com/2019/07/reference-taosecurity-research.html www.secnews.physaphae.fr/article.php?IdArticle=1181235 False Guideline None None taosecurity - Blog Sécurité Chinois Meet the US's First Ever Cyber Chief, published 8 September 2016.Mr. Bejtlich was interviewed for the NPR story Cybersecurity: Who's Vulnerable To Attack?, aired 30 July 2016.Mr. Bejtlich was interviewed for the Washington Post story It's not just the DNC; we all send emails we probably shouldn't, published 25 July 2016.Mr. Bejtlich was interviewed for the New Scientist story NATO says the internet is now a war zone – what does that mean?, published 22 June 2016.Mr. Bejtlich was interviewed for the Military Times story The Pentagon's controversial plan to hire military leaders off the street, published 19 June 2016.Mr. Bejtlich was interviewed for the Idealog story Idealog talks with a cyber-war expert, published 6 May 2016.Mr. Bejtlich was cited in the New Zealand Herald story Cyber-attacks part of doing business with China - experts, published 5 May 2016.Mr. Bejtlich was cited in the Christian Science Monitor story Iran hacking indictment highlights US naming and shaming strategy, published 30 March 2016.Mr. Bejtlich was cited in the Financial Times story Defence groups take aim at cyber security, published 28 March 2016.Mr. Bejtlich was interviewed for the Security Management story A Chinese New Year, published 4 January 2016.2015Mr. Bejtlich was cited in the AP story US Advised to Examine "Hack Back" Options against China, published 17 November 2015.Mr. Bejtlich was cited in the Reuters story Data from US agency cyber breach not on black market - researcher, published 2 November 2015.Mr. Bejtlich was cited in the NextGov story Creative, Audacious or Destructive: The Different Personalities of Nation-State Hackers, published 2 November 2015.Mr. Bejtlich was cited in the Baltimore Sun story As more devices go online, hackers hunt for vulnerabilities, published 24 October 2015.Mr. Bejtlich was cited in the Atlantic story Can Campus Networks Ever Be Secure?, published 12 October 2015.Mr. Bejtlich was cited in the Info Security story ]]> 2019-07-01T08:00:01+00:00 https://taosecurity.blogspot.com/2019/07/reference-taosecurity-press.html www.secnews.physaphae.fr/article.php?IdArticle=1181234 False Guideline Yahoo None taosecurity - Blog Sécurité Chinois At the end of the 1973 Clint Eastwood movie Magnum Force, after Dirty Harry watches his corrupt police captain explode in a car, he says "a man's got to know his limitations."I thought of this quote today as the debate rages about compromising municipalities and other information technology-constrained yet personal information-rich organizations.Several years ago I wrote If You Can't Protect It, Don't Collect It. I argued that if you are unable to defend personal information, then you should not gather and store it.In a similar spirit, here I argue that if you are unable to securely operate information technology that matters, then you should not be supporting that IT.You should outsource it to a trustworthy cloud provider, and concentrate on managing secure access to those services.If you cannot outsource it, and you remain incapable of defending it natively, then you should integrate a capable managed security provider.It's clear to me that a large portion of those running PI-processing IT are simply not capable of doing so in secure manner, and they do not bear the full cost of PI breaches.They have too many assets, with too many vulnerabilities, and are targeted by too many threat actors.These organizations lack sufficient people, processes, and technologies to mitigate the risk.They have successes, but they are generally due to the heroics of individual IT and security professionals, who often feel out-gunned by their adversaries.If you can't patch a two-year-old vulnerability prior to exploitation, or detect an intrusion and respond to the adversary before he completes his mission, then you are demonstrating that you need to change your entire approach to information technology.The security industry seems to think that throwing more people at the problem is the answer, yet year after year we read about several million job openings that remain unfilled. This is a sign that we need to change the way we are doing business. The fact is that those organziations that cannot defend themselves need to recognize their limitations and change their game.I recognize that outsourcing is not a panacea. Note that I emphasized "IT" in my recommendation. I do not see how one could outsource the critical technology running on-premise in the industrial control system (ICS) world, for example. Those operations may need to rely more on outsourced security providers, if they cannot sufficiently detect and respond to intrusions using in-house capabilities.Remember that the vast majority of organizations do not exist to run IT. They run IT to support their lines of business. Many older organizations have indeed been migrating legacy applications to the cloud, and most new organizations are cloud-native. These are hopeful signs, as the older organizations could potentially  "age-out" over time.This puts a burden on the cloud providers, who fall into the "managed service provider" category that I wrote about in my recent Corelight blog. However, the more trustworthy providers have the people, proc]]> 2019-05-29T09:55:00+00:00 https://taosecurity.blogspot.com/2019/05/know-your-limitations.html www.secnews.physaphae.fr/article.php?IdArticle=1130914 False Vulnerability,Threat None None taosecurity - Blog Sécurité Chinois This is a normal frame with Ethernet II encapsulation. It begins with 6 bytes of the destination MAC address, 6 bytes of the source MAC address, and 2 bytes of an Ethertype, which in this case is 0x0800, indicating an IP packet follows the Ethernet header. There is no TCP payload as this is an ACK segment.You can also see this in Tshark.$ tshark -Vx -r frame4238.pcapFrame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)    Encapsulation type: Ethernet (1)    Arrival Time: May  7, 2019 18:19:10.071831000 UTC    [Time shift for this packet: 0.000000000 seconds]    Epoch Time: 1557253150.071831000 seconds    [Time delta from previous captured frame: 0.000000000 seconds]    [Time delta from previous displayed frame: 0.000000000 seconds]    [Time since reference or first frame: 0.000000000 seconds]    Frame Number: 1    Frame Length: 66 bytes (528 bits)    Capture Length: 66 bytes (528 bits)    [Frame is marked: False]    [Frame is ignored: False]    [Protocols in frame: eth:ethertype:ip:tcp]Ethernet II, Src: IntelCor_12:7d:bb (38:ba:f8:12:7d:bb), Dst: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)    Destination: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)        Address: Ubiquiti_49:e0:10 (fc:ec:da:49:e0:10)        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)]]> 2019-05-09T10:30:01+00:00 https://taosecurity.blogspot.com/2019/05/dissecting-weird-packets.html www.secnews.physaphae.fr/article.php?IdArticle=1100750 False None None None taosecurity - Blog Sécurité Chinois I spent a chunk of the day troubleshooting a network security monitoring (NSM) problem. I thought I would share the problem and my investigation in the hopes that it might help others. The specifics are probably less important than the general approach.It began with ja3. You may know ja3 as a set of Zeek scripts developed by the Salesforce engineering team to profile client and server TLS parameters.I was reviewing Zeek logs captured by my Corelight appliance and by one of my lab sensors running Security Onion. I had coverage of the same endpoint in both sensors.I noticed that the SO Zeek logs did not have ja3 hashes in the ssl.log entries. Both sensors did have ja3s hashes. My first thought was that SO was misconfigured somehow to not record ja3 hashes. I quickly dismissed that, because it made no sense. Besides, verifying that intution required me to start troubleshooting near the top of the software stack.I decided to start at the bottom, or close to the bottom. I had a sinking suspicion that, for some reason, Zeek was only seeing traffic sent from remote systems, and not traffic originating from my network. That would account for the creation of ja3s hashes, for traffic sent by remote systems, but not ja3 hashes, as Zeek was not seeing traffic sent by local clients.I was running SO in VirtualBox 6.0.4 on Ubuntu 18.04. I started sniffing TCP network traffic on the SO monitoring interface using Tcpdump. As I feared, it didn't look right. I ran a new capture with filters for ICMP and a remote IP address. On another system I tried pinging the remote IP address. Sure enough, I only saw ICMP echo replies, and no ICMP echoes. Oddly, I also saw doubles and triples of some of the ICMP echo replies. That worried me, because unpredictable behavior like that could indicate some sort of software problem.My next step was to "get under" the VM guest and determine if the VM host could see traffic properly. I ran Tcpdump on the Ubuntu 18.04 host on the monitoring interface and repeated my ICMP tests. It saw everything properly. That meant I did not need to bother checking the switch span port that was feeding traffic to the VirtualBox system.It seemed I had a problem somewhere between the VM host and guest. On the same VM host I was also running an instance of RockNSM. I ran my ICMP tests on the RockNSM VM and, sadly, I got the same one-sided traffic as seen on SO.Now I was worried. If the problem had only been present in SO, then I could fix SO. If the problem is present in both SO and RockNSM, then the problem had to be with VirtualBox -- and I might not be able to fix it.I reviewed my configurations in VirtualBox, ensuring that the "Promiscuous Mode" under the Advanced options was set to "Allow All". At this point I worried that there was a bug in VirtualBox. I did some Google searches and reviewed some forum posts, but I did not see anyone reporting issues with sniffing traffic inside VMs. Still, my use case might have been weird enough to not have been reported.I decided to try a different approach. I wondered if running VirtualBox with elevated privileges might make a difference. I did not want to take ownership of my user VMs, so I decided to install a new VM and run it with elevated privileges.Let me stop here to note that I am breaking one of the rules of troubleshooting. I'm introducing two new variables, when I should]]> 2019-04-08T16:56:12+00:00 https://taosecurity.blogspot.com/2019/04/troubleshooting-nsm-virtualization.html www.secnews.physaphae.fr/article.php?IdArticle=1091766 False None None None taosecurity - Blog Sécurité Chinois Last week I attended my first OSSEC conference. I first blogged about OSSEC in 2007, and wrote other posts about it in the following years.OSSEC is a host-based intrusion detection and log analysis system with correlation and active response features. It is cross-platform, such that I can run it on my Windows and Linux systems. The moving force behind the conference was a company local to me called Atomicorp.In brief, I really enjoyed this one-day event. (I had planned to attend the workshop on the second day but my schedule did not cooperate.) The talks were almost uniformly excellent and informative. I even had a chance to talk jiu-jitsu with OSSEC creator Daniel Cid, who despite hurting his leg managed to travel across the country to deliver the keynote.I'd like to share a few highlights from my notes.First, I had been worried that OSSEC was in some ways dead. I saw that the Security Onion project had replaced OSSEC with a fork called Wazuh, which I learned is apparently pronounced "wazoo." To my delight, I learned OSSEC is decidedly not dead, and that Wazuh has been suffering stability problems. OSSEC has a lot of interesting development ahead of it, which you can track on their Github repo.For example, the development roadmap includes eliminating Logstash from the pipeline used by many OSSEC users. OSSEC would feed directly into Elasticsearch. One speaker noted that Logstash has a 1.7 GB memory footprint, which astounded me.On a related note, the OSSEC team is planning to create a new Web console, with a design goal to have it run in an "AWS t2.micro" instance. The team noted that instance offers 2 GB memory, which doesn't match what AWS says. Perhaps they meant t2.micro and 1 GB memory, or t2.small with 2 GB memory. I think they mean t2.micro with 1 GB RAM, as that is the free tier. Either way, I'm excited to see this later in 2019.Second, I thought the presentation by security personnel from USA Today offered an interesting insight. One design goal they had for monitoring their Google Cloud Platform (GCP) was to not install OSSEC on every container or on Kubernetes worker nodes. Several times during the conference, speakers noted that the transient nature of cloud infrastructure is directly antithetical to standard OSSEC usage, whereby OSSEC is installed on servers with long uptime and years of service. Instead, USA Today used OSSEC to monitor HTTP logs from the GCP load balancer, logs from Google Kubernetes Engine, and monitored processes by watching output from successive kubectl invocations.Third, a speaker from Red Hat brought my attention to an aspect of containers that I had not considered. Docker and containers had made software testing and deployment a lot easier for everyone. However, those who provide containers have effectively become Linux distribution maintainers. In other words, who is responsible when a security or configuration vulnerability in a Linux component is discovered? Will the container maintainers be responsive?Another speaker emphasized the difference between "security of the cloud," offered by cloud providers, and "security in the cloud," which is supposed to be the customer\]]> 2019-03-28T16:40:01+00:00 https://taosecurity.blogspot.com/2019/03/thoughts-on-ossec-con-2019.html www.secnews.physaphae.fr/article.php?IdArticle=1085953 False Vulnerability Uber None taosecurity - Blog Sécurité Chinois Recently I've been reading about cloud security and security with respect to DevOps. I'll say more about the excellent book I'm reading, but I had a moment of déjà vu during one section.The book described how cloud security is a big change from enterprise security because it relies less on IP-address-centric controls and more on users and groups. The book talked about creating security groups, and adding users to those groups in order to control their access and capabilities.As I read that passage, it reminded me of a time long ago, in the late 1990s, when I was studying for the MCSE, then called the Microsoft Certified Systems Engineer. I read the book at left, Windows NT Security Handbook, published in 1996 by Tom Sheldon. It described the exact same security process of creating security groups and adding users. This was core to the new NT 4 role based access control (RBAC) implementation.Now, fast forward a few years, or all the way to today, and consider the security challenges facing the majority of legacy enterprises: securing Windows assets and the data they store and access. How could this wonderful security model, based on decades of experience (from the 1960s and 1970s no less), have failed to work in operational environments?There are many reasons one could cite, but I think the following are at least worthy of mention.The systems enforcing the security model are exposed to intruders.Furthermore:Intruders are generally able to gain code execution on systems participating in the security model.Finally:Intruders have access to the network traffic which partially contains elements of the security model.From these weaknesses, a large portion of the security countermeasures of the last two decades have been derived as compensating controls and visibility requirements.The question then becomes:Does this change with the cloud?In brief, I believe the answer is largely "yes," thankfully. Generally, the systems upon which the security model is being enforced are not able to access the enforcement mechanism, thanks to the wonders of virtualization.Should an intruder find a way to escape from their restricted cloud platform and gain hypervisor or management network access, then they find themselves in a situation similar to the average Windows domain network.This realization puts a heavy burden on the cloud infrastructure operators. They major players are likely able to acquire and apply the expertise and resources to make their infrastructure far more resilient and survivable than their enterprise counterparts.The weakness will likely be their personnel.Once the compute and network components are sufficiently robust from externally sourced compromise, then internal threats become the next most cost-effective and return-producing vectors for dedicated intruders.Is there anything users can do as they hand their compute and data assets to cloud operators?I suggest four moves.First, small- to mid-sized cloud infrastructure users will likely have to piggyback or free-ride on the initiatives and influence of the largest cloud customers, who have the clout and hopefully the expertise to hold the cloud operators responsible for the security of everyone's data.Second, lawmakers may also need imp]]> 2019-03-13T16:15:01+00:00 https://taosecurity.blogspot.com/2019/03/thoughts-on-cloud-security.html www.secnews.physaphae.fr/article.php?IdArticle=1068351 False None None None taosecurity - Blog Sécurité Chinois Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.We sought to make digital intrusions more expensive than physical intrusions.In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate t]]> 2019-02-09T09:30:04+00:00 https://taosecurity.blogspot.com/2019/02/forcing-adversary-to-pursue-insider.html www.secnews.physaphae.fr/article.php?IdArticle=1020293 False None None None taosecurity - Blog Sécurité Chinois DetectionLab, but noted that I was having trouble with the RDP servers offered by Virtualbox. If you remember, DetectionLab builds four virtual machines:root@LAPTOP-HT4TGVCP C:\Users\root>"c:\Program Files\Oracle\VirtualBox\VBoxManage" list runningvms"logger" {3da9fffb-4b02-4e57-a592-dd2322f14245}"dc.windomain.local" {ef32d493-845c-45dc-aff7-3a86d9c590cd}"wef.windomain.local" {7cd008b7-c6e0-421d-9655-8f92ec98d9d7}"win10.windomain.local" {acf413fb-6358-44df-ab9f-cc7767ed32bd}I was having a problem with two of the VMs sharing the same port for the RDP server offered by Virtualbox. This meant I could not access one of them. (Below, port 5932 has the conflict.)root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage" showvminfo logger | findstr /I vrde | findstr /I addressVRDE:                        enabled (Address 0.0.0.0, Ports 5955, MultiConn: off, ReuseSingleConn: off, Authentication type: null)VRDE property               : TCP/Address  = "0.0.0.0"root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage" showvminfo dc.windomain.local | findstr /I vrde | findstr /I addressVRDE:                        enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null)VRDE property               : TCP/Address = "0.0.0.0"root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage" showvminfo wef.windomain.local | findstr /I vrde | findstr /I addressVRDE:                        enabled (Address 0.0.0.0, Ports 5932, MultiConn: off, ReuseSingleConn: off, Authentication type: null)VRDE property               : TCP/Address = "0.0.0.0"root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant>"c:\Program Files\Oracle\VirtualBox\VBoxManage" showvminfo win10.windomain.local | ]]> 2019-01-29T15:30:05+00:00 https://taosecurity.blogspot.com/2019/01/fixing-virtualbox-rdp-server-with.html www.secnews.physaphae.fr/article.php?IdArticle=1014122 False None None None taosecurity - Blog Sécurité Chinois Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right?Enter DetectionLab, a project by Chris Long. Briefly, Chris built a project that uses Packer and Vagrant to create an instrumented lab environment. Chris explained the project in late 2017 in a Medium post, which I recommend reading.I can't even begin to describe all the functionality packed into this project. So much of it is new, but this is a great way to learn about it. In this post, I would like to show how I got a version of DetectionLab running.My build environment included a modern laptop with 16 GB RAM and Windows 10 professional. I had already installed Virtualbox 6.0 with the appropriate VirtualBox Extension Pack. I had also enabled the native OpenSSH server and performed all DetectionLab installation functions over an OpenSSH session.Install ChocolateyMy first step was to install Chocolatey, a package manager for Windows. I wanted to use this to install the Git client I wanted to use to clone the DetectionLab repo. Commands I typed at each stage are in bold below.root@LAPTOP-HT4TGVCP C:\Users\root>@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"Getting latest version of the Chocolatey package for download.Getting Chocolatey from https://chocolatey.org/api/v2/package/chocolatey/0.10.11.Downloading 7-Zip commandline tool prior to extraction.Extracting C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\root\AppData\Local\Temp\chocolatey\chocInstall...Installing chocolatey on this machineCreating ChocolateyInstall as an environment variable (targeting 'Machine')  Setting ChocolateyInstall to 'C:\ProgramData\chocolatey'WARNING: It's very likely you will need to close and reopen your shell  before you can use choco.]]> 2019-01-28T16:00:00+00:00 https://taosecurity.blogspot.com/2019/01/trying-detectionlab.html www.secnews.physaphae.fr/article.php?IdArticle=1012586 False None None None taosecurity - Blog Sécurité Chinois Today, 8 January 2019, is TaoSecurity Blog's 16th birthday! This is also my 3,041st blog post.I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone.Here are a few statistics on the blog. Blogger started providing statistics in May 2010, so these apply to roughly the past 9 years only.As of today, since May 2010 the blog has nearly 9.4 million all time page views, up from 7.7 million a year ago.Here are the most popular posts of the last 9 years, as of today:I'm blogging a bit more recently, with 22 posts in 2018 -- more than my total for 2016 and 2017 combined, but still not half as much as 2015, which saw 55 posts.Twitter continues to play a role in the way I communicate. Last year @taosecurity had nearly 49,000 followers with less than 18,000 Tweets. Today I have nearly 53,000 followers with 19,000 Tweets.My rule is generally this: if I start wondering how to fit an idea in 280 characters on Twitter, then a blog post is a better idea. If I start a Twitter "thread," then I really need to write a blog post!I continue to blog about martial arts and related topics at Rejoining the Tao, which incidentally will be three years old later this month, and is currently 11 posts shy of 100. You can see that during my burnout period I shifted my writing and creativity outside of security.Thank you to everyone who has been part of this blog's journey since 2003!Copyright 2003-2018 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2019-01-08T09:03:39+00:00 https://taosecurity.blogspot.com/2019/01/happy-16th-birthday-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=981001 False None None None taosecurity - Blog Sécurité Chinois In this post I would like to share a few thoughts on self-publishing a book, in case anyone is considering that option.As I mentioned in my post on burnout, one of my goals was to publish a book on a subject other than cyber security. A friend from my Krav Maga school, Anna Wonsley, learned that I had published several books, and asked if we might collaborate on a book about stretching. The timing was right, so I agreed.I published my first book with Pearson and Addison-Wesley in 2004, and my last with No Starch in 2013. 14 years is an eternity in the publishing world, and even in the last 5 years the economics and structure of book publishing have changed quite a bit.To better understand the changes, I had dinner with one of the finest technical authors around, Michael W. Lucas. We met prior to my interest in this book, because I had wondered about publishing books on my own. MWL started in traditional publishing like me, but has since become a full-time author and independent publisher. He explained the pros and cons of going it alone, which I carefully considered.By the end of 2017, Anna and I were ready to begin work on the book. I believe our first "commits" occurred in December 2017.For this stretching book project, I knew my strengths included organization, project management, writing to express another person's message, editing, and access to a skilled lead photographer. I learned that my co-author's strengths included subject matter expertise, a willingness to be photographed for the book's many pictures, and friends who would also be willing to be photographed.None of us was very familiar with the process of transforming a raw manuscript and photos into a finished product. When I had published with Pearson and No Starch, they took care of that process, as well as copy-editing.Beyond turning manuscript and photos into a book, I also had to identify a publication platform. Early on we decided to self-publish using one of the many newer companies offering that service. We wanted a company that could get our book into Amazon, and possibly physical book stores as well. We did not want to try working with a traditional publisher, as we felt that we could manage most aspects of the publishing process ourselves, and augment with specialized help where needed.After a lot of research we chose Blurb. One of the most attractive aspects of Blurb was their expert ecosystem. We decided that we would hire one of these experts to handle th]]> 2018-12-31T17:46:00+00:00 https://taosecurity.blogspot.com/2018/12/notes-on-self-publishing-book.html www.secnews.physaphae.fr/article.php?IdArticle=972073 False Guideline None None taosecurity - Blog Sécurité Chinois This is not strictly an information security post, but the topic likely affects a decent proportion of my readership.Within the last few years I experienced a profound professional "burnout." I've privately mentioned this to colleagues in the industry, and heard similar stories or requests for advice on how to handle burnout.I want to share my story in the hopes that it helps others in the security scene, either by coping with existing burnout or preparing for a possible burnout.How did burnout manifest for me? It began with FireEye's acquisition of Mandiant, almost exactly five years ago. 2013 was a big year for Mandiant, starting with the APT1 report in early 2013 and concluding with the acquisition in December.The prospect of becoming part of a Silicon Valley software company initially seemed exciting, because we would presumably have greater resources to battle intruders. Soon, however, I found myself at odds with FireEye's culture and managerial habits, and I wondered what I was doing inside such a different company.(It's important to note that the appointment of Kevin Mandia as CEO in June 2016 began a cultural and managerial shift. I give Kevin and his lieutenants credit for helping transform the company since then. Kevin's appointment was too late for me, but I applaud the work he has done over the last few years.)Starting in late 2014 and progressing in 2015, I became less interested in security. I was aggravated every time I saw the same old topics arise in social or public media. I did not see the point of continuing to debate issues which were never solved. I was demoralized and frustrated.At this time I was also working on my PhD with King's College London. I had added this stress myself, but I felt like I could manage it. I had earned two major and two minor degrees in four years as an Air Force Academy cadet. Surely I could write a thesis!Late in 2015 I realized that I needed to balance the very cerebral art of information security with a more physical activity. I took a Krav Maga class the first week of January 2016. It was invigorating and I began a new blog, Rejoining the Tao, that month. I began to consider options outside of informations security.In early 2016 my wife began considering ways to rejoin the W-2 workforce, after having stayed home with our kids for 12 years. We discussed the possibility of me leaving my W-2 job and taking a primary role with the kids. By mid-2016 she had a new job and I was open to departing FireEye.By late 2016 I also realized that I was not cut out to be a PhD candidate. Although I had written several books, I did not have the right mindset or attitude to continue writing my thesis. After two years I quit my PhD program. This was the first time I had quit anything significant in my life, and it was the right decision for me. (The Churchill "never, never, never give up" speech is fine advice when defending your nation's existence, but it's stupid advice if you're not happy with the path you're following.)In March 2017 I posted Bejtlich Moves On, where I said I was leaving FireEye. I would offer security consulting in the short term, and would open a Krav Maga school in the long-term. This was my break with the security ]]> 2018-12-21T16:30:11+00:00 https://taosecurity.blogspot.com/2018/12/managing-burnout.html www.secnews.physaphae.fr/article.php?IdArticle=959069 False None APT 1 None taosecurity - Blog Sécurité Chinois While listening to a webcast this morning, I heard the speaker mentionThere are two types of companies: those who have been hacked, and those who don't yet know they have been hacked.He credited Cisco CEO John Chambers but didn't provide any source.That didn't sound right to me. I could think of two possible antecedents. so I did some research. I confirmed my memory and would like to present what I found here.John Chambers did indeed offer the previous quote, in a January 2015 post for the World Economic Forum titled What does the Internet of Everything mean for security? Unfortunately, neither Mr Chambers nor the person who likely wrote the article for him decided to credit the author of this quote.Before providing proper credit for this quote, we need to decide what the quote actually says. As noted in this October 2015 article by Frank Johnson titled Are there really only “two kinds of enterprises”?, there are really (at least) two versions of this quote:A popular meme in the information security industry is, “There are only two types of companies: those that know they've been compromised, and those that don't know.”And the second is like unto it: “There are only two kinds of companies: those that have been hacked, and those that will be.”We see that the first is a version of what Mr Chambers said. Let's call that 2-KNOW. The second is different. Let's call that 2-BE.The first version, 2-KNOW, can be easily traced and credited to Dmitri Alperovitch. He stated this proposition as part of the publicity around his Shady RAT report, written while he worked at McAfee. For example, this 3 August 2011 story by Ars Technica, Operation Shady RAT: five-year hack attack hit 14 countries, quotes Dmitri in the following:So widespread are the attacks that Dmitri Alperovitch, McAfee Vice President of Threat Research, said that the only companies not at risk are those who have nothing worth taking, and that of the world's biggest firms, there are just two kinds: those that know they've been compromised, and those that still haven't realized they've been compromised.Dmitri used slightly different language in this popular Vanity Fair article from September 2011, titled Enter the Cyber-Dragon:Dmitri Alperovitch, who discovered Operation Shady rat, draws a stark lesson: “There are only two types of companies-those that know they've been compromised, and those that don't know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”No doubt former FBI Director Mueller read this report (and probably spoke with Dmitri). He delivered a speech at RSA on 1 March 2012 that introduced question 2-BE into the lexicon, plus a little more:For it is no longer a question of “if,” but “when” and]]> 2018-12-18T11:22:26+00:00 https://taosecurity.blogspot.com/2018/12/the-origin-of-quote-there-are-two-types.html www.secnews.physaphae.fr/article.php?IdArticle=952646 False Hack,Threat None None taosecurity - Blog Sécurité Chinois I am an historian. I practice digital security, but I earned a bachelor's of science degree in history from the United States Air Force Academy. (1)Historians create products by analyzing artifacts, among which the most significant is the written word.In my last post, I talked about IOCs, or indicators of compromise. Do you know the origin of the term? I thought I did, but I wanted to rely on my historian's methodology to invalidate or confirm my understanding.I became aware of the term "indicator" as an element of indications and warning (I&W), when I attended Air Force Intelligence Officer's school in 1996-1997. I will return to this shortly, but I did not encounter the term "indicator" in a digital security context until I encountered the work of Kevin Mandia.In August 2001, shortly after its publication, I read Incident Response: Investigating Computer Crime, by Kevin Mandia, Chris Prosise, and Matt Pepe (Osborne/McGraw-Hill). I was so impressed by this work that I managed to secure a job with their company, Foundstone, by April 2002. I joined the Foundstone incident response team, which was led by Kevin and consisted of Matt Pepe, Keith Jones, Julie Darmstadt, and me.I Tweeted earlier today that Kevin invented the term "indicator" (in the IR context) in that 2001 edition, but a quick review of the hard copy in my library does not show its usage, at least not prominently. I believe we were using the term in the office but that it had not appeared in the 2001 book. Documentation would seem to confirm that, as Kevin was working on the second edition of the IR book (to which I contributed), and that version, published in 2003, features the term "indicator" in multiple locations.In fact, the earliest use of the term "indicators of compromise," appearing in print in a digital security context, appears on page 280 in Incident Response & Computer Forensics, 2nd Edition.From other uses of the term "indicators" in that IR book, you can observe that IOC wasn't a formal, independent concept at this point, in 2003. In the same excerpt above you see "indicators of attack" mentioned.The first citation of the term "indicators" in the 2003 book shows it is meant as an investigative lead or tip:]]> 2018-11-25T15:48:54+00:00 https://taosecurity.blogspot.com/2018/11/the-origin-of-term-indicators-of.html www.secnews.physaphae.fr/article.php?IdArticle=918838 False Malware,Tool,Guideline None None taosecurity - Blog Sécurité Chinois In response to my post More on Threat Hunting, Rob Lee asked:[D]o you consider detection through ID'ing/“matching” TTPs not hunting?To answer this question, we must begin by clarifying "TTPs." Most readers know TTPs to mean tactics, techniques and procedures, defined by David Bianco in his Pyramid of Pain post as:How the adversary goes about accomplishing their mission, from reconnaissance all the way through data exfiltration and at every step in between.In case you've forgotten David's pyramid, it looks like this.It's important to recognize that the pyramid consists of indicators of compromise (IOCs). David uses the term "indicator" in his original post, but his follow-up post from his time at Sqrrl makes this clear:There are a wide variety of IoCs ranging from basic file hashes to hacking Tactics, Techniques and Procedures (TTPs). Sqrrl Security Architect, David Bianco, uses a concept called the Pyramid of Pain to categorize IoCs. At this point it should be clear that I consider TTPs to be one form of IOC.In The Practice of Network Security Monitoring, I included the following workflow:You can see in the second column that I define hunting as "IOC-free analysis." On page 193 of the book I wrote:Analysis is the process of identifying and validating normal, suspicious, and malicious activity. IOCs expedite this process. Formally, IOCs are manifestations of observable or discernible adversary actions. Informally, IOCs are ways to codify adversary activity so that technical systems can find intruders in digital evidence...I refer to relying on IOCs to find intruders as IOC-centric analysis, or matching. Analysts match IOCs to evidence to identify suspicious or malicious activity, and then validate their findings.Matching is not the only way to find intruders. More advanced NSM operations also pursue IOC-free analysis, or hunting. In the mid-2000s, the US Air Force popularized the term hunter-killer in the digital world. Security experts perfo]]> 2018-11-24T15:23:09+00:00 https://taosecurity.blogspot.com/2018/11/even-more-on-threat-hunting.html www.secnews.physaphae.fr/article.php?IdArticle=916533 False Malware,Threat None None taosecurity - Blog Sécurité Chinois Earlier this week hellor00t asked via Twitter:Where would you place your security researchers/hunt team?I replied:For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend more time matching. Senior people spend more time hunting. Both can and should do both functions.This inspired Rob Lee to blog a response, from which I extract his core argument:[Hunting] really isn't, to me, about detecting threats...Hunting is a hypothesis-led approach to testing your environment for threats. The purpose, to me, is not in finding threats but in determining what gaps you have in your ability to detect and respond to them...In short, hunting, to me, is a way to assess your security (people, process, and technology) against threats while extending your automation footprint to better be prepared in the future. Or simply stated, it's incident response without the incident that's done with a purpose and contributes something. As background for my answer, I recommend my March 2017 post The Origin of Threat Hunting, which cites my article "Become a Hunter," published in the July-August 2011 issue of Information Security Magazine. I wrote it in the spring of 2011, when I was director of incident response for GE-CIRT.For the term "hunting," I give credit to briefers from the Air Force and NSA who, in the mid-2000s briefed "hunter-killer" missions to the Red Team/Blue Team Symposium at the Johns Hopkins University Applied Physics Lab in Laurel, MD.As a comment to that post, Tony Sager, who ran NSA VAO at the time I was briefed at ReBl, described hunting thus:[Hunting] was an active and sustained search for Attackers...For us, "Hunt" meant a very planned and sustained search, taking advantage of the existing infrastructure of Red/Blue Teams and COMSEC Monitoring, as well as intelligence information to guide the search. For the practice of hunting, as I experienced it, I give credit to our GE-CIRT incident handlers -- David Bianco,  Ken Bradley, Tim Crothers, Tyler Hudak, Bamm Visscher, and Aaron Wade -- who took junior analysts on "hunting trips," starting in 2008-2009.It is very clear, to me, that hunting has always been associated with detecting an adversary, not "determining what gaps you have in your ability to detect and respond to them," as characterized by Rob.For me, Rob is describing the job of an enterprise visibility architect, which I described in a 2007 post:[W]e are stuck with numerous platforms, operating systems, applications, and data (POAD) for which we have zero visibility. I suggest that enterprises consider hiring or assigning a new role -- Enterprise Visibility Architect. The role of the EVA is to identify visibility deficiencies in existing and future POAD and]]> 2018-11-23T12:36:47+00:00 https://taosecurity.blogspot.com/2018/11/more-on-threat-hunting.html www.secnews.physaphae.fr/article.php?IdArticle=914308 False Threat None None taosecurity - Blog Sécurité Chinois I was considering another debate about appropriate cybersecurity measures and I had the following thought: not all networks are the same. Profound, right? This is so obvious, yet so obviously forgotten.Too often when confronting a proposed defensive measure, an audience approaches the concept from their own preconceived notion of what assets need to be protected.Some think about an information technology enterprise organization with endpoints, servers, and infrastructure. Others think about an industrial organization with manufacturing equipment. Others imagine an environment with no network at all, where constituents access cloud-hosted resources. Still others think in terms of being that cloud hosting environment itself.Beyond those elements, we need to consider the number of assets, their geographic diversity, their relative value, and many other aspects that you can no doubt imagine.This made me wonder if we need some sort of easy reference term to capture the essential nature of these sorts of diverse environments. I thought immediately of the term "class M planet," from Star Trek. From the Wikipedia entry:[An] Earth-like planet, the Class M designation is similar to the real-world astronomical theory of life-supporting planets within the habitable zone... Class M planets are said to possess an atmosphere composed of nitrogen and oxygen as well as an abundance of liquid water necessary for carbon-based life to exist. Extensive plant and animal life often flourishes; often, a sentient race is also present. In contrast, consider a class Y planet:Class Y planets are referred to as "demon" worlds, where surface conditions do not fall into any other recognized category. Such worlds are usually hostile and lethal to humanoid life. If life forms develop on these worlds they usually take on many bizarre forms, like living crystal or rock, liquid or gaseous physical states, or incorporeal, dimensional, or energy-based states. Given their work providing names for various offensive security activities in ATT&CK, I wonder if MITRE might consider creating a naming scheme to capture this idea? For example, a "class M" network might be an enterprise organization with endpoints, servers, and infrastructure, of a certain size. Or perhaps M1 might be "small," M2 "medium," and M3 "large," where each is associated with a user count.Perhaps an environment with no network at all, where constituents access cloud-hosted resources, would be a class C network. (I'm not sure "network" is even the right term, if there is no "network" for which the organization is responsible.)With such a scheme in place, we could begin a cybersecurity discussion by asking, "given a class M network, what defensive processes, people, or technology are appropriate," versus "given a class C network, what defensive processes, people, or technology are appropriate."This is only an idea, and I'd be happy if something was already created to address this problem. Comments below are welcome (pending moderation to repel trolls and spammers.) Alternatively, reply to my announcement of this post via @taosecurity on Twitter.Copyright 2003-2018 Richard Bejtlich and TaoSecurity (taosecuri]]> 2018-11-02T09:20:23+00:00 https://taosecurity.blogspot.com/2018/11/cybersecurity-and-class-m-planets.html www.secnews.physaphae.fr/article.php?IdArticle=876246 False None None None taosecurity - Blog Sécurité Chinois I have been associated with network security monitoring my entire cybersecurity career, so I am obviously biased towards network-centric security strategies and technologies. I also work for a network security monitoring company (Corelight), but I am not writing this post in any corporate capacity.There is a tendency in many aspects of the security operations community to shy away from network-centric approaches. The rise of encryption and cloud platforms, the argument goes, makes methodologies like NSM less relevant. The natural response seems to be migration towards the endpoint, because it is still possible to deploy agents on general purpose computing devices in order to instrument and interdict on the endpoint itself.It occurred to me this morning that this tendency ignores the fact that the trend in computing is toward closed computing devices. Mobile platforms, especially those running Apple's iOS, are not friendly to introducing third party code for the purpose of "security." In fact, one could argue that iOS is one of, if not the, most security platform, thanks to this architectural decision. (Timely and regular updates, a policed applications store, and other choices are undoubtedly part of the security success of iOS, to be sure.)How is the endpoint-centric security strategy going to work when security teams are no longer able to install third party endpoint agents? The answer is -- it will not. What will security teams be left with?The answer is probably application logging, i.e., usage and activity reports from the software with which users interact. Most of this will likely be hosted in the cloud. Therefore, security teams responsible for protecting work-anywhere-but-remote-intensive users, accessing cloud-hosted assets, will have really only cloud-provided data to analyze and escalate.It's possible that the endpoint providers themselves might assume a greater security role. In other words, Apple and other manufacturers provide security information directly to users. This could be like Chase asking if I really made a purchase. This model tends to break down when one is using a potentially compromised asset to ask the user if that asset is compromised.In any case, this vision of the future ignores the fact that someone will still be providing network services. My contention is that if you are responsible for a network, you are responsible for monitoring it.It is negligent to provide network services but ignore abuse of that service.If you disagree and cite the "common carrier" exception, I would agree to a certain extent. However, one cannot easily fall back on that defense in an age where Facebook, Twitter, and other platforms are being told to police their infrastructure or face ever more government regulation.At the end of the day, using modern Internet services means, by definition, using someone's network. Whoever is providing that network will need to instrument it, if only to avoid the liability associated with misuse. Therefore, anyone operating a network would do well to continue to deploy and operate network security monitoring capabilities.We may be in a golden age of endpoint visibility, but closure of those platforms will end the endpoint's viability as a source of security logging. So long as there are networks, we will need network security monitoring.Copyright 2003-2018 Richard Bejtlich and TaoSec]]> 2018-10-25T10:31:27+00:00 https://taosecurity.blogspot.com/2018/10/have-network-need-network-security.html www.secnews.physaphae.fr/article.php?IdArticle=862505 False None None None taosecurity - Blog Sécurité Chinois On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America's technology supply chain, according to extensive interviews with government and corporate sources.” From the article:Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device's operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.Companies mentioned in the story deny the details, so this post does not debate the merit of the Bloomberg reporters' claims. Rather, I prefer to discuss how a computer incident response team (CIRT) and a chief information security officer (CISO) should handle such a possibility. What should be done when hardware-level attacks enabling remote access via the network are possible?This is not a new question. I have addressed the architecture and practices needed to mitigate this attack model in previous writings. This scenario is a driving force behind my recommendation for network security monitoring (NSM) for any organization running a network, of any kind. This does not mean endpoint-centric security, or other security models, should be abandoned. Rather, my argument shows why NSM offers unique benefits when facing hardware supply chain attacks.The problem is one of trust and detectability. The problem here is that one loses trust in the integrity of a computing platform when one suspects a compromised hardware environment. One way to validate whether a computing platform is trustworthy is to monitor outside of it, at places where the hardware cannot know it is being monitored, and cannot interfere with that monitoring. Software installed on the hardware is by definition untrustworthy because the hardware backdoor may have the capability to obscure or degrade the visibility and control provided by an endpoint agent.Network security monitoring applied outside the hardware platform does not suffer this limitation, if certain safeguards are implemented. NSM suffers limitations unique to its deployment, of course, and they will be outlined shortly. By watching traffic to and from a suspected computing platform, CIRTs have a chance to identify suspicious and malicious activity, such as contact with remote command and control (C2) infrastructure. NSM data on this C2 activity can be collected and stored in many forms, such as any of the seven NSM data types: 1) full content; 2) extracted content; 3) session data; 4) transaction data; 5) statistical data; 6) metadata; and 7) alert data.Most likely session and transaction data would have been most useful for the case at hand. Once intelligence agencies identified that command and control infrastructure used by the alleged Chinese agents in this example, they could provide that information to the CIRT, who could then query historical NSM data for connectivity between enterprise a]]> 2018-10-05T18:00:07+00:00 https://taosecurity.blogspot.com/2018/10/network-security-monitoring-vs-supply.html www.secnews.physaphae.fr/article.php?IdArticle=832501 False None None None taosecurity - Blog Sécurité Chinois slides (pdf) from a 2011 Network Startup Resource Center presentation. These two caught my attention:This bothered me, so I Tweeted about it.This started some discussion, and prompted me to see what NSRC suggests for architecture these days. You can find the latest, from April 2018, here. Here is the bottom line for their suggested architecture:What do you think of this architecture?My Tweet has attracted some attention from the high speed network researcher community, some of whom assume I must be a junior security apprentice who equates "firewall" with "security." Long-time blog readers will laugh at that, like I did. So what was my problem with the ]]> 2018-09-18T09:48:27+00:00 https://taosecurity.blogspot.com/2018/09/firewalls-and-need-for-speed.html www.secnews.physaphae.fr/article.php?IdArticle=814050 False Threat None None taosecurity - Blog Sécurité Chinois I am really fired up to join Corelight. I've had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast the future.Twenty years ago this month I joined the Air Force Computer Emergency Response Team (AFCERT) at then-Kelly Air Force Base, located in hot but lovely San Antonio, Texas. I was a brand new captain who thought he knew about computers and hacking based on experiences from my teenage years and more recent information operations and traditional intelligence work within the Air Intelligence Agency. I was desperate to join any part of the then-five-year-old Information Warfare Center (AFIWC) because I sensed it was the most exciting unit on “Security Hill.”I had misjudged my presumed level of “hacking” knowledge, but I was not mistaken about the exciting life of an AFCERT intrusion detector! I quickly learned the tenets of network security monitoring, enabled by the custom software watching and logging network traffic at every Air Force base. I soon heard there were three organizations that intruders knew to be wary of in the late 1990s: the Fort, i.e. the National Security Agency; the Air Force, thanks to our Automated Security Incident Measurement (ASIM) operation; and the University of California, Berkeley, because of a professor named Vern Paxson and his Bro network security monitoring software.When I wrote my first book in 2003-2004, The Tao of Network Security Monitoring, I enlisted the help of Christopher Jay Manders to write about Bro 0.8. Bro had the reputation of being very powerful but difficult to stand up. In 2007 I decided to try installing Bro myself, thanks to the introduction of the “brolite” scripts shipped with Bro 1.2.1. That made Bro easier to use, but I didn't do much analysis with it until I attended the 2009 Bro hands-on workshop. There I met Vern, Robin Sommer, Seth Hall, Christian Kreibich, and other Bro users and developers. I was lost most of the class, saved only by my knowledge of standard Unix command line tools like sed, awk, and grep! I was able to integrate Bro traffic analysis and logs into my TCP/IP Weapons School 2.0 class, and subsequent versions, which I taught mainly to Black Hat students. By the time I wrote my last book, The Practice of Network Security Monitoring, in 2013, I was heavily relying on Bro logs to demonstrate many sorts of network activity, thanks to the high-fidelity nature of Bro data.In July of this year, Seth Hall emailed to ask if I might be interested in keynoting the upcoming Bro users conference in Washington, D.C., on October 10-12. I was in a bad mood due to being unhappy with the job I had at that time, and I told him I was useless as a keynote speaker. I followed up with another message shortly after, explained my depressed mindset, and asked how he liked working at Corelight. That led to interviews with the Corelight team and a job offer. The opportunity to work with people who really understood the need for network security monitoring, and were writing the world's most powerful software to generate NSM data, was so appealing! Now that I'm on the team, I can share how I view Corelight's contribution to the security challenges we face.For me, Corelight solves the problems I encountered all those years ago when I first looked at Bro. The Corelight embodiment of Bro is ready to go when you deploy it. It's developed and ma]]> 2018-09-11T12:07:37+00:00 https://taosecurity.blogspot.com/2018/09/twenty-years-of-network-security.html www.secnews.physaphae.fr/article.php?IdArticle=803374 False None None None taosecurity - Blog Sécurité Chinois I've written about counterintelligence (CI) before, but I realized today that some of my writing, and the writing of others, may be confused as to exactly what CI means.The authoritative place to find an American definition for CI is the United States National Counterintelligence and Security Center. I am more familiar with the old name of this organization, the  Office of the National Counterintelligence Executive (ONCIX).The 2016 National Counterintelligence Strategy cites Executive Order 12333 (as amended) for its definition of CI:Counterintelligence – Information gathered and activities conducted to identify, deceive,exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities. (emphasis added)The strict interpretation of this definition is countering foreign nation state intelligence activities, such as those conducted by China's Ministry of State Security (MSS), the Foreign Intelligence Service of the Russian Federation (SVR RF), Iran's Ministry of Intelligence, or the military intelligence services of those countries and others.In other words, counterintelligence is countering foreign intelligence. The focus is on the party doing the bad things, and less on what the bad thing is.The definition, however, is loose enough to encompass others; "organizations," "persons," and "international terrorist organizations" are in scope, according to the definition. This is just about everyone, although criminals are explicitly not mentioned.The definition is also slightly unbounded by moving beyond "espionage, or other intelligence activities," to include "sabotage, or assassinations." In those cases, the assumptions is that foreign intelligence agencies and their proxies are the parties likely to be conducting sabotage or assassinations. In the course of their CI work, paying attention to foreign intelligence agents, the CI team may encounter plans for activities beyond collection.The bottom line for this post is a cautionary message. It's not appropriate to call all intelligence activities "counterintelligence." It's more appropriate to call countering adversary intelligence activities counterintelligence.You may use similar or the same approaches as counterintelligence agents when performing your cyber threat intelligence function. For example, you may recruit a source inside a carding forum, or you may plant your own source in a carding forum. This is similar to turning a foreign intelligence agent, or inserting your own agent in a foreign intelligence service. However, activities directing against a carding forum are not counterintelligence. Activities directing against a foreign intelligence service are counterintelligence.The nature and target of your intelligence activities are what determine if it is counterintelligence, not necessarily the methods you use. Again, this is in keeping with the stricter definition, and not becoming a victim of scope creep.Copyright 2003-2018 Richard Bejtlich and TaoSecurity (taosecurity.b]]> 2018-07-22T10:05:07+00:00 https://taosecurity.blogspot.com/2018/07/defining-counterintelligence.html www.secnews.physaphae.fr/article.php?IdArticle=748424 False Threat None None taosecurity - Blog Sécurité Chinois It's a screen capture from the go for launch sequence. It shows mission control in Houston, Texas. If you'd like to see video of the actual center from 1970, check out This Is Mission Control.Mission control looks remarkably like a SOC, doesn't it? When builders of computer security operations centers imagined what their "mission control" rooms would look like, perhaps they had Houston in mind?Or perhaps they thought of the 1983 movie War Games?Reality was way more boring however:I visited NORAD under Cheyenne Mountain in 1989, I believe, when visiting the Air Force Academy as a high school senior. I can confirm it did not look like the movie depiction!Let's return to mission control. Look at the resources available to personnel manning the mission control room. The big screens depict two main forms of data: telemetry and video of the rocket. What about the individual screens, where people sit? They are largely customized. Each station presents data or buttons specific to the role of the person sitting there. Listen to Ed Harris' character calling out the stations: booster, retro, vital, etc. For example:This is one of the key differences between mission control and any modern computerized operations center. In the 1960s and 1970s, workstations (literally, places where people worked) had to be customized. They lacked the technology to have generic workstations where customization was done via screen, keyboard, and mouse. They also lacked the ability to display video on demand, and relied on large televi]]> 2018-06-28T10:08:22+00:00 https://taosecurity.blogspot.com/2018/06/why-do-socs-look-like-this.html www.secnews.physaphae.fr/article.php?IdArticle=726971 False None None None taosecurity - Blog Sécurité Chinois Before reading the rest of this post, I suggest reading Mandiant/FireEye's statement Doing Our Part -- Without Hacking Back.I would like to add my own color to this situation.First, at no time when I worked for Mandiant or FireEye, or afterwards, was there ever a notion that we would hack into adversary systems. During my six year tenure, we were publicly and privately a "no hack back" company. I never heard anyone talk about hack back operations. No one ever intimated we had imagery of APT1 actors taken with their own laptop cameras. No one even said that would be a good idea.Second, I would never have testified or written, repeatedly, about our company's stance on not hacking back if I knew we secretly did otherwise. I have quit jobs because I had fundamental disagreements with company policy or practice. I worked for Mandiant from 2011 through the end of 2013, when FireEye acquired Mandiant, and stayed until last year (2017). I never considered quitting Mandiant or FireEye due to a disconnect between public statements and private conduct.Third, I was personally involved with briefings to the press, in public and in private, concerning the APT1 report. I provided the voiceover for a 5 minute YouTube video called APT1: Exposing One of China's Cyber Espionage Units. That video was one of the most sensitive, if not the most sensitive, aspects of releasing the report. We showed the world how we could intercept adversary communications and reconstruct it. There was internal debate about whether we should do that. We decided to cover the practice it in the report, as Christopher Glyer Tweeted:In none of these briefings to the press did we show pictures or video from adversary laptops. We did show the video that we published to YouTube.Fourth, I privately contacted former Mandiant personnel with whom I worked during the time of the APT1 report creation and distribution. Their reaction to Mr Sanger's allegations ranged from "I've never heard of that" to "completely false." I asked former Mandiant colleagues, like myself,]]> 2018-06-25T15:03:20+00:00 https://taosecurity.blogspot.com/2018/06/bejtlich-on-apt1-report-no-hack-back.html www.secnews.physaphae.fr/article.php?IdArticle=722517 False Hack APT 1 None taosecurity - Blog Sécurité Chinois Since posting Bejtlich Moves On I've been rebalancing work, family, and personal life. I invested in my martial arts interests, helped more with home duties, and consulted through TaoSecurity.Today I'm pleased to announce that, effective Monday May 21st 2018, I'm joining the Splunk team. I will be Senior Director for Security and Intelligence Operations, reporting to our CISO, Joel Fulton. I will help build teams to perform detection and monitoring operations, digital forensics and incident response, and threat intelligence. I remain in the northern Virginia area and will align with the Splunk presence in Tyson's Corner.I'm very excited by this opportunity for four reasons. First, the areas for which I will be responsible are my favorite aspects of security. Long-time blog readers know I'm happiest detecting and responding to intruders! Second, I already know several people at the company, one of whom began this journey by Tweeting about opportunities at Splunk! These colleagues are top notch, and I was similarly impressed by the people I met during my interviews in San Francisco and San Jose.Third, I respect Splunk as a company. I first used the products over ten years ago, and when I tried them again recently they worked spectacularly, as I expected. Fourth, my new role allows me to be a leader in the areas I know well, like enterprise defense and digital operational art, while building understanding in areas I want to learn, like cloud technologies, DevOps, and security outside enterprise constraints.I'll have more to say about my role and team soon. Right now I can share that this job focuses on defending the Splunk enterprise and its customers. I do not expect to spend a lot of time in sales cycles. I will likely host visitors in the Tyson's areas from time to time. I do not plan to speak as much with the press as I did at Mandiant and FireEye. I'm pleased to return to operational defense, rather than advise on geopolitical strategy.If this news interests you, please check our open job listings in information technology. As a company we continue to grow, and I'm thrilled to see what happens next!Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2018-05-15T14:40:48+00:00 https://taosecurity.blogspot.com/2018/05/bejtlich-joining-splunk.html www.secnews.physaphae.fr/article.php?IdArticle=651282 False Guideline None None taosecurity - Blog Sécurité Chinois I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud.Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services (AWS). You can register for a 15 day free trial of Splunk Cloud that will index 5 GB per day.If you would like to follow along, you will need a computer with a Web browser to interact with Splunk Cloud. (There may be ways to interact via API, but I do not cover that here.)I will collect logs from a virtual machine running Debian 9, inside Oracle VirtualBox.First I registered for the free Splunk Cloud trial online.After I had a Splunk Cloud instance running, I consulted the documentation for Forward data to Splunk Cloud from Linux. I am running a "self-serviced" instance and not a "managed instance," i.e., I am the administrator in this situation.I learned that I needed to install a software package called the Splunk Universal Forwarder on my Linux VM.I downloaded a 64 bit Linux 2.6+ kernel .deb file to the /home/Downloads directory on the Linux VM.richard@debian:~$ cd Downloads/richard@debian:~/Downloads$ lssplunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.debWith elevation permissions I created a directory for the .deb, changed into the directory, and installed the .deb using dpkg.richard@debian:~/Downloads$ sudo bash[sudo] password for richard: root@debian:/home/richard/Downloads# mkdir /opt/splunkforwarderroot@debian:/home/richard/Downloads# mv splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb /opt/splunkforwarder/root@debian:/home/richard/Downloads# cd /opt/splunkforwarder/root@debian:/opt/splunkforwarder# ls]]> 2018-05-07T14:26:52+00:00 https://taosecurity.blogspot.com/2018/05/trying-splunk-cloud.html www.secnews.physaphae.fr/article.php?IdArticle=632348 False None None None taosecurity - Blog Sécurité Chinois Within the last week, Doug Burks of Security Onion (SO) added a new script that revolutionizes the use case for his amazing open source network security monitoring platform.I have always used SO in a live production mode, meaning I deploy a SO sensor sniffing a live network interface. As the multitude of SO components observe network traffic, they generate, store, and display various forms of NSM data for use by analysts.The problem with this model is that it could not be used for processing stored network traffic. If one simply replayed the traffic from a .pcap file, the new traffic would be assigned contemporary timestamps by the various tools observing the traffic.While all of the NSM tools in SO have the independent capability to read stored .pcap files, there was no unified way to integrate their output into the SO platform.Therefore, for years, there has not been a way to import .pcap files into SO -- until last week!Here is how I tested the new so-import-pcap script. First, I made sure I was running Security Onion Elastic Stack Release Candidate 2 (14.04.5.8 ISO) or later. Next I downloaded the script using wget from https://github.com/Security-Onion-Solutions/securityonion-elastic/blob/master/usr/sbin/so-import-pcap.I continued as follows:richard@so1:~$ sudo cp so-import-pcap /usr/sbin/richard@so1:~$ sudo chmod 755 /usr/sbin/so-import-pcapI tried running the script against two of the sample files packaged with SO, but ran into issues with both.richard@so1:~$ sudo so-import-pcap /opt/samples/10k.pcapso-import-pcapPlease wait while......creating temp pcap for processing.mergecap: Error reading /opt/samples/10k.pcap: The file appears to be damaged or corrupt(pcap: File has 263718464-byte packet, bigger than maximum of 262144)Error while merging!I checked the file with capinfos.richard@so1:~$ capinfos /opt/samples/10k.pcapcapinfos: An error occurred after reading 17046 packets from "/opt/samples/10k.pcap": The file appears to be damaged or corrupt.(pcap: File has 263718464-byte packet, bigger than maximum of 262144)]]> 2018-02-26T12:02:04+00:00 http://taosecurity.blogspot.com/2018/02/importing-pcap-into-security-onion.html www.secnews.physaphae.fr/article.php?IdArticle=490982 False None None None taosecurity - Blog Sécurité Chinois Following the release of the Spectre and Meltdown CPU attacks, the security community wondered if other researchers would find related speculative attack problems. When the following appeared, we were concerned:"Skyfall and SolaceMore vulnerabilities in modern computers.Following the recent release of the Meltdown and Spectre vulnerabilities, CVE-2017-5175, CVE-2017-5753 and CVE-2017-5754, there has been considerable speculation as to whether all the issues described can be fully mitigated. Skyfall and Solace are two speculative attacks based on the work highlighted by Meltdown and Spectre.Full details are still under embargo and will be published soon when chip manufacturers and Operating System vendors have prepared patches.Watch this space..."It turns out this was a hoax. The latest version of the site says, in part:"With little more than a couple of quickly registered domain names, thousands of people were hooked...SkyfallThe idea here was to suggest a link to Intel's Skylake processor.SolaceThe idea here was to suggest a link to the Solaris operating system.Copy the styling of the original Meltdown and Spectre sites and add a couple of favicons based loosely on the Intel and Solaris logos and I was nearly done.The final step was to add on https, because if a site's got an SSL certificate it must be legitimate, and the bait was set."The problem with this "explanation" is that it wasn't just a logo, domain name and SSL certificate. The "security professional" who created this site outright lied, as shown at the top of this post. Don't fall for his false narrative.I'm not naming names or linking to the sites here, because the person responsible already thinks he's too clever.Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2018-01-22T09:30:58+00:00 http://taosecurity.blogspot.com/2018/01/lies-and-more-lies.html www.secnews.physaphae.fr/article.php?IdArticle=459738 False None None None taosecurity - Blog Sécurité Chinois Anyone involved in cybersecurity reporting needs a strong sense of numeracy, or mathematical literacy. I see two sorts of examples of innumeracy repeatedly in the media.The first involves the time value of money. Recently CNN claimed Amazon CEO Jeff Bezos was the "richest person in history" and Recode said Bezos was "now worth more than Bill Gates ever was." Thankfully both Richard Steinnon and Noah Kirsch recognized the foolishness of these reports, correctly noting that Bezos would only rank number 17 on a list where wealth was adjusted for inflation.This failure to recognize the time value of money is pervasive. Just today I heard the host of a podcast claim that the 1998 Jackie Chan movie Rush Hour was "the top grossing martial arts film of all time." According to Box Office Mojo, Rush Hour earned $244,386,864 worldwide. Adjusting for inflation, in 2017 dollars that's $367,509,865.67 -- impressive!For comparison, I researched the box office returns for Bruce Lee's Enter the Dragon. Box Office Mojo lacked data, but I found a 2017 article stating his 1973 movie earned "$25 million in the U.S. and $90 million worldwide, excluding Hong Kong." If I adjust the worldwide figure of $90 million for inflation, in 2017 dollars that's $496,864,864.86 -- making Enter the Dragon easily more successful than Rush Hour.If you're wondering about Crouching Tiger, Hidden Dragon, that 2000 movie earned $213,525,736 worldwide. That movie earned less than Rush Hour, and arrived two years later, so it's not worth doing the inflation math.The take-away is that any time you are comparing dollars from different time periods, you must adjust for inflation to have your comparisons have any meaning whatsoever.Chart by @CanadianFlagsThe second sort of innumeracy I'd like to highlight today also involves money, but in a slightly different way. This involves changes in values over time.For example, a company may grow revenue from 2015 to 2016, with 2015 revenue being $100,000 and 2016 being $200,000. That's a 100% gain.If the company grows another $100,000 from 2016 to 2017, from $200,000 to $300,000, the growth rate has declined to 50%. To have maintained a 100% growth rate, the comp]]> 2018-01-16T12:31:57+00:00 http://taosecurity.blogspot.com/2018/01/addressing-innumeracy-in-reporting.html www.secnews.physaphae.fr/article.php?IdArticle=459739 False Guideline None None taosecurity - Blog Sécurité Chinois Last week I Tweeted the following on the 8th anniversary of Google's blog post about its compromise by Chinese threat actors:This intrusion made the term APT mainstream. I was the first to associate it with Aurora, in this post https://taosecurity.blogspot.com/2010/01/google-v-china.htmlMy first APT post was a careful reference in 2007, when we all feared being accused of "leaking classified" re China: https://taosecurity.blogspot.com/2007/10/air-force-cyberspace-report.htmlI should have added the term "publicly" to my original Tweet. There were consultants with years of APT experience involved in the Google incident response, and they recognized the work of APT17 at that company and others. Those consultants honored their NDAs and have stayed quiet.I wrote my original Tweet as a reminder that "APT" was not a popular, recognized term until the Google announcement on 12 January 2010. In my Google v China blog post I wrote:Welcome to the party, Google. You can use the term "advanced persistent threat" (APT) if you want to give this adversary its proper name.I also Tweeted a similar statement on the same day:This is horrifying: http://bit.ly/7x7vVW Google admits intellectual property theft from China; it's called Advanced Persistent Threat, GOOGI made the explicit link of China and APT because no one had done that publicly.This slide from a 2011 briefing I did in Hawaii captures a few historical points:The Google incident was a watershed, for reasons I blogged on 16 January 2010. I remember the SANS DFIR 2008 event as effectively "APTCon," but beyond Mandiant, Northrup Grumman, and NetWitness, no one was really talking publicly about the APT until after Google.As I noted in the July 2009 blog post, You Down With APT? (ugh):Aside from Northrup Grumman, Mandiant, and a few vendors (like NetWitness, one of the full capture vendors out there) mentioning APT, there's not much else available. A Google search for "advanced persistent threat" -netwitness -mandiant -Northrop yields 34 results (prior to this blog post). (emphasis added)Today that search yields 244,000 results.I would argue we're "past APT." APT was the buzzword for ]]> 2018-01-14T14:08:40+00:00 http://taosecurity.blogspot.com/2018/01/remembering-when-apt-became-public.html www.secnews.physaphae.fr/article.php?IdArticle=459740 False None APT 17,APT 1 None taosecurity - Blog Sécurité Chinois Today, 8 January 2018, is the 15th birthday of TaoSecurity Blog! This is also my 3,020th blog post.I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone.I don't believe I've released statistics for the blog before, so here are a few. Blogger started providing statistics in May 2010, so these apply to roughly the past 8 years only!As of today, since May 2010 the blog has nearly 7.7 million all time page views.Here are the most popular posts as of today:Twitter continues to play a role in the way I communicate. When I last reported on a blog birthday two years ago, I said that I had nearly 36,000 Twitter followers for @taosecurity, with roughly 16,000 Tweets. Today I have nearly 49,000 followers with less than 18,000 Tweets. As with most people on social media, blogging has taken a back seat to more instant forms of communication.These days I am active on Instagram as @taosecurity as well. That account is a departure from my social media practice. On Twitter I have separate accounts for cybersecurity and intelligence (@taosecurity), martial arts (@rejoiningthetao), and other purposes. My Instagram @taosecurity account is a unified account, meaning I talk about whatever I feel like. During the last two years I also started another blog to which I regularly contribute -- Rejoining the Tao. I write about my martial arts journey there, usually once a week.Once in a while I post to LinkedIn, but it's usually news of a blog post like this, or other LinkedIn content of interest.What's ahead? You may remember I was working on a PhD and I had left FireEye. I decided to abandon my PhD in the fall of 2016. I realized I was not an academic, although I had written four books.I have also changed all the goals I named in my post-FireEye announcement.For the last year I have been doing limited security consulting, but that has been increasing in recent months. I continue to be involved in martial arts, but I no longer plan to be a Krav Maga instructor nor to open my own school.For several months I've been working with a co-author and subject matter expert on a new book with martial arts applicability. I've been responsible for editing and publishing. I'll say more about that at Rejoining the Tao when the time is right.Thank you to everyone who]]> 2018-01-08T14:49:05+00:00 http://taosecurity.blogspot.com/2018/01/happy-15th-birthday-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=456646 False None None None taosecurity - Blog Sécurité Chinois Today, 8 January 2016, is the 13th birthday of TaoSecurity Blog! This is also my 3,000th blog post.I wrote my first post on 8 January 2003 while working as an incident response consultant for Foundstone. Kevin Mandia was my boss. Today I am starting my third year as Chief Security Strategist at FireEye, still working for Kevin Mandia. (It's a small world. In April I will hit my five year anniversary with the Mandiant part of FireEye.)In 2015 my blogging frequency increased dramatically, with 55 posts, more than double my 2014 total of 23 and triple my 2013 output of 18. In 2012 I posted 60 stories, so I was close to that level in 2015. It's still nothing like my writing from 2003-2011 however!Why the drop over the years? I "blame" my @taosecurity Twitter account. With almost 36,000 followers, easy posting from mobile devices, and greater interactivity, Twitter is an addictive platform. I have authored roughly 16,000 Tweets since first posting in July 2009.Second, blogging used to be the primary way I could share my ideas with the community. These days, speaking and writing are a big part of my professional duties. I try to track media reports here and I archive my non-blog writing at my Academia.edu account.Third, time is precious, and blogging often takes a back seat. I'd rather spend time with my family, write and research my PhD, collaborate with think tanks, and so on.I still plan to keep blogging in 2016. Twitter's only a 140 character platform, and some days I have the time and inclination to share a few thoughts beyond what I've said or written for work. I have to decide if I want to write about strategy here, or move to another location.Thanks you to Google for providing me this free platform for the past 13 years, and to you for reading what I post. I'm one of the few original "security bloggers" still active, though not writing in the same way as I did in 2003.I realize my transition from technical details to strategic considerations has alienated some readers, but I am comfortable with my interests and I believe the greater security community needs to hear from people who think outside the tools and tactics box. This is especially true when the majority of the security community isn't aware they are inside such a box, or that there is another set of ideas and people available to contribute to the world's digital safety and security.TweetCopyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2018-01-08T14:47:20+00:00 http://taosecurity.blogspot.com/2016/01/happy-13th-birthday-taosecurity-blog.html www.secnews.physaphae.fr/article.php?IdArticle=456648 False None None None taosecurity - Blog Sécurité Chinois Longtime readers know that I have no problem with foreign countries replacing American vendors with local alternatives. For example, see Five Reasons I Want China Running Its Own Software. This is not a universal principle, but as an American I am fine with it. Putting my computer network operations (CNO) hat on, I want to share a few thoughts about the intersection of the anti-American vendor mindset with the recent Spectre and Meltdown attacks.There are probably non-Americans, who, for a variety of reasons, feel that it would be "safer" for them to run their cloud computing workloads on non-American infrastructure. Perhaps they feel that it puts their data beyond the reach of the American Department of Justice. (I personally feel that it's an over-reach by DoJ to try to access data beyond American borders, eg Microsoft Corp. v. United States.)The American intelligence community and computer network operators, however, might prefer to have that data outside American borders. These agencies are still bound by American laws, but those laws generally permit exploitation overseas.Now put this situation in the context of Spectre and Meltdown. Begin with the attack scenario mentioned by Nicole Perlroth, where an attacker rents a few minutes of time on various cloud systems, then leverages Spectre and/or Meltdown to try to gather sensitive data from other virtual machines on the same physical hardware.No lawyer or judge would allow this sort of attack scenario if it were performed in American systems. It would be very difficult, I think, to minimize data in this kind of "fishing expedition." Most of the data returned would belong to US persons and would be subject to protection. Sure, there are conspiracy theorists out there who will never trust that the US government follows its own laws. These people are sure that the USG already knew about Spectre and Meltdown and ravaged every American cloud system already, after doing the same with the "Intel Management Engine backdoors."In reality, US law will prevent computer network operators from running these sorts of missions on US cloud infrastructure. Overseas, it's a different story. Non US-persons do not enjoy the same sorts of privacy protections as US persons. Therefore, the more "domestic" (non-American) the foreign target, the better. For example, if the IC identified a purely Russian cloud provider, it would not be difficult for the USG to authorize a Spectre-Meltdown collection operation against that target.I have no idea if this is happening, but this was one of my first thoughts when I first heard about this new attack vector.Bonus: it's popular to criticize academics who research cybersecurity. They don't seem to find much that is interesting or relevant. However, academics played a big role in discovering Spectre and Meltdown. Wow!Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2018-01-05T10:18:35+00:00 http://taosecurity.blogspot.com/2018/01/spectre-and-meltdown-from-cno.html www.secnews.physaphae.fr/article.php?IdArticle=456067 False None None None taosecurity - Blog Sécurité Chinois My TaoSecurity News page says I taught 41 classes lasting a day or more, from 2002 to 2014. All of these involved some aspect of network security monitoring (NSM). Many times students would ask me when I would create the "advanced" version of the class, usually in the course feedback. I could never answer them, so I decided to do so in this blog post.The short answer is this: at some point, advanced NSM is no longer NSM. If you consider my collection - analysis - escalation - response model, NSM extensions from any of those phases quickly have little or nothing to do with the network.Here are a few questions I have received concerned "advanced NSM," paired with the answers I could have provided.Q: "I used NSM to extract a binary from network traffic. What do I do with this binary?"A: "Learn about reverse engineering and binary analysis."Or:Q: "I used NSM to extra Javascript from a malicious Web page. What do I do with this Javascript?"A: "Learn about Javascript de-obfuscation and programming."Or:Q: "I used NSM to capture an exchange between a Windows client and a server. What does it mean?"A: "Learn about Server Message Block (SMB) or Common Internet File System (CIFS)."Or:Q: "I used NSM to capture cryptographic material exchanged between a client and a server. How do I understand it?"A: "Learn about cryptography."Or:Q: "I used NSM to grab shell code passed with an exploit against an Internet-exposed service. How do I tell what it does?"A: "Learn about programming in assembly."Or:Q: "I want to design custom hardware for packet capture. How do I do that?"A: "Learn about programming ASICs (application specific integrated circuits)."I realized that I had the components of all of this "advanced NSM" material in my library. I had books on reverse engineering and binary analysis, Javascript, SMB/CIFS, cryptography, assembly programming, ASICs, etc.The point is that eventually the NSM road takes you to other aspects of the cyber security landscape.Are there *any* advanced area for NSM? One could argue that protocol analysis, as one finds in tools like Bro, Suricata, Snort, Wireshark, and so on constitute advanced NSM. However, you could just as easily argue that protocol analysis becomes more about understanding the programming and standards behind each of the protocols.In brief, to learn advanced NSM, expand beyond NSM.Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2017-12-04T11:30:48+00:00 http://taosecurity.blogspot.com/2017/12/on-advanced-network-security-monitoring.html www.secnews.physaphae.fr/article.php?IdArticle=444318 False None None None taosecurity - Blog Sécurité Chinois I am hopeful that President Trump will not block release of the remaining classified documents addressing the 1963 assassination of President John F. Kennedy. I grew up a Roman Catholic in Massachusetts, so President Kennedy always fascinated me.The 1991 Oliver Stone movie JFK fueled several years of hobbyist research into the assassination. (It's unfortunate the movie was so loaded with fictional content!) On the 30th anniversary of JFK's death in 1993, I led a moment of silence from the balcony of the Air Force Academy chow hall during noon meal. While stationed at Goodfellow AFB in Texas, Mrs B and I visited Dealey Plaza in Dallas and the Sixth Floor Museum.Many years later, thanks to a 1992 law partially inspired by the Stone movie, the government has a chance to release the last classified assassination records. As a historian and former member of the intelligence community, I hope all of the documents become public. This would be a small but significant step towards minimizing the culture of information leaking in Washington, DC. If prospective leakers were part of a system that was known for releasing classified information prudently, regularly, and efficiently, it would decrease the leakers' motivation to evade the formal declassification process.Many smart people have recommended improvements to the classification system. Check out this 2012 report for details.Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2017-10-21T15:43:50+00:00 http://taosecurity.blogspot.com/2017/10/how-to-minimize-leaking.html www.secnews.physaphae.fr/article.php?IdArticle=422105 False None None None taosecurity - Blog Sécurité Chinois Thursday evening Mrs B and I were pleased to attend an awards seminar for the Cybersecurity Canon. This is a project sponsored by Palo Alto Networks and led by Rick Howard. The goal is "identify a list of must-read books for all cybersecurity practitioners."Rick reviewed my fourth book The Practice of Network Security Monitoring in 2014 and someone nominated it for consideration in 2016. I was unaware earlier this year that my book was part of a 32-title "March Madness" style competition. My book won the five rounds, resulting in its conclusion in the 2017 inductee list! Thank you to all those that voted for my book.Ben Rothke awarded me the Canon trophy.Ben Rothke interviewed me prior to the induction ceremony. We discussed some current trends in security and some lessons from the book. I hope to see that interviewed published by Palo Alto Networks and/or the Cybersecurity canon project in the near future.In my acceptance speech I explained how I wrote the book because I had not yet dedicated a book to my youngest daughter, since she was born after my third book was published.A teaching moment at Black Hat Abu Dhabi in December 2012 inspired me to write the book. While teaching network security monitoring, one of the students asked "but where do I install the .exe on the server?"I realized this student had no idea of physical access to a wire, or using a system to collect and store network traffic, or any of the other fundamental concepts inherent to NSM. He thought NSM was another magical software package to install on his domain controller.Four foreign language editions.Thanks to the interpretation assistance of a local Arabic speaker, I was able to get through to him. However, the experience convinced me that I needed to write a new book that built NSM from the ground up, hence the selection of topics and the order in which I presented them.While my book has not (yet?]]> 2017-05-08T11:20:15+00:00 http://taosecurity.blogspot.com/2017/05/latest-book-inducted-into-cybersecurity.html www.secnews.physaphae.fr/article.php?IdArticle=363216 False None None None taosecurity - Blog Sécurité Chinois Periodically I read about efforts by China, or Russia, or North Korea, or other countries to replace American software with indigenous or semi-indigenous alternatives. I then reply via Twitter that I love the idea, with a short reason why. This post will list the top five reasons why I want China and other likely targets of American foreign intelligence collection to run their own software.1. Many (most?) non-US software companies write lousy code. The US is by no means perfect, but our developers and processes generally appear to be superior to foreign indigenous efforts. Cisco vs Huawei is a good example. Cisco has plenty of problems, but it has processes in place to manage them, plus secure code development practices. Lousy indigenous code means it is easier for American intelligence agencies to penetrate foreign targets. (An example of a foreign country that excels in writing code is Israel, but thankfully it is not the same sort of priority target like China, Russia, or North Korea.)2. Many (most?) non-US enterprises are 5-10 years behind US security practices. Even if a foreign target runs decent native code, the IT processes maintaining that code are lagging compared to American counterparts. Again, the US has not solved this problem by any stretch of the imagination. However, relatively speaking, American inventory management, patch management, and security operations have the edge over foreign intelligence targets. Because non-US enterprises running indigenous code will not necessarily be able to benefit from American expertise (as they might if they were running American code), these deficiencies will make them easier targets for foreign exploitation.3. Foreign targets running foreign code is win-win for American intel and enterprises. The current vulnerability equities process (VEP) puts American intelligence agencies in a quandary. The IC develops a zero-day exploit for a vulnerability, say for use against Cisco routers. American and Chinese organizations use Cisco routers. Should the IC sit on the vulnerability in order to maintain access to foreign targets, or should it release the vulnerability to Cisco to enable patching and thereby protect American and foreign systems?This dilemma disappears in a world where foreign targets run indigenous software. If the IC identifies a vulnerability in Cisco software, and the majority of its targets run non-Cisco software, then the IC is more likely (or should be pushed to be more likely) to assist with patching the vulnerable software. Meanwhile, the IC continues to exploit Huawei or other products at its leisure.4. Writing and running indigenous code is the fastest way to improve. When foreign countries essentially outsource their IT to vendors, they become program managers. They lose or never develop any ability to write and run quality software. Writing and running your own code will enroll foreign organizations in the security school of hard knocks. American intel will have a field day for 3-5 years against these targets, as they flail around in a perpetual state of compromise. However, if they devote the proper native resources and attention, they will learn from their mistakes. They will write and run better software. Now, this means they will become harder targets for American intel, but American intel will retain the advantage of point 3.5. Trustworthy indigenous code will promote international stability. Countries like China feel especially vulnerable to American exploitation. They have eve]]> 2017-03-23T10:26:11+00:00 http://taosecurity.blogspot.com/2017/03/five-reasons-i-want-china-running-its.html www.secnews.physaphae.fr/article.php?IdArticle=361041 False Guideline None None taosecurity - Blog Sécurité Chinois FireEye released the 2017 edition of the Mandiant M-Trends report yesterday. I've been a fan of this report since the 2010 edition, before I worked at the company.Curiously for a report with the name "trends" in the title, this and all other editions do not publish the sorts of yearly trends I would expect. This post will address that limitation.The report is most famous for its "dwell time" metric, which is the median (not average, or "mean") number of days an intruder spends inside a target company until he is discovered.Each report lists the statistic for the year in consideration, and compares it to the previous year. For example, the 2017 report, covering incidents from 2016, notes the dwell time has dropped from 146 days in 2015, to 99 days in 2016.The second most interesting metric (for me) is the split between internal and external notification. Internal notification means that the target organization found the intrusion on its own. External notification means that someone else informed the target organization. The external party is often a law enforcement or intelligence agency, or a managed security services provider. The 2016 split was 53% internal vs 47% external.How do these numbers look over the years that the M-Trends report has been published? Inquiring minds want to know.The 2012 M-Trends report was the first edition to include these statistics. I have included them for that report and all subsequent editions in the table below. Year Days Internal External 2011 416 6 94 2012 243 37 63 2013 229 33 67 2014 205 31 69 2015 146 47 53 2016 99 53 47 As you can see, all of the numbers are heading in the right direction. We are finally into double digits for dwell time, but over 3 months is still far too long. Internal detection continues to rise as well. This is a proxy for the maturity ]]> 2017-03-23T08:43:25+00:00 http://taosecurity.blogspot.com/2017/03/the-missing-trends-in-m-trends-2017.html www.secnews.physaphae.fr/article.php?IdArticle=361044 False None None None taosecurity - Blog Sécurité Chinois Last month I retweeted an image labelled "The Map of Cybersecurity Domains (v1.0)". I liked the way this graphic divided "security" into various specialties. At the time I did not do any research to identify the originator of the graphic.Last night before my Brazilian Jiu-Jitsu class I heard some of the guys talking about certifications. They were all interested in "cybersecurity" but did not know how to break into the field. The domain image came to mind as I mentioned that I had some experience in the field. I also remembered an article Brian Krebs asked me to write titled "How to Break Into Security, Bejtlich Edition," part of a series on that theme. I wrote:Providing advice on “getting started in digital security” is similar to providing advice on “getting started in medicine.” If you ask a neurosurgeon he or she may propose some sort of experiment with dead frog legs and batteries. If you ask a dermatologist you might get advice on protection from the sun whenever you go outside. Asking a “security person” will likewise result in many different responses, depending on the individual's background and tastes.I offered to help the guys in my BJJ class find the area of security that interests them and get started in that space. I thought the domains graphic might facilitate that conversation, so I decided to identify the originator so as to give proper credit.It turns out that that CISO at Oppenheimer & Co, Henry Jiang, created the domains graphic. Last month at LinkedIn he published an updated Map of Cybersecurity Domains v2.0:Map of Cybersecurity Domains v2.0 by Henry JiangIf I could suggest a few changes for an updated version, I would try to put related disciplines closer to each other. For example, I would put the Threat Intelligence section right next to Security Operations. I would also swap the locations of Risk Assessment and Governance. Governance is closer to the Framework and Standard arena. I would also move User Education to be near Career Development, since both deal with people.On a more substantive level, I am not comfortable with the Risk Assessment section. Blue Team and Red Team are not derivatives of a Penetration test, for example. I'm not sure how to rebuild that section.These are minor issues overall. The main reason I like this graphic is that it largely captures the vario]]> 2017-03-21T09:17:10+00:00 http://taosecurity.blogspot.com/2017/03/cybersecurity-domains-mind-map.html www.secnews.physaphae.fr/article.php?IdArticle=361042 False None None None taosecurity - Blog Sécurité Chinois Exactly six years ago today I announced that I was joining Mandiant to become the company's first CSO. Today is my last day at FireEye, the company that bought Mandiant at the very end of 2013.The highlights of my time at Mandiant involved two sets of responsibilities.First, as CSO, I enjoyed working with my small but superb security team, consisting of Doug Burks, Derek Coulsen, Dani Jackson, and Scott Runnels. They showed that "a small team of A+ players can run circles around a giant team of B and C players."Second, as a company spokesperson, I survived the one-of-a-kind ride that was the APT1 report. I have to credit our intel and consulting teams for the content, and our marketing and government teams for keeping me pointed in the right direction during the weeks of craziness that ensued.At FireEye I transitioned to a strategist role because I was spending so much time talking to legislators and administration officials. I enjoyed working with another small but incredibly effective team: government relations. Back by the combined FireEye-Mandiant intel team, we helped policy makers better understand the digital landscape and, more importantly, what steps to take to mitigate various risks.Where do I go from here?Twenty years ago last month I started my first role in the information warfare arena, as an Air Force intelligence officer assigned to Air Intelligence Agency at Security Hill in San Antonio, Texas. Since that time I've played a small part in the "cyber wars," trying to stop bad guys while empowering good guys.I've known for several years that my life was heading in a new direction. It took me a while, but now I understand that I am not the same person who used to post hundreds of blog entries per year, and review 50 security books per year, and write security books and articles, and speak to reporters, and testify before Congress, and train thousands of students worldwide.That mission is accomplished. I have new missions waiting.My near-term goal is to identify opportunities in the security space which fit with my current interests. These include:Promoting open source software to protect organizations of all sizesAdvising venture capitalists on promising security start-upsHelping companies to write more effective security job descriptions and to interview and select the best candidates availableMy intermediate-term goal is to continue my Krav Maga training, which I started in January 2016. My focus is the General Instructor Course pr]]> 2017-03-17T08:00:00+00:00 http://taosecurity.blogspot.com/2017/03/bejtlich-moves-on.html www.secnews.physaphae.fr/article.php?IdArticle=361043 False None APT 1 None taosecurity - Blog Sécurité Chinois 2011 Article "Become a Hunter"The term "threat hunting" has been popular with marketers from security companies for about five years. Yesterday Anton Chuvakin asked about the origin of the term.I appear to have written the first article describing threat hunting in any meaningful way. It was published in the July-August 2011 issue of Information Security Magazine and was called "Become a Hunter." I wrote it in the spring of 2011, when I was director of incident response for GE-CIRT. Relevant excerpts include:"To best counter targeted attacks, one must conduct counter-threat operations (CTOps). In other words, defenders must actively hunt intruders in their enterprise. These intruders can take the form of external threats who maintain persistence or internal threats who abuse their privileges. Rather than hoping defenses will repel invaders, or that breaches will be caught by passive alerting mechanisms, CTOps practitioners recognize that defeating intruders requires actively detecting and responding to them. CTOps experts then feed the lessons learned from finding and removing attackers into the software development lifecycle (SDL) and configuration and IT management processes to reduce the likelihood of future incidents...In addition to performing SOC work, CTOps requires more active, unstructured, and creative thoughts and approaches. One way to characterize this more vigorous approach to detecting and responding to threats is the term “hunting.” In the mid-2000s, the Air Force popularized the term “hunter-killer” for a missions whereby teams of security experts performed “friendly force projection” on their networks. They combed through data from systems and in some cases occupied the systems themselves in order to find advanced threats. The concept of “hunting” (without the slightly more aggressive term “killing”) is now gaining ground in the civilian world.2013 Book "The Practice of NSM"If the SOC is characterized by a group that reviews alerts for signs of intruder action, the CIRT is recognized by the likelihood that senior analysts are taking junior analysts on “hunting trips.” A senior investigator who has discovered a novel or clever way to possibly detect intruders guides one or more junior analysts through data and systems looking for signs of the enemy. Upon validating the technique (and responding to any enemy actions), the hunting team should work to incorporate the new detection method in]]> 2017-03-14T10:33:39+00:00 http://taosecurity.blogspot.com/2017/03/the-origin-of-threat-hunting.html www.secnews.physaphae.fr/article.php?IdArticle=361045 False None None None taosecurity - Blog Sécurité Chinois Chris Sanders started a poll on Twitter asking "Would you rather get a real-time alert with partial context immediately, or a full context alert delayed by 30 mins?" I answered by saying I would prefer full context delayed by 30 minutes. I also replied with the text at left, from my first book The Tao of Network Security Monitoring (2004). It's titled "Real Time Isn't Always the Best Time."Dustin Webber then asked "if you have [indicators of compromise] IOC that merit 'real-time' notification then you should be in the business of prevention. Right?"Long ago I decided to not have extended conversations over Twitter, as well as to not try to compress complex thoughts into 140 characters -- hence this post!There is a difference, in my mind, between high-fidelity matching (using the vernacular from my newest book, The Practice of Network Security Monitoring, 50% off now with code RSAREADING) and prevention.To Dustin's point, I agree that if it is possible to generate a match (or "alert," etc.) with 100% accuracy (or possibly near 100%, depending on the severity of the problematic event), i.e., with no chance or almost no chance of a false positive, then it is certainly worth seeking a preventive action for that problematic event. To use a phrase from the last decade, "if you can detect it, why can't you prevent it?"However, there are likely cases where zero- or low-false positive events do not have corresponding preventive actions. Two come to mind.First, although you can reliably detect a problem, you may not be able to do anything about it. The security team may lack the authority, or technical capability, to implement a preventive action.Second, although you can reliably detect a problem, you may not want to do anything about it. The security team may desire to instead watch an intruder until such time that containment or incident mitigation is required.This, then, is my answer to Dustin's question!Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2017-02-13T18:22:47+00:00 http://taosecurity.blogspot.com/2017/02/does-reliable-real-time-detection.html www.secnews.physaphae.fr/article.php?IdArticle=361046 False None None None taosecurity - Blog Sécurité Chinois Yesterday my friend Bamm Visscher published a series of Tweets on detection. I thought readers might like to digest it as a lightly edited blog post. Here, then, is the first ever (as far as I can remember) guest post on TaoSecurity Blog. Enjoy.When you receive new [threat] intel and apply it in your detection environment, keep in mind all three analysis opportunities: RealTime, Batch, and Hunting.If your initial intelligence analysis produces high context and quality details, it's a ripe candidate for RealTime detection.If analysts can quickly and accurately process events generated by the [RealTime] signature, it's a good sign the indicator should be part of RealTime detection. If an analyst struggles to determine if a [RealTime alert] has detected malicious activity, it's likely NOT appropriate for RealTime detection.If [the threat] intelligence contains limited context and/or details, try leveraging Batch Analysis with scheduled data reports as a better detection technique. Use Batch Analysis to develop better context (both positive and negative hits) to identify better signatures for RealTime detection.Hunting is the soft science of detection, and best done with a team of diverse skills. Intelligence, content development, and detection should all work together. Don't fear getting skunked on your hunting trips. Keep investing time. The rewards are accumulative. Be sure to pass Hunting rewards into Batch Analysis and RealTime detection operations in the form of improved context.The biggest mistake organizations make is not placing emphasis outside of RealTime detection, and "shoe-horning" [threat] intelligence into RealTime operations. So called "Atomic Indicators" tend to be the biggest violator of shoe-horning. Atomic indicators are easy to script into signature driven detection devices, but leave an analyst wondering what he is looking at and for.Do not underestimate the NEGATIVE impact of GOOD [threat] intelligence inappropriately placed into RealTime operations! Mountains of indiscernible events will lead to analyst fatigue and increase the risk of good analyst missing a real incident.Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2017-02-12T07:59:45+00:00 http://taosecurity.blogspot.com/2017/02/guest-post-bamm-visscher-on-detection.html www.secnews.physaphae.fr/article.php?IdArticle=361047 False Guideline None None taosecurity - Blog Sécurité Chinois TaoSecurity Books page, you will see two different types of books. The first type involves books which list me as author or co-author. The second involves books to which I have contributed a chapter, section, or foreword.This post will only discuss books which list me as author or co-author.In July 2004 I published The Tao of Network Security Monitoring: Beyond Intrusion Detection. This book was the result of everything I had learned since 1997-98 regarding detecting and responding to intruders, primarily using network-centric means. It is the most complete examination of NSM philosophy available. I am particularly happy with the NSM history appendix. It cites and summarizes influential computer security papers over the four decade history of NSM to that point.The main problem with the Tao is that certain details of specific software versions are very outdated. Established software like Tcpdump, Argus, and Sguil function much the same way, and the core NSM data types remain timeless. You would not be able to use the Bro chapter with modern Bro versions, for example. Still, I recommend anyone serious about NSM read the Tao.The introduction describes the Tao using these words:Part I offers an introduction to Network Security Monitoring, an operational framework for the collection, analysis, and escalation of indications and warnings (I&W) to detect and respond to intrusions.   Part I begins with an analysis of the terms and theory held by NSM practitioners.  The first chapter discusses the security process and defines words like security, risk, and threat.  It also makes assumptions about the intruder and his prey that set the stage for NSM operations.  The second chapter addresses NSM directly, explaining why NSM is not implemented by modern NIDS' alone.  The third chapter focuses on deployment considerations, such as how to access traffic using hubs, taps, SPAN ports, or inline devices.  Part II begins an exploration of the NSM “product, process, people” triad.  Chapter 4 is a case study called the “reference intrusion model.”  This is an incident explained from the point of view of an omniscient observer.  During this intrusion, the victim collected full content data in two locations.  We will use those two trace files while explaining the tools discussed in Part II.  Following the reference intrusion model, I devote chapters to each of the four types of data which must be collected to perform network security monitoring – full content, session, statistical, and alert data.  Each chapter describes open source tools tested on the FreeBSD operating system and available on other UNIX derivatives.  Part II also includes a look at tools to ma]]> 2017-02-09T10:36:49+00:00 http://taosecurity.blogspot.com/2017/02/bejtlich-books-explained.html www.secnews.physaphae.fr/article.php?IdArticle=361048 False Guideline None None taosecurity - Blog Sécurité Chinois Today I had the chance to meet the man who unintentionally invented the modern digital forensics practice, Cliff Stoll. In 1989 he published a book about his 1986-87 detection and response against KGB-backed spies who hacked his lab and hundreds of government, military, and university computers. I read his book in high school and it later inspired my military and private computer security services. Cliff was kind enough to take a photo with me today at the SANS Institute Cyber Threat Intelligence Summit in Virginia.Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2017-02-01T09:19:15+00:00 http://taosecurity.blogspot.com/2017/01/meeting-cliff-stoll.html www.secnews.physaphae.fr/article.php?IdArticle=361049 False None None None taosecurity - Blog Sécurité Chinois Over the years fans of this blog have asked if I would consider selling merchandise with the TaoSecurity logo. When I taught classes for TaoSecurity from 2005-2007 I designed T-shirts for my students and provided them as part of the registration package. This weekend I decided to exercise my creative side by uploading some designs to TeePublic.TeePublic offers clothing along with mugs, phone cases, notebooks, and other items.Two are based on the TaoSecurity logo. One includes the entire logo, along with the company motto of "The Way of Digital Security." The second is a close-up of the TaoSecurity S, which is a modified yin-yang symbol.Two other designs are inspired by network security monitoring. One is a 1989-era map of MilNet, the United States' military network. This image is found in many places on the Internet, and I used it previously in my classes. The second is a close-up of a switch and router from the TaoSecurity labs. I used this equipment to create packet captures for teaching network security monitoring.I hope you like these designs. I am particularly partial to the TaoSecurity Logo mug, the TaoSecurity S Logo Mug, and TaoSecurity S Logo t-shirt.Let me know what you think via comments here.Update 28 Dec 2016:Check out the MilNet mug!Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2016-12-28T11:50:45+00:00 http://taosecurity.blogspot.com/2016/12/check-out-my-teepublic-designs.html www.secnews.physaphae.fr/article.php?IdArticle=361050 False None None None taosecurity - Blog Sécurité Chinois PhD. Articles like Nothing Brings Banks Together Like A Good Hack drive me up the wall, however, and a Tweet rant is insufficient. What fired me up, you might ask? Please read the following excerpt:[Troels] Oerting, with no small dose of grudging admiration, says his adversaries excel at something that can't be addressed with deep pockets or killer software: They're superb networkers. “The organized crime groups in cyber are sharing much better than we are at the moment,” says Oerting, a Dane with a square jaw and the watchful eyes of a cop who's investigated the underworld for 35 years. “They are sharing methodologies, knowledge, tools, practices-what works and what doesn't.”Statements like these are regularly submitted without evidence. In response, I provide five sources of evidence why organized crime groups do not share more than defenders.1. Solution providers share. Both commercial and not-for-profit solution providers share enormous amounts of information on the security landscape. Some of it is free, and some of it is sold as products or consulting. Thousands of security companies and not-for-profit providers compete for your attention, producing white papers, Webinars, and other resources. You might argue that all of them claim to be the answer to your problem. However, this situation is infinitely better than the 1980s and early 1990s. Back then, hardly any solutions, or even security companies and organizations, existed at all.Criminal solution providers share, but they do so by selling their wares. This is true for the open world as well, but the volume of the open world is orders of magnitude greater.2. Government agencies share. My fellow Americans, has your organization you been visited by the FBI? Federal agents notified more than 3,000 U.S. companies [in 2013] that their computer systems had been hacked. The agents didn't just walk in, drop a letter, and leave. If a relationship did not exist previously, it will now be developed.Beyond third party breach notifications, agencies such as NIST, DHS, and others regularly share information with organizations. They may not share as much as we would like, but again, historical perspective reveals great progress.3. Books, articles, and social media share. The amount of readable material on security is astounding. Again, in the late 1980s and early 1990s hardly any books or articles were available. Now, thousands of resources exist, with new material from publishers like No Starch arriving monthly. Where are the books written by the underground?4. Security conferences share. You could spend every week of the year at a security conference. If you happen to miss a talk, it's likely the incomparable Iron Geek recorded it. Does the underground offer similar opportunities?5. Private groups and limited information exchange groups share. A final category of defender sharing takes place in more controlled settings. These involve well-established Information Sharing and Analysis Centers (ISACs), developing Information Sharing and Analysis Organizations (ISAOs), and private mailing lists and forums with limited membership. These could possibly be the closest analogue to the much-esteemed underground. Even if you disregard points 1-4 above, the quality of information shared in this final category a]]> 2016-10-18T11:17:49+00:00 http://taosecurity.blogspot.com/2016/10/five-ways-that-good-guys-share-more.html www.secnews.physaphae.fr/article.php?IdArticle=361051 False None None None taosecurity - Blog Sécurité Chinois In January I posted Why a War Studies PhD? I recently decided to revise my title and abstract to include attention to both offensive and defensive aspects of intrusion campaigns.I thought some readers might be interested in reading about my current plans for the thesis, which I plan to finish and defend in early 2018.The following offers the title and abstract for the thesis.Network Intrusion Campaigns: Operational Art in Cyberspace Campaigns, Not Duels: The Operational Art of Cyber Intrusions*Intruders appear to have the upper hand in cyberspace, eroding users' trust in networked organizations and the data that is their lifeblood. Three assumptions prevail in the literature and mainstream discussion of digital intrusions. Distilled, these assumptions are that attacks occur at blinding speed with immediate consequences, that victims are essentially negligent, and that offensive initiative dominates defensive reaction. This thesis examines these assumptions through two research questions. First, what characterizes network intrusions at different levels of war? Second, what role does operational art play in network intrusion campaigns? By analyzing incident reports and public cases, the thesis refutes the assumptions and leverages the results to improve strategy.  The thesis reveals that strategically significant attacks are generally not "speed-of-light" events, offering little chance for recovery.  Digital defenders are hampered by a range of constraints that reduce their effectiveness while simultaneously confronting intruders who lack such restrictions. Offense does not necessarily overpower defense, constraints notwithstanding, so long as the defenders conduct proper counter-intrusion campaigns. The thesis structure offers an introduction to the subject, and an understanding of cybersecurity challenges and trade-offs. It reviews the nature of digital intrusions and the levels of war, analyzing the interactions at the levels of tools/tactics/technical details, operations and campaigns, and strategy and policy. The thesis continues by introducing historical operational art, applying lessons from operational art to network intrusions, and applying lessons from network intrusions to operational art. The thesis concludes by analyzing the limitations of operational art in evolving digital environments.*See the post Updated PhD Thesis Title for details on the new title.Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2016-06-28T09:42:23+00:00 http://taosecurity.blogspot.com/2016/06/latest-phd-thesis-title-and-abstract.html www.secnews.physaphae.fr/article.php?IdArticle=361053 False None None None taosecurity - Blog Sécurité Chinois Yesterday I posted Latest PhD Thesis Title and Abstract. One of my colleagues Ben Buchanan subsequently contacted me via Twitter and we exchanged a few messages. He prompted me to think about the title.Later I ruminated on the title of a recent book by my advisor, Dr. Thomas Rid. He wrote Cyber War Will Not Take Place. One of the best parts of the book is the title. In six words you get his argument as succinctly as possible. (It could be five words if you pushed "cyber" and "war" together, but the thought alone makes me cringe, in the age of cyber-everything.)I wondered if I could transform my latest attempt at a thesis title into something that captured my argument in a succinct form.I thought about the obsession of the majority of the information security community on the tool and tactics level of war. Too many technicians think about security as a single-exchange contest between an attacker and a defender, like a duel.That reminded me of a problem I have with Carl von Clausewitz's definition of war.We shall not enter into any of the abstruse definitions of war used by publicists. We shall keep to the element of the thing itself, to a duel. War is nothing but a duel on an extensive scale.- On War, Chapter 1Clausewitz continues by mentioning "the countless number of duels which make up a war," and then makes his famous statement that "War therefore is an act of violence to compel our opponent to fulfill our will." However, I've never liked the tactically-minded idea that war is a "duel."This concept, plus the goal to deliver a compact argument, inspired me to revise my thesis title and subtitle to the following:Campaigns, Not Duels: The Operational Art of Cyber IntrusionsIn the first three words I deliver my argument, and in the subtitle I provide context by including my key perspective ("operational art"), environment ("cyber," yes, a little part of me is dying, but it's a keyword), and "intrusions."When I publish the thesis as a book in 2018, I hope to use the same words in the book title.Copyright 2003-2016 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)]]> 2016-06-27T11:24:15+00:00 http://taosecurity.blogspot.com/2016/06/updated-phd-thesis-title.html www.secnews.physaphae.fr/article.php?IdArticle=361052 False None None None