Special COIN bullet designed to only kill insurgents is like IT Security looking for a special APT detector
What? A special bullet that is designed just to kill insurgents? That’s ridiculous.
Well, of course it is. No one in their right mind at the Pentagon and no chief on the Joint Chiefs of Staff would ever propose something like that. They wouldn’t because, first of all, it’s not possible to create a bullet that only kills insurgents. If it were, BAE Systems, Lockheed, or any number of defense contractors out there would have come up with it.
When the United States first realized this shift in warfare towards non-uniformed combatants, with women pulling Kalashnikovs out of their dresses and killing our soldiers, or a family driving up to a US military checkpoint in a Volkswagen and detonating it, looking for a special COIN bullet to be made is exactly what we did not do. What we did is adapt to our new threat. We studied and operationalized new tactics, techniques, and procedures (TTPs) for fighting in COIN operations (Army Field Manual – Tactics in Counterinsurgency (FM-90-8, FM-7-98), April 2009), ramped up our intelligence and counter-intelligence capabilities, and created new training grounds for capacity building, teaching our warfighters how to fight in this new urban battlespace.
So why then are we in IT risk management looking to technology to fight this new Advanced Persistent Threat (APT)? The fact of the matter is, much like the ludicrous (no, not the R&B singer) idea of creating a special COIN bullet wouldn’t work for defending against insurgent threats, the idea of pursuing the creation of a special APT detection and response technology is nonsensical (nonsensical (adj.): lacking intelligible meaning; foolish; absurd) as well.
What we need to do instead is start adapting to this new threat and learning: not buying new technology, but learning how to identify it more quickly than we do today and respond to it more effectively using the great tools that are already available to us. The problem is, we’re not looking at the logs, events, and alarms that are already being generated by the great technologies businesses are already using.
Because, let’s face it, we aren’t facing the same 14-year-olds picking their noses in their bedrooms and defacing web sites after school with auto-defacers and wu-ftpd scanners. We’re facing heavily funded, very sophisticated threats now, many of whom work for the intelligence agencies of rogue nation states. They are trolling your LinkedIn profiles and looking at those recommendations to see who in your organization they can pretend to be when spear phishing you. “Yes, I said it! It had to be said!” (shameless Chris Rock reference). Yes, multinational corporations are having their intellectual property and trade secrets stolen at unprecedented rates, not by “skript kiddies” but by soldiers wearing uniforms sitting behind a computer monitor. A recent survey by ASIS International estimated the annual value of stolen corporate intellectual property at $300 Bn in the United States alone, and more than $1 Tn globally. Yes, that’s a capital “T” — Trillion dollars globally.
I listen to a lot of NPR (National Public Radio) — and there was this story on the growing problem of alarms, beeps, and noises in emergency rooms. This constant noise is causing nurses to tune it out — a sort of deafness to the alarms going on around them — or alarm fatigue. They are being inundated with so much noise that they are ignoring alarms for real issues, causing harm to patients. I see this same problem happening in information security. Our IT organizations are turning a deaf ear to all the noise and just turning it off, leaving alerts for real threats ignored.
So what’s the answer? Human analytic rigor. See, I eventually got to my point. Understanding and looking at the logs and events that are being generated while these APT attacks are in progress. Our firm, Brier & Thorn (yes, shameless plug, but come on, you’ve read the same social network marketing books I have), has responded to numerous APT incidents in which significant amounts of data left the network, including biotechnology companies whose cancer treatment and drug trial data left the network in petabytes over an eight-month period. Several tickets were closed in that time span as false positives. No one once thought to look at the netflow graphs from the switches, which would have shown that network utilization had more than doubled overnight when the data started to leave the building. Was it some fancy APT detection device specially designed to detect APTs? No, a free, open source tool they could have downloaded from the web.
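As an added illustration of the netflow check described above (example code written for this page, not code from the post or from Brier & Thorn), the following Python flags days whose outbound volume more than doubles against a fixed known-good baseline and totals how much left above that baseline; the daily egress figures and dates are constructed sample data.

```python
"""Spot the jump the post describes: outbound volume more than doubling
overnight, visible in flow summaries the switches were already producing."""
from statistics import median

GIB = 1024 ** 3

# Constructed sample: total outbound bytes per day as a flow collector would
# summarise them, (YYYY-MM-DD, bytes). Days 1-10 are a steady baseline; from
# day 11 the volume jumps and stays high, the shape of a sustained exfiltration.
DAILY_EGRESS = [
    ("2014-03-01", 38 * GIB), ("2014-03-02", 41 * GIB), ("2014-03-03", 40 * GIB),
    ("2014-03-04", 37 * GIB), ("2014-03-05", 42 * GIB), ("2014-03-06", 39 * GIB),
    ("2014-03-07", 44 * GIB), ("2014-03-08", 36 * GIB), ("2014-03-09", 40 * GIB),
    ("2014-03-10", 43 * GIB), ("2014-03-11", 97 * GIB), ("2014-03-12", 102 * GIB),
    ("2014-03-13", 99 * GIB),
]


def egress_spikes(daily, baseline_days=7, ratio=2.0):
    """Return (flagged_days, baseline_bytes).

    The baseline is the median of the first `baseline_days` days and stays
    fixed on purpose: a rolling average would absorb a sustained exfiltration
    into the new "normal" within a few days, which is exactly how months of
    leakage end up closed as false positives. A median is used so one odd day
    in the known-good period does not distort the reference.
    """
    if len(daily) <= baseline_days:
        raise ValueError("need more days than the baseline window")
    baseline = median([b for _, b in daily[:baseline_days]])
    flagged = [(day, vol) for day, vol in daily[baseline_days:]
               if vol > ratio * baseline]
    return flagged, baseline


def excess_over_baseline(flagged, baseline):
    """Bytes above baseline across flagged days: a rough size of what left."""
    return sum(vol - baseline for _, vol in flagged)


if __name__ == "__main__":
    flagged, base = egress_spikes(DAILY_EGRESS)
    print(f"baseline {base / GIB:.0f} GiB/day")
    for day, vol in flagged:
        print(f"{day}: {vol / GIB:.0f} GiB ({vol / base:.1f}x baseline)")
    print(f"excess over baseline: {excess_over_baseline(flagged, base) / GIB:.0f} GiB")
```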
Okay, in anticipation of getting hate mail from all of the VC-funded technology startups out there making COIN bullets — I mean — APT detection technologies: there is some wildly cool tech out there aiming to do just that! AAMOF, I even worked closely with one in its initial days, when the company first started, as we tried to productize the Indicators of Compromise from our APT investigations (CyberFlow Analytics). So maybe that COIN bullet for information security really is just around the corner. I’ll never say that something is impossible, but what I will say is this. Even with the APT detection technologies that are available in the market today, even the ones that come out tomorrow, you’ll still need a human behind them to make sense of the data, analyze it, and respond to it. You’ll still need a SIEM like AlienVault, an MSSP with a SOC full of analysts to monitor and respond to it, or a central log solution like Splunk to put everything in your enterprise in one place. The point is, it isn’t about the technology.
“If you wouldn’t choose a plumber for the type of wrench she uses, then why would you choose an MSSP because of the SIEM they use?”
The fact is this: there will still be false positives, heck, even false negatives. At the end of the day, the net-net is, “what can be made by humans, can be broken by humans. – Alissa Knight” (trademarked and copyrighted, patented, and registered with the USPTO by Alissa Knight – you owe me royalties if you repeat that quote.)
P.S. Can the security vendors out there please stop using the Anonymous images for their advertisements? It’s ridiculous. That’s like the US military using pictures of ISIS on their recruiting posters and advertisements.