SoylentNews is people

posted by janrinok on Monday July 20 2015, @01:54PM
from the penny-is-dropping dept.

Imagine a security researcher has plucked your customer invoice database from a command and control server. You're nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how.

But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction.

That's my takeaway after exploring the cyber crime attribution debate for several months, and although it's not the industry's unanimous position: defence intelligence officials, top security thinkers, serving CISOs, ex-cops, and former bank boffins speaking don't entirely agree on the value of pinning a hack on an individual or group.

A case in point: top security boffins from security firm FireEye -- which carves a name for itself identifying malware groups -- offered polarised opinions on the worth of attribution in two articles posted within 10 days on the very same news site.

That difference of opinion between two senior security people in one of the world's top infosec firms shows that while identifying actors is simultaneously a difficult and expensive diversion of resources, it can also identify how attacks were executed.

Threat intelligence marketers and executives are two forces driving the need for actor attribution. The former is riding something of an industry boom and has irked William Peteroy, owner of startup ICEBRG, and a former security incident responder at Microsoft and technical director of the US Department of Defence's offensive hacker red team.

He and Microsoft mate Paul McKitrick detailed at the Kiwicon conference in Wellington last year what they see as the snake oil elements of threat intelligence, including unnecessary bolt-ons, feeds, and emphasis on actor attribution.

"Attribution has largely become an exercise in scaring potential customers with marketing fear uncertainty and doubt," Peteroy says. "Our main goal in that part of the talk was to call out a lot of the FUD around threat intelligence marketing; specifically we feel like it places emphasis on attribution and quantity rather than actionable components like context and confidence."

Source: SANS whitepaper [PDF]


  • (Score: 2) by archfeld on Monday July 20 2015, @06:50PM


    Send a few of these delinquents to prison for 25 years and suddenly others might think of something else better to do with their time. We've been letting them get away with it for 20 years and it hasn't helped, time to try the ROD, with a few MAXIMUM whacks. Hacking into a 50,000$ server should easily get you 20 years in prison...

    --
    For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge