Bejtlich Considered Wrong (For A Change)

Thomas Ptacek | July 13th, 2006 | Filed Under: Defenses

“Of course insiders cause fewer security incidents” preaches Richard Bejtlich, citing a SANS editor working backwards from a Computer Associates press release (really. CA.) to trendspot a “rising external threat”. Just noticing this indicates the editor “fell for the 80% myth”, which myth says that 80% of attacks are internal and is called out as a myth in Bejtlich’s own book, which book you should buy even though Bejtlich thinks “internal 80%” is a myth.

I have no earthly clue what the actual numbers are, and neither does SANS or Bejtlich (although maybe Computer Associates cracked the code), but let me point out two things:

  • By quantifiable damage, internal incidents almost certainly dwarf external incidents. Slammer was bad, but I worked with global FIs that got hit by it, and I’ve worked with companies that had real internal incidents, and, Richard, not the same league. Not even the same sport.

  • If you constrain your definition of “attack” to “things typically detected by network security monitoring tools” (of any stripe), you have a pretty serious selection bias. To approach the true number, remove “network” from the equation.

Richard confuses threats with countermeasures, saying:

Since organizations have the tools to largely remove the insider threat, but security incidents continue to be a problem, insiders must be dwarfed by the size of the outsider threat community.

… and I’m not sure I buy the syllogism either. What does “ability to locate, fire, and prosecute attackers” have to do with “number of attackers”? People get caught stealing office supplies too. Where are you drawing the line on “internal attack”? They don’t all halt trading.

6 Comments so far

  • wpn

    July 13th, 2006 3:18 pm

    >Where are you drawing the line on “internal attack”? They don’t all halt trading.

    Good point. The definition of “security incident” can range from turf wars over the root password on a shared server to deliberate destruction of data in a fit of pique. There is still a big disconnect, in my experience, between recognizing something as an internal security incident and taking disciplinary action on it. The most frustrating thing for a security person is trying to protect systems against an employee who is repeatedly violating policy and yet is still being protected by his management.

    Besides, when you’re looking at an incident on your systems, you won’t know at first whether it’s really caused by an insider or an external attacker. Who’s running nmap without permission? It’s coming from Joe’s machine. Is Joe doing it, or has someone taken over his login? You treat the attack the same way until you figure out who it is; after that, the steps you take are usually radically different based on whether you’re going to take disciplinary action, prosecute, or just bar the door and hope it doesn’t happen again.

  • Richard Bejtlich

    July 14th, 2006 9:21 pm

    I’ve worked $10 million dollar external attacker incidents. How’s that for quantifiable damage?

    I am not confusing threats with countermeasures. When I say remove the internal threat, I literally mean remove the internal threat — walking people out the door and removing all access to their previous employers.

  • Thomas Ptacek

    July 14th, 2006 11:36 pm

    What I’m asking is, what does your ability to fire an employee have to do with the number of rogue employees you’re likely to have?

    Throwing damage numbers we’ve seen seems crass. CardSystems was internal, and fatal. My response to 10MM is, halt trading, see how fast you can lap that number.

  • Richard Bejtlich

    July 18th, 2006 8:43 am

    External intruder (“outsider”) scenario:

    1. Outsider attacks and compromises victim.
    2. Victim recovers, outsider remains at large.
    3. Return to step 1, except add to the number of outsiders.

    Internal intruder (“insider”) scenario:

    1. Insider attacks and compromises victim.
    2. Victim recovers, and removes insider.
    3. The insider population has decreased. Until a new malicious insider is hired, the threat has actually decreased — as opposed to the external intruder scenario.

  • Thomas Ptacek

    July 18th, 2006 10:11 am

    Again I perceive you’re confusing countermeasures with threats.

    The “until a malicious insider is hired” clause is as meaningful as “until a new outsider gains access to the internal network”. Both are functions of a practically unlimited population of bad actors.

  • Chris_B

    July 19th, 2006 6:04 am

    Pardon me for intruding, but the problem with the whole debate is that the terms are not qualified. In that sense Richard is just as wrong as what he tries to refute. I’m not even sure the terms can be qualified or the statement can be made meaningful without 20 pages of disclaimers.
