Dailydave mailing list archives
Re: Late Friday thoughts on the Kevin Mandia RSAC keynote.
From: "Halvar Flake" <HalVar () gmx de>
Date: Tue, 25 Mar 2014 22:52:45 +0100
Hey all,

I will stay out of the quickly escalating discussion about "threshold of proof" required for successful attribution. Depending on your field - intelligence, legal, mathematics - you will have a very different definition of what you consider plausible. Legal proof comes nowhere close to mathematical proof, and intelligence "slam dunks" don't necessarily come close to meeting the standard for legal proof.

All in all, all cyber-attribution work I have seen so far is at *least* as good as the intelligence on WMD that was available to the only superpower prior to the Iraq invasion. So whatever negative things you wish to say about the cyber-attribution folks - they are at least up to the professional standard of their field.

Let's be clear - attribution doesn't need legal levels of proof; if the collected data and Occam's Razor hint one way, and it is sufficient to convince decision makers, it has worked. People have waged wars and lost billions of dollars on flimsier evidence.

I would like to throw more rocks into this minefield of ours, though:

1) There is a fascinating obsession with C2 domains in our field, and I have been watching this for years with a mixture of amusement and bewilderment. The only way I can explain this is through the anecdote of Nasreddin's ring:

"Mulla had lost his ring in the living room. He searched for it for a while, but since he could not find it, he went out into the yard and began to look there. His wife, who saw what he was doing, asked: 'Mulla, you lost your ring in the room, why are you looking for it in the yard?' Mulla stroked his beard and said: 'The room is too dark and I can't see very well. I came out to the courtyard to look for my ring because there is much more light out here.'"

DNS is easy to monitor, so because everything else is hard, we have *somewhere* to start. The common obsession with DNS is doubly fascinating in a world full of QUANTUM-like techniques (why not be *any* IP behind the great firewall of China? This surely can't be hard for them?) and Web 2.0 websites that easily allow the sharing of large quantities of data via SSL. So why this obsession, if it is not Nasreddin's ring?

2) What good is attribution if the other side is sufficiently powerful / heavily armed / gung-ho to ignore it? It is not terribly hard to plausibly attribute the origin of the RPGs the pro-Russian militants in Crimea use - but what does one do about it? Ask Russian law enforcement to prevent arms from crossing the border? Does it help the US to attribute attacks to China? I think the effect on US network security gained by attributing a cyber campaign to the Chinese Government is similar to the effect on EU communications security of the EU successfully attributing wholesale fiber intercept to the US -- non-measurable.

Anyhow, time for me to get away from the screen.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave