RE: .gov/.mil threat ID

["Crumrine, Gary L" <CrumrineGL () state gov>]

Your reply is right on Paul.

Sounds like the gentleman should be more interested in tightening up his
systems than complaining on how DOD reacted to someone knocking on their
door.  

You read it in the press every day how the BIG BAD DOD stood by and did
nothing, or didn't see something etc.  

No matter what they do, they will get criticized for it.  

Before someone goes flaming the practices of different people and agencies,
I suggest they step outside of the academic realm and walk in the DOD's
shoes for a while.  Maybe then they'd understand a little more.  It is not a
game.

> -----Original Message-----
> From: Paul D. Robertson [SMTP:proberts () clark net]
> Sent: Tuesday, January 26, 1999 10:24 PM
> To:   AI mailer v .1 alpha
> Cc:   firewall-wizards () nfr net
> Subject:      Re: .gov/.mil threat ID
>
> On Fri, 22 Jan 1999, AI mailer v .1 alpha wrote:
>
> > I think the government and military may be the only organizations with
> the
> > resources to respond to potential threats, but they still do not know
> how
>
> Lots of commercial organizations respond to potential and actual threats 
> and it happens every day.  I'm not sure where you drew this conclusion 
> from, but I don't accept it.
>
> > to effectively respond, or even to decide which events their threat
> > detection systems log should be responded to.  Apparently someone sent a
> > "small number of probes" to a .mil site spoofed from one of my
> computers'
> > addresses a few weeks ago, and they were quite paranoid about it.  If
> the
> > government can log but doesn't have the resources to decide what to do
>
> "The government" is a lot of departments with a lot of machines and a lot 
> of administrators, just like everyone else.  It's always a choice between 
> what resources to spend on a negligable threat, wheather it's people, 
> money, or time.  There are a lot of quite paranoid administrators out
> there,
> even in .com and .net.  There are also a lot of .mil sites, some with 
> more sensative and critical missions than others.  Just like in the 
> commercial world, that means that the threat profile of the day, as well 
> as the risk/reward ratio of the current operational level dictates how to 
> respond to what.  Even then, it's always a matter of balancing the cost 
> of dealing with an unsuccessful attempt against ignoring it, or making an 
> example.  
>
> > with that potential threat information, what good would it do a company
> > with alot less resources?  Or is the military just inept at their
>
> It depends on the company's perception of the threat and what resources 
> they want to use.  For instance, if a criminal statute has been broken, 
> then they can attempt to have most of the work done by the 
> jurisdictionally correct government entity, if it's a civil law, or if a 
> civil remedy seems more appropriate, then they can sick their lawyers on 
> the offender.  Sometimes they'll do both, and sometimes they'll decide 
> it's not worth the expense.  
>
> > analysis?
>
> Analysis varies from person-to-person, and even day-to-day in the same 
> person.  Most of us do what we can to analyze, categorize and profile 
> threats, events, and risks.  Sometimes we do well, sometimes we do badly, 
> and it really doesn't make a lot of difference who our employers are when 
> we do it.  Everyone fights to get INFOSEC resources budgeted, clueful 
> administrative staff, and cooperation.  If you have 5 probes or attempts 
> a day, it's a lot easier to respond to each one than if you get 5,000.  
>
> Attempting to generalize the response of "the government" (pick your 
> favorite country), "the military", "big corporations", "educational 
> institutions" other than in the case of specific common policy issues is 
> a losing game.  
>
> I've seen good and bad responses from all the TLDs I've contacted or who 
> have contacted me.  In some cases, the original contact was a 
> less-clueful individual responding to a percieved direct threat, and a 
> follow-up conversation with someone else later took only two sentences.  
> Just like anywhere else, .mil has people who will correctly escallate to 
> a higher authority for an incident, and people who will take action 
> themselves.  Either case may be valid for a particular installation, 
> unit, or system. 
>
> I wouldn't expect all of my co-workers to do the same level of analysis 
> that I do prior to making a call simply because they don't all have the
> same 
> level of experience that I have.  I also wouldn't expect them to make the 
> same recommendations to the lawyers that I would if it turned out to be 
> worth persuing.  I know it'd take them more time to decide that part of 
> the process since it's not an easy and clearly-written policy decision, 
> and they don't have a great deal of experience doing it.
>
> If you look closely at your own analysis of "spoofed packets", unless 
> you've got traffic lots of all the packets, can you be totally sure it 
> wasn't (a) a compromised host, or (b) a compromised service (such as an 
> FTP bounce attack)?  If the victim takes the tack that you're more likely 
> to be (a) or (b) than either (c) a malicious site or (d) a blind spoof,
> then 
> shouldn't they take the time to think about what a reasonable response to 
> your potentially inept administrative capabilities, or potentially buggy 
> vendor code?  
>
> Heck, it's be pretty trivial to make a probe *look* like a blind spoof,
> and 
> even create "network logs" that don't show the traffic.  Given that, and
> given
> no logging upstream of your host, what exactly do you think an
> administrator 
> should do?  
>
> If you were probing them, then you're probably going to stop now, if you
> were 
> compromised, perhaps you'll look closely at your machines now (or at least
>
> start logging connection attempts), and if not then they need to figure
> out 
> how to proceede in such a way that any further attempts are met with the 
> appropriate response.  
>
> Unless an attacker has control of, or promiscuous access to either their
> or 
> your network, upstream, or a common exchange point, a completely blind
> spoof 
> would seem to be unproductive, so I'd be extremely skeptical of that 
> analysis without further evidence to the contrary.
>
> Since it's not that obvious where the packets originated, I'd expect 
> someone to take some time figuring out if and how to respond.  I certainly
>
> would - mostly because it takes a few days to get the lawyers to dig up 
> all the prosecutorial options in each jurisdiction.  Of course I'd have 
> you filtered out while we were looking :)  
>
> Maybe you don't have network problems (or don't notice them if you do), or
>
> maybe all of yours have been fairly easy to resolve.  That's not true of 
> every incident, and if it isn't cut and dried, it takes good policies, 
> procedures, and most of all clue in the right places.  Sometimes you have 
> them, sometimes you don't.
>
> Paul
> --------------------------------------------------------------------------
> ---
> Paul D. Robertson      "My statements in this message are personal
> opinions
> proberts () clark net      which may have no basis whatsoever in fact."
>  
> PSB#9280