Been hacked? Now to decide if you chase the WHO or the HOW

Imagine a security researcher has plucked your customer invoice database from a command and control server. You're nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how. But only one of these questions, the how, is worth your precious resources; …

  1. This post has been deleted by its author

    1. Little Mouse

      Absolutely right. "Who" may be unimportant if the hackers simply picked you out of the phonebook, so to speak. But how can you know whether it was a random attack or not if you don't bother to find out?

      A significant number of attacks must either be inside jobs or competitors seeking an edge. In which case, "Who" is arguably more important than "How".

  2. Six_Degrees

    Rubbish

    "Imagine a security researcher has plucked your customer invoice database from a command and control server. You're nervous and angry. Your boss will soon be something worse and will probably want you to explain who pulled off the heist, and how.

    But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction."

    Now...

    Imagine a kidnapper has plucked your child from your home. You're nervous and angry. Your spouse will soon be something worse and will probably want you to explain who pulled off the kidnapping, and how.

    But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction.

    Seriously?

    The perpetrators should be named, dragged through the streets, and openly flogged in the public square. In both cases.

    1. Amphibious RawCod

      Re: Rubbish

      Well played, choosing an incredibly emotional situation (kidnapping of a child) to test whether the "who" is an emotional distraction. However, I think you miss the mark. I understand your stated desire for justice, but that comes after the kidnapper has been caught. I wonder how many kidnappers are caught because their identity was revealed, as opposed to (for example) their location (possibly via some opsec fumble like a traceable phone call). Your response also relies on the existence of a legal framework within which the punishment you describe (or some form of punishment at least) is possible.

      Intelligence is only of any use if it can make a substantial contribution to our response. Let's say our company is hacked and we can solidly attribute the attack to the Elbonian Government Elite Hackers. So what? What actual difference will that make to our response in terms of how we handle the incident? What if the attack had been solidly attributed to Microlombia instead?

    2. Graf

      Re: Rubbish

      For a kidnapping (or for highly targeted attacks) I agree.

      However most attacks are run-of-the-mill crap that isn't worth chasing the who.

      Imagine a thief has broken into your home and stolen a can of beans. You're nervous and angry. Your spouse will soon be something worse and will probably want you to explain who pulled off the theft, and how.

      But only one of these questions, the how, is worth your precious resources; security experts say the who is an emotional distraction.

      Do you really care who stole your can of beans, or do you care more about how they broke into your house?

      I know which one I'd spend my time looking into

      1. Ole Juul

        Re: Rubbish

        However most attacks are run-of-the-mill crap that isn't worth chasing the who. . . . Do you really care who stole your can of beans, or do you care more about how they broke into your house? I know which one I'd spend my time looking into

        Right on. However, you've lost a can of beans. In the cyber world, chances are that you've only lost a copy of your can of beans, making your argument even stronger. It's more like they broke in and took a picture.

        1. Anonymous Coward

          Re: Rubbish

          As said at an event I've recently been to by people that do the post-breach investigation in the payment industry: almost all breaches are caused by failing to do the basics. Number one is running unpatched web servers and then having routes from those servers to things beyond the DMZ, then unpatched desktop estates, mail servers, etc.

          Also, another interesting thing was that of companies investigated post-breach over the last decade, none were PCI compliant at the time of the breach, even though all had managed to pass at a given point in time.

      2. This post has been deleted by its author

  3. Anonymous Coward

    Maybe

    We should start to worry when the knocking stops, that might mean they are no longer trying to get in.

  4. nevstah

    the who is important

    You shouldn't blindly ignore who the perpetrator is; hopefully it may become obvious while investigating how. Merely, the investigation into who shouldn't get in the way of how.

    My reasoning: I wouldn't be happy to learn the person I hired to repair my boiler was the same person who had earlier stolen my last tin of beans!

    If someone had plucked my customer database, I wouldn't be happy to find I'd later employed that person, or that said person had been employed by a competitor in ignorance of the theft, for example.

  5. amanfromMars 1 Silver badge

    Chicken hearted and lily livered make rules and regulations and unleash CHAOS, Madness and Mayhem?

    defence intelligence officials, top security thinkers, serving CISOs, ex-cops, and former bank boffins speaking don't entirely agree on the value of pinning a hack on an individual or group.

    No shit, Sherlock. Of course they don't want personal responsibility and accountability for that then makes they themselves legitimate targets for direct action from anyone and everyone adversely affected by their shenanigans/policy decisions/whatever you call them.

    Such is the main role of secrecy ..... to protect the untenable and inequitable? Yeah, that's the way it is, but not in a future with Brave New Orderly World Orders in AI and IT Command and Control Systems of Mass Political Administration

  6. naive

    Is there no one else?

    This whole vendor ecosystem resembles big white sharks, Microsoft and other major vendors, surrounded by a swarm of pilot fish: hackers, the security industry and curious governments, living from eating nasty bugs from the skin of these predators, who in their turn feed on the money the victims give them prior to being hacked.

    Most people, users and thus customers, seem to find this situation normal. Buy a computer, pay some OS vendor $100, go online and get all kinds of nasty stuff for free just by visiting a website.

    Put a webserver online, and run the risk of getting hacked, and it does not make much difference if one uses closed or open source.

    We buy desktops or servers with modern i5/i7 or Xeons NOP-ing around while they are being hacked. Is this where the IT industry got us? Is this the state of affairs for days to come? Or, the more important question: is there no one else who can pick up the glove and liberate us from the strangulation of monopolistic vendors producing software which is "Unsafe at any clock frequency"?

  7. Pascal Monett Silver badge

    "Find out who's attacking you and call their mum"

    Is that a revelation that most hacking attacks are made by the eponymous "script kiddies"?

    Or just a hint that it is rather useless to know "who" if your current security status is "leaking like a sieve"?

  8. Stevie

    Bah!

    There's plenty of white hat attention span to go round. Let's figure out the how *and* the who.

  9. netminder

    I'm aware of an instance where one group was aware of a visitor sending info to a C&C but never told the security team of the IT management because they wanted to build a case against the attacker. When the security team discovered the attack shortly after, the damage was already done. The attacker turned out to be China, so there was zero chance for legal action, and meanwhile more systems were compromised and information stolen.

  10. Matthew Turnbull

    Why?

    I'd argue there's a third question to consider, which can change our relative perception of the other two. "Why"?

    "How" is obviously an important part of the analysis - where were you weak, and what are you going to change so you don't get hit the same way again? It should also be feeding back into your post-incident risk review, to determine whether appropriate controls were not identified, not implemented, or deemed inappropriate. It's an area that sits almost exclusively with the technical areas of the business, and is entirely reactive.

    "Who" seems to do nothing more than feed our innate desire for retribution, and as such serves no useful purpose. Unless...

    "Why" were we a target? If we can understand what made us attractive, and what the (currently unidentified) ultimate actor gained from the effort, then we gain a whole different perspective on "Who". If, for example, we determine that the end goal was a boilerplate Cryptolocker for ransom, then it is likely that we were not an explicit target and "Who" is indeed an irrelevant distraction.

    But what if someone went after sensitive intellectual property related to an as-yet unreleased product or invention, for commercial gain? If that's the case then the "Who" becomes a whole lot more important - if I know who has stolen my intellectual property then I have an option on various damage limitation exercises (injunction, PR, bringing forward product release, etc.) that are still very useful tools to protect my as-yet uncapitalised development investment. We have a time window where we may still be able to influence the ultimate outcome of the incident, if we ask the right questions and respond appropriately. This certainly seems to justify rebalancing the analysis effort.

  11. The Morgan Doctrine

    Attribution is VERY IMPORTANT

    Without the threat of overwhelming and grossly disproportionate retaliation, hackers will keep plying their trade. Details of disproportionate attack strategy in http://www.themorgandoctrine.com. Cheers!

    1. amanfromMars 1 Silver badge

      Re: Attribution is VERY IMPORTANT

      Nice idea whose time is come, The Morgan Doctrine, The Morgan Doctrine. Do it well with Media and IT Command and Control (and Proper Preparation and Positive Planning Prevents Piss Poor Performance Permitting Prime Prize Penetration and Perfect Private Pursuit of Public Projects and Pirate ProgramMING Parameters Production of the Present from the Past) and more than fabulous fortunes await delivery and spending.

      But it and IT does put Existing Legacy Systems into an Enigmatic Quandary in that they lose Command and Control and Lead.
