The current operational environment in Europe is so lax that it seems there is literally no security error ISIS terrorists can make that will derail their plans. – Interviewed in Dabiq #7Escapes arrest after rest of cell killed in a raid – Make plans over mobile phone callsDiscuss plans using game consoles (PS4) – Video driving a truck dragging mutilated corpses in Syria – Majority of cell known to intelligence agencies – Post pictures of weapons on Facebook – Raise funds through petty crime – Raise funds by selling a bar (drastic life change)
This piece by @thegrugq is spectacular. It covers the myriad of failures that occurred within the intelligence community leading up to the Paris attacks.
Several lessons can be learned from these fundamental misses on the part of the intelligence community, but I want to focus on a single, underlying theme: reaching for the advanced before you have mastered the basics.
Governments have been scrambling to create new legislation that would give new tools to law enforcement, presumably to stop future attacks from occurring. But law enforcement doesn’t need new tools. They need to learn how to use the ones they have.
The failure is in basic police work. Basic investigation. Basic follow-through on obvious, clear, and tangible leads.
The attackers were largely known. The communications were largely unencrypted. And the intentions to perform the attacks were largely in the open for anyone to see.
These signs aren’t handled better by adding new tools. They’re handled better by focusing on basics.
We see the same thing in corporate information security, where millions are spent every year to buy the newest, shiniest tools. But if you ask most companies for a list of every website they own, or a list of every service that faces the internet, they are unable to provide these.
And they get hacked. Repeatedly.
The solution? Buy more things. Hire more staff. Install more products.
A unifying concept for intelligence and infosec
Master the basics first. Do not purchase more products. Do not create new legislation. Here are some prescriptive recommendations for each area:
- Document where your sensitive data is
- Document how that data moves as part of your normal business processes
- Create a list of all hosts in your environments
- Document every service that faces the internet, and the hosts that they’re associated with
- Keep your systems patched
- Perform extensive filtering on the traffic that moves within your environment, with focus on the flows that involve your sensitive data
These are Day 1 basics, yet far too few companies are doing them.
- Create a list of known malicious actors
- Track their whereabouts
- Within the boundaries of the law, monitor their communications and determine their intentions
- If their intentions are to launch an attack, try to stop it
Seems simple enough, yet for some reason we’re seeing attacks committed by people who were so plainly malicious, and who were not even hiding their intentions or their communications. And often they were already on known lists of malicious people.
But what are we working on? Parsing the metadata of millions of people, looking for SETI signals.
STOP. Both of you.
If you’re getting successfully attacked by people on known terror lists, speaking out in the open over unencrypted channels, then you don’t get encryption legislation. That’s for grown-ups who’ve used their existing tools to the fullest.
If you’re getting compromised inside your network on hosts you don’t even have records of, that haven’t been patched in months, you don’t get user behavior analytics. That’s for grown-ups who’ve used their existing tools to the fullest.
If you haven’t mastered the basics, stop everything else and work on them first. Because if you’re not doing well at the fundamentals, there’s no legislation or product that can help you.