I had a very sad friend. His company bought all kinds of really cool stuff for security monitoring, detection, and response and told him to point it all at the firm’s offices in the Russian Federation. Because Russia is loaded with hackers, right? That’s where they are, right?
Well, he’d been running the pilot for a week and had nothing to show for it. He knows that the tools have a value, and that his firm would benefit greatly from their widespread deployment, but he’s worried that, because he didn’t find no hackers nowhere in the Hackerland Federation, his executives are going to think that these tools are useless and they won’t purchase them.
So I asked him, “Do you have any guidance from above on what to look for?”
“Hackers. They want me to look for hackers.”
“Right. But did they give you a software whitelist, so that if a process was running that wasn’t on the list, you could report on it?”
“No. No whitelist.”
“What about a blacklist? Forbidden software? It won’t have everything on it, but it’s at least a start.”
“Yes, I have a blacklist.”
“Great! What’s on it?”
“Hacker tools.”
“OK, and what are listed as hacker tools?”
My friend sighed the sigh of a thousand years of angst. “That’s all it says. Hacker tools. I asked for clarification and they said I was the security guy, make a list.”
“Well, what’s on your list?”
“I went to Wikipedia and found some names of programs there. So I put them on the list.”
“And did you find any?”
“Some guys are running the Opera browser, which has a native torrenting client. I figured that was hacker enough.”
Well, security fans, that’s something. We got us a proof of concept: we can find active processes. I described this to my friend, and hoped that he could see the sun peeking around the clouds. But it was of no help.
“They’re not going to spend millions on products that will tell them we’re running Opera on a handful of boxes!”
He had a point, there. Who cares about Opera? That’s not a hacker tool as featured on the hit teevee show with hackers on it. And, to be honest, the Russian offices were pretty much sales staff and a minor production site. The big stashes of intellectual property and major production sites were in the home office, in Metropolis, USA.
So I asked, “Any chance you could point all that stuff at the head office?”
“What do you mean?”
“Well, it’s the Willie Sutton principle.”
“Who was Willie Sutton?”
I smiled. “Willie Sutton was a famous bank robber. His principle was to always rob banks, because that’s where the money was. Still is, for the most part. Russia in your firm is kind of like an ATM at a convenience store. There’s some cash in it, but the big haul is at the main office. Point your gear where the money is – or intellectual property – and see if you don’t get a lot more flashing lights.”
My friend liked that. He also liked the idea of getting a software whitelist so he’d know what was good and be able to flag the rest as suspect. He liked the idea of asking the execs if they had any guidance on what information was most valuable, so that he could really take a hard look at how that was accessed – and who was accessing it.
And maybe there were tons of hackers in Russia, but they weren’t hacking anything actually in Russia. And maybe said hackers weren’t doing anything that was hacking-as-seen-on-television. Maybe they were copying files that they had legitimate access to… just logging on, opening spreadsheets, and then doing “Save As…” to a USB drive. Or sending it to a gmail account. Or loading it to a cloud share…
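Two of the checks the last two paragraphs point at, as an added example that is not code from the original post: an allow-list check that reports any running process not on the approved build (instead of hunting for a list of "hacker tools"), and a crown-jewel access check that flags reads of high-value files by accounts outside the authorised group and copies of those files to a removable drive, webmail or a cloud share. Every hostname, process name, username, share path and log line below is constructed for the example, the log format is invented, and treating drive letters D: through Z: as removable is an assumption.

```python
"""Added example (not from the original post): process allow-list check and
crown-jewel file-access check over constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- 1. Process allow-list: anything not on it is reported as suspect -------
APPROVED_PROCESSES = {  # constructed allow-list for a sales workstation build
    "explorer.exe", "outlook.exe", "excel.exe", "winword.exe",
    "chrome.exe", "teams.exe", "svchost.exe", "lsass.exe",
}

def unapproved_processes(inventory: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return host -> sorted process names not on the allow-list.
    Case-insensitive, since Windows image names vary in case across tools.
    Hosts with nothing unapproved are omitted."""
    approved = {p.lower() for p in APPROVED_PROCESSES}
    findings = {}
    for host, procs in inventory.items():
        extra = sorted({p.lower() for p in procs} - approved)
        if extra:
            findings[host] = extra
    return findings

# --- 2. Crown-jewel access: who touches the valuable files, and where it goes
CROWN_JEWELS = {  # constructed: share prefix -> group allowed to read it
    r"\\fs01\rnd\designs": "rnd-engineers",
    r"\\fs01\finance\forecasts": "finance",
}
# Destinations the story lists: removable drive (assumed D:-Z:), webmail, cloud share.
EXFIL_DEST = re.compile(
    r"^(?:[D-Z]:\\|https?://(?:mail\.google\.com|[^/]*\.dropbox\.com|[^/]*\.sharepoint\.com))",
    re.IGNORECASE,
)
# Invented log format: ts user=.. groups=a,b action=.. src=.. [dst=..]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) groups=(?P<groups>\S+) "
    r"action=(?P<action>\S+) src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    reason: str
    src: str
    dst: Optional[str] = None

def jewel_group(path: str) -> Optional[str]:
    """Group authorised for the file, or None if it is not a crown jewel."""
    for prefix, group in CROWN_JEWELS.items():
        if path.lower().startswith(prefix.lower()):
            return group
    return None

def audit_access(log_lines: List[str]) -> List[Alert]:
    alerts = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip, do not guess
        f = m.groupdict()
        group = jewel_group(f["src"])
        if group is None:
            continue  # not a high-value file
        if group not in f["groups"].split(","):
            alerts.append(Alert(f["ts"], f["user"], "access outside authorised group", f["src"], f["dst"]))
        if f["dst"] and EXFIL_DEST.match(f["dst"]):
            alerts.append(Alert(f["ts"], f["user"], "copy to removable/cloud destination", f["src"], f["dst"]))
    return alerts

# Constructed sample data
SAMPLE_INVENTORY = {
    "ru-sales-07": ["explorer.exe", "Outlook.exe", "opera.exe"],
    "hq-eng-21": ["explorer.exe", "svchost.exe", "teams.exe", "svc_helper.exe"],
    "hq-fin-03": ["EXPLORER.EXE", "excel.exe"],
}
SAMPLE_LOG = [
    r"2024-01-01T09:00:00Z user=alice groups=rnd-engineers action=read src=\\fs01\rnd\designs\turbine.dwg",
    r"2024-01-01T09:05:00Z user=bob groups=sales action=read src=\\fs01\rnd\designs\turbine.dwg",
    r"2024-01-01T09:06:00Z user=alice groups=rnd-engineers action=copy src=\\fs01\rnd\designs\turbine.dwg dst=E:\turbine.dwg",
    r"2024-01-01T09:10:00Z user=carol groups=finance action=copy src=\\fs01\finance\forecasts\q3.xlsx dst=https://mail.google.com/upload",
    r"2024-01-01T09:11:00Z user=carol groups=finance action=read src=\\fs01\public\lunch-menu.txt",
]

if __name__ == "__main__":
    for host, procs in unapproved_processes(SAMPLE_INVENTORY).items():
        print(f"{host}: not on allow-list -> {', '.join(procs)}")
    for a in audit_access(SAMPLE_LOG):
        print(f"{a.ts} {a.user}: {a.reason} ({a.src}{' -> ' + a.dst if a.dst else ''})")
```

Note that the second check produces alerts for a fully authorised user (alice copying a design file to a removable drive): nothing in that event looks like hacking as seen on television, which is exactly the point of the story. The allow-list report also surfaces the Opera install on the Russian host, but the sample shows that the same check becomes far more interesting once it is pointed at the engineering and finance hosts at head office.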
The moral of the story is: If your security policy is driven by the popular media, you don’t have a security policy.