Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Businesses

EndGame CEO: Root Out Hackers Before They Strike (qz.com) 148

The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers. An anonymous reader quotes Nate Fick's article on Quartz: Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cybersecurity... the vast majority of cybersecurity spending is still going to prevention and perimeter security. Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...

The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.

Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
This discussion has been archived. No new comments can be posted.

EndGame CEO: Root Out Hackers Before They Strike

Comments Filter:
  • by stealth_finger ( 1809752 ) on Monday June 06, 2016 @02:36AM (#52257631)
    Seems like you just made yourself a target.
    • by davester666 ( 731373 ) on Monday June 06, 2016 @03:07AM (#52257739) Journal

      Yeah, requires three things: time, effort and money

      1. Time and effort: Any IT working "looking for hackers attacking the network" is automatically assumed to be doing unproductive work by their immediate supervisor. Or by their supervisor. It is also pretty likely that none of his bosses will not understand anything he has done to stop a hacker, and they are also unlikely to believe him. Released to look for other opportunities.
      2. Money: any money spent on this "looking for a problem proactively" is money not available for the executive bonus pool. Since the result of anyone working on doing this at best can only claim to have stopped someone, and only MAY have prevented a loss of some kind, clearly the first executive that realizes this deserves a bonus at least equal to the budget of the department he just cut, because that is real, verifiable savings going hundreds of years into the future. He basically has just saved the company from bankruptcy.

      • "automatically assumed to be doing unproductive work by their immediate supervisor" If your job description is not related to IT security you are being unproductive in the eyes of your supervisor. For example, if you are getting paid to develop and support applications that is what you should be doing. You can work on your security concerns after hours or get a job in IT security.

        • "automatically assumed to be doing unproductive work by their immediate supervisor" If your job description is not related to IT security you are being unproductive in the eyes of your supervisor.

          And whether they are correct or a flaming idiot depends on the rest of your job description, and the job descriptions of those around you. If you are in IT, and it isn't anyone else's job to maintain IT security, then it is your job no matter what anyone else thinks. If it isn't done, you can't do any of your other jobs.

      • by Anonymous Coward

        You are missing that this is all based on hype, charisma and such. Advertising, marketing, and other forms of these get piles of money thrown on them despite having dubious effects.

        Depending on the level of FUD a CISO can persuade the company to take security seriously then proceed to spend him checks and team budget on garbage because the only thing that matters is the C levels keep receiving FUD about removing them.

        Depending on the level of FUD an army of InfoSec professionals can persuade congress to man

    • by beh ( 4759 ) *

      Stupid idea!

      You do remember older flicks like Sneakers etc and their depiction of phreaking - with the perpetrators actually monitoring how many hops the called party manage to hack their way back through.

      This will be the same - but instead of hacking multiple phone exchanges, you have to hack into multiple systems, before you attack your "true" destination.

      On the positive side, this might be a good thing - if a hacker breaks into multiple systems to build up a chain of hosts to route his attack through, th

      • by Anonymous Coward

        ... if a hacker breaks into multiple systems to build up a chain of hosts to route his attack through, that attacker now even has an incentive to harden all intermediate systems he broke into, just to slow down the "counter-attack" ...

        Semi-retired hacker here

        Hardening transit points takes time, which was / is in short supply

        Apart from spoofing addresses, I used to set up honey pot branches for those tracking me and/or to launching counter attacks

        That way if that guy actually launch his attack he gonna trash the spoofed address the midway station was pointing to --- which most probably belong to Pentagon or China or Mossad or Kremlin or Iran

        Whatever happened next will be popcorn time

  • by Anonymous Coward on Monday June 06, 2016 @02:36AM (#52257637)

    All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      and... we take another step towards Stallman's predictions of you needing a license to own a compiler or a debugger..

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...

      You forgot about the added bonus that you receive in the US for being pro-active.

      The government response is also to be "pro-active". By labeling you a "terrorist". Welcome to the No Fly club.

    • by fuzzyfuzzyfungus ( 1223518 ) on Monday June 06, 2016 @04:40AM (#52257959) Journal
      Plus, at least some of the targets of your 'proactive defense' are nation states; and they will be even less happy about being attacked than they will about you attacking 3rd parties.
    • by Anonymous Coward

      Whew, good thing governments aren't owned by corporations.

    • Yes, I know, this is Slashdot and you'll ruin your karma if you go around reading articles before commenting. Oh wait, you haven't got any. Right.

      Seriously though ... the article makes a clear distinction between looking for intruders (legal) which the article advocates and "hacking back" (illegal) which it doesn't.

      So this AC post is completely barking up the wrong tree (or a troll). I admit that the article is the usual clueless CEO bumf, but at least don't make it into something it isn't.

      Either way

  • by Anonymous Coward on Monday June 06, 2016 @02:46AM (#52257683)

    Just stop babbling nonsense. It seems that "we gotta get 'em basterds" makes for a better headline, but... every breach I've seen in the last years is due to *catastrophic negligence*. Including the (admittedly, for the time) very high tech Stuxnet thingie in Natanz. I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports? And operators willing to stuff a $RANDOM_USB_STICK into that? Seriously?

    How many levels of fail was this?

    Now go through all the last breaches, and think again: how many levels of fail?

    > Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.

    So stop buying snake oil and take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).

    Next step is implementing technical measures. Make sure that someone in-house understands thoroughly what's going on. Resist the urge to buy the next shiny thing because the salespeople of this company look smartest: remember that the investment in those smart salespeople isn't going into hard core development -- and that's what you want.

    Fick's an idiot. This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is, where well-known "products" often enlarge your attack surface instead of reducing it.

    Fick reminds me of some dictator in some semi-failed state making up an Enemy of the Nation to make people forget that their actual problem is internal corruption and missing crops.

    • by l0n3s0m3phr34k ( 2613107 ) on Monday June 06, 2016 @04:15AM (#52257907)
      End-users, the "layer 8" of the OSI model. One way to stop a good chunk of intrusions: force everyone in your organization to go back to plain-text email. No more HTML emails, no more files attached to emails, no embedded links or graphics. Almost every time I read about some new ransomware hit, or most break-ins, it's always some phishing attack via email. Obviously these end-users aren't capable of being educated how to recognize them, so to me the only way to "fix" the problem is to BOFH the situation and remove the most commonly used paths of attack. Anyone who demands these "enhanced capabilities" should also be made to sign an addendum to their employment contract that they are financially responsible for any attacks that they allowed because they just "had to have the ability for people to send them files in their Outlook".
      • Re: (Score:3, Interesting)

        by Anonymous Coward

        > End-users, the "layer 8" of the OSI model.

        They are definitely the most vulnerable part. But don't get me wrong, it's not about blaming the users. They just want to get stuff done, it's their job. And they are put under considerable pressure at that.

        It's the job of the organizations to strengthen the users and to raise their level of proficiency in understanding the issues involved. Heck, they are not stupid, in real life they wouldn't hand over their flat keys to a random stranger on the street (with a

    • by Anonymous Coward

      I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports?

      If they had plugged up the USB ports with glue, which some companies actually do by the way, would you call them more or less ridiculous?

      This comment is haxzor-smug, a form of posing.

      take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).

      Yes, please, step up to my tent. I'm offering "security training courses."

      (It's not a bad idea. I'm just saying, once you get into this tone of voice, anything can be made to seem stupid to the imaginary peanut gallery by putting it in quotes.)

      This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is

      Now we agree. The industry is in a really sad state. I'm nostalgic for the old da

  • by Anonymous Coward

    "Instead, going on the offense and hunting for adversaries entails surveying your assets stealthily and continuously."

    You mean like having a monitoring system in place? Checking for too many consecutive failed logins? Unauthorized IPs trying to connect to sensitive servers/devices? Checking to see if any IPs registered to APNIC have gotten logged in? Checking on the md5 hash of the /etc/password file and reporting whenever it changes? Installing an IPS in front of the edge of the network?

    Can someone pl

    • Read The Practice of Network Security Monitoring.

      He seems to be referring to active NSM and Hunt Teams as opposed to passive compliance and vulnerability monitoring, which is what most organizations do.

    • by Jawnn ( 445279 )

      Can someone please help me understand what's so different about what this guy is proposing, vs common practices which already exists?

      Not a damned thing different, though it might be argued that "common practices" and "best practices" are two very different things. What TFA is actually suggesting is little more than the best practice of paying attention to what's going on in your environment, as opposed to throwing up defenses and expecting them to stop all attacks. That takes effort, proper tools, and expertise. The mix of those three can vary, but the bottom line is that it costs money to be vigilant and that is not something that our i

    • The problem is that most people don't know every bit of traffic flowing on their network so you get a NIPS setup with some shitty general rules and some limited destination based filtering. It takes a lot of work to do proper source and destination based filtering which at best gets you a good firewall. Then add in that if you are doing NIPS right you need to be doing DPI (deep packet inspection) and saying that only this protocol is allowed on these ports between these hosts. That only gets you a somewhat
  • How do you 'root out' a non-domestic hacker? Drone strikes?
    • A "financial file server" honeypot full of virus / malware? lol
    • He's talking about counter-terrorism. We know there are bad guys out there; suit up and go get them before they get us.

      The problem is we don't know how many bad guys there are, who they are, what they want, where they might be, or how they might behave. You can't hunt an infinite enemy into extinction; and an enemy which is your own species is an infinite enemy. Wars haven't ended because we can't extinct bad humans without extincting all humans (and defining "bad" is hard); whereas we can extinct all

      • This was done during a war the Chinese were losing, badly, and it completely reversed the war. I keep forgetting the details because it's hardly ever relevant (it was, amusingly, referenced in Babylon 5 in exactly one scene); it's relevant here.

        When was it?

        • Referenced? Sheridan intuits the likely attack plan the Shadows are using and, as justification, claims it's what he'd do. Hilarity ensues because he's surrounded by Minbari religious caste.
  • by Anonymous Coward

    But very little content in there. I did not read any form of plan.

  • Buzzword bonanza (Score:4, Insightful)

    by Anonymous Coward on Monday June 06, 2016 @03:36AM (#52257841)

    Read the article, and I honestly don't see his end goal.
    Got the impression all he wants is penetration testing and security through obscurity, or monitor incoming traffic for "malicious intent".
    I could be mistaken as the whole article was a bit of a buzzword bonanza.

    • by Anonymous Coward

      I think all he wants is to promote his security business

  • Threat Hunting (Score:5, Insightful)

    by tero ( 39203 ) on Monday June 06, 2016 @03:51AM (#52257865)

    Threat Hunting isn't exactly a new concept, it's been around for ages.

    But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.

    So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype

    • Threat Hunting isn't exactly a new concept, it's been around for ages.

      But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.

      So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype

      Unfortuately, you had to go through 3/4 of the article before he even got to what he was talking about. I was pretty disappointed once I got there, although I was expecting it.

      Maybe it is time to set up an on-prem cloud-based hunt team solution?

  • Attack is the best form of defence.
  • by Anonymous Coward on Monday June 06, 2016 @04:30AM (#52257927)

    We should also root out murderers before they strike, by "determining" who will commit murder and punishing them while they are still innocent. Or maybe not.
    Maybe this CEO is phenomenally dumb?

  • TFA is a bit vauge (Score:5, Informative)

    by l0n3s0m3phr34k ( 2613107 ) on Monday June 06, 2016 @04:34AM (#52257933)
    But the companies' (Endgame [endgame.com]) blog pages has some actual concrete info. Reading over the site, much of what he talks about is already implemented, or at least there is software out there that companies can get (much of it open source). To quote his page Hunting on hosts [endgame.com]:" running processes, active network connections, listening ports, artifacts in the file system, user logs, autoruns", using Yari, etc. BUT, at least this page isn't just "buy my product" but does give some tutorials / examples of how to use various free utilities (like Sysinternals, Yari with Powershell, Elasticsearch) and he even includes CLI examples. I'm bookmarking this and will read over it later when it's not 04:32 and I should be asleep instead of posting on Slashdot LOL.
    • But the companies' (Endgame [endgame.com]) blog pages has some actual concrete info. Reading over the site, much of what he talks about is already implemented, or at least there is software out there that companies can get (much of it open source). To quote his page Hunting on hosts [endgame.com]:" running processes, active network connections, listening ports, artifacts in the file system, user logs, autoruns", using Yari, etc. BUT, at least this page isn't just "buy my product" but does give some tutorials / examples of how to use various free utilities (like Sysinternals, Yari with Powershell, Elasticsearch) and he even includes CLI examples. I'm bookmarking this and will read over it later when it's not 04:32 and I should be asleep instead of posting on Slashdot LOL.

      Exactly. It is not a new concept at all and something I did as a sysadmin 10 years ago when I got bored. You don't need a product, you just need to pay attention and have the management support to spend some time doing it. In more security-evolved companies, everybody contributes x% of their time doing this.

      • yes, but this software is cheaper to license than a sysadmin is to hire. at least at first, and who cares if it actually works? that's what insurance and PR is for, but you need to show "good faith measures" that you're doing something.

        in this context, the company's name is very funny.

  • I call bullshit. (Score:5, Interesting)

    by rew ( 6140 ) <r.e.wolff@BitWizard.nl> on Monday June 06, 2016 @04:55AM (#52257989) Homepage

    There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.

    And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!

    Here in Holland a some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!

    In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.

    You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.

    • ...Here in Holland a some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!

      In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable...

      Yes, this is likely true. They should be held liable once the issue is reported and not acted upon. Not even knowing about an issue makes it a bit harder to pin blame. IT professionals may appear to work magic at times, but they're not psychics.

      You cannot blame the guy who stumbled upon this issue for "hacking".

      Yes, you can. When the law labels it as hacking, especially when the individual performing the hack knows this.

      Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail?

      Unethical? Not "nice"? You have a very cute way of labeling theft, which was blatantly obvious to the person doing the "hacking", and is also blatant

      • Sorry, but allowing the client to manipulate critical data like the amount due that he should not have control over is criminal negligence. At the very least it should be, for any programmer should know that this is critical. If he doesn't know that, he has no reason creating computer programs.

        That isn't something obscure where the "oh, I didn't know that" excuse should work. That should be reserved for nontrivial cases where it did actually take a security researcher to unearth something buried in some lay

      • Yes, you can. When the law labels it as hacking, especially when the individual performing the hack knows this.

        The law is an ass...doubly so for computer-related laws.

        Laws have very little to do with actual right and wrong. The US has a legal system, not a justice system. Justice and/or fairness are rare occurrence in the US legal system.

        All the atrocities and war crimes that occurred in Nazi Germany and other totalitarian regimes were all according to the laws in place at the time and perfectly legal.

        Just because some politicians pass a law doesn't make it right.

        Strat

        • Yes, you can. When the law labels it as hacking, especially when the individual performing the hack knows this.

          The law is an ass...doubly so for computer-related laws.

          Laws have very little to do with actual right and wrong. The US has a legal system, not a justice system. Justice and/or fairness are rare occurrence in the US legal system.

          All the atrocities and war crimes that occurred in Nazi Germany and other totalitarian regimes were all according to the laws in place at the time and perfectly legal.

          Just because some politicians pass a law doesn't make it right.

          Strat

          There's little here that I would argue against, save for one. That whole "right and wrong" part. When you know it's illegal, it's wrong.

          Don't give a shit if you agree with it or not. You still know damn well it's wrong.

          And citizens have known this since the dawn of time. Parents instill it in their children for a valid reason. So they don't end up criminals.

          And the IT circle adopted the old-fashioned wild west mentality with it as well, putting certain color hats on your head, all based on the legali

          • When you know it's illegal, it's wrong.

            So then Rosa Parks was wrong?

            OK I can see that you've clearly not thought this one through.

            Might want to give it another good think. Just saying.

            Strat

            • When you know it's illegal, it's wrong.

              So then Rosa Parks was wrong?

              OK I can see that you've clearly not thought this one through.

              Might want to give it another good think. Just saying.

              Strat

              You had to reach back 50 years to a civil rights issue (as if that's some kind of parallel here) to provide an example, and I'm the one who hasn't thought this through...riiiiight.

              • When you know it's illegal, it's wrong.

                So then Rosa Parks was wrong?

                OK I can see that you've clearly not thought this one through.

                Might want to give it another good think. Just saying.

                Strat

                You had to reach back 50 years to a civil rights issue (as if that's some kind of parallel here) to provide an example, and I'm the one who hasn't thought this through...riiiiight.

                I chose Rosa Parks as pretty much everyone, young or old, even non-Americans, are familiar with Rosa Park's famous act of civil disobedience.

                How about Mr. Edward Snowden and his whistle-blowing on the unConstitutional spying on innocent US citizens by the NSA?

                There is such a thing as right & wrong, and in many cases what's "right" in most peoples' view is often illegal and what may be legal is wrong.

                Legal/illegal =/= right/wrong.

                It's perfectly legal for a cop to c

                • ...No one Is bound to obey an unconstitutional law and no courts are bound to enforce it.

                  Strat

                  I think we both know why this statement is VERY hard to believe anymore (cough, FISA, cough). This is unfortunately the world we live in today, as our Constitution is reduced to a tourist attraction, lacking the teeth it once had to bite back against attacks on our Rights.

                  Again, you've brought up some solid points here, and I agree with you on them, but let's bring the example you brought forth back to a proper frame of reference; a kid hacking a website for the blatant purpose of stealing a product over a

  • Is that endgame somehow connected to that "Endgame [nerdist.com]"?

    Anyone knows a site that shares the solution of those puzzles?

  • FTA:

    Some worry that such an aggressive approach to defense and security may break laws. It does not. To be clear, proactive hunting is not “hacking back” or illegally “shooting back” at cyber adversaries beyond the infrastructure you own. Hunting is essential, while hacking back is illegal.

    I can just hear it now - the sound of yet more privacy being trampled underfoot as all those 'proactive hunting' parties go traipsing through our virtual back yards.Lovely!

  • It sure sounds like the sort of thing he'd write.
  • by Opportunist ( 166417 ) on Monday June 06, 2016 @06:20AM (#52258179)

    How about rooting out future CEOs before they have harebrained ideas. It's also much easier to predict. Just shoot every CEO during his inaugural speech.

  • Please move along. This is just a man who has run out of ideas and is fantasizing about high valuations and using catch-phrases and buzzwords to paint a pretty picture for the press.
  • What if it were T-shirts that might disintegrate under certain conditions? We would know that the fabric wasn't well tested and it could break down, but we would not know exactly how, so we follow some of the steps suggested in the comments here. (1) We would find experts on disintegrating T-shirts and learn that fire would most certainly destroy them, but water might dissolve them as well. UV light might break down some of the fibers, so stay out of sunlight and don't spend too much time in certain kinds o

  • I think money was better spend learning how to properly configure you corporate systems and actually learn how to make secure applications.. Some of the hack i have read have been bossible because some idiot didn't properly secure systems installed.
    • by Jawnn ( 445279 )

      I think money was better spend learning how to properly configure you corporate systems and actually learn how to make secure applications...

      Erm..., no. The very notion that such a thing is possible is flawed, evidenced by the fact that we are having this discussion. Granted, there's a lot of room for improvement and not fixing (let alone releasing) software with known exploits is inexcusable, but the reality is that there is no substitute for vigilance.

  • Stop connecting everything to the internet
    Hold C level officers criminally liable for breaches, including in government. The OPM, IRS and Target hacks should have resulted in the enablers going to jail.
  • The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers.

    In other words, this ignore the fact that most hacking incidents are the result of gross negligence and incompetence (most of that shit would be stopped on its track if people do their security homework and put the necessary money in IT and user training.)

    Moreover, it tell us to go wild west hunting for hackers. How far would you take that? Hack others before they hack you? Block others that might be suspicious? Because if you take this shit to its logical conclusion, that is where we end up.

    Look, just

    • Look, just do your bloody homework when it comes to security.

      ...But, but, but, but offensive hunting and attacking sounds so much more fun than homework and education.. who wants to RTFM when you can pretend you're in a cheesy movie?

  • When you give a chimp a gun, and the chimp shoots someone, you don't blame the chimp.

    If we can't rely on organizations to adhere to frighteningly basic security concepts (usually at the core of these breaches) how can we trust them to hire a mercenary to go on the offensive against bad guys?

  • I think what the EndGame CEO was trying to state was that security needs to focus more on indicators of compromise and less on "defense" against compromise. As a redteam hacker, I agree. The fact of the matter is that securing the perimeter and the endpoint against all attacks is an impossible exercise. Too many security teams have that type of mentality, "Oh, you got in? No worries, just tell us exactly what you did and we will block that specific attack vector." What they should be focusing on, is de
  • Basically what he's saying is "Arrest these hackers before they commit a crime" without ever knowing if they're actually being targeted by hackers or if the hackers are even committing a crime in the first place.

    Sounds like wonderful precedent for a company to try establishing here in the USA.

  • If this is a cyber war we are engaged in, mere defense is not enough. DDOSing botnets for instance, or counterattacks directly against black hats, but it's fair, as in all's fair in love and war.

    I can see where a botnet seeking known MAC addresses and hammering them might result in black hats having to come up with new laptops, changing LAA, spending time responding to counterattacks, which impedes them at least minimally. Good work.

  • ... anyone thought of this before?

    How fucking clever.

    Oh, wait ...

    I had this goddam discussion with management back in 1996 all the way up until I retired in 2014.

    They said, while it's a problem, it's an IT problem, and we get no funding for training, best-practice firewalls and shit like that.

    My insistence that they change passwords at least once a decade, and to refrain from using the same simple password for EVERYTHING went ignored.

    As a courtesy, I just sent them a mass email saying that I put every one o

  • Why bother securing your Apache/Nginx installation when it gives you a chance to be a loud drama queen complaining "some bad guy" hacked you?

    Why bother migrating your outdated Windows XP machines to Linux, when you could instead have all the job security in the world - repairing virus-infected systems?

    Why not open a .exe attachment? Its just Soooo fun to play "Kim Kardashian Solitaire"!!

    If your office is lazy, uses minimal passwords, doesn't update Windows or have antivirus, open ports everywhere,
  • until executives start making security a priority, rather than a reflexive action, nothing will change. The majority of corporate boardrooms are filled with MBA types and people with sales backgrounds. Even in high tech companies, the tech founder usually gets squeezed out at some point to make room for the MBA that is going to grow the company.

    Typically, MBA's and salespeople view security as a burden, a necessary evil, a nuisance. They would rather allocate funds to marketing. Or the latest diversity flav

  • Him pointing out that $75 billion was spent reminds me of the 'Tommy Boy' speech Farley gives that ends partly with "Because they know all they sold ya was a guaranteed piece of shit. That's all it is, isn't it? Hey, if you want me to take a dump in a box and mark it guaranteed, I will. I got spare time"
  • "I hereby label Nick Fink as a security risk, a potential terrorist, a possible molester and an unperson.

    Worse, he is not a team player.

    Based on this irrefutable accusation, and the serious risk of Pre-Crime ... I demand that he be neutralised.
    Either interned for life or simply eliminated.

    I cannot allow the evidence for this to be scrutinised, since our security, nay our very freedom, depends on secrecy.

    Dissent or protest will prove the accusation."

    Fascists. We know how this ends.

  • Here we go with the punish-before-crime movement
    Did you fools learn NOTHING from Gitmo?
    All you do with arrests (or attacks) PRIOR to any crime is make angry people into enemies dedicated to your destruction
  • They've worked so well in the past! Next we just need thoughtcrime, and everyone will live happily ever after.

  • Anomaly detection and whitelisting are measures that already exist in actual code that can run on a real computer right now. Monitoring and alerting tools are becoming commonplace, and we even have an acronym or two to sum up the process (thinking of SIEM here). So this call-to-arms is either late or stupid, depending on how far it intends go.

    Assuming the attacker has half a brain, he will proxy his inputs and outputs through intermediate devices. Compromised servers, botnets, whatever. This pro-active appr

Trying to be happy is like trying to build a machine for which the only specification is that it should run noiselessly.

Working...