by Anton Chuvakin
I have not done a philosophical security blog post for a long time – and now I was suddenly inspired to write one while installing – rather, replacing with an HD version – security cameras at my house.
Given the house we have, I can imagine a physical security setup where every possible entrance (including second floor windows) and every camera is in the view of at least one security camera. That will take between 12 and 16 cameras. Coupling this with tamper-proof camera enclosures and protected cables, as well as smartly placed indoor cameras and a couple of hidden devices, one can … waste a lot of money.
Am I doing this? No, I am not! I just want coverage of common ingress points.
My focus here is a commodity attack, not a targeted one. Making a regular house resistant to a dedicated burglar is an impossible affair, and the law of diminishing returns kicks in hard – and early (I also have a dog — and not just any dog …).
In any case, why all this? I hear that many organizations have developed a sudden, vendor-marketing-infused interest in fighting advanced and targeted attacks. But guess what? More than a few of said organizations actually aren’t that good at fighting basic, commodity attacks – and they are NOT improving.
So, it is a free country and it is [in most industries] legal to really suck at infosec / “cyber.” However, I find it highly illogical and, in fact, wasteful, to attempt stopping or detecting an advanced attacker before you have managed to succeed against a common one.
Along the same vein, I worry about people who are “concerned about targeted attacks” but lack any ability to tell that “yes, this attack IS in fact targeted” and, moreover, lack moderately effective defenses against opportunistic attacks in the first place.
So, yes, advanced attacks ARE real. Persistent threats ARE real. 0-day-wielding state-sponsored superhackers ARE real. But, by god, why focus there if you can barely detect a more traditional intrusion, one that utilizes mid-1990s style tools, exploits and tactics!?
Focus on improving your security maturity – not on randomly picking high-maturity tools (like NFT) and practices (like hunting) and then declaring success! Before you buy another “anti-advanced-anything” box, THINK – are you handling the basics well already and, if YES, what is the best direction for improvement from your current position?