I had a pleasant Twitter conversation with the prolific Wh1t3Rabbit today about disclosure, namely discussing why companies should be more open about their breaches, and more specifically, about the tactics that were successful in breaching the company.
I’ve been fortunate enough to have been involved in some lengthy (and admittedly gray-scale) discussions with senior business leaders about disclosing breaches; however, those discussions are all about customer/brand/reputation impact, not necessarily for the benefit of the security community itself. Sure, a high-profile organization admitting that it’s been attacked, as so few have (Google and… well, at least Google has), will increase general awareness.
My contention though is that there needs to be more sharing of specifics around the attacks so others can learn, adapt, adjust, etc. I understand that dealing with a human adversary means that any tactic is subject to a quick pivot, but at the same time, there’s literally no benefit to a company disclosing they were breached by an extremely sophisticated attack.
Having been through more than my fair share of big security incidents, I’m skeptical that these attacks are necessarily that sophisticated. More often than not, my experience is that the ingress point into a company is a well-crafted, authentic looking spearphishing message. From there, excessive workstation admin rights are leveraged and elevated and from there, you can hear the fat lady singing. If that was the case, what would the company disclose to the security community: “an end user clicked on a spam message”? That happens at every company in the world, every day, but it’s a defeatist comment in that it’s challenging (but not impossible) to protect against (which I’ll post about tomorrow). Instead, my gut says that the PR machines say that it was extremely sophisticated to cover their back ends and the entire security community takes nothing away from the event.
The obvious near-term answer to disclosure is doing so in industry groups (e.g., FS-ISAC, HITRUST) where trust has been earned and non-disclosure agreements are in place. This is a good starting point, but the benefit is limited.
Here’s hoping the next time you read about a sophisticated attack, you learn more about it than the level of savvy from the company’s public relations office.