Daniel Miessler's Blog, page 61
October 16, 2020
The Content Value Hierarchy (CVH)

The four tiers of content value hierarchy
It’s important for content creators—especially those in the newsletter and podcast spaces—to know what level of content they’re bringing to their audience.
I highly recommend Clint’s newsletter, TL;DR Sec.
In a recent conversation with a creator friend of mine, Clint Gibler, I came up with this 4-tier hierarchy. It breaks content into four levels:
Discovery: You’re just surfacing random, interesting stuff for your audience.
Curation: You’re being extremely conscientious about the quality of what you surface.
Analysis: You don’t just show them content; you’re also telling them why it matters.
Vision: You’re creating original ideas that help them navigate the world.
The context of the conversation was him asking me what part of his most recent newsletter I liked most, and I responded by telling him it was this section.
Top tier newsletters are heavy in levels 3 and 4.

An analysis section of a TL;DR Sec newsletter
When he asked why, I told him it was because it was Analysis, which is the second-highest form of newsletter content—with Vision being the top.
This quoted piece doesn’t just tell us that exploits come out faster than CVEs: it tells us how many exploits, and how much faster, and what percentage were zero-days. That’s valuable!
People are going to start unsubscribing from newsletters that don’t have level 3 or level 4 content.
In my own newsletter, I make this distinction clear with clearly labeled sections—although I don’t have a “Vision” one because that sounds ridiculous.

The Unsupervised Learning Discovery Section
It’s natural to combine Levels 1 & 2 into a single section.
This is a Level 1 and 2 (heads-up this is interesting content!) section, and it’s aptly labeled “Discovery”.
In my IDEAS, TRENDS, & ANALYSIS section, I try to combine Level 3 and Level 4 content by both commenting on what’s happening right there in the section—with a paragraph of commentary—or by linking out to full essays of original content.

Analysis (and hopefully vision) in a single section of UL
Why this matters
I think this is already happening, actually.
You should know where your podcast or newsletter content fits in this hierarchy because as those mediums continue to go mainstream people are going to tire—or become overwhelmed by—too many shows that offer only the first two levels.
Even if you have decent discovery and curation, people only have so much time.
“Prediction is hard, especially about the future.”
My prediction is that people will drop most of their first and second-level content and hold onto content that hits levels three and four.
Summary
There has been a massive adoption trend around newsletters and podcasts, with people signing up for tons of them.
Content moves through a value progression of Discovery, Curation, Analysis, and Vision.
As people get overwhelmed with all the content they’ve signed up for, they’re likely to drop most of the newsletters and podcasts at the first and second levels.
The highest chance you have of remaining on someone’s list after they cut 90% of their subscriptions is to provide analysis of what’s going on, and/or vision around what might be coming.
Notes
There could be an exception to this rule for self-help oriented content, e.g., James Clear, where he basically tells you how to be a happier or better person in very short little snippets. I think that’s producing impact at a 3-4 level, but on a completely different axis.
Entertainment value is a magnifier of all four levels, so if you only do discovery but you’re super funny while you do it, you could still hold onto an audience that likes your lens for seeing the world.
—
If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.
October 14, 2020
The Relationship Between Hardship, Struggle, and Meaning
I think the best thing to happen to America was a massive influx of people with The Immigrant Mentality™. A lot of people say immigrants are great—especially near San Francisco where I live—but they rarely complete the sentence with an explanation.
I’m not an expert on immigration, so this is really just a thought exercise.
I’m sure there’s a literature on this with some formal designations, but based on what I’ve read and experienced there are a few key attributes of the immigrant mentality that I’ll try to capture here.
They are thankful to be in the receiving country, because they acknowledge that it’s offering something not found where they came from
They’re extremely hard workers, and assume that it’ll be hard to get jobs and are willing to compete for them by working even harder
They’re extremely resilient to hardship, and simply get back up when they get knocked down
They tend not to complain about how hard things are, usually because they’ve seen much harder situations where they came from
As we’ve gone through this pandemic I’ve been thinking a lot about mental toughness. Not just for people during this very strange 2020, because yeah—there’s a lot going on—but even before then, with Americans in general.
According to the American Psychological Association, the rate of individuals reporting symptoms consistent with major depression in the last 12 months (as of March 2019) increased 52 percent in adolescents from 2005 to 2017 (from 8.7 percent to 13.2 percent) and 63 percent in young adults age 18 to 25 from 2009 to 2017 (from 8.1 percent to 13.2 percent). And again, that’s before the pandemic.
This claim could benefit from research, of course.
I have known a lot of immigrants in my life, and while I know the plural of anecdotes is not data, I generally don’t see or hear of too many depressed immigrants. Sad immigrants? Yes. They’re often separated from their families and lonely. Overworked? Absolutely. Stressed? Absolutely. But those feelings—while negative—are not the same as depression.
My loose hypothesis is that people with the immigrant mentality are resistant to depression because hardship and drive function as a depression vaccine. I think this is why so many Americans are depressed: because they have not experienced hardship and therefore lack any drive.
We can see something like this by looking at the attainment levels of immigrants vs. their children and grandchildren.
This generational gap is covered extensively in many books, but I think this New Republic piece captures it well:
The longer immigrant children live in this country, the worse, on average, their health, their attitude, and their school performance. What’s more, with each subsequent generation, immigrant children do worse and worse.
On average, first-generation children function at significantly higher levels than do typical American-born children. But, by the third generation, that advantage is gone.
Why Do Immigrant Children Struggle More Than Their Parents Did?
I think people who have purpose, or drive, naturally produce meaning when they face adversity. Or perhaps meaning is the natural exhaust of drive colliding with adversity and low-level suffering.
And the flip side of that is that depression could be the exhaust of a lack of drive colliding with nearly limitless options.
I imagine a tiny trickle of water being weakly pushed down a 10-foot pipe, vs. a massive stream of water being forced at high pressure through a tiny nozzle. The first stream of water is barely noticeable as a dribble, where the second can cut through metal.
So it’s not only the water pressure that propels the water at high speed: it’s also the clear and restricted path that it must take.
Immigrants are that high-pressure water nozzle. They know what they want—or need to achieve—which is usually a steady job, shelter, and the stability to safely start a family. That’s the pressure. That’s the drive. And the restricted nozzle is the fact that many immigrants have only one trade.
Perhaps they build things, or they cook, or they clean houses, or they know information technology. But it’s not as if they can open an art gallery and explore themselves. They have a trade and they are driven to get work doing that thing as quickly as possible.
60% of gun deaths in the US are from suicide.
The reasons so many people in America are upset, depressed, angry, and are overdosing on drugs are obviously numerous. It’s not like it’s one thing.
But I think a big part of it comes down to the lack of hardship, the lack of struggle, and the lack of appreciation for how easy it is to live in the US compared to most of the world.
Perhaps everyday meaning comes from something like this equation:
Hardship/Struggle → (produces) → Drive/Goals → (combines with) → Struggle/Adversity → (results in) → Meaning
In this model, hardship and struggle would come from serious things, like not having a place to live in your previous country, or having seen your parents go hungry so you can eat, or having experienced hunger yourself.
Drive and goals could be anything from a determination to never feel that hunger again, or to make sure your kids never experience it, to wanting to become a famous musician, or a lawyer.
Adversity is similar to hardship, except it’s the constant grind. It’s not the hardship you faced in the past that gave you your drive, but rather the opposing force that makes you have to push everyday to avoid being crushed.
US immigrants—especially from Mexico—have this. It’s neverending. Many of them had rough lives back home, and they’re here to better themselves and their families through hard work. They have the origin story that gave them the fire, and they have the daily and mandatory grind that keeps them afloat. This is why they can experience meaning in a good meal, a good beer, and spending time with friends.
I think many multi-generational Americans have simply had it too good for too long. It’s not their fault. And it’s not their parents’ fault. It’s hard to impose hardship on children when you went through it yourself. The inclination is to do the exact opposite. To shield them from that and make things easier for them.
Think about the slow water and the giant pipe again. That’s what so many American teens seem like to me today.
They’ve had an easy path their whole lives. They’ve never been cold. They’ve never been hungry. They’ve never felt deeply or consistently unsafe. They’ve never been denied education. They’ve had it good.
That produces the slow trickle of a small amount of water (drive).
Then, they’re told by everyone, and the media, that “they can be anything.” Oh, great. Thanks. So I have no interest in anything. No passion for anything. No idea what I should feel passionate about. And your wisdom is to tell me that my options are limitless?
For someone with no direction, being told they can go anywhere just makes it worse.
This is why so many Americans are struggling with a lack of meaning. It’s not the driven people who are grinding through long days and nights to get their masters degree so they can become an archaeologist—which they’ve always wanted to do—that are hurting. They’re sleep-deprived, and exhausted, and stressed about money, etc. But they’re not as likely to be depressed.
It’s the directionless that we need to worry about. Especially the ones with “lots of options”.
Far too many of them are unable to produce a steady flow of water at useful pressure level. Instead you end up with a giant, abandoned water pipe that’s a bit swampy to walk through.
People like that are open to anything that will get the water moving. Anything to either increase their passion and drive, or to focus it into a tight stream.
People like that are easy to control.
I think if we are to have any long-lasting civilization we must learn how to imbue our youth with the memory of hardship. We must teach kids—somehow—what it’s like to struggle so that they can develop their own drive and therefore their own potential for meaning.
If we don’t learn this lesson we will end up repeating massive cycles of:
War
A couple generations of great people who now appreciate life
2-3 generations of people increasingly taking the good life for granted
War
Enough already.
—
October 13, 2020
Civil War Would Look Different This Time
A lot of people are talking about another American Civil War.
A number of white nationalist groups are even hoping for one, and the boogaloo movement is based completely around the idea.
Nobody obviously knows if that’ll happen, or what it would look like, but there’s a deeper problem with even defining it. What does it mean to have a Civil War in a country where people aren’t separated geographically?
I’m sure there are many examples we can look at throughout the world, where there are internal conflicts between peoples, and I’m curious where the line is between internal strife, internal violence, and civil war.
As a layperson on the topic my first inclination is that you’d need the warring factions to be separated from each other, and that’s what makes it seem strange in the US today.
There are some neighborhoods that are somewhat homogenous, obviously.
If the reason for the war is race, what are the sides? Crazy white people on one side and everyone else on the other? White people against Black people? The problem there, of course, is that there are white and Black people all over the place. They’re interspersed within states, cities, and even neighborhoods, so it’d be pretty difficult to group people on one “side” vs. another.
Or maybe the idea is not race but class. But that’s the same problem. Every state and most cities have rich and poorer areas, and the forming of sides once again seems like a logistical problem that would have difficulty reaching critical mass.
But perhaps the standard is just different now. Maybe it’s not a matter of clear sides, per se, but rather just reaching X level of unrest over Y number of distinct areas.
Civil War can’t look the same this time because there aren’t clear sides separated by geography.
Throw in some anti-Government for good measure.
So whether it’s anti-white, anti-non-white, anti-rich, or anti-elite—it’s really all the same. It’s people deciding that they don’t like the current system, going outside and getting violent. And then when those various groups meet, then you get the clashes.
As we saw from the protests and riots earlier in 2020, it’s pretty easy to have confusion at a riot or protest. People aren’t exactly wearing color-coordinated team uniforms that are associated with mission statements.
I’ve witnessed—and even been in a couple of situations—where someone tries to break up a fight among people on the same side, and they suddenly get attacked by someone thinking they’re part of the other side, which spawns a violent response.
So, yeah, I think that’s really the standard at this point—basically a certain level of unrest, spread over a certain number of cities, that lasts a certain amount of time. Whether it’s 1%-based, or race-based—I’m not sure that matters as much.
There are lots of reasons people could erupt at this point. The real question is how widespread it is, how intense, and how long-lasting.
I think that’s what Civil War means at this stage of America’s lifespan.
—
October 12, 2020
News & Analysis | No. 250
—
October 9, 2020
A CrowdSec Primer: A Modern Replacement for Fail2Ban
If you’ve been around security for a while you’ve probably used—or are still using—Fail2Ban. It reminds me of Nikto or Netcat in a way in that it’ll always have a place of respect in my heart, but while Nikto and Netcat were supplanted in many ways by other tools, Fail2Ban still seems like the best tool out there for managing abusive users on services like SSH.
With CrowdSec that appears to be changing.
Introduction
CrowdSec is more than just a Fail2Ban replacement though, which makes it a bit confusing. It calls itself:
Their team reached out to me after I featured them on Unsupervised Learning.
An open-source and crowd-powered software enabling you to detect & block attacks.
…which is definitely in the Fail2Ban space, but when I had a call with their team they were thinking much bigger than that. Here are some of their described features:
From their site…
allows you to detect attacks and respond at all required levels (detect where your logs are, block at CDN or application level)
is easy to install and maintain with no technical requirement. The installer even comes with a wizard, duh!
is designed to be integrated with other solutions and components (i.e. use CrowdSec to read your mod_security logs and automatically block attackers at your CDN level)
is about sharing: meta-data about the attack/attacker you detect is sent to a central API, and malevolent IPs are shared with all users.
is lightweight: it runs standalone, doesn’t require much RAM or CPU
can work with cold logs: you can run it on “cold” logs and see what could have happened
comes with out of the box dashboards, because we know visualisation is key
Some other features I liked were:
They’re a French company, so privacy is a huge focus. According to them, the only three things that leave your box are a timestamp, the offending IP, and the policy they violated.
Their tool is built on Go.
Download and install
You can install this and be up and running in like two minutes.
Download
git clone https://github.com/crowdsecurity/crow...
Install
sudo ./wizard.sh -i
As the GIF shows above, it basically walks you through a wizard to select what types of daemons/logs you want to monitor—which it also auto-detects—and you’re done.
Components
The system consists of three main components:
The CrowdSec Service, which is basically the persistent service that monitors logs, tracks attacks, etc.
The Command Line Tool, which is the cli interface for interacting with the service.
Bouncers, which are the integrations with other tools that allow actions to take place.
You can also do configuration by editing files, which we’ll talk about later.
So basically the service does all the monitoring, the cscli tool is how you do configuration, ban stuff, get metrics, etc., and the bouncers are how the system interacts with other tools to actually do things, like blocking someone in SSH or Cloudflare, etc.
Usage
So there are a few different ways you can interact with the tool. My favorite is through the cscli command, which has these options:
cscli metrics
This gives you the primary outputs of what’s been seen and acted upon within the system.
cscli metrics

The output of the ‘cscli metrics’ command
This shows you all kinds of stuff, like the number of attacks within the various collections (modules), such as—in this box’s case:
http-backdoors-attempts
http-bad-user-agent
http-crawl-non_statistics
http-path-tranversal-probing
http-probing
http-sensitive-files
http-xss-probing
ssh-bf
ssh-bf-user-enum
You also get to see which logs are being looked at, plus the metrics on how those logs were parsed.
cscli ban list
This command shows you the current contents of who’s been banned, along with what got them banned.

A look at a host’s current banned IPs
This shows you things like the IP that got banned, the number of events that were seen from them, the number of times they’ve been banned, the country they came from, as well as the AS (autonomous system) their IP belongs to.
Configuration
In addition to the cscli method of making changes to configuration, you can also do so old-school Linux style. The main config for editing scenarios, for example, is in:
vi /etc/crowdsec/config/profiles.yaml

Editing the YAML config files for detection scenarios
The bad thing is also that it’s YAML.
The good thing about this is it’s just YAML. And you get to create your own scenarios as well.

An example of a custom configuration.
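To make the detection model behind a scenario like ssh-bf concrete, here is an added example in Go (my own code, not CrowdSec’s implementation or anything from its repo): a per-source-IP leaky bucket fed with sshd “Failed password” lines, producing a ban list with expirations the way the service does. The capacity of 5 events, the 10-second leak speed and the 4-hour ban are assumed values, and the log lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// One leaky bucket per source IP, the same model CrowdSec's "leaky" scenarios
// use: each matching event adds a token, tokens drain continuously at
// leakSpeed, and when the level exceeds capacity the scenario fires.
type bucket struct {
	level    float64
	lastSeen time.Time
}

// Detector holds the (assumed) scenario parameters and the resulting ban list.
type Detector struct {
	capacity  float64
	leakSpeed time.Duration
	banFor    time.Duration
	buckets   map[string]*bucket
	bans      map[string]time.Time // source IP -> decision expiry
}

func NewDetector(capacity int, leakSpeed, banFor time.Duration) *Detector {
	return &Detector{capacity: float64(capacity), leakSpeed: leakSpeed, banFor: banFor,
		buckets: map[string]*bucket{}, bans: map[string]time.Time{}}
}

// The parser stage: pull the syslog timestamp and the client IP out of an sshd
// "Failed password" line; every other line is ignored by this scenario.
var sshFailedAuth = regexp.MustCompile(
	`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+`)

// Feed processes one line and reports the source IP of a matching event and
// whether that event overflowed the bucket (i.e. produced a new ban decision).
func (d *Detector) Feed(line string) (string, bool) {
	m := sshFailedAuth.FindStringSubmatch(line)
	if m == nil {
		return "", false
	}
	ts, err := time.Parse(time.Stamp, m[1]) // syslog stamp: no year, but ordered
	if err != nil {
		return "", false
	}
	ip := m[2]
	b, ok := d.buckets[ip]
	if !ok {
		b = &bucket{lastSeen: ts}
		d.buckets[ip] = b
	}
	// Leak: one token drains per leakSpeed elapsed since this IP's last event.
	b.level -= float64(ts.Sub(b.lastSeen)) / float64(d.leakSpeed)
	if b.level < 0 {
		b.level = 0
	}
	b.lastSeen = ts
	b.level++
	if b.level > d.capacity {
		d.bans[ip] = ts.Add(d.banFor) // overflow: record the decision
		b.level = 0                   // and empty the bucket so a flood must refill it to fire again
		return ip, true
	}
	return ip, false
}

// Scan runs the detector over a whole log (cold logs work exactly like live
// ones) and returns the ban list, the analogue of `cscli ban list`.
func (d *Detector) Scan(log string) map[string]time.Time {
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		d.Feed(line)
	}
	return d.bans
}

// IsBanned reports whether ip has an unexpired decision at time now.
func (d *Detector) IsBanned(ip string, now time.Time) bool {
	exp, ok := d.bans[ip]
	return ok && now.Before(exp)
}

// Constructed sample auth log (not real traffic): one brute-forcer doing six
// attempts in five seconds, and one legitimate user mistyping twice a minute apart.
const sampleAuthLog = `
Oct  9 10:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
Oct  9 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 4002 ssh2
Oct  9 10:00:02 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 4003 ssh2
Oct  9 10:00:03 host sshd[1204]: Failed password for root from 198.51.100.7 port 4004 ssh2
Oct  9 10:00:04 host sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 4005 ssh2
Oct  9 10:00:05 host sshd[1206]: Failed password for root from 198.51.100.7 port 4006 ssh2
Oct  9 10:00:30 host sshd[1210]: Failed password for alice from 203.0.113.4 port 5001 ssh2
Oct  9 10:01:30 host sshd[1211]: Failed password for alice from 203.0.113.4 port 5002 ssh2
`

func main() {
	d := NewDetector(5, 10*time.Second, 4*time.Hour)
	for ip, exp := range d.Scan(sampleAuthLog) {
		fmt.Printf("ban %s until %s\n", ip, exp.Format(time.Stamp))
	}
}
```

Only 198.51.100.7 ends up on the list; alice’s two failures leak away between attempts, which is what keeps a leaky bucket from banning slow, legitimate mistakes.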
Integrations
What makes this tool more like a platform than a utility is its numerous integrations with other tools.

Some of the integrations you can do with other technologies
So the system doesn’t just detect attacks using its view into your logs, it can also trigger various actions once something is detected, such as:
Blocking people in Cloudflare
Running your own arbitrary scripts
Executing a block in netfilter/iptables
Denying an IP in Nginx
Blocking in WordPress
Etc.
This tells me they’re thinking big and long-term with this thing, and not just as a replacement for a local banning tool.
Summary
So the bottom line—at the very minimum—is that we seem to have a modern replacement for Fail2Ban, and over time that may turn into something more.
Notes
Oct 9, 2020 — Because I mentioned them in my newsletter, and I’m super enthused about them, I’m pursuing a sponsorship engagement with them for Unsupervised Learning. But I don’t really do sponsorships like other places. I consider it more like “bi-directional positivity”, i.e., I’m going to say what I’m going to say about them regardless, and if I can get them to support the show then that’s great. They get zero creative control, and I don’t even promise to mention them any number of times, or in any format. That is 100% up to me, based on what I think is the best experience for readers and listeners. It’s completely up to me if and how I choose to raise them in the show, and they get no input into what’s said. I feel strongly that this is the only type of paid product discovery that works well with a direct-support monetization model, and with a show that’s free from outside influences. You can read more about my approach here. More
The other thing about this whole sponsorship/money business is that I tend to feature a product for around 6-12 months, so if you’re reading this after 2021 they likely won’t be a sponsor anymore.
—
October 5, 2020
News & Analysis | No. 249
I spend 5-20 hours a week consuming books, articles, and podcasts that explore the intersection of security, technology, and society. Then every Monday morning I send out the best of what I found. Sign up here >. Get the weekly version >.
MY ESSAYS
Operation Fortify: A US Ransomware Plan More
Cyber Pearl Harbor is Happening Right Now — It’s Ransomware More
Ransomware Groups Add a Third Threat Vector: DDoS More
SECURITY NEWS
The President of the United States, his wife, and several members of his inner circle have contracted Coronavirus. This adds an additional layer of uncertainty to US elections that are in less than a month. More
Github has rolled out its code scanning feature to all its users, which lets people know if they’ve added code with known security flaws. More
Right after Trump said he had COVID, some people on Twitter noticed some E-6B’s taking off and landing, which are used to manage US missile defense operations. They started speculating, which turned into a major Twitter event. Turns out, they fly all the time, so nothing had really changed. This is a great example of why it’s important to ask questions when you hear about something new. Questions like, “Is this new because we’re just now learning about it, or because it’s truly rare?” “When was the last time this happened, and what were the circumstances?” Etc. More
After saying for months that their breach did not affect customers’ bank details, Blackbaud has now revealed that this in fact did happen, including unencrypted versions of account numbers, social security numbers, and username/password combinations. More
Vulnerabilities:
Grindr had a serious vulnerability that allowed you to reset anyone’s password just by having their registered email address. More
QNAP continues to tell their users to update and to be vigilant for ransomware. They seem to be in this position quite often. More
Companies:
Cloudflare has launched a free API security tool called Cloudflare API Shield. This is super smart given how much trouble people have with API security. More
Axis Security raises $32 million to help secure remote workers. More
Cisco has purchased PortShift to get into the DevOps and Kubernetes spaces. More
TECHNOLOGY NEWS
Google Assistant has an awesome new feature called “Hold For Me”, which will wait on hold for you while you do other things. I love the innovation Google is doing around phone calls. More
Amazon has launched a new product called Amazon One, which lets you scan into a location using your palm. They’re demoing it at a couple of Amazon Go stores in Washington, but hope to sell it to lots of other places. More
Tesla crushed predictions and shipped nearly 140,000 vehicles last quarter. More
Cloudflare has rolled out a web analytics offering to compete with Google that stresses privacy by not gathering information on site visitors. More
Unscreen is a new product that can remove backgrounds not just from images, but from videos. More
Twitter is continuing to roll out voice tweets to more users. More
Facebook has launched an app called Forecast, which does “crowdsourced predictions”. It lets you make predictions about things, which are then scored over time. Kind of reminds me of the book, Superforecasting. More
Companies:
Amazon’s Prime Day is October 13th and 14th. More
Golden is a company that wants to ‘map all human knowledge’, and it just raised $14.5 million in a Series A from Andreessen Horowitz, DCVC, and Gigafund.
PandaScore has raised €5 million for its AI-powered eSports data dashboards. More
HUMAN NEWS
Xi Jinping has shocked the climate change community by saying he will have his country’s carbon emissions peak before 2030, and that he expects to reach carbon neutrality by 2060. More
Morgan Stanley is buying E*Trade. More
New York City thinks half of its restaurants will close permanently. More
Publishers are getting worried because digital book borrowing rates have increased by 52% since March. More
Undergraduate degree enrollment has fallen significantly during COVID, but post-grad enrollment is up. This seems like part of the disturbing trend of the marketable (those with degrees) seeking to become more so, while those who are less marketable (those without college) are giving up. More
Girls Who Code says half of young women will leave their tech jobs by age 35. More
Actively speaking multiple languages reduces the chances of cognitive impairment, with locales that speak more than one language experiencing dementia prevalence that’s 50% lower. More
Mars is as close to the Earth this week as it will be for another 15 years. More
IDEAS, TRENDS, & ANALYSIS
Do Things That Don’t Require Scale More
An argument that a better way to think about China and Taiwan is not “will they invade or not”, but rather as a Civil War that was put on pause during WWII and has never ended. More
UPDATES
I’m in the process of redoing my RSS feeds in Feedly. I used to have my tags, or categories, listed fairly generally, e.g., security, technology, etc. But now, with so many feeds, it’s hard for me to get through all the titles while still filtering for context and quality. In other words, I need to be able to adjust how skeptical I am of something based on the source, and this is hard to do when I’m looking at 797 articles. So what I’m doing now is breaking my categories into smaller pieces, like, “news-high-quality, news-political-analysis, security-disinformation, tech-social-discovery”, etc. This tells me the level of caution I should employ, and the frame of mind I should be in, when parsing content. As part of that, I’m also pruning a lot of sources and focusing on fewer, higher-quality sources. We’ll see how it goes. Early Screenshot
DISCOVERY
Thinkst Canary — Three minutes of setup and nearly zero false positives in detecting threats on your network. More
ASMRION — A generator of soothing sounds. More
INTEZER — Track the use of libraries with offensive capabilities by threat actors. More
You can now use IPINFO to resolve IPs to hostnames very quickly. IPINFO is absolutely one of my favorite recon tools! More
GHunt — A tool that gathers lots of Google-based information on someone based on just their Gmail address. More
RECOMMENDATIONS
Enjoy the Best—Not the Latest—Media. “Go by the average rating, not popularity. It’s better to watch something a million people love than something 10 million people watched and consider okay.” More
APHORISMS
“The difference between successful people and really successful people is that really successful people say no to almost everything.”
~ Warren Buffett
—
October 4, 2020
Ransomware Groups Add a Third Threat Vector: DDoS
I’ve been writing a lot on ransomware recently, and wanted to comment on an interesting new development in attackers’ toolchests.
At first they started with:
If you don’t pay, you won’t get your data back.
This is the original ransomware tactic. It’s a denial of service against your data. You pay, and you (sometimes) get your data back.
Then, within the last year or two, they started adding a second technique, which is stealing the data before they encrypt it—and then if you don’t pay they threaten to release that data and embarrass your business.
If you don’t pay, we’ll release this data to the public.
And now they’re adding a third tactic, which is a denial of service again, but at the business/network level. They threaten to DDoS your company so customers can’t use your service.
If you don’t pay, we’ll knock your business offline.
This is a brilliant set of options for an attacker, and they seem to be moving from left to right, which is the order in which they became popular. So they start by asking if people want their data back. If they have good backups, or don’t need the data, they threaten to release that data to the public, and if that doesn’t work they now seem to be pivoting to a threat to take the business offline using a DDoS attack.
All three cases target the business’s ability to make money. The first and third are direct hits to the ability to do business itself, and in the case of embarrassment, it’s an attack on reputation, finances, and resources via lost customers, fines, etc.
They also get to point to real-world examples in their threats, such as the situation in Las Vegas where student information was just leaked because a school declined to pay a ransom.
The thing that makes these groups so dangerous is their ability to evolve their attack techniques. And that’s not just the quality of their malware, but the effectiveness of their approaches to victims.
Some groups play the sympathy card, and apologize for asking for the ransom. Others pretend their threats are “findings” that are part of a bug bounty program, which gives the company the out of paying security researchers instead of hackers.
Whatever the tactic, the problem is that the attackers are evolving a lot faster than defenders are. And we should expect that gap to continue and even widen in the coming months and years.
—
If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.
Operation Fortify: A US Ransomware Plan
The US is currently being ravaged by ransomware.
Google News Results for US Ransomware
Our schools are being disabled, our small businesses are being pilfered, our cities are being taken offline, and now our hospitals are being attacked as well.
I talk about the reasons here, but in short, we have long had a horrible state of security in our local governments, our small businesses, our schools, and our hospitals. But until recently, attackers were using less-advanced malware in an unorganized way.
Now they’ve not only started perfecting the tooling they’re using, but they’ve figured out how to monetize the entire operation. They’ve married the tech with the business side, and the combination has caused an epidemic.
The problem is that we’re figuratively out-staffed and out-gunned. In low-security environments, attack is infinitely easier than defense. These soft targets not only lack the defensive technology to protect themselves, they don’t even know what that tech is. And even if they did they wouldn’t have the people to do a basic security assessment, implement basic security practices, and to install and maintain some basic defensive technology.
So I have a proposal: Operation Fortify.
Free to attendees.
The Pentagon starts a new program called Operation Fortify, which allocates multiple billions to hardening our essential infrastructure of governments, schools, SMBs, and hospitals.
This is accomplished by activating millions of people into the US workforce via a new, standardized security course that takes people new to the industry or who are already working in it—and teaches them how to secure an organization.
These are the top 20 NCC and Optiv-type companies in the country.
Those people are then hired as supplemental staff to the US’s existing security services companies that do consulting like this already.
I know many of the best people in the industry for making this course content.
We create a free, instructor-led, 2-week (virtual) security training course available to anyone in the US who wants to get into security (or move into this area). The course is trade-focused in that it teaches how to do very specific tasks that will help attendees lock down organizations.
Those tasks are: Security Fundamentals (Security+), Networking Basics, Sysadmin Basics, Security Assessment Basics (Nmap, OWASP Zap, etc.), Security Hardening Basics (Patching, Disabling Services, etc.), Ransomware Basics (Common Features, Common Variants, etc.), Endpoint Tool Basics (SentinelOne and Crowdstrike).
We then create a concise Fortify Hardening Methodology (FHM) that serves as an infographic and Top-10 list of items to be done for every entity in the country we want to protect.
Maybe add a Cyber to the name. People love some Cyber.
After people go through the course and pass the exam, they become Fortify Certified. They are now part of the National Fortify Task Force, and are eligible for hire at these existing US security companies.
The Fortify Project then goes to SentinelOne and Crowdstrike, taps them on the shoulder, and says, “You’ve been drafted. We’re securing the entire country using your software. Here’s a lump sum, so make us a free version to be used in all these organization types.”
We then divide up the country into regions and verticals. So we’ll have like Southwestern Hospitals, for example, and Northeastern Governments. Every government, school, hospital, and SMB in the country will be accounted for and entered into our National Attack Surface Map (NASM).
Then we execute.
Project Fortify deputizes all these security services companies to carry out the hardening procedures in the Fortify Hardening Methodology.
Fortify-certified people are added, as they graduate the course, to the ranks of the local branch of whichever NCC/Optiv-type company operates where they live.
Each new recruit then gets virtually deployed (via Zoom, et al) to their assigned “customer” based on where they’re needed most in the NASM.
If you’re some random county government in upstate New York, for example, Julie will show up one day and say, “Hi, I’m with Project Fortify, and I’m here to help.” She’ll then proceed to follow the Fortify Hardening Methodology for that customer. Figuring out what they have, getting it patched, locking down credentials for key systems, getting the security software installed and configured, etc.
If your objection is that it’ll be a nightmare to put partially-trained people onsite doing work like this, I have two responses. First, you should have more faith in American industriousness. And second, we’re already living a nightmare. It’s actually pretty hard to go into one of these places and MESS UP their security.
If your objection is that this will be hard, or that it’ll cost a lot of money, well, yeah. The only thing that will cost more is doing what we’re doing now. And given the state of military budgets, what’s a few billion among friends?
To be clear, it’s not that I think this is a good idea. There are many challenges with it. I simply think it’s the best option we have.
It activates Americans. It puts them in play against a serious threat. And it simultaneously functions as an infrastructure enhancement project—kind of like Roads and Bridges—and a national training program that addresses the cybersecurity skills gap.
Notes
We could also have a massive network of technical support, using people in infosec who already have jobs. So basically the Fortify Operatives? who are deployed onsite can ask questions about installations, configs, etc. For specific product support, the company itself can potentially offer help with a dedicated support line just for Fortify assistance.
A major, positive side-effect will be that we’ll have trained somewhere between tens of thousands and a few million Americans with some basic security knowledge. Some significant percentage of them are likely to transition into careers in the field using that jumpstart.
This is not the logo I recommend. It’s just a placeholder graphic from the internet that I added the Fortify project name to. But—even more than most projects—this definitely needs a great logo.
The practical nature of the training is likely to help with both the effectiveness of the people onsite during Project Fortify and their marketability afterward.
September 29, 2020
Cyber Pearl Harbor Is Happening Right Now — It’s Ransomware
Since 2007 the InfoSec industry has been talking about TheBigOne™—the event that would change cyber threats from annoyances to existential concerns.
They called it Cyber Pearl Harbor.
This doesn’t mean it can’t still happen.
The idea was that it’d be some massive blast that would take out the country’s power grid, or disable the entire internet, along with what they used to call e-commerce. That moment hasn’t happened (yet), but I think we’ve become the frog in the boiling cyber-water.
Ransomware is the Cyber Pearl Harbor we’ve been waiting for all along. It just looks different. Rather than being the one big blast, it’s more of a steady bombardment.
Ransomware is the new PCI.
1. It’s annoying
2. It’s not nearly the whole story
3. It’s forcing a lot of organizations to take security seriously
— Daniel Miessler (@DanielMiessler) September 19, 2020
No catalyst for change compares to real-world consequences.
Business disruption is the ultimate argument.
Some stats:
At the time of this writing, Google News returns 7,460,000 results for the term Ransomware.
SafetyDetectives reports the average cost of a ransomware-caused downtime incident has risen from $46,800 in 2018, to $141,000 in 2019, to $283,800 in 2020.
The UHS hospital network, which is a Fortune 500 company with over 400 hospitals, has had multiple hospitals affected, which required them to redirect patients to other options.
According to Datto, Ransomware attacks are costing businesses more than $75 billion a year.
Ransomware groups simply evolve too fast for small school districts with no IT staff.
She tried to reroute to another hospital and didn’t make it.
A woman recently died in Germany after she couldn’t receive critical care at her local hospital due to an attack.
A ransomware attack against the New Orleans city government in early 2020 cost the city over $7 million dollars.
New York City’s capital was hit with a ransomware attack in 2019 that took several key services offline.
IBM says 1 in 4 of attacks its X-Force Team sees is caused by Ransomware.
Ransom demands are increasing exponentially. In some cases, IBM Security X-Force is seeing ransom demands of more than $40 million.
The skill and preparation asymmetry between attacker and defender is drastic.

My rough scribble of how ransomware sophistication surpassed our defensive capabilities somewhere around 2018
I think the only reason we survived this long without serious disruption to business—like we’re seeing now—is because attackers didn’t have their acts together. Their tooling wasn’t nearly as good as it is now, and they hadn’t linked their tooling with the business models.
Today there are multiple routes to make money from an insecure business. Once they get in—via RDP or Phishing or Drive-bys—they are not only extorting people who want to get their data back.

Google Trends Data for the term Cyber Pearl Harbor
As a security person I sometimes have to admire their creativity.
Many groups have come to realize that some companies have good backups, so they start by stealing a copy of the data for themselves at the beginning of the attack. Then if someone doesn’t want to pay they can threaten to release the data and create a public incident.

A threat to release data. Image from BrianKrebs.com.
These attacks don’t seem to be slowing down, and the attackers keep getting better at them. They’re improving their tools, they’re improving their business models, and they’re constantly evolving their techniques for getting companies to pay using social engineering.
The question is—how fast are our schools and hospitals and local governments improving our defenses to stay ahead of the attackers on all these fronts?
Nowhere near fast enough. That’s my answer.
Even medium and large businesses struggle to handle this threat, and that’s with dedicated security staff to help them. The small businesses, government orgs, and other entities that lack security talent and budgets are hopelessly outgunned.
If enterprises that spend millions on cybersecurity struggle with this, what hope is there for local governments?
I think the attackers are just now hitting their stride. I think they’re going to get more deadly, more efficient, and smarter about who to target at what times.
Schools have had to shut down over this. Hospitals. City governments and businesses. And as far as I can tell there’s no end in view here. We don’t have enough security people to cover the surface area, even if these targets had the budget to hire them.
We can stop waiting for Cyber Pearl Harbor. It’s here already, and we’re living it.
Notes
I think what’s going to happen before too long is the federal government will tap the endpoint vendors on the shoulder and say: “Hey, the country needs you. Here’s several hundred million dollars: you now need to get Crowdstrike, Sentinel One, etc., installed on every school and government computer in the country. Go.”
I’d put BEC in the same conversation, but not the same sentence.