Not really many relevant comments in this thread. Everyone seems to have read the first sentence (if even), interpreted it as 'why did no one think the NSA was hacking?', and responded. It's a shame, this is a great piece, I think.
The question is, with all of these companies performing IR, why didn't they see mass exfiltration and C2?
I think the article lays out largely correct claims.
I personally would imagine (2) and (5) to be the most significant.
Regarding (2), it is so hard during an incident to know exactly what is attacker behavior and what isn't, to know that it's all the same attacker, etc. It isn't so uncommon to go digging into an incident only to find some unrelated malware - and in fact many companies find out they're owned from their pentesters.
With regards to (5), defenders have frankly been too slow to evolve. The people investigating these attacks likely only have a rudimentary understanding of TCP/IP, have virtually no ability to read or write code, and mostly are trained to build and enforce policy. The idea that they can catch even basic attackers in realtime is a joke; that they are to also be tasked with catching the NSA is just a depressing, hard-to-swallow reality.
Attackers are out here building up toolchains from scratch - anyone who isn't doing that is called a script kiddie. And yet defenders who can't build a single thing, who can only throw tools at a problem, are the standard. Attackers are flat out better than defenders - they work smarter, they have better capabilities, and defenders don't even seem to care en masse.
As Alex Stamos said (paraphrasing), most companies aren't even "playing the game", and it's a select few that even know what game to play - not even that they're playing well, but at least they showed up to the right ballpark (I'm butchering his statement). The vast majority of companies employ outdated models of security, and incident response is probably the least mature, with devops pushing more and more infrastructure and product security engineers over IT admins.
No doubt that NSA's scale allowing novel forms of exfil like passive collection also played a major part.
What a sad state.
Having taken VC money to try to improve the situation I do always laugh when thinkst talks about that :) but much respect!
> The question is, with all of these companies performing IR, why didn't they see mass exfiltration and C2?
1. Good tradecraft means that, except for skilled IR folk, they wouldn't see mass exfil/C2.
2. American IR companies know what side of their bread is buttered on. From both employees' personal allegiances to their former employers and the company's active government contracts, there's not a lot of incentive to report on their own government's actions.
How would they know it's their own government? If the NSA were in the habit of leaving calling cards, then sure some info-sec people might keep quiet out of patriotism, but others would be screaming from the rooftops about proof of conspiracy.
More likely, as the author mentions, the NSA disguises its attacks as less sophisticated than they really are.