Internet Pioneer On Incident Response: Sorry, There's No 'Magic Security Pixie Dust'
Internet Pioneer Vixie On Incident Response
Incident responders need better tools and information to build a case against attackers, said Paul Vixie, an Internet pioneer, domain name system expert and security luminary. Vixie founded Farsight Security, which maintains a passive DNS database for incident responders at ISPs, network and system security solution providers, governments and businesses. The authoritative DNS data contains no personally identifiable information, but it can help responders determine the scope of a cybercriminal campaign and map out an attacker's prior activities. Cybercrime will never be stamped out under the current open standards governing the Internet, Vixie said. Here's why he believes incident response capabilities are necessary for all businesses and his predictions for how the security industry will evolve.
Open Internet Fuels Rising Threats
"The Internet is a mess," said Vixie, who serves on the security and stability advisory committee of ICANN. "We don't have admission control, we don't have control over who can send spam or who can forge IP addresses or create DDoS attacks. It is a holy terror. It is a lab-grade toy network that has been forced on an unsuspecting world who probably hoped for a more 'Star Trek'-like future. There's an argument to be made that maybe we should have done better and made this a little more resilient. Now, having had a ringside seat for 25 years, I can tell you that this is the only way that a global network could have been built. The fact is that this was the right way to go. It was completely open to innovation from anywhere and this is what was going to win."
Taking Recourse Against Attackers
"Recourse is one of three goals for incident response. An incident responder may be building a case for prosecution. That means uncovering evidence to work toward prosecution or lawsuits against whoever attacked the business," said Vixie.
Establishing The Security Incident Impact
"The second goal of incident response is the ability to gain an understanding of the depth and breadth of an attack," he said. "If you see one corner of it, you might like to be able to go look through the rest of your Splunk or Syslog or whatever it is you are using to gather data about your network to review recent history and find related attacks. Investigators need to have access to related identifiers."
Building A Defense Against Future Attacks
"If you have been attacked in a certain way by a certain criminal gang, you would like, if possible, to firewall them out. Related attacks from the attackers won't work if they can't get past the outer perimeter. That calls for being able to map the infrastructure of whoever it is that attacked you," said Vixie.
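The three responder tasks Vixie describes above (scoping a campaign from passive DNS data, pulling related identifiers out of Splunk or syslog, and mapping the attacker's infrastructure so it can be firewalled) all come down to the same pivot: domain to the addresses and name servers it used, and from those back to every other name that shared them. The example below is added here and is not Farsight's code or a DNSDB client; the record layout, the passive DNS observations and the log lines are all constructed for illustration. It also shows the caveat a practitioner would want: an address shared by many unrelated names (a CDN or shared hosting box) is flagged rather than blocked, because pivoting through it produces noise and firewalling it causes collateral damage.

```python
"""Pivot through passive DNS to map an attacker's infrastructure, derive a
time window for the campaign, and check local logs for related identifiers.

Added example; not code from the article, from Farsight or from any
passive DNS vendor. The record layout is a constructed, simplified stand-in
for a passive DNS export: (owner name, record type, data, first seen,
last seen). The observations and log lines below are constructed too.
"""
import re
from collections import defaultdict, deque

# Constructed passive DNS observations (dates are ISO strings so they sort).
PDNS = [
    ("login-update.example", "A", "203.0.113.10", "2014-01-03", "2014-02-11"),
    ("login-update.example", "A", "203.0.113.11", "2014-02-12", "2014-03-01"),
    ("secure-mail-check.example", "A", "203.0.113.11", "2014-02-20", "2014-03-05"),
    ("login-update.example", "NS", "ns1.bad-registrar.example", "2014-01-01", "2014-03-05"),
    ("invoice-portal.example", "NS", "ns1.bad-registrar.example", "2014-02-01", "2014-03-05"),
    # A busy shared-hosting address: many unrelated names point at it.
    ("secure-mail-check.example", "A", "198.51.100.5", "2014-02-20", "2014-03-05"),
    ("cdn-shared.example", "A", "198.51.100.5", "2013-06-01", "2014-03-05"),
    ("blog-a.example", "A", "198.51.100.5", "2013-01-01", "2014-03-05"),
    ("blog-b.example", "A", "198.51.100.5", "2013-01-01", "2014-03-05"),
    ("shop-c.example", "A", "198.51.100.5", "2013-01-01", "2014-03-05"),
]

# Constructed syslog-style lines from a proxy, a firewall and a resolver.
LOGS = [
    "Feb 21 10:02:11 proxy1 squid: 10.0.0.23 TCP_MISS/200 GET http://secure-mail-check.example/login.php",
    "Feb 21 10:05:40 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.44 DST=203.0.113.11 DPT=443",
    "Feb 21 10:06:02 proxy1 squid: 10.0.0.51 TCP_MISS/200 GET http://blog-a.example/index.html",
    "Feb 22 08:14:19 dns1 named: client 10.0.0.77 query: invoice-portal.example IN A",
]

PIVOT_TYPES = {"A", "AAAA", "NS"}  # record types worth pivoting on


def build_indexes(records):
    """Forward index (name -> records) and reverse index (rdata -> names)."""
    by_name = defaultdict(set)
    by_data = defaultdict(set)
    for name, rrtype, rdata, _first, _last in records:
        if rrtype in PIVOT_TYPES:
            by_name[name].add((rrtype, rdata))
            by_data[rdata].add(name)
    return by_name, by_data


def map_infrastructure(records, seed, max_fanout=3):
    """Breadth-first pivot from one known-bad domain.

    Each address or name server the current domain used leads to every other
    domain that used it. Data shared by more than max_fanout names is put in
    'noisy' for manual review instead of being expanded or blocked.
    """
    by_name, by_data = build_indexes(records)
    infra = {"domains": {seed}, "ips": set(), "nameservers": set(), "noisy": set()}
    queue, seen_data = deque([seed]), set()
    while queue:
        name = queue.popleft()
        for rrtype, rdata in by_name.get(name, ()):
            if rdata in seen_data:
                continue
            seen_data.add(rdata)
            linked = by_data[rdata]
            if len(linked) > max_fanout:
                infra["noisy"].add(rdata)  # shared hosting / CDN: do not pivot
                continue
            infra["nameservers" if rrtype == "NS" else "ips"].add(rdata)
            for other in linked:
                if other not in infra["domains"]:
                    infra["domains"].add(other)
                    queue.append(other)
    return infra


def campaign_window(records, infra):
    """Earliest and latest observation of the mapped (non-noisy) records,
    i.e. the span of history a responder should pull from the log store."""
    spans = [(first, last) for name, _t, rdata, first, last in records
             if name in infra["domains"] and rdata not in infra["noisy"]]
    return min(f for f, _ in spans), max(l for _, l in spans)


def indicators(infra):
    """Block-list candidates: everything mapped except the noisy shared data."""
    return sorted(infra["domains"] | infra["ips"] | infra["nameservers"])


def search_logs(log_lines, infra):
    """Return (indicator, line) for each log line touching the mapped set.
    Boundaries stop '203.0.113.1' from matching inside '203.0.113.11'."""
    alternatives = "|".join(re.escape(i) for i in indicators(infra))
    pattern = re.compile(r"(?<![\w.-])(" + alternatives + r")(?![\w.-])")
    hits = []
    for line in log_lines:
        match = pattern.search(line)
        if match:
            hits.append((match.group(1), line))
    return hits


if __name__ == "__main__":
    infra = map_infrastructure(PDNS, "login-update.example")
    print("mapped:", infra)
    print("window:", campaign_window(PDNS, infra))
    for indicator, line in search_logs(LOGS, infra):
        print(f"hit on {indicator}: {line}")
```

Starting from the single domain seen in the original alert, the pivot recovers a second phishing domain that shared an address and a third that shared the attacker's name server, while the shared-hosting address they also touched is reported as noisy rather than added to the block list. The resulting window tells the responder how far back to search, and the log scan surfaces the internal hosts that talked to the related infrastructure, which is the "depth and breadth" Vixie refers to.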
Breaches Lead To Infrastructure Improvements
"After you have been broken into and lost your CIO or CISO, that is when organizations realize they need more robust infrastructure," he said. "We cannot sprinkle magic security pixie dust over what you have built. It cannot be secured at any price. We have to get you to change the way you do security because the way you've been doing it was asking for trouble."
Snowden, NSA Revelations Increasing Secrecy
"Organizations are going to bend in the direction of more channel encryption and more secrecy. There will also be a lot more secrecy from criminals and less data being sent in clear text, which could make detecting and tracing cybercriminal campaigns increasingly difficult," he said.