The Best of TaoSecurity Blog, Volume 1
Milestones, Philosophy and Strategy, Risk, and Advice
Richard Bejtlich
TaoSecurity Press
Copyright 2020 Richard Bejtlich and TaoSecurity Press
Trademarked names may appear in this book. Rather than use a trademark symbol with each occurrence of a trademarked name, names are used in an editorial fashion with no intention of infringement of the respective owners' trademarks.
This is a book about digital security and network monitoring. The act of collecting network traffic may violate local, state, and national laws if done inappropriately. The tools and techniques explained in this book should be tested in a laboratory environment, separate from production networks. None of the tools or techniques should be tested with network devices outside of your responsibility or authority.
Suggestions on network monitoring in this book shall not be construed as legal advice.
The author has taken care in the preparation of this book, but makes no expressed or implied warranty of any kind and assumes no responsibility for errors or omissions.
No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher.
ISBN: 978-1-952809-00-2
I dedicate this book to my family.
I propose to fight it out on this line, if it takes all summer.
General Ulysses S. Grant, Spotsylvania campaign, 11 May 1864
Contents
Preface
The purpose of this book is to extract and highlight my favorite posts from the TaoSecurity Blog, from 2003 to mid-2020. While all of these posts are available for free online, without advertising, they have become increasingly difficult to find. As of mid-2020, TaoSecurity Blog features over 3,050 posts, and despite being hosted by Google's Blogspot property, lacks sufficient search capability for the average visitor. When I know that I'm having trouble finding posts, then I expect readers are suffering the same limitations.
In the course of doing research for one of my personal hobbies, namely the Martial History Team (martialhistoryteam.org), I've realized that books possess a permanence not found in blogs or other digital media. I've enjoyed looking at scans and other representations of books published in the late 19th and early 20th centuries. I've looked for books through the global WorldCat database and learned only a few copies exist, according to that repository. Nevertheless, they do exist, and in some cases I can request them via the InterLibrary Loan system. Long after blogs and other social media content have disappeared, books will remain in someone's library, waiting to tell their story.
I posted my first blog entry on January 8, 2003. (I normally provide dates in military format, e.g., 8 January 2003, but Blogger uses the Month Day, Year format. Rather than change them all manually, I've adopted that convention here.) I had already been reviewing cybersecurity books from my personal library, having read and reviewed 24 books on Amazon in 2002. I decided to try promoting those reviews via a blog, which was a new form of communication in the early 2000s.
In early 2003 I was a consultant for Foundstone's incident response team, working for Kevin Mandia. Foundstone encouraged its consultants to write, speak, teach, and otherwise get the message out about our cybersecurity capabilities. The company had essentially been launched by one of the best-selling, if not *the* best-selling, cybersecurity books of all time: Hacking Exposed, first published in the fall of 1999. In 2002 I had contributed a case study on network security monitoring (NSM) for the fourth edition of Hacking Exposed, published in early 2003. Soon thereafter I began research for my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection, which Addison-Wesley (Pearson) published in the summer of 2004.
During the next 17 years I changed companies and roles but continued blogging. After McAfee bought Foundstone I moved to ManTech, where I worked on a team supporting a national offensive mission. From there I became a full-time independent consultant, offering NSM via TaoSecurity LLC. A blog post (featured in the Milestones chapter) in 2007 attracted the attention of my next boss, Grady Summers, who hired me to create and lead the General Electric Computer Incident Response Team (GE-CIRT). In 2011 I migrated to Mandiant, reunited with friends from Foundstone, and served as its first and only Chief Security Officer. After FireEye acquired Mandiant, I stayed for a few years, but eventually left and more or less took a break from the security scene for a year. My blogging suffered as I was burned out and felt that I had already written what I needed to say. I included my blog post about burnout in this compendium. After joining Corelight as a strategist in mid-2018, I began blogging for them, and as a result did not often write for TaoSecurity Blog.
I composed this book by reviewing all 3,050+ blog posts on TaoSecurity blog, tagging the top candidates for inclusion in this book with the topcan label. (That label is reachable at https://taosecurity.blogspot.com/search/label/topcan and applies to over 370 posts, approximately 12% of the total.) I then manually copied each post to a Google document and sorted them according to twelve categories, which form the chapters of the three volumes in this series of books. Roughly speaking, those posts consist of 192,000 words, which, if they are a representative sample of the overall posts in the blog, would equate to about 1.6 million words in the entire TaoSecurity Blog corpus. I believe that is an exaggerated amount, as many of my early posts were much shorter, before the age of Twitter.
Furthermore, I've omitted many of the technical posts, as I don't believe that command line output or packet captures are representative of true words authored by me. Therefore, I estimate that I've probably written about 1 million words for TaoSecurity Blog over the 17 years of its existence.
This book, by and large, only incorporates the text from the selected posts. There are many cases where I originally linked to material created by others, and I did not want to violate any copyright holders in a commercial work such as this. I've also omitted all of the URLs mentioned in the posts. Given the age of the source material, most original URLs point to dead links, and I was not interested in tracking down replacements in the remote expectation that a reader might want to follow a source. If that is the case, however, each entry in this book includes a URL for the original blog post. Duly motivated readers can begin their research there, should they be so inclined.
In reproducing the posts in this format, I've chosen to fix some typos and make other minor obvious fixes. However, I have not altered my point of view from earlier posts, however cringe-worthy they might appear to me now. It's clear that in my early days in the security world, I was heavily influenced by the so-called hacker mentality, and did not moderate my views until I had spent more time working for the victims of various intrusions. My point of view changed substantially after spending time with under-resourced, under-staffed, politically outmaneuvered security teams, whether I helped as a consultant or as a member of an enterprise security function. I've concluded that too many people, especially on the offensive side of the security equation, would be better served if they were responsible for the digital assets they seem so intent on breaking. Too many so-called hackers lack sympathy for the lives affected by their desire to break software.