A topic I’ve complained about previously (and one of the motivating reasons for the existence of this blog) is the impermanence of knowledge within the information security discipline. Specifically, information security as a field of study and area of practice remains pitifully immature relative to other disciplines as so much information, knowledge, and experience remains codified in hard-to-access or impermanent forms: conference presentations (even if recorded), “Tweets”, and similar output. Meanwhile, mature fields of study encode knowledge in papers, written proceedings, and reviews of others’ work.
While some avenues may exist for more formal representation of information security ideas, such as various IEEE publications and events, these are so far removed from daily practice and procedures for operational security personnel as to be functionally irrelevant. Instead, the information security community derives its knowledge from word-of-mouth, conference presentations, and social media – some of which may leave lasting artifacts that can be cited, linked, or otherwise referenced, but almost always only with an inordinate degree of effort in searching out specific items or the minute where a particular statement is made in a recorded talk.
The above was emphasized to me today in a an exchange based off one slide in my recently-published SANS CTI presentation. To summarize, my position is that a public report by an information security vendor was interesting and helpful, but only in a post-event perspective as the information contained therein in how a specific campaign took place was effectively backward looking, and thus of documentary value to operational defenders. In response, one of the authors indicated several mentions via Twitter and archived conference presentations that indicated “as it happened” tracking of the relevant activity. While superficially true, a response noted a drawback in such an approach – trying to search for, sort, and otherwise process data from a platform (in this specific case, Twitter) that is generally unfriendly to contextual search when hashtags and other markers are not present.
But the specific example, although irksome in its pettiness and lack of value in pushing the overall information security discussion forward, is nonetheless emblematic of deep-seated issues within the field in terms of recording and disseminating knowledge. In this specific case, the aggrieved party was correct that statements were made concerning the activity in question prior to publishing a blog post – but heaven help an actual network defender to find these items unless they were diligently monitoring or otherwise scraping Twitter and related platforms for such information. Furthermore, what mentions did exist were wrapped in typical information security marketing speak – referring to malware names not actually described until later blog posts and highlighting the organization’s contracted incident response capabilities – making it harder to discern actionable, relevant, operational information from so much sales fluff.
And yet nearly every information security organization – including my own – is guilty of this practice to a greater or lesser extent. While there is a real and legitimate tension in sharing information freely versus only making certain items available for customers, there is a real concern in what information is ultimately distributed, how it is disseminated, and what channels are utilized for such actions. While there may be issues with company white papers or blog posts, they will not be discussed in this particular rant as at least they have a sense of permanence and other parties can reasonably search for, identify, and cite information within them. More problematic are the statements made via Tweet, conference presentation, or webinar that may be valuable, but never get translated into a more permanent, useful form – yet are supposed to stand as prior work for entities moving forward.
Based on this assumption, entities then take umbrage when others cannot find (and cite) such statements made in some random conference presentation or Tweeted 10 months ago. Yet such a state of affairs not only seems unfair (given the difficulty if not impossibility of finding a specific technical or related mention in a recorded video or social media post from some time ago), but patently ridiculous in expectation. As a profession, information security has, for some mysterious reason, decided it is desirable and acceptable to make finding and sourcing information from prior work to be about as difficult as internet-accessible sources can be – and this seems to be not just sadly amusing but profoundly sub-optimal for pushing the field forward.
There are some gradations in expectation and presentation that should be recognized – for example, when I Tweet out a suspicious-looking domain or DrunkBinary posts an interesting malware hash value, such items are raw, unverified, and rather basic information points. As such, one (including myself) should not expect these to stand as canon prior work on any activity of interest given the lack of effort and permanence in their posting. However, quite similar activity (at times deriving from official corporate messaging) with respect to ongoing campaigns or other items of interest meets the same standard: an isolated Tweet or similar message lacking contextuality is so much frictionless spinning in a void in terms of actionable information – and after a period of time difficult or impossible from which to unearth absent either luck or fortuitous use of tags and keywords.
Thus, what I implore others to adopt – and what I myself try to achieve personally – is that instead of embracing a “fire and forget” methodology in information sharing, to create a sense of permanence and stability in information security research by writing things down. While this may not always be practical or desirable, individual entities must ask themselves: if they wish for a certain piece of work to have some degree of permanence and recognition from the profession, then they should adopt a mechanism to record such findings that enables others to both cite and easily find such work. The status quo where so much important (or seemingly important) information resides in the third Tweet of a thread from seven months ago or at 17:39 of some conference talk is not just inconvenient – if we wish to take ourselves seriously as a profession, it should be unacceptable. Our goal should be to capture, store, and make accessible information such that individuals – from defenders to researchers – can search for, identify, and cite such work with a minimum but reasonable level of effort. Right now, we’re not there – and so many social media flame wars and related activity are founded upon unrealistic expectations surrounding an unfortunate current state of affairs.
For myself, I continue to try to record my thoughts, findings, and elements of my research in writing as much as possible – either here at pylos.co, through work posted through my current employer at dragos.com, or through event-specific publications such as VirusBulletin and DeepSec. While I’m not perfect in this endeavor and have several papers in incomplete form that I need to finish based on prior work, if everyone in this field were to adopt this approach, I strongly feel that we will not only create a more robust profession, but facilitate discussion (and informed disagreement) within the information security community.
1 Comment
paul vixie · 05/03/2019 at 10:48
thanks joe– this message hits an important target. one effort now underway to cope with the kind of generational data loss you describe is ACM DTRAP, a peer reviewed journal with the specific mission of getting practitioners to tell the world (and to inform history about) what they know. i hope that some of your readers will consider submitting a paper there. https://dtrap.acm.org/
Comments are closed.