The Internet isn’t the real world. That’s not that hard a concept, is it? In training courses I’ve felt a little embarrassed when making a point of this early on in the presentation, as it feels like such an elementary point.
But occasionally, due to the nature of some of the mailing lists I’m on, I have to explain this. Some annoyed spam recipient, or a user with new firewall software and mad whois skillz, wants to exact retribution on the dastardly IP address that just attacked him; and I explain how difficult it is to tie received traffic to an IP address, and an IP address to a person.
Then I read this:
“Real Security Is Threat-Centric” at http://taosecurity.blogspot.com/2009/11/real-security-is-threat-centric.html by Richard Bejtlich.
Now, if you’re trying to pin down the source of a concentrated attack by many parties, and trying to generally attribute it to a foreign power or a criminal gang, or a concentrated concerted attack, I can see his point about attribution, just, if I squint. However, the online equivalents of Bejtlich’s “local residents” are unlikely to come under such an attack, and will more likely be spammed using hacked email accounts or faked sender addresses, compromised through a drive-by download, infected by a worm, simply be some bot, or similar. In those cases attribution is very difficult, if not impossible.
To stretch Richard Bejtlich’s example even farther… imagine the situation: two suspects were questioned Friday, but the suspects claimed that their bodies had been compromised and were under the control of malicious ghosts, or that the evidence of the break-ins had been remotely faked by a rival of theirs from Brazil; or the victim’s possessions had only been copied, not removed, so no-one noticed they’d been “stolen” for several months, meaning all the forensic evidence of the break-in had been destroyed.
Ridiculous ideas, yes? But their online equivalents are possible because… wait for it… The Internet is not the Real World; don’t expect the same methods to work on here.