By Eric D. Williams on Monday, 04 January 2021
Category: Expert

The Cyber Neighborhood Watch

Transparency is not the same as disclosure.

At this point, there's no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.

Bruce Schneier - Schneier on Security

I think everyone is caught up now on the latest: the identification of compromises and potential breaches involving various supply chains, stemming from the investigations and response regarding the SolarWinds Orion Platform. Breaches of cybersecurity controls have been scoped on a global scale, and the scope just keeps on growing.

In all of the subsequent reading and discussion, the passage quoted here from Schneier on Security caught my eye. To me it seems deserving of a bit more discussion. It's often said that information is free and that we put up fences and commission gatekeepers to manage access. The niggling phrase for me in that quote is "we, the public, will never know." To me, the framing of information is what is important, not the specifics. In that regard, many wrestle with balancing transparency against disclosure.

Transparency, for my purposes, is not the same as disclosure. If I tell you I keep a key under the mat (which is not something I do) to get into my house, that's a disclosure. It may be a detail that not everyone should receive. On the other hand, saying I have a contingency for getting into my house under all circumstances is a valuable bit of insight that can be reused in a number of ways. Also, it's much better than telling all of my business. In a form and function pertinent to specific situations, that transparency can provide the basis for both increased awareness and security. This transparency is the type of information handling for which I'm a strong proponent. It is a sharing philosophy I referred to in January of 2000 as the "Cyber Neighborhood Watch."

It's not about being nosey...

When we think of the neighborhood watch in real life, it doesn't rely on a practice of relating every discrete observation about your neighborhood to the authorities. Telling the authorities about Bob's skinny dipping frequency isn't neighborly. You don't have to and probably shouldn't do that. That level of disclosure would cause the trust relationship established with your neighbors to crumble in short order. What would be good practice is for Bob to let others know (sort of like FireEye did) that he's single and keeps his gate locked, so that when an intrusion is suspected it can be recognized in short order. So, how does this relate back to that quote?

The issue with the statement that I highlighted is not about any specific DFIR techniques, tools and procedures. Nor is it about classifying information, and whether or why the investigative findings for breaches reveal sources and/or methods about protecting information or access to it. It's about being neighborly. It should be relatively well known by most practitioners in cybersecurity and infosec that there is an overabundance of classified information. Information may become classified merely by being adjacent to a source and method which is deemed closely held, i.e., classified. In fact, there are quite a few higher-level security paradigms that fall into the good ole classified bucket for no good reason.

What I propose, in pursuit of the neighborhood watch paradigm, is that we take a close look at how transparency without potentially damaging disclosure can be normalized. In light of the events being discovered pursuant to SUPER/SOLOR/SUN* (yes, that wildcard is most fitting in this case, it seems), there is a good case to be made that transparency should be the rule of the day.

Planning is the proper way to formulate dialog for response to inquiry, investigation and discussion.

"InfoBro" - Eric Dana Williams

Some principles...

Bottom line, there are some principles that guide us for sharing relevant observations:


Transparency should not be construed as a predicate for retribution on affected entities, but rather as good behavior in the neighborhood. Somewhere along the way the parameters of transparency need to be codified. Don't wait to make the neighborhood safer.

Stay wary and aware. Share what you know. Stay safe. Subscribe.
