Always A Bad Day For Adversaries

Category: Doctrine and Policy

What is ‘Cyber’?

Recently, a very amusing website launched to ask a very simple question, “will using the prefix cyber make me look like an idiot?”  It predicated the response based on an answer to three questions: (1) Are you a science fiction author, (2) are you about to engage in dirty instant messaging, and (3) are you using the word to engage in scare mongering?  You can see the answer to my questions below based on my everyday usage of the word:

The site is obviously established to poke fun at the growing use of the word cyber to describe many subjects and items.  There are many in the computer security/information assurance field which agree with that premise and openly disagree with it’s use in any form outside of science fiction or dirty instant messaging.

I come from a background in academia and research.  I understand the importance of word choice and usage.  However, I am also aware of the need to adopt a new lexicon when an existing one is not enough.  I believe this is one of those cases.

I too used to abhor the use of the word cyber in the computer security/information assurance/network security domains.  However, as I matured in my understanding of the topic beyond the technical concepts of these fields and into the human factors and psychology of the field I knew these terms did not adequately describe the full scope of the analysis and operations to secure computer systems.

The word cyber is necessary.

It is necessary because this field is much larger than just securing technical systems.  It MUST also embrace analysis, psychology, human factors, and aggressive operations (hence the name of the blog – ActiveResponse), amongst others.

The other terms used in this area (e.g. Computer Security, Information Assurance, Network Security, etc.) are all fine and have their place.  But they lack one fundamental aspect: the human.

Cyber originated in our lexicon with Norbert Wiener in his seminal 1948 book Cybernetics or Control and Communication in the Animal and the Machine.  He took the word cyber from the Greek word  kybernetes, Greek for “steersman” or “governor.”   It was further adopted by science fiction authors into the cyberpunk and famously, cyberspace (by William Gipson).

Faced with the origin of the word, it has not been co-opted.  In fact, I believe it is a better term than others in many instances.  Primarily because it makes humans and operators the central focus of the activities we study – either their offensive exploitation of systems or our defensive reaction or preventative actions.  It is all done because computers are tools for humans to operate more effectively in any number of areas.  They have no inherit value outside of use by humans.  Many of us technical geeks forget that while we are digging into packets or studying architecture diagrams.

Therefore, I will keep using the word cyber proudly knowing that I am using it to keep the human as the central concept in intrusion analysis, information assurance, computer security, network security, or whatever else you want to define to enable humans to use information and communicate more effectively.

A New Security Accounting or How to Win Against a Formidable Adversary

Many intrusion analysts are constantly plagued by a nagging thought that we are fighting a losing battle.  The problem only gets worse, it never seems to get better.  There are only more hackers, more damage, more vulnerabilities, more exploits, more toolkits, etc.  Everyday we feel overwhelmed and under-resourced.

This feeling is not wrong.  Our instinct is correct.  We are fighting a losing battle.  There are many more adversaries than there are network defenders.  The adversary needs only one vulnerability, one exposure, or one exploit to win – while we need to find and patch all the vulnerabilities and exposures and prevent all exploits to just stay even.  We have already lost before even playing the game.

To win this battle, or bring it to a draw, we must initiate a new security accounting.  We must change our thinking.

First, we must accept loss.  We must understand that we will be penetrated and exploited.  We must focus on early detection, discovery, and the minimization of loss/mitigation.  We must not count every intrusion as a failure.  This is a game to be played over decades, not days.

Second, we must be truthful with ourselves and then truthful with others.  No more counting scans detected by the firewall as “millions of blocked intrusions.”

Third, we must stop accounting for security in terms of money/resources we have spent to secure ourselves.  It is a self-centered and foolish accounting.  We must start focusing on how much did we force the adversary to spend in money/resources to exploit our network – what was their $ per Megabyte of data stolen.  The larger we make that ratio the more secure we become: (1) we will reduce the number of adversaries operating against us because only the most resourced will be able to gain any profit from their operations, (2) we will reduce the effectiveness of the adversaries which do operate against us by increasing their costs and decreasing their gains.

Some may say that this is a losing proposition.  What about the adversary willing to spend $10 million to exploit my network and steal my intellectual property, but I can only spend $1 million to protect it?  You’re screwed.  The adversary obviously values your data more than you.  The only hope is to band together with other targets/victims to combine your forces in the hopes of creating parity with the adversary.

An analogy: if one country is willing to spend billions to create a military to defeat another country, and the target country cannot even spend millions in defense – they will likely lose.  Their only hope is to create an alliance with other countries in the hope of (1) creating an effective combined force to battle their adversary or (2) being able to pull other handles (e.g. trade/economics/etc) costing the hostile country enough to make the attack worthless.

In the end, it comes down to a relationship built on value.  As long as the adversary is making a profit (however that is defined) there is no incentive for them to stop.

There are two types of victims: victims of opportunity and victims of interest.

Victims of opportunity are victims because they were available to the adversary at the right time but possess little value.  If the adversary was to lose access they would likely not notice.  These organizations can utilize standard security practices to protect themselves reducing their likelihood of becoming a victim.  Example: a home computer infected with a botnet.

Victims of interest are victims because they possess great value to the adversary.  If the adversary were to lose access to the victim it would be noticed, and the adversary would spend resources regaining access and maintaining that access.  The adversary will not stop victimizing the organization until the relationship between adversary and victim changes and the victim no longer provides enough benefit to justify the cost of exploitation.  Example: Advanced Persistent Threats.

Therefore, a security strategy must be based on the adversary/victim relationship.  The only way to win against a formidable adversary, one in a considerably better position than yourself, is to make it too costly for them to wage war.  (NOTE: the cost will be different for each adversary, some may be sensitive to finance while others might be sensitive to jail/loss of freedom, etc.)

Cyber Moats? Really?!

Cyber Intrusions Into Air Force Computers Take Weeks to Detect

Can someone please explain a “cyber moat?”

We have lots of problems.  We are stuck in a forensic mind-set. Our defensive techniques don’t evolve as fast as the should. We are out numbered.

I never considered the problem of cyber moats.

It must be worse than I thought.

I really hope that we can get beyond 13th century castle defense analogies.

Don’t get me wrong, there are things to learn from physical fortification.  However, like castles in the time of cannon, there are times when offensive capabilities must force defenders to change their understanding.

I’m afraid that we are drawing too much from physical protection theory.  I find counter intelligence to be a better theoretical underpinning – assume you will be penetrated, reduce damage once exploited, focus on prevention and early detection.

From my experience with senior leadership, I find that we continue to pander to their lack of understanding in the domain by drawing inferences and analogies from domains they tend to understand better – namely physical protection.  However, to move forward we must escape from this trap if we are to evolve.

Powered by WordPress & Theme by Anders Norén