Active Response

Always A Bad Day For Adversaries


Cyber Threat Language Dilution

A “trojanized document” hides malware inside itself, but rarely do we call a webpage doing the same a “trojanized webpage”.  The word Trojan, derived from Homer’s epic poem and intended to describe a seemingly innocuous object containing damaging material, now describes almost all cyber threat delivery vectors.  The term “Trojan” in cybersecurity has become diluted to the point of nonsense.

Trojan is just one example in a diluted language space that now includes other terms like virus, rootkit, targeted, etc.  As the community grows in terms of both depth and breadth, it will carry with it historical baggage and loose terminology.  Poor phraseology will infect those writing on the topic who are not familiar with its nuances, further contributing to the problem.  Lastly, as cyber threats grow and change, the language must evolve as well, causing further issues.  For example, increased modularization of capabilities challenges attempts to categorize clearly with existing language.

This is a problem for effective threat intelligence communication.  Good threat intelligence accurately communicates the context of the threat, relating it to a risk environment.  A reliance on diluted language increases ambiguity, therefore decreasing accuracy and effectiveness.

My message to those responsible for communicating cyber threats: consider language dilution, both your own actions contributing to dilution and your reliance on diluted language and its effect on your customers.  Language dilution is a fact of life for any discipline, but how it’s addressed makes the difference.


What is ‘Cyber’?

Recently, a very amusing website launched to ask a very simple question, “will using the prefix cyber make me look like an idiot?”  It based its response on the answers to three questions: (1) Are you a science fiction author, (2) are you about to engage in dirty instant messaging, and (3) are you using the word to engage in scare mongering?  You can see the answer to my questions below based on my everyday usage of the word:

The site is obviously established to poke fun at the growing use of the word cyber to describe many subjects and items.  There are many in the computer security/information assurance field who agree with that premise and openly disagree with its use in any form outside of science fiction or dirty instant messaging.

I come from a background in academia and research.  I understand the importance of word choice and usage.  However, I am also aware of the need to adopt a new lexicon when an existing one is not enough.  I believe this is one of those cases.

I too used to abhor the use of the word cyber in the computer security/information assurance/network security domains.  However, as I matured in my understanding of the topic beyond the technical concepts of these fields and into the human factors and psychology of the field, I knew these terms did not adequately describe the full scope of the analysis and operations needed to secure computer systems.

The word cyber is necessary.

It is necessary because this field is much larger than just securing technical systems.  It MUST also embrace analysis, psychology, human factors, and aggressive operations (hence the name of the blog – ActiveResponse), amongst others.

The other terms used in this area (e.g. Computer Security, Information Assurance, Network Security, etc.) are all fine and have their place.  But they lack one fundamental aspect: the human.

Cyber originated in our lexicon with Norbert Wiener in his seminal 1948 book Cybernetics: or Control and Communication in the Animal and the Machine.  He took the word cyber from the Greek word kybernetes, meaning “steersman” or “governor.”  It was further adopted by science fiction authors into cyberpunk and, famously, cyberspace (by William Gibson).

Given the origin of the word, it has not been co-opted.  In fact, I believe it is a better term than others in many instances, primarily because it makes humans and operators the central focus of the activities we study – either their offensive exploitation of systems or our defensive reaction or preventative actions.  It is all done because computers are tools for humans to operate more effectively in any number of areas.  They have no inherent value outside of use by humans.  Many of us technical geeks forget that while we are digging into packets or studying architecture diagrams.

Therefore, I will keep using the word cyber proudly knowing that I am using it to keep the human as the central concept in intrusion analysis, information assurance, computer security, network security, or whatever else you want to define to enable humans to use information and communicate more effectively.

Cyber Moats? Really?!

Cyber Intrusions Into Air Force Computers Take Weeks to Detect

Can someone please explain a “cyber moat?”

We have lots of problems.  We are stuck in a forensic mind-set.  Our defensive techniques don’t evolve as fast as they should.  We are outnumbered.

I never considered the problem of cyber moats.

It must be worse than I thought.

I really hope that we can get beyond 13th century castle defense analogies.

Don’t get me wrong, there are things to learn from physical fortification.  However, like castles in the time of cannon, there are times when offensive capabilities must force defenders to change their understanding.

I’m afraid that we are drawing too much from physical protection theory.  I find counterintelligence to be a better theoretical underpinning – assume you will be penetrated, reduce damage once exploited, focus on prevention and early detection.

From my experience with senior leadership, I find that we continue to pander to their lack of understanding in the domain by drawing inferences and analogies from domains they tend to understand better – namely physical protection.  However, we must escape from this trap if we are to evolve.
