Rethinking Cyber Security
I want you to think of your ideal world for cyber security. How would you envision your team, their goals, and their effectiveness in cyber defense? I would wager that most of you would wish for the moon, the stars, and the endless space beyond. Your team would thwart every attack, would uncover zero-day vulnerabilities before they are exploited, and would act as an impenetrable bulwark against the onslaught of cyber crime.
This next part may be controversial, and it may cause you to stop reading altogether or hurl creative insults. That said, I do not believe that is a realistic, or even productive, goal even in an ideal world. Consider that the best-laid defenses are defeated by underdogs. In World War 2, the strongest military (in terms of manpower, equipment, and experience) prior to the invasion of France was the French army. The German army, by comparison, was smaller, had fewer resources to draw from, and had lower overall odds of winning. The French erected, and manned, their famous Maginot Line in an effort to stop any attack from Germany. To boil this down to the essentials, what happened next is a great analogy for cyber defense. The Germans planned, feinted, and went around that impenetrable wall and swept across France in a matter of days. Together, the United Kingdom and France were able to salvage and retreat a significant portion of their army to fight another day. What's the lesson here? Expect that your defenses will be side-stepped, and that you will need to quickly and effectively regroup your remaining resources.
The easiest way to explain cyber security is by comparing it to physical security. Cyber security can be thought of as dissuasion, or deterrence, rather than denial of entry. Much like physical security, if someone has enough time or resources, they will find a way into a secured location. However, if your home has flood lights, security cameras, noisy pebbles surrounding the exterior, an alert barking dog, and secure locks, then a robber might consider trying the house next to you that has fewer of those things. That is why I do not believe in thinking of cyber security measures as a form of denial of entry. Rather, I recommend thinking of them as an array of measures that deter, slow, or exhaust an adversary. In addition, much like a good home security system, a good alert system is vital: the measures that slow an intruder only pay off if someone is told that the intruder is there.
The exception to this thought is an adversary that is not looking for opportunistic crime, but rather has your area of control in their crosshairs as a target. These can be hacktivists who have an intrinsic motivation that compels them through your barriers. The most dangerous, however, are advanced persistent threats, or APTs for short. APTs are usually a nation-state effort, with funding, resources, and coherent goals. If an APT wants to penetrate your network, you can bet they probably will. As an example, in September of 2013 Iranian hackers were caught after they had already obtained unauthorized access to the Bowman Dam, which is located in New York (Office of Public Affairs, 2016). They had unfettered access to the controls of a dam that holds back hundreds of tons of water pressure, and it was only after they had gained access to the controls that this intrusion was detected.
This is not a defeatist mindset; it's just reality. This is in large part due to the nature of defense: you are always on the back foot, and always responding to an attack. In war, you might consider this the element of surprise. The attacker gets to choose the time and place of their attack. They can study your patterns, exploit your weaknesses, and develop numerous plans before ever alerting you. Moreover, in cyber security we have to contend with the very real threat of zero-day vulnerabilities. If you are relying on your perimeter security, such as firewalls or intrusion detection and prevention systems, you are gambling on those technologies being foolproof.
A zero-day vulnerability is so called because it is unknown to these technologies, and outside the realm of logic that most defenders are prepared to be alerted to and respond to. Consider the infamous EternalBlue vulnerability and the fallout that resulted from its exploitation. In 2017, a zero-day worm exploit termed EternalBlue was unleashed. This exploit penetrated numerous networks all over the world, breaching the logic- and rule-based intrusion detection systems, intrusion prevention systems, and firewalls, and even getting past the security analysts watching their SIEMs. Over 80 hospitals in the United Kingdom were affected by this ransomware attack and had to shut down operations (Aljaidi, 2023). If an exploit is not known, then a logical, rule-based defense such as a firewall cannot account for it.
Again, this does not mean you adopt a defeatist mentality and open your doors to the world; rather, it goes back to treating your network like you would treat home defense. Layers of security are required: layers that alert you to efforts to poke around, to privilege escalation, and to changes in your network's settings, and obstacles like strong password policies, multifactor authentication, and an educated workforce that can spot suspicious activity. Lastly, you will want to take heed of the CIA triad model of Confidentiality, Integrity, and Availability. Specifically, to capstone this, consider the Availability aspect of this model and plan for numerous snapshots, backup methods, and routine maintenance of these, in case an attack penetrates your layers of defense.
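To make the alerting layer above concrete, here is a small example written for this post (not code from the original article): a Python pass over a handful of constructed log lines that raises alerts for the three things the paragraph names, namely someone poking around, privilege escalation, and changes to network settings. The log format, the event names, the list of approved admin accounts and the probing threshold are all assumptions chosen for the illustration, not any product's real schema.

```python
"""Three-layer alerting pass over constructed log lines.

Everything here is hypothetical: the "<ISO timestamp> <source> <event> key=value ..."
format, the event names, ADMIN_USERS and the probing threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real traffic): a port sweep from 10.0.0.7,
# a normal connection, a self-granted sudo membership, and two firewall rule changes.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw conn src=10.0.0.7 dport=21 action=deny",
    "2024-05-01T10:00:02 fw conn src=10.0.0.7 dport=22 action=deny",
    "2024-05-01T10:00:02 fw conn src=10.0.0.7 dport=23 action=deny",
    "2024-05-01T10:00:03 fw conn src=10.0.0.7 dport=25 action=deny",
    "2024-05-01T10:00:04 fw conn src=10.0.0.7 dport=80 action=deny",
    "2024-05-01T10:00:05 fw conn src=10.0.0.7 dport=443 action=deny",
    "2024-05-01T10:05:00 fw conn src=10.0.0.9 dport=443 action=allow",
    "2024-05-01T10:12:30 host1 group_add user=jdoe group=sudo by=jdoe",
    "2024-05-01T10:13:10 host1 sudo_cmd user=jdoe cmd=/bin/bash",
    "2024-05-01T10:20:00 fw rule_change user=svc_unknown rule=allow-any-any",
    "2024-05-01T10:21:00 fw rule_change user=netops rule=allow-vpn-443",
]

ADMIN_USERS = {"netops", "root"}                  # assumed approved admin accounts
PRIVILEGED_GROUPS = {"sudo", "wheel", "Administrators"}


def parse_line(line):
    """Split one log line into a dict: ts, source, event, plus its key=value fields."""
    ts, source, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def detect_probing(events, distinct_ports=5, window=timedelta(seconds=60)):
    """Layer 1: one source hitting >= distinct_ports denied ports inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "conn" and e.get("action") == "deny":
            by_src[e["src"]].append((e["ts"], e["dport"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):      # slide the window over each start
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= distinct_ports:
                alerts.append(f"probing: {src} touched {len(ports)} denied ports within {window.seconds}s")
                break                               # one alert per source is enough
    return alerts


def detect_privilege_escalation(events):
    """Layer 2: membership in a privileged group, or sudo use by a non-admin account."""
    alerts = []
    for e in events:
        if e["event"] == "group_add" and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append(f"privilege escalation: {e['user']} added to {e['group']} by {e.get('by')}")
        elif e["event"] == "sudo_cmd" and e["user"] not in ADMIN_USERS:
            alerts.append(f"privilege escalation: non-admin {e['user']} ran sudo {e.get('cmd')}")
    return alerts


def detect_config_change(events):
    """Layer 3: firewall rule changes made by anyone outside the approved admin set."""
    alerts = []
    for e in events:
        if e["event"] == "rule_change" and e.get("user") not in ADMIN_USERS:
            alerts.append(f"config change: {e['user']} changed rule {e.get('rule')} on {e['source']}")
    return alerts


def run_detections(lines):
    """Parse the lines once and run all three layers; returns the combined alert list."""
    events = [parse_line(line) for line in lines]
    return detect_probing(events) + detect_privilege_escalation(events) + detect_config_change(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample this yields four alerts: one probing alert for 10.0.0.7, two privilege-escalation alerts for jdoe, and one configuration-change alert for svc_unknown; the netops rule change and the allowed connection from 10.0.0.9 raise nothing. None of these rules needs to recognise a specific exploit, which is the point the essay makes about zero-days: they watch for the behaviour an intruder exhibits after getting past the perimeter rather than for the signature that got them in.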
Thank you for reading.
References
Aljaidi, M., et al. (2023, March 02). NHS WannaCry Ransomware Attack: Technical Explanation of The Vulnerability, Exploitation, and Countermeasures. 2022 International Engineering Conference on Electrical, Energy, and Artificial Intelligence (EICEEAI), 3. doi:10.1109/EICEEAI56378.2022.10050485
Office of Public Affairs. (2016, March 24). Seven Iranians Working for Islamic Revolutionary Guard Corps-Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector. Retrieved from U.S. Department of Justice: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged