Playing Cowboys in a Cybersecurity Warzone

The Information Theater

In the context of cybersecurity, we are not talking about information warfare per se, or even about intelligence on threats, though both play a part. What "information" typically conjures up in this context is the recent Russian election meddling and psychological operations out of Asia, and none of that is new. Threat intelligence has been around a while as well, though there have been some recent advances that are interesting and may help us get to know our adversaries better.

To be precise, the Information Theater to which we are referring is one of the core elements of the attacker/defender dynamic: our attackers know a great deal about us, while we know very little, and in many cases nothing, about them. This, of course, gives the other team a tremendous battlefield advantage. The asymmetry pits our siloed and segmented defenses against masquerading attackers about whom we have almost no information, and who consequently need to reveal very little of their own to succeed.

Informational asymmetry also underlies our continuing failure to recognize the exploitation of legitimacy (fakery: attackers posing as trusted users, systems or vendors) and to correctly attribute the source or nature of an attack.

We are never sure whether Russia, Iran, China or young Robert Francis Baker living in his mom's basement down on First Street is the actual attacker, and that uncertainty dramatically affects our ability to respond, or even to develop a policy for response protocols.

As one of many examples, it appears that China likely recruited the hacker who pulled off the massive cyberattack on Anthem, in which 78.8 million consumer records were exposed … but we don't know that for sure. Even though seven state insurance commissioners conducted a nationwide examination of the breach over a three-year period, and Anthem in addition hired Mandiant to run its own internal investigation, we still don't know.

For sure.

Made in China

Despite uncovering little more than the apparent source IP address, this army of investigators concluded that the hack originated in China and began when a user at an Anthem subsidiary opened a phishing email, which gave the attacker access to Anthem's data warehouse.

The hack was of course devastating to Anthem and to the nearly 80 million people whose sensitive PII was exposed, but while we now know how it was carried out, we are unable to conclusively determine the actual perpetrator.

The result of all of this investigation and the more than $300 million Anthem has spent in recovery and forensics is a slight increase in general awareness about the nature of our adversaries, but a widening of the actual information gap itself.  We think it was China and we “know” they are always doing this sort of thing, but that information does not advance our ability to defend ourselves in the future.

We don’t know who we are fighting unless the U.S. government agencies do, and they aren’t telling.

Another Widening Gap

This information gap contributes to another imbalance in attacker/defender dynamics where we stack up a relatively small contingent of trained defenders protecting millions of applications and systems located in fixed positions against tens of thousands of unknown global cyber attackers continuously examining tens of millions of dispersed targets.

In terms of military tactics, state armies like ours generally fight within an orderly framework, while non-state actors and individual terrorists successfully use guerrilla methods designed to exploit disparities in power.

Since we don't know who we are fighting, and we must defend fixed positions without specific rules of engagement, it is difficult to engage successfully and almost impossible to imagine victory.

Our adversaries regularly probe and collect reams of information about our cybersecurity defenses.  This is not difficult to do since we openly publish all of our academic cybersecurity research and in the few cases where we don’t publish, our adversaries just steal our IP anyway.

Reverse engineering an AI/ML cyber defense system to discover the methods it uses to provide that defense is not hard to do. Learning which systems deploy which technologies is easy too: U.S. product vendors proudly broadcast their data sources and, at a macro level, even their techniques.

SIEM Vulnerabilities

A classic example can be found in Security Information and Event Management (SIEM) systems.

Love them or dismiss their effectiveness, a SIEM is widely acknowledged as a fundamental cybersecurity requirement for monitoring, detecting and alerting in real time on malware or other threat activity in our computing infrastructure.

Though there are other approaches, such as network behavioral monitors, every enterprise must have some way to determine that a threat is present and to notify first responders so they can move to mitigate before the damage spreads.

The Achilles' heel of SIEMs, and of all other behavioral detection systems, is the detection threshold. Those thresholds (embodied in detection rules or policies) must be set low enough that a brute-force password attack, for example, cannot slip beneath them, but not so low that ordinary activity, such as a user mistyping a password a few times, trips an alert and produces a false positive.

Set too low, the system will generate tons of false positives. Set too high, and the system will fail to catch true predators. And these thresholds are not secrets.

SIEM and network monitoring vendors publish the default ranges along with recommended settings. Since IT resources are under continual pressure, the natural response is to accept the defaults and install as recommended. This lets even an unsophisticated attacker throttle a probe to stay just beneath the published threshold while it looks for software holes, open backdoors, exposed credentials and other keys to the kingdom. Those findings are reported back to the attacker's command-and-control (C&C) infrastructure, and that data informs the next attack on that enterprise.

We don’t know what we don’t know.

Unknown Unknowns

These low and slow vulnerability probes go on for months and years, collecting and distributing useful information back to the attackers. Probes are likely floating around your network infrastructure as you read this. By having less information than our attackers, we unintentionally provide a fully cooperative pathway to the next series of breaches.
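To make the threshold problem from the SIEM discussion and the low-and-slow probing above concrete, here is an added example that is not code from the original article or from any vendor: a simple SIEM-style brute-force rule run over constructed sshd log lines. The log, the "5 failures in 60 seconds" default, the attacker's 20-second pacing and the alternative rules are all assumptions chosen for the illustration. An attacker who paces attempts at one every 20 seconds never trips the default rule; a longer window with a higher count, or a rule that counts distinct usernames per source, does.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log format for the example (not real telemetry).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed log: one legitimate user who mistypes a password three
    times, then a low-and-slow attacker spraying 30 usernames from one IP
    at one attempt every 20 seconds (three per minute)."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for offset in (0, 4, 9):  # alice fat-fingers her password, then gets in
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f"{ts} sshd[1187]: Failed password for alice from 10.0.0.5 port 51022 ssh2")
    ts = (base + timedelta(seconds=15)).strftime(TS_FMT)
    lines.append(f"{ts} sshd[1187]: Accepted password for alice from 10.0.0.5 port 51022 ssh2")
    start = base + timedelta(minutes=5)
    for i in range(30):  # attacker paced to stay under "5 failures per minute"
        ts = (start + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(f"{ts} sshd[2201]: Failed password for invalid user svc{i:02d} "
                     f"from 203.0.113.7 port {40000 + i} ssh2")
    return lines


def parse_line(line):
    """Return a dict for an auth event, or None for lines the rules ignore."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "outcome": m["outcome"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(events, window, max_failures):
    """Classic rule: alert on a source IP with >= max_failures failed logins
    inside a sliding window. Returns {ip: time of first alert}."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop attempts that aged out of the window
            q.popleft()
        if len(q) >= max_failures and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def detect_spray(events, window, max_distinct_users):
    """Complementary rule: alert when one source fails against many different
    usernames in the window. A spraying attacker cannot stay under this by
    slowing down unless it also stops rotating usernames."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= max_distinct_users and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["ts"]
    return alerts


def run_demo():
    """Run the published-default rule and two tighter rules over the same log."""
    events = [e for e in map(parse_line, build_sample_log()) if e]
    return {
        "default: 5 failures / 60 s": detect_bruteforce(events, timedelta(seconds=60), 5),
        "slow: 20 failures / 1 h": detect_bruteforce(events, timedelta(hours=1), 20),
        "spray: 10 usernames / 1 h": detect_spray(events, timedelta(hours=1), 10),
    }


if __name__ == "__main__":
    for rule, hits in run_demo().items():
        print(f"{rule}: {sorted(hits) or 'no alert'}")
```

The default rule produces no alert at all, because the attacker never accumulates more than four failures in any 60-second window, while alice's three typos correctly stay below every rule. The point is not that 20-per-hour or 10-usernames-per-hour are the right numbers; it is that whatever the published default is, an attacker who has read the same documentation will pace just beneath it, so the thresholds that actually run in production should not be the ones anybody can look up.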

Less is not more, in this case, anyway.

Attackers frequently scan many thousands of potential targets before a successful compromise, and much is learned from each one. We have an abundance of online hacker communities willingly dispensing reams of information, how-to tutorials for every kind of hack imaginable, instructions in the use of available open-source penetration testing tools, malware kits tailored by attack type with complete user manuals that describe in detail the steps required to deploy.

All available to all.

The defenders have information security communities like ISACA and ISC2, industry conferences like RSA, and vendor product user groups, but our ability to connect information to execution does not compare to the way the bad guys do it.

Big Hat, No Cattle

In other words, we talk a lot about this stuff, but we do very little in terms of actually implementing best practices.

Our adversaries are busy deploying their well-informed attack protocols while our information security community is continually distracted by the necessities of daily survival.

Back when we first advanced this thesis in 2015, an ideologically driven actor (who was known as HackBack!) was running rampant with a slew of significant cyberattacks including a big one against the Italian surveillance technology company “Hacking Team.”

Motivated by what he perceived to be human rights concerns, Mr. HackBack! compromised the company's internal network and publicly released 400GB of data, including email correspondence between employees and their clients, proprietary source code, financial records, and sensitive audio and video files.

Then he published a set of instructions detailing exactly how he mounts his attacks including the schematic for a zero-day exploit that he had developed himself.

He followed that with a published list of off-the-shelf tools and specific guidance on using exploit kits to carry out similar compromises. After the hijacked data was made publicly available via Twitter and a fully searchable database was hosted on WikiLeaks, the company suffered significant and embarrassing reputational damage and had its global export license revoked.

Within a few days of the breach, two exploit kits, Angler and Neutrino (both since superseded by newer kits), had incorporated new exploits found in the leaked Hacking Team data, increasing their functionality and helping other cybercriminals compromise new targets with new malware.

Sharing is Caring

In response to the growing imbalance, the federal government began encouraging businesses to share threat intelligence among themselves, but almost every business has ignored the suggestion. We keep trying to address the issue in forums, seminars and conferences instead.

There is a weird layer of general apathy hanging over this industry, a constant streak of existential acquiescence, as in … "there's really nothing we can do, but let's keep pushing this boulder up the mountain anyway."

More recently, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Joint Cyber Defense Collaborative (JCDC), a CISA-led collaboration between federal agencies and the private sector to strengthen the nation's cyber defenses through planning, preparation and information sharing. The purpose of the JCDC is to establish an "office for joint cyber planning" to develop, "for public and private entities," plans to defend against cyberattacks posing a risk to critical infrastructure or national interests.

Congress was acting on one of the Cyberspace Solarium Commission's recommendations; the Commission's report noted that the sheer number of U.S. cybersecurity agencies makes it difficult "to achieve the unity of effort required to conduct layered cyber defense" as well as to "collaborate with the private sector and conduct cyber operations as part of whole-of-nation campaigns."

And whole-of-nation campaigns are what we need.

Many of us in the private sector agree that the plethora of public-private partnerships led by different federal agencies was, at best, confusing. The JCDC aims to correct for that, creating a unified effort among government agencies and private sector partners to share threat information, validate it and act upon it.

The idea is to be proactive, not reactive, so when an attack does occur both public and private sector entities will know who will be responsible for certain actions, and how to respond. We shouldn’t be trying to figure things out after every attack.  What feels different with the JCDC is that both the public and private sectors will be planning our responses together.  Multiple agencies and multiple companies will be offering their insight on how to best defend our nation against cyberattacks.  While the initial focus will be on ransomware attacks and securing the cloud, other defenses should be readied as the threat landscape evolves.

As National Cyber Director Chris Inglis stated, if the JCDC works as imagined, the “adversary will need to beat all of us to beat one of us.”

Threat Intel to The Rescue

On another promising front, we have recently made some progress in threat intelligence technologies that may have a small but favorable impact.  Threat intelligence is actually a potentially useful way to start shifting some of the imbalance by providing insight into what the bad guys are doing and prompting companies to rebalance their cybersecurity defense portfolio accordingly.

It is one of the very few approaches that have a chance of actually providing a little immediate information relief as it offers current insights about emerging threats and their evolution.

These systems track adversaries across multiple types of unique and hard-to-reach online communities, from elite forums and illicit marketplaces to chat platforms, and provide visibility into cybercrime and fraud practices, international, political and societal dynamics, trends in malware and exploits, specifics about disruptive and destructive threats, and physical and insider activities.

By providing an intelligence profile of the threat landscape, this contextual view offers concrete input to enable enterprises to more effectively rebalance their cyber defense portfolios with respect to emerging and existing threats, adversaries and relevant business risks.

This is of course a whole lot different from having Mr. HackBack!'s instruction manual and $50 for an exploit kit. But at least defenders now have some information about the adversarial community and may be able to determine which cybersecurity technologies and processes deserve more emphasis, staving off a few of these attack vectors. It costs a lot of money, takes a lot of resources, needs support at the executive level and is not easy to implement.

It’s something, but alone, it is nowhere near enough.

IoT Looms

Knowing more about our adversaries and their behavior is about to become even more critical as we embark into the IoT world in earnest. A simple example of how IoT threats pose a significantly higher risk can be found in the recent graduation of the Mirai botnet into a grander version of itself. This new descendant casts a much wider net than its predecessors and now infects systems normally found outside traditional IT enterprises.

The entire world of industrial control systems (ICS) and SCADA is highly vulnerable, for the simple reason that the devices themselves are old, have little to no built-in security, control the bulk of our critical infrastructure across all segments (energy, water, food, transportation, communication and military), and in many cases cannot be updated, hardened against being drawn into a botnet army, or even inventoried from a cybersecurity defense point of view.

A Clear And Present Danger

One can shut down an ERP system for days to patch and apply security updates, but try that with an automotive plant sometime.

One other point of light is on the back end, where cybercriminals launder cryptocurrency into fiat currency through a complex web of mixers and multiple digital wallets before cashing out at crypto exchanges.

Companies like TRM Labs use blockchain analytics to trace the source and destination of cryptocurrency transactions, compile risk profiles for wallets, addresses and entities (including high-risk on-chain activity or affiliates), and trace the flow of funds across many different blockchains and hundreds of thousands of assets.

The more mature the industry gets, the more blockchains and digital assets will become available. Forensics like these are vital to the FBI and DOJ in the disruption, apprehension and prosecution of cybercriminals following a successful attack.
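To show what "tracing the flow of funds" involves at its simplest, here is an added example that is not TRM Labs' method or code and uses no real chain data: a forward "haircut" taint model run over a constructed ledger, in which each transfer carries the same tainted fraction as the sender's current balance, so clean funds commingled at an intermediary wallet dilute the taint proportionally. The addresses, amounts and exchange labels are invented for the illustration, and the "mixer" here is just a pass-through wallet; real mixers pool many users' funds, and following them requires clustering heuristics this example does not attempt.

```python
from collections import defaultdict

# Constructed, chain-agnostic ledger for the example: (tx_id, sender, receiver, amount),
# in chronological order. Addresses are labels, not real on-chain addresses.
LEDGER = [
    ("t1", "victim",       "ransom_addr",        10.0),
    ("t2", "ransom_addr",  "hop1",                6.0),
    ("t3", "ransom_addr",  "hop2",                4.0),
    ("t4", "clean_source", "hop1",                4.0),  # clean funds commingled at hop1
    ("t5", "hop1",         "exchange_A_deposit",  5.0),
    ("t6", "hop1",         "hop3",                5.0),
    ("t7", "hop2",         "mixer_in",            4.0),  # pass-through "mixer" in this toy model
    ("t8", "mixer_in",     "exchange_B_deposit",  4.0),
    ("t9", "hop3",         "exchange_B_deposit",  5.0),
]
SEEDS = {"ransom_addr"}  # the known ransom payout address; everything it holds is tainted


def haircut_taint(ledger, seeds):
    """Forward 'haircut' taint propagation: each outgoing transfer carries the
    same tainted fraction as the sender's current balance.
    Returns {address: {"total": units received, "tainted": tainted units received}}."""
    balance = defaultdict(float)      # current balance per address
    tainted_bal = defaultdict(float)  # tainted portion of that balance
    received = defaultdict(lambda: {"total": 0.0, "tainted": 0.0})
    for _tx, src, dst, amt in ledger:
        if src in seeds:
            share = 1.0
        elif balance[src] > 0:
            share = tainted_bal[src] / balance[src]
        else:
            share = 0.0  # unknown external source: treated as clean
        t = amt * share
        balance[src] -= amt
        tainted_bal[src] = max(0.0, tainted_bal[src] - t)
        balance[dst] += amt
        tainted_in = amt if dst in seeds else t
        tainted_bal[dst] += tainted_in
        received[dst]["total"] += amt
        received[dst]["tainted"] += tainted_in
    return dict(received)


def trace_paths(ledger, seed, target):
    """Enumerate every chain of transactions from seed to target (cycle-safe DFS)."""
    edges = defaultdict(list)
    for tx, src, dst, _amt in ledger:
        edges[src].append((dst, tx))
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(path)
            return
        for nxt, tx in edges[node]:
            if nxt not in seen:
                walk(nxt, path + [tx], seen | {nxt})

    walk(seed, [], {seed})
    return paths


def exposure_report(ledger=LEDGER, seeds=SEEDS):
    """Tainted exposure at each exchange deposit address, with the paths that fed it."""
    received = haircut_taint(ledger, seeds)
    report = {}
    for addr, r in received.items():
        if addr.startswith("exchange_"):
            report[addr] = {
                "total": r["total"],
                "tainted": r["tainted"],
                "tainted_pct": round(100.0 * r["tainted"] / r["total"], 1),
                "paths": [p for s in seeds for p in trace_paths(ledger, s, addr)],
            }
    return report


if __name__ == "__main__":
    for addr, r in exposure_report().items():
        print(f"{addr}: {r['tainted']:.1f} of {r['total']:.1f} tainted "
              f"({r['tainted_pct']}%) via {r['paths']}")
```

On this ledger all 10 units of the ransom reach the two exchange deposit addresses, but the exposure is unevenly distributed (3 of 5 units at Exchange A, 7 of 9 at Exchange B), and only the path enumeration makes clear that Exchange B was reached twice, once through the mixer and once through a chain of ordinary hops. That combination of a risk score per address and the transaction paths behind it is what lets an exchange or an investigator decide which deposits to freeze or subpoena.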

Yet for all these steps in the right direction, the information dynamic between attacker and defender has grown more complex, and the gap has broadened over the last few years.

So what can we do to address this gap?

  1. Begin with a re-architecture of our systems, networks, applications and access. This is not as daunting as it appears: by building localized protect surfaces around key assets, we isolate them from the rest of the network and the broader attack surface, forcing adversaries to reveal more about themselves or abandon their journey altogether.
  2. Centralize and distribute threat intelligence in an efficient, actionable format that feeds into and expands our visibility into threat actors and their behaviors.
  3. Openly and jointly share the vulnerability data that we now hoard privately, so that both the private and public sectors gain insight into collateral threats and can deal with them more effectively than flying blind and hoping for a random kill.
  4. Modernize our current laws to enable private and public entities, together and separately, to mount offensives against the known, documented and evidence-traced markets, forums and illicit distribution centers on the dark web.
  5. Adopt a more aggressive cybersecurity posture so we can more efficiently monitor adversaries in real time, in order to understand what they are doing, what they plan to do and who they are.

A New Sheriff?

At the end of the day, we also need a galvanizing central force who can force us all to end this cowboy approach to cybersecurity defense that has led only to increased cybercrime and more breaches.

We all love our horses and are loath to dismount, but the time has come to join a larger movement that can form a united front and attack the battlefield asymmetry across all five theaters of war.

Until these steps are taken, it appears that the information gap will continue to expand, and the farther it does, the harder it will be to bridge with new technology, and the more it will keep us sliding backward while our enemies advance.

History is a good teacher, but only if we pay attention, and act.
