Cyber threats are now broader and more dangerous than any board recognises, and they have proved that static security concepts are insufficient in the face of advanced and well-funded attackers. The rise of espionage in the cyber domain has shown that information is not secure and e-sabotage is a growing threat to process industries, but these scenarios are barely registered as current threats among many senior executives.
In the meantime, firms are investing in security technology but still experiencing unacceptable losses, and discovering that the technology is being persistently undermined by different attack methods. In most cases, security managers are being overwhelmed by technological solutions that claim to be critical elements in providing a secure barrier to intrusion, and companies are investing in ‘great hopes’. The main hope is that various layered systems can be left to run and will successfully detect and block attempted intrusions.
This management attitude to securing the corporation’s information and systems is essentially reactive and passive. It is evident even among the more prepared companies which are making dangerous risk judgments about where to invest in protecting against a breach, and how to invest in response and recovery from the loss of critical data, and the compromise of systems. Many firms are yet to fully appreciate that a critical vulnerability is highly likely to cause such a severe impact that the ability to return to normal operations does not constitute ‘recovery’. Most are also over-confident in their ‘resilience’, ignorant of the potential causes of failure in managing cyber crises, and many underestimate the probable long-term losses or damage to the organisation and its reputation from the new generation of threats.
The shift towards a more proactive approach first requires a seismic shift in management perspective, to view security as an essential function to protect what companies have built over many years, and ‘prevail’ in the ongoing confrontation with malicious adversaries. But the reality that all companies face is stark. They are invariably ‘weaker’ than the opposition, unprepared for the challenge they must meet, and quite unaware of the many manifestations of the threat. So it is no surprise that they find it difficult to grasp what an enduring and relevant security model really looks like, let alone how to implement it.
Proactive security requires a complex and integrated, or ‘converged’, approach that incorporates human and physical security elements as much as IT security to provide ‘security of information’. Human failings and lackluster adherence to good security practices tend to explain many security breaches, and the era of employees bringing their own devices into the workplace is exacerbating the risk that companies face. Social engineering, subversion, targeted intrusion, and infiltration can all expose information security technology to threats from within ‘the perimeter’.
For most organisations, remediation of the human and physical problems requires leadership and cultural change that prove difficult for them to adopt, because of the intensive program of awareness that is required to support more rigid policy and procedure. While there is tacit acceptance of the problem there is insufficient management appetite to contemplate a meaningful solution. So in the absence of proactive and informed management, greater budgets are being allocated to proactive systems and the next ‘silver bullet’.
FROM SECURITY TO DEFENCE
We should conclude that information security is proving to be a static concept in the way it is being implemented, even as ‘proactive security’. The persistent ‘perimeter’ approach commonly adopted shows the ‘symptoms of delusion’ that have plagued security concepts from the building of Hadrian’s Wall to the Maginot Line, and those who adopt it are perilously underestimating their adversary. The reality of current static practices is that they are failing. The issue is much less about the nature of the security concept and more about the ‘doctrine’ that firms adopt to combat the threats.
Penetration testing, now a commoditised service, provides no guarantees that vulnerabilities have been uncovered, and security measures are being circumvented every day. There is daily evidence that static security postures are ineffective when faced with an ‘advanced’ attacker who has the ability to apply a sophisticated approach that corporate security can neither anticipate, nor detect in time to effectively prevent. Many IT security professionals do not believe they have methods to detect and track AETs [Advanced Evasion Techniques] used by attackers, and the majority have not implemented technology against AETs because they are unable to convince the board that AETs are a serious threat.
Industry needs to move from ‘security’ concepts to ‘defence’ concepts. Defence is a more dynamic concept because it incorporates the assumption that we have to detect and react to an attack in real time, and we require various options with which to respond, depending on the objectives and methods of the attacker. This is increasingly the case as organisations are learning that the attack process, from the attacker’s perspective, from first reconnaissance to full assault, can last for days, weeks or months. In the case of espionage and evidence of malware like ‘flame’ or most recently ‘the mask’, the end game is not ‘assault’ but the exfiltration of information that can persist for years.
An advanced approach to cyber defence should consider adopting a pre-emptive approach, and a more active defence posture. Both need to be seen as different ‘doctrine-based’ approaches:
A pre-emptive approach assumes that active measures will anticipate current threats and are prepared to repel attacks, based on relevant threat intelligence, preparation, and testing of response measures, and as part of a ‘developed’ detection-response doctrine. Once the appropriately complex defence is established, this approach is built on the principles of pre-empting potential failure, by simulating what defence needs to achieve, how to achieve it, and under which circumstances it will fail. This is then mapped against the types of threat that the organisation faces and informs any enhancement of capabilities that is required.
It ensures a high state of ‘readiness’ to deal with what reasonably can be anticipated, and maintains the effectiveness of capabilities that the firm has. As it is commonly accepted that most firms are unable to resolve a cyber attack, this approach has many benefits, not least that it prompts organisations to balance their focus between prevention and response. Moreover, because too little investment and planning is being dedicated to real-time response, a pre-emptive approach prompts specific awareness that triggers greater preparation and investment in response, even if it is limited initially to outsourcing response to a reliable CIRC [Cyber Incident Response Centre].
To many organisations this approach presents great benefits, because they continually learn lessons without having to experience the real consequences of a breach. It also builds trust and confidence in the capabilities they have in place, and the response they can deploy to an attempted intrusion. It also helps to enhance awareness within the organisation around weaknesses and different attack scenarios by regularly testing security and exercising response. More importantly, it provides a body of ‘forensic’ evidence that security teams can become familiar with, which informs their response and options to real-time events.
A pre-emptive approach is effective in the majority of cases where it is implemented comprehensively, but for some organisations the intensity required for such a high level of readiness and awareness is difficult to maintain. It requires an ongoing program of ‘sensitisation’ so that security apparatus and processes are fine-tuned to the impending threats as far as they can be identified. Furthermore, in more advanced and particularly in converged scenarios, an over-reliance on threat intelligence is ineffective particularly where employees are being specifically profiled and targeted.
For organisations which have a near-zero tolerance for loss of IP and security failure in general, a pre-emptive approach still falls short of the essential requirements of ‘defence’ because it does not offer them enough opportunity to intercept and defeat attempted breaches that have multifaceted characteristics, and have employed complex deception against them. It also offers a weak deterrent factor.
An active defence is built on the assumption that effective defence requires a pre-prepared, active plan to deter, or ‘counteract’, or engage threats as part of a defensive doctrine. With the growing body of evidence about e-espionage risk and a rapidly expanding attack surface, it is proving increasingly futile to rely on any perimeter; defenders need to start developing ‘tactics’, and more military concepts of ‘controlling the battlefield’, developing ‘killing zones’, and the use of ruse, decoy, and camouflage. This is a complex undertaking conceptually because the approach and the methods differ fundamentally from the conventional security posture, and the skills required are more advanced.
The employment of deception strategies within a defensive doctrine is central to a pre-active defence doctrine because they add complexity to the battlefield, which provides time, ‘space’ and options for engagement. Introducing deception also creates ‘unknowns’ that attackers will have to tackle, and increases the likelihood of attack failure. In some instances, a ‘show of force’ or providing signs that a deception plan is in place can both have a deterrent factor against some attackers.
Deception has been a mainstay of warfare since biblical times, and history is littered with evidence of the strategic value of deception. In the commercial world, using deception can offer a low-cost and effective aspect to information defence, using methods to confuse, misdirect, or deceive attackers into believing that they are undetected, that they are accessing real data, or that their methods are effective. Through the careful timing and sequencing of deception ‘plays’, defenders can introduce uncertainty where it is most likely to benefit the defender, and reinforce attacker confidence where it is not warranted.
The objectives of the deception can range from effecting a premature end to an attack, protecting defenders’ methods and tools, and ensuring that data lost has zero value to the attacker, among others. As most attacks are initiated through phishing attacks, deception methods can range from false email traffic through compromised accounts, and the use of ‘false’ contact staging in the knowledge that attackers are intercepting the traffic, to more elaborate means which leverage the assumption that attackers will have knowledge of your methods and vulnerabilities, in order to follow a path of your choosing.
Preparation requires organisations to establish the technical, architectural and operational ‘conditions’ that will allow more active methods to provide advantage, out-manoeuvre adversaries, negate threats, and prevail in any engagement. The technical architecture can incorporate files and devices [honeypots], or a network [honeynet] or designated ‘zone’ that exists simply to delay and isolate an attack. More importantly, they can trigger an immediate response when a hacker or malware connects to them. This can also incorporate an array of specific technical measures including ‘tar traps’ that are concealed in invisible layers of code of web-based applications.
In this way a suitably configured defence also offers effective options for intercepting zero-day exploits, and brand new malware that security systems are yet to identify. For converged threats, this advanced form of defence offers a mechanism to detect malicious activity from insiders, and to deal with the BYOD threat or the compromise of wifi systems, by routing threats through a ‘zone’ in which they can be examined and identified before reaching an organisation’s ‘true’ network.
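The principle described above, that any connection to a decoy is suspect by definition and can trigger an immediate response, sketched as an added example that is not part of the original article. The address ranges, the maintainer host and the log format are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption): nothing legitimate lives in the decoy zone.
DECOY_ZONE = ipaddress.ip_network("10.99.0.0/24")
PRODUCTION = ipaddress.ip_network("10.10.0.0/16")
# Hypothetical host the deception team uses to maintain decoys; its contacts are expected.
MAINTAINERS = {ipaddress.ip_address("10.10.5.20")}

# Constructed sample connection events: "timestamp src dst dport"
SAMPLE_LOG = """\
2014-06-01T09:00:01Z 10.10.1.15 10.10.2.8 443
2014-06-01T09:00:07Z 10.10.5.20 10.99.0.12 22
2014-06-01T09:02:44Z 10.10.3.77 10.99.0.12 445
2014-06-01T09:03:10Z 10.10.3.77 10.10.2.8 445
this line is malformed and is skipped
2014-06-01T09:05:00Z 10.10.1.15 10.10.2.9 80
"""

@dataclass
class Alert:
    time: str
    src: str
    dst: str
    port: int
    severity: str
    reason: str

def detect(log_text):
    """Alert on every decoy contact, then escalate when that source reaches production."""
    alerts, flagged = [], set()
    for line in log_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            continue  # not a well-formed event; ignore rather than crash the detector
        if dst in DECOY_ZONE and src not in MAINTAINERS:
            flagged.add(src)  # no business reason to be here: high-confidence signal
            alerts.append(Alert(ts, str(src), str(dst), port, "high", "decoy contact"))
        elif src in flagged and dst in PRODUCTION:
            alerts.append(Alert(ts, str(src), str(dst), port, "critical",
                                "flagged source reached production"))
    return alerts

def quarantine_list(alerts):
    """Sources to isolate as the immediate response."""
    return sorted({a.src for a in alerts})
```

Because no legitimate traffic is expected in the decoy zone, the rule needs no signature for the tool or exploit in use, which is why it also fires on previously unseen malware.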
The ‘operational’ conditions that need to be established are more important, particularly as they are the foundation of the doctrine. Many critiques of honeypots are based on the evidence that they can be identified and compromised, which may heighten the risk to the organisation. This alludes partly to the importance of the organisation’s OPSEC [operations security] in the use of deception and the importance of the special-access nature of such a program and a minimised internal ‘signature’.
This is particularly the case with high-interactivity honeypots which require ‘manning’ but offer more value in engaging and identifying threats, and it reinforces the importance of a ‘doctrine’ that supports the deployment of such measures, that will convince an attacker that what is false is, in fact, real, particularly in cases of attempted industrial espionage. It also ensures that the organisation is prepared to effectively exploit these measures, with carefully managed intent, and a clear mission statement.
The ‘smart’ combination of measures can provide the defender with the means to develop a doctrine for identifying attackers’ behaviour, scripts, tools, and exploitation methodology. This is important because attackers and their tools are as prone to flaws as nearly all other software. So the ‘smart’ defender can pre-establish a number of different ways in which these measures can be used to outwit the attacker, and to fulfill specific defensive objectives.
To an expert eye, attackers’ behaviour may be even more predictable and therefore exploitable than a typical defender’s because they feel protected by their anonymity. So the opportunity to engage and counteract attackers can pose a credible threat of exposure and represent a real deterrent to attackers. While the expenditure of time and resources is a key consideration in their targeting options, the risk of identification or compromise is anathema to attackers.
This form of dynamic defence provides sufficient early warning typically associated with ‘strategic depth’, and options that can allow the defender to respond quickly and effectively. If the defence is suitably complex it can provide ‘conceptual mobility’, which enables the defender to employ his own methods for evasion and surprise as part of a dynamic doctrine. These parameters prescribe the methods that an active defence requires, and an agility whereby those capabilities can be applied to a range of different scenarios that may not have been anticipated.
The challenge this raises is the skill sets required of the ‘blue team’. In any combative ‘pursuit’ or sport, defence and attack are taught in parallel: to parry and riposte, to punch and block, but this is less true in the case of cyber security where the practice of defence training is dominant. The more active typology of doctrine is longer established in the US, Israel, and other countries outside Europe where skills and suitable training are more readily available, which highlights one of the challenges facing the commercial cyber capability development in the future, and in particular the adoption of a more ‘active’ approach.
The main stumbling block, however, is the board of directors, which, as previously described, typically fails to appreciate the severity of the cyber problem, and the need for a nuanced approach to tackling it. Over time, board awareness will evolve as their understanding of attack implications becomes more commonplace, or more probably after a significant breach. But the message to industry must reinforce the emerging reality that any corporation which cannot afford to experience loss of confidential data must embrace greater complexity to achieve greater assurance, and must accept the need to adopt a more ‘active’ posture to establish real ‘defence’.
ABOUT THE AUTHOR
Dan Solomon heads the Cyber Risk and Security Services division at Optimal Risk and is a leading proponent of a converged approach to security risk. He is an industrial espionage specialist and a practitioner of FAIR, and is a prominent advocate of red teaming and cyber war games. He served as Director of the Homeland Security Program at The Atlantic Council and has published & spoken around the world on Intelligence Analysis & National Security, Cyber Security, Critical National Infrastructure Protection.
This article first appeared in Cyber Security Review, Summer 2014 edition published by Delta Business Media.