The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys.
“We need to conduct defenses in a way that kills an adversary’s ROI,” Ziring said. “I want to get it down to the point where a threat actor says, ‘I better choose carefully where I throw this malware first, because I’m not going to get a third or fourth try.’ Today they don’t have that concern.”
In order to decimate a cybercriminal’s ROI on developing tools and attack playbooks, Ziring is calling on public agencies, companies and the security community to radically change the way they respond to cyberattacks.
In a keynote address Thursday at the Borderless Cyber conference, he said the cybersecurity community needs to work cooperatively to respond to attacks collectively, in the same spirit in which it already shares threat intelligence. He argues that doing so would deprive cyber threat actors of the ability to reuse tools and tradecraft, and so starve criminals financially.
“The future of cyber defense is having a shared response or coordinated response,” Ziring said. “We need to break out of today’s enterprise mentality of every person for themselves.”
The type of framework Ziring describes doesn’t exist today, but two standards come close: STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information), both of which deal with sharing data ahead of an attack. Neither addresses the key component Ziring is calling for, a public-private framework that behaves like an immune system: if one node on the network is attacked, all other connected nodes are warned within seconds and defend against a similar attack.
“There is no technological reason why this couldn’t work. There are only practical obstacles like the need for interoperable standards that will enable us to do this in today’s heterogeneous environments. And that’s the bit we are solving right now with STIX and OpenC2,” he said.
Still early in development, OpenC2 is a language that would enable the coordination and execution of command and control of defense components between domains and within a domain.
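The shared-response loop Ziring describes has two halves: a STIX indicator shared by the node that was hit, and a machine-readable response command that every peer can execute. The following added example (not code from the article, the NSA, or the STIX/OpenC2 projects) sketches that loop in Python: a constructed STIX 2.1 indicator is translated into OpenC2-style "deny" commands, which are fanned out to toy actuator nodes that then block the observable. The command layout (action/target/args/command_id, the ipv4_net and domain_name targets, and the 200/400/501 response statuses) follows my reading of the OpenC2 Language Specification v1.0 and should be verified against the actuators you actually deploy; the indicator, addresses and ids are constructed placeholders, and the Node class is hypothetical.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the STIX 2.1 Indicator one node would share right after it
# is hit. Addresses come from documentation ranges (RFC 5737 / RFC 2606).
STIX_INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--00000000-0000-4000-8000-000000000001",  # placeholder UUID
    "created": "2024-01-01T00:00:00.000Z",
    "modified": "2024-01-01T00:00:00.000Z",
    "name": "Malware callback seen on node-A",
    "pattern": "[ipv4-addr:value = '198.51.100.7' OR domain-name:value = 'c2.example.net']",
    "pattern_type": "stix",
    "valid_from": "2024-01-01T00:00:00Z",
}

# Pulls (object-type, property, value) comparisons out of a flat STIX pattern.
# Enough for the 'A OR B' shape above; it is not a full STIX patterning parser.
_COMPARISON = re.compile(r"([a-z0-9-]+):([a-z0-9_.-]+)\s*=\s*'([^']*)'")

def extract_observables(pattern: str) -> List[Dict[str, str]]:
    return [{"object": o, "prop": p, "value": v} for o, p, v in _COMPARISON.findall(pattern)]

# STIX observable -> OpenC2 target. Field names follow the OpenC2 v1.0 spec as I
# read it (assumption); verify against the actuators you run.
_TARGET_BUILDERS = {
    ("ipv4-addr", "value"): lambda v: {"ipv4_net": v if "/" in v else f"{v}/32"},
    ("domain-name", "value"): lambda v: {"domain_name": v},
}

def stix_to_openc2(indicator: dict, duration_ms: int = 3_600_000) -> List[dict]:
    """One OpenC2 'deny' command per observable the actuators can act on."""
    commands = []
    for i, obs in enumerate(extract_observables(indicator["pattern"])):
        build = _TARGET_BUILDERS.get((obs["object"], obs["prop"]))
        if build is None:
            continue  # no actuator-side equivalent; skip rather than guess a target
        commands.append({
            "action": "deny",
            "target": build(obs["value"]),
            "args": {"duration": duration_ms, "response_requested": "ack"},
            "command_id": f"{indicator['id']}#{i}",  # hypothetical id scheme
        })
    return commands

class Node:
    """Toy actuator (hypothetical): a host firewall/DNS filter taking deny commands."""
    def __init__(self, name: str):
        self.name = name
        self.denied_nets: List[ipaddress.IPv4Network] = []
        self.denied_domains: set = set()

    def apply(self, cmd: dict) -> dict:
        if cmd.get("action") != "deny":
            return {"status": 501, "status_text": "unsupported action"}
        target = cmd["target"]
        if "ipv4_net" in target:
            self.denied_nets.append(ipaddress.ip_network(target["ipv4_net"], strict=False))
        elif "domain_name" in target:
            self.denied_domains.add(target["domain_name"].lower())
        else:
            return {"status": 400, "status_text": "unknown target"}
        return {"status": 200, "command_id": cmd["command_id"]}

    def allows(self, ip: Optional[str] = None, domain: Optional[str] = None) -> bool:
        """Would this node still let traffic to the given IP or domain through?"""
        if ip and any(ipaddress.ip_address(ip) in n for n in self.denied_nets):
            return False
        if domain and domain.lower() in self.denied_domains:
            return False
        return True

def coordinated_response(indicator: dict, nodes: List[Node]) -> Dict[str, List[int]]:
    """Fan the indicator out to every peer; returns each node's response statuses."""
    commands = stix_to_openc2(indicator)
    return {n.name: [n.apply(c)["status"] for c in commands] for n in nodes}

if __name__ == "__main__":
    peers = [Node("node-B"), Node("node-C")]
    print(coordinated_response(STIX_INDICATOR, peers))
    print(peers[0].allows(ip="198.51.100.7"), peers[1].allows(domain="c2.example.net"))
```

The translation step is the part that makes a shared indicator actionable rather than merely informative: the first victim pays the cost of detection once, and every peer gets the block for free, which is the ROI inversion the keynote argues for. Unknown observable types are skipped rather than mapped to a guessed target, since a wrong automated block on thousands of peers is its own incident.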