Active defense or hacking back?

As attackers seemingly are always a few steps ahead of corporate lines of defence, a more active and outward-focused approach to security incident response has emerged over the past several years. Some call it hunting, the kill chain or active defence, or use other terminology to make a clear point: we will no longer sit back and wait passively for attacks to respond to. The often militaristic terms used to describe these new lines of defence are a good indication of the proactive and perhaps more aggressive nature of what may better be classed as counter-attack. It is an approach whereby you seek out the attackers before they strike you. Recently JP Morgan announced that it had set up a new cyber defence unit, largely staffed with ex-military cyber warriors. A new security operations centre was subsequently established conveniently close to the NSA’s headquarters in order to attract the much needed talent. Is this a trend, much in the same way as air force pilots make their way into commercial aviation following their military careers? Perhaps too early to tell, but there is clear evidence that more organisations are standing up a much more proactive response to cyber-attacks than we have seen over the past decade or so.


But when does proactive response turn into hacking back? And what about the legal boundaries of what is permitted and what is not, not to mention the many jurisdictions a typical cyber-attack usually spans? My guess is that the courts will have to produce much new jurisprudence on this complicated matter, with legislators trailing behind. This will create somewhat of a paradoxical situation over time, as the very same nation states that will need to pass these new cyber laws will be reluctant to curb their own cyber-war capabilities at the same time.

Most companies, however, are far removed from establishing hunt teams, and have yet to start establishing a more organised response to cyber-attacks in an adequate security operations centre. Before doing so, an interesting exercise is a reality check on how many of the implemented security controls are preventative in nature versus more detection oriented. As we know that the prevention paradigm is behind us, it is striking to see how much of enterprise security is still based on prevention. In most cases at least seventy percent prevention oriented, I wager. With that I am not suggesting that we should do away with preventative security controls altogether; many of them have a place in the mix. However, if you want to move towards an informed and more proactive cyber-defence organisation, you will need to provide your hunt teams with the intelligence gathered from internal and external sources in order for them to be effective. For most this will require a security transformation, a move away from the fortress approach and towards the detection and proactive response paradigm.

Assume breached, the new paradigm.

Where we used to think that it was possible to protect corporate networks and systems and prevent them from being compromised, we are now seeing a level of persistence, organisation and skill that makes these break-ins inevitable. Organisations are better off assuming they have been breached, a mindset that will allow us to get beyond yesterday’s prevention paradigm and implement a much more effective approach to cyber-defence, one that is largely based on response.

But where do we start? How about with the question of what is worth stealing or disrupting? What are your crown jewels, your prized possessions and critical processes? This is often where the confusion starts. Although at first glance similar, there is a fundamental difference between “what are you looking to protect?” and “what are you looking to defend?”. The former looks at your valuable data, such as intellectual property, and your critical business processes, whereas the latter is really about your attack surface or infrastructure. I say let’s worry about what attackers may be after first and then think about how best to safeguard it.

Many organisations are still transforming from a perimeter-focused approach and are in the process of including more security layers, embedded throughout vital parts of the business architecture. The problem with the disappearing perimeter, however, is that if you try to protect everything with the same level of security you will eventually fail, not least because it will break your budget. Equally, if your strategy is still based on a pure protection approach this will also lead to failure. The more successful strategies I have seen are based on at least sixty percent response as opposed to protection. The first question asked on this subject is whether a predominantly response-based security approach will not allow attackers to always claim success. Not necessarily. Implement prevention technology and processes where they make sense, and response-oriented controls across the board, starting with continuous monitoring.

The key is to focus on your valuables, the stuff that really matters. This is where data classification usually comes in: managing the sensitivity of information and giving it labels such as classified or even top secret. The issue here is often over-classification. When in doubt, label it classified, just to be sure. That is what many people will do, not realising that this dilutes the process and makes the classification meaningless. Simple data classification is not good enough in today’s world, and more rigorous steps are required to ensure that the organisation understands what is truly critical to protect in order to manage the business successfully.

Once you know the answer to that question, you will naturally need to provide an appropriate security architecture and organisation to address the risk of a breach of these valuables, and an appropriate level of security for the rest. Much of this will be based on a more modern response framework and not just protection. This will include continuous monitoring, threat intelligence, incident analysis and response, and hopefully an incident response team organised in a Security Operations Centre. We have seen new methods of incident response: hunt teams with a proactive approach, as opposed to only following security events and incidents. This goes a long way in further complicating an attack, which is absolutely critical in stopping it. By complicating the attack, your incident response team gains the valuable time it needs to stop the attack in its tracks before it succeeds in exfiltrating your data or disrupting your business process.

Such a modern approach to cyber-defence, in what can be classed as an asymmetric battle, needs to start with the assumption that your organisation is breached. It will make the subsequent security transformation a lot more successful.

How much has the internet blurred the lines between right and wrong?

How much has cyberspace desensitised us to real crime and its effects? The recent court case of Ross Ulbricht, aka Dread Pirate Roberts, has made me think of the desensitising effects that the internet has had on humans. How has the distance that the internet has created between us and real physical activity changed us? Think about the low threshold for spewing filth shown by obnoxious and anonymous commentators on regular news websites and social media. Trolling is a prime example, where people feel no shame in bullying others, famous or not, into submission and even doxing their targets (identifying and publishing someone’s identity, often with shameful facts, fabrications and imagery to back it up). This in turn has led to catastrophic real-life events as awful as suicides, acts that take place outside cyberspace and can destroy the lives of the targets and their relatives. Other examples where the lines of reality get blurred with our lives online can be found in online grooming, whether of underage children or of recruits for fanatics on a mission to carry out their holy war.

How does all of this relate to Ross Ulbricht’s case and the unravelling of the Silk Road, an underground version of Amazon for drugs, weapons and other illegal stuff? Well, I truly believe that, as we have shifted over the last few decades from mostly offline, brick-and-mortar and face-to-face activity to a much less tangible way of interaction, humans overall are still adapting. Adapting mostly in how to distinguish what is fake from what is real, and often right from wrong. Are humans perhaps not yet genetically programmed so that the norms we value in daily life also apply online?

How many of you have, or still do, download music or movies and don’t really consider this as real theft? Equally, what if people were to interact with each other in the local supermarket the way they troll and try to outwit each other on online forums or in the endless threads on Facebook and other media? We are still having to get used to the fact that we now live in two worlds, one where people can see and hear how we interact directly in the real world: in the supermarket, the pub, your local sports club, the office and so forth. Behind a shroud of anonymity, however, many of us seem to forget about the values by which we like to live our normal real lives. It is almost as though the internet has made us into split personalities, one persona which we use in our day-to-day life and quite another, and often more sinister one, for our online existence. Just for fun, do a Google image search for Ross Ulbricht and tell me whether he looks like what you would expect a drug or illegal arms dealer to look like. Ideal son-in-law, more like. I know that looks can be deceiving, but if this is combined with some of the background information available about him you would think Ross to be a pretty normal bloke. Less the Dread Pirate stuff, of course.

In some of the recent coverage of the Ulbricht case there was one constant: his mum’s conviction of her son’s innocence. Let me paraphrase some of her commentary to the press: “He would never do such a thing, Ross is a good boy and believes in making the world a better place”. This does make me think of that person walking his pit bull in the park that has just bitten you, stating “he’s never done that before.” Is it possible that Ross Ulbricht, quite likely not an evil person at all, got sucked into the dark web and was unable to appreciate the trade performed over Silk Road for what it really was?

As long as the dark web provides the sort of anonymity it currently offers, and the chance for the drug trade to step out of dangerous and bullet-ridden alleys to be performed from the comfort of your desk, it will provide the ideal platform for illegal and highly organised trade. It is no surprise then that the next versions of Silk Road and many other nefarious markets flourish on the dark web today, with very many Bitcoin millionaires trading on them. The big question is how schizophrenic we are as humans, and how able we are to differentiate between online and offline. Understanding that online actions can have catastrophic offline consequences is a start. Ross will likely have the next two or three decades to ponder this behind bars; the verdict is expected mid-May this year.


Layer 8, security’s weakest link.

No matter how much news coverage security gets on a daily basis, or how many hours we are asked to click through a security awareness course to show compliance, people are still the weakest link in security. I lovingly refer to people as layer 8 in this case, and just for those of you in need of a refresher on the OSI layers, they are: Physical, Data Link, Network, Transport, Session, Presentation and Application. “Layer eight” is represented by the flesh and blood sat behind the keyboard, touch screen or phone line. That is where it often goes wrong, as layer eight cannot be coded, is difficult to monitor and, as it turns out, is resistant to awareness. People are naturally curious and mostly willing to be helpful; these are our built-in security vulnerabilities that cannot be patched.

As pointed out to me in a training course that I attended a week ago, the average hit-rate on a targeted phishing attack with three emails is 50% on the first go. This goes up to 80% on the second run of three emails to the same population. These were results from a campaign run by ThreatSim. What this means is that in a multi-message phishing attack more than half of the target population will click on a link or file which will trigger malware or guide the unaware target to a less than reputable website to harvest valuable data, like passwords. The probability will vary depending on the sophistication of the user base, but still.

Now think about this proposition not as a hacker or geek, but as a businessman, whilst putting yourself into the shoes of a cybercriminal. Surely with that kind of hit-rate a layer 8 attack, social engineering if you will, will yield a much better return than a technically more sophisticated attack? In reality social engineering is usually an activity to support a larger attack, of course, and with this kind of success rate it is quite easy to understand why. Businesses, bona fide and nefarious alike, love high-yield returns. This is exactly the reason why significant investments are made by cybercriminals in perfecting the art of social engineering. The increase in the “quality” of phishing attacks is clear evidence of that.

Another interesting finding in the study of phishing is that roughly 25% of a normal user population cannot be made aware by normal means. So if you were to run a test with bogus phishing attacks over a period of time, combined with post-mortem communication, you will only be able to bring the percentage of offenders down to about 25%. After this it will probably flat-line, and more drastic measures like HR interviews with the threat of sanctions will be required to bring the percentage of offences down into the single digits. So, layer 8 is not only unaware, but stubbornly unaware, as it appears.

What’s the bottom line? Standardised “awareness” training with endless click-through web-based tools that people multi-task their way through is great for demonstrating compliance, but it will never be enough to combat phishing and other forms of social engineering. If you want to optimise awareness, provide a more hands-on approach and run real tests so that you can figure out which of your users are still lacking the required awareness.
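To make the numbers above concrete, here is an added example (not code from the original post, and not tied to any particular simulation tool) that works through the results of an internal phishing test the way the post recommends: per-round click rate, the cumulative share of users fooled at least once (the attacker's view of a multi-message campaign), and the hard core of repeat offenders who need hands-on follow-up rather than another click-through course. The campaign data, the users and the CSV layout are all constructed for the example.

```python
"""Analyse the results of an internal phishing simulation.

Added example, not code from the original post. The campaign data is
constructed: four users, three rounds, three simulated emails per round.
The CSV layout (round,user,emails_sent,clicked) is an assumption; use
whatever the simulation tool you actually run exports.
"""
from collections import defaultdict

# Constructed campaign export: round,user,emails_sent,clicked
# (clicked = 1 means the user clicked a link or opened an attachment in at
# least one of that round's emails).
CAMPAIGN_LOG = """\
1,alice,3,1
1,bob,3,0
1,carol,3,1
1,dave,3,0
2,alice,3,1
2,bob,3,1
2,carol,3,0
2,dave,3,0
3,alice,3,1
3,bob,3,0
3,carol,3,0
3,dave,3,0
"""


def parse_campaign(text):
    """Return {round_number: {user: clicked_bool}} from the export above."""
    rounds = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rnd, user, _sent, clicked = line.split(",")
        rounds[int(rnd)][user] = clicked.strip() == "1"
    return dict(rounds)


def click_rate_per_round(rounds):
    """Fraction of the population that clicked in each individual round."""
    return {r: sum(users.values()) / len(users)
            for r, users in sorted(rounds.items())}


def cumulative_hit_rate(rounds):
    """Fraction of the population fooled at least once by the end of each round.

    This is the attacker's view of a multi-message campaign: each user only
    has to be fooled once, so the number never goes down from round to round.
    """
    population = set()
    for users in rounds.values():
        population.update(users)
    fooled, result = set(), {}
    for r in sorted(rounds):
        fooled.update(u for u, clicked in rounds[r].items() if clicked)
        result[r] = len(fooled) / len(population)
    return result


def repeat_offenders(rounds, min_rounds=None):
    """Users who clicked in at least min_rounds rounds (default: every round).

    This is the stubborn core that standardised training does not reach and
    that needs the hands-on follow-up the post argues for.
    """
    if min_rounds is None:
        min_rounds = len(rounds)
    counts = defaultdict(int)
    for users in rounds.values():
        for user, clicked in users.items():
            if clicked:
                counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= min_rounds)


if __name__ == "__main__":
    rounds = parse_campaign(CAMPAIGN_LOG)
    print("per-round click rate:", click_rate_per_round(rounds))
    print("cumulative hit rate :", cumulative_hit_rate(rounds))
    print("repeat offenders    :", repeat_offenders(rounds))
```

The cumulative figure is the one to compare with the 50% and 80% quoted above; the per-round figure is what a training programme is trying to push down, and the repeat-offender list is where it plateaus.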

Now, click here to collect your payment for reading this blog 😛


The main security issue with the convergence of IT and OT: people

Most people will know what IT is; let’s face it, IT has changed our lives forever. We carry processing power around in our pockets that NASA would have paid very dearly for only a decade or so ago. Even if this may seem an exaggeration, it’s probably not far from the truth. Just think about how little time it takes to download a 30 MB app to your smartphone and install it. It has become so normal that we have to remind ourselves how different things were.

Now try and imagine a train from A to B (fill in your from and to of choice). The train in question changes course by signalling on the rail. A mechanical process, you might say, and yes it is, but one that is managed by a piece of technology known as OT, or operational technology. Just like with trains, there are very many other processes, industrial or otherwise, which are managed by this kind of technology. SCADA and other industrial control systems are mostly focused on managing a single process. As you may imagine, up-time and safety are the two things that really matter in this kind of environment. You would not want your train to collide with another just because an old piece of kit failed to control a critical signal on your way home after a long day at work. If you live in or near London, you will often have heard the most commonly used excuse of “signalling failure between Waterloo East and London Bridge…”. Makes you wonder. With signalling failure the remedy is to delay trains, serving safety. Up-time clearly needs work.

Just like trains need to run, preferably in the right direction, power stations need to function, nuclear reactors need to react and oil refineries need to refine. There are countless industries where OT plays a major role in the running of the enterprise. This technology, even though often based on very similar technology to that found in IT, is managed by a different group within an organisation: not IT, but operations engineers. They live by different rules and a completely different set of best practices. As an example, you will often find servers that have not been patched for years, with engineers boasting that their servers have not been rebooted in the past four years.

So why is this a problem? In the past, systems in the OT environment were air-gapped. This means they were physically separated from other systems or networks, not connected in any way to the corporate network. Direct physical access was required to work on them. That is often not the case anymore. With requirements for lowering the management cost of equipment, ease of use and maintenance, and the omnipresence of the internet, came interconnectivity of IT and OT networks. In some cases on purpose, but sometimes simply as a result of poor network architecture design. Even if an organisation insists that the two environments are “firewalled off”, this will never be good enough. Not if you believe in the “assume breached” paradigm, which is today’s reality whether you like it or not.
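If you accept that the firewall between IT and OT will not hold on its own, the practical follow-up is the continuous monitoring argued for earlier in the "assume breached" post: keep watching the boundary and flag any conversation across it that nobody signed off. The following added example (not code from the original post, and not tied to any particular firewall or flow-export product) does exactly that over a handful of flow records. The IT and OT address ranges, the single allowed cross-zone path (an engineering host talking to a historian on TCP 502) and the flow records themselves are all constructed for the example; a real deployment would read the same fields from firewall or NetFlow exports.

```python
"""Spot unexpected traffic across the IT/OT boundary in a flow log.

Added example, not code from the original post. Zone ranges, the allowlist
and the flow records are constructed; adapt them to the network at hand.
"""
import ipaddress

# Constructed zone definitions (assumption: one /16 per zone).
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "OT": ipaddress.ip_network("10.200.0.0/16"),
}

# Constructed allowlist of the only cross-zone conversations that should
# exist: (source host, destination host, destination port).
ALLOWED_CROSS_ZONE = {
    ("10.1.5.10", "10.200.0.20", 502),
}

# Constructed flow records: timestamp src dst dst_port protocol
FLOW_LOG = """\
2015-03-02T08:00:01 10.1.5.10 10.200.0.20 502 tcp
2015-03-02T08:00:05 10.1.23.4 10.200.0.20 502 tcp
2015-03-02T08:00:09 10.1.23.4 10.1.0.50 443 tcp
2015-03-02T08:01:00 10.200.0.31 10.1.23.4 445 tcp
2015-03-02T08:01:10 10.200.0.31 10.200.0.20 502 tcp
2015-03-02T08:02:00 192.0.2.7 10.200.0.20 502 tcp
"""


def zone_of(ip):
    """Name of the zone an address belongs to, or 'other' if in neither."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port, proto) tuples from the log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        yield ts, src, dst, int(port), proto


def find_unexpected_cross_zone(text):
    """Flows that touch the OT zone from outside it and are not allowlisted.

    Returns (timestamp, src, dst, dst_port, "SRC_ZONE->DST_ZONE") tuples.
    Traffic that stays inside one zone is ignored. Traffic between OT and
    anything else, including addresses in neither zone, is reported unless
    it is explicitly on the allowlist.
    """
    findings = []
    for ts, src, dst, port, _proto in parse_flows(text):
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue                      # stays inside one zone
        if "OT" not in (src_zone, dst_zone):
            continue                      # IT <-> other is not this check's job
        if (src, dst, port) in ALLOWED_CROSS_ZONE:
            continue                      # signed-off engineering path
        findings.append((ts, src, dst, port, f"{src_zone}->{dst_zone}"))
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_cross_zone(FLOW_LOG):
        print(*finding)
```

The point of keeping the allowlist so small is that every extra entry is a documented business reason for crossing the boundary; anything the script reports is either a missing entry, which the OT owners can confirm, or the kind of accidental interconnection the post describes.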

There are many other technical and process-oriented challenges that I could highlight between IT and OT, but none of that will matter unless companies are able to deal with the organisational aspect. As stated above, OT is typically managed by a different part of the organisation, and quite rightly with different metrics and definitely a different approach to maintenance. Without being too sexist, IT and OT are kind of like men and women, with the one group hailing from Mars and the other from Venus. They don’t think alike, they act differently and they sure as hell do not want you meddling on their turf. Not sure that last bit is exactly true for men and women, but you get the point.

So, unless a company with a fair amount of critical infrastructure under its wings is able to adopt an organisational structure with ownership over IT and OT appropriately organised, resulting in real collaboration between the two, none of the potential technical solutions will matter.

I will be speaking about this at an ISC2 conference later this year, and welcome your comments and feedback on this topic.