“Cyber Attacks are not like natural disasters or other forces of nature, nor are they like diseases or other autonomously evolving and spreading agents (yet). They are ultimately and fundamentally driven by rational human action.” – Dino A. Dai Zovi
I have watched the evolution of cyber attacks over the past 20 years, and whilst I feel there has always been an economic motivation behind some attacks, it is only now that cyber attacks are so sharply focused on financial return, be it corporate ransomware, attacks on financial institutions, phishing schemes, or whatever new scheme is just around the corner. In the past, hackers wrote worms that caused monumental damage to businesses for nothing more than the author's own notoriety.
The traditional approach to defence is to raise the cost for your attackers by making attacks as difficult as possible. Rather than attempting to thwart hackers by making it costly and difficult for them to launch attacks, which also increases costs for the defenders, a more effective strategy may be to deflate the value of the attack prize and employ a decentralised security approach.
What does this look like?
This strategy is made up of six concepts that are already in use in many forms around us, some not originally from an IT security pedigree. Putting them together gives another perspective: an IT security strategy that removes the incentive to attack in the first place, reduces the value to attackers if they do get through, and minimises the impact on the business.
Devaluation. By devaluing the success of a cyber attack, you make hackers less motivated to develop an exploit: the returns are minimal, and they still carry the consequences of being caught. Small bank branches have been able to reduce their physical security and become customer-friendly, open spaces because the banks keep so little cash on the premises that a robbery is not worth the risk of being caught. Everyone will probably recall the StageFright vulnerability that affected Android users. Because there are so many manufacturers of Android phones, each shipping its own firmware builds, the platform's unstructured and haphazard patching cycle has, in one respect, worked to Android users' benefit: a reliable exploit has to be tuned to the memory layout of each firmware build, so an attack would have to be written for every variant of Android phone, which reduces a hacker's motivation to launch a StageFright attack at scale in the first place. As Dino A. Dai Zovi said on Twitter this morning, “NorthBit's ‘Metaphor’ StageFright exploit only supports one firmware image for one device”. See http://opensignal.com/reports/2015/08/android-fragmentation/ for an idea of the sheer fragmentation of Android devices and software, and you get some idea of how this ecosystem actually works to protect Android users from attackers writing exploits. The caveat is that the same fragmentation also delays patches reaching many devices, so this is a side effect to understand rather than a defence to rely on.
Containment. Don't focus on trying to stop attackers at the door; focus on lessening the impact of an inevitable attack. What we have learnt over the years is that even the best security technology and expertise can't stop a well-funded and determined attacker. Businesses should operate under the assumption that attackers will get in, or are already inside (your own employees, for instance). So the best security strategy to devalue attacks is to contain them as well as you can. DMZs and physical security are the obvious ways, but by containerising and compartmentalising software applications and data as much as possible, so that a compromised component can reach only what it needs, a breach can be minimised; the value to the attacker is therefore reduced, and the attack is less likely to be attempted in the first place.
Immutability. The public toilets you walk into in some cities that are made entirely of stainless steel are there because no matter what “destruction” happens to them, vandalism included, they can quickly be returned to new with a big fire hose and some bleach. In object-oriented and functional programming, an immutable object is an object whose state cannot be modified after it is created, in contrast to a mutable object, which can be. The same approach reduces the value of your systems as targets: if the attacker's work (a dropped backdoor, a modified binary, an altered configuration) is simply wiped away on the next reboot or restart, the attacker gains no persistence. The read-only OS partition in the Chromebook, whose integrity is checked at boot, is an excellent example of this.
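Containment and immutability are easiest to see in a concrete deployment. The following Docker Compose definition is an added example written for this page, not the author's configuration or any vendor's: the same web service is defined twice, once the way services are often shipped and once with containment (least privilege, network segmentation) and immutability (read-only root filesystem, scratch space that does not survive a restart) applied. The service names, image names, ports and paths are placeholders assumed for illustration.

```yaml
# Added example: the same service, permissive and contained.
# Image names, ports and paths are placeholders assumed for illustration.
services:
  app-permissive:
    image: example/app:1.0          # assumed image name
    ports:
      - "8080:8080"
    # Runs as root on a writable root filesystem with every default Linux
    # capability, attached to the default network alongside all other
    # services. A compromise here gives the attacker persistence across
    # restarts and a foothold from which to reach the rest of the stack.

  app-contained:
    image: example/app:1.0          # assumed image name
    ports:
      - "8080:8080"
    user: "10001:10001"             # unprivileged UID/GID inside the container
    read_only: true                 # root filesystem is immutable; tampering is gone on restart
    tmpfs:
      - /tmp                        # scratch space that never survives a restart
    volumes:
      - ./config:/app/config:ro     # configuration mounted read-only (assumed path)
    cap_drop:
      - ALL                         # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true      # setuid binaries cannot escalate
    pids_limit: 100                 # bounds fork bombs and miner sprawl
    networks:
      - frontend                    # can reach the reverse proxy ...
      - app-db                      # ... and its own database, nothing else

  db:
    image: postgres:14              # assumed version
    env_file: ./db.env              # assumed; holds POSTGRES_PASSWORD, kept out of this file
    networks:
      - app-db                      # reachable only from app-contained

networks:
  frontend:
  app-db:
    internal: true                  # no route out to the Internet from the data tier
```

With `read_only: true`, any directory the application genuinely needs to write (caches, PID files, upload staging) must be listed under `tmpfs` or mounted as a volume; anything it writes elsewhere fails, which is also a useful way to discover what a service really needs. Because `app-db` is an internal network, a compromised application container cannot use the database host as a path to the Internet, and a compromised database cannot be reached from the front end at all.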
Flux. Software that is in a constant state of flux, change and evolution is a moving target, and much more difficult to write a reliable exploit for: by the time an exploit is ready, the version it was written against may already be gone. Evergreen browsers, which update themselves automatically on a short release cycle, are an excellent example of this.
Speed. Respond and adapt quickly to an attack. One compromise is not catastrophic if you can recover quickly; it reduces the impact, and the value to the attacker, compared with a network where attackers can live for months without your knowing. Build speed into your incident response plan and into your overall IT ethos. If you don't have an incident response plan, you should speak to us about it. Assume attackers will breach your network, or your employees will do it for them. One of the most incredible products I have seen in my industry to date, Darktrace, lives in your internal network and learns what normal behaviour looks like over time, so when something unusual occurs you are immediately notified, potentially stopping an attacker before they have a chance to gain momentum. Don't take my word for it either: read the real-world case studies, or talk to us about the real results we've seen in NZ and Australia. We can also put Darktrace in your network for a month absolutely free.
Decentralisation. This concept can be controversial in a world where enterprise IT is trying to consolidate infrastructure in the datacentre and centralise IT management. However, decentralising data makes it more challenging for attackers to extract value from an attempt to steal it, because no single breach yields the whole set when the data is spread out and compartmentalised. Peer-to-peer systems are one (fairly uncommon) example of this, and as we move more to third-party cloud, the opportunity to decentralise data arises readily, with cloud providers playing a role in supporting this approach and managing the data. Dino also tweeted recently: “With IoT, there's a need to decentralise trust. Having ultimate trust in all these insecure IoT devices will be increasingly dangerous. If we can decentralise trust, we can ensure overall safety. Distributing control and data sharing on these devices would prevent one breached device from being used as RansomWare or to infect others on the same network, such as a personal home network.”
Some or all of the six steps to reducing the value of attacks on your business IT should be at the core of your IT and cyber security strategy for 2016. Devaluation, containment, immutability, flux, speed and decentralisation are the basis for a tactical plan for action, which we can help your business and IT team achieve through our outsourced services and CISO capability.