Cyber Speed – The unknown velocity component
Jonathan Sinclair

Post on 16-Jan-2017


Agenda

i. Motivation
ii. Goal
iii. Definitions
iv. SI Units
v. Where are we then?
vi. Understand your social impact
vii. Where you exist in the social ecosystem
viii. OODA Loop IT
ix. Defenders
x. Attackers
xi. The Answer

Delivery type

As this presentation evolved it became quickly obvious that this should have been a white paper. Forgive the laziness of not reworking the material and enjoy.

Disclaimer

The following material represents in no way the opinions of my current employer. This presentation was created in my own time, leveraging my own data gathering and research techniques.

Motivation

This presentation was inspired from two recent items I saw posted:

A recent talk title posted on an HPE Protect roadshow agenda where it talked about the ‘Cyber Crisis’ and a velocity component identified as ‘at the speed of twitter’(https://www.hpevents.be/protect/agenda.php)

A small blog entry posted by the company Cybereason titled: “Security’s 2F2R Syndrome: Why fast remediation helps hackers maintain persistence in your network” (http://www.cybereason.com/securitys-2f2r-syndrome-how-fast-remediation-can-help-hackers-maintain-persistence/)

Goal

Identifying a velocity component with regard to the emergence of a crisis, within the topic of IT security, is an interesting idea and I'll try to explore it more in the following slides.

It leads to interesting questions about crisis management: What is the correct time for a reaction? What are the correct values for your Recovery Time Objective? What are the correct values for your Recovery Point Objective? Is a quick reaction time really required? What if the corrective action doesn’t address the root cause? What of residual fall-out? How important are your communication messages?

Definition: Velocity

Taking the Britannica definition we find ourselves with the following: “ve-loc-i-ty: The state of moving swiftly; rapid motion; celerity; speed.” A slightly more charming and wonderfully academic reference is defined by Wikipedia as “The scalar absolute value (magnitude) of velocity is called "speed", being a coherent derived unit whose quantity is measured in the SI (metric) system as metres per second (m/s) or as the SI base unit of (m⋅s−1).”

Speed is what we're interested in, together with its frame of reference / context. Speed in this case can be defined in any unit x, e.g.:

- Milliseconds
- Hours
- Minutes
- Tweets
- Pastebin posts
- LinkedIn news articles
- Etc.

Definition: Breach

The Verizon Data Breach Investigations report 2016 defines a “Breach” as the following: “An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.”

Within the context of this definition (which I will use synonymously with a cyber crisis) it's probably prudent to think more in terms of social communication timescales than in traditional SI units.

SI units don't really affect you, as a business. Ponemon famously stated in its 2015 report that time to resolve incidents, on average, takes 46 days, whatever this really means, e.g.: What does resolution actually mean? Can all incidents be resolved? Does this just mean the time until management is convinced a problem doesn't exist anymore?

The idea of plausible deniability has interesting repercussions within this context.

Yet reports are full of these statistics about SI time units.

But SI units give us a warm fuzzy feeling inside. We like to work with SI units because they are timeframes we're familiar with, and they can be described quantitatively to everyone without recasting your definition.

Looking at Verizon’s latest report, we see this everywhere.

SI units continued

Meaning?

In the end though these figures mean nothing to yourself and the organisation you're trying to defend:

- It can be 3 months until you detect an infection
- It can be 2 days to clean an infection
- It can be 20 days for an investigation to take place
- It can be 500 milliseconds for your SIEM to detect an emerging threat

But it's all smoke and mirrors. What actually matters are things like:

- Time to extract data from your network
- The speed of your own internal escalation processes
- Understanding damage limitation at the speed of social networking

A rather more prudent question to ask is: What is the velocity of your data?

Limited Focus

Of course, not all threats want to publish information about your organisation. They may want to steal your IP, disrupt business activities (e.g. production flows/outages) etc., but for the sake of this deck I'm going to side-line these items (partially) into the bucket of industrial espionage and not address them explicitly.

I know, I know, this limited focus isn’t showing the whole picture but the topic of IT security and breach types, in general, are far too huge to not impose some limits.

Where are we then?

So, with the definitions behind us, having established that SI units for reaction velocity aren't very meaningful, understanding that a breach is synonymous with a cyber crisis occurring in your organisation, and appreciating that we're only addressing data leakage, corporate embarrassment, and reputational and trust damage at the heart of the crisis: where does this leave us?

The answer:

- Understand your social impact
- Where you exist in the global ecosystem
- Appreciate quantitatively what it will mean when data types of information are published on social networks

Understand your social impact

A simple question but often not an easy one to answer. Take for example the following companies:

Apple
- A tech company who has little regard for customer concerns and focuses more on driving its agenda
- Is purely tech driven
- Has a massive cultural following (mostly in the western world)
- Tries to define, for a generation, what it means to be cool
- Languishes more in the luxury goods market than other tech competitors
- Is secretive

Palantir
- Start-up venture having raised more than $2.5 billion in capital
- Deals in data-analysis
- Stays out of the public eye
- Is secretive

Understand your social impact

Toyota
- Largest automobile manufacturer in 2012
- Develops advanced robotics
- Global appeal
- Deals in devices that can kill people
- Employs approximately 350,00 people worldwide

Pfizer
- One of the largest pharmaceutical companies worldwide
- Develops medicines and vaccines
- Brand trust and testing is critical to the company's success
- Deals in a product that can kill people
- Largely appeals to those people who need their product rather than outsiders

Understand your social impact

When we review these 4 arbitrarily selected companies we need to understand their marketing strategy and their key revenue lines. It's not about IT security, it's about the social disruption.

Target has POS devices compromised: What damage did this really do?
- 40 million customer accounts compromised
- People still buy from Target, the company still exists and makes profits

Sony is hacked multiple times: So what?
- People still log onto the Sony network, buy PlayStations etc.

JP Morgan Chase data breach: So what?
- 2 people arrested, 83 million accounts compromised, share price continues to increase

Understand your social impact: Hacks worthwhile

Revisiting our previous 4 candidates:

Apple
- What happens when design ideas are leaked before product launch?
- Corporate strategy is undone
- Hopefully nobody dies

Palantir
- Data-analysis data is stolen, giving those with control of the data informational control
- They market a technique, so unless the method, infrastructure and algorithms are removed the damage may be minimal
- Rather destroy the data or tamper with its integrity
- Real social impact = minimal

Toyota
- Compromise remote control features and expose flaws
- Resulting in accidents, a social backlash of customer confidence and significant damage to the company's reputation
- People can die

Pfizer
- Compromise a chemical production facility and alter dosage quantities
- Customers' health is compromised and significant casualty fall-out

Where you exist in the social ecosystem

The previous examples are brief overviews and highly subjective deconstructions of industry leaders who have been trivially reduced. The point is to provide an appreciation of what a real cyber crisis means and to provide context framing for reaction times.

Each company has a social responsibility and, as with traditional emergency response plans, IT-based components should be elevated alongside other business-critical assets.

Based on the reaction times of the Internet and exposure, these IT assets are actually often more likely to reach crisis point, in terms of likelihood, than natural disasters, plant destruction, machine malfunction etc. (at least in those countries with strong health and safety measures).

Moving forward

How to cope and move forward

OODA Loop IT

1. Understand your company's speed
2. Get inside your adversary's velocity
3. Lay traps
4. Remain agile and dynamic

A recent quote from HPE's chief technology officer Andrzej Kawalec: “People need a robust security partner, or set of partners, who understand how to respond in real time”. (https://www.technologyreview.com/s/601004/once-more-unto-the-breach-what-it-takes-to-defeat-cyberattackers/)

This is a nice wish and close to what needs to happen. But practically possible? = impossible (at the moment).

Current Defenders model is broken-by-design

As an analogy, “Twitter-speed” is fast, agile, lean and has sped up the speed of communication by factors, so much so that being kept up-to-date is no longer about reading papers and who you know. It's who you're following and the trust relationship to these people.

Current state and what IT security people are doing:

- Install detection/prevention boxes
- Percolation through an MSSP or the internal analyst teams takes time, be it through the levels of analysts, locating escalation points, communicating back to the customer, or negotiating and understanding the risk profile

Current Defenders model is broken-by-design: Simplified timeline

Incident occurs -> Incident analysed by humans (slow) -> Percolation through analyst layers -> Incident response plans initiated -> Communication escalation paths followed -> Message(s) communicated

This entire timeline happens in SI time, e.g. seconds, minutes, hours.
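The first OODA step above, "understand your company's speed", is only possible if the simplified timeline is measured hop by hop rather than quoted as a single averaged figure. The script below is an added example, not part of the original deck: it takes a constructed incident timeline (the stage names and timestamps are invented for illustration) and reports how long each hop of the defender's loop took and which hop dominated. In the sample data the sensor fires in seconds while the human percolation and hand-off stages consume the rest, which is the deck's point about SI time.

```python
from datetime import datetime

# Constructed incident timeline following the deck's simplified defender stages.
# The stage names and timestamps are invented sample data, not measurements from any real incident.
SAMPLE_TIMELINE = [
    ("incident_occurs",      "2017-01-10T02:14:00"),
    ("sensor_alert",         "2017-01-10T02:14:05"),  # the detection box fires in seconds
    ("tier1_analyst_triage", "2017-01-10T09:30:00"),  # waits for the morning shift
    ("tier2_escalation",     "2017-01-10T14:05:00"),
    ("ir_plan_initiated",    "2017-01-11T10:00:00"),  # escalation point located, plan started
    ("communication_sent",   "2017-01-11T16:30:00"),  # message(s) finally communicated
]


def parse(ts):
    """Parse the ISO-8601 timestamps used in the constructed timeline."""
    return datetime.fromisoformat(ts)


def stage_durations(timeline):
    """Return (from_stage, to_stage, seconds) for each consecutive hop of the loop."""
    hops = []
    for (a, ta), (b, tb) in zip(timeline, timeline[1:]):
        delta = (parse(tb) - parse(ta)).total_seconds()
        if delta < 0:
            # A timeline that runs backwards is a recording error, not a fast response.
            raise ValueError(f"timeline out of order between {a} and {b}")
        hops.append((a, b, delta))
    return hops


def total_loop_seconds(timeline):
    """Wall-clock time from the incident occurring to the last message going out."""
    return (parse(timeline[-1][1]) - parse(timeline[0][1])).total_seconds()


def bottleneck(timeline):
    """The single hop that consumed the largest share of the loop."""
    return max(stage_durations(timeline), key=lambda hop: hop[2])


def share_of_loop(timeline):
    """Fraction of the whole loop spent in each hop, keyed as 'from->to'."""
    total = total_loop_seconds(timeline)
    return {f"{a}->{b}": round(seconds / total, 3) for a, b, seconds in stage_durations(timeline)}


if __name__ == "__main__":
    for a, b, seconds in stage_durations(SAMPLE_TIMELINE):
        print(f"{a:>22} -> {b:<22} {seconds / 3600:7.2f} h")
    a, b, seconds = bottleneck(SAMPLE_TIMELINE)
    print(f"loop total: {total_loop_seconds(SAMPLE_TIMELINE) / 3600:.2f} h, "
          f"slowest hop: {a} -> {b} ({share_of_loop(SAMPLE_TIMELINE)[f'{a}->{b}']:.0%})")
```

Fed with real ticketing or SIEM timestamps instead of the constructed list, the same functions turn "46 days on average" into a per-hop view that shows where the human percolation actually sits in your own loop.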

Attackers Timeline

The attacker has three principal options (with a destructive end process always being an optional extra):

- Intrusion -> Data extraction -> Leave -> Destroy?
- Intrusion -> Data integrity compromise -> Stay resident -> Destroy?
- Seek -> Destroy

Attackers velocity

With each scenario the attacker will adopt differing velocity mechanisms, for example:

Option 1: Twitter
Destruction is the aim of the game, so hit them hard and quick, i.e. DDoS brought to bear on a weak infrastructural component, ransomware worm, backup virus etc. For most of these examples it's advantageous to run the attacks at the same time in a quick hit.

Option 2: Snail-mail
The objective here is to get the information: get in and get out. So the initial research and analysis phase will take more time. Access acquisition will be more targeted and data extraction will be ‘as fast as possible’.

Option 3: Carrier Pigeon
We're all in it for the long haul. The objective here will be not only to perform data extraction but also to ‘ride-the-whale’ and keep harvesting as much data as possible until noticed. This is particularly favoured when industrial espionage is the goal, i.e. product design acquisition, financial manipulation, general stealing of IP etc.
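The question "what is the velocity of your data?" can be answered from the defender's side by measuring egress velocity per host, because Option 2 (extraction as fast as possible) and Option 3 (a small trickle harvested for weeks) leave opposite signatures in the same flow records. The script below is an added example, not code from the original deck: it buckets outbound bytes per internal host into five-minute windows over constructed flow records and labels each host as "burst", "low-and-slow" or "normal". The host names, destinations, byte counts and the three thresholds are assumptions chosen for illustration; a real deployment would derive the thresholds from its own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed egress flow records: (timestamp, internal host, external destination, bytes sent).
# All values are invented sample data, not captured traffic.
SAMPLE_FLOWS = [
    # ws-17: roughly 3 GB pushed out in four minutes, the "as fast as possible" extraction
    ("2017-01-10T02:10:00", "ws-17", "203.0.113.9", 800_000_000),
    ("2017-01-10T02:11:00", "ws-17", "203.0.113.9", 900_000_000),
    ("2017-01-10T02:13:00", "ws-17", "203.0.113.9", 1_300_000_000),
    # srv-03: 6 MB every hour for two days, the "ride-the-whale" harvesting pattern
    *[(f"2017-01-{10 + h // 24:02d}T{h % 24:02d}:00:00", "srv-03", "198.51.100.4", 6_000_000)
      for h in range(48)],
    # ws-22: ordinary browsing-sized egress for comparison
    ("2017-01-10T09:00:00", "ws-22", "192.0.2.50", 2_000_000),
    ("2017-01-10T09:20:00", "ws-22", "192.0.2.50", 1_500_000),
]

WINDOW_SECONDS = 300                    # five-minute buckets
BURST_BYTES_PER_WINDOW = 1_000_000_000  # assumed: 1 GB out of one host in five minutes
SLOW_TOTAL_BYTES = 100_000_000          # assumed: 100 MB over the review period
SLOW_MIN_WINDOWS = 24                   # assumed: spread across at least 24 separate windows

EPOCH = datetime(1970, 1, 1)


def bucket(ts):
    """Map an ISO-8601 timestamp onto a WINDOW_SECONDS-wide bucket index (timezone-free)."""
    return int((datetime.fromisoformat(ts) - EPOCH).total_seconds() // WINDOW_SECONDS)


def egress_profile(flows):
    """Per host: total bytes out, peak bytes in any single window, number of active windows."""
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, host, _dst, nbytes in flows:
        per_window[host][bucket(ts)] += nbytes
    return {
        host: {
            "total": sum(windows.values()),
            "peak_window": max(windows.values()),
            "active_windows": len(windows),
        }
        for host, windows in per_window.items()
    }


def classify(profile):
    """Label each host by the velocity signature of its egress."""
    labels = {}
    for host, p in profile.items():
        if p["peak_window"] >= BURST_BYTES_PER_WINDOW:
            labels[host] = "burst"           # Option 2 style: get in, extract, get out
        elif p["total"] >= SLOW_TOTAL_BYTES and p["active_windows"] >= SLOW_MIN_WINDOWS:
            labels[host] = "low-and-slow"    # Option 3 style: small amounts, many windows
        else:
            labels[host] = "normal"
    return labels


if __name__ == "__main__":
    profile = egress_profile(SAMPLE_FLOWS)
    for host, label in classify(profile).items():
        p = profile[host]
        print(f"{host:<7} {label:<13} total={p['total'] / 1e6:8.1f} MB "
              f"peak/5min={p['peak_window'] / 1e6:8.1f} MB windows={p['active_windows']}")
```

The two rules deliberately look at different things: the burst rule only needs one window, so it can fire within the attacker's own extraction time, whereas the low-and-slow rule needs the full review period and will never fire quickly. That asymmetry is the velocity imbalance the next slide describes, measured rather than asserted.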

Defender vs. Attacker

With this asymmetric velocity imbalance, the defender is always out-gunned

Reactive defence tactics are relied upon. IT Security will never actually resolve the Attacker-Defender conundrum, no matter the amount of shiny boxes, financial investment etc. made.

The Answer: Automation, correlation, integration

Businesses will have to accept that technology can be trusted to make decisions, even if this has negative effects on business operation.

Automated incident management of systems has to be handed over to algorithms.

Virtualisation has to be leveraged to allow smooth automation of services.

The company's relation to the world and to the IT environment must be correctly understood from the risk/threat perspective.

End quotes

Please take away the following.

For the Defender: Understand your enemy and recall Dave Eggers' statement: “You shall know our velocity”, combined with Matthew Devost: “For active defense operations to be effective, you will have to compress your OODA Loop down to Observe -> Act.”

Cumulatively declared as: “Don't react too fast or too slow otherwise you might undo the entire operation. Observe, react, predict. You shall know our velocity”

For the Attacker: They will operate based on the following principle:

Harry Hillaker: “The key is to obscure your intentions and make them unpredictable to your opponent while you simultaneously clarify his intentions. That is, operate at a faster tempo to generate rapidly changing conditions that inhibit your opponent from adapting or reacting to those changes and that suppress or destroy his awareness. Thus, a hodgepodge of confusion and disorder occur to cause him to over- or under-react to conditions or activities that appear to be uncertain, ambiguous, or incomprehensible.”

Speed, and each side's velocity, will determine the outcome of each engagement.