Jason Healey - Atlantic Council - Keynote address: The sophisticated threat – yesterday, today and...
DESCRIPTION
Jason Healey delivered the presentation at the 2014 ADM Cyber Security Summit. The 2014 ADM Cyber Security Summit focused on “Combatting Emerging and increasingly sophisticated cyber threats” both domestically and internationally, and showcased relevant organisational case studies and supporting research from academia. For more information about the event, please visit: http://www.informa.com.au/cybersecuritysummit14
TRANSCRIPT
Sophisticated Threats: Yesterday, Today and Tomorrow
Jason Healey
June 2014
Twitter: @Jason_Healey
Computer Network Vulnerabilities
• Hardware Leakage
• Software Leakage
• Deliberate Penetration
• Accidental Disclosure
• Physical Attack
• Modify at Factory
Look Familiar?
Written in 1969 ….
State-Sponsored Cyber Espionage?
• “Espionage over networks can be cost-efficient, offer nearly immediate results, and target specific locations … insulated from risks of internationally embarrassing incidents”
Heard this Lately?
Written in 1988 ….
Advanced Persistent Threat
• “Extensive resources in money, personnel, and technology”
• “Adept in circumventing physical and procedural safeguards”
• “Patient and motivated”
• “Capable of exploiting a successful attack for maximum long-term gain”
Look Familiar?
From 1991 ….
The Threat … from 1997
Look familiar?
From President’s Commission on Critical Infrastructure Protection (PCCIP Report) 1997
The Threat … from 1997
Look familiar?
JTF-CND Commander’s Presentation to DSB Summer Study, 2000
Bad Guys Finish First
• “Few if any contemporary computer security controls have prevented a [red team] from easily accessing any information sought.”
Heard this Lately?
Lt Col Roger Schell (USAF) in 1979
Back to the Future All Over Again
“…the only cyberwar raging is inside the U.S. government where Washington lawyers and policymakers, military leaders, and official hackers battle over the value and legality of network attack.” Washington Post, 1999
“Attention to security gimmicks results in overlooking serious weaknesses.” Schell, 1979
“The market does not work well enough to raise the security of computer systems at a rate fast enough to match the apparent growth in threats to systems.” Computers at Risk, 1991
“Government and commercial computer systems are so poorly protected today they can essentially be considered defenseless - an Electronic Pearl Harbor waiting to happen.” Schwartau, 1991
TODAY
[Figure: Adversary Groups on Left, Which Industry Each Targets on Right. Source: CrowdStrike Annual Report 2013]
Everyone, Everywhere, All Ways, and Always
Russia – China – USA
Organized crime – Israel – France – UK – India…
• Titan Rain • Night Dragon • Shadows in the Cloud • Putter Panda – Unit 61486 • Unit 61938
• Estonia, Georgia, Ukraine • Buckshot Yankee • Energetic Bear • Snake
• Stuxnet, Flame • Xkeyscore • TAO • Bull Run
To companies like Microsoft or Google, all of these are ‘attackers’ and so all are adversaries.
If you belong to a SIGINT organization, you are APT too!
What Has Changed? Some Important Trends
1. Rise of the professionals
2. Fed by power of the free/stolen market
3. More aggressive attacks and espionage
4. Real national security attacks
5. Attacks aren’t just by the “bad guys” anymore
6. Scope and scale of attacks
What Has Not Changed? Some Important Trends
1. Basic computer vulnerabilities
2. Basic categories of threat
3. Identities of low- and high-end threat
4. General fecklessness of defense
5. Dynamics of cyber conflict
6. Relationship of offense to defense (O>D)
7. Truly destructive attacks are still “five years away”
WHAT COMES TOMORROW?
Tomorrow…
• The conventional answer:
• Maybe our “five-year clock” finally runs out
– Being hurried perhaps more by our increasing vulnerability than ability or intent of adversaries
– We can discuss in Q&A
– But first, the unconventional answer
Great News! Security is Getting Better!
“Whether in detection, control, or prevention, we are notching personal bests …” - Dan Geer, 2014
[Chart: axes Time and Effectiveness; curve: Improvement of Defense; labels: Tipping Point?, 2014]
Bad News! We’re Still Losing and at a Faster Rate! O>D
“Whether in detection, control, or prevention, we are notching personal bests but all the while the opposition is setting world records.” - Dan Geer, 2014
[Chart: axes Time and Effectiveness; curves: Improvement of Defense, Improvement of Offense; label: 2014]
http://geer.tinho.net/geer.rsa.28ii14.txt
Or Is It Exponentially Worse?
[Chart: axes Time and Effectiveness; curves: Improvement of Defense, Improvement of Offense; label: 2014]
Can This Last Forever?
[Chart: axes Time and Effectiveness; curves: Improvement of Defense, Improvement of Offense; labels: Tipping Point?, 2014]
O>D
O>>D
[Chart: axes Time and Effectiveness; labels: Tipping Point, 20xx]
When There Are More Predators Than Prey
“Somalia”
“Wild West”
THIS HAS BEEN VERY NEGATIVE, SO TO END ON A POSITIVE NOTE…
QUESTIONS?
Twitter: @Jason_Healey
Cyber Statecraft Initiative
• International conflict, competition and cooperation in cyberspace
• Our goal is Saving Cyberspace
• Publications (all at our website, atlanticcouncil.org)
• Public and Private Events
1. History of cyber conflict
2. Future of cyber conflict
3. Systemic cyber risks
4. Public sector-centric strategy
5. Sustainable cyberspace