As an information security professional, this is painful to say, but cyber attackers currently have the upper hand, and it's getting worse. Attackers have the mathematical advantage: they can afford to try and fail many thousands, or even millions, of times because the cost of launching an attack is already minuscule. On the other hand, the cost of defending against an attack with managed IT services is already high, and getting higher. It takes only a single failure to cause irreparable damage; once the data is compromised, you can't make it private again. Worse still, attackers have more ways than ever to monetize their efforts. Their profits are soaring, while the losses for cyber defenders keep mounting. That leads to another problem: with profits soaring and an extremely low risk of ever getting caught, cyber attackers are attracting top talent, and the team of highly skilled attackers probing your network for weaknesses is likely also better funded than you. They are innovating faster than you. They are embracing machine learning and AI technologies to exponentially increase their effectiveness.
To all the IT managers and IT security managers out there, this isn't news; the writing on the wall (or the crack in the wall, for all the Whovians out there) has been there for a long time. The magic bullet touted for solving this problem is using machine learning and AI to combat the attackers through better detection and elimination. This is absolutely worth doing; however, mathematically speaking, these detection capabilities have a peak efficiency (the "peaking phenomenon"), after which adding more data yields increasingly smaller returns, and the returns fall off rather sharply. This is often referred to as the "curse of dimensionality". The detection failure rate of the machine learning or AI is still subject to the rules above: if it is 99.99% accurate, the attackers will simply try 10,000 times to get a success. The cards are still stacked against us.
So how do we overcome these limitations? One clever answer is that if these trends continue, we'll need to stop using IT systems as they exist today. This was famously explored as a theme in Battlestar Galactica, where the Battlestars had to fall back to older electronics with multiple, redundant, isolated systems to keep the Cylons from hacking them during battle. While today's trends may lead to the conclusion that this is the inevitable future, there is hope (at least until we develop Cylons). But it means we need to drastically change the rules of the game.
Here are the things we can do as an industry to start changing the rules:
Stop ignoring the game. Countless times I have heard even seasoned cybersecurity experts express fear of coming under attack. It's repeated constantly at conferences that you don't need to be the fastest antelope when the lions attack, you just need to be faster than the slowest. This mentality is part of how cyber attackers exploit fear: they position themselves as the wolves over a pack of sheep. We need to be the sheepdogs, bigger and badder than the wolves.
Educate yourself and others. Most people do not realize that as soon as they connect to the internet or buy a cell phone, they are under surveillance by malicious actors, and that ignorance is exploited by those actors. Cyber attackers can do what they do because there are so many easy targets available. They don't use their own machines to launch attacks; they take control of someone else's machine and launch the attack from there. Mass public education is key: if we can limit the resources available to attackers, we increase the time and money they must invest to launch attacks.
Make your bed every day! Ok, this is a motivational video, but the underlying message is that when faced with challenges and stress, do the things you can do. In cybersecurity this means we deploy reasonable security measures, then manage and monitor them. Even if you can't buy the most expensive whiz-bang firewall out there, chances are what you have will still give you good results if you keep it up to date and monitor and respond to the alerts it generates. We should be collecting log data and analyzing it, looking for hidden threats; sure, it's not a silver bullet, but it's the best we have today. If we can raise the level of cyber preparedness and response across the board, we start eliminating the easy targets.
Invest in IT countermeasures and stop being passive! Actively confuse, camouflage, deploy decoys, and set traps. Make the attackers work harder and spend more time and money! This is an emerging area of cybersecurity; sure, honeypots have been around for a while, but intentional obfuscation and morphological networks (made possible through SDN) are fairly new forms of deception. For far too long we have tried to simplify IT: deploy optimized network configurations, make it easy to discover machines on the network, and so on. We need to start designing and deploying systems that make it harder for attackers to understand and compromise our systems.
Change the probability of success and make it more expensive to attack by enabling active denials. Use automated responses to shut down attacks as they are happening.
Assert control over your attackers, a.k.a. force your attackers to take certain actions. This is probably the most aggressive form of cyber defense: once we get into the minds of our adversaries and understand how they work, we can manipulate their actions by manipulating what they can see. Use countermeasures to force attackers to reveal themselves, then divert them into black holes, so they waste time and effort in quarantine until they get frustrated.
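To make the "collect logs and analyze them", "deploy decoys", and "automated response" points above concrete, here is a small added example (not code from Griffin Group Global or from any product the post mentions). It scans a constructed, hypothetical log format for touches on decoy hosts and honeytoken accounts, raises an alert on every touch (a decoy has no legitimate users, so a single hit is high-signal), and only quarantines a source after it has tripped two distinct decoys, which limits the damage an over-eager automated response can do to a misconfigured but legitimate asset scanner. All addresses, account names, and log lines are constructed for the example.

```python
"""Decoy-hit detection with a conservative automated response.

Constructed example: the log format, decoy inventory and sample lines are
assumptions for illustration, not a real product's format or data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical decoy inventory. Decoy hosts answer like real servers but
# carry no production workload; honeytoken accounts are seeded into fake
# config files and are never used by anyone legitimate.
DECOY_HOSTS = {"10.0.5.250", "10.0.5.251"}
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_old"}

# A single decoy touch is alert-worthy; automated quarantine waits for a
# second, distinct indicator from the same source to reduce false blocks.
QUARANTINE_THRESHOLD = 2

# Assumed key=value line format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"user=(?P<user>\S*) action=(?P<action>\S+)$"
)

# Constructed sample log: one normal user and one source probing decoys.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=10.0.1.20 dst=10.0.5.10 user=alice action=login_ok
2024-01-01T10:00:05Z src=10.0.1.77 dst=10.0.5.250 user= action=connect
2024-01-01T10:00:09Z src=10.0.1.77 dst=10.0.5.10 user=svc_backup_legacy action=login_fail
2024-01-01T10:00:12Z src=10.0.1.20 dst=10.0.5.11 user=alice action=file_read
this line is deliberately malformed
"""


@dataclass
class Verdict:
    """Alerts are (timestamp, source, reason); quarantine is the set of
    sources the automated response would divert into a black hole."""
    alerts: list = field(default_factory=list)
    quarantine: set = field(default_factory=set)
    malformed: int = 0


def parse_line(line):
    """Return a dict of fields, or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoy_reasons(event):
    """List the decoy indicators an event touches (empty for benign events)."""
    reasons = []
    if event["dst"] in DECOY_HOSTS:
        reasons.append(f"decoy host {event['dst']}")
    if event["user"] in DECOY_ACCOUNTS:
        reasons.append(f"honeytoken account {event['user']}")
    return reasons


def analyze(lines):
    """Run the detection over an iterable of log lines and decide responses."""
    touches = defaultdict(set)  # source -> distinct decoy indicators seen
    verdict = Verdict()
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            verdict.malformed += 1  # count, never silently drop, parse failures
            continue
        for reason in decoy_reasons(event):
            touches[event["src"]].add(reason)
            verdict.alerts.append((event["ts"], event["src"], reason))
        if len(touches[event["src"]]) >= QUARANTINE_THRESHOLD:
            verdict.quarantine.add(event["src"])
    return verdict


if __name__ == "__main__":
    v = analyze(SAMPLE_LOG.splitlines())
    for ts, src, reason in v.alerts:
        print(f"ALERT {ts} {src}: {reason}")
    for src in sorted(v.quarantine):
        print(f"RESPONSE quarantine {src} (divert to sinkhole)")
    print(f"{v.malformed} malformed line(s) ignored")
```

Run stand-alone, the script raises two alerts for 10.0.1.77 (a connection to a decoy host, then a login attempt with a honeytoken account) and quarantines only that source; the normal traffic from 10.0.1.20 produces nothing. The same split between "alert on first touch" and "respond after corroboration" is the knob to tune when the cost of a wrong automated block is high.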
At Griffin Group Global, we provide tried and true managed IT security services to help our clients with the basic everyday "make your bed" activities that reduce organizational risk. But we are also constantly on the lookout for new technologies and innovations to strengthen our offerings, particularly those that start to turn the trends against the attackers. Our current active cyber defense capabilities deny, confuse, and confound attackers, forcing them not only to reveal their presence but also to expend time and energy chasing ghosts, using uncertainty to our advantage. Some of the new capabilities currently being developed will double down on this strategy, substantially increasing the effort and resources needed to execute a successful cyber attack.