Can You Hear The Hoofbeats?
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
I have come to think of our global cybersecurity threat as the four horsemen of the Internet-apocalypse. But instead of death, famine, war and pestilence, our current plague is economics, information, technology and education. By each of these measures, we are being outgunned, outpaced, and outdistanced.
The most obvious is economics. We operate in a world where some random guy with a laptop, an internet connection and $25 can attack JP Morgan Chase, a bank that is spending half a billion dollars a year on cybersecurity defense. The random guy wins. Worldwide spending on cybersecurity is predicted to top $1 trillion for the five-year period from 2017 to 2021. In early 2015, Lloyd's of London claimed that cybercrime was costing businesses globally up to $400 billion a year, but the whisper number is more like one trillion.
To contrast this, if we bought every exploit kit available on the dark web, we would be hard-pressed to spend $100,000. If we went instead to the Russian, German, Chinese, Brazilian, Japanese and Canadian underground markets, we might add another $100,000. From ATM PIN pad skimmers and bots, to credit card clones, credit card number generators and crypters, to exploit kits, fake websites, how-to guides and modules, malware itself or malware-as-a-service, to social engineering toolkits, we have a candy store of attack vectors, processes, disguises and ruses.
For $50, we can purchase a perfectly good, fully working distributed denial-of-service (DDoS) attack in any variety or flavor we want (floods, pings of death, fragmented packets, low-and-slows or zero-days).
The economic imbalance is hard to believe. We are essentially operating like a fourth-world country trying to compete with global economic powers. The reverse is actually true, yet you wouldn’t know it by examining the results. The fact is that it is happening, we continue to let it happen, and by doing nothing we encourage its growth.
Last week, Anonymous took down 20% of the dark web (those sites that were peddling child porn), demonstrating that if we were inclined to go after the source of much of the disparity, we at least know where to start. Even though we know where the weapons are stored, we continue to concentrate on defense. Perpetuating this approach only exacerbates the discrepancy, and what looks like a widening gap today will look like an insurmountable chasm tomorrow.
The informational imbalance is also huge. We know virtually nothing about our attackers, yet they know everything about us.
They continue to probe our defenses so that they can compile a comprehensive view of which technologies we are using to defend our government agencies, our critical infrastructures and our financial ecosystem. We report continuously on government hacks (47 that we know of), infrastructure probes (the latest Iranian hack of the Bowman Avenue Dam in upstate New York) and banking assaults (the Federal Reserve has been hacked more than 50 times in the past 5 years), yet we act as if this wave of activity is like the latest weather report: chance of showers, then partly cloudy through Thursday.
Our government entities argue that they should be entrusted with massive amounts of data on thousands of US citizens, while a 16-year-old who goes by the handle of "penis" on Twitter dives into the servers of two of America's most secure federal agencies and plucks out their internal files. After the fact, we find out that the same kid is part of the crew that socially engineered their way into the inboxes of CIA director John Brennan, Director of National Intelligence James Clapper, and the Obama administration's senior advisor on science and technology, John Holdren.
A classic example of the result of this imbalance is the attacks against the cyber-surveillance technology company “Hacking Team”. The outcome was the release of 400GB of data which included email correspondence between employees at the company and their clients, proprietary source code, financial records, sensitive audio and other files.
Although the attacker claimed to have used a zero-day exploit that he had developed himself, he also used off-the-shelf tools and provided guidance on using exploit kits to further compromise the victims. Moreover, the attacker provided detailed run-downs of the attack mechanics, which should make for insightful reading for any network defender.
In just a matter of days after the disclosure of the breach, at least two exploit kits - Angler and Neutrino - had incorporated exploits revealed in the guide. The only problem is I have yet to meet anyone who either knows the identity of the hacker or has read the “how-to” guide.
Beyond the forensic specifics involved with a particular investigation, cyber-attribution today suffers from a variety of conflicting indicators including false flags, external motivators, and methodological disparities across the attack surface and the contents of the perpetrating packets. What we know for sure right now is that confident attributory analysis is far outside our present reach.
Can you imagine winning a global conflict like, say, World War Two without intel or counter-intel? We don’t know who our attackers are, and we have limited ability to even identify exploitations of legitimacy, let alone make proper attributions. When we have done so to date, we have been largely wrong.
Believe it or not, back in 2007 we had technology that would have told us everything we wanted to know about the Virginia Tech shooter before he ran out and killed 32 people, but we didn’t apply it. All of his troubled mental health history, his Facebook posts, his ammunition buys, his weapon descriptions, his ranting 1,800-word manifesto, and his videos were available on social media to anyone who bothered looking prior to the actual act.
That information would have saved those lives. We had the technology then and we have it now. But, we don’t use it.
Which brings us to the technology imbalance. While it’s true that we have tons of defensive technology that can prevent conventional cyber-attacks, detect most signature-based intrusions and even tell us when an attack has occurred, we have not successfully integrated these into a unified armament designed for active defense.
We have spent over $80 billion on developing this stuff and almost all of it is used for perimeter or endpoint defense. We have a handful of products that can identify certain forms of anomalies on our networks and we have some that are trying to predict attacks before they occur. But the nature of all this technology is passively defensive.
We don’t have an integrated capability to mount continual reconnaissance within our perimeter defenses and actively seek out intruders who have penetrated our initial lines. We have a small cadre of point-specific products that use algorithmic deductive reasoning to detect anomalies in various ways, most of which are holistically ineffective and can be bypassed with minimal skill.
One of these market leaders depends upon a network baselining process that can take several weeks, during which any active or prior intrusion will likely be perceived and ranked as a normal event. Its deductive reasoning hypothesis is based on Bayesian mathematics and assumes that A equals B, and B equals C, therefore A will always equal C, which is great except when it isn’t, as in the case of advanced malware. Additionally, the data collected by this product is not integrated with any over-arching defense monitoring and control system, and it is difficult to extract and parse.
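To make the baselining weakness concrete, here is an added toy illustration (my own example, not code from the article or from any product it alludes to). It scores hourly outbound byte counts for one host by z-score against a learned baseline, then compares a baseline collected on clean traffic with one collected while a steady exfiltration channel was already running. All traffic figures, host names and thresholds are constructed for the example, and the peer-group cross-check at the end is one simple mitigation a defender could add, not a feature of any named product.

```python
"""
Toy network-baselining anomaly detector, added to illustrate the failure
mode described above: an intrusion already present during the baselining
window is learned as "normal" traffic, and legitimate quiet traffic is then
what gets flagged. All numbers below are constructed sample data.
"""
from statistics import mean, pstdev

# Constructed hourly outbound byte counts (MB) for one workstation during
# a 12-hour baselining window. Normal office behaviour: roughly 45-55 MB/h.
CLEAN_BASELINE = [45, 52, 48, 55, 50, 47, 53, 49, 51, 46, 54, 50]

# Same workstation, but a slow, steady exfiltration channel was already
# active while the baseline was collected: an extra 200 MB every hour.
POISONED_BASELINE = [v + 200 for v in CLEAN_BASELINE]

# Observations scored after baselining (constructed): a quiet hour, a busy
# but legitimate hour, and an hour in which the exfil channel is active.
OBSERVATIONS = {"quiet": 44, "busy": 58, "exfil": 50 + 200}


def build_baseline(samples):
    """Summarise the baselining window as (mean, population std-dev)."""
    mu = mean(samples)
    sigma = pstdev(samples)
    # A constant baseline would give sigma == 0; avoid dividing by zero.
    return mu, max(sigma, 1e-9)


def z_score(value, baseline):
    """How many standard deviations an observation sits from the baseline."""
    mu, sigma = baseline
    return (value - mu) / sigma


def classify(value, baseline, threshold=3.0):
    """Rank an observation as 'normal' or 'anomalous' by absolute z-score."""
    return "anomalous" if abs(z_score(value, baseline)) > threshold else "normal"


def score_all(baseline_samples, observations=OBSERVATIONS):
    """Classify every observation against a baseline built from the samples."""
    baseline = build_baseline(baseline_samples)
    return {name: classify(value, baseline) for name, value in observations.items()}


def baseline_is_poisoned(host_samples, peer_samples, ratio=2.0):
    """Defensive cross-check (assumed, not from any product): flag a host whose
    learned baseline mean exceeds the peer group's mean by more than `ratio`x,
    so a baseline that absorbed an intrusion is caught before it is trusted."""
    return mean(host_samples) > ratio * mean(peer_samples)


if __name__ == "__main__":
    print("clean baseline   :", score_all(CLEAN_BASELINE))
    print("poisoned baseline:", score_all(POISONED_BASELINE))
    print("poisoned vs peers:", baseline_is_poisoned(POISONED_BASELINE, CLEAN_BASELINE))
```

With the clean baseline the exfiltration hour is flagged and the quiet and busy hours pass. With the poisoned baseline the ranking inverts: the exfiltration hour scores as normal while the quiet hour is the anomaly, which is exactly the "ranked as a normal event" outcome the paragraph warns about. Comparing a host's learned baseline against its peer group is one cheap way to notice that inversion before the baseline is put into service.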
The effect of today’s malware attacks is amplified by network connectivity, while the effect of our current defenses is not, so the result is a high degree of leverage in the hands of the attackers, with little or none in the technology of the defenders.
Until we begin actually applying technology like that developed at MIT’s CSAIL, we remain a long way from using advances in artificial intelligence against our attackers. If you were at RSA last week, you should have a pretty good idea of why the bad guys keep winning and keep broadening their success gap.
And, MIT brings us to education, the fourth horseman. The last time I looked, there were 8 colleges in the US that had active cybersecurity programs leading to degrees. In 2015, there were 2 computer science programs in the entire US that offered a cybersecurity course.
So, I guess that’s progress. But, compared with North Korea, China, Iran, and Russia, where there are tens of thousands of students participating in cybersecurity and hacking programs, our efforts are hard to take seriously. In order to get into one of those elite programs, a student must demonstrate, in addition to exceptional subject scholarship, written and oral fluency in English.
North Korea, for example, is also cooperating with China, Russia and Iran on improving its cyber capabilities by sending its best students to them for additional training. Additionally, Russia has sent several professors who graduated from Frunze Military Academy to North Korea to train professional hackers, and Pyongyang and Teheran have signed a scientific and technological cooperation agreement that includes student exchanges and joint laboratories for information technology warfare and cyber-hacking.
The point is that all four of our primary adversaries are working together to develop better trade mastery while we ignore the need to foster our own educational programs. There were, at last count, 1.6 million cybersecurity job openings in this country.
These conditions enable a small, impoverished country like North Korea to invest in a cyber warfare strategy as an offset to lacking the resources for the development of conventional military strength, and instead become a formidable international power in cyberspace. Or guys like Mr. Penis to blow up large enterprises and embarrass the world’s most formidable intelligence agencies.
Given these extraordinary gaps between what the attackers need in order to succeed and what we, the defenders need in order to respond, it is amazing to many of us in the InfoSec community that we haven’t had a paralyzing electrical grid attack or a cataclysmic air or seaport disaster.
Until we can shift the balances away from conditions where malicious actors are able to leverage cheap frameworks, move away from siloed processes and products, change the way IT organizations work across boundaries, start educating our students in the craft, demand holistic products that address the entire IT ecosystem in the context of an active defense posture, and gain a better understanding of the intelligence available to us...
we will be unable to succeed in the ultimate defense of our businesses, institutions and government agencies.
IT/IS thought leader, CTO/CISO & Expert Enterprise Security Architect
7 years
Excellent article and well-written read. So many truths and so many problems we face in the InfoSec community... I guess that spells opportunity. Meanwhile, we collectively continue to move to the CLOUD and pass the buck of system ownership, security and data ownership upstream, protected by an SLA contract. At least some industries with regulatory arms are taking this much more seriously. It's good to be in InfoSec!
Legal Advisor
7 years
Fiery manifesto that requires attention and thought and time to absorb. Will you pause to consider or just pass by hoping it isn't true?