Red Queen’s Cyber Resilience Strategy; Thinking outside-the-box

The Red Queen hypothesis[1], also referred to as the Red Queen effect, is an evolutionary hypothesis which proposes that organisms must constantly adapt, evolve, and proliferate not merely to gain a reproductive advantage, but also simply to survive while pitted against ever-evolving rival organisms in a continuously changing environment.

The Red Queen hypothesis aims to explain two different phenomena:

  • the constant extinction rates observed in the paleontological record, caused by co-evolution between competing species, and
  • the advantage of sexual reproduction (as opposed to asexual reproduction) at the level of individuals

In Lewis Carroll’s sequel to “Alice in Wonderland”, “Through the Looking-Glass”, the Red Queen explains to Alice the nature of the land. At the top of a hill, the Red Queen begins to run, and Alice begins to chase after her. Alice is confused by the fact that even though they are running, they are staying in exactly the same place. Alice asks the Queen why this is happening, and the Red Queen responds:

“Now here, you see, it takes all the running you can do to keep in the same place”.

In evolutionary terms, the hypothesis proposes that species must constantly evolve and adapt not only to gain a reproductive advantage over other members of the same species, but also to survive when faced with other, simultaneously evolving, opposing organisms in a changing environment. Consequently, as you evolve, so do the parasites that feed on and weaken the body. You react to these parasites and evolve defences. The parasites start dying off, but they also evolve in order to continue to feed. You are left with only one choice: to counter-evolve against this counter-evolution in order to fight off the parasites that invade your body. And so on and so forth. In much the same way, the evolution of threats and the evolution of defence tactics need to happen in parallel.

The ever-evolving threat landscape in the fifth domain of warfare[2] (land, sea, air, space and cyberspace) can be seen, in a way, as the parasites that try to take advantage of the healthy living organisms that surround them, and these are none other than YOUR businesses, YOUR systems, YOUR services, YOUR organisations.

All of this happens simply because of how nature works: where there is an attack there will be a need for defence, and while you advance and evolve in order to defend against the emerging threats, the threats will also continue to evolve.

The umbrella terms of cybersecurity and cyber defence are simply two pieces of a bigger puzzle called Cyber Resilience. In order to survive this booming technological era, where the attack surface expands on a daily basis, we need to embrace change, welcome new technologies and services, understand the real business needs, and equally evolve in how we measure cyber risk exposure, especially in the way that we perceive (cyber)security and privacy.

As cyber threats evolve, we need to be in a position to evolve equally; otherwise we simply keep "running" just to stay in the same place.

In other words, our cyber resilience against fast-evolving threats is strengthened by constantly adapting to them. Our adaptation to threats is what drives threat actors to aim for the “lowest hanging fruit” and shift to the next stage of their evolution.

Once we start seeing the bigger picture of this dynamic evolution and adaptation between security experts and threat actors, we will be in a position to understand what to expect, when to anticipate an attack, why we might be targeted and by whom, what predictions can be made based on facts, and to have better visibility across what we defend against. Today we more or less have answers to these individual points: utilising red team exercises, performing rigorous penetration testing, undergoing system hardening, taking advantage of threat intelligence, using IPS and SIEM systems, to mention only a few. The real question to be asked, though, is how we measure the effectiveness of all these systems put in place, by knowing not only how well they all cooperate and perform (similar to a single organism), but also how they are going to be affected during a plausible attack scenario. These plausible attack scenarios include targeted and untargeted attacks. Untargeted attacks have become very easy to launch and put us in a constant race to defend against them, while targeted attacks have become more sophisticated. Regardless of which of these is the most imminent threat to your business and your organisation(s), any defend-and-respond tactics in place have to evolve in order to stand a chance.

Coming from an information security research background, it has always been a bit strange to me that over the years the information security industry has dealt with threats which later on were classified as yet another “black swan” event. 

What does the term “black swan” mean, one might ask? Well, it was a common notion in sixteenth-century London. Everyone knew swans were white, and black swans presumably did not exist, so the term came to mean something far-fetched, not real. However, in 1636, a Dutch explorer discovered nomadic, red-billed black swans in Western Australia. All of a sudden, black swans were no longer an impossibility, and the meaning of the term changed from something far-fetched to something once thought of as far-fetched but now known to be reality. Today, there is a well-known species of black swan. All it took was one black swan to change people’s minds forever[3].

Effectively, coming back to our current Cyber Resilience strategy, it is very important to assess our current holistic security posture from the attacker’s perspective, as this will not only allow us, or in some cases force us, to evolve (according to the Red Queen’s theory), but it also takes us away from yet another “black swan” situation, one that we could have predicted and prevented, as it was simply another totally plausible attack scenario that was waiting to happen. For those of you who have heard of the Super Antelope (Chevaline) project (a project to improve the penetrability of the warheads used by the British Polaris nuclear weapons system), you will see how important it is for all of us to start thinking the way threat actors do.

You can always provide security training to your employees, but why just do that, when you can educate them on Operations Security (OPSEC) with examples from their daily life, especially in companies that have Bring Your Own Device (BYOD) policies in place? You can always provide guidelines on what is considered a good password by pointing out the significance of having a strong one, but why just do that, when you can educate people on password techniques such as regenerating a complex password by using their login and the uniqueness of their character as inputs? You can always conduct a vulnerability assessment across heterogeneous systems and penetration testing against your critical infrastructure, but why just do that, when you can assess your holistic security posture from a threat actor’s perspective, and not only remediate any high-rated vulnerabilities but clearly identify weak points by combining different kinds of information? Why spend a vast amount of money on individual systems and new solutions that do one thing only (as most need to meet their annual budget allowances), when you can withstand the current threat landscape while reducing the cost of the infrastructure by utilising third-party services such as Threat Intelligence and a managed Security Operations Center (SOC)? You can always take steps towards being compliant with GDPR while security is just an afterthought, but why just do that, when any changes can be made with a security-in-mind approach that will not only take away the overhead of “added security” but will also eradicate the backwards notion that security is an afterthought or an off-the-shelf product? In other words, see GDPR as an opportunity not only towards the security of the data the business is protecting, but also as an opportunity to reduce the handling cost in a secure manner by managing the security posture, without spending more.

An effective Cyber Resilience strategy needs to be capable of assessing the security posture of a business, an organisation, an enterprise, even a country’s critical infrastructure, beyond physical borders and geographically confined sectors, even across the whole globe. In other words, a Cyber Resilience strategy is not only about protecting an entity against the unfortunate effects of a cyber incident, but mostly about dealing with the survivability of a whole business ecosystem, which under specific circumstances can suffer devastating effects (from value erosion to bankruptcy).

Adding to this, the rapid interconnection of numerous devices, i.e. the Internet of Things (IoT) and SCADA-controlled systems, increases exponentially the complexity of the systems to be protected, especially in critical infrastructures. The effort required to protect these systems will only increase further as smart cities start becoming a reality, and this is part of the inevitable evolution discussed earlier. Threat actors are mainly opportunists, and it is inevitable that they will try to take advantage of this technological evolution and counter-evolve themselves as well. Hence, today is the time that we need to realise and accept that cybersecurity will become far more complicated in the context of today’s emerging threat landscape, which is not only constantly changing but is also expanding at an increasingly fast rate. Based on this, the need to start thinking outside-the-box when it comes to security is not only necessary, but is the only way forward if we really want to face the most problematic element of cybersecurity: having a dynamic and equally evolving resilience plan that is capable of responding to evolving threats.

A real-world cyber resilience strategy needs to look at both targeted and untargeted attacks while identifying any threat actors that want to target the organisation and its services. While discussing possible attack scenarios and how prevention, detection and response need to be planned out, it is always the best approach not only to identify the highest-value targets (or simply the mission-critical infrastructure), but also to point out the “low-hanging fruit” when prioritising the actions that need to be taken based on exposure to risk. It comes as no surprise that the security of the movement of data through an organisation is usually taken for granted, when the data should have been classified and its movement should be mapped and controlled. When a business’s main focus is to deliver a product, its development lifecycle needs to take security into serious consideration, both in the lifecycle itself and in the final product. One factor that is usually overlooked is supply chain security (the third parties involved) and its own evolution in response to emerging threats. Red team assessments are the flagship when it comes to an offensive approach, as they simulate real-world threat actors. However, a holistic cyber security resilience strategy also needs to take into consideration the insider threat, data leakage, business-specific challenges and threats, corporate and cyber espionage, and, last but not least, the ability to efficiently recover and evolve.

Above all, it is imperative to understand that the unfortunate event of being compromised is an unpredictable but real state of operations for any entity. However, the ability to predict, detect, respond to and successfully recover from a cyber breach is the essence of Cyber Resiliency, which sets the foundation for the new era of defence against cyber warfare. Cyber resilience puts us in a position where we are able to run plausible attack scenarios across the current security posture of anything from a small organisation all the way up to a whole smart city, allowing the results to be measured, to act upon factual data, and to fine-tune our predictions for taking the next steps.

Readiness is defined by the speed at which threats are detected, while responding in a timely manner is what defines a proper cybersecurity strategy. Your cyber resilience strategy, though, is measured by how effectively you have allowed yourself to recover.


Thanks a lot for this post, this post gave me an idea for my study.

More articles by Grigorios Fragkos