Winning the Cyber War or Continued Cyber Insanity?

The Nation at a Crossroads

I recently posted an article defining cyber insanity as “implementing the same old protection strategies over and over again and expecting different results.” In a related article, “Fighting the Last War,” I introduced the concept of “cyber guerrilla warfare.” So now might be a good time to provide some additional details of what fighting the last war and fighting the current war look like to the casual observer. Here’s a quick thumbnail sketch…

Fighting the Last War

The 12-Step Cyber Insanity Program

  • Step 1: Announce major breach of [insert agency or company].
  • Step 2: Declare in the forensic investigation that the attack was attributed to [insert nation state actor or hacking group].
  • Step 3: Reveal that the attackers had gone undetected for [insert time period].
  • Step 4: Announce that [insert additional agencies or companies] were also affected by the attack.
  • Step 5: Issue preliminary statement that the attack was the most sophisticated on record.
  • Step 6: Conduct an all-hands-on-deck “sprint” to fix the problem.
  • Step 7: Issue follow-on statement that “Defenders have to be right 100% of the time while attackers only have to be right once.”
  • Step 8: Establish a national commission or task force to study the systemic issues that led to the breach.
  • Step 9: Testify before [insert Congressional Oversight Committee].
  • Step 10: Talk about “going back to the basics” and develop a severe case of amnesia.
  • Step 11: If mission or business has not yet failed, go to Step 1.
  • Step 12: [insert resign or retire]

Fighting the Current War

The 4-Step Cyber Guerrilla Warfare Program

  • Step 1: Assume adversaries are in your system.
  • Step 2: Identify them.
  • Step 3: Disappoint them.
  • Step 4: Then destroy them.

Rip and replace the famous cybersecurity slogan “Defenders have to be right 100% of the time while attackers only have to be right once” with…

“Defenders have to be smart 100% of the time and attackers have to be frustrated always.”

Key Elements of Cyber Guerrilla Warfare

A well-thought-out cyber guerrilla warfare program employs sound systems security engineering practices as part of the systems development process [1]. These engineering practices include many of the items below. How many depends on the goals and objectives of the organization, the criticality of the organization’s missions and business operations, the systems supporting those missions and business operations, and the organization’s risk tolerance.

Prepare for the Adversary

  • Conduct criticality analyses
  • Study adversary tradecraft, including tactics, techniques, and procedures (TTPs)
  • Anticipate adversary tradecraft (employ adversary emulation)
  • Plan for system evolution ahead of adversary developing TTPs
  • Continue to monitor new, innovative security approaches as adversaries shift TTPs

Reduce and Manage Complexity

  • Segregate and disperse high value assets
  • Design and implement a system security architecture that is tightly coupled to the enterprise architecture
  • Implement least privilege and least functionality
  • Eliminate non-essential system components, applications, and connections

Don’t Present a Uniform Attack Surface

  • Implement segmentation, micro-segmentation, and security domains
  • Employ heterogeneous system components and services
  • Diversify products, services, and providers

Develop Resilient Systems

  • Limit the damage adversaries can inflict
  • Increase adversary work factor
  • Impede adversary lateral movement
  • Reduce adversary time-on-target
  • Confuse, delay, and deceive adversaries
  • Implement virtualization and micro-virtualization techniques and technologies
  • Employ zero trust concepts and architecture
  • Eliminate single points of failure
  • Know how your system should behave and be able to detect deviations
  • Churn the system continuously; never present the same view twice
  • Implement mandatory access controls and information flow controls
  • Employ dual authorization and separation of duties
  • Implement strong identity and access management and monitor continuously
  • Minimize the use of reusable credentials
  • Make it harder to get out of the system than it is to get into the system

Value Assurance

  • Require process transparency and security due diligence from developers, vendors, and supply chain partners
  • Favor trustworthy system components in procurements and acquisitions
  • Make assurance arguments for system components and services [2][3]
  • Capture evidence used to make assurance arguments
  • Use assurance as the basis for making risk and engineering decisions as well as the hard decisions on how much to depend on organizational systems for mission success [4]

Cyber guerrilla warfare is not an exact science. It’s a mindset.

[1] R. Ross, J. Oren, M. McEvilley, NIST SP 800-160, Volume 1, “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.”

[2] R. Ross, “Time to Get Serious about Assurance.”

[3] R. Ross, “System Assurance: A Missing Component to Military Readiness?”

[4] R. Ross, “Taking the ‘High Assurance’ Road for Critical Systems.”

A special note of thanks to Mark Winstead, Greg Touhill, Tony Cole, Keyaan Williams, and Gary Stoneburner, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.

Wayne Dean

Principal - Snellings Walters Insurance Agency

3 years

Great points. Saw there were two major CYBER attacks today. Prepare and protect! Every company needs two things: CYBER coverage and an Incident Response plan!

Reply

Dr. Ross, thank you for this. We are at this point. :( The SolarWinds attack finally presented the supply chain attack as being so effective, and the collateral damage will continue to ripple for months/years...

Reply

Vivian Richards

Staff Partner Technical Manager - Public Sector at Splunk

3 years

Ron Ross, I am ready!!!! I want to be part of the solution! And I honestly know Splunk is a part of the new best approach.

Reply

James De Rienzo, CISSP, ICP

Information Security Risk Specialist | Data Analytics and Reporting

3 years

Error correction needs error correction. We are human. We live, we learn, we adapt, we express resilience. I motion that the next version of NIST SP 800-53 Revision 6 contain a Family called Other, the RR security control family, a fitting tribute to your contributions to moving the ball forward in cyber security defense. And as information assurance practitioners, we need to put all the controls in play before we select a minimum security control baseline.

Reply

David Garver

I can help you decide how much cybersecurity is "enough" for your situation.

3 years

As an extremely rough rule of thumb, it takes 10 defenders per each attacker to successfully defeat an insurgency. I do not recall any figures regarding the total count of cyber adversaries, but that's not even the point. In the current environment, each entity is largely expected to be self-sufficient in cyber defense, and NO private sector organization can possibly dedicate 10 resources to defense for every possible attacker who might make them a target. Even if we all agree to fight the next war, it can't succeed without the proper quantity, type, training, and organization for defenders.

Reply
