Stories like the July 4th cyber attack are raising our awareness of the cyber battlefield. Given the media focus on bots, rootkits, and malware, it is easy to overlook the core of these attacks – human conflict. In the Art of War, Sun Tzu stressed the understanding of those who wield the weapons of war. Security expert Richard Stiennon of IT-Harvest applauds this perspective. Below are highlights from the SecureLexicon Art of War podcast with Mr. Stiennon.
The Cyber Battlefield
According to Sun Tzu, victory is predicated on understanding both yourself and the opponent. This understanding goes beyond knowing attack techniques. One must understand the mind and spirit of the enemy. This is where our cyber strategy falls short. “At the very low level”, said Stiennon, “the typical enterprise-driven individual treats attacks as if they are nameless, faceless packets coming at them – and that’s how most vendors have created their products.” While this approach has its merit, it fails to provide forensic intelligence that reveals the nature of the attacker.
“On the larger theater, where there’s hacktivism going on, there is more study of who the attackers are.” Mr. Stiennon cited Hamas vs. Israel and Russia vs. Estonia. While these exemplify a focus on attribution and the understanding of attacks, “no one does it better than China,” said Stiennon. When asked how we can counter the methods employed by China, Stiennon said “certainly we don’t want to engage in counter cyber espionage.” He feels that we should defend ourselves using the information gleaned from examining these attacks. According to Stiennon, “we must watch them and block them at every possible opportunity.”
Winning the Hearts and Minds of Would-be Attackers
Understanding the environmental context of the battlefield and its populace is, according to Stiennon, “one of the key turning points in understanding the new cyber domain for warfare.” Crowdsourcing is powerful because it employs other people in the conduct of an exploit. According to Stiennon, crowdsourcing is effective because of its “very low cost in terms of technical investment and low cost in terms of political fallout.” Its effectiveness, however, depends on the instigator’s ability to rally support for the attack. Stiennon described how crowdsourced cyber attacks on Iran evolved from attack tools posted on web sites for download to a web application that “tricked people into being a part of the cyber army.”
“Invincibility is in oneself. Vulnerability is in the opponent.”- Sun Tzu
Sun Tzu advised that the enemy be enticed into actions that reveal useful information about their operational capabilities, tactics, and strategies. “I think this is very critical for the aspect of cyber war that we are having the most trouble with – attribution,” said Stiennon. He supports the use of honeypots/honeynets to gain knowledge of our adversaries through forensic analysis of their attacks. These cyber artifices require careful coordination between operational, tactical, and strategic activities to make them convincing. A honeypot's logs reveal tooling and tradecraft more reliably than identity: the address that connects is often itself a compromised machine, so attribution has to be built from the accumulated pattern of probes rather than from any single source.
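The honeypot approach Stiennon describes, as an added example that is not from the podcast or this post: a minimal low-interaction TCP listener that presents a decoy banner, records the first bytes each client sends as a structured forensic record, and tallies the probes per source so an analyst can start from patterns rather than single connections. The decoy port, the banner, and the sample probes in the demo are constructed assumptions, and nothing received is ever executed.

```python
"""Low-interaction TCP honeypot sketch: present a decoy banner, capture the first
bytes each client sends, and keep structured records for forensic analysis.
Added example, not code from the podcast or the post; the port, banner and
sample probes are constructed.  Nothing received is ever executed."""
import socket
import threading
import time
from collections import Counter, defaultdict
from dataclasses import dataclass

DECOY_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"  # constructed decoy; should match the host's cover story
MAX_CAPTURE = 64                           # bytes kept per connection; enough to classify


@dataclass(frozen=True)
class ProbeRecord:
    ts: float
    src_ip: str
    src_port: int
    protocol_guess: str
    first_bytes_hex: str  # hex so the log is safe to view; decode only in the lab


def classify_probe(data: bytes) -> str:
    """Guess the client's tooling from what it sent after seeing the banner."""
    if not data:
        return "connect-only"  # scanner finished the handshake and left, or timed out
    if data.startswith(b"SSH-"):
        return "ssh-client"  # a real SSH client or brute-forcer answering the banner
    request_line = data.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT") and b"HTTP/" in request_line:
        return "http-client"  # web scanner hitting every open port
    return "unknown"  # keep the bytes; new tool families show up here first


def make_record(src_ip, src_port, data, ts=None):
    data = data[:MAX_CAPTURE]
    return ProbeRecord(
        ts=time.time() if ts is None else ts,
        src_ip=src_ip,
        src_port=src_port,
        protocol_guess=classify_probe(data),
        first_bytes_hex=data.hex(),
    )


def summarize(records):
    """Per-source tally of protocol guesses: the starting point for attribution work."""
    by_src = defaultdict(Counter)
    for rec in records:
        by_src[rec.src_ip][rec.protocol_guess] += 1
    return {ip: dict(counts) for ip, counts in by_src.items()}


def handle_client(conn, addr, records, lock):
    """Send the decoy banner, read at most MAX_CAPTURE bytes, close, record."""
    conn.settimeout(5.0)
    data = b""
    try:
        conn.sendall(DECOY_BANNER)
        data = conn.recv(MAX_CAPTURE)
    except (socket.timeout, OSError):
        pass  # a silent or aborted client is still recorded (as connect-only)
    finally:
        conn.close()
    rec = make_record(addr[0], addr[1], data)
    with lock:
        records.append(rec)


def serve(host="127.0.0.1", port=2222, stop=None, records=None):
    """Accept loop; run in a thread and set `stop` (a threading.Event) to end it."""
    records = [] if records is None else records
    lock = threading.Lock()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        srv.settimeout(0.5)  # wake up regularly to check the stop flag
        while stop is None or not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client, args=(conn, addr, records, lock),
                             daemon=True).start()
    return records


if __name__ == "__main__":
    # Offline demo on constructed probes; call serve() instead for live capture.
    sample = [
        ("203.0.113.7", 51000, b"SSH-2.0-libssh_0.8.1\r\n"),
        ("203.0.113.7", 51001, b"SSH-2.0-libssh_0.8.1\r\n"),
        ("198.51.100.9", 40000, b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"),
        ("198.51.100.9", 40001, b""),
    ]
    recs = [make_record(ip, port, data, ts=0.0) for ip, port, data in sample]
    for ip, counts in summarize(recs).items():
        print(ip, counts)
```

The banner is the bait and the hex-encoded first bytes are the evidence; the per-source tally is what turns "nameless, faceless packets" into a profile of the tooling behind them. A real deployment would add the destination port to each record and ship the records off-host, since a honeypot that stores its own logs is a honeypot an intruder can clean up.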
My interview with Amit Yoran detailed how our analysis of the opponent must have forensic rigor. We must understand the weapon, the attacker’s identity, how it was used, and what effect it had. I hold that our analysis must also determine the “why” behind the attack. Before engaging his opponent, General George S. Patton studied the works of his counterpart; his books, articles, poems, etc. His goal was to understand the mind of that individual. We must do the same.
The Conditions for Victory
According to Stiennon, “a cyber conflict is going to be part of another conflict. If the goal were simply the cyber attack, it would be an ineffective goal because we recover from cyber attacks.” For example, the SQL Slammer worm disrupted several Internet transit providers in 2003. However, its effects lasted for about twelve hours. Mr. Stiennon holds that a cyber attack could be employed effectively as a distraction or as a means to disrupt communications. “The goal of information, as stated in US and Chinese military manuals, is information dominance. This means that you have complete control over, and complete access to, the enemy’s information and ability to shut off the enemy’s ability to communicate.” Meeting this goal through cyber attacks alone is unlikely given current attack capabilities.
According to Stiennon, accountability at all levels of the enterprise is critical to security.
“I think the lesson learned from many wars is, from a defensive standpoint, cyber war is very distributed. You won’t be able to fortify a particular perimeter and be any stronger because you have to defend everything, everywhere. That means that you have to delegate all the way down to system administration level responsibility for security.” Mr. Stiennon adds that this responsibility must have associated rewards and punishments.
Closing Thoughts
War has not changed. The weapons of disruption, corruption, and destruction reflect only the evolution of human creativity and innovation. We must understand the conflicts that drive their use, be they individual, corporate, or international. Without this insight, we are doomed to cyber attrition.
"Know your enemies" was essential in The Art of War by Sun Tzu; hence, we have the Honeynet Project (http://www.honeynet.org). Then you would learn the meaninglessness of cyber-war.
For example, the latest DDoS attack towards the South Korean government and U.S. Federal Government. No one really knows the origin of the attack, so how can you war against them? Perhaps both governments can send code to disable those machines used for the attacks. However, those machines were actually victims of some bigger attacks.
Perhaps, the best effort for cyber-war is to ignore those attack codes.
"Hold your friends close and your enemies closer" might have been a better parable. Aside from demanding more "accountability at all levels," which is correct, a huge impediment to realizing this and other security goals stems from a lack of IT visibility. Stiennon argues that security responsibility must be delegated throughout the organization. Most staff are woefully in the dark regarding IT operations, security and compliance status. We see this on a daily basis. Many have dropped a lot of money buying all sorts of sophisticated and complex IT security boxes (UTM, SWAG, SIEM) and have given over complete control to these devices. It's not surprising when we identify exploits, abuse, configuration issues and persistent problems on these networks because the users have no perspective. None of these $$$ solutions will tell them what they missed. The whole idea behind defense-in-depth is trust but verify. Basic network awareness is the first and most effective battle plan in any cyber war.
All the best intrusion prevention equipment in the world is useless if you don't know what "should" be on your network. Compromise always happens at the fuzzy edges where signatures and rules haven't been codified. Accidents can happen at any time. The key is to anticipate these problems because many times there are telltale indicators of pending problems. All these problems and disruptions can be managed effectively if users take the time to understand their network and patterns of usage.
The biggest, baddest weakness in the cyber-space battle arsenal has been and will always be IT apathy and ignorance. The belief and bravado that superior technology will keep you safe has been proven to be demonstrably false. One can actually win a war of attrition and not get pulled into the ITSec arms race. Take stock of one's assets: define what should be on your network and who should have access to systems and data. Understand who is having the biggest impact on resources. Define all business processes and map them to the infrastructure. With this small step you'll understand very clearly how much bandwidth you need and where wasteful activity is occurring.
We don't have to get dragged into a battle just because the field generals (the analyst community) say so. God only knows that they've been proven wrong on many occasions with their growth predictions. And how many of them actually predicted the current economic situation accurately?
Information is your best defense against all enemies foreign and domestic (outside and inside your network). And it doesn't require going into debt to finance either.
"Hold your friends close and your enemies closer" might have been a better parable. Aside from demanding more accountability at all levels, which is correct, a huge impediment to realizing this and other security goals stems from a lack of IT visibility. Stiennon argues that security responsibility must be delegated throughout the organization. Most staff are woefully in the dark regarding IT operations, security and compliance status. We see this on a daily basis. Many have dropped a lot of money buying complex IT security boxes (UTM, SWAG, SIEM) and have given over complete faith that these devices can do no wrong. It's not surprising when we identify exploits, abuse, configuration issues and persistent problems on these networks because the users have no perspective. None of these solutions will tell them what they missed. The defense-in-depth process means trust but verify, but very few people employ the process. Basic network awareness is the first and most effective battle plan in any cyberwar.
The best ITSec equipment in the world is useless if you don't know what "should" be on your network. Compromise always happens at the fuzzy edges where signatures and rules haven't been codified. Accidents happen all the time this way. The key is to anticipate because there are telltale indicators of pending problems. These disruptions can be managed effectively if users take the time to understand their network and patterns of usage.
The biggest, baddest hole in the cyberspace battle defenses has been and will always be IT apathy and ignorance. The belief and bravado that superior technology will keep you safe has been proven to be demonstrably false. Just read news accounts about the large credit card processors who are compromised: those with huge IT security spend and hired outside security consultants, beaten by some cyber-criminal.
One can actually win a war of attrition and not get pulled into the ITSec arms race by taking stock of one's assets: define what should be on your network and who should have access to systems and data. Understand who is having the biggest impact on resources. Define all business processes and map them to the infrastructure. With this small step you'll understand very clearly how much bandwidth you need and where wasteful activity is occurring. Management is a process. Security, compliance and all the other aspects are a subset. The foundation of sound management is information. Nobody has to get dragged into a battle just because the field generals (the analyst community) say so. God only knows that they've been proven wrong on many occasions. Ex: how many of them actually predicted the current economic situation?
Information is the best defense against all enemies foreign and domestic (outside and inside your network). And it doesn't require going into debt to finance either.
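The "define what should be on your network and who should have access" step that both versions of the comment above call for, as an added example that is not the commenter's code: a baseline of expected listeners and allowed flows is compared against what a scheduled scan and a flow export actually report, flagging unknown hosts, unexpected services, hosts that have gone missing, flows outside the baseline, and the top talkers by bytes. The baseline, the listener list, and the flow records are constructed sample data in the shape a scanner or flow collector would give; the record formats are assumptions for this illustration.

```python
"""Baseline-versus-observed network check for the "know what should be on your
network, and who should have access" step in the comments above.  Added example,
not the commenter's code; the baseline, listener list and flow records are
constructed sample data in the shape a scan or flow export would give."""
from collections import Counter, defaultdict

# What should be listening: host -> {(proto, port)}.  Constructed.
BASELINE = {
    "10.0.0.10": {("tcp", 22), ("tcp", 443)},   # web server
    "10.0.0.11": {("tcp", 22), ("tcp", 5432)},  # database
    "10.0.0.12": {("tcp", 22)},                 # bastion
}

# Who should talk to whom: (src, dst, dport).  Constructed.
ALLOWED_FLOWS = {
    ("10.0.0.50", "10.0.0.10", 443),   # workstation -> web
    ("10.0.0.10", "10.0.0.11", 5432),  # web -> database
    ("10.0.0.12", "10.0.0.10", 22),    # bastion -> web
    ("10.0.0.12", "10.0.0.11", 22),    # bastion -> database
}

# Observed listeners from a scheduled scan: "host proto port".  Constructed.
OBSERVED_LISTENERS = """
10.0.0.10 tcp 22
10.0.0.10 tcp 443
10.0.0.10 tcp 8080
10.0.0.11 tcp 22
10.0.0.11 tcp 5432
10.0.0.42 tcp 445
10.0.0.42 tcp 3389
"""

# Observed flows from a flow export: "src dst dport bytes".  Constructed.
OBSERVED_FLOWS = """
10.0.0.50 10.0.0.10 443 120000
10.0.0.10 10.0.0.11 5432 480000
10.0.0.12 10.0.0.10 22 3000
10.0.0.50 10.0.0.11 5432 9000
10.0.0.42 10.0.0.11 5432 5400000
"""


def _rows(text):
    """Whitespace-separated records; blank lines and '#' comments skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()


def parse_listeners(text):
    seen = defaultdict(set)
    for host, proto, port in _rows(text):
        seen[host].add((proto, int(port)))
    return dict(seen)


def parse_flows(text):
    return [(src, dst, int(port), int(nbytes)) for src, dst, port, nbytes in _rows(text)]


def diff_inventory(baseline, observed):
    """Findings as (kind, host, detail).  A host missing from the scan is reported too:
    either it is down or the baseline is stale, and both deserve a look."""
    findings = []
    for host in sorted(set(baseline) | set(observed)):
        expected, actual = baseline.get(host), observed.get(host)
        if expected is None:
            findings.append(("unknown-host", host, sorted(actual)))
        elif actual is None:
            findings.append(("missing-host", host, sorted(expected)))
        else:
            for svc in sorted(actual - expected):
                findings.append(("unexpected-service", host, svc))
            for svc in sorted(expected - actual):
                findings.append(("missing-service", host, svc))
    return findings


def check_flows(allowed, flows, top_n=3):
    """Flows outside the allowed set, plus the top talkers by bytes sent."""
    violations = [f for f in flows if f[:3] not in allowed]
    sent = Counter()
    for src, _dst, _port, nbytes in flows:
        sent[src] += nbytes
    return violations, sent.most_common(top_n)


if __name__ == "__main__":
    for finding in diff_inventory(BASELINE, parse_listeners(OBSERVED_LISTENERS)):
        print("inventory:", *finding)
    bad, talkers = check_flows(ALLOWED_FLOWS, parse_flows(OBSERVED_FLOWS))
    for flow in bad:
        print("flow not in baseline:", *flow)
    print("top talkers:", talkers)
```

On the constructed data this reports a new port on the web server, a bastion that has dropped out of the scan, an unknown host offering SMB and RDP, a workstation reaching the database directly, and an unknown host that is also the largest sender of bytes. None of it needs a signature; it only needs the baseline the comment says most shops never write down, and the same two files rerun on a schedule.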