July 25, 2017 // By Michael Lester
The following article was originally published on CSOonline.com and can be found here.
One thing is an absolute truism of cybersecurity: it is one of the fastest changing realms currently known to humanity, and one that we are unable to predict. Cybersecurity is like earthquakes. We know that one is coming sometime in the future, but we don’t know where or when it will hit, what magnitude it will be, or what kind of destruction it will bring.
As bad as things might seem right now with the most current ransomware, we are going to look back on these days and think “It was so easy to protect ourselves back then, and we didn’t realize it.” The future will bring new challenges. From my vantage point of working with many different clients and speaking with many different security practitioners, here are my prognostications of things to come:
Right now, attacks are mostly opportunistic and singular. Hackers scan the internet looking for the least protected system. Everyone and anyone is a target and there is no thought to the attack. It’s like firing a shotgun into a flock of ducks. You don’t have a target; you just hope to randomly hit one. More and more though, criminals are approaching cyberattacks like traditional warfare. They are planning and using strategy, deception, and misdirection.
Well before the recent Petya ransomware attacks, Nick Espinoza, Chief Security Fanatic at BSSi2 (and all around super smart security guy!) warned at a recent Channelnomics conference in Chicago that the WannaCry Ransomware was being used as a smokescreen for a much more virulent attack. He was right. He was looking at another ransomware called JAFF at the time, but the idea is the same – cyber-criminals are using military tactics to increase their chances of success. They are using deception, feints and misdirection. This will require those of us working in the security industry to use a much more strategic response than most of us are currently using.
Multipartite combinatorial attacks
Attacks today are mostly simple frontal attacks from known combatants and are easy to identify as such. Stuxnet empirically demonstrated that individually benign snippets of code that can escape detection can be combined to affect devastating attacks. Personally, I find it curious that even after this demonstration, most people just forgot about Stuxnet’s complexity. This is probably one of the most dangerous trends that we will see in the future.
At the recent Heartland Leadership Forum sponsored by the Midwest Chapter of the United States Naval Academy Alumni Association, I had the opportunity to ask the guest of honor, Vice Admiral Jan Tighe, the Deputy Chief of Naval Operations for Information Welfare and Director of Naval Intelligence if she could comment on the Navy’s view on Multipartite Combinatorial attacks. Not surprisingly, she smiled and said something to the effect of “I am unable to comment on that topic.” To me, that means that they are working on it, probably both defensively and offensively.
Ransomware is passe
The same patterns reveal themselves over and over in society. If one takes the time to think about the world as a whole and compare one industry or sector of society to another, one begins to see the emergence of recognizable patterns. Think of aviation. Bad guys used to hijack planes. We upped our security to the point where there were no more hijackers, then the bad guys used planes to just cause destruction instead of obtaining a ransom. In the electronic information sector, we first saw minor probing attacks with bad guys testing whether or not a virus or worm could actually work. When they discovered that they did and that they could reliably infiltrate a victim, they started holding the victim hostage for payment. We are upgrading our defenses and will soon render ransomware a thing of the past, but we will completely miss defending against a new and massively destructive use of the same tools that ransomware used.
Humans are obsolete, yet critical
Humans are too slow to fight malicious attacks. Only at computer speeds can one hope to mitigate an attack, but that also means giving computers a level of control over networks that they don’t currently enjoy. Systems of tomorrow must have the autonomy to instantaneously disconnect a network, or parts of a network, in order to protect the network as a whole from an attack. By the time a human intercedes, it is too late. Contrasting this though, is the fact that computers don’t hack other computers. People hack other computers using computers. If humans vanished from the earth tomorrow, all hacking would stop. This suggests that people are also the key to thwarting attacks, and more time should be spent on human based interdiction rather than infrastructure hardening.
The rise of ‘The Strategist’
As attacks become more strategic, more stealthy, and more devastating, a new role will begin to take shape, the role of the cybersecurity strategist. This person will be trained in psychology, warfare and technology (a rare combination of skills!) and will be able to identify a subtle pattern from incomplete information and recommend protection techniques that may seem superfluous at the moment, but will protect the enterprise from future attacks.
Cyberattacks become a tool of statescraft
I know that this prediction can sound a little conspiratorial, and maybe I’ve been watching too much House of Cards and Wag the Dog, or maybe I’ve just been watching too much CNN and Flipboard, but I think that large political machines will use cyberattacks as distractions and smokescreens for other events or to shape public opinion. A new malware that affects hundreds of thousands of computers (a la Petya), instantly gets everyone’s attention and no one even notices a new bill that decreases personal freedoms or a new allocation of funds to a foreign country. The cyber arena becomes a tool used to either support or oppose legislation, or used to either focus on or obscure international relationships. Cyber events become more about your attention than about your computer system.
Looking towards the future
Much like with earthquakes, many tend to be somewhat fatalistic about preparations. They feel somewhat powerless to do anything about breaches, and therefore tend to ignore cybersecurity as much as possible. That puts them behind the power curve. They don’t plan; they react. Anyone that has been through a breach however, will tell you that lack of preparation is much more costly and painful than they had imagined. We need to look to the future and prepare not for the threat today, but the threat tomorrow.
As Benjamin Franklin quipped, “An ounce of prevention is worth a pound of cure.”
In my next blog, I’ll discuss some of the actions and activities that we should all be doing to protect ourselves, and some of them cost us virtually nothing (other than some time and attention.)