P6SYSTEMS.DE

IT Security, Digitalization, Politics



Competing Targets

Most mechanical engineers are familiar with the three competing targets „time to market“, „costs“ and „quality“. And most of them also understand the cost of changes: the earlier a change happens in the product development cycle, the cheaper it is.

An equivalent of this tripod for governmental organizations could be: time to completion, co-signing, collaboration & delegation, and comprehensibility. And in security? The three most obvious axes are: quality of detection, time to remediation and security efficiency.

Quality of detection is the first target. It covers the most urgent question: Do I really detect all attacks I need to detect without flooding my crew with false positives? This question leads to further ones. Can I really detect all important attacks by supervising only the endpoint? How do I correlate information from the endpoint, the network and the datacenter? And how reliable and fast is my threat intelligence for these three sensors?

Time to remediation is the second target. Once an incident is identified, how easy is it to drill down to patient zero, the first infection? How much time do you need to identify all other devices that were also attacked and penetrated? And how much time do you need to secure the rest of your system from those already infected? Not to mention cleaning and resetting all compromised devices. There is a similarity to engineering changes here – the faster you fight an attack, the less impact it has on your overall system.

Security efficiency is the third target. How many resources do you need to implement a reliable, holistic prevention system and to create the capacity to react quickly and defend against an attack? And how much impact does your security solution have on your operational processes? Security measures which reduce the efficiency of your business processes may be cheap in security terms but will cost you a fortune in OPEX.

Measuring these three targets – or indicators – and identifying KPIs is a difficult task, as one major component of the analysis is unknown: the total number of attacks run against a specific system. So the number of attacks found by a specific security system could be zero because the security system does not work, or zero because the target system is not under attack at all. Therefore you need to define KPIs which work independently of the implementation, or KPIs which compare a before and after status.

An example of an implementation-independent KPI is the ratio of false positive detections to the total number of incidents found. This is a clear KPI measuring the quality of a detection algorithm. In contrast, the „number of incidents found“ needs to be compared in a „before and after“ manner, assuming that the total number of attacks run is constant over time.

Consequently, running intensive Proofs of Concept before selecting a new security solution is key to validating the efficiency of a solution over all three axes. I also believe that a holistic security architecture combined with an integrated portfolio of security components is best for delivering the highest prevention and attack detection as well as the fastest threat remediation while delivering the best operational efficiency.

An integrated solution detects attacks not only at a single point, but across the whole security architecture. Exchanging information between the security components and between the security, network and IT infrastructure makes investigation easier. And integrating IT and security operations improves operational efficiency.

This text first appeared on LinkedIn.


Fitbit, OSINT + Cyber Security

Many of you have noticed the press coverage about defense locations being detected by analyzing the sport patterns military personnel release on fitness portals like Fitbit, Strava, Polar and others. Searching for these patterns in areas where there is no sport activity on a regular basis, like Mali, Iraq, Afghanistan, Syria, Libya and others, shows not only where military bases are located but also details about daily routines and behaviors.

This shows how easy it is in today's world to collect information from public sources, an intelligence tactic known in the field as Open Source Intelligence or OSINT. And OSINT also plays a role in the cybersecurity perimeter.

OSINT is used by attackers to collect information about potential victims of social engineering attacks. The more you know about somebody, the easier it is to build the trust needed to push these victims into actions or into the release of confidential information.

OSINT is used by attackers to collect information about targeted organisations and their systems. This information comes from different sources: 404 error web pages which reveal information about OS, software & release levels, in-depth analysis of email headers, public whois information, document information in published PDFs and more. This information helps significantly to identify the most promising attack vectors and to reduce work and frustration for the attacker.

OSINT is used by attackers to collect information about vulnerabilities of systems and successfully realised attacks. This information helps to build an individual attack, mostly a combination of specialised social engineering and individual malware.

Check your enterprise:

A very simple check to see how exposed your organisation is to OSINT: enter the following text into a Google search box:

"Company Confidential" filetype:pdf site:yourOrganisation.com

yourOrganisation.com should be replaced by the domain name of your organization. This query uses Google to search all PDFs (filetype:pdf) which contain a typical confidentiality string and limits the results to those from your organization's domain. You will be astonished, I bet.
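The query above finds the published PDFs; what they reveal beyond their content is the document information the post lists among the OSINT sources (author, creating software and its version). As an added example, not part of the original post, the following Python reads such entries from a PDF's Info dictionary and blanks them before publication; the minimal PDF bytes are constructed for the example, and only literal-string entries are handled (hex strings and XMP metadata streams are out of scope).

```python
import re

# Info-dictionary keys whose values most often leak identity or software details.
_KEYS = rb"Title|Subject|Author|Keywords|Creator|Producer"
# group 1: "/Key (" prefix, group 2: key name, group 3: literal-string value,
# group 4: the first closing ")" that is not escaped with a backslash.
_ENTRY_RE = re.compile(rb"(/(" + _KEYS + rb")\s*\()(.*?)((?<!\\)\))", re.S)
# A dotted version token such as "16.0" inside a software name.
_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed minimal PDF (not a real document): a Catalog, an empty Pages tree
# and an Info dictionary of the kind office suites write into exported files.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Title (Q3 budget draft) /Author (jane.doe)\n"
    b"   /Creator (Microsoft Word 16.0) /Producer (Acrobat PDFMaker 17.1) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)


def extract_metadata(pdf: bytes) -> dict:
    """Return the literal-string Info entries found in the raw PDF bytes."""
    return {key.decode(): value.decode("latin-1")
            for _, key, value, _ in _ENTRY_RE.findall(pdf)}


def software_hints(meta: dict) -> dict:
    """Entries that name the producing software together with a version number."""
    return {k: v for k, v in meta.items()
            if k in ("Creator", "Producer") and _VERSION_RE.search(v)}


def scrub_metadata(pdf: bytes) -> bytes:
    """Blank each matched value with the same number of bytes, so byte offsets
    (and therefore an xref table, if present) stay valid and the file still opens."""
    def blank(m: re.Match) -> bytes:
        return m.group(1) + b" " * len(m.group(3)) + m.group(4)
    return _ENTRY_RE.sub(blank, pdf)


if __name__ == "__main__":
    meta = extract_metadata(SAMPLE_PDF)
    print("exposed:", meta)
    print("software hints:", software_hints(meta))
    print("after scrub:", extract_metadata(scrub_metadata(SAMPLE_PDF)))
```

Run the same check over every PDF before it goes onto the web server; the scrubbed copy keeps its size, so no other part of the file needs rewriting.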

What can you do against OSINT?

In fact, there is nothing that can be done to prevent attackers from using OSINT to gather information. The counter-OSINT strategies are:

All information which is shown or distributed should be as frugal as possible. This does not refer to content, but to error messages, status information, document information, source code comments in web pages and more. This is not a technical issue, it is simply a configuration and awareness task. In addition, an onion- or segmentation-based approach to data security decreases the risk of accidentally exposed information.

Most malware calls back to a Command & Control server, loading additional software or getting instructions about what to do. Intercepting this chain reduces the damage malware can create and identifies compromised systems.

Seeing what is happening in your network and identifying abnormal user behavior is key to identifying penetrated systems and malicious users and to starting appropriate countermeasures.

Compromised systems need to be isolated as soon as possible to prevent further penetration of the IT infrastructure. An automated environment increases the reaction speed and ensures the minimisation of the attack surface.

These four countermeasures work independently, but – as in every systems engineering approach – integration enables savings. These savings include implementation cost (by reduced planning), operational cost (by reduced training and effort) as well as total cost of ownership (by optimized license models). They also increase security by minimizing friction between subsystems and by enabling faster and less error-prone communication between system components.

Please feel free to comment!

P.S. This video shows an example of how simple OSINT can be used to prepare an individual ransomware attack…


Cyber Immunology

Designing a cyber security system is a complex task. Designing systems is not easy, and designing security systems is even more difficult.

Security design is typically thought of along 4 axes: security against technical failure, security against human failure, security against natural hazards and security against intended misbehavior. While the first three elements are typically defined as a safety approach, defining security against intended misbehavior is a little more difficult. The reason is that safety mostly deals with systems and subsystems refusing operation for different reasons, where the whole system needs to be moved passively into a fail-safe state. Security against intended misbehavior is the opposite. It includes an active component which manipulates the system to create a state of maximum damage or intended misbehavior. Security against these principles cannot be achieved by relying on passive fallback mechanisms.

So the question is: what does a generic system look like which protects systems against the unknown threats of intended misbehavior?

The General Protection System

As a pragmatic approach for defining a role model for the general protection system, a technical model can be built upon the biological model of the human immune system. This model incorporates protection against unknown threats – in general viruses, bacteria and parasites – it works in a high availability mode, it is self-learning and it is built with more than 400 million years of evolutionary design improvement. The challenge is the transformation of a biological model into a technical approach.

The biological model can be structured into 3 natural and 1 artificial area: an unspecific detection and prevention capability, an individual defense capability, a self-learning memory capability and an artificial stimulation and knowledge exchange capability.

The unspecific detection and prevention capability is generally based on macrophages, detecting alien intruders with a sophisticated friend-or-foe detection, killing most of them and triggering the foe-specific generation of killer cells, T-helper cells, B-cells and cytotoxic T-cells. This part of the immune system can be compared with the hardening of an IT system following the different standards, plus the addition of an Intrusion Detection System (IDS) and a Security Incident and Event Monitoring System (SIEMS).

The cytotoxic T-cell, as an exemplary defense capability which reacts against the attack, can be compared with the Computer Emergency Response Team (CERT): highly specialised IT security and forensic specialists asked to fight against a cyber attack.

The generation of attack-specific cytotoxic T-cells is memorized by T memory cells, providing a self-learning memory capability of the immune system. This capability can be compared with a lessons-learned process which updates the technical prevention and detection capabilities of the IT security system by implementing a Security Change Management process.

This natural immune system is stimulated by human intervention to increase its effectiveness by active and passive vaccination – stimulating the immune system with weakened threats to trigger an immune reaction (active vaccination) or supporting the memory of the individual's immune system by providing artificial or foreign antibodies (passive vaccination). This artificial stimulation and knowledge exchange capability is realized in the technical world by stimulating and testing the IT security infrastructure through intrusion testing (active vaccination) or by updating the prevention and detection capabilities of the system based on the information in external security bulletins.

In summary, this approach generates a Cyber Immunology Blueprint based on 7 key capabilities.

The Cyber Immunology Blueprint

These seven key capabilities can be seen as the seven work-packages of a Cyber Immunology implementation.

The hardening & prevention work-package is typically the initial start. Here the critical assets, the security targets, the access control rules and the initial system protection mechanisms and rules are defined, which act as the first line of defense. But as there is no total protection system in real life, the whole system needs to be monitored by an independent supervising authority which detects system misbehavior and identifies possible attacks. The implementation of this authority is managed in the Intrusion Detection work-package. This authority also acts as a sensor for the Security Incident and Event Monitoring System, which creates the Cyber Security Situational Awareness Picture. To do so, it links the security status of a technical system with the key business processes and the security target definition of an organization.

In case of a severe event, this system triggers the Security Incident Response, an emergency activity which analyses the incident in depth, defines countermeasures and provides updates for the Hardening and Prevention work-package. The operational implementation of these countermeasures is managed with a Security Change Management system, which should follow the ITIL principles and is mostly based on a dynamic hardware & software inventory.

Security Information Exchange and Penetration Testing are two work-packages which actively stimulate the whole Cyber Security Blueprint to prevent the system from becoming static and outdated. The Penetration Testing work-package fulfills the active part of the stimulation, while Security and Threat Information Exchange ensures stimulation by external knowledge.

The depth of implementation of these work-packages can differ according to the individual needs of an organization. Mostly, an implementation of this blueprint follows a spiral approach: implementing simple methods first, but in all work-packages, followed by more sophisticated subsystems as the whole Cyber Security System matures and evolves.

Summary

Following the example of nature, a Cyber Immunology System can be modeled by implementing the seven key work-packages of the Cyber Security Blueprint. This system ensures a dynamic, active defence as well as an improved first line of protection against the unknown threat. An individual spiral implementation strategy reduces the amount of resources needed for the setup.