Planning, prioritization and testing are the hacker’s worst enemies
Each day’s headlines bring news of cyber attacks that have become more sophisticated, more creative and more targeted than ever before. Today’s cyber threat profile has evolved into a polymorphic, opportunistic, persistent threat that all the chaotic mathematics in the world cannot definitively pin down.
Addressing the unconventional cyber threat requires more than conventional wisdom. Firewalls, a “moat around the castle” approach to cybersecurity, are no longer enough to keep government’s sensitive data and mission-critical information safe. When it comes to cybersecurity, there is no border to protect; instead, there is an ever-changing cloud of data. And this cloud is constantly under attack.
A breach in our current cyber defense is inevitable but absolutely does not mean that we throw up our hands and surrender. Instead, civilian agencies and the Defense Department must do three things:
å Plan for the successful cyber attack by understanding how to accomplish the core mission when — not if — the network is penetrated.
å Address the ever-changing nature of the cybersecurity threat profile.
å Keep a weather eye on the virtual horizon.
Protecting 100 percent of the government’s data 100 percent of the time is a lofty goal. It is also 100 percent unrealistic. Keep in mind that the cyber attacker has to be successful only once. The defender must be successful all the time.
Understanding that protected data has been penetrated, or soon will be, creates a mindset of prioritization: Which data and network components are most critical to the continuous completion of the agency’s mission? This “mission assurance” approach to cyber planning defines how the organization will continue to complete its core functions even in the face of a successful cyber attack.
The knee-jerk reaction in this key planning process is to go straight for technology — complex cyber defenses and weapons designed to protect critical data. However, the first steps to effective cybersecurity do not involve high-tech silver bullets. Rather, these initial steps require identifying critical assets, understanding the potential cyber threat, and relentless and ruthless testing.
In a military operation, troops go into battle understanding that there could be casualties; some part of the unit may be lost. A similar mindset makes the most sense for cybersecurity, where well-intentioned attempts to protect everything end up protecting nothing. Data triage will help identify what parts of the network must have every cyber protection and what parts may be more expendable.
Identifying mission-critical data is a tricky proposition because each person in the organization sees his own work as critical. That’s just human nature. Bringing in an objective, third-party team of experts will help the organization’s leadership define critical assets. This independent team can ask the tough questions: How long can the agency go without an update to its critical information? How long will it take to re-create this critical information if it becomes untrustworthy? Allow the outside team to examine the entire organization from a day-to-day operations standpoint, and it will help determine what can be sacrificed and what needs to be protected at all costs.
Then, and only then, the cybersecurity team can build the system architecture to assign the highest levels of protection for the most mission-critical data. Much like a series of concentric circles that become more and more secure as one gets closer to the center, this cybersecurity approach can make it extraordinarily difficult, time-consuming and risky to gain malicious access to the central, most important data.
This step can sound a lot like continuity of operations planning. Cybersecurity begins and ends with protecting the data required for continuity of operations planning, but takes the concept much further than offsite data backups. Cybersecurity must also protect access and functionality so that the mission can continue no matter what.
Understand how threats relate to your organization. This moves cybersecurity away from selecting technologies from a catalog and into the realm of understanding how the cyber threat can morph in relation to the organization. Who could target this agency? Do the homework, and look at the entire organization through the eyes of an opponent. Could the agency’s core mission attract the attention of virtual gangs, organized crime or even a nation state?
Changes in the organization can also mean changes to the threat profile. A new initiative or a big contract could make an agency or a contractor more attractive, or more vulnerable, to certain cyber threats.
This approach to cybersecurity takes time. It can mean the difference between strengthening government’s processes in anticipation of a possible attack or picking up the pieces after a virtual gang knocks the entire network offline for hours or even days.
Test, test and test again. Only now — after understanding what must be protected, and from whom — can a thoughtful, effective cybersecurity plan take shape. And, once the protections are in place, it is time to test, improve and test again in a never-ending cycle.
Cybersecurity testing is simply stated: attack yourself. This is not extraordinarily expensive and can be accomplished via a standard blue team-red team model. The blue team conducts the first round of testing, working side by side with the cybersecurity and infrastructure functions to help identify vulnerabilities and lock down the system. After the blue team testing is complete, and systems and processes have been corrected or tightened up, it is time for the red team to step in. This level of testing takes place without warning and is the most important cybersecurity test government can conduct. The red team will try anything, at any time — because that’s what the cyber criminal will do.
Always remember the human element when testing and improving cybersecurity postures. Actively look for the points in the overall security architecture that are not technology-based, but rather people- and process-oriented. Try to get someone to allow entry into a secure building, and attempt to cajole passwords from the help desk. This human-focused facet of cyber testing can help to ensure that every person in the organization understands his role in protecting the mission.
Of course, effective cybersecurity testing is a continuous cycle. Cybersecurity is never complete, because cyber attacks never stop changing. Know that the opponent attacks on his schedule; you must be ready all the time.
Cyber defenses cannot see all and know all. Because the cyber threat exists as an unpredictable, adaptive foe with great intellect and infinite patience, no single configuration provides the answer. Government agencies and the Defense Department have to be in motion as much as — if not more than — any opponent.
While government cannot presume to know the precise threat profile, agencies can do their homework to understand which cyber criminals might be most interested in attacking certain agencies or organizations. Generally speaking, cyber attacks originate from one of four groups:
1. Individuals cannot be underestimated; some of the most elegant, analytical and persistent attacks originate from a single person. The individual can be motivated by the desire for fame, notoriety, vengeance or just plain boredom.
2. Virtual gangs involve a group of like-minded people who come together for a period of time, pooling their talents and resources to attack a common target. Motivations for this group can be very similar to individuals, and there is great power in this momentary organization of skills. “Anonymous,” the group taking credit for the recent Apple attack, is an example of a virtual gang.
3. Organized crime in the world of cyber attacks is all about business. Some call it virtual robbery. Competitive advantages, competitive intelligence and financial gain are the key motivators for this group.
4. Nation-states can leverage cyber crime to identify or increase their advantages over rival nations. Often an economic-centric threat, nation-states can breach cybersecurity with the intent to figure out another nation’s economic vulnerabilities or other weaknesses that can be exploited on a global scale.
Understanding what motivates potential cyber threats can help government agencies and DoD plan for and even anticipate attacks. With the polymorphic nature of cyber attackers, it is important to keep current on what’s out there every day in terms of new threats.
Government cybersecurity teams must troll the Internet to look for what’s out there, and to stay up-to-date on where the most recent attacks originate. Who is doing the phishing? What is the latest malware?
Examining the virtual horizon also involves an understanding of how space and time affect the security of the virtual environment. Again, this requires the ability to analyze unstructured data and extract an interwoven, logical fabric that will help keep mission-critical networks and data as safe as possible. It’s not easy to cull through the Web’s digital detritus, but it can be done.
Committing to this due diligence will keep government as far ahead of the threat as possible, and will buy more of that precious cybersecurity commodity: time. Think about any brilliant, successful robbery. It took planning, precision and practice, and everything ran like clockwork; the thieves got in, executed the plan and got out. This is an important lesson for cybersecurity. When someone does manage to penetrate the network, government’s cyber defenses should make the attackers stay longer than they planned — which gives the cybersecurity team time to detect and respond to the invasion. The virtual environment should be confusing, so that it appears to be more complex than it actually is, and create ways to box in and shut down the attacker. Never assume that an anomaly in the network is “probably just a glitch.” Know the system, understand what the agency’s network does, and have a fast response in place.
An over-the-horizon view of the world helps determine the organization’s critical assets and shapes how the organization protects those assets. With this view, government has a better sense of where an attack might originate, what the attack will target and how to stop it before irreparable damage is done.
From spear-phishing to botnets to automated attack detection, government enters a battleground the moment the Internet connection is made. Cybersecurity can sound like a daunting task, but with some time, attention and the right tools, data can be kept as safe as possible.
Good talent is easy to find in the government IT universe. And, if government can move to a more open approach and share cybersecurity talent and experience across agencies — another unconventional tactic — then the nation’s data will become even safer.
From network engineers to rank-and-file employees to government contractors, everyone needs to understand his role in cybersecurity. Defense is a state of mind as much as it is a state of technology, architecture and processes. Today’s analytical, adaptive, persistent threat presents a significant challenge, but it is not invincible. Cyber attacks can be tough, clever, even elegant — but it is possible to make sure they do not bring the core mission to a halt. AFJ
KEITH RHODES is chief technology officer at the Services and Solutions Group of QinetiQ North America.