“Cyber defense is hard.” Heard that before?
“Compromise is inevitable.” What about that one?
You’re probably already saying: “Stop with the cyber clichés!” Ok, I will. But why do we continue to fail? Why do we continue to have our clocks cleaned by attackers from all over the world (or even next door)? It’s because we try to play by rules that simply don’t exist. And why did you, as a cyber defender, decide to take the red pill, embracing the sometimes painful truth of reality versus the blue pill, which would have brought the blissful ignorance of illusion?
A World without Rules
If you’ve seen “The Matrix,” you’ll undoubtedly remember a lot of scenes where wisdom and philosophy are the main points. If you haven’t seen it, then you’re missing out on Kung Fu, hacking, and robots — it’s worth your time. But I digress. In one memorable training scene, Morpheus (the mentor) tries to educate Neo (the protagonist) that the reason why “The Agents” (bad guys) will never be as good as him is because they’re “still based in a world that is built on rules.” He then says: “Because of that, they (the Agents) will never be as strong, or as fast, as *you* can be.” How might this tie into your day-to-day cyber fight?
The term “hacker” really means someone who is manipulating systems, products, devices, etc. to do things they weren’t supposed to do. In fact, it was originally a positive thing (and some might say that in a lot of circles, it once again is a positive term). It was those individuals who, often in the electronics or computer realms, tinkered and created new outcomes from existing parts and software. But as this mentality began being used for malicious purposes in cyber-attacks, the term “hacker” has meant “bad guy” to most of us. It doesn’t matter, but it does lead to my point. Your adversaries are trying to manipulate your systems, your information, maybe even your employees in order to accomplish an end goal — often money or secrets or influence. The attacker is purposely breaking “the rules,” bending the systems and humans to accomplish this originally unintended outcome.
And yet we, as defenders, have rules. We look at how systems are supposed to work, and then we apply layer after layer of guideline or rule or policy on top of these systems. We stick to them. We become computer-like Matrix “agents,” where the adversaries can break rules, move quickly, and iterate when something works and when something doesn’t. We, in the collective cyber-professional sense, have to go to a change committee to open a port. It’s pretty clear who wins in this arena.
All is Not Lost
Yes, we’re in a tough spot. Yes, you’re probably tired of hearing that (or even saying that). Yes, you just want to effectively do your job.
The silver lining here is that rules and policies can help you reduce entropy and create consistency. After all, if you can define what systems should be in your environment, what users should be using those systems, and what should be allowed to occur on those systems, you actually get to shape the battlefield. When you can say: “Only these three actions should occur on my server,” you can then set up a system that either prevents or detects when anything outside those three actions occurs. So even with these unauthorized guests running amok, breaking rules and manipulating your environment, you can start making them run into trouble. As soon as they do anything against policy or unexpected, you can be alerted. This is how you start to shift the balance of power.
Now, I know that defining the expected devices, the actions that should occur, and the relationships between user accounts and systems or network segments takes a lot of work. That’s ok. But you need to do it. You need to put in the work. Guess what? IT wants the same thing. IT wants consistency. IT wants to have a more manageable environment. So unite forces, roll up your sleeves, and create a plan to start reducing uncertainty. The more predictable your environment is, the easier it will be to defend. It’s pretty simple, actually. If nothing else, make reducing entropy and creating more consistency the “20 percent activity” that each member of your team does. Take a little time to do some house cleaning every week and the results will speak for themselves. And don’t just stop at your team.
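To make the “only these three actions should occur on my server” idea concrete, here is an added example (not code from the original post): a constructed per-role allowlist of expected (user, process) pairs, a detector that alerts on anything outside it, and a house-cleaning view of what the policy does not yet cover. The roles, host names and log lines are all made up for illustration.

```python
# Constructed policy for this example: per server role, the only (user, process)
# pairs expected to run. Anything else is "outside the rules".
POLICY = {
    "web": {("www-data", "nginx"), ("www-data", "php-fpm"), ("root", "sshd")},
    "db": {("postgres", "postgres"), ("root", "sshd"), ("backup", "pg_dump")},
}
# Role of each known host; a host with no role has no expected behaviour at all.
HOST_ROLE = {"web01": "web", "db01": "db"}

def parse_event(line):
    """Parse a constructed log line '<host> user=<name> exec=<process>' into a tuple."""
    host, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return host, fields["user"], fields["exec"]

def evaluate(line):
    """Return an alert string if the event falls outside policy, else None."""
    host, user, process = parse_event(line)
    role = HOST_ROLE.get(host)
    if role is None:
        return f"ALERT {host}: no role defined, so nothing is expected to run here"
    if (user, process) not in POLICY[role]:
        return f"ALERT {host} ({role}): {user} ran {process}, not in the allowed set"
    return None

def alerts_for(lines):
    """All alerts raised over a batch of log lines."""
    return [a for a in (evaluate(line) for line in lines) if a]

def novel_pairs(lines):
    """House-cleaning view: every (host, user, process) the policy does not cover.
    Each one is either something to remove from the box or something to add to POLICY."""
    novel = set()
    for line in lines:
        host, user, process = parse_event(line)
        if (user, process) not in POLICY.get(HOST_ROLE.get(host), set()):
            novel.add((host, user, process))
    return novel

# Constructed sample log: expected events, an unexpected shell on the web server,
# and a laptop that was never defined as a server at all.
SAMPLE_LOG = [
    "web01 user=www-data exec=nginx",
    "db01 user=postgres exec=postgres",
    "web01 user=www-data exec=bash",
    "db01 user=backup exec=pg_dump",
    "lab07 user=alice exec=spotify",
]
```

The same `evaluate` check can sit in front of an execution control to prevent rather than alert; the weekly review of `novel_pairs` is the entropy reduction the post describes.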
I saw a recent headline that said something to the effect of “Don’t just shoot for employee security awareness, shoot for security engagement.” I love this. Security is a team sport. So, have some discussions with business leaders or influencers and get buy-in. You need everyone to understand that if each of us removes that one toolbar or stops using the music app on our system, we can reduce the amount of security logs and events the security team may have to look at (or at minimum store), by a significant amount. If you need to listen to music, use your phone or do it via an established browser with a site everyone can agree should be the site of choice. And stop letting your teenage kids use your corporate laptop.
In closing, we need to remember that our adversaries have no rules. They hack, they crack, they manipulate, and they get paid. And they keep going until they get paid (and let’s be honest, the more they make the more they want). In reality, they never stop. They are always out there. So, we have to think about how they might manipulate our systems and prepare for that. One good way to prepare is to focus on predictability, so that suspicious or malicious actions surface on their own.
To tweak a line from “The Matrix,” “I don’t know the future. I didn’t come here to tell you how this is going to end. I came here to tell you how it’s going to begin. I’m going to hang up this phone, and then I’m going to show these people what you don’t want them to see. I’m going to show them a world without you. A world WITH rules and controls, WITH borders AND boundaries. A world where anything is possible.”
Believe you can create radical cyber defense change in your environment. It’s why you took the figurative red pill. There may be no spoon, but there are plenty of zeroes and ones that need you.