Wednesday, June 18, 2014

Data: Defense's Home Field

If vulnerabilities are attack's home field, then data is defense's.

Vulnerabilities Are Attack's Advantage
When we talk in terms of vulnerabilities, attackers inherently have the advantage.  We have to defend against many.  They have to find few.  They can continuously look for them without our knowledge.  A new vulnerability's use may be the first time we become aware of it.  Simple imperfection means that there will always be vulnerabilities available to the attacker. Economically, it will always be more rewarding for the attacker to exploit vulnerabilities than for us to fix them.

The Goals of Defense
Data, on the other hand, is where defense has the advantage.  But to understand why, let's first step back and understand the goals of defense.  An attack ends in only one of three ways.  The attacker reaches his/her goal (and likely causes a negative impact for us).  Defense prosecutes the attacker (whether by holding them accountable under company policy or under the law).  Defense makes the cost of attack so high that the attacker either can't or doesn't want to attack any more.

To come to either defensive win (prosecution or disengagement), defense needs data.  The attacker must be identified and profiled in either case.  To prosecute them, we must know who they are, where they are, and what they did, to the point where we can prove it to others.  For disengagement, we need to know so much about them that it becomes too resource intensive for them to do anything we don't know about (that is, to take an action we cannot identify as an incident or attribute to them).

Data Is Attack's Disadvantage
If vulnerabilities economically benefit the attacker, data economically benefits defense.  To get data, defense must simply have sensors where data is being generated and a means to identify profiles within that data.

For attackers, not generating data is very resource intensive.  In the real world, just sitting quietly generates data.  You generate a heartbeat and a heat signature, both of which can be sensed through walls.  The character Jack Reacher is built around the premise of someone minimizing the data they generate, and it takes a lot of time and effort for Jack to do so.  As my post on Multi-Persona Anonymity shows, keeping your profiles separate (not generating data that links one of your identities to another) is very resource intensive.

Every time an attacker touches a computer, they generate reams of data.  Every time they use the network, interact with a server, or run a program, they are generating huge amounts of information.  They are generating logs of who they are, where they are, what actions they took, and what the outcomes of those actions were.  Anything that can, in any way, be tied back to their profile as a threat actor can be used by defense to end the attack.

And the more data they generate and we collect, the easier it becomes.  We can build profiles of everything they do, forcing them to change everything from the computer they use to the time zone and geographic location the attack comes from.  We can force the attacker to create completely new tactics, techniques, and procedures, in addition to new tools, for every single attack they attempt.  Attackers will no longer be able to try and fail until they get the attack right.  Every time they fail, they increase our ability to prosecute them and must expend significant resources to completely change their profile before trying, and failing, again.
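To make the profiling argument concrete, here is an added example (not code from the original post) that builds per-actor profiles from constructed sensor records and scores a new, unattributed attempt against them.  The field names, actor labels and log values are all constructed for illustration; the point it shows is that every attribute shared with a known profile is one the attacker must change before the next attempt.

```python
"""Link attack attempts into actor profiles from collected sensor data.

Each record is one observed attempt (constructed sample data, not from any
real incident).  A profile is the set of attributes ever seen from an actor.
A new attempt is linked to the actor it overlaps most; the size of the
overlap is the number of things the attacker must change to look new.
"""
from collections import defaultdict

# Attributes a sensor might record per attempt (constructed field names).
FIELDS = ("src_ip", "user_agent", "tz_offset", "tool_hash", "target_path")

# Constructed sample records from earlier attempts already attributed.
SAMPLE_LOGS = [
    {"actor": "A1", "src_ip": "203.0.113.7", "user_agent": "curl/7.1",
     "tz_offset": "+03:00", "tool_hash": "t-aaa", "target_path": "/login"},
    {"actor": "A1", "src_ip": "203.0.113.9", "user_agent": "curl/7.1",
     "tz_offset": "+03:00", "tool_hash": "t-aaa", "target_path": "/admin"},
    {"actor": "A2", "src_ip": "198.51.100.4", "user_agent": "python-requests/2.2",
     "tz_offset": "-05:00", "tool_hash": "t-bbb", "target_path": "/api"},
]

# A constructed new attempt: fresh IP, but tooling and time zone match A1.
NEW_ATTEMPT = {"src_ip": "203.0.113.42", "user_agent": "curl/7.1",
               "tz_offset": "+03:00", "tool_hash": "t-aaa", "target_path": "/login"}

def build_profiles(records):
    """Profile per actor: every (field, value) pair observed from them."""
    profiles = defaultdict(set)
    for rec in records:
        for f in FIELDS:
            profiles[rec["actor"]].add((f, rec[f]))
    return dict(profiles)

def overlaps(attempt, profiles):
    """For each known actor, the attempt's attributes already seen from them."""
    return {actor: {f for f in FIELDS if (f, attempt[f]) in attrs}
            for actor, attrs in profiles.items()}

def link_attempt(attempt, profiles, min_fields=2):
    """Attribute the attempt to the best-overlapping actor, or (None, set())
    when no actor shares at least min_fields attributes (too weak a link)."""
    ov = overlaps(attempt, profiles)
    actor = max(ov, key=lambda a: len(ov[a]), default=None)
    if actor is None or len(ov[actor]) < min_fields:
        return None, set()
    return actor, ov[actor]

def rebuild_cost(attempt, profiles):
    """Distinct attributes the attacker must change so the attempt shares
    nothing with any known profile: the price of a fresh identity."""
    return len(set().union(*overlaps(attempt, profiles).values()))
```

Running `link_attempt(NEW_ATTEMPT, build_profiles(SAMPLE_LOGS))` links the attempt to A1 on four of five attributes even though the source IP is new, so only the cheapest attribute was changed.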

Investment Needed
To realize this advantage, some investment is needed.  We need the tools to parse sensor data into standard, interoperable formats such as STIX, CYBOX, CAGS, and VERIS.  We need integration of transport systems, such as PxGRID, TAXII, IF-MAP, and Moirai, that move data between tools and organizations.  And we need investment in tools to parse the data and build the profiles of attackers, an active area of research by individuals and companies such as the MLSec Project.

In Conclusion
With data, the "try, try, again" approach to attack will be over.  By stopping it, the vast majority of attackers will be priced out of the market, leaving defense to deal with truly dangerous threats who are willing and able to commit massive resources to the attack.  And defense will still have the advantage.