Security, Time, and the Decline of Efficacy
This week at the FOCUS’16 conference in Las Vegas, I shared perspectives on today’s changing threat landscape, how we must re-think cyber defense technologies, and Intel Security’s vision for thwarting the cyber-threats of tomorrow.
In 2016, we saw significant cases of cyber activity from criminals, nation-states, and hacktivists. In each case, they’ve really upped their game.
We saw ransomware evolve from holding consumers’ data hostage, to going after larger “soft targets” such as hospitals. Front and center in our presidential election, we’ve seen nation-state actors become mainstream by using cyber activities to manipulate voter thought processes. Hacktivists have been effective in using cyber events and disclosures to change the way that we think about certain people, organizations, and issues.
In all of these cases, bad actors also changed their underlying arsenal of tools and techniques. In some cases, we saw them use tools we defenders use, but for malicious purposes. They’re using artificial intelligence to do a better job at spear-phishing. As we’ve seen in the current presidential election, they’re not just stealing data, but weaponizing it to cause harm.
They’re also looking at ways to take advantage of vulnerabilities among the armies of IoT devices (including connected cars) that are now beyond the physical reach and corrective capacity of their manufacturers. Some of these devices can’t be updated at all even if manufacturers wanted to. Any vulnerabilities that may exist within them could allow attackers to compromise and use them as cyber-attack vehicles for the current and future generations of hackers.
What we see in all of these cases is that there is a way to think about the problem statement of “what might be attacked.” It’s really about the incentive to the attackers, how easy it is to achieve their goal, and what the risk of discovery is.
Cybercriminals will always look to maximize profits, while minimizing the risk of prosecution. Nation-states will look to amplify their ability to change opinions, or steal intellectual property. They will weigh this against the risk of being identified through strong attribution, and the prospect of retaliatory steps taken in either the cyber or kinetic domains.
In all of these cases, it’s really about understanding how we defend against the next generation of attacks, and, in many ways, it requires thinking about our cyber defense technologies and their efficacy over time.
Cyber Defense Efficacy
One of the ways to do this is to think about security technologies from a time perspective, in contrast to typical IT technologies.
In most IT technologies, there is an inherent benefit to being a late adopter. Whether a database, architecture, or network technology, most technologies get better over time, meaning there are advantages to waiting for early adopters to implement and work the bugs out.
The problem is that cyber defense technologies are typically most effective right after invention. The reason for this is that a security defense capability will initially focus on solving a problem for a very well-understood issue or set of threats. During the initial deployment phase, there isn’t enough volume for adversaries to build countermeasures or evasion tactics.
But once it becomes part of a widely deployed defense, we see that new techniques by the attackers work to directly influence and reduce the effectiveness of the technology. Its effectiveness inevitably declines.
Threat Defense Efficacy Curve
We’ve seen this time and time again:
- Bayesian spam filters worked well until there was enough deployment to force the cybercriminals to use HTML formatting tricks and other techniques to bypass them.
- When we implemented the use of hashes to very quickly convict files without waiting for signature detection, adversaries were driven to build countermeasures such as creating polymorphic downloads to make each malware sample unique.
- Sandboxing helped us find never seen before malware, but very quickly we began to see malware that was sandbox aware, adding evasion tactics to determine whether it was operating within a sandbox or on a victim’s machine.
We need to recognize that this cycle is going to remain true for every technology, even some of the most powerful technologies at our disposal today. So, as we walk around the floor at RSA and Black Hat, and hear about the promise of big data, machine learning, and artificial intelligence, we need to think forward to what the next generation of countermeasures could be.
That’s one of the key things we’re focused on at Intel Security: as we build out new technologies, we’re figuring out how adversaries will attack them to make them more inherently resilient.
In my next blog post, I will share how we can use the curve to develop better defensive strategies, and how Intel Security is delivering the solutions to enable partners to improve their defenses and amplify outcomes.