Defense Against the Dark phArts

Wait! What! There’s no spell for that?

This tongue-in-cheek post was written to point out that one should consider preparing for worst-case scenarios. We can’t talk ourselves secure, and it doesn’t look like it’s going to be business as usual. This week saw the damage caused by Petya/NotPetya, a widespread attack that appeared at first to be ransomware. Upon analysis, it’s now generally concluded that Petya was actually malware crafted to cause chaos and destruction on targeted systems. This time the damage was primarily in Ukraine. Next time, who knows? Beware of copycats!

When it comes to the defense of systems and the data they hold, wouldn’t it be so much easier, not to mention fairly cool, if cyber defenders were wizards who could use magic to protect them?


If you or your kids were fans of the Harry Potter series, or still are, remember the disarming spell? If you didn’t catch either the books or the films, one could disarm an adversary with a spell. Seemed pretty darn effective too.

If defenders were wizards, the magic they would need would be a cross between the magical dome-shield that protected Hogwarts against Death Eaters and whatever, and the Patronus Charm, a Dementor’s worst nightmare.

(Pro-tip: positive security models seem to work universally!)

A wave of your wand, recite a quick spell, and let one of these beauties rip…

Expelli-Hackus!!!

Your network defending troubles would be over! That might be perimeter security that actually worked!

Magic would probably be so much better than the peddled security pixie dust and snake oil that has caused customers to suffer “buyer confusion” in a market for lemons, for so long. Sadly, in real life we don’t have magical forces at our disposal.

Super Powers, etc.?

And you probably shouldn’t go thinking that you might have some kind of super power because,

“I must be invincible – I never get hit.”

Sorry, not unless super-denial is a super power, or unless you happen to be super Patch Man! You may want to buy a lottery ticket though, because you may just have been lucky, and that could run out – at any time! Besides, recall something about,

… absence of evidence, is not evidence of absence.


What about psychics or pre-cogs?


Nope. No manner of fortune-telling psycho-babble works either. If someone predicts you’re going to suffer some form of cyber incident in future, that’s just an educated guess about a probable event, not anything mystical.

Back to reality – Dark Forces

Isn’t all of this human resistance to change? Fully revved up human lizard brains at work? It’s always easier to fall back on wishful thinking, ignoring the problem, hoping it goes away, or waiting for someone else to fix it.

This is all sort of too bad actually, because defenders must now contend with dark forces and the black arts that are all around us, in the escalating threat environment. (It’s ironic that for many legislators who don’t understand the technical issues, much of “hacking” is perceived as black magic.) The infosec version of the Dark Arts, or perhaps we should refer to it as the Dark phArts, since phishing plays a huge role in many of the insidious attacks we’re witnessing, appears to be thriving.


What am I getting at here? We’ve moved well beyond the point of basic cyber crime and data theft, where,

the goal of adversaries could be “to take you down!”

For examples of what may lie ahead, you might read the article “The ultimate cyberattack is on the horizon”, which offers this view:

As DDoS attacks grow stronger, ransomware attacks become more frequent, and modern warfare moves into the cyber arena, the potential for cyberattacks of nightmare proportions seems even more likely.

Data poisoning, distributed volumetric attacks capable of shutting down critical networks, and insider threats have always been serious issues, but some researchers fear these kinds of attacks may be used to shut down critical infrastructure and wreak havoc on their victims outside of the cyber realm that have lasting impacts.

The problem with attacks on critical infrastructure is that members of the everyday public will be innocent victims.

That’s Gotta Hurt!

In case you’re a politician, a bureaucrat, or you’ve been in a cave for a while, consider a few of the following accounts. (You can skip down a bit if this doesn’t apply to you.)

The article “How hackers are making the worst-case security scenario ever worse” informs us:

“… disruption even resulted in the loss of capability to function as a business due to what’s described as ‘the crippling loss of critical systems’.”

“Public events over the last few years have altered the notion of what comprises a worst-case scenario.”

Just ask Sony!

This type of damage was inflicted on a victim who became the ultimate poster child of malicious attacks, as described in “Sony, hack of the century pt 1”.

“Before Sony’s IT staff could pull the plug, the hackers’ malware had leaped from machine to machine throughout the lot and across continents, wiping out half of Sony’s global network. It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. To make sure nothing could be recovered, the attackers had even added a little extra poison: a special deleting algorithm that overwrote the data seven different ways. When that was done, the code zapped each computer’s startup software, rendering the machines brain-dead.

“… it took just one hour to throw Sony Pictures back into the era of the Betamax. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.”

Sony’s CEO described living through this in “‘They Burned the House Down’: An Interview with Michael Lynton”:

“The bigger challenge was that the folks who did this didn’t just steal practically everything from the house; they burned the house down. They took our data. Then they wiped stuff off our computers. And then they destroyed our servers and our computers.”

The article “Sony’s Big Takeaway” tells us the lesson for the typical enterprise:

“That anything they do, or say, that upsets and motivates a group (or nation) with enough skills to lash out can and may do exactly that. And companies need to know how to prepare and respond to these types of attacks. Enterprises can’t assume that it’s just money or the theft of assets of monetary value that attackers will seek. They have to prepare themselves for the possibility of revenge attacks. These attacks will be a lot less business-like than is common with traditional attacks. And they’ll be much more public, vindictive, and potentially much more damaging when they do occur. And the motivation for, and the delivery of, these types of attacks can come unexpectedly and from anywhere.”

Others

Other large corporations, notably Saudi Aramco, which was knocked off-line for 5 months, were hit as well. We saw that a “Cyberattack on German steel factory causes ‘massive damage’”:

“… hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report, which revealed one of the rare instances in which a digital attack actually caused physical damage.”

Shades of Stuxnet! The Sands Casino was hit to the tune of $40 million in damages in what appeared to be a revenge attack.

“Adelson’s comments soon sparked outrage in Iran, and on February 10th the Las Vegas Sands Corp was targeted for retaliation by who are believed to be Iranian hackers.”

Financial Systems

No segment is immune to malice. After J.P. Morgan was breached, people really began to worry. The article “If Financial Systems are Hacked” says:

“Recent attacks give a glimpse of the sort of cyber-assault that could bring the world economy to a halt. Better defences are needed.”

“We’re not keeping up, we’re losing,” says one insurer, who thinks most people remain blind to the real-world damage such assaults could do.

Whether financial systems are taken off-line for some period of time, or the public loses trust in financial institutions, the repercussions could indeed be devastating.

Ransomware

I said that ransomware is the first perfect storm of infosec. In 2015, Richard Clarke said here:

“Ransomware is increasingly common… Actual destruction where everything is wiped out on a network is not – yet.”

For examples of this now happening, see here, and in an article this week, “KillDisk Ransomware Targets Linux; Demands $250,000 Ransom, But Won’t Decrypt Files”. There’s always a chance your data will be gone with ransomware, and if attackers can load a ransomware payload, they can just as easily load destructive malware, to be used for extortion or for destruction at the same time.

The Trouble With Normal Is It Always Gets Worse!

Infosec is always playing catch-up in a world where it’s constantly falling further behind. Adversaries aren’t standing still; they’re constantly innovating. We’re likely heading toward even more malicious ransomware targeting everything, data tampering, AI and automation used in attacks, and cyber terrorism possibly becoming the more convenient weapon of choice. Right now, everything is adding more attack surface. What’s more, once an attacker is in your network, how do you know when your environment is ever safe again?

Business as Usual?

Keep in mind that these malicious attacks were possible years ago. Who thinks that more of what’s failing now is going to hold up going down the road? The vulnerability-centric model is the central pillar of infosec, and its Achilles’ heel at the same time. Every new app, every new platform, just adds attack surface. Is it as much a fiction as Harry Potter is in terms of practical utility? (Remember, super-denial isn’t actually a superpower.)

Is staying the course just an excuse to avoid choosing the really hard road, that of actually fixing systems so they are no longer inherently insecure? Recall that systems were designed to share information, never to be secure.

Some parties are starting to address the lack of system security engineering for trustworthy systems, such as NIST with the NIST 800-160 standard. Trustworthy computing shifts the advantage to defenders, as discussed in the last post and here, or here. Or check out the blog index below for more discussion on defender advantage, as can be delivered by Trustifier’s KSE implementation of trustworthy computing.

Trustifier has performed the really tough security engineering and design, so you don’t have to. The combination of KSE defensive capability with TUX AI cognitive security, which is able to implement and maintain security posture dynamically going forward from a point in time, is ready to deliver defender advantage now.

The KSE security sub-system means that trustworthy systems are no longer limited to the world of imagination and the realm of fantasy.

Related

Why NotPetya Kept Me Awake (& You Should Worry Too)

Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows

Inside The Aftermath Of The Saudi Aramco Breach

Hackers Cause $40m Worth Of Damage To Las Vegas Sands

The rise of ransomware, crafty hackers and health data destruction

KillDisk Ransomware Targets Linux; Demands $250,000 Ransom, But Won’t Decrypt Files

Posing as ransomware, Windows malware just deletes victims’ files

Here’s how cyber attacks will get worse in 2017

Move Over, APTs — The RAM-Based Advanced Volatile Threat Is Spinning Up Fast

AVT creators make their exploits less persistent — and harder to detect

Take me to the blog index.

By |January 14th, 2017|KSE|
