Dodging The Wrong Bullets

We’ve all been there. We get an email or a call from IT that says we’ve been breached. We immediately want to know how they got in and who they are, and, like Stinger in Top Gun, we immediately demand to know “What’s been hit?”

The answers often go something along these lines: It was a SQL injection, we don’t know who it was and it looks like our web server was hit. Our question was really related to the value of what’s been hit, not which device or software system, but we never get that answer because no one actually knows. If you’re a CFO, this is frustrating because you just learned that you have assets at risk whose value you don’t understand and whose implications you are unprepared to deal with.

As an IT pro or CISO, you are also frustrated because you actually don’t know whether that web server was of significance or just a cog in your network wheel that is being used as a gateway for a more malicious attack downstream, or even as a stalking horse for a real attack taking place somewhere else on the network at this very moment.

One of your employees attempts to access a commonly used file, only to find that the file no longer exists. Looking closer, the employee finds that the file does exist but the file name has been changed. His calls to IT reveal that his file and many others have been encrypted and are part of a ransomware attack.

Your IT staff has already quarantined the infected system and has begun tracing through discovery to determine the extent of the compromise. The task is difficult, however, because not all network activity has been captured in log files and none of the event data is accessible. After 4 days of tedious analysis, the IT team concludes that only one system has been compromised, and after running restores from backups it appears that there is no lasting damage. Once again, your IT staff manages to dodge a cyber-bullet.

Or, did they?

Actually, the breach occurred well before that employee tried to access that file, and it went undetected. In fact, the discovery was only possible because the attackers wanted it that way. The game plan was to create a few encrypted files, demand a ransom payment and then quietly use the system resources to launch a real attack later. The collected log data was virtually useless in making this determination because it didn’t contain any evidence of the attacker’s footprints within the network, and as a result there was no way to detect what really happened or may still be happening.

This problem doesn’t necessarily argue for better SIEM solutions or a network behavior analytics engine because in the case of SIEM, log data alone won’t detect a multi-pronged attack like this one and in the case of behavioral analytics, an attack like this one may resemble normal network traffic.

Most businesses today misunderstand the nature of cyber-threats and are busy dodging the wrong cyber-bullets. Today’s most popular conventional technologies keep security analysts focused on the vulnerability under attack and not on the device or system processing or storing the most valuable assets.

It is a mind-set that is encouraged by the underpinning security solutions in the same way that perceptual decision traps operate. Framing errors occur when the way in which information is presented influences its interpretation, which in turn alters a decision based on that information, as with the encrypted file in the earlier example.

Randomness bias and escalation errors cause us to believe we can predict the outcomes of random events by over-ascribing meaning to each event and by believing that based on prior experience the continuation of a process will eventually lead to success. We end up frequently believing that continuing down a path in which we have invested heavily is the best course of action because abandonment would equate to failure, even though we know that more technology may not add any particular value. Economists refer to this as the sunk cost fallacy in which we irrationally throw good money after bad.

As a consequence, instead of mitigating risk, we actually incubate risk.

We inadvertently create an environment where risk actually increases even though we report that risk is declining, because we believe that increased compliance, protection and detection technologies and better maturity and governance have put us on a path to an improved cybersecurity posture.

The network behavioral analytics technology people will tell you that their solutions can detect a motivated attacker who didn’t immediately alter the file system as in our earlier example, but rather moved quietly through the network gaining access to operational systems, privacy data, proprietary information and intellectual property. They will tell you that real-time threat monitoring behind the firewall using advanced machine learning and artificial intelligence will detect that activity.

And while certain of these behavioral analytics technologies do an excellent job of that sort of detection, what they will not do is tell us about the values of those assets at risk and what the monetary impact of a successful attack might look like.

Further, they cannot distinguish a device or network node that is under attack for the wrong reasons from one whose compromise actually matters. They cannot identify the device or system that stores or processes the high-value information because we have not made that determination for them.

Today’s best technologies will continue to point our remediation activities in the direction of the server or workstation under attack, even if it happens to belong to the technical documentation team and is storing valueless data. Not because they can’t prioritize the remediation, but because they don’t have the right information.
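To make the point concrete, here is an added example (not from the original article) that ranks the same alerts two ways: by vulnerability severity alone, and by the dollar value of the asset at risk. The asset register, host names and alert data are constructed sample values; hosts with no recorded value are surfaced separately, since the tool cannot rank what the business has not yet valued.

```python
# Added example: rank remediation by asset value at risk rather than by
# vulnerability severity alone. Asset register and alerts are constructed
# sample data, not taken from the original article.
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    finding: str
    cvss: float  # 0.0-10.0 severity of the vulnerability under attack


# Constructed asset register: dollar value of the data each host stores or
# processes. None means the business has not yet made that determination.
ASSET_VALUE = {
    "docs-ws-07": 5_000,         # technical documentation workstation
    "web-01": 250_000,           # public web server
    "cust-db-01": 40_000_000,    # customer PII database
    "build-srv-02": None,        # value never assessed
}


def severity_order(alerts):
    """Conventional ordering: most severe vulnerability first."""
    return sorted(alerts, key=lambda a: a.cvss, reverse=True)


def exposure(alert, register=ASSET_VALUE):
    """Dollar exposure = asset value x rough likelihood derived from CVSS.
    Returns None when the asset has no recorded value (cannot be ranked)."""
    value = register.get(alert.host)
    if value is None:
        return None
    return value * (alert.cvss / 10.0)


def value_order(alerts, register=ASSET_VALUE):
    """Asset-value ordering: highest dollar exposure first. Alerts on hosts
    with no recorded value are returned separately so someone assigns one."""
    ranked, unvalued = [], []
    for a in alerts:
        (unvalued if exposure(a, register) is None else ranked).append(a)
    ranked.sort(key=lambda a: exposure(a, register), reverse=True)
    return ranked, unvalued


SAMPLE_ALERTS = [  # constructed sample alerts
    Alert("docs-ws-07", "unpatched browser plugin", 9.8),
    Alert("web-01", "SQL injection attempt", 8.6),
    Alert("cust-db-01", "unpatched web framework (RCE)", 7.5),
    Alert("build-srv-02", "weak service credential", 6.5),
]
```

Severity ordering puts the documentation workstation first; exposure ordering puts the customer database first and flags the build server as unvalued.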

Do you think that for one moment if Susan Mauldin or Dave Webb knew that the asset value at risk from that Apache Struts patch was worth over $4 billion to Equifax, they wouldn’t have insisted that it be done?

Effective cybersecurity technology is critical to protecting against cyber-attacks and detecting advanced threats in the modern malware world. Critical thinking skills and a skilled IT team are also necessary.

But unless we begin to focus on the actual asset value of the information stored and processed, we will likely continue chasing down the wrong rabbit holes and dodging the wrong cyber-bullets, in spite of great technology.

Eric Kline

Excellent strategy Steve King, CISM, real Risk Analysis...
