Cyberattacks and Cyberdefense: Eternally at War and Yet Eternally at Peace

Ashok Banerjee, CTO and VP Engineering, Enterprise Security, Symantec

Ashok Banerjee, CTO and VP Engineering, Enterprise Security, Symantec

Technology brings the world closer and enhances convenience, however, the same technology brings the attackers closer too. Most of us in Silicon Valley think with the “mind of a maker”, and yet there is the “mind of a breaker”. Technology extends not only our reach but also the reach of the attacker for espionage, sabotage, and ransomware.

While the “mind of the maker” and the “mind of the breaker” are co-evolving in adversarial relation, Fake news and real news are in a similar adversarial cycle as Cyberattacks and Cyberdefense. In regular Machine Learning, there is a static truth, and with Machine Learning, we approach it. However in Cyberattacks and Fake-News the cheese moves, as soon as defense catches on. These systems are far more of Game Theory and Adversarial Machine Learning than regular Machine Learning.

Cyberattacks have become increasingly organized and sophisticated. The sophisticated attackers are well-versed in Cloud, Devops and Machine Learning. Every move begets a counter-move, so what matters is not the move but the equilibrium of the adverserial game.

Another thing to note is that attackers look for the weakest link in the chain for maximum returns. So, cyberdefense needs to “protect it all, or not at all”. In a passive system, e.g. a roof with a 1 percent leak in the roof surface, leaks only 1 percent of the rain hitting the roof surface. However in an active system like cybersecurity if there is 1 hole in the security, 100 percent of attacks come through it.

Where are these deadly attackers? Are they terrible people?

The cyber-educated attacker is usually located outside the jurisdiction of the victim, this makes consequences for the attacker less likely. Attackers do not like to be physically proximal to their victim and few things prove it better than regular household garage door openers. A standard garage door opener has 10- 12 pins for the code. Each pin can be up/down so it has 1012 combinations. Using De-Bruijn sequences with rolling shift of keys, a garage door can be opened in eight seconds. Then why isn’t it open all the time? The physical proximity to the victim is unpleasant for the. It is easier to attack nameless, faceless entities. Typically attacker communities develop where large numbers of cyber-educated professionals do not have meaningful employment prospects. Fake news authoring communities are similar in genesis.

What changes the terrain of this adversarial system?

Weak Signals:The world today uses separate products for different aspects of Cybersecurity. These products can provide overall verdict of malicious or benign, but they are currently unable to convey degree of confidence e.g. 60 percent confidence. Sophisticated attackers operate in the gray, between white-listed (known good) activity and black-listed (known bad) activity. These are low-and-slow attacks or just under the radar attacks. This works because the different products are unable to convey context to each other beyond absolute determinations.

With a single backplane of assets and events spanning multiple enforcement points, Endpoint Security, Network Security, CASB (SaaS Security), Email Security with universal antimalware, DLP and hardening the weak signals cannot hide in the limited context across capabilities or enforcement points.

Local Learning: Beyond globally learning what is malicious behavior or malware, it is important to learn locally on every specifics of each user, or a LDAP group or an enterprise on what is normal. The solution is not to look at global big-data but instead to scale to the small data of the specific enterprise. The benefit of such a system is highly compounding since it learns the user over time and becomes increasingly more precise.

Additionally, our constant need for speed and convenience forces us to enable remote access to control systems of a nation, such as Industrial IOT. These control systems used to be behind badged entry doors in office buildings, requiring physical access. Those badged door are rapidly vanishing and the systems are becoming remotely accessible and this is happening across power grids, water treatment plants, sewage treatment plant, toxic waste handling, nuclear reactors, oil and gas and manufacturing plants.

Adverserial nations are constantly trying to get a foothold into the each others control systems. These footholds are like switches, that are never activated butcan be activated to either send a message or during a war. We are now eternally at war and yet eternally at peace, interacting with grace in diplomatic spheres and yet a battlefield in cyberspace.

In a strange way, many of us in technology are the gladiators 2.0 in the coliseum of the modern world. Yet be cautious, we have much that we forget to value and there is always an unseen adversary who is looking for the opportune moment.

Weekly Brief

Read Also

Fighting Fraud is a Combination of Effective Preventive Systems, Use of Skillful Staff and Employee Awareness

Fighting Fraud is a Combination of Effective Preventive Systems,...

Kim Siren, Head of Fraud Management at OP Financial Group
Intentionality Is The Key To Increasing Diversity In Information Technology

Intentionality Is The Key To Increasing Diversity In Information...

Rosemarie Lee, Vice President and Chief Information Security Officer at BlueCross BlueShield of Tennessee