By Dr Robert Ghanea-Hercock, Chief Researcher, BT Security Research Practice
James Cameron’s successful dive to the bottom of the Mariana Trench in the Pacific Ocean recently was a stunning display of advanced engineering and pure courage — a truly monumental achievement. Cameron’s adventure was a wholly peaceful challenge but, for me, it brought to mind the more usual use for submarines — warfare.
Deadly serious hide-and-seek
It made me think how hunting for advanced persistent cyber threats is a little like hunting for nuclear submarines in deep water. The opponent is stealthy and trying their best to hide all traces of their activity in a sea of data and net activity. In the submarine domain we can use sonar to listen for enemy vessels, but in the cyber domain we have a more limited sensory capability. Yes, we do have intrusion detection systems and network trip wires etc., but fundamentally we lack the ability to separate out the weak stealthy signal of an advanced attack.
In ‘The Hunt for Red October’ (my favourite submarine film with Sean Connery) the plot revolves around a defecting Russian submarine captain involving lots of shots of big submarines pinging each other with sonar and playing war games. But the real story is about how the protagonists try to work out the intent of their opponents. Is the Russian captain really trying to defect? Or is it all a sophisticated double-bluff orchestrated by the Kremlin for a first-strike attack? The stakes are high and the information available to each side is extremely sparse.
Interpretation and context are everything
We face exactly the same problem in handling cyber attacks; some are weak feints that precede a later full-scale assault, some are just background noise in the malware sea. Specifically, the issue is how we infer the intent of the malware source agency — and intent is everything in any combat scenario.
People tend to focus on the possible technical capabilities of hackers, but this is increasingly irrelevant as sophisticated attack tools are now free and ubiquitous. What we should care about is the intent of each cyber adversary. Are they simply playing around, hunting for an easy credit card breach, or are they a serious state-backed group targeting a critical asset? The problem is that the online behaviour we can measure often looks exactly the same.
Cyber attack brings additional complexity
Solving this problem is going to take a great deal of research and a broader psychological and sociological perspective. Compared to the military domain of submarine warfare it’s complicated by the broader range of objectives each adversary may have. These include: economic interests; social hacking as political expression, (which I predicted some time ago would become a major problem); organised crime; and state actors and their offensive cyber operations. In the defence role we must infer intent and interests of the opponents.
Use imagination to avoid your personal iceberg
Back to James Cameron, this time in his role as director of the blockbuster ‘Titanic’, a great story of how human hubris can blind-side us to the risks we face when engineering large complex systems.
The engineers of Titanic built multiple transverse bulkheads within the vessel, believing the vessel couldn’t sink because, even in the worst case scenario, only one or two of the bulkheads would be breached. Of course their vision of the worst case scenario was wrong and the iceberg ripped along the vessel, breaching multiple bulkhead defences.
What the engineers lacked was the most vital ingredient in engineering any defence — a vivid imagination.
Cyber threats like icebergs may only reveal a small percentage of their true scale and nature. Sensing what lies below the water is ultimately the real challenge in cyber defence.
Find out more at Infosec 2012
To find out more about BT’s view on the ‘elastic perimeter’ visit the Vehicle for Change at Infosec this year. Find BT at Stand F100 in Earls Court, London between 24 and 26 April.
Come and talk to our experts from BT Assure, our security practice which serves the security and business continuity needs of BT’s global customers. We’ll have a range of demonstrations available on our stand, from ethical hacking, to web security services, threat monitoring and business continuity.