It’s impossible for cyber security people to monitor all potential threats all of the time. Business Technology’s resident U.S. blogger Keil Hubert suggests that security teams should adopt a pragmatic, behaviour-based approach to out-thinking the baddies.
Seasoned information security practitioners realize that we can’t monitor every possible attack vector, all of the time. That’s as daft as expecting a roving security guard in a warehouse to simultaneously cover all of the building’s doors and windows. It can’t be done. Yes, we do deploy automated monitors and alerting systems that operate twenty-four hours a day, patiently waiting to detect potential baddies’ activities. From Intrusion Detection Systems watching our network gateways to motion sensors watching the door to our data centre, our robot sentries perform a great service for our InfoSec team – but those sensors can’t replace a savvy set of eyes when it comes to detecting subtly suspicious human behaviour. To catch a malevolent insider, you have to pay attention to your potential suspects, and that means you have to be close by when your would-be baddie starts acting up. If you’re not close enough to nab them, then you’re usually not close enough to recognize what they’re up to and stop it.
This can be an infuriating challenge for a new security head; you realistically can’t be everywhere at once. At the same time, in order to do your job properly you have to be around when one of your users starts acting up. Unfortunately, you also have to sleep, eat, and feed the cat. In an ideal world, an InfoSec team would either have perfect automated monitors (which don’t exist) or armies of human observers roving the workplace 24/7 (which won’t be tolerated – or paid for – by upper management). Instead, the vast majority of InfoSec teams are understaffed, underfunded, overworked, and aren’t living in the cubicles between shifts. What’s a good security head to do, then?
I submit that the best answer is to game the system. In this case, ‘gaming’ means deploying your personnel specifically to vulnerable areas during those periods when bad users are most likely to do something stupid. In order to have the right people watching at the right time, you have to pay particularly close attention to your office culture, operating context, and personnel. Once you understand your players and the playing field, you can often make a reasonable guess when and where one of your would-be baddies will manifest – and you can be there waiting to nab him or her.
Along those lines: we had a tradition called ‘stand-to’ back when I was a soldier. When we were out in the field, our entire unit would wake up an hour before dawn every day. All of the soldiers, regardless of their function, would gear up and be ready in their fighting positions, ready to repel an attack. We did this based on historical evidence – statistically, the very best time to surprise (and, therefore, to overwhelm) an enemy encampment was right before dawn. The defenders would all be tired, cold, and sluggish, and the battlefield would be pitch black. You could move your attackers right up to the edge of the defenders’ enclave without being detected, and then massacre your enemy before they could muster a response. Therefore, a savvy commander got all of his soldiers propped upright in their fighting positions with their rifles ready before the enemy was likely to strike – effectively reversing the odds.
InfoSec leads do much the same when it comes to pre-empting insider behaviour. No, we don’t get up before dawn and lurk in the cubicle farm with a rifle; that would probably violate all sorts of HR guidelines. Rather, we take a hard look at how and when past baddies have committed their crimes (including time, place, and methodology). Then we look at circumstances that would drive an otherwise stable user to step out of bounds. Then we combine those two factors and try to think like a disgruntled user: if we were in their place, when would we try to strike?
One of the critical facets of insider misconduct comes down to the offender’s reluctance to get caught. If a user is angry at how they’re being treated, they may want to stick it to the company somehow – but they don’t want to get caught. So, amateur baddies will often try to commit their misdeeds while they’re alone, so as to minimize the odds of their getting noticed by their bosses or co-workers. That’s common sense. Easy ways to pull this off include coming into work early, staying through lunch, or staying late… But the risk with all of these options is that they’re vulnerable to random interruptions. A co-worker could come by unexpectedly at any time and spoil your plan. That’s why baddies will often try to optimize their timing to ensure that no one else is around to catch them in the act.
As a pragmatic example, yesterday was the annual ‘Superbowl’, the last big championship game of the year for American Football aficionados. Last year’s Superbowl set a record for US viewing, when an estimated 112.2 million Americans watched the live broadcast. There were viewing parties at bars, restaurants, clubs, and private homes all over the country. People actively managed their calendars to get that evening free so that they could enjoy the festivities with friends, families, and fellow football fanatics. I assume that when the statisticians finally finalize their figures for yesterday, they’ll declare an increase in viewership between 2014 and 2015.
That’s one data point. Here’s a second to consider: on 23rd January, IT World’s Andy Patrizio published a story revealing that mega-corp IBM is planning to fire a staggering 26 per cent of its global workforce starting this month. If the story is true, then that’s 111,800 people for the chop. The IT jobs market will be saturated with over-qualified candidates, thereby mucking up everyone’s chances of finding meaningful work for years to come. The loss of so many high-tech jobs at once will affect the US economy like a cannonball hitting a fishbowl. Moreover, the survivors at IBM will (quite rightly!) likely have no faith at all that they won’t be among the next wave to die; people will be terrified after the first round of devastating layoffs that more are coming. Conditions couldn’t be better for some angry or terrified about-to-be-ex employee to take a stab at Big Blue from the inside.
When you consider those two factors together, it would have made perfect sense for IBM’s InfoSec team to have mobilised their forces over Superbowl Weekend specifically to spot potential disgruntled employees sneaking in during the broadcast window in order to do bad things. After all, if over half of all American households were going to be glued to their televisions watching the game, then odds were darned good that nobody would be paying attention to goings-on in the office. It was the optimal time for a one-time disgruntled employee to sneak in and exfiltrate some data, or plant a virus, or take a poo in the boss’s credenza. Therefore, it was logically the optimal time for IBM’s InfoSec team to stand-to, leaning forward in their notional foxholes, watching and waiting, poised to return fire.
Specifically, that would have meant having directory service techs scanning domain login events for atypical access requests, IDS/IPS techs paying close attention to event logs, and good, old-fashioned patrolmen walking through the buildings looking for people who weren’t on the roster. A moderate increase in active, pre-emptive defensive measures.
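As an added illustration of the ‘scanning domain login events for atypical access’ measure (example code written for this page, not IBM’s or the author’s), the script below learns each user’s usual logon hours and hosts from constructed sample records, then flags logons during an assumed stand-to window that break that pattern, skipping anyone on an assumed on-call roster.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample domain logon records: (timestamp, user, workstation).
# Illustrative only; not real events from any organisation.
SAMPLE_LOGONS = [
    ("2015-01-19 09:02", "alice", "WS-ENG-01"),
    ("2015-01-20 08:55", "alice", "WS-ENG-01"),
    ("2015-01-26 09:10", "alice", "WS-ENG-01"),
    ("2015-01-19 13:30", "bob", "WS-FIN-07"),
    ("2015-01-21 14:00", "bob", "WS-FIN-07"),
    ("2015-01-30 13:40", "bob", "WS-FIN-07"),
    # Events inside the watch window (the evening of the game).
    ("2015-02-01 19:15", "carol", "WS-OPS-02"),  # on the on-call roster
    ("2015-02-01 19:42", "alice", "WS-ENG-01"),  # never seen after hours
    ("2015-02-01 20:10", "bob", "FILESRV-01"),   # off-hours and unfamiliar host
]

# Assumed stand-to window and roster of people expected on site during it.
WINDOW_START = datetime(2015, 2, 1, 17, 0)
WINDOW_END = datetime(2015, 2, 1, 23, 59)
ON_CALL_ROSTER = {"carol"}

def build_baseline(logons, window_start):
    """Per-user sets of usual logon hours and hosts, learned from events before the window."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host in logons:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if when < window_start:
            hours[user].add(when.hour)
            hosts[user].add(host)
    return hours, hosts

def stand_to_alerts(logons, window_start=WINDOW_START, window_end=WINDOW_END, roster=ON_CALL_ROSTER):
    """Return logons inside the watch window that are atypical for that user and not on the roster."""
    hours, hosts = build_baseline(logons, window_start)
    alerts = []
    for ts, user, host in logons:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if not (window_start <= when <= window_end) or user in roster:
            continue  # outside the window, or an expected presence
        reasons = []
        if when.hour not in hours[user]:
            reasons.append("off-hours for this user")
        if host not in hosts[user]:
            reasons.append("host never used before")
        if reasons:
            alerts.append((ts, user, host, reasons))
    return alerts
```

A user with no baseline at all (never seen before the window) trips both checks, which is the case the patrolmen’s roster is meant to cover.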
To be fair, I only know three current IBMers and I didn’t talk to any of them before I wrote this piece. I don’t know if any of those blokes are affected by the layoffs, and I don’t know what (if anything) IBM’s internal security elements got up to during the weekend. I’m just using these two factors to make a point: a good InfoSec head needs to consider his or her users’ motivating factors (e.g. hearing from the business press that 100,000 co-workers are about to lose their jobs) and their operating environment (e.g. the best windows of opportunity to commit some mischief would be coming up over the weekend during the big game) in order to effectively deploy their personnel to intercept potential miscreants.
I suppose there’s a second metaphor that we can draw here; in American football, the team playing defence can’t actually do anything until the team playing offense ‘snaps’ the ball and thereby officially ‘starts’ the play. Once the ball moves, the defence can surge forward and try to intercept the person holding the ball. If I’m honest, I’ve known a few InfoSec people who ran their programmes exactly that way: they waited until something bad happened to their organisation, and only then scrambled technicians to deal with the problem. That operating mindset effectively cedes control of the fight to the attacker; it allows the baddie to decide the time and place of the engagement. I think that’s a daft strategy. It makes far more sense to get the defenders in among the potential attackers early, so that they can pounce the instant that they perceive that something untoward has started.
I don’t think that either American or world football have analogues for this. Maybe if the defenders were waiting in the locker room before the game, and cold-cocked the opposing team as soon as one of the enemy players put on their jersey. Something like that. Honestly, I’d probably watch football if it was played that way…
From a practical standpoint, I don’t think that sport metaphors or approaches really work when it comes to running InfoSec operations. It’s ludicrous to patiently wait on the other team to make their move when they’re fit and ready; that’s daft and irresponsible. Depending on the laws we live under, we may not be allowed to pre-emptively disrupt an adversary action. We can, however, stage our resources shrewdly and aggressively where and when we think the enemy will surface in order to decisively shut them down. That requires a lot of thinking around corners, though.
It also requires you to accept that you’ll guess wrong quite often. That’s the price of engaging in active defence; most of the time, having your forces stand-to without incident simply annoys your defenders and makes them grumpy. The trick is, the one time that you guess right will likely pay off spectacularly for you, for your team, and for your organisation. If you can intercept a disgruntled insider before they damage the company, then the job you save may very well be your own.
 We’d often (but not always) do the same thing before the sun went down.
 I was not one of those people. Without the Internet, I doubt I’d even know which teams were playing.
 I have no empathy for anyone trying to hack American military networks, now that we’ve established that the USG will cheerfully extra-legally assassinate anyone they perceive to be a threat with their army of flying death robots. It’d be smarter to take up a safer career, like juggling live grenades.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.