What is the single best thing that military and civilian government agencies can do in their search for an all-in-one cybersecurity solution? Simple: Give up hope.
As counterintuitive as that may sound, there is no magic bullet that will solve all our cybersecurity challenges. A sufficiently motivated and capable adversary will get around our defenses, given enough time. The question then becomes: How can we tax that motivation, or raise the cost of these attacks? What emerging areas of cybersecurity should government decision makers focus on to extend the range and capability of our deterrents?
Three areas in particular warrant government attention: Cyber deception, defense in depth and formal verification.
Conventional defenses against advanced persistent threat (APT) attacks — like the one that infiltrated the Democratic National Committee (DNC) during the presidential election — often fail because, once an adversary has a foothold on a network, it is relatively easy to identify the high-value targets on it. Telling servers from PCs, smartphones and other systems is straightforward, and the location of the sensitive data follows from that inventory. Worse, given how effective existing attack tactics are, we must operate under the assumption that attackers are already inside our networks and may be performing that target analysis at any time. This fact demands a new objective for cybersecurity: to make their lives as difficult as possible while they are there.
The art of deceiving attackers is not a new one. “Honeypots” — decoy servers that are designed to gather information about attackers without exposing sensitive network assets — have been around for years. But over time, sophisticated attackers have learned to recognize these decoy devices by monitoring their traffic patterns.
To remain one step ahead, government agencies are turning to more advanced cyber deception technologies that include both decoy devices as well as realistic traffic generation. Such traffic generation includes data resembling user browsing sessions as well as encrypted protocol sessions that are extremely difficult to distinguish from real traffic, even for expert observers. Sophisticated cyber deception technology can also include false documents placed in low-impact servers that divert attackers from real servers and more sensitive information, or watermarked documents that can be used to track an adversary as they navigate in and out of the network.
At the heart of cyber deception is the recognition that sophisticated adversaries will penetrate our networks. Thus, the ultimate goal of cyber deception is to delay and mislead these adversaries, increasing their frustration and causing them to make mistakes. In doing so, these deceptions dramatically reduce the utility of a breach, by decreasing the chance that an adversary gains access to valuable network assets and increasing the chance that administrators can catch them in the act.
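One concrete form of the "watermarked documents" idea above, as an added example that is not code from the article or from Galois: every planted decoy carries an opaque, HMAC-authenticated token embedded as a "latest revision" link, and a scan of the web-server access log maps any token that later shows up back to the exact decoy, host and directory the adversary touched. The key, hostnames, paths and log lines are constructed for illustration and are assumptions of this example, not anything the article describes.

```python
"""Honeytoken watermarks for decoy documents (added example, not the article's code)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical defender-side secret. Keep it off the decoy hosts themselves,
# otherwise an intruder who lands there can forge or recognise tokens.
WATERMARK_KEY = b"example-only-watermark-key-do-not-reuse"
BEACON_HOST = "docs-cdn.example.internal"  # hypothetical callback host
TAG_LEN = 16  # hex chars of HMAC kept in the token (64 bits)


@dataclass(frozen=True)
class Placement:
    host: str   # decoy server the document was planted on
    path: str   # directory it was planted in
    title: str  # the lure's filename/title


@dataclass
class Registry:
    """Maps tokens to placements; the token itself reveals nothing about the decoy."""
    key: bytes
    placements: Dict[str, Placement] = field(default_factory=dict)

    def _tag(self, nonce: str) -> str:
        return hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]

    def mint(self, placement: Placement) -> str:
        """Create a fresh token = random nonce || HMAC(key, nonce)."""
        nonce = secrets.token_hex(8)
        token = nonce + self._tag(nonce)
        self.placements[token] = placement
        return token

    def verify(self, token: str) -> bool:
        """Reject garbage and forgeries before consulting the registry."""
        if len(token) != 16 + TAG_LEN:
            return False
        nonce, tag = token[:16], token[16:]
        return hmac.compare_digest(self._tag(nonce), tag)

    def lookup(self, token: str) -> Optional[Placement]:
        if not self.verify(token):
            return None
        return self.placements.get(token)


def render_decoy(title: str, token: str) -> str:
    """A plausible-looking lure whose 'latest revision' link is the beacon."""
    return (
        f"{title}\n"
        "CONFIDENTIAL - internal distribution only\n\n"
        "This copy may be out of date. Always fetch the latest revision from:\n"
        f"https://{BEACON_HOST}/doc/{token}\n"
    )


TOKEN_RE = re.compile(r"/doc/([0-9a-f]{32})")


def scan_access_log(registry: Registry, lines: List[str]) -> List[Tuple[str, Placement]]:
    """Return (client_ip, placement) for every authentic token seen in the log."""
    hits = []
    for line in lines:
        match = TOKEN_RE.search(line)
        if not match:
            continue
        placement = registry.lookup(match.group(1))
        if placement is None:
            continue  # unknown or forged token: noise, not a decoy trigger
        client_ip = line.split()[0]  # first field of a combined-format log line
        hits.append((client_ip, placement))
    return hits


def demo() -> Tuple[Registry, str, str, List[Tuple[str, Placement]]]:
    """Plant two decoys, then scan a constructed access log for callbacks."""
    reg = Registry(WATERMARK_KEY)
    t1 = reg.mint(Placement("fileshare-02", "/shares/finance/archive",
                            "Q3 Vendor Payment Schedule.xlsx"))
    t2 = reg.mint(Placement("fileshare-02", "/shares/it/legacy",
                            "VPN Migration Plan.docx"))
    forged = secrets.token_hex(16)  # a guessed token: right shape, wrong tag
    log = [  # constructed Apache-style lines; only the first is a real trigger
        f'10.20.30.41 - - [12/Oct/2016:03:14:07 +0000] "GET /doc/{t1} HTTP/1.1" 200 512',
        '10.20.30.41 - - [12/Oct/2016:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
        f'198.51.100.7 - - [12/Oct/2016:03:20:00 +0000] "GET /doc/{forged} HTTP/1.1" 404 0',
    ]
    return reg, t1, t2, scan_access_log(reg, log)


if __name__ == "__main__":
    _, t1, _, hits = demo()
    print(render_decoy("Q3 Vendor Payment Schedule.xlsx", t1))
    for ip, where in hits:
        print(f"decoy '{where.title}' at {where.host}:{where.path} fetched by {ip}")
```

Two practical caveats: the beacon only fires if the document is opened somewhere that can reach the callback host (or the token is spotted in exfiltrated data by other means), and the registry and key must live on a system the intruder cannot reach, since anyone holding the key can tell decoys from real documents.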
Classic defense in depth
Many of us grew up playing Risk, the classic board game in which players engage in diplomacy, conflict and conquest. Over time, those who played often noticed the obvious strategy: Defend a small handful of strategically placed countries, creating a bottleneck that prevented the opponent from reaching other countries. By doing so, the player reduced the number of armies needed to defend their territory, and could use their resources more effectively.
Lessons like this are rampant in our history and our training: find the choke point in a system, and pile our resources there. It seems obvious and logical to us, and it is easy to convince ourselves that we do not need to protect the interior of our systems if we can just protect the gates. Thus, when we design our networks, we become very tempted to put all of our security eggs into one basket: the core router/firewall. It is easy to imagine that, since all traffic must flow through this gateway, we just need to stop all attacks there and be done with it.
Unfortunately, given the wide deployment of wireless technology, there are an astonishing number of ways for an adversary to gain access to our network without going through the firewall. There is thus no single bottleneck, no single entry or exit point. Yes, you should install a good firewall, but you should not fund it at the expense of the many other sensitive parts of the network. In classic military theory, we call this approach defense in depth — multiple layers of security controls distributed throughout the system.
In a network, this means never assuming that your network is free from adversaries, and ensuring authentication and encryption at every point. It also means having access control rules and policies at every point in the network, including so-called “protected networks,” just in case something gets through. In short, as network operators, you need to build “fire doors” that keep an infection from spreading, just as architects do in our public buildings.
With defense in depth, every piece of software focuses on best-effort security, and the organization layers various cyber defense tools — such as firewalls and filters — on top of this infrastructure. At the end of the day, we do this for much the same reason we integrate cyber deception into our networks: eventually, the adversary will find their way around any single blockade that is introduced. Thus, we add more blockades to slow them down, dissuade them from continuing, and make them easier to detect.
With cyber deception we have thrown up distractions, and with defense in depth we have thrown in layers and layers of defenses. But what if we have something on our network that is so sensitive, so valuable, that we simply cannot allow our software to fail?
Imagine if the engineers and planners constructing a bridge focused solely on its design and aesthetics, and didn’t worry about whether the bridge was sturdy enough to support the weight of vehicles until after construction was completed. This would be a harrowing prospect for drivers traversing that bridge. Yet organizations approach cybersecurity in much the same way: Something to be concerned about after the “important stuff” in software development has been worked out.
Formal verification is a technique that goes beyond testing and evaluation to provide a mathematical guarantee that a system behaves only as intended, in all cases rather than just the cases a test suite happened to exercise. As such, it can be applied to the nation’s hardest cybersecurity problems, including homeland security, election/voting systems, Internet of things-connected vehicles and (of course) internal corporate network design. Formal methods work by writing a precise and complete specification of what the system should do, and then mathematically proving that the implementation meets that specification and only that specification. No backdoors, no hidden functionality, just what you said it would do. The caveat is that the proof is only as strong as the specification and the assumptions it rests on: a property that was never written down is never proven, and the compiler, hardware and operating environment beneath the verified component must still be trusted or verified in turn.
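What “specification plus proof” looks like in practice, as an added illustration in Lean 4 that is not from the article and is deliberately tiny compared with the systems HACMS targeted: a three-line access-control policy is the implementation, and the two theorems are the specification. If either theorem fails to check, the policy has a hole; once they check, the properties hold for every input, not just the ones someone thought to test. The role names and policy are assumptions made up for this example.

```lean
-- Added example, not from the article: a toy read-access policy and its spec.
inductive Role where
  | admin | user | guest

-- Implementation: who may read a document, given whether it is classified.
def canRead (r : Role) (classified : Bool) : Bool :=
  match r, classified with
  | Role.admin, _     => true
  | Role.user,  false => true
  | _,          _     => false

-- Specification, part 1: a guest can never read anything, classified or not.
theorem guest_never_reads (c : Bool) : canRead Role.guest c = false := by
  cases c <;> rfl

-- Specification, part 2: whoever reads a classified document must be an admin.
theorem classified_requires_admin (r : Role) (h : canRead r true = true) :
    r = Role.admin := by
  cases r <;> simp_all [canRead]
```

Note what the theorems do and do not say: nothing here proves that admins are the right people to hold that role, that `classified` is set correctly, or that the code calling `canRead` actually consults it. Those are exactly the gaps a specification review has to close before a proof means anything operationally.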
Numerous projects are underway across the DoD and other agencies to leverage formal verification, including DARPA’s Crowd Sourced Formal Verification (CSFV) program to overcome the challenges associated with unreliable software, and its High-Assurance Cyber Military Systems (HACMS) program. For those systems that absolutely must work — security-critical, mission-critical and safety-critical systems — increased adoption of formal methods will help ensure the robustness of mission-critical software.
In the end, no single solution is enough — not cyber deception, not defense in depth, not firewalls, and not formal methods. It is only by assessing our risk, by considering our specific situation, and by combining our tools that we can mount an effective defense against the nation’s cyber threats.
Adam Wick is research lead for mobile security and systems software at Galois