Applying Ancient Wisdom to Help Manage Modern Risks

May 11, 2015
CyberPhysicalHuman: Post by Rob Simmons, Peter Sheingold, and Chris Folk

Today, it is probably impossible to identify all of the vulnerabilities in an interconnected information system. In a CyberPhysicalHuman world, where tens of billions of devices will be used in all aspects of our lives, in homes, healthcare, transportation, factories, appliances, entertainment, work, cities, farms, and even our clothing, the task only gets harder. For an organization, a threat-informed approach to risk management brings focus to what could otherwise be a boundless problem: instead of asking "what could go wrong anywhere?", it asks "what do the adversaries we actually face do, and where does that intersect with what matters most to us?"

Although Sun Tzu never had to deal with cyber adversaries, his ancient advice still focuses the actions of today's defenders: know the enemy. In today's CyberPhysicalHuman world, heeding Sun Tzu means adopting a more threat-based focus.

This is especially true when addressing today's sophisticated threat actors. Often called the Advanced Persistent Threat (APT), they are not a few isolated individuals sitting in basements. APTs are organizations that recruit, train, equip, and manage cyber attack teams. They run campaigns with specific goals: gain access, escalate privileges, hide their presence, maintain that presence, and then act on their objectives. Because the same team reuses the same tradecraft against many targets, these campaigns show patterns, and when necessary the APTs adjust their behaviors in response to our actions. Mindful and prepared defenders observe and learn these campaigns and behaviors, and then intercede.

Therefore, to better understand sophisticated attackers we need to:

  • Place greater focus on understanding and sharing information about threat patterns—analyzing knowledge gained from multiple, discrete attacks.
  • Reduce the likelihood of future attack success by aligning our defenses and associated vulnerability mitigations to the actual threats and campaigns we face.

The security community has recently been taking important steps toward a more threat-based focus. In 2011, Lockheed Martin published the cyber kill chain model, which breaks an intrusion into seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The model has helped many organizations think in more sophisticated ways about understanding adversaries by watching them before and, equally important, after they enter networks, and it makes a practical point: an adversary must complete every phase to succeed, so a defender who detects or disrupts any one of them breaks the chain. Defenders can now watch their adversaries and learn about their behaviors and tools.

Using this information, astute defenders capture, assess, and make informed decisions about defensive actions. In this way, defenders can turn what initially seemed to be an unbounded problem, mitigating potentially countless vulnerabilities, into a more manageable set of challenges: the vulnerabilities and behaviors that observed campaigns actually depend on. Organizations can then align their defense postures accordingly.
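The following is an added example, not code from the original post or from the authors, that shows the mechanics of the analysis described above: intrusion observations from several discrete attacks are tagged with their kill-chain phase, recurring behaviors are counted across campaigns, and candidate mitigations are ranked by how many observed intrusions each would have disrupted (breaking ties toward the earlier phase, since stopping the chain early is cheaper). The intrusion records, behavior names, and mitigation catalogue are constructed for illustration; only the seven kill-chain phase names come from the model.

```python
"""Threat-informed prioritization over a set of observed intrusions.

Added example. The seven phases are the Lockheed Martin kill chain; every
intrusion record, behaviour name and mitigation name below is constructed
for illustration and is not real incident data.
"""
from collections import Counter, defaultdict

KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
)

# Constructed observations: one record per discrete intrusion, each a list of
# (phase, behaviour) pairs the defenders saw. Campaigns reuse behaviours, and
# that reuse is the pattern a threat-informed defender is looking for.
INTRUSIONS = {
    "intrusion-1": [
        ("delivery", "spearphishing_attachment"),
        ("exploitation", "macro_enabled_document"),
        ("installation", "scheduled_task_persistence"),
        ("command_and_control", "https_beacon_to_new_domain"),
        ("actions_on_objectives", "archive_and_exfiltrate"),
    ],
    "intrusion-2": [
        ("delivery", "spearphishing_attachment"),
        ("exploitation", "macro_enabled_document"),
        ("installation", "registry_run_key_persistence"),
        ("command_and_control", "https_beacon_to_new_domain"),
    ],
    "intrusion-3": [
        ("delivery", "compromised_vendor_vpn_account"),
        ("installation", "scheduled_task_persistence"),
        ("command_and_control", "https_beacon_to_new_domain"),
        ("actions_on_objectives", "archive_and_exfiltrate"),
    ],
}

# Constructed mitigation catalogue: each entry names the behaviours it breaks.
MITIGATIONS = {
    "block_macros_from_internet_documents": {"macro_enabled_document"},
    "attachment_sandboxing": {"spearphishing_attachment"},
    "egress_proxy_with_newly_seen_domain_blocking": {"https_beacon_to_new_domain"},
    "scheduled_task_creation_alerting": {"scheduled_task_persistence"},
    "run_key_change_alerting": {"registry_run_key_persistence"},
    "mfa_on_vendor_remote_access": {"compromised_vendor_vpn_account"},
    "dlp_on_large_outbound_archives": {"archive_and_exfiltrate"},
}


def validate(intrusions):
    """Reject observations tagged with a phase that is not in the kill chain."""
    for name, observations in intrusions.items():
        for phase, _ in observations:
            if phase not in KILL_CHAIN:
                raise ValueError(f"{name}: unknown kill-chain phase {phase!r}")


def behaviour_prevalence(intrusions):
    """Count, per behaviour, how many distinct intrusions it appeared in."""
    counts = Counter()
    for observations in intrusions.values():
        for behaviour in {b for _, b in observations}:
            counts[behaviour] += 1
    return counts


def phase_coverage(intrusions):
    """Map each kill-chain phase to the intrusions in which it was observed.
    Phases with an empty list are blind spots in the defender's visibility."""
    seen = defaultdict(set)
    for name, observations in intrusions.items():
        for phase, _ in observations:
            seen[phase].add(name)
    return {phase: sorted(seen[phase]) for phase in KILL_CHAIN}


def rank_mitigations(intrusions, mitigations):
    """Order mitigations by how many observed intrusions each would have
    disrupted; ties go to the mitigation acting earliest in the chain."""
    phase_index = {}
    for observations in intrusions.values():
        for phase, behaviour in observations:
            phase_index[behaviour] = KILL_CHAIN.index(phase)
    scored = []
    for mitigation, breaks in mitigations.items():
        disrupted = {name for name, obs in intrusions.items()
                     if any(b in breaks for _, b in obs)}
        earliest = min((phase_index[b] for b in breaks if b in phase_index),
                       default=len(KILL_CHAIN))
        scored.append((mitigation, len(disrupted), earliest))
    scored.sort(key=lambda t: (-t[1], t[2], t[0]))
    return [(m, n) for m, n, _ in scored]


if __name__ == "__main__":
    validate(INTRUSIONS)
    for mitigation, hits in rank_mitigations(INTRUSIONS, MITIGATIONS):
        print(f"{hits} of {len(INTRUSIONS)} intrusions disrupted by {mitigation}")
    blind = [p for p, names in phase_coverage(INTRUSIONS).items() if not names]
    print("phases never observed:", ", ".join(blind))
```

On the constructed data the top-ranked control is the one that breaks the command-and-control behaviour shared by all three intrusions, ahead of controls that each address only two. The empty phases reported by phase_coverage (here reconnaissance and weaponization) are also a result: they tell the defender where observation is missing, not where the adversary is absent.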

Defenders Can Learn By Watching Their Adversaries

To be clear, mitigating vulnerabilities remains a good idea, but we need to understand the limitations of focusing exclusively on vulnerability identification and mitigation. First, as CyberPhysicalHuman systems become increasingly complex and interconnected, the number of vulnerabilities will always exceed our capacity to find and fix them. Second, liability and fiduciary concerns can discourage organizations from sharing information about vulnerabilities in their own systems, so defenders rarely see the whole picture. Third, sophisticated attackers apply a long-term focus to high-value targets through ongoing, evolving campaigns; when one vulnerability is mitigated, they move to another, so fixing holes alone does not end the campaign.

This means that a comprehensive defense strategy combines vulnerability reduction with a threat-based approach, grounded in an understanding of what is most important to protect. A comprehensive defense strategy must also be informed by the reality that bad things can still happen. To that end, our next article will start to address resilience in the CyberPhysicalHuman world.

This post is part of a continuing series that will look at the CyberPhysicalHuman world from three perspectives: convergence, risk and resilience:

  1. The CyberPhysicalHuman World of Homeland Security
  2. Convergence: A Recent History
  3. Risk: Focus On Your Main Thing(s)
  4. Applying Ancient Wisdom to Help Manage Modern Risks
  5. Resilience Is a Team Sport
  6. Resilience, Moving Beyond Sectors
  7. Enabling Effective Collaboration with Shared Threat Information
  8. Wrapping It Up and Moving Forward
  9. Coming Closer and Closer to You
  10. More Ancient Wisdom for Today's CyberPhysicalHuman World
  11. There is No One-Size Fits All Approach to the CyberPhysicalHuman World