The State of Incident Response by Bruce Schneier

This series of articles reflects a Black Hat talk by prominent computer security expert Bruce Schneier where he covers the current state of incident response.

I’m going to talk about incident response. I’m going to talk about it in kind of a meandering fashion. I’m going to talk about three trends in cybersecurity. I’m going to talk about five pieces of science: four from economics, one from psychology. I’ll talk a bit about the current state of incident response and try to tie this all together with some systems theory from the U.S. Air Force. That’s the plan for the next hour.

So, trends first. First trend is that we are losing control of our IT infrastructure. And I think this is really interesting to watch, because it’s really a function of the way technology is working right now. The first thing that’s happening is that the rise of cloud computing means we have a lot less control of our data: our email, our photos, calendar, address book, messages, documents – they’re all on servers belonging to Google, Apple, Microsoft, Facebook, these different companies. Probably in this room is going to be the greatest concentration of people who actually still have their stuff on their computers. Go out of this room, out of this conference – everybody else is going to have their data on someone else’s cloud. That’s the way the world is working. It’s true for individuals, and it’s also becoming true for organizations. Organizations now are outsourcing communications, CRM systems, applications, desktops – entire IT infrastructure – into the cloud.

As we do that, we lose control over the technical details of those things. We often can’t affect the security of those systems; I mean, we can, depending on virtualization, but the core security we simply have to trust. You don’t actually have visibility into this security. I mean, I can’t tell you what kind of operating system Facebook uses. I have no idea, and I pretty much don’t care.

Less user control with portable devices

Also, we’re increasingly accessing all this data through devices where we have much less control. We’re using these things (holding up a smartphone): iPhones, iPads, Android phones, Chromebooks – devices where we don’t have as detailed a control of the configuration as we do on our computers. I cannot run arbitrary software on this machine unless I break it, which, you know, normal people aren’t going to do.

And if you look at the operating systems, you look at Windows 8, you look at Apple’s Mountain Lion, now Yosemite – both of those are moving in the same direction of more vendor control, less user control. And again, corporations are using these things just as much as individuals are, because people want them, people like them. So, again, it gets to less control of the infrastructure. Organizations are doing this pretty much for solid financial reasons. It makes a lot of sense to outsource all this, it’s cheaper, it’s better, more reliable – all the reasons you do it. And in general we in society always outsource infrastructure. IT is catching up here. But as security people, this means we have much less control. That’s the first trend.

Second trend: attacks are getting more sophisticated. There’s a lot of lousy news out there. What’s reported on seems to be a function of what editors find interesting, and less of what’s real. But we are seeing increasing attacker sophistication. This is across a variety of attackers – nation state, non-nation state, hobbyists, criminals; and we are seeing increasing sophistication across all levels.

I have debates on cyber war, and people are talking about some of these major attacks as examples of cyber war. I think that’s nonsense. I think what’s really going on and the really important trend is that we’re increasingly seeing war-like tactics being used in broader cyber conflicts. This is important. Technology spreads capability, especially computing technology which can automate attacks and capabilities.

And it used to be you could tell the attacker from the weaponry. And if you walked outside on the street and you saw a tank, you knew that the U.S. Army was involved, because only armies could afford tanks. The weaponry told you who the attacker was. That shortcut doesn’t work anymore. Everyone is using the same tactics, everyone is using the same technologies; they are all across the threat spectrum. A lot of this is “advanced persistent threat”, a buzzword that I started out hating and have come round to like, because I think it describes something really important about IT security that as an industry we’ve largely missed.

So you could think of attackers along two different axes: skill and focus. A low skill, low focus attacker – that’s a script kiddie, that’s an opportunist, that’s someone who is attacking everything and anything, what I think of as the background radiation of the Internet. High skill, low focus – think of those as identity theft attacks, zero day exploits, the kind of stuff we also see pretty regularly. Low skill, high focus is your typical targeted attack. High skill, high focus – that’s APT; that’s advanced persistent threat.

The reason this is an important distinction is that the way you look at your defense is different. In a normal criminal attack, what matters is relative security. If your security is better than people around you, you are safe. The typical criminal wants a database of credit card numbers – it doesn’t really matter where he gets them. It will be you or somebody else. If you’re better, you’re fine. Against an APT, the attacker for some reason wants you. And there it doesn’t matter how much better you are than your neighbors; what matters is whether you are better than the attackers. And we all know in this room that if the attacker is sufficiently motivated, skilled and funded, they will get in. You all know somebody who does pen testing for a living, and you know they never fail to get in.

The question is how we deal with it. I think these are politically motivated attacks, and I define politics very broadly here: nationalistic, religious, ethical, against institutions, against governments. So you think of companies in politically charged industries – big oil, big tobacco, big pharma. You think of companies everyone loves to hate – used to be Microsoft, now it’s Google. And these are the targets for these politically motivated attackers.

Financially motivated hacking has also gotten more sophisticated, better funded, more international. I think what’s really happened is that cybercrime has finally matured as an industry. There’s now an entire supply chain in place for cybercrime: thieves, fences, mules; all the pieces are there, anything that you can’t do you can outsource, you can chain it all together. And the process from theft to monetization has become very fast and very efficient. That’s trend two.

Government-run defense becoming common

Trend three is the increased government involvement in cyberspace. Long gone are the days when governments didn’t understand the Internet and when they left the Internet alone. The regulatory environment is getting much more sophisticated. This is domestically and internationally. There are a lot more rules involving personal data, especially outside the U.S. On the attack side, there’s a lot of nation state-sponsored espionage and attack. A few months ago we were seeing some attackers from China compromising U.S. corporate targets. We are seeing nation state attacks conducted by the U.S., by other countries. And a lot of the time organizations are really collateral damage that were sort of in the way, more than anything else. There’s a lot more talk about critical infrastructure, which is moving toward more government-run defense. As countries realize that their power grid and their transportation infrastructure are all dependent on the Internet, they’re going to start saying “Hey, we need to be in charge of its defense.” We’re going to see that more and more.

Also, we have a cyberwar arms race going on. There are 27 countries now with cyber commands. They are all building cyber weapons, they are all stockpiling vulnerabilities and they’re all looking at each other with suspicion and then doubling their efforts to make sure they are stronger than before. And I think this is increasingly destabilizing.

Alright, those are the trends.

Read next: The State of Incident Response by Bruce Schneier 2: Security-Related IT Economics