Anticipating Future Security Design Patterns

Russell Glaue
Jun 29, 2022


In the WIU School of Computer Sciences among my colleagues and with my students in my Software Engineering classroom, we discuss how we have developed a great wealth of Software Design Pattern and Anti-Pattern knowledge in the last 50 years. Yet in the past 20 years our problem domain has shifted from inside exposure of a known population, to an outside exposure of an unknown population — the Internet. We do not yet have a comparable wealth of Security Design Patterns and Anti-Patterns as we do in traditional Software Engineering. And this problem domain continues to grow at an increasing rate.

My colleagues and I agree that we teach students how we have solved previous design patterns, so that we can enable our students with the critical thinking skills for solving new ones of today as well as those yet to come.

The article I provide a link to below gives a very good insight on how one threat actor is creating botnets to implement campaigns. It also mentions threat patterns, and how services (like pastebin) are abused to distribute malware seed. What can we glean from what we know in order to develop Security Design Patterns for our industry?

https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/

Today we use the Traffic Light Protocol (TLP) and STIX/TAXII to share IOCs (indicators of compromise) in a standard format, and we exchange them in communities like the Open Threat Exchange (OTX). Yet is there a potential to transform IOC data and information about passive multiplier systems (systems used by threat actors to distribute malware) into some kind of Knowledge Packet (first introduced by Wachsmuth 1987) that can be used in automation? K-PACs (a current knowledge packet concept used in #KnowledgeAware) could be leveraged as we revolutionize towards Industry 4.0 to give us cyborg awareness of our collective cyber threat intelligence (CTI).
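As an added illustration of the sharing format mentioned above (example code written for this page, not from the original article or any of the projects it names), the block below builds a small STIX 2.1 bundle by hand: a TLP:AMBER marking definition, two indicators describing the paste-service-to-download-host pattern the article refers to, and a minimal matcher that runs those indicators over constructed proxy log lines. All hostnames, ids and log lines are constructed (the hosts sit on the reserved `.invalid` TLD), the marking id is generated rather than the fixed id the STIX specification assigns to TLP:AMBER, and only the single-comparison STIX pattern form is parsed. It uses the Python standard library only, so no `stix2` package is required.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed TLP:AMBER marking definition. STIX 2.1 fixes the ids of the
# four TLP marking definitions; a generated id is used here (assumption) so
# the example does not depend on reproducing those constants.
TLP_AMBER = {
    "type": "marking-definition",
    "spec_version": "2.1",
    "id": "marking-definition--" + str(uuid.uuid4()),
    "created": "2020-02-05T00:00:00.000Z",
    "definition_type": "tlp",
    "name": "TLP:AMBER",
    "definition": {"tlp": "amber"},
}

# Constructed indicators (hypothetical hosts on the reserved .invalid TLD),
# in the shape the article describes: a paste service abused to hold a
# malware seed, and the host the seed fetches its payload from.
CONSTRUCTED_IOCS = [
    ("[url:value = 'https://paste.example.invalid/raw/abc123']",
     "constructed: paste service hosting a malware seed"),
    ("[domain-name:value = 'cdn.example.invalid']",
     "constructed: host the seed downloads its payload from"),
]


def make_indicator(pattern, description, marking_id):
    """Build one STIX 2.1 Indicator object that carries a TLP marking."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": now,
        "modified": now,
        "name": description,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
        "object_marking_refs": [marking_id],
    }


def build_bundle():
    """Bundle the marking definition and the indicators for exchange."""
    objects = [TLP_AMBER] + [
        make_indicator(p, d, TLP_AMBER["id"]) for p, d in CONSTRUCTED_IOCS
    ]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


# Only the single-comparison form  [type:property = 'value']  is handled;
# real STIX patterns can be far richer (boolean operators, qualifiers).
_SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")


def parse_simple_pattern(pattern):
    """Return (object type, property, value) for a single-comparison pattern."""
    m = _SIMPLE_PATTERN.match(pattern)
    if m is None:
        raise ValueError("unsupported STIX pattern: " + pattern)
    return m.group(1), m.group(2), m.group(3)


def tlp_of(bundle, obj):
    """Resolve the TLP colour an object is marked with, or None if unmarked."""
    markings = {o["id"]: o for o in bundle["objects"] if o["type"] == "marking-definition"}
    for ref in obj.get("object_marking_refs", []):
        m = markings.get(ref)
        if m is not None and m.get("definition_type") == "tlp":
            return m["definition"]["tlp"]
    return None


# Constructed proxy log lines: "<timestamp> <client> <method> <url>".
SAMPLE_PROXY_LOG = [
    "2020-02-05T09:12:01Z 10.1.2.3 GET https://paste.example.invalid/raw/abc123",
    "2020-02-05T09:12:02Z 10.1.2.3 GET https://cdn.example.invalid/stage2.bin",
    "2020-02-05T09:13:44Z 10.1.2.9 GET https://www.example.org/index.html",
]


def match_bundle(bundle, log_lines):
    """Run every indicator over the log; return (indicator id, line) hits."""
    hits = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        _, _, value = parse_simple_pattern(obj["pattern"])
        for line in log_lines:
            if value in line.split()[-1]:  # compare against the URL field only
                hits.append((obj["id"], line))
    return hits


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    for ind_id, line in match_bundle(bundle, SAMPLE_PROXY_LOG):
        print(ind_id, "->", line)
```

The `tlp_of` lookup is the hook an automated consumer would check before forwarding or acting on an indicator: the marking travels inside the bundle rather than alongside it, so a receiving system can enforce the sharing restriction without out-of-band agreement. A production matcher would use a real STIX pattern evaluator instead of the single-comparison parser shown here.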

I anticipate a community technical system in which we will have a vast network of IOC data providers to map the activity of threat actors from victim to passive multiplier systems and back to the threat catapult where the threat actor launched the campaign. Third party vendors that are used as the passive multipliers by threat actors will have automated systems to respond to IOC alerts so they can automatically add their own usage data, like the source location from where malware seed is being uploaded, to end-systems downloading malware seed (making this process look almost like a honeypot). Together we can conceive a network of autonomous systems producing intelligence about our threats, and creating K-PACs (Knowledge Packets) we can use to apply in developing the future of Security Design Patterns.

We are at a turning point in our industries. Technology advances and exploitation are moving at such a fast pace that cyborg-aware processes will have to fuel the knowledge we build. We must standardize our knowledge and collect it intelligently, so that these security processes can consume it quickly and let us innovate faster — and hopefully at a pace faster than the threats.

Further Reading:

I originally posted this article on LinkedIn on February 5, 2020 https://www.linkedin.com/pulse/anticipating-future-security-design-patterns-russell-glaue/

Find out more about me https://www.linkedin.com/in/russellglaue/

My Additional Comments

“Attackers continue to abuse legitimate online storage platforms for their own gain. By storing malicious payloads on trusted platforms, attackers can bypass security products to exploit the trust given to legitimate online services. … Security practitioners must find ways to evolve faster and ensure the security of these trusted resources so we can stay ahead of these threats.”
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

Perhaps software companies that knowingly patch their security holes should also provide, in those security updates, functionality that looks for directly related IOCs and reports on them.
Is this problem domain getting so complex that end-administrators can't identify the seriousness of the threat posed by software security bugs?
https://threatpost.com/un-hack-microsoft-sharepoint-flaw/152378/


Russell enjoys researching and engineering systems that require complex systems of systems architecture, with an eye on cybernetic-aware design.