Storm Chasing and Web Security

I wanted to write a follow up article on a popular post that I wrote earlier, ‘You Have Been Hacked’. The previous article was meant to be an introduction to the work that I have been doing with MB™ on web security for the past few months. Some people have been asking me about the type of data analysis that I have managed to effectively incorporate into my machine learning project. Hence, I have decided to take out some time to write about some of the application taken from another field of study that I have applied to my intelligent web security model.

Have you ever heard about storm chasing? In my opinion, storm chasing is actually very similar to web security. This is a quote taken from Wikipedia about storm chasing:

These can include the beauty of views afforded by the sky and land, the mystery of not knowing precisely what will unfold and the quest to undetermined destination on the open road, intangible experiences such as feeling one with a much larger and powerful natural world, the challenge of correctly forecasting and intercepting storms with the optimal vantage points, and pure thrill seeking. Pecuniary interests and competition may also be components; in contrast, camaraderie is common. — Wikipedia

This quote exactly describes what I have been doing with machine learning, data analytics, prediction and web security. The beauty of sorting and unraveling the ever changing digital space and the excitement of discovering a potential breach or compromise is thrilling. In short, I like to view myself as a web security digital storm chaser! I feel that anyone can do this, no degrees required, just pure passion and experience with the right set of tools. Weather forecasting is one of the hardest things to predict accurately even with the technology that we have today.

The inaccuracy of forecasting is due to the chaotic nature of the atmosphere, the massive computational power required to solve the equations that describe the atmosphere, the error involved in measuring the initial conditions, and an incomplete understanding of atmospheric processes. Hence, forecasts become less accurate as the difference between current time and the time for which the forecast is being made (the range of the forecast) increases. — Wikipedia

Web security is in a similar state today. We have all the technology but it is still a very hard problem to solve accurately because the amount of variables involved in the digital environment, the context surrounding the conditions of the compromise, the amount of data to be evaluated and our incomplete understanding of the perpetrator results in a very inaccurate forecast of impending attacks. What is even more interesting is that storm chasers are like web security professionals in that a large amount of time is spent waiting and analyzing.

Besides the copious driving to, from, and during chases, storm chasing is punctuated with contrasting periods of long waiting and ceaseless action. — Wikipedia

Even the portion of the work when the action actually happens are very similar for both the storm chaser and the web security professional. The storm is brewing real time in the digital space and this can be easily picked up by simple machine learning algorithms. Contrary to popular belief or misunderstanding, picking up the signs of a possible impending attack does not need to be Skynet or even an accurate science. Rather, it is all about proper data collection focused on figuring out the context of the anomaly at the time of the digital storm formation, the more the merrier.

The more complex and difficult part of digital storm chasing is in the analysis to determine if there was a touchdown. In weather storm chasing, a storm is just a storm until a touchdown occurs and the storm then officially becomes a hurricane. In digital storm chasing as well, a storm formation does not necessarily translate into a touchdown. I need to explain this concept of what I mean by a digital touchdown. In my work, a touchdown does not equate to a compromise. Remember that in my previous article, I have explained that my work and effort is in the initial reconnaissance phase of the cyber kill chain. A compromise happens when the hacker has successfully infiltrated or gained access into the target system or in other words, the hurricane is now en route towards a populated area. Once the target system has been compromised, the potential for damage is assured. However, in the initial reconnaissance phase, no potential for damage can be assumed yet.

For my analysis work, a touchdown simply means that the attacker or perpetrator has had contact with the target system whether directly or indirectly by other means like a botnet, Tor, proxy or etc. Once touchdown can be confirmed, the race is on to track the path and interest of the attacker or perpetrator. If we can determine the probable intent through the trajectory of the information or data that the attacker or perpetrator is collecting then bingo! We have a high probability of an impending attack and hence a possible accurate prediction to a future security event or compromise.

If you are using MB™ on your website or IoT device, you will see many of the heavy duty analysis being translated into simple human understandable parameters that is meant to define a touchdown and the information collection trajectory of the web visitor. The only difference between a weather storm chaser and my work as a digital storm chaser is that I can route that touchdown away from a compromise by openly making the attacker or perpetrator aware that he or she is being monitored. At the same time, my service also alerts the site or IoT device owner of the impending attack. Unlike the traditional data analytics approach to web security where post log analysis is used to determine a compromise, everything I have just described to you is all done real time while the events unfold. The value of a system like MB™ is in its ability to couple quick machine response together with human review.

Hopefully, this article has given you a good understanding of what I am trying to achieve with MB™. Feel free to contact me if you have interest in my area of work, you can get my contact details on my project site.

Originally published at blog.malleablebyte.org on August 16, 2016.