Graph Visualization Showing Grizzly Steppe (center blue node) Correlations with TruSTAR incident data and open source threat data.

No Computer is Safe: Now What?

Paul Kurtz
Published in TruSTAR Blog
Jan 4, 2017


The quote “Technology is not the measure of a great civilization” from the first episode of The Man in the High Castle is timely given media headlines on President-elect Trump’s remark that “no computer is safe.” Since global critical infrastructure depends on computers for virtually everything — finance, transport, health, manufacturing, energy, military operations — his statement appears to offer a shaky start to the new year.

My bet is that this was not the President-elect’s intent and, in fact, there is reason for optimism. Perhaps the true measure of a great civilization is the ability to work together to solve thorny, seemingly intractable problems. Certainly, cybersecurity appears to meet both criteria. There is a growing recognition that cybersecurity requires a different approach. Rather than protecting against adversaries individually, there are several efforts underway in the private sector focused on exchanging and fusing incident data in near real time between companies. For example, leading banks in the financial community announced last August that they would redouble efforts to fuse data associated with cyber incidents. Governor Tom Ridge, a former Secretary of Homeland Security, announced in October the formation of CyberUSA, which focuses on fusing incident data among states. The Cloud Security Alliance’s Computer Incident Security Center continues to grow, with over 30 companies participating.

Why are these initiatives important? Part of the answer rests in a close analysis of the December 29 Joint Analysis Report (JAR) on Grizzly Steppe. The report, produced by the Department of Homeland Security and the FBI, offers technical Indicators of Compromise (IoCs) associated with attacks in the United States attributed to Russia. The report was released after a thorough scrubbing of classified data by national security agencies. If we set aside the debate over attribution, it is clear from the report that the hacks have been underway since the summer of 2015. What we have as a result appears more ambiguous than the report’s central argument. As security analysts have pointed out in the last week, the IoCs released with the JAR are ephemeral and do not come with associated evidence to help defenders ascertain confidence in them. This leaves the report unactionable.

To gain a better perspective on the Grizzly IoC dataset, we analyzed it against TruSTAR Technology’s database of incidents submitted by our corporate members, and we found IoCs connecting to incident reports going back to January 2016, shortly after we first established our exchange. We also found IoCs in the TruSTAR incident database that correlated with the Grizzly IoCs as well as with other malware families and campaigns like PowerDuke, SeaDuke, Fysbis, and BlackEnergy. Some of these campaigns have been linked to Russian groups whose focus ranges from industrial control systems to US think tanks. By looking at how the Grizzly IoCs correlated with the incident data we have been collecting over the last year, we were able to provide additional context, including timing, recurrence, and tactics.

To be clear, TruSTAR does not generate intelligence from sensors or analysts; our data is derived from correlating incident and alert data exchanged between companies. TruSTAR’s system adds relevant context from third-party reporting and open source information. With the exchange underway for over a year, operators are beginning to develop a reflex to immediately send data associated with events in their systems, to understand how it correlates with information from other companies and to gain deeper context on malicious activity. Having a synoptic understanding of incidents across organizations and sectors is uncovering attacks more quickly and accelerating mitigation.
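The correlation described in the two paragraphs above, as an added illustration that is not TruSTAR’s own code: a JAR-style indicator list is checked against incident reports exchanged between members, and each matching indicator gains the context the post mentions (first and last sighting, recurrence, and co-occurring campaign tags). All indicators, report ids, timestamps and tags below are constructed placeholders (RFC 5737 addresses and `.invalid` domains), not the real Grizzly Steppe IoCs.

```python
from datetime import datetime

# Constructed JAR-style indicator list: placeholder values, not the published Grizzly IoCs.
JAR_IOCS = {
    "192.0.2.10": "ipv4",
    "198.51.100.7": "ipv4",
    "c2.example.invalid": "domain",
    "203.0.113.5": "ipv4",
}

# Constructed incident reports as an exchange member might submit them:
# (report id, submission time, indicators observed, campaign tags from the submitter's analysis).
INCIDENTS = [
    ("INC-001", "2016-01-19T14:02:00", ["192.0.2.10", "drop.example.invalid"], ["PowerDuke"]),
    ("INC-002", "2016-04-03T09:30:00", ["203.0.113.5"], []),
    ("INC-003", "2016-07-22T18:45:00", ["192.0.2.10", "c2.example.invalid"], ["SeaDuke"]),
    ("INC-004", "2016-11-08T07:10:00", ["198.51.100.44"], ["BlackEnergy"]),
]


def correlate(iocs, incidents):
    """For each listed indicator seen in incident data, collect the context a defender wants:
    which reports it appeared in, first/last sighting, and campaigns it co-occurred with."""
    hits = {}
    for report_id, ts, observed, campaigns in incidents:
        when = datetime.fromisoformat(ts)
        for ind in observed:
            if ind not in iocs:
                continue  # indicator not on the list; nothing to correlate
            h = hits.setdefault(ind, {"type": iocs[ind], "reports": [],
                                      "first_seen": when, "last_seen": when, "campaigns": set()})
            h["reports"].append(report_id)
            h["first_seen"] = min(h["first_seen"], when)
            h["last_seen"] = max(h["last_seen"], when)
            h["campaigns"].update(campaigns)
    return hits


def unmatched(iocs, hits):
    """Listed indicators with no sighting at all: the ones a defender cannot build confidence in."""
    return sorted(set(iocs) - set(hits))


if __name__ == "__main__":
    hits = correlate(JAR_IOCS, INCIDENTS)
    for ind, h in sorted(hits.items()):
        print(f"{ind} ({h['type']}): {len(h['reports'])} report(s), "
              f"{h['first_seen'].date()} to {h['last_seen'].date()}, campaigns={sorted(h['campaigns'])}")
    print("no sightings:", unmatched(JAR_IOCS, hits))
```

The recurrence count and the date range are what turn a bare indicator into something an operator can prioritize; the unmatched list shows which entries remain unverifiable from exchange data alone.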

Certainly, the Federal government’s intent behind issuing the JAR was positive. The government’s stated purpose was to help defenders. But the release of the JAR well over a year after the events started to occur illustrates the inherent flaws of government leadership in protecting cyberspace. Because of intelligence issues — protecting sources and methods — we can’t expect a timely, contextual flow of actionable information. Private-sector driven exchanges go a long way toward addressing the challenges of speed and context. No doubt the Federal government will be able to add pertinent information from time to time, but leadership must be driven by the private sector.

The successful fusion of data presents an opportunity for real progress among defenders, a break from the old paradigm of “go it alone” to a new model of collaborative exchanges. The creation of exchanges that manage market and reputation risk while providing value to operators among vetted companies increases the costs and complexity for adversaries, whether nation states, criminals, or terrorists. New technologies to detect or block attacks are perishable, as adversaries continue to game algorithms and penetrate systems. However, the growing commitment to exchange data among allied defenders will change cyberspace.

There is no turning back our reliance on information technology. The hard truth is we cannot defend computer systems by solely focusing on more technology. The defense of our interconnected networks requires “networks” of companies committed and incentivized to exchange data and work together. Indeed, a great civilization cannot be measured by technology. However, technology combined with an allied commitment can provide an exceptionally powerful force toward a more constructive civilization — and secure computers.
