The Art of Digital War
by James Rees CISM, PCI DSS QSA, ISO 27001 LA
Managing Director, Razorthorn Security
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
Sun Tzu, The Art Of war, 5th Century BC
There are few books in history that are still considered to be as valuable today as when they were written and “The Art of War” is one of them. Written in 5th Century BC, it is still considered today to be essential reading in many fields, including business. It has been quoted in a ton of movies, books and media more times than you can probably count. As you can probably see, I am a huge fan of the manuscript and have studied it numerous times both for my work in the field of information security and for my own medieval battle interests outside of my working life. It is an excellent read and I’d recommend getting yourself a copy as soon as you can.
I was interviewing Richard Cassidy from Exabeam for our YouTube channel recently and he mentioned that we are fighting a never ending digital battle, us information security people, IT people and business people, against the malicious actors looking to compromise systems and networks for their own gain. He was absolutely correct and after some thinking, this article was born.
Since the internet became widely available back in the 90s, we have been seeing an ever-increasing demand for technological advancement. Many of the systems and services that we rely on today are all connected to networks, which are connected to other networks and so on and so forth until you reach the internet. Applications and software run everything. The last 25 years have seen more advancement in technology than ever before in the history of our species and the rate of development and advancement is increasing and getting faster and more efficient every year. It is a fantastic time to be alive.
But for all the huge benefits we have in today’s world, we are totally reliant on that same technology to run our lives, our businesses and our governmental institutions. It’s hard to remember a world where information was not instantly available, or services available at our fingertips. Whilst this provides us the comfort to concentrate on other matters to previous generations, it has led to a level of reliance that means if that same access to technology gets taken away, in whole or in part for any length of time, there would be serious social, mental and real-world implications. All our financial and critical infrastructure now runs digitally in some form or another – it has made us both strong and weak as a species.
So now I have set the scene, what has this got to do with cyber security and digital war?
Information security people have for a long time now been working as hard as possible to secure infrastructure, systems and services from being compromised or rendered unavailable due to some form of software error or outage. Us old timers call this the AIC Triad, which stands for Availability, Integrity and Confidentiality. In the early days, we spent a lot more time securing against software outages, downed comms links and similar such issues. IT back then was very much a young discipline and innovation in that space was based around the development of better, more efficient systems and redundancy to ensure critical systems and services remained available. There was a lot of innovation in moving the older paper-based systems over to fully digital versions that were built to be able to evolve and change as well as be refined as required.
Then we started moving to ecommerce over traditional high street shopping. And with that, the world of information security changed forever.
As is historically proven time and time again, once a system is in place to take payment for services, or a system for the movement of money is created, or anything to do with money is put in place, shortly after you will get the criminals sniffing around. And with the rapid rise in popularity of internet shopping, more and more followed. Today, cyber crime is considered to be one of the fastest growing criminal industries on the planet, eclipsing even the global drugs trade in profitability.
Thus we hit where we are today, after that brief history lesson. 20 – 25 years ago we were worried about a virus causing havoc, or a system falling over etc. Today, we are worried about ransomware, data loss, credit card theft, cryptocurrency theft, etc. The list grows each day. As I have mentioned in my video blogs, there is currently the seriously disturbing trend towards compromising key service providers and software solution providers from alleged state sponsored hackers who are targeting these institutions to introduce backdoors and malicious code into their software, which, when installed onto their customer systems, provide access for those malicious groups to undertake covert operations.
Information security professionals are in great demand at the moment. Malicious activity has grown to epidemic proportions in the last few years and it has caused many a board of directors and shareholders of organisations of all sizes serious concern about whether they will be the next targets. But for every information security professional trying to protect an organisation, there is another trying to find new ways to compromise everything the information security professional is trying to protect. In essence, this is a huge digital battle raging on the internet that you only really see when one or more of the malicious groups compromise the systems of an organisation and the news gets out. Unfortunately, you rarely hear about breaches if there is the possibility of a coverup. The difficulty in this never ending battle is that information security professionals are usually underfunded and the malicious actors can make a lot of money and thus are in essence overfunded. Other than what these individuals or groups take for themselves, they usually plough the remainder into increasing their ill-gotten yields.
There is a whole Dark Web cyber criminal community where they sell their gains as well as access to systems, malicious code, targeted attacks, vulnerabilities and all kinds of supporting services and technologies. This cyber criminal ecosystem mirrors that of the ethical system in reverse. There are coders paid to create malicious software, there are initial access brokers selling access to systems, there are hackers for hire and many, many other services that can be procured for those with the right contacts, the right money and the right determination.
The unfortunate truth is that cyber crime is never going to go away. Cyber attacks and state sponsored attacks are going to get more and more widespread as time goes by. We are constantly having to adjust and change our defensive tactics to keep up with our counterparts in the darker side of cyber security because if we don’t, the average cost of cyber crime per year will rise even faster than it is now. It is a real balancing act – by keeping the cyber criminals on their toes, we are keeping the rate of cyber crime damages increasing at a lower rate, yet they are keeping us information security people on our toes by coming up with ways to circumvent the security countermeasures we put in place… it’s an endless dance that is never going to change.
This is a war that can never be won and will only ever continue.
Organisations, both public and private, will have to rethink security in order to efficiently and effectively maintain a semblance of balance. Security can no longer be the bolt on at the end of the process, it needs to be carefully baked into the beginning, the middle and the end of every part of an organisation’s DNA. An organisation needs to have a baseline for basic security, then build levels of defence in depth on top in the form of policies, processes, standards and awareness training. Software developers need to undertake secure coding and strict DevSecOps along with security testing of code and products. IT professionals need to secure infrastructure, perimeters and ensure adequate testing of all infrastructure at least annually or after any significant change, and information security teams need to carefully manage and support the business with governance, risk and compliance to pull it all together in a way that provides consistent, effective and evolving security and risk management as the organisation itself evolves and changes.
There are so many components to information security in today’s world that it’s hard to list them. The list I just mentioned is in no way complete and hardly does it justice, but it’s a good base to start from, I could spend several days talking about cyber security and tooling alone, let alone security governance, risk management and incident response, but I don’t think I have quite that much time.
Trust me, there is a lot to go over.
To conclude, let’s revisit the quote I used at the beginning. I think one of the biggest problems we have as an industry is the limited knowledge we have of both ourselves and of the enemy, hence why we are stopping some attacks, but falling foul of others. We have a good knowledge of low to mid-level attacks, as well as the types of malicious software the lower end of the cyber criminal spectrum use. We put countermeasures in place to deal with these and they are pretty effective.
However, we have very little knowledge of the malicious actors higher on the spectrum, especially in the state sponsored side. It is a fact that governmental security institutions have been reported to have backdoors and knowledge of vulnerabilities in key technologies that they can use to compromise systems, and with all the reports of “state sponsored hackers” actively attacking key organisations, we are starting to see an evolution of the battle entering into a new level.
We need to take a step back and re-evaluate the battlefield and the defensive methodologies we are using to protect our organisations and institutions. It is apparent that protecting our organisations is down to us alone, as our own government’s state sponsored teams are more concerned with waging their own cyber wars, with little regard for protecting commercial concerns, who are being left to defend themselves. This is never going to change, so we need to spend more time talking as a community, helping one another out, advising one another and pooling our resources so that we can mount a collective defence posture that can protect our commercial institutions from this ongoing war.
This all sounds very grandiose, I fully appreciate that. But I firmly believe the information security industry needs to carefully return to the basics and rebuild for a modern information security world, rather than returning to the same old systems that quite frankly are very hit and miss at the best of times. If you don’t believe me, just look at the last 2 years’ worth of attacks and do the research.
It is time for us to get to know ourselves and re-evaluate our situation and research and re-review our enemy and their goals.