It’s hard to believe we’re not far away from the 20th anniversary of the dreaded Y2K bug that put fear into every technology professional’s life at the turn of the millennium. The Y2K bug was initially thought to be a major safety threat because experts claimed there were significant flaws in the software of computers that controlled many critical systems such as air traffic control, the electric grid, banking, traffic lights and other key resources. In hindsight, the threat was over-hyped. None of the dire predictions came true – partly due to preparation, but mostly because such systems were not so heavily automated and had human intervention to prevent catastrophe.
Today, however, failure or malicious attack on critical infrastructure is real. So real, in fact, that U.S. Undersecretary of Defense Marcel Lettre declared that cyberattacks that result in the destruction of critical infrastructure or serious economic impact should be closely evaluated as to whether or not they would be considered an act of war. With the pace of innovation and digital transformation, the threat only continues to grow. Thanks to the internet of things, more and more systems that we rely on to live every day (such as energy, food and agriculture, health care or even our water supply) are connected to the internet as well as one another – opening more potential entry points for hackers.
Such systems are officially considered part of the Critical Infrastructure and Key Resources (CIKR) by the U.S. Department of Homeland Security, and include sectors whose “assets are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Protecting Our Key Resources
Until recently, CIKR systems were either air-gapped (i.e., completely disconnected from any other network, including the internet) or behind at least one or more firewalls. But even these measures don’t offer full protection, as demonstrated by attacks like Stuxnet in 2010. Even worse, critical infrastructure services are distributed, extend beyond firewalls and employ external cloud-based services.
To protect the new distributed, cloud-based CIKR, cybersecurity vendors now offer security-as-a-service across private and public cloud vendors. These next-generation cybersecurity systems are designed to monitor, detect and react to threats automatically, shutting down ports, issuing alerts, raising threat levels and deploying various countermeasures without human intervention – all at machine speed.
The links between threat detection and defensive actions are captured in “playbooks” that allow machines to coordinate threat responses including ongoing and advanced persistent threats. Playbooks are like recipes that coordinate various tools in a cyber defense ecosystem, even though such tools may be provided by a myriad of vendors. Playbook coordination is implemented via orchestration engines that allow tools in a cyberdefense system to exchange information securely regardless of their role or vendor. For example, I’ve used anti-phishing playbooks to coordinate tools that track domain blacklists with other tools that filter incoming emails. These tools belong to different vendors, but can be coordinated via playbooks.
Achieving Herd Immunity
Playbooks come in two flavors: adversary and defensive. Adversarial playbooks capture the behaviors of cyberattackers such that their actions can be predicted and anticipated. Defensive playbooks capture common and best-practice responses to ongoing or impending cyberthreats. By sharing playbooks and threat information across CIKR, a kind of “herd immunity” can be achieved that denies attackers the element of surprise or the reuse of attack vectors on new victims. Information sharing and analysis centers like the FS-ISAC (financial) and E-ISAC (energy) have been established in recent years to facilitate sharing threat information via common STIX and TAXXI protocols. Programs like the joint DHS-NSA Integrated Adaptive Cyber Defense (IACD) program seek to standardize playbooks, the protocols used to orchestrate tools and information-sharing messaging across a sector.
For example, phishing attacks are a common dominant cyberattack vector. Attackers seek to hijack identity credentials of administrators who control privileged operations remotely via malicious hyperlinks embedded in fake emails from a user’s supervisor or co-workers. Consider bank employees and contractors who manage offsite and networked automated teller machines (ATMs): An incoming email message may contain a malicious hyperlink that acts as a trigger capable of implanting a virus or zero-day attack on the recipient’s computer. At the enterprise level, an identity threat playbook is capable of protecting against such attacks by filtering all incoming emails for suspicious hyperlinks, including commonly published lists of such links, sender emails and message body signatures (i.e., a hash of the message body). The playbook can replace such links with intermediate proxies that require biometric authentication to dereference any suspicious link. This proxy can defuse the trigger, protect the system and cause little (if any) inconvenience to the end user.
A variety of vendors provide interoperable solutions for link detection, threat feed integration, email filtering and authentication, which can be used in the playbook in tandem, without relying on a single vendor’s solution or cyber ecosystem. If a user decides to open a suspicious link (or proxied link), it would require explicit consent. In this case, we use biometric authentication for that consent to ensure that a live, human user is accepting the incumbent risk.
This new approach to CIKR defense is automated and coordinated – a vast improvement over old email- or telephone-based systems in which alerts were shared between human operators in Security Operation Centers who must manually sort and prioritize a flood of incoming alerts, most of which were false alarms. It depends, however, on common standards for playbooks, interoperable orchestration protocols and a culture of sharing cyberthreat information across sectors. Until we adopt such community approaches to CIKR defense, the attackers will continue to isolate the weak from the herd and replay their attacks on unsuspecting victims.