While traditional cybersecurity defenses focus on prevention, there are many vulnerabilities and potential attacks against weapon systems. While weapon systems are more software dependent and networked than ever before, cybersecurity has not always been prioritized with regards to weapon systems acquisition.
Threat actors have advanced in their sophistication as they are well-resourced and highly skilled, oftentimes gathering detailed knowledge of the systems they want to attack. Ensuring stronger detection methods is imperative, but because these types of threats are very targeted and advanced, agencies need the capability to proactively hunt.
4. About this presentation…
• Perspectives on the cyber threat
• From history
• And personal experience
• Concluding with actionable recommendations
5. Based On Three Sources:
Human History Trusted Analysis
Experience
• A lesson from every
great period of
history
• The case of Hannibal
• Civil War
• OODAloop.com
• Recorded Future and
other open intel
sources
• Learning from adversaries
in government and
industry systems
6. A Brief History
If you know human
history you have the
most important things
down already
7. The Condensed History of the Cyber Threat
• 1862 Civil War: Both sides attacked, exploited, hacked. Cyber attack enabled “The
Great Locomotive Chase” which also destroyed comms infrastructure
• 1998 Moonlight Maze: It takes a nation to fight a nation
• 2007 Estonia: Be ready to weather a storm
• 2008 Georgia: Expect cyber attacks timed to military ops
• 2008 Turkey Pipeline: Large cyber to physical attack
• 2011 Wikileaks: Know the human element. Balance info sharing and protection
• 2013 DSB Report: Software for most weapon systems stolen
• 2013 Mandiant Report: Cyber intel is strategic
• 2013 Snowden Leaks: Know the threat before it strikes
• 2013/14 Banks and Retail: Nothing stops this adversary
• 2014/15 Embedded IT, including in DoD: Threat actors will find a way
• 2015 Healthcare and Governments: No sector immune
• 2016: Turla Attacks: Telecom sector a target
• 2016: Shift to small and mid-sized businesses, supply chain, and home users
• 2017/18: Privacy attacks at scale, ICS/SCADA/Telecom, Cyberwar
• 2019: Adversary use of AI and Machine Learning7
8. Now Some Historical Context
8
8 How we think.
Today’s hackers are made of the same stuff as the famously
persistent Hannibal, who did not give up till he got through the
impassible firewall of the Alps
10. What Are We Seeing Today:
• Phishing remains dominant path to organizations… exploits human traits of compassion and
curiosity.
• Adversaries constantly shift tactics. When Phishing doesn’t work there are plenty of other
avenues in.
• The big breaches get the press, but many criminals prefer mid-sized businesses, individual
users (you!), and government agencies.
• DDoS attacks evolved. Can be large enough to take companies offline.
• IoT is here... But little indication of IoT security solutions (Lots more room for innovation here).
• Complex command and control infrastructures leverage unsuspecting companies and their
servers/telecom.
• Ransomware evolving/becoming harder to prevent/beat.
• 28% of breaches involved insiders. The worse were working for criminals or nations so the “outsider”
is still a huge threat.
• Adversaries also exploiting vulnerabilities in hardware (Spectre and meltdown)
• Governments (especially Russia, China, Iran, DPRK) invest in targeting infrastructure and
weapon systems
10
12. Actions: Know The Adversary
• Be Prepared To Be Surprised: Big lesson from both history and
study of current threats. You will be surprised, so have an incident
response plan and exercise it.
• Know that the adversaries have weaknesses too: They must obey
the same laws of physics that constrain defenders. And when they
are in your networks they are on your turf which gives you an
advantage. Ensure your defenses are agile enough to take
advantage of their weaknesses. Be ready to deceive your adversary.
12
13. Actions: Know Yourself
• Know your own organization: Assess and Understand: Know what data,
systems and capabilities are most important to the function of your
organization, and maintain continuous automated awareness of their
status.
• It takes teams to beat teams: No organization can match the technical
talent of the modern cyber criminal or nation. Build trust based teams
now. Leverage the power of other organizations for your defense.
Security professionals, law enforcement, cloud service providers, the
FBI, the US CERT, and the appropriate ISAC (FS-ISAC for financial
sector).
• Test yourself: through independent assessment and realistic
training/evaluations (table top exercises)
13
14. Actions: Raise Your Defenses
• Enhance Defenses: The adversary in cyberspace is continuing to
innovate, which means we must continue to review our defenses
and modernize. Automating is key. Automate configuration
management, automate detection, automate response, automate
deception.
• Design for Containment: Early detection and rapid incident
response will be aided if systems are designed to contain
adversaries. Containment of attacks is especially important in
malicious code. IoT devices critical to segment.
• Ensure Backup: Every critical system must have a backup, and
recovery methods must be defined and tested.
14
15. Get Your Mental Model Right: Think OODA
• Observe: What do you know about the
situation, including adversary actions, your own
systems and the environment.
• Orient: Consider your observations in the
context of everything you know including your
business objectives, strengths and
weaknesses.
• Decide: In dynamic situations the speed of
decision is critical.
• Act: Minimize the gap between decision and
action. The loop continues, now observe what
changes in the situation your actions caused
15
17. The State Of Cybersecurity Today
17
The
Threat
Unique
Tech
Factors
The
Situation
A great deal is known about who is attacking
and what their motivations are. By studying
them we can build better defenses before
attack and respond smarter during attack. Get
the right info for strategic, operational and
tactical decisions.
Every sector of the economy and every
government and every citizen is under almost
constant attack. Most suffer ongoing
infections with malware. Attackers get in fast
and remain undetected for months. But risk
can be reduced/mitigated.
Your
Action
Governments, businesses, homes, aircraft,
cars, roads, trains, ships increasingly
interconnected. But cyberspace is hard to
observe. Well instrumented systems overseen
by trained/experienced people are key to
defense.
Lead with understanding that cybersecurity
is not just a tech function. Must have
executive leadership and engagement by
entire team. Ensure external verification and
validation of strategy, policy, process and
tech.
Successful Attacks Are By Organizations Defenders Should Collaborate on Lessons
Ensure Tech is Independently Assessed Victory Must Be Earned
Nations Crime Groups Extremists Hackers Insiders
Encryption ID mgnt SDP 2FA AutoPatching Deception
Tools To Consider:
Adversaries Are:
Attackers are persistent, we must prepare for breach
Top Lessons Are:
Engage with CSA, Collaborate with Peers, Study Threats
Top Actions:
18. OODA LLC
• OODA helps our clients identify, manage, and respond to global risks and
uncertainties while exploring emerging opportunities and developing robust and
adaptive strategies for the future. We provide advanced intelligence and analysis,
strategy and planning support, investment due diligence, risk and threat
management, training, decision support, crisis response, and security services to
global corporations and governments.
• OODA is comprised of a unique team of international experts lead by co-founders
Matt Devost and Bob Gourley.