A lot has been said about Sun Tzu’s “The Art of War” in relation to modern cyber warfare. The term “cyberwarfare” has been around for a while, and with it has come a lot of correlation between military strategy and cyber security protocols.
As an example, The Art of War is listed on the Marine Corps Professional Reading Program. It is recommended reading for all United States Military Intelligence personnel and is required reading for all CIA officers. Some nations even require their army and intelligence divisions to be able to recite passages perfectly from memory.
Of particular relevance to us are Sun Tzu’s views on intelligence, where he teaches that good intelligence is a means of avoiding harm to your own side while still mitigating the threat.
‘Know your enemy and know yourself and you can fight a thousand battles without disaster.’ – Sun Tzu
Earlier this year I covered an analysis of the cyber security industry done by Massive, pointing out the underlying cause of all failed security activities: prediction. In this article I will touch on the topic of prediction again, and show its value in cyber monitoring and cyberwarfare.
As a point of reference, an article by Krypt3ia from last March gives us a rich assessment of the Target breach. The timeline (shown below) gives the known sequence of this epic breach and points out valid violations of protocol, irresponsibility and inaction. That article gives a useful but still limited view of the Target breach timeline, as it shows the onset of the criminal activity from the first physical action, not from the first intent.
How cyber monitoring fits with a typical APT scenario
An Advanced Persistent Threat (APT) can come in many shapes and sizes. This simple diagram shows the common procedure of a data breach, much like we see every day in the headlines.
Point #2 of the diagram, “Intelligence gathering”, is undervalued and doesn’t show the actual timeline which precedes the APT in its full glory. The possible scenarios that come prior to an effective data breach are too numerous to describe (see the Target diagram above). But for interest I will lay out a case scenario as documented by a Strixus Cyber Threat Assessment™, a service used to map out existing and historical external threats relating to a company.
Timeline of a Bank Data Breach
- June 2012 – A bank’s junior IT employee has his laptop stolen from his car. BYOD policies were very touch and go.
- June 2012 – The Bank follows good protocols and notifies those who may be impacted by the data stolen and attempts to reset access to anything which may have been stored on the junior employee’s computer.
- January 2013 – Accounts and passwords from the employee’s laptop show up on a dark web forum. One of the entries is a “temp” account to a restricted portion of a beta system they were testing at the bank.
- February 2013 – Interest builds in the forum community around these details, with junior and senior hackers testing their skills on this unmonitored and forgotten portion of the bank system.
- April 2014 – The bank experiences a huge breach: over 200 thousand compromised consumer accounts, including malware placements designed to shut down its fraud detection algorithm, putting it at risk of financial fraud on accounts.
- April 2014 – An internal forensic audit shows that this small pocket testing area had been exploited.
So what did the client take away from this?
– The breach was avoidable, IF they had active cyber monitoring on external communities and chatter relating to sensitive information on the bank.
– That this could have been detected back in 2012 and shut down before it even escalated.
– Internal forensic audits only showed them how the data breach took place on their systems, not how it all began 2 years prior.
– That at this very moment, there could be some activity somewhere which will lead to a similar or greater incident tomorrow or even years down the line.
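As an added illustration of the kind of external monitoring the takeaways above call for (example code written for this article, not Strixus or Massive’s own tooling): it scans constructed sample forum chatter against a watchlist of the bank’s identifiers, holds account names only as SHA-256 digests so the monitor never stores them in the clear, and reports the earliest sighting. Every domain, account name and chatter line here is a constructed placeholder.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample of external chatter as (ISO date, text) pairs.
# These are placeholders, not real forum posts or real identifiers.
CHATTER = [
    ("2013-01-14", "dump from a laptop, 40 logins, examplebank.com staff"),
    ("2013-01-15", "anyone tried temp_qa01 on beta.examplebank.internal?"),
    ("2013-02-02", "unrelated: selling game accounts"),
    ("2013-02-09", "temp_qa01 still works lol, nobody watching beta"),
]

# Watchlist of the bank's own identifiers (constructed placeholders).
# Plain terms are matched as substrings; sensitive account names are kept
# only as SHA-256 digests so the monitor never holds them in plaintext.
WATCHLIST_TERMS = ["examplebank.com", "beta.examplebank.internal"]
WATCHLIST_ACCOUNT_HASHES = {
    hashlib.sha256(b"temp_qa01").hexdigest(): "temp account (beta system)",
}


@dataclass
class Sighting:
    when: date
    line: str
    reasons: list


def scan_line(line):
    """Return the list of watchlist hits for one chatter line."""
    reasons = []
    low = line.lower()
    for term in WATCHLIST_TERMS:
        if term in low:
            reasons.append(f"mentions {term}")
    # Hash each token and compare against the hashed account names.
    for tok in re.findall(r"[A-Za-z0-9_.@-]+", line):
        digest = hashlib.sha256(tok.encode()).hexdigest()
        if digest in WATCHLIST_ACCOUNT_HASHES:
            reasons.append(f"references {WATCHLIST_ACCOUNT_HASHES[digest]}")
    return reasons


def scan_chatter(entries):
    """Return all sightings, oldest first, so the earliest signal is visible."""
    sightings = [
        Sighting(date.fromisoformat(when), line, scan_line(line))
        for when, line in entries
        if scan_line(line)
    ]
    return sorted(sightings, key=lambda s: s.when)


def first_sighting(entries):
    """Date of the earliest watchlist hit, or None if there is no chatter of interest."""
    found = scan_chatter(entries)
    return found[0].when if found else None
```

Run against the sample, the first sighting lands in January 2013, more than a year before the breach in the timeline above.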
The goal of good intelligence operations
Massive’s goal has always been “to detect and neutralise”. When you tie this into cyber security, we are essentially providing protection of a brand, its digital infrastructure, reputation, sensitive documents, employees, shareholders and credibility through real-time proactive detection of the earliest moment of a threat. And then, of course, neutralising it.
Setting aside scandal or misuse of the incredible threat detection technology available to top government intelligence arms, the approach taken by government intelligence organisations is distinctly different from that of corporate intelligence.
They operate one step ahead of a threat through cyber monitoring strategies which give the earliest warning or signal that a physical or cyber threat is underway, and shut it down before it becomes a crisis. This is exactly what we are accomplishing here at Massive, and its absence is the one gaping hole within corporate cyber security.