A long day spent encouraging a customer to reconsider their reluctance to develop a plan and build a security architecture that includes automation and orchestration, with the ability to measure value rather than just adding tools as needed, led to a very late-night drive home. I was encouraged that the customer invited me back to prove my case, but it was one of those days that left me shaking my head. Reflecting on the day's discussions, I kept thinking about how many times both sides used the words "cybersecurity strategy."
Clearly, strategy is one of those words that takes on a different meaning depending on the context. A thought that came to mind on my drive home was that cybersecurity is very much like the board game Battleship: both involve strategy, and both operate in a "static model." In Battleship, as you may recall, play is simple: each player arranges five ships (an aircraft carrier, a battleship, a cruiser, a submarine and a destroyer) on a ten-by-ten grid of squares and attempts to "sink" the opponent's ships by calling out the squares where they believe those ships are hiding. Most players approach the game as essentially one of chance, targeting squares at random and hoping for a "hit." Once a player has positioned their ships they cannot move them, so the ships become static targets. The same holds true for our classic cybersecurity defenses: once we position our defensive sensors across our environments, they remain static.
But is there a better strategy? In cybersecurity we tend to deploy strategy in a similar fashion. We establish perimeter, network and internal protections with firewalls, security gateways, IPSs, endpoint security and so on, and then wait for the adversary to guess where to attack us. The adversary, meanwhile, keeps probing and refining their method until they achieve their objective. Clearly it is time for a change in cybersecurity game theory.
One concept that has not yet been fully explored is Moving Target Defense (MTD). It is not a new concept by any means; early research dates back to before 2011. However, I believe it requires much more attention from the industry. The Department of Homeland Security (DHS) defines MTD as "the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts." DHS believes in the concept enough to have invested research and development money to advance it past the concept stage.
MTD assumes that perfect security is unattainable. Given that starting point, and the assumption that systems are already compromised, MTD research focuses on enabling continued safe operation in a compromised environment and on building systems that are defensible rather than perfectly secure.
MTD would let us create, analyze, evaluate and deploy mechanisms and strategies that are diverse and that continually shift and change over time, increasing complexity and cost for attackers, limiting the exposure of vulnerabilities and opportunities for attack, and increasing system resiliency. The catch for operators is that every change the defender introduces is also change the defender's own monitoring, addressing and access control must keep up with; a moving target that confuses the security operations team as much as it confuses the attacker is a net loss, so the shifts have to be driven by the same policy and automation that feed the defender's tooling.
In an ideal case, I envision a scenario in which an administrator could set, via policy, variable time intervals at which to "move or shift" an entire network environment or enclave, applications included, while changing privileged account credentials and leaving a ghost network (think honeynet) in its place to capture forensic data for later review and analysis. Several new, innovative cybersecurity companies have developed unique and forward-thinking deception technologies. I look forward to seeing what the art of the possible is in this space in the near future!
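To make the Battleship analogy and the shift-and-decoy scenario above concrete, here is a small simulation (an added example written for this page, not code from the original post, from DHS or from any vendor's product). It models an enclave as a one-dimensional grid of addresses: services sit on addresses and are reached with a privileged credential. A static defense never moves them; an MTD policy re-places every service, rotates every credential and leaves a decoy listener on every vacated address at a configurable interval. The attacker does reconnaissance once and attacks some turns later with what it learned. The class and function names, the grid size, the service names and the attacker model are all assumptions made for the illustration; nothing here stands for a real network.

```python
# Toy moving-target-defense (MTD) model: a one-dimensional "Battleship grid" of
# addresses. Services sit on addresses and are reached with a privileged
# credential. A static defense never moves them; an MTD policy re-places every
# service, rotates every credential every `shift_interval` turns, and leaves a
# decoy (honeynet listener) on every vacated address. The attacker does recon
# once and attacks `delay` turns later with what it learned.
# Everything here is a constructed illustration, not a real product or dataset.
import random
import secrets


class Enclave:
    def __init__(self, size, services, rng):
        self.size = size                    # number of addresses in the grid
        self.services = list(services)
        self.rng = rng
        self.live = {}                      # address -> service hosted there now
        self.creds = {}                     # service -> current privileged credential
        self.decoys = set()                 # vacated addresses watched by a honeynet
        self.decoy_log = []                 # (address, credential seen) for forensics
        self.shift()                        # initial placement

    def shift(self):
        """Move every service to a fresh address and rotate every credential."""
        vacated = set(self.live)
        addresses = self.rng.sample(range(self.size), len(self.services))
        self.live = dict(zip(addresses, self.services))
        # anything that was live and is no longer live becomes a decoy
        self.decoys = (self.decoys | vacated) - set(self.live)
        self.creds = {s: secrets.token_hex(16) for s in self.services}

    def recon(self, service):
        """What an attacker learns at recon time: the address and credential of `service`."""
        address = next(a for a, s in self.live.items() if s == service)
        return address, self.creds[service]

    def attempt(self, address, cred):
        """Outcome of an attack that uses (possibly stale) recon."""
        if address in self.live:
            if self.creds[self.live[address]] == cred:
                return "compromised"
            return "rejected"               # wrong or rotated credential: alert-worthy
        if address in self.decoys:
            self.decoy_log.append((address, cred))   # honeynet captures the attempt
            return "decoy"
        return "miss"                       # empty address, plain scan noise


def stale_recon_demo(seed=7):
    """Single worked run: the same (address, credential) before and after one shift."""
    enclave = Enclave(100, ["svc0", "svc1"], random.Random(seed))
    address, cred = enclave.recon("svc0")
    before = enclave.attempt(address, cred)     # fresh recon: works
    enclave.shift()
    after = enclave.attempt(address, cred)      # stale recon: rejected or on a decoy
    return before, after, len(enclave.decoy_log)


def simulate(shift_interval, delay, trials, seed=1, size=100, n_services=5):
    """Fraction of attacks ending in each outcome for a given MTD policy.

    shift_interval=None is a static defense. Each trial: recon happens at a
    random point in the shift cycle; the attack follows `delay` turns later.
    """
    rng = random.Random(seed)
    services = [f"svc{i}" for i in range(n_services)]
    outcomes = {"compromised": 0, "rejected": 0, "decoy": 0, "miss": 0}
    for _ in range(trials):
        enclave = Enclave(size, services, rng)
        target = rng.choice(services)
        # turns already elapsed in the current cycle when recon happens
        offset = 0 if shift_interval is None else rng.randrange(shift_interval)
        address, cred = enclave.recon(target)
        for turn in range(offset + 1, offset + delay + 1):
            if shift_interval is not None and turn % shift_interval == 0:
                enclave.shift()
        outcomes[enclave.attempt(address, cred)] += 1
    return {k: v / trials for k, v in outcomes.items()}


if __name__ == "__main__":
    print("one shift:", stale_recon_demo())
    for interval in (None, 20, 10, 5):
        print("interval", interval, simulate(interval, delay=5, trials=2000))
```

With a static defense the stale recon always works. With a shift interval of k turns and an attack delay of d < k turns, the attack succeeds only if no shift fell in between, so the success rate is about (k - d)/k; once d >= k the success rate is zero and every attempt lands either on a decoy (captured for forensics) or on a rotated credential (a rejection worth alerting on). That is the "reduced window of opportunity" in the DHS definition, expressed as a number the defender tunes by policy, and the decoy log is the forensic capture the ghost network is meant to provide.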
Good luck and good hunting... Here's to you never having to say, "You sunk my battleship!"