What is Resiliency and How Can We Apply It to All Phases of Attack? Part 1 of 3

Part 1: What is Resiliency and How Can We Apply to All Phases of Attack?

Part 2: Using Misinformation and Intentional Failures to Your Advantage

Part 3: Cattle, Not Pets, Leveraging CI/CD Practices and the Concept of Reverse Uptime

The inevitability of your organization being breached is well established. Vulnerabilities are intrinsic to any software just as human fallibility assures us that users are only one bad decision or one click away from a malicious link or lost credentials in the face of phishing campaigns. The reality of this brave new world is unlikely to change no matter how many security alert dialogs you may put in place to prevent such maliciousness or carelessness.

Meanwhile, bad actors will continue to code beyond our world of known signatures with zero day threats that are already replete in our frameworks, libraries, operating systems and firmware. We solved WiFi, then WPS happened. We sandboxed and hardened the Javascript engines in browsers only to find new exploitable Javascript engines in remotely accessible network services. Every time we solve one problem, it seems we create another with an expanded attack surface, as the borders and boundaries of our networks, software and even hardware continue to erode.

But, while most organizations have come to accept the inevitability of an attack, resignation is never an option. The only sensible response beyond the latest and greatest security precautions is resiliency. When it comes to cybersecurity, resiliency represents the capability to respond and recover from attack, while also maintaining a state that is resistant to permanent damage. Resiliency must be thought of not only in terms of the ability to rebuild, but also in terms of playing defense in such a way as to ensure that a successful attack yields little to no value for the attacker in comparison to the resources expended to launch the attack.

While we typically think in terms of raising the cost of the attack, organizations don’t think often enough about lowering the value of the outcome from the attacker’s perspective. This not only disincentivizes the attacker, but also lowers the cost to the defender such that the loss is not irrecoverable – a conceptual strategy that is vital to the survival of any business in our hyper-connected digital age. In this way, resilience must be applied to all elements of attack. Your organization must be resilient to reconnaissance, resilient to exploitation and resilient to persistence.

Perhaps an extreme example is Microsoft’s EMET, the anti-exploitation technology that grants asymmetry to the user by raising the cost of exploit development time to the attack. Most of EMET’s functionality is now baked-in for recent Windows 10 builds, but until recently EMET adoption was sparse. The downfall for many was the difficulty in managing EMET deployments, and its perceived instability.

A far more common and accepted form of defensive resilience is multifactor authentication. This relatively simple practice protects credentials from compromise. For example, when logging in or attempting to perform sensitive account actions, your bank can now send you a text with a unique one-time-password required to complete the requested task. As a result, an attacker must somehow gain access to this one-time-password despite the attacker’s previously successful phishing attack, which gained the original password. This stinks of effort for the attacker, and instantly devalues the result from their previous attack to compromise the password. The tiny cost of a momentary delay in user experience raises the cost for the attack by orders of magnitude, making the service resilient to the compromise of passwords.

There are countless ways that the spirit of this mechanism can be applied to other attack scenarios. In my next post, I’ll explore ways this concept can be extended more deeply into the world of infrastructure and how misinformation, automation and other technical advances are broadening the concept of operational resilience.