In a world of accelerating innovation and increasingly complex digital services, applications, appliances and devices, it is unreasonable to expect customers to understand and maintain their own cyber security. We are well past the point where even the well-educated can cope with the compounded complexity of an 'online life'. The reality is that today's products and services are incomplete and ship with wholly inadequate cyber defences.
Perhaps the single biggest problem is that defenders have never been professional attackers: they do not share the level of thinking, deviousness or inventiveness of their enemies. Apart from an education embracing attack techniques and, in some cases, engaging in war games, defenders remain on the back foot. However, there are a number of new and potentially significant approaches yet to be explored, and we choose to look at the problem from a new direction.
In the maintenance of high-tech equipment and systems across many industries, identifiable precursors are used to flag impending outages and failures. This realisation prompted a series of experiments to see whether it was possible to presage pending cyber attacks. And indeed it was found to be the case!
In this presentation we give an overview of our early experimental and observational results, along with our current thinking spanning networks through to individual hackers and inside actors.
3. CYBER ATTACKS
All originate from human action.
[Diagram, labels only: Outsiders; Outsiders + Insiders; Criminal Groups; Cyber Security Industry Focus; Biggest Threat?; Largely Invisible; What About IoT Elements: Diverse 45%, Wide Open, Unprotected, Exponential Growing Risk]
Source: https://www.embroker.com/blog/cyber-attack-statistics/
"The threat landscape gets bigger and more complex year-on-year, with reactive defenders always behind the wave."
4. THERMODYNAMICS
"All things in the natural and unnatural worlds experience failures and death."
"Acts of war, terrorism and criminality wear a cloak of causality that renders them recognisable as unnatural in the schema of failures."
"In general, these exhibit random distributions at scale."
"Patterns are thus key in characterising and identifying failure types and likely cause."
"The Celestial Ratchet that governs everything in the universe."
5. HYPOTHESIS 1
"Everything in the natural world, be it biological, geological, climatic, astronomical, et al., exhibits precursor indicators to major events."
E.g. hormonal and chemical changes, tremors, pressure, humidity, temperature, trajectory deviations, etc.
6. HYPOTHESIS 2
"Everything in the unnatural world, be it electrical, mechanical, electronic, photonic, mechatronic, robotic, AI, et al., exhibits precursor indicators to major failures and events."
E.g. excessive heat, vibration, packet loss, data storage, processing and decision failures.
7. ELECTRO-MECHANICAL EXAMPLE
Unwanted resonances: failure precursors
Specific element in wear-out phase
Vibration spectrum identifies reducing machine performance pending total failure.
8. ELECTRO-MECHANICAL SYSTEMS
[Figure: machine condition/function versus time]
Multi-spectrum monitoring quickly identifies reducing machine performance pending total failure / a need for preventative maintenance.
10. CONVENTIONAL FAILURE TIMING
[Figure: overall failure rate versus time; timeline not to scale]
Stage:                 Commissioning          In Service       Change Out
Overall failure rate:  Low level              Quasi-constant   Accelerating
Failures:              Infant mortality       Random           End of life
Cause:                 Production & install   Inherent         Natural ageing
"System failures are generally clustered at the start and end of a system's life, but cyber attacks tend to be more evenly spread."
11. HYPOTHESIS 3
"Cyber attacks span the natural and unnatural worlds, with people and technology in concert, and precursors are therefore highly likely."
"Malware, spam and insider/outsider activity will exhibit unusual patterns of physical/metaphysical behaviour across all networks and devices."
12. Key Question 1
"Can we detect deviations from the behavioural norm of networks, hubs, servers, terminals, devices ("and people") with sufficient fidelity to identify a pending or 'in progress' cyber attack?"
"There is only one course of action open to us: take a look-see."
13. Components: people, PC, device, router, switch, hub, firewall, network, server, cloud, traffic and data activity
[Diagram: pre-emptive probe + hit as the precursor to a full-on cyber attack]
Initial investigation in Vienna of available Interpol data @ SAIL Labs
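Key Question 1 and the probe-then-hit precursor on this slide ask whether deviation from a behavioural norm can be measured with enough fidelity to raise an alarm before the full attack lands. The Python below is an added illustration, not code from this presentation or from the Interpol / SAIL Labs investigation: it builds a per-source baseline of connection fan-out (distinct destination host/port pairs per minute) from constructed flow records, flags a window whose fan-out is far above that source's own norm as a PRECURSOR (the probe), and then flags a later bulk transfer to one of the probed targets as the HIT. The flow records, addresses, field layout and thresholds (robust z-score of 5, byte ratio of 10) are all assumptions made for the example.

```python
"""Added example (not from the deck): baseline-deviation detection of a
reconnaissance probe as the precursor to a follow-on 'hit'."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (minute, src, dst, dport, bytes).  Illustrative
# only; nothing here is drawn from the Interpol / SAIL Labs data.
FLOWS = [
    # minutes 0-5: two workstations talking to their usual two servers
    (0, "10.0.0.5", "10.0.1.10", 443, 1200), (0, "10.0.0.7", "10.0.1.10", 443, 900),
    (1, "10.0.0.5", "10.0.1.11", 445, 4000), (1, "10.0.0.7", "10.0.1.10", 443, 1100),
    (2, "10.0.0.5", "10.0.1.10", 443, 1300), (2, "10.0.0.7", "10.0.1.11", 445, 3800),
    (3, "10.0.0.5", "10.0.1.11", 445, 4200), (3, "10.0.0.7", "10.0.1.10", 443, 1000),
    (4, "10.0.0.5", "10.0.1.10", 443, 1250), (4, "10.0.0.7", "10.0.1.10", 443, 950),
    (5, "10.0.0.5", "10.0.1.11", 445, 4100), (5, "10.0.0.7", "10.0.1.11", 445, 3900),
    # minute 6: 10.0.0.7 sweeps ten ports on a host it has never touched (the probe)
    *[(6, "10.0.0.7", "10.0.1.12", p, 60)
      for p in (21, 22, 23, 25, 80, 110, 139, 445, 3389, 8080)],
    (6, "10.0.0.5", "10.0.1.10", 443, 1200),
    # minute 8: the hit, a bulk transfer to one of the probed ports
    (8, "10.0.0.7", "10.0.1.12", 445, 250_000),
    (8, "10.0.0.5", "10.0.1.10", 443, 1150),
]


def fan_out(flows):
    """Distinct (dst, dport) pairs each source contacts in each minute."""
    seen = defaultdict(set)
    for minute, src, dst, dport, _ in flows:
        seen[(src, minute)].add((dst, dport))
    return {key: len(pairs) for key, pairs in seen.items()}


def fan_out_baseline(counts, until_minute):
    """Per-source median and MAD of fan-out over the baseline period."""
    per_src = defaultdict(list)
    for (src, minute), n in counts.items():
        if minute < until_minute:
            per_src[src].append(n)
    stats = {}
    for src, values in per_src.items():
        med = median(values)
        stats[src] = (med, median(abs(v - med) for v in values))
    return stats


def bytes_baseline(flows, until_minute):
    """Per-source median bytes per flow over the baseline period."""
    per_src = defaultdict(list)
    for minute, src, _, _, nbytes in flows:
        if minute < until_minute:
            per_src[src].append(nbytes)
    return {src: median(v) for src, v in per_src.items()}


def robust_z(value, med, mad, floor=1.0):
    """Median/MAD z-score.  A near-constant baseline has MAD 0, so the scale
    is floored: otherwise one extra connection would look like an outlier."""
    return (value - med) / max(1.4826 * mad, floor)


def detect(flows, baseline_until=6, z_threshold=5.0, hit_ratio=10.0):
    """Return chronologically ordered PRECURSOR and HIT alerts."""
    counts = fan_out(flows)
    norms = fan_out_baseline(counts, baseline_until)
    typical = bytes_baseline(flows, baseline_until)
    by_minute = defaultdict(list)
    for flow in flows:
        by_minute[flow[0]].append(flow)
    probed = {}      # src -> set of (dst, dport) touched during a flagged window
    alerts = []
    for minute in sorted(by_minute):
        if minute < baseline_until:
            continue                      # the baseline period is not scored
        window = by_minute[minute]
        # 1. precursor: fan-out far above this source's own norm.  A source
        #    with no baseline is scored against zero, so it alerts readily
        #    by design: an unknown host fanning out is worth a look.
        for src in sorted({f[1] for f in window}):
            med, mad = norms.get(src, (0, 0))
            n = counts[(src, minute)]
            z = robust_z(n, med, mad)
            if z >= z_threshold:
                probed.setdefault(src, set()).update(
                    (f[2], f[3]) for f in window if f[1] == src)
                alerts.append({"kind": "PRECURSOR", "minute": minute, "src": src,
                               "fan_out": n, "z": round(z, 2)})
        # 2. hit: a bulk transfer from the same source to something it probed
        for _, src, dst, dport, nbytes in window:
            if (dst, dport) in probed.get(src, ()) and \
                    nbytes >= hit_ratio * max(typical.get(src, 0), 1):
                alerts.append({"kind": "HIT", "minute": minute, "src": src,
                               "dst": dst, "dport": dport, "bytes": nbytes})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Two design points carry over to real telemetry: the norm is per source rather than global, because a file server's ordinary fan-out would mask a workstation's sweep, and the floored median/MAD scale stops a near-constant baseline (MAD of zero) from turning every one-connection change into an alert. On the constructed data the precursor fires at minute 6, two minutes before the hit, which is the fidelity the question is after.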
19. [Figure: IT systems condition/function versus time, with monitoring of people, systems and networks. Labels, in source order: All Operations Disabled; All Systems Failing; Visible Operational Noise; Sporadic Outages; Multi-System Critical Fails, Unpredictable Up Times; Inexplicable Productivity Reductions; CYBER ATTACK; Undetected Attack Build-Up + Hidden Precursors]
"The attacks to really worry about are the ones you never detected and know nothing about."
20. Key Question 2
"Can we establish the behavioural characteristics of individual hackers/hacks with sufficient fidelity to initiate pre-emptive action and ward off pending cyber attacks?"
"This demands the behavioural analysis/characterisation of known systems, equipment and individuals across a sufficiently large sample!"
21. NSA EXEMPLAR
A dramatisation of actuality!
Edward Snowden: disillusioned and sure he is right, based on a limited perspective of operations.
22. INSIDER THREAT
What has become very evident... They are often:
- trusted employees
- tend to be lone wolves
- have a sense of justice
- abuse access privileges
- commit acts of treachery
- have an incomplete picture
- convinced they are in the right
- may have external actor relationships
23. INSIDER THREAT OPPORTUNITIES
[Word cloud, labels only:]
- Disregarded security policies
- Social engineering by insiders or outsiders
- Disgruntled employees' sabotage
- Financial gain
- Compliance/policies insufficient or ignored
- Accidents and errors?
- Lack of cyber security awareness
- Ignorance/unawareness, cavalier attitudes
- Blasé/ignorant board and/or management
24. OVER-SIMPLIFIED ANALYSIS?
Yang et al. (2018) identified the traits of Edward Snowden, dismissed his claimed motivation of justice, and presented his underlying pathology as narcissistic.
25. OBSERVATIONS
WHISTLEBLOWERS are often motivated by:
• Hubris
• Naive beliefs
• Misguided purpose
• Distorted perceptions
• Incomplete/distorted view of operations
AND guilty of:
• Laxity when engaging with external threat actors
• Positive emotions 'of above' amplified post-breach
26. VULNERABLE HABITUALITY
"Imitating and emulating others can be a powerful attack tool/strategy."
"It might even be the highest risk and opportunity space!"
"Attackers/defenders: near impossible to change their operating modes."
27. INITIAL REVIEW OF SECONDARY DATA
Insider           Positive emotions   Engagement (used own strengths)   Positive relationship (team worker)   Meaning and purpose   Accomplishment (had a goal)
Edward Snowden    √                   √                                 √                                     √                     √
Katharine Gun     ?                   ?                                 ?                                     √                     ?
Chelsea Manning   √                   √                                 √                                     √                     √
Julian Assange    √                   √                                 √                                     √                     √
28. HACKER SURVEY
Preliminary results from interviews...
[Bar chart, % scores 0-100, labels only: Motivation: Curiosity, Cause, $$$; Computing: Self Educated; Loner; Refuge; Pitiless; Remorseless; Socially Odd]
29. CHALLENGES
• Secondary data is extremely limited
• Organisational integrity, reputation, potential damage
• Reluctance to reveal attacks and share insider threat data
• Widespread corporate bias and truth distortion in reporting
• Insider threat management responsibility: CISO? CEO? CFO?
• Corporate ignorance, inaction, underfunding, fatalistic attitudes
• Cognitive bias in reporting and research
• Inconsistency across research bodies
30. SOLUTION SPACE?
• Create a balanced behavioural and motivational assessment for individuals
• Provide intervention strategies for those who have access to data
• Provide behavioural guidelines for those operating in a digital space
• Establish the motivations/targets of organised crime and state actors
• Create automated early attack warning and defence protocols
"Educate people in 'effective self-regulation' behaviours/actions: this is a team game."
31. BEHAVIOURS: WHAT NEXT?
• Identify hidden themes embedded in much larger secondary data samples
• Confirm the statistical significance of key behavioural characteristics
• Correlate with published threat surveys: hackers, state actors, et al.
• Identify primary weaknesses in currently used defence solutions
• Evaluate current organisational defence/resilience strategies
• Identify key weaknesses and propose new solutions
• Estimate the potential cost of ineffective defences
32. ATTACK PREDICTION: WHAT NEXT? (WISHLIST)
• Recruit a PhD student with good hardware/software/maths ability
• Confirm the significance of 'observed' network attack precursors
• Configure 'honeypot' machine(s) to attract real device attacks
• Identify primary waveform characteristics versus attack type
• Create an 'attack alarm' monitoring strategy
• Construct a demonstration prototype