CYBER DEFENCE SCENARIOS
petercochrane.com
Prof Peter Cochrane OBE
STUDENT ALERT
This Lecture is primarily a BLUE TEAM exercise
where we review the field to then assume the mantle
of a defence group engineering a secure environment
for fixed and mobile workers
Be prepared to exploit the attacker mind-set thinking the
unthinkable during the previous RED TEAM exercise!
The process will become highly interactive toward the
latter half of the lecture and to fully understand you will
have to fully engage
NO Silver Bullets
Complex problems demand complex solutions
- You cannot solve a problem from within the very framework that created it!
- The energy to solve a problem is always greater than that expended to create it!
We are going to need a wide range of continually evolving & increasingly sophisticated tools if we are to stop/control the growth of cyber attacks…
- The more we know about the Enemy/Dark Side/Red Team the more likely we are to succeed!
To be effective!
Comprehensive defence design +
Global
Mobile
Malleable
Adaptable
Automated
Concentric
Responsive
Intelligent
Evolutionary
Self sufficient
Well maintained
Highly networked
Wholly integrated
Fully anticipatory
ISP.n
Decoys
Apps.n
Fibre.n
Cloud.n
Route.n
Decoys
Cloaking
Biometrics
Cloaking
Services x n
AI Analysis
Data Sharing
Collaborators
Market Watch
AI Diagnostics
24 x 7 x 365 Watch
White Hat Testing
Device Monitoring
People Monitoring
Traffic Monitoring
Attack Monitoring
Network Monitoring
Behavioural Analysis
Security Advisory Board
Experience/Data Network
Past Lessons
Fence
Fence + Mound
Wall + Mound
Wall + Mound + Ditch
Wall + Mound + Moat
Wall(s) + Mound + Keep + Moat +++
Wall(s) + Mound + Keep + Moat + Hidden Ditch + Obstacles +++
Castle in a Castle!
Slow evolution
The enemy is mobile & agile
Iron Age
Napoleon
Exponentially more expensive and longer build time
Effectiveness on a shorter and shorter fuse!
Does this not look like the recent history of cyber defence with layer on layer of fixed/static defences?
And we are still building them in the form of bunkers at even vaster expense
WALLS DON’T WORK
But we keep building them!
And after > 2000 years of evolution, what comes next?
After 1000s of years building them they are still static and unable to adapt as fast as the enemy
You can dig a tunnel, cut a hole, end run, climb over, fly over, drive/walk through on false documents
Faster evolution
The enemy is mobile and agile
WHAT DID WE LEARN!
Concentric defence layers work (ish)?
Not so if they are:
Fixed
Unchanging
Unresponsive
Slow to evolve
Lack intelligence
Poorly maintained
Operate in isolation
Not wholly integrated
Not fully anticipatory
Hub
LAN
Switch
CPE
Hub
LAN
Switch
CPE
ISP
CLOUD(s)
Security at every layer has to be dynamic & adaptable
VPNs
-PNs
Encryption
EXEMPLAR
Threat Reduction
“Honed in the face of years (decades) of ongoing of threat with Carriers, Companies, ISPs Service Providers, Security and Intelligence agencies across to provide a stable (for now) model - but much more is required of the IT industry, Operators & Customers”
Each segment/ish demands specialised teams and great expertise on r and d FULL TIME
Parody!
We feel reality
Suppose our cars were like our laptops and other IT kit - what would we think and do?
This is a complete product based on the industrial developments spanning > 130 years
REALITY!
It can be a pain
Auto Upgrade
Problematic
Not full so!
Each device is idiosyncratic & not inherently secure - demanding users to be alert & capable!
Multi-OS
Multi-App
Fixed/Mobile
Users' lives at work and at home are becoming ever more complex as the number of devices, peripherals, terminals and appliances multiply
Husband - Wife
Home - Office
Fixed - Mobile
Personal and Company
Children
School - Home
Games - Video
Social Nets
Study - Fun
All of these products have only been with us a very few decades and remain immature
The immature IoT
AND NEXT?
The infantile IoT
Conceived, designed, produced off shore with security more or less an afterthought & a last minute kluge!
This may be an impending nightmare
Status Untenable
Increasing Risk
IT Companies need to get a grip and start supplying complete products
IT security is way beyond Joe Public and most of the population
Solution Space
Behavioural Analysis of People, Machines, Networks, Applications
Solution Space
AI Behavioural Analysis of Net Machines, Networks, Applications
Pre-Attack Activities
Early days but retrospectively shown to be capable of identifying some cyber and terrorist attacks
AI Still in early learning phase and examining many different attack types
Grossly underfunded in a start up with actual deployment uncertain
Segue
Diversity
Power + Control + Comms Cable Distribution
Port
Keel
Starboard
Power Generation + Main Plant + Generator + Batteries
Increasing reliability, resilience & survivability
Safety
Belt, Braces, Lifeline
Diversity
FaceBook Server Farm
Facility Mirrored in and out
Multiple Power & Fibre Feeds
Controlled Access at all levels
Standby Generators & Batteries
~50 km from nearest Airport
Standby Batteries for every rack
Dispersed
Risk & Redundancy
People Skills
Physical Locations
Multiple Equipments
Traffic Routing Directing
Diversity
Reliability/Resilience
A single Cloud/Services Provider poses a
potential single point of failure
All your eggs in one basket with no legal recourse
should the provider lose or corrupt your data
Diversity
Reliability/Resilience
Triplication creates a vast improvement in
the overall reliability and security
Secure Storage
Documents open, locked, encrypted?
Singular back ups, or multiple co-located Tape, Disc, SS drives on desk, in building, on servers, at ISPs, or on a singular Cloud?
Could we create an even greater degree of data security?
Multiple Clouds (at least)
triplicated provides a far
higher degree of security
Why an odd number (3) ?
If you only had two copies -
and one is corrupted how do
you choose the correct one?
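The question on this slide, worked as an added example (not part of the original lecture): a read across replicated copies that accepts a version only when a strict majority of the configured copies share the same SHA-256 digest. The store names, sample contents and function names are constructed for illustration.

```python
import hashlib
from collections import Counter

# Constructed sample data: one good copy and one silently corrupted copy.
GOOD = b"Quarterly figures: 1,204 units."
CORRUPT = b"Quarterly figures: 9,204 units."


class NoMajority(Exception):
    """No version is held by more than half of the configured replicas."""


def vote(replicas):
    """Pick the majority version from {store_name: bytes or None}.

    None marks a replica that could not be read. Returns (data, suspects),
    where suspects lists the stores that are missing or disagree with the
    majority and so need rewriting from the winning copy.
    """
    digests = {
        name: hashlib.sha256(blob).hexdigest()
        for name, blob in replicas.items()
        if blob is not None
    }
    if not digests:
        raise NoMajority("no readable replica")
    winner, count = Counter(digests.values()).most_common(1)[0]
    # Strict majority of ALL configured replicas, not only the readable
    # ones: one survivor out of three must not be trusted on its own.
    if count * 2 <= len(replicas):
        raise NoMajority(f"best version held by {count} of {len(replicas)}")
    data = next(replicas[n] for n, d in digests.items() if d == winner)
    suspects = sorted(n for n in replicas if digests.get(n) != winner)
    return data, suspects


def repair(replicas):
    """Return a repaired copy of the replica map plus the stores rewritten."""
    data, suspects = vote(replicas)
    fixed = dict(replicas)
    for name in suspects:
        fixed[name] = data
    return fixed, suspects


if __name__ == "__main__":
    three = {"cloud_a": GOOD, "cloud_b": CORRUPT, "cloud_c": GOOD}
    print(vote(three))
    try:
        vote({"cloud_a": GOOD, "cloud_b": CORRUPT})
    except NoMajority as exc:
        print("two copies cannot settle it:", exc)
```

With two copies a disagreement is detectable but not resolvable, which is the slide's point; with three, a single bad or missing copy is both identified and repaired.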
Segue
AeroSpace
Commonly adopt triplicated sensors, computers, displays + electrical and hydraulic systems +++
Other sectors
Most mission/life critical systems!
Nuclear Power is obvious - can you think of more likely candidates?
blockChain
A very brief overview
For a fuller treatment GOTO: https://www.slideshare.net/PeterCochrane/block-chain-basics
Short Form: https://bit.ly/2xsxEJt
BlockChain
A very very brief overview
•Self organising
•Functionally autonomous
•A distributed electronic ledger
•2007/2009 saw visible manifestations
•No one knows the inventor/origins for sure
•Designs, protocols and code are open source
•Security agencies suspected to be on a similar tack
•Specialised Block Chains dedicated to just one task
•Generalised Block Chains are now becoming a platform
•A next step in the logical progression toward decentralisation
•Inherently more secure than any previously realised transaction system
•Sidelines institutions and centralised control making all transactions simpler
Capabilities
Great utility spanning all spheres
Voting
Storage
Records
R&D data
Multi-media
Production data
Patents/Copyright
Licences/permissions
Property deeds/ownership
Every form of value exchange
Ultra secure communications
All forms of legal documentation
+++++
WTH are Hash Functions
and Merkle Trees?
Confirms the validity
of data and an agreed
transaction beyond
all doubt
IF you did not study
maths you have to
take this on trust
but there is hidden
beauty in all this
there has been a
widespread hype of
this tech and what it
can actually do
It has been used
inappropriately and
many have disclosed
their architectures
A New Ledger
Digital, Encrypted, Highly Complex
• Distributed attack virtually impossible
• Obscuration through complexity
• Impervious to focussed attack
• Spread over many machines
• Geographically distributed
• Address space invisible
• Inherently secure
• Format variable
• Vastly scaleable
• Multiple forms
• Multi-key
No one knows who owns individual machines,
where they are, what type they are, which OS
and apps they use, when & if they are on-line
(No) single point of
failure or access
Machines can protect
themselves and
each other
Networks are generally
configuration dynamic
A vast number
of app, config,
coding, hash, and
design options
Keeping
the design
detail a secret
is imperative
Concatenated
hash checks
have never
been cracked
Operates
securely without
all members
being
on-line
AS A NETWORK
Dynamically connected machines
via every conceivable topology
This diversity all adds to the security equation
Open
Closed
Internet
Telephone
Broadband
LAN
WiFi
WLAN
3/45G
DarkNet
How do I know you are
what you say you are
where is the validation
and evidence of any
crosschecks
PUBLIC KEY ET AL ARE in
use here but it is a
prime threat area and
a point of attack
SECURITY
Communications
All machine-to-machine/network communications are protected by public and/or private key or some other form of ‘disguising/hiding/encryption’
If you need a tutorial on this GOTO:
https://www.slideshare.net/PeterCochrane/public-key-made-very-easy
Short Form GOTO:
https://bit.ly/2yp1tep
blockchain
Perhaps the ultimate solution
Ledger(s)
Processing
Storage
A decentralised system of shared ledgers
(public or private) across tens/hundreds/
thousands of machines of all
kinds capable of processing,
storage and peer-to-peer
networking
Obviously, in the limit, not infinitely scalable:
connectivity, latency, machine memory et al are all finite
Sample FEATURES
By way of simple but strong analogies
• A transaction (a single page) has a hash number (page character type count)
• Blocks (concatenated pages) have an accumulated page-on-page, hash-on-hash value
• BlockChain - an endless book (of concatenated chapters) has an accumulated running hash
We can detect the removal or insertion of a single full stop, or any character, word, sentence, para or page anywhere in this Bible!
We therefore know with certainty if it has been interfered with!
boiled down
Using proven algorithms
PROOF OF WORK
Was a message sent ?
Was a transaction completed ?
Was everything acknowledged ?
How big was the completing hash ?
Was everything checked and tested positive ?
HASH FUNCTION
An apparently simple mathematical operation
Uses a complex seed of two (or more) primary numbers
This is digitally multiplied by a binary file to be protected
A unique hash is generated to detect the smallest of changes
Answers the question: is this the correct file or has it been tampered with ?
Hash Binary Code Number
Unique Hash Code Number
Input File
Input Factors
Proof of Work Number
Merkle Tree
The concatenated hash
Each page of our book is given a hash value used in creating a block hash and then a chain hash by a process of sequential concatenation
PAGE 1, PAGE 2, PAGE 3, PAGE 4
HASH OF PAGE 1 + 2
HASH OF PAGE 3 + 4
HASH OF PAGES 1 + 2 + 3 + 4
A change of any one
character or space
on any page at any
time will be detected
& flagged immediately
HIGH SECURITY
[Diagram: hash tree over File 1, File 2, File 3 and File 4]
A four file Block
Individual file hashing
Grouped hash of hashes
A full block hash
A fixed size number that will
change if just one file has
a ‘full stop’ changed
N The Block hash value
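The page/block/chain hashing described on the last two slides, as an added example that is not part of the original lecture: it builds the four-page hash tree with SHA-256, reports which page no longer matches a trusted tree, and links blocks into a running chain hash. It generalises slightly beyond the slide by accepting any number of pages; the page texts, function names and the all-zero starting value for the chain are constructed for illustration.

```python
import hashlib

# Constructed sample block of four "pages".
PAGES = [b"In the beginning.", b"Second page.", b"Third page.", b"Fourth page."]


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_levels(pages):
    """Return every level of the hash tree: page hashes first, root last."""
    if not pages:
        raise ValueError("a block needs at least one page")
    # A prefix byte keeps page hashes and pair hashes in separate domains,
    # so an inner node can never be passed off as a page.
    level = [sha(b"\x00" + p) for p in pages]
    levels = [level]
    while len(level) > 1:
        nxt = [sha(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:          # an odd page out is carried up unchanged
            nxt.append(level[-1])
        levels.append(nxt)
        level = nxt
    return levels


def block_hash(pages):
    """The fixed-size block hash (root of the tree)."""
    return merkle_levels(pages)[-1][0]


def changed_pages(trusted_levels, pages):
    """Indices whose page hash differs from, or is absent in, the trusted tree."""
    trusted = trusted_levels[0]
    current = merkle_levels(pages)[0] if pages else []
    longest = max(len(trusted), len(current))
    return [i for i in range(longest)
            if i >= len(trusted) or i >= len(current) or trusted[i] != current[i]]


def chain_hashes(blocks):
    """Running hash over successive blocks; each link covers all earlier ones."""
    running = b"\x00" * 32          # constructed starting value
    links = []
    for pages in blocks:
        running = sha(running + block_hash(pages))
        links.append(running)
    return links


if __name__ == "__main__":
    trusted = merkle_levels(PAGES)
    tampered = list(PAGES)
    tampered[2] = b"Third page"     # one full stop removed
    print("root changed:", block_hash(tampered) != trusted[-1][0])
    print("pages flagged:", changed_pages(trusted, tampered))
```

Only the root needs to be stored somewhere trusted to detect tampering; keeping the lower levels as well is what allows the changed page to be pinpointed.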
Process Walk Through
For only one simple set of choices
User 1 requests a transaction
Peer computers analyse past blockchain transactions with verification through proof of work and/or P2P consensus
A different peer group for User 2 ?
IFF all agree that this is a sound transaction, then & only then: Assets are exchanged
The entire transaction is recorded in the distributed ledger across many machines
User 2 receives materials
Mining
Many alternatives
Negating all the 51%, intruder, & mimic attack scenario(s)
Randomly select 3, 5, 7… users as decision arbiters
Send them the ‘work functions’ of all users (or a significant slice/sample thereof)
If the selected 3, 5, 7… all agree on all user work functions and final hash tally, the transaction is carried
This is also a simple way of isolating rogue users and compromised machines/portions of the network
more
GOTO WWW
Beyond this outline you will find many articles, movies and slide sets dealing with specific cases and implementations available on line
The depiction opposite is just one example of very many
Parsing
Classic Perspective
Used extensively in speech recognition
and language translation by machines
We need to bend this concept to advantage in the creation of super secure storage on cloud or off
Parsing
Our Perspective
We are about to use this to ‘chunk’ documents pre or post encrypt BUT pre dispersion to multiple clouds or storage locations
Parse by Para
Encrypt with same/or different keys
Deposit on the same disc or cloud…or
Deposit on multiple discs or clouds…
All addressing and document ID and format info should be grossly different and give no clues…
Completeness must be a condition of this process to ensure maximum security no partial clues
Parsing
Our Perspective
Can be by letter, word, line, group sampling, and by document geographical (variable/fixed) guillotining
We can take this much further but so far it is the most secure protocol for cloud and disc storage
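The "parse by para, then disperse" step from the Parsing slides, as an added example that is not part of the original lecture: paragraphs are scattered over several stores under random object names, the owner keeps the only manifest, and reassembly refuses to return anything unless every chunk is present and unaltered. The stores are plain dictionaries standing in for separate clouds or discs, the document text and all names are constructed, and the per-chunk encryption the slides call for before dispersion is left out so that the block needs only the standard library.

```python
import hashlib
import secrets

# Constructed sample document of four paragraphs.
DOCUMENT = "\n\n".join([
    "Para one: the site survey is complete.",
    "Para two: three suppliers were shortlisted.",
    "Para three: the agreed price is confidential.",
    "Para four: signing is planned for next month.",
])


class IncompleteDocument(Exception):
    """A chunk is missing or altered, so nothing at all is returned."""


def disperse(document, stores):
    """Split on blank lines and scatter the paragraphs over `stores`.

    Returns the manifest. It stays with the owner and is the only record
    of chunk order, location and expected hash.
    """
    if len(stores) < 2:
        raise ValueError("dispersion needs at least two stores")
    start = secrets.randbelow(len(stores))
    manifest = []
    for i, para in enumerate(document.split("\n\n")):
        blob = para.encode("utf-8")
        idx = (start + i) % len(stores)     # neighbouring chunks never share a store
        object_id = secrets.token_hex(16)   # random name: no title, no sequence number
        stores[idx][object_id] = blob
        manifest.append({
            "store": idx,
            "id": object_id,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return manifest


def reassemble(manifest, stores):
    """Rebuild the document, or raise if any chunk is missing or altered."""
    parts = []
    for n, entry in enumerate(manifest):
        blob = stores[entry["store"]].get(entry["id"])
        if blob is None:
            raise IncompleteDocument(f"chunk {n} is missing")
        if hashlib.sha256(blob).hexdigest() != entry["sha256"]:
            raise IncompleteDocument(f"chunk {n} has been altered")
        parts.append(blob.decode("utf-8"))
    return "\n\n".join(parts)


if __name__ == "__main__":
    clouds = [{}, {}, {}]
    manifest = disperse(DOCUMENT, clouds)
    print([len(c) for c in clouds], reassemble(manifest, clouds) == DOCUMENT)
```

Anyone holding a single store sees unordered fragments with meaningless names; the manifest is therefore the item that has to be protected and backed up.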
Back to The Periphery
Reality Check as of 2020
Attacks escalating
Our exposure is growing
Attackers are winning the war
Attackers get richer by the year
Our defences are not 100% effective
We need to collaborate and share all
We are largely disorganised and underinvesting
People remain our single biggest attack risk
All our security tools are reactive & mostly outdated
Best market model appears to be the airline industry
We Can present easy
and very attractive
Opportunities for
cyber hackers and/or
criminals
Collaboration
Airlines model 2020
Safety record is all
Embraces entire industry
Every accident is investigated
All incident reports are open & shared
Safety communication is pilot/operator centric
Industries, manufacturers, governments all committed
Well organised and structured with a high level of accountability
Passenger and crew safety is the single biggest concern and success metric
Flying is generally the safest mode of transport globally as a result of this reinforcing model
Cyber security is in need of something very similar if it is ever to migrate out of the victim mode
• No transgressions
• Work up to the limit
• Keep within the spirit & word
• Our responsibility to keep up to date
• Seek legal advice on latitude
• Special dispensations may be possible
• National security/intelligence may help
• In general the Buck ends with you !
PLEASE NOTE
Attackers suffer none of this
Legal system
Codes of practice
Ethical principles
Moral responsibilities
The Dark Side is wholly
unconstrained and
limited by nothing and
no one - they only care
about the RoI - and the
damage, hurt, they inflict
- the crimes, and moral
outrages they commit -
mean nothing to them!
This sets us apart from
these despicable people
and it is the single biggest
differentiator in our
thinking, actions and mode
of operation!
EU GDPR https://eugdpr.org/
•Lawfulness, fairness and transparency.
•Purpose limitation.
•Data minimisation.
•Accuracy.
•Storage limitation.
•Integrity and confidentiality (security)
•Accountability.
Global Laws https://www.privacypolicies.com/blog/global-privacy-laws-explained/
• COPPA, CalOPPA
• Do Not Track
• PIPEDA, HIPAA
Fast Evolving
Mostly on the back foot often unworkable!
UK Data Protection act often violated by Gov Depts and their employees and public mostly ignore it
OUR COAT OF ARMS
We have codes of practice!
Do No Harm
As Cyber Security Professionals we are the tip
of a defence sword; but we cannot wield it as
yet! There has to be a national/international
decision as we are looking at starting a war that
might just expand into a global conflagration!
Reality is that no nation/country is in a position
to sanction such a risk (independent action) as
all are suffering inadequate defences and could
suffer a societal collapse should a war ensue!
OFF THE TABLE FOR NOW
We must not and dare not retaliate!
We almost certainly have all the tools, and technologies to ‘burn’ all the
hackers, hacker groups, criminals, rogue states, military and government
agencies! However, MAD prevails!
Mutually Assured Destruction
We are in a new kind of
cold-war but the other
side are making a fortune!
The extent of National Security retaliation ‘appears’ to be the taking down
of offending sites…
THE Potential Nightmare
We have no real evidence of who can do what!
SO HERE WE ARE !
In the middle of a major war
The Enemy Innovates fast
Things like this pop up almost weekly!
Defence essence
Speed of detection, response & adaptation
1) Our own passivity is the biggest danger
2) The attacker agility and innovation are our biggest challenge
3) Attackers have the first mover advantage & get to choose everything
4) Human defenders cannot be vigilant and prepared 24 x 365 year-on-year
5) Situational awareness is key & rooted in Data/Information gathering/analysis
6) Machines, AI, Machine Learning are key to solving (4 & 5) and giving us the edge
7) The application of anticipatory techniques is still in its infancy and needs investment!
8) Disparate companies, groups and government have almost all the components we need
9) It is essential that these resources (8) are brought to bear and integrated with (5 - 7)
10) We might just win this war, but not without changing the way we think and operate!
https://www.varonis.com/blog/cybersecurity-statistics/
Attack Catalogue
We face a rapidly changing landscape!
“It is essential to make a cyber threat review a daily routine by continually tapping the rich vein of reports and headline news available to the defence community”
https://go.crowdstrike.com/crowdstrike-global-threat-report-2020.html
https://www6.gemalto.com/ppc/dtr/global
https://www.accenture.com/gb-en/insights/cyber-security-index
https://solutionsreview.com/endpoint-security/key-findings-the-check-point-2020-cyber-security-report/
EXPERT OVERVIEW
Check Point 2020 Cyber Security Report
Major Takeaways :
“2019 presented a complex threat landscape where nation states, cybercrime
organisations and private contractors accelerated the cyber arms race, elevating
each other’s capabilities at an alarming pace, and this will continue into 2020”
“Even if an organisation is equipped with the most comprehensive, state-of-the-art
security products, the risk of being breached cannot be completely eliminated”
“Beyond detection and remediation, organisations need to adopt a proactive plan to
stay ahead of cyber-criminals and prevent attacks. Detecting and automatically
blocking the attack at an early stage can prevent damage”
https://www.varonis.com/blog/cybersecurity-statistics/
Today’s Choice
The most up to date on the prep day
factoids
Just scene setting 1
Global cybersecurity spend to reach $133.7 Bn in 2022. (Gartner)
62% of businesses hit by phishing/social engineering attacks in 2018. (Cybint Solutions)
68% of business leaders see cybersecurity risks increasing. (Accenture)
Only 5% of companies’ folders are properly protected, on average. (Varonis)
Data breaches exposed 4.1 Bn records in the first half of 2019. (RiskBased)
71% of breaches financially motivated and 25% motivated by espionage.  (Verizon)
52% of breaches were hacking, 28% malware, 32–33% phishing social eng. (Verizon)
Between Jan 2005 & April 2018 there were 8,854 recorded breaches. (ID Theft Resource Center)
Overall ransomware down 52% but enterprise infections up by 12% in 2018. (Symantec)
Top malicious email attachment types: .doc & .dot = 37%, next is .exe = 19.5%. (Symantec)
By 2020 humans & machines passwords globally will be ~300 billion. (Cybersecurity Media)
factoids
Just scene setting 2
Security breaches have increased by 11% since 2018 and 67% since 2014. (Accenture)
Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland) 
The average time to identify a breach in 2019 was 206 days. (IBM)
The average lifecycle of a breach was 314 days (from the breach to containment). (IBM)
500M customers (2014 on) information compromised @ Marriott-Starwood made public 2018.
64% of Americans have never checked to see if they were affected by a data breach. (Varonis)
56% of Americans don’t know what steps to take in the event of a data breach. (Varonis)
The average cost of a data breach is $3.92 million as of 2019. (Security Intelligence)
83% of enterprise workloads will move to the cloud by the year 2020. (Forbes)
In 2016 3 Bn Yahoo accounts hacked in one of the biggest breaches of all time. (NY Times)
factoids
Just scene setting 3
In 2016, Uber reported hackers had stolen info on >57 million riders and drivers. (Uber)
In 2017, 412 M user accounts were stolen from Friendfinder’s sites. (Wall Street Journal)  
In 2017, 147.9 M consumers were affected by the Equifax Breach. (Equifax)
The Equifax breach cost the company over $4 billion in total. (Time Magazine)
In 2018, Under Armour reported “My Fitness Pal” was hacked, affecting 150 M users.
Uber tried to pay off hackers to delete the stolen data of 57 million users and
keep the breach quiet. (Bloomberg)
18 Russians, 19 Chinese individuals, 11 Iranians and one North Korean were
involved in indictments for their alleged state-sponsored espionage against the
United States. (Symantec) 
Metrics
Where to focus
Persistent Crisis
Anti-phase cyclic actions correlate with events
Company/Institutions/Gov/Industry Status Surveys remain almost static year-on-year and show little sign of improvement despite the growing number of attacks & reputational damage
Attack Rankings
Where to focus and to track!
Initial Access
Dominant break-in methods
All human fallibility mechanisms!
SPAM HOSTING
Top 20 Country Hit Parade
SPOOFED BRANDS
Top 10 used in SPAM Attacks
Malware CODE
New genetic code increase
Top Industry Targets
SPAM
Victims
Beware 1: What this does not show is the potential/actual ROI per category
Beware 2: Nor does it indicate the probability or likelihood of a hit per category
Predictions 2020
Where are the cyber threats to be?
CISCO POSITION
Protecting customers - taking the pain away
https://www.youtube.com/watch?time_continue=130&v=eg_m5jrt1gQ&feature=emb_logo
Back to our Reality
We are in a major war and losing fast
The long term solution rests on 6 (or 7) cornerstones:
1) Taking human DIY out of the security loop
2) Automate the cyber security on every app, device, machine++
3) Apply the principles of auto-immunity throughout the user domain
4) Change the culture from destructive protectionism to proactive sharing
5) Engage in R&D that allows us to ape and anticipate the Dark Side Attacks
6) Introduce AI learning engines at every level to identify ‘give away’ patterns
7) ?????
Ethical Hacker
Hire ‘white hat’ attackers
to find hidden vulnerabilities
Further Reading
A selection of relevant reports & studies
https://resources.infosecinstitute.com/top-cybersecurity-predictions-for-2020/#gref
https://www.ifsecglobal.com/cyber-security/predicting-the-top-five-2020-cyber-security-trends/
https://cybersecurityventures.com/cybersecurity-almanac-2019/
https://www.mimecast.com/the-state-of-email-security-2019/
https://www.cisco.com/c/en_uk/products/security/security-reports.html
https://www.forbes.com/sites/daveywinder/2020/02/11/these-ancient-microsoft-security-flaws-are-still-driving-cybercrime-in-2020/#3c3105a6657e
https://www.akamai.com/uk/en/resources/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp
https://www.ibm.com/security/digital-assets/xforce-threat-intelligence-index-map/#/
https://content.fireeye.com/m-trends/rpt-m-trends-2020
Things that Think want to Link
and
Things that Link want to Think
FIN - Q&A?
www.petercochrane.com

CYBER DEFENCE SCENARIOS - Part 2: Building The Blue Team

  • 1. CYBER DEFENCE SCENARIOS petercochrane.com Prof Peter Cochrane OBE
  • 2. STUDENT ALERT This lecture is primarily a BLUE TEAM exercise where we review the field to then assume the mantle of a defence group engineering a secure environment for fixed and mobile workers. Be prepared to exploit the attacker mind-set, thinking the unthinkable, during the previous RED TEAM exercise! The process will become highly interactive toward the latter half of the lecture and to fully understand you will have to fully engage.
  • 3. NO Silver Bullets: Complex problems demand complex solutions - You cannot solve a problem from within the very framework that created it! - The energy to solve a problem is always greater than that expended to create it! We are going to need a wide range of continually evolving & increasingly sophisticated tools if we are to stop/control the growth of cyber attacks… - The more we know about the Enemy/Dark Side/Red Team the more likely we are to succeed!
  • 4. To be effective! Comprehensive defence design + Global, Mobile, Malleable, Adaptable, Automated, Concentric, Responsive, Intelligent, Evolutionary, Self sufficient, Well maintained, Highly networked, Wholly integrated, Fully anticipatory. ISP.n, Decoys, Apps.n, Fibre.n, Cloud.n, Route.n, Decoys, Cloaking, Biometrics, Cloaking, Services x n, AI Analysis, Data Sharing, Collaborators, Market Watch, AI Diagnostics, 24x7x365 Watch, White Hat Testing, Device Monitoring, People Monitoring, Traffic Monitoring, Attack Monitoring, Network Monitoring, Behavioural Analysis, Security Advisory Board, Experience/Data Network
  • 5. Past Lessons: Fence; Fence + Mound; Wall + Mound; Wall + Mound + Ditch; Wall + Mound + Moat; Wall(s) + Mound + Keep + Moat; Wall(s) + Mound + Keep + Moat + Hidden Ditch + Obstacles; Castle in a Castle!
  • 6. Slow evolution: The enemy is mobile & agile. Iron Age, Napoleon. Exponentially more expensive and longer build time. Effectiveness on a shorter and shorter fuse!
  • 7. Slow evolution: The enemy is mobile & agile. Iron Age, Napoleon. Exponentially more expensive and longer build time. Effectiveness on a shorter and shorter fuse! Does this not look like the recent history of cyber defence, with layer on layer of fixed/static defences? And we are still building them in the form of bunkers at even vaster expense
  • 8. WALLS DON’T WORK But we keep building them! And after > 2000 years of evolution, what comes next?
  • 9. WALLS DON’T WORK But we keep building them! And after > 2000 years of evolution, what comes next? After 1000s of years building them they are still static and unable to adapt as fast as the enemy. You can: dig a tunnel, cut a hole, end run, climb over, fly over, drive/walk through on false documents
  • 10. Faster evolution: The enemy is mobile and agile
  • 11. WHAT DID WE LEARN! Concentric defence layers work(ish)? Not so if they are: Fixed, Unchanging, Unresponsive, Slow to evolve, Lack intelligence, Poorly maintained, Operate in isolation, Not wholly integrated, Not fully anticipatory. Hub, LAN, Switch, CPE; Hub, LAN, Switch, CPE; ISP; CLOUD(s). Security at every layer has to be dynamic & adaptable. VPNs -PNs Encryption
  • 12. EXEMPLAR Threat Reduction “Honed in the face of years (decades) of ongoing of threat with Carriers, Companies, ISPs, Service Providers, Security and Intelligence agencies across to provide a stable (for now) model - but much more is required of the IT industry, Operators & Customers”
  • 13. EXEMPLAR Threat Reduction “Honed in the face of years (decades) of ongoing of threat with Carriers, Companies, ISPs, Service Providers, Security and Intelligence agencies across to provide a stable (for now) model - but much more is required of the IT industry, Operators & Customers” Each segment/ish demands specialised teams and great expertise on R&D FULL TIME
  • 14. Parody! We feel reality. Suppose our cars were like our laptops and other IT kit - what would we think and do? This is a complete product based on the industrial developments spanning > 130 years
  • 15. REALITY! It can be a pain: Auto Upgrade, Problematic, Not full so! Each device is idiosyncratic & not inherently secure - demanding users to be alert & capable! Multi-OS, Multi-App, Fixed/Mobile. Users’ lives at work and at home are becoming ever more complex as the number of devices, peripherals, terminals and appliances multiply. Husband - Wife, Home - Office, Fixed - Mobile, Personal and Company; Children: School - Home, Games - Video, Social Nets, Study - Fun
  • 16. REALITY! It can be a pain: Auto Upgrade, Problematic, Not full so! Each device is idiosyncratic & not inherently secure - demanding users to be alert & capable! Multi-OS, Multi-App, Fixed/Mobile. Users’ lives at work and at home are becoming ever more complex as the number of devices, peripherals, terminals and appliances multiply. Husband - Wife, Home - Office, Fixed - Mobile, Personal and Company; Children: School - Home, Games - Video, Social Nets, Study - Fun. All of these products have only been with us a very few decades and remain immature
  • 17. The immature IoT. AND NEXT? The infantile IoT. Conceived, designed, produced off shore with security more or less an afterthought & a last minute kluge! This may be an impending nightmare
  • 18. Status Untenable
  • 19. Increasing Risk. Status Untenable
  • 20. Increasing Risk. Status Untenable
  • 21. Increasing Risk. Status Untenable. IT companies need to get a grip and start supplying complete products. IT security is way beyond Joe Public and most of the population
  • 22. Solution Space: Behavioural Analysis of People, Machines, Networks, Applications
  • 23.
  • 24.
  • 25. Solution Space: AI Behavioural Analysis of Net Machines, Networks, Applications. Pre-Attack Activities
  • 26. Solution Space: AI Behavioural Analysis of Net Machines, Networks, Applications. Pre-Attack Activities. Early days but retrospectively shown to be capable of identifying some cyber and terrorist attacks. AI still in early learning phase and examining many different attack types. Grossly underfunded in a start up with actual deployment uncertain
  • 27. Segue Diversity: Power + Control + Comms Cable Distribution: Port, Keel, Starboard. Power Generation + Main Plant + Generator + Batteries. Increasing reliability, resilience & survivability
  • 28. Segue Diversity: Power + Control + Comms Cable Distribution: Port, Keel, Starboard. Power Generation + Main Plant + Generator + Batteries. Increasing reliability, resilience & survivability. Safety Belt, Braces, Lifeline
  • 29. Diversity: FaceBook Server Farm Facility. Mirrored in and out; Multiple Power & Fibre Feeds; Controlled Access at all levels; Standby Generators & Batteries; ~50 km from nearest Airport; Standby Batteries for every rack
  • 30. Dispersed Risk & Redundancy: People Skills, Physical Locations, Multiple Equipments, Traffic Routing Directing
  • 31. Diversity: Reliability/Resilience
  • 32. Diversity: Reliability/Resilience. A single Cloud/Services Provider poses a potential single point of failure. All your eggs in one basket with no legal recourse should the provider lose or corrupt your data
  • 33. Diversity: Reliability/Resilience
  • 34. Diversity: Reliability/Resilience. Triplication creates a vast improvement in the overall reliability and security
  • 35. Secure Storage: Documents open, locked, encrypted? Singular back ups, or multiple co-located Tape, Disc, SS drives on desk, in building, on servers, at ISPs, or on a singular Cloud? Could we create an even greater degree of data security
  • 36. Secure Storage: Documents open, locked, encrypted? Singular back ups, or multiple co-located Tape, Disc, SS drives on desk, in building, on servers, at ISPs, or on a singular Cloud? Multiple Clouds (at least) triplicated provides a far higher degree of security. Why an odd number (3)? If you only had two copies - and one is corrupted - how do you choose the correct one? Could we create an even greater degree of data security
  • 37. Segue AeroSpace: Commonly adopt triplicated sensors, computers, displays + electrical and hydraulic systems
  • 38. Other sectors: Most mission/life critical systems! Nuclear Power is obvious - can you think of more likely candidates?
  • 39. blockChain: A very brief overview. For a fuller treatment GOTO: https://www.slideshare.net/PeterCochrane/block-chain-basics Short Form: https://bit.ly/2xsxEJt
  • 40. BlockChain: A very very brief overview • Self organising • Functionally autonomous • A distributed electronic ledger • 2007/2009 saw visible manifestations • No one knows the inventor/origins for sure • Designs, protocols and code are open source • Security agencies suspected to be on a similar tack • Specialised Block Chains dedicated to just one task • Generalised Block Chains are now becoming a platform • A next step in the logical progression toward decentralisation • Inherently more secure than any previously realised transaction system • Sidelines institutions and centralised control making all transactions simpler
  • 41. Capabilities: Great utility spanning all spheres: Voting, Storage, Records, R&D data, Multi-media, Production data, Patents/Copyright, Licences/permissions, Property deeds/ownership, Every form of value exchange, Ultra secure communications, All forms of legal documentation +++++ WTH are Hash Functions and Merkle Trees?
  • 42. Capabilities: Great utility spanning all spheres: Voting, Storage, Records, R&D data, Multi-media, Production data, Patents/Copyright, Licences/permissions, Property deeds/ownership, Every form of value exchange, Ultra secure communications, All forms of legal documentation +++++ WTH are Hash Functions and Merkle Trees? Confirms the validity of data and an agreed transaction beyond all doubt. IF you did not study maths you have to take this on trust, but there is hidden beauty in all this. There has been a widespread hype of this tech and what it can actually do. It has been used inappropriately and many have disclosed their architectures
  • 43. A New Ledger: Digital, Encrypted, Highly Complex • Distributed attack virtually impossible • Obscuration through complexity • Impervious to focussed attack • Spread over many machines • Geographically distributed • Address space invisible • Inherently secure • Format variable • Vastly scaleable • Multiple forms • Multi-key. No one knows who owns individual machines, where they are, what type they are, which OS and apps they use, when & if they are on-line. (No) single point of failure or access. Machines can protect themselves and each other. Networks are generally configuration dynamic. A vast number of app, config, coding, hash, and design options. Keeping the design detail a secret is imperative. Concatenated hash checks have never been cracked. Operates securely without all members being on-line
  • 44. AS A NETWORK: Dynamically connected machines via every conceivable topology. This diversity all adds to the security equation. Open, Closed, Internet, Telephone, Broadband, LAN, WiFi, WLAN, 3/4/5G, DarkNet
  • 45. AS A NETWORK: Dynamically connected machines via every conceivable topology. This diversity all adds to the security equation. Open, Closed, Internet, Telephone, Broadband, LAN, WiFi, WLAN, 3/4/5G, DarkNet. How do I know you are what you say you are? Where is the validation and evidence of any crosschecks? PUBLIC KEY et al. ARE in use here, but it is a prime threat area and a point of attack
  • 46. SECURITY Communications: All machine-to-machine/network communications are protected by public and/or private key or some other form of ‘disguising/hiding/encryption’. If you need a tutorial on this GOTO: https://www.slideshare.net/PeterCochrane/public-key-made-very-easy Short Form GOTO: https://bit.ly/2yp1tep
  • 47. blockchain: Perhaps the ultimate solution. Ledger(s), Processing, Storage. A decentralised system of shared ledgers (public or private) across tens/hundreds/thousands of machines of all kinds capable of processing, storage and peer-to-peer networking
  • 48. blockchain: Perhaps the ultimate solution. Ledger(s), Processing, Storage. A decentralised system of shared ledgers (public or private) across tens/hundreds/thousands of machines of all kinds capable of processing, storage and peer-to-peer networking. Obviously, in the limit, not infinitely scalable: connectivity, latency, machine memory et al. are all finite
  • 49. Sample FEATURES: By way of simple but strong analogies • A transaction (a single page) has a hash number (page character type count) • Blocks (concatenated pages) have an accumulated page-on-page, hash-on-hash value • BlockChain - an endless book (of concatenated chapters) has an accumulated running hash. We can detect the removal or insertion of a single full stop, or any character, word, sentence, para or page anywhere in this Bible! We therefore know with certainty if it has been interfered with!
  • 50. boiled down: Using proven algorithms. PROOF OF WORK: Was a message sent? Was a transaction completed? Was everything acknowledged? How big was the completing hash? Was everything checked and tested positive? HASH FUNCTION: An apparently simple mathematical operation. Uses a complex seed of two (or more) primary numbers. This is digitally multiplied by a binary file to be protected. A unique hash is generated to detect the smallest of changes. Answers the question: is this the correct file or has it been tampered with? [Diagram labels: Hash Binary Code Number; Unique Hash Code Number; Input File; Input Factors; Proof of Work Number]
  • 51. MERKLE TREE: The concatenated hash. Each page of our book is given a hash value used in creating a block hash and then a chain hash by a process of sequential concatenation. PAGE 1, PAGE 2, PAGE 3, PAGE 4; HASH OF PAGE 1 + 2; HASH OF PAGE 3 + 4; HASH OF PAGES 1 + 2 + 3 + 4. A change of any one character or space on any page at any time will be detected & flagged immediately. HIGH SECURITY
  • 52. A four file Block: File 1, File 2, File 3, File 4. Individual file hashing; Grouped hash of hashes; A full block hash. The Block hash value N: a fixed size number that will change if just one file has a ‘full stop’ changed
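
The page, block and running-chain hashes of slides 49 to 52, written out as an added example (not code from the lecture). SHA-256 stands in for the hash function, which the slides do not name, and the leaf/node prefix bytes, the inclusion proof and all function names are assumptions of this sketch; the sample pages are constructed.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """SHA-256; an assumption, the slides do not name a hash function."""
    return hashlib.sha256(data).digest()


def leaf_hashes(items):
    # 0x00 marks a page/file hash and 0x01 a hash-of-hashes, so one can
    # never be passed off as the other when a proof is checked.
    return [h(b"\x00" + item) for item in items]


def next_level(level):
    """Hash neighbouring pairs; an unpaired last node is carried up as is."""
    up = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        up.append(level[-1])
    return up


def merkle_root(items):
    """The 'full block hash': one fixed-size value covering every page."""
    if not items:
        raise ValueError("a block needs at least one page/file")
    level = leaf_hashes(items)
    while len(level) > 1:
        level = next_level(level)
    return level[0]


def inclusion_proof(items, index):
    """Sibling hashes needed to rebuild the root from items[index] alone."""
    if not 0 <= index < len(items):
        raise IndexError("no such page")
    level, proof = leaf_hashes(items), []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))  # (hash, is_left)
        level, index = next_level(level), index // 2
    return proof


def verify_inclusion(item, proof, root):
    """Check one page against a trusted root without seeing the other pages."""
    node = h(b"\x00" + item)
    for sibling, sibling_is_left in proof:
        pair = sibling + node if sibling_is_left else node + sibling
        node = h(b"\x01" + pair)
    return hmac.compare_digest(node, root)


def chain_hashes(blocks, genesis=b"\x00" * 32):
    """Running hash: each value covers a block's root and the previous value."""
    out, prev = [], genesis
    for pages in blocks:
        prev = h(prev + merkle_root(pages))
        out.append(prev)
    return out


def first_mismatch(blocks, recorded):
    """Index of the first block that no longer matches the recorded chain."""
    for i, (got, want) in enumerate(zip(chain_hashes(blocks), recorded)):
        if not hmac.compare_digest(got, want):
            return i
    if len(blocks) != len(recorded):
        return min(len(blocks), len(recorded))
    return None


if __name__ == "__main__":
    # Constructed sample: three blocks of pages, recorded once, then edited.
    book = [[b"Page 1.", b"Page 2.", b"Page 3.", b"Page 4."],
            [b"Page 5.", b"Page 6.", b"Page 7."],
            [b"Page 8."]]
    recorded = chain_hashes(book)
    book[1][2] = b"Page 7"  # one full stop removed
    print("first altered block:", first_mismatch(book, recorded))
    pages = book[0]
    proof = inclusion_proof(pages, 2)
    print("page 3 proven in block 0:", verify_inclusion(pages[2], proof, merkle_root(pages)))
```

The running hash only says which block changed if the recorded values themselves are held somewhere the editor of the pages cannot rewrite.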
  • 53. Process Walk Through: For only one simple set of choices. User 1 requests a transaction
  • 54. Process Walk Through: For only one simple set of choices. User 1 requests a transaction. Peer computers analyse past blockchain transactions with verification through proof of work and/or P2P consensus
  • 55. Process Walk Through: For only one simple set of choices. User 1 requests a transaction. Peer computers analyse past blockchain transactions with verification through proof of work and/or P2P consensus. A different peer group for User 2? IFF all agree that this is a sound transaction, then & only then: Assets are exchanged
  • 56. Process Walk Through: For only one simple set of choices. User 1 requests a transaction. Peer computers analyse past blockchain transactions with verification through proof of work and/or P2P consensus. A different peer group for User 2? IFF all agree that this is a sound transaction, then & only then: Assets are exchanged. The entire transaction is recorded in the distributed ledger across many machines
  • 57. Process Walk Through: For only one simple set of choices. User 1 requests a transaction. Peer computers analyse past blockchain transactions with verification through proof of work and/or P2P consensus. A different peer group for User 2? IFF all agree that this is a sound transaction, then & only then: Assets are exchanged. The entire transaction is recorded in the distributed ledger across many machines. User 2 receives materials
  • 58. Mining: Many alternatives. Negating all the 51%, intruder, & mimic attack scenario(s). Randomly select 3, 5, 7… users as decision arbiters. Send them the ‘work functions’ of all users (or a significant slice/sample thereof). If the selected 3, 5, 7… all agree on all user work functions and the final hash tally, the transaction is carried. This is also a simple way of isolating rogue users and compromised machines/portions of the network
  • 59. more GOTO WWW: Beyond this outline you will find many articles, movies and slide sets dealing with specific cases and implementations available on line. The depiction opposite is just one example of very many
  • 60. Parsing: Classic Perspective. Used extensively in speech recognition and language translation by machines
  • 61. Parsing: Classic Perspective. Used extensively in speech recognition and language translation by machines. We need to bend this concept to advantage in the creation of super secure storage on cloud or off
  • 62. Parsing: Our Perspective. We are about to use this to ‘chunk’ documents pre or post encrypt BUT pre dispersion to multiple clouds or storage locations. Parse by Para. Encrypt with same/or different keys
  • 63. Parsing: Our Perspective. We are about to use this to ‘chunk’ documents pre or post encrypt BUT pre dispersion to multiple clouds or storage locations. Parse by Para. Encrypt with same/or different keys
  • 64. Parsing: Our Perspective. We are about to use this to ‘chunk’ documents pre or post encrypt BUT pre dispersion to multiple clouds or storage locations. Parse by Para. Encrypt with same/or different keys
  • 65. Parsing: Our Perspective. We are about to use this to ‘chunk’ documents pre or post encrypt BUT pre dispersion to multiple clouds or storage locations. Parse by Para. Encrypt with same/or different keys. Deposit on the same disc or cloud… or Deposit on multiple discs or clouds…
  • 66. Parsing: Our Perspective. We are about to use this to ‘chunk’ documents pre or post encrypt BUT pre dispersion to multiple clouds or storage locations. Parse by Para. Encrypt with same/or different keys. Deposit on the same disc or cloud… or Deposit on multiple discs or clouds… All addressing and document ID and format info should be grossly different and give no clues… Completeness must be a condition of this process to ensure maximum security: no partial clues
  • 67. Parsing: Our Perspective. Can be by letter, word, line, group sampling, and by document geographical (variable/fixed) guillotining
  • 68. Parsing: Our Perspective. Can be by letter, word, line, group sampling, and by document geographical (variable/fixed) guillotining. Deposit on the same disc or cloud… or
  • 69. Parsing: Our Perspective. Can be by letter, word, line, group sampling, and by document geographical (variable/fixed) guillotining. Deposit on the same disc or cloud… or Deposit on multiple discs or clouds…
  • 70. Parsing: Our Perspective. Can be by letter, word, line, group sampling, and by document geographical (variable/fixed) guillotining. Deposit on the same disc or cloud… or Deposit on multiple discs or clouds… We can take this much further but so far it is the most secure protocol for cloud and disc storage
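
An added sketch (not from the lecture) of the "parse by para, then disperse" idea of slides 62 to 70 combined with the triplication argument of slide 36: each chunk is written to three of five stores under unrelated random names, and recovery takes a majority vote. The dict-backed stores, the manifest layout and the function names are assumptions; the encryption step is left out because Python's standard library has no cipher, so a real deployment would encrypt each chunk before calling `disperse`.

```python
import hashlib
import secrets
from collections import Counter

REPLICAS = 3  # odd, so a single bad copy is always outvoted


def parse_by_para(text):
    """'Parse by Para': one chunk per blank-line-separated paragraph."""
    return [p.encode("utf-8") for p in text.split("\n\n") if p.strip()]


def disperse(chunks, stores):
    """Write every chunk to REPLICAS distinct stores under random names.

    `stores` is a list of dicts standing in for separate clouds or discs.
    Returns the manifest, which the owner keeps apart from the stores:
    for each chunk, in order, a list of (store_index, object_id).
    """
    if len(stores) < REPLICAS:
        raise ValueError("need at least REPLICAS independent stores")
    rng = secrets.SystemRandom()
    manifest = []
    for chunk in chunks:
        placements = []
        for s in rng.sample(range(len(stores)), REPLICAS):
            # The name carries no document ID, position or format clue.
            object_id = secrets.token_hex(16)
            stores[s][object_id] = chunk
            placements.append((s, object_id))
        manifest.append(placements)
    return manifest


def recover_chunk(placements, stores):
    """Return the copy that a strict majority of the replicas agree on."""
    copies = [stores[s].get(object_id) for s, object_id in placements]
    present = [c for c in copies if c is not None]
    votes = Counter(hashlib.sha256(c).digest() for c in present)
    if not votes:
        raise LookupError("every replica is missing")
    digest, count = votes.most_common(1)[0]
    if count * 2 <= len(placements):
        raise ValueError("no majority: cannot tell which copy is correct")
    return next(c for c in present if hashlib.sha256(c).digest() == digest)


def recover(manifest, stores):
    """Rebuild the document; fails as a whole if any one chunk fails."""
    paras = [recover_chunk(p, stores) for p in manifest]
    return b"\n\n".join(paras).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample document and five stand-in stores.
    doc = "First paragraph.\n\nSecond paragraph.\n\nThird paragraph."
    clouds = [dict() for _ in range(5)]
    manifest = disperse(parse_by_para(doc), clouds)

    # Corrupt one replica of the second chunk: two good copies outvote it.
    s, oid = manifest[1][0]
    clouds[s][oid] = b"Second paragraph, altered."
    print(recover(manifest, clouds) == doc)

    # With only two copies, one of them corrupt, there is no way to choose.
    try:
        recover_chunk(manifest[1][:2], clouds)
    except ValueError as err:
        print("two copies:", err)
```

The manifest is now the one object that ties the pieces together, so it needs at least the protection the original document had.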
  • 71. Back to The Periphery: Reality Check as of 2020. Attacks escalating. Our exposure is growing. Attackers are winning the war. Attackers get richer by the year. Our defences are not 100% effective. We need to collaborate and share all. We are largely disorganised and underinvesting. People remain our single biggest attack risk. All our security tools are reactive & mostly outdated. Best market model appears to be the airline industry
  • 72. Back to The Periphery: Reality Check as of 2020. Attacks escalating. Our exposure is growing. Attackers are winning the war. Attackers get richer by the year. Our defences are not 100% effective. We need to collaborate and share all. We are largely disorganised and underinvesting. People remain our single biggest attack risk. All our security tools are reactive & mostly outdated. Best market model appears to be the airline industry. We can present easy and very attractive opportunities for cyber hackers and/or criminals
  • 73. Collaboration: Airlines model 2020. Safety record is all. Embraces entire industry. Every accident is investigated. All incident reports are open & shared. Safety communication is pilot/operator centric. Industries, manufacturers, governments all committed. Well organised and structured with a high level of accountability. Passenger and crew safety is the single biggest concern and success metric
  • 74. Collaboration: Airlines model 2020. Safety record is all. Embraces entire industry. Every accident is investigated. All incident reports are open & shared. Safety communication is pilot/operator centric. Industries, manufacturers, governments all committed. Well organised and structured with a high level of accountability. Passenger and crew safety is the single biggest concern and success metric
  • 75. Collaboration: Airlines model 2020. Safety record is all. Embraces entire industry. Every accident is investigated. All incident reports are open & shared. Safety communication is pilot/operator centric. Industries, manufacturers, governments all committed. Well organised and structured with a high level of accountability. Passenger and crew safety is the single biggest concern and success metric. Flying is generally the safest mode of transport globally as a result of this reinforcing model. Cyber security is in need of something very similar if it is ever to migrate out of the victim mode
  • 76. • No transgressions • Work up to the limit • Keep within the spirit & word • Our responsibility to keep up to date • Seek legal advice on latitude • Special dispensations may be possible • National security/intelligence may help • In general the Buck ends with you! PLEASE NOTE Attackers suffer none of this: Legal system, Codes of practice, Ethical principles, Moral responsibilities. The Dark Side is wholly unconstrained and limited by nothing and no one - they only care about the RoI - and the damage, hurt, they inflict - the crimes, and moral outrages they commit - mean nothing to them! This sets us apart from these despicable people and it is the single biggest differentiator in our thinking, actions and mode of operation!
  • 77. EU GDPR https://eugdpr.org/ • Lawfulness, fairness and transparency • Purpose limitation • Data minimisation • Accuracy • Storage limitation • Integrity and confidentiality (security) • Accountability. Global Laws https://www.privacypolicies.com/blog/global-privacy-laws-explained/ • COPPA, CalOPPA • Do Not Track • PIPEDA, HIPAA. Fast Evolving: Mostly on the back foot, often unworkable!
  • 78. EU GDPR https://eugdpr.org/ • Lawfulness, fairness and transparency • Purpose limitation • Data minimisation • Accuracy • Storage limitation • Integrity and confidentiality (security) • Accountability. Global Laws https://www.privacypolicies.com/blog/global-privacy-laws-explained/ • COPPA, CalOPPA • Do Not Track • PIPEDA, HIPAA. Fast Evolving: Mostly on the back foot, often unworkable! UK Data Protection Act often violated by Gov Depts and their employees, and the public mostly ignore it
  • 79. OUR COAT OF ARMS: We have codes of practice! Do No Harm. As Cyber Security Professionals we are the tip of a defence sword; but we cannot wield it as yet! There has to be a national/international decision as we are looking at starting a war that might just expand into a global conflagration! Reality is that no nation/country is in a position to sanction such a risk (independent action) as all are suffering inadequate defences and could suffer a societal collapse should a war ensue!
  • 80. OFF THE TABLE FOR NOW: We must not and dare not retaliate! We almost certainly have all the tools, and technologies to ‘burn’ all the hackers, hacker groups, criminals, rogue states, military and government agencies! However, MAD prevails! Mutually Assured Destruction. We are in a new kind of cold-war but the other side are making a fortune! The extent of National Security retaliation ‘appears’ to be the taking down of offending sites…
  • 81. OFF THE TABLE FOR NOW: We must not and dare not retaliate! We almost certainly have all the tools, and technologies to ‘burn’ all the hackers, hacker groups, criminals, rogue states, military and government agencies! However, MAD prevails! Mutually Assured Destruction. We are in a new kind of cold-war but the other side are making a fortune! The extent of National Security retaliation ‘appears’ to be the taking down of offending sites…
  • 82. THE Potential Nightmare: We have no real evidence of who can do what!
  • 83. SO HERE WE ARE! In the middle of a major war
  • 84. The eNemy Innovates fast: Things like this pop up almost weekly!
  • 85. Defence essence: Speed of detection, response & adaptation 1) Our own passivity is the biggest danger 2) The attacker agility and innovation our biggest challenge 3) Attackers have the first mover advantage & get to choose everything 4) Human defenders cannot be vigilant and prepared 24 x 365 year-on-year 5) Situational awareness is key & rooted in Data/Information gathering/analysis 6) Machines, AI, Machine Learning are key to solving (4 & 5) and giving us the edge 7) The application of anticipatory techniques is still in its infancy and needs investment! 8) Disparate companies, groups and government have almost all the components we need 9) It is essential that these resources (8) are brought to bear and integrated with (5-7) 10) We might just win this war, but not without changing the way we think and operate!
  • 86. Attack Catalogue: We face a rapidly changing landscape! “It is essential to make a cyber threat review a daily routine by continually tapping the rich vein of reports and headline news available to the defence community” https://www.varonis.com/blog/cybersecurity-statistics/ https://go.crowdstrike.com/crowdstrike-global-threat-report-2020.html https://www6.gemalto.com/ppc/dtr/global https://www.accenture.com/gb-en/insights/cyber-security-index https://solutionsreview.com/endpoint-security/key-findings-the-check-point-2020-cyber-security-report/
  • 87. EXPERT OVERVIEW: Check Point 2020 Cyber Security Report. Major Takeaways: “2019 presented a complex threat landscape where nation states, cybercrime organisations and private contractors accelerated the cyber arms race, elevating each other’s capabilities at an alarming pace, and this will continue into 2020” “Even if an organisation is equipped with the most comprehensive, state-of-the-art security products, the risk of being breached cannot be completely eliminated” “Beyond detection and remediation, organisations need to adopt a proactive plan to stay ahead of cyber-criminals and prevent attacks. Detecting and automatically blocking the attack at an early stage can prevent damage”
  • 88. Today’s Choice: The most up to date on the prep day https://www.varonis.com/blog/cybersecurity-statistics/
  • 89. factoids: Just scene setting 1. Global cybersecurity spend to reach $133.7 Bn in 2022. (Gartner) 62% of businesses hit by phishing/social engineering attacks in 2018. (Cybint Solutions) 68% of business leaders see cybersecurity risks increasing. (Accenture) Only 5% of companies’ folders are properly protected, on average. (Varonis) Data breaches exposed 4.1 Bn records in the first half of 2019. (RiskBased) 71% of breaches financially motivated and 25% motivated by espionage. (Verizon) 52% of breaches were hacking, 28% malware, 32–33% phishing social eng. (Verizon) Between Jan 2005 & April 2018 there were 8,854 recorded breaches. (ID Theft Resource Center) Overall ransomware down 52% but enterprise infections up by 12% in 2018. (Symantec) Top malicious email attachment types: .doc & .dot = 37%, next is .exe = 19.5%. (Symantec) By 2020 human & machine passwords globally will be ~300 billion. (Cybersecurity Media)
  • 90. factoids: Just scene setting 2. Security breaches have increased by 11% since 2018 and 67% since 2014. (Accenture) Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland) The average time to identify a breach in 2019 was 206 days. (IBM) The average lifecycle of a breach was 314 days (from the breach to containment). (IBM) 500M customers’ (2014 on) information compromised @ Marriott-Starwood, made public 2018. 64% of Americans have never checked to see if they were affected by a data breach. (Varonis) 56% of Americans don’t know what steps to take in the event of a data breach. (Varonis) The average cost of a data breach is $3.92 million as of 2019. (Security Intelligence) 83% of enterprise workloads will move to the cloud by the year 2020. (Forbes) In 2016 3 Bn Yahoo accounts hacked in one of the biggest breaches of all time. (NY Times)
  • 91. factoids: Just scene setting 3. In 2016, Uber reported hackers stole info on >57 million riders and drivers. (Uber) In 2017, 412 M user accounts were stolen from Friendfinder’s sites. (Wall Street Journal) In 2017, 147.9 M consumers were affected by the Equifax Breach. (Equifax) The Equifax breach cost the company over $4 billion in total. (Time Magazine) In 2018, Under Armour reported “My Fitness Pal” was hacked, affecting 150 M users. Uber tried to pay off hackers to delete the stolen data of 57 million users and keep the breach quiet. (Bloomberg) 18 Russians, 19 Chinese individuals, 11 Iranians and one North Korean were involved in indictments for their alleged state-sponsored espionage against the United States. (Symantec)
  • 92. Metrics: Where to focus
  • 93. Persistent Crisis: Anti-phase cyclic actions correlate with events. Company/Institutions/Gov/Industry Status Surveys remain almost static year-on-year and show little sign of improvement despite the growing number of attacks & reputational damage.
  • 94. Attack Rankings: Where to focus and to track!
  • 95. Initial Access: Dominant break-in methods. All human fallibility mechanisms!
  • 96. SPAM Hosting: Top 20 Country Hit Parade
  • 97. Spoofed Brands: Top 10 used in SPAM Attacks
  • 98. Malware Code: New genetic code increase
  • 99. Malware Code: New genetic code increase. Top Industry Targets. SPAM Victims.
  • 100. Malware Code: New genetic code increase. Top Industry Targets. SPAM Victims.
      • Beware 1: What this does not show is the potential/actual ROI per category.
      • Beware 2: Nor does it indicate the probability or likelihood of a hit per category.
  • 101. Predictions 2020: Where are the cyber threats to be?
  • 102. Cisco Position: Protecting customers - taking the pain away https://www.youtube.com/watch?time_continue=130&v=eg_m5jrt1gQ&feature=emb_logo
  • 103. Back to our Reality: We are in a major war and losing fast. The long term solution rests on 6 (or 7) cornerstones:
      1) Taking human DIY out of the security loop
      2) Automate the cyber security on every app, device, machine++
      3) Apply the principles of auto-immunity throughout the user domain
      4) Change the culture from destructive protectionism to proactive sharing
      5) Engage in R&D that allows us to ape and anticipate the Dark Side Attacks
      6) Introduce AI learning engines at every level to identify ‘give away’ patterns
      7) ?????
  • 104. Ethical Hacker: Hire a ‘white hat’. Attackers find hidden vulnerabilities.
  • 105. Further Reading: A selection of relevant reports & studies
      • https://resources.infosecinstitute.com/top-cybersecurity-predictions-for-2020/#gref
      • https://www.ifsecglobal.com/cyber-security/predicting-the-top-five-2020-cyber-security-trends/
      • https://cybersecurityventures.com/cybersecurity-almanac-2019/
      • https://www.mimecast.com/the-state-of-email-security-2019/
      • https://www.cisco.com/c/en_uk/products/security/security-reports.html
      • https://www.forbes.com/sites/daveywinder/2020/02/11/these-ancient-microsoft-security-flaws-are-still-driving-cybercrime-in-2020/#3c3105a6657e
      • https://www.akamai.com/uk/en/resources/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp
      • https://www.ibm.com/security/digital-assets/xforce-threat-intelligence-index-map/#/
      • https://content.fireeye.com/m-trends/rpt-m-trends-2020
  • 106. Things that Think want to Link and Things that Link want to Think. FIN - Q & A? www.petercochrane.com