Cyber Speed – The unknown velocity component
Jonathan Sinclair
Agenda
i. Motivation
ii. Goal
iii. Definitions
iv. SI Units
v. Where are we then?
vi. Understand your social impact
vii. Where you exist in the social ecosystem
viii. OODA Loop IT
ix. Defenders
x. Attackers
xi. The Answer
Delivery type
- As this presentation evolved it quickly became obvious that it should have been a white paper. Forgive the laziness of not reworking the material, and enjoy.
Disclaimer
- The following material in no way represents the opinions of my current employer. This presentation was created in my own time, using my own data gathering and research techniques.
Motivation
This presentation was inspired by two recent items I saw posted:
- A recent talk title posted on an HPE Protect roadshow agenda, which talked about the ‘Cyber Crisis’ and a velocity component identified as ‘at the speed of twitter’ (https://www.hpevents.be/protect/agenda.php)
- A small blog entry posted by the company Cybereason titled: “Security’s 2F2R Syndrome: Why fast remediation helps hackers maintain persistence in your network” (http://www.cybereason.com/securitys-2f2r-syndrome-how-fast-remediation-can-help-hackers-maintain-persistence/)
Goal
- Identifying a velocity component with regard to the emergence of a crisis within IT security is an interesting idea, and I’ll try to explore it further in the following slides.
- It leads to interesting questions about crisis management:
  - What is the correct time for a reaction?
  - What are the correct values for your Recovery Time Objective?
  - What are the correct values for your Recovery Point Objective?
  - Is a quick reaction time really required?
  - What if the corrective action doesn’t address the root cause?
  - What of residual fall-out?
  - How important are your communication messages?
Definition: Velocity
- Taking the Britannica definition we find ourselves with the following: “ve-loc-i-ty: The state of moving swiftly; rapid motion; celerity; speed.”
- A slightly more charming and wonderfully academic reference is given by Wikipedia: “The scalar absolute value (magnitude) of velocity is called "speed", being a coherent derived unit whose quantity is measured in the SI (metric) system as metres per second (m/s) or as the SI base unit of (m⋅s−1).”
- Speed is what we’re interested in, together with its frame of reference / context.
- Speed in this case can be measured in any unit x, e.g.:
  - milliseconds, hours, minutes, tweets, Pastebin posts, LinkedIn news articles, etc.
Definition: Breach
- The Verizon Data Breach Investigations Report 2016 defines a “Breach” as follows: “An incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorized party.”
- Within the context of this definition (which I will use synonymously with a cyber crisis) it’s probably prudent to think more in terms of social communication timescales than in traditional SI units.
- SI units don’t really affect you, as a business.
- Ponemon famously stated in its 2015 report that resolving an incident takes 46 days on average, whatever that really means, e.g.:
  - What does resolution actually mean?
  - Can all incidents be resolved?
  - Does this just mean the time until management is convinced a problem no longer exists?
  - The idea of plausible deniability has interesting repercussions in this context.
- Yet reports are full of these statistics about SI time units.
But SI units give us a warm fuzzy feeling inside
- We like to work with SI units because they are timeframes we’re familiar with, and they can be described quantitatively to everyone without recasting your definition.
- Looking at Verizon’s latest report, we see this everywhere.
SI units continued
Meaning?
- In the end, though, these figures mean nothing to you and the organisation you’re trying to defend.
  - It can be 3 months until you detect an infection
  - It can be 2 days to clean an infection
  - It can be 20 days for an investigation to take place
  - It can be 500 milliseconds for your SIEM to detect an emerging threat
- But it’s all smoke and mirrors. What actually matters are things like:
  - Time to extract data from your network
  - The speed of your own internal escalation processes
  - Understanding damage limitation at the speed of social networking
- A rather more prudent question to ask is: what is the velocity of your data?
Limited Focus
- Of course, not all threats want to publish information about your organisation. They may want to steal your IP, disrupt business activities (e.g. production flows/outages) etc., but for the sake of this deck I’m going to side-line these items (partially) into the bucket of industrial espionage and not address them explicitly.
- I know, I know, this limited focus doesn’t show the whole picture, but the topic of IT security and breach types in general is far too huge not to impose some limits.
Where are we then?
- So, with the definitions behind us,
  - having established that SI units for reaction velocity aren’t very meaningful,
  - understanding that a breach is synonymous with a cyber crisis occurring in your organisation,
  - and appreciating that we’re only addressing data leakage, corporate embarrassment, and reputational and trust damage at the heart of the crisis, where does this leave us?
- The answer:
  - Understand your social impact
  - Where you exist in the global ecosystem
  - And appreciate quantitatively what it will mean when the various types of information are published on social networks
Understand your social impact
- A simple question, but often not an easy one to answer
- Take for example the following companies
- Apple
  - A tech company that has little regard for customer concerns and focuses more on driving its agenda
  - Is purely tech driven
  - Has a massive cultural following (mostly in the western world)
  - Tries to define, for a generation, what it means to be cool
  - Languishes more in the luxury goods market than other tech competitors
  - Is secretive
- Palantir
  - Start-up venture having raised more than $2.5 billion in capital
  - Deals in data analysis
  - Stays out of the public eye
  - Is secretive
Understand your social impact
- Toyota
  - Largest automobile manufacturer in 2012
  - Develops advanced robotics
  - Global appeal
  - Deals in devices that can kill people
  - Employs approximately 350,00 people worldwide
- Pfizer
  - One of the largest pharmaceutical companies worldwide
  - Develops medicines and vaccines
  - Brand trust and testing are critical to the company’s success
  - Deals in a product that can kill people
  - Largely appeals to those people who need its product rather than outsiders
Understand your social impact
- When we review these 4 arbitrarily selected companies we need to understand their marketing strategy and their key revenue lines. It’s not about IT security; it’s about the social disruption.
- Target has POS devices compromised:
  - What damage did this really do?
  - 40 million customer accounts compromised
  - People still buy from Target; the company still exists and makes profits
- Sony is hacked multiple times:
  - So what?
  - People still log onto the Sony network, buy PlayStations etc.
- JP Morgan Chase data breach:
  - So what?
  - 2 people arrested, 83 million accounts compromised, share price continues to increase
Understand your social impact: Hacks worthwhile
- Revisiting our previous 4 candidates:
- Apple:
  - What happens when design ideas are leaked before product launch
  - Corporate strategy is undone
  - Hopefully nobody dies
- Palantir:
  - Data-analysis data is stolen, giving those with control of the data informational control
  - They market a technique, so unless the method, infrastructure and algorithms are removed the damage may be minimal
  - Rather destroy the data or tamper with its integrity
  - Real social impact = minimal
- Toyota:
  - Compromise remote control features and expose flaws
  - Resulting in accidents, a social backlash of customer confidence and significant damage to the company’s reputation
  - People can die
- Pfizer:
  - Compromise a chemical production facility and alter dosage quantities
  - Customers’ health is compromised, with significant casualty fall-out
Where you exist in the social ecosystem
- The previous examples are brief overviews and highly subjective deconstructions of industry leaders who have been trivially reduced. The point is to provide an appreciation of what a real cyber crisis means and to provide a framing context for reaction times.
- Each company has a social responsibility, and as with traditional emergency response plans, IT-based components should be elevated alongside other business-critical assets.
- Given the reaction times of the Internet and the exposure involved, these IT assets are actually often more likely to reach crisis point than natural disasters, plant destruction, machine malfunction etc. (at least in those countries with strong health and safety measures).
Moving forward
How to cope and move forward
OODA Loop IT
1. Understand your company’s speed
2. Get inside your adversary’s velocity
3. Lay traps
4. Remain agile and dynamic
- A recent quote from Andrzej Kawalec, HPE’s chief technology officer: “People need a robust security partner, or set of partners, who understand how to respond in real time”. (https://www.technologyreview.com/s/601004/once-more-unto-the-breach-what-it-takes-to-defeat-cyberattackers/)
- This is a nice wish and close to what needs to happen. But practically possible? = impossible (at the moment).
Current Defender’s model is broken-by-design
- By analogy with “Twitter-speed”: it’s fast, agile, lean and has sped up communication many times over.
- So much so that being kept up-to-date is no longer about reading papers and who you know. It’s about who you’re following and the trust relationship with these people.
- Current state and what IT security people are doing:
  - Install detection/prevention boxes
  - Percolation through an MSSP or the internal analyst teams takes time
    - Be it through the levels of analysts
    - Locating escalation points
    - Communicating back to the customer
    - Negotiating and understanding the risk profile
Current Defender’s model is broken-by-design: Simplified timeline
Incident occurs → Incident analysed by humans (slow) → Percolation through analyst layers → Incident response plans initiated → Communication escalation paths followed → Message(s) communicated
This entire timeline happens in SI time, e.g. seconds, minutes, hours
Attackers’ Timeline
- The attacker has three principal options (with a destructive end process always being an optional extra):
  - Intrusion → Data extraction → Leave → Destroy?
  - Intrusion → Data integrity compromise → Stay resident → Destroy?
  - Seek → Destroy
Attackers’ velocity
- With each scenario the attacker will adopt differing velocity mechanisms, for example:
- Option 1: Twitter
  - Destruction is the aim of the game, so hit them hard and quick, i.e. DDoS brought to bear on a weak infrastructural component, ransomware worm, backup virus etc. For most of these examples it’s advantageous to run the attacks at the same time in a quick hit.
- Option 2: Snail-mail
  - The objective here is to get the information: get in and get out. So the initial research and analysis phase will take more time. Access acquisition will be more targeted and data extraction will be ‘as fast as possible’.
- Option 3: Carrier Pigeon
  - We’re all in it for the long haul. The objective here will be not only to perform data extraction but also to ‘ride the whale’ and keep harvesting as much data as possible until noticed. This is particularly favoured when industrial espionage is the goal, i.e. product design acquisition, financial manipulation, general stealing of IP etc.
Defender vs. Attacker
- With this asymmetric velocity imbalance, the defender is always out-gunned
- Reactive defence tactics are relied upon
- IT security will never actually resolve the attacker-defender conundrum, no matter the number of shiny boxes, the financial investment etc.
The Answer: Automation, correlation, integration
- Businesses will have to accept that technology can be trusted to make decisions
  - Even if this has negative effects on business operation
- Automated incident management of systems has to be handed over to algorithms
- Virtualisation has to be leveraged to allow smooth automation of services
- The company’s relation to the world and the IT environment must be correctly understood from the risk/threat perspective
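To make the defender's "Simplified timeline", the attacker's "as fast as possible" data extraction and this slide's automation argument concrete, here is an added toy model. It is my own example, not material from the deck or its author: the defender pipeline reuses the stage names from the timeline slide but every latency is a constructed assumption, and the "velocity of your data" is modelled as dataset size divided by an assumed exfiltration rate. The model reports whether the defender's time-to-contain fits inside the attacker's time-to-extract and, if not, which human stages would have to be handed to algorithms first.

```python
"""Toy model: defender time-to-contain versus attacker time-to-extract.

Added example. Stage names follow the 'Simplified timeline' slide; all
durations, sizes and rates below are CONSTRUCTED assumptions, not data.
"""
from dataclasses import dataclass

MB = 10**6
GB = 10**9


@dataclass(frozen=True)
class Stage:
    name: str
    seconds: float   # latency of this step in SI time
    automated: bool  # True when no human is in the loop for this step


# Defender pipeline from the slide, bracketed by a fast SIEM detection
# (the "500 milliseconds" bullet) and an automated containment action.
# Latencies are assumed.
DEFENDER_PIPELINE = [
    Stage("SIEM detects emerging threat", 0.5, True),
    Stage("incident analysed by humans", 4 * 3600.0, False),
    Stage("percolation through analyst layers", 8 * 3600.0, False),
    Stage("incident response plan initiated", 2 * 3600.0, False),
    Stage("communication escalation paths followed", 6 * 3600.0, False),
    Stage("containment action executed", 600.0, True),
]


def time_to_contain(pipeline):
    """Seconds from first signal until containment, summed over all stages."""
    return sum(s.seconds for s in pipeline)


def time_to_extract(data_bytes, exfil_bytes_per_second):
    """'Velocity of your data': seconds the attacker needs to copy it out."""
    return data_bytes / exfil_bytes_per_second


def defender_inside_attacker_loop(pipeline, data_bytes, exfil_rate):
    """True when containment lands before the attacker finishes extraction."""
    return time_to_contain(pipeline) < time_to_extract(data_bytes, exfil_rate)


def dominant_human_stage(pipeline):
    """Name of the slowest stage that still has a human in the loop."""
    humans = [s for s in pipeline if not s.automated]
    return max(humans, key=lambda s: s.seconds).name if humans else None


def automate(pipeline, stage_name, automated_seconds):
    """Return a copy of the pipeline with one human stage made algorithmic."""
    return [Stage(s.name, automated_seconds, True) if s.name == stage_name else s
            for s in pipeline]


def stages_to_automate(pipeline, budget_seconds, automated_seconds=30.0):
    """Greedily automate the slowest human stages until time-to-contain fits
    inside the budget. Returns the stage names automated, in order."""
    current = list(pipeline)
    chosen = []
    while time_to_contain(current) > budget_seconds:
        stage = dominant_human_stage(current)
        if stage is None:
            break  # no human stage left; the budget cannot be met this way
        current = automate(current, stage, automated_seconds)
        chosen.append(stage)
    return chosen


if __name__ == "__main__":
    # Constructed scenarios: a 50 GB and a 500 GB data set, both leaving
    # the network at an assumed 10 MB/s.
    for size in (50 * GB, 500 * GB):
        budget = time_to_extract(size, 10 * MB)
        inside = defender_inside_attacker_loop(DEFENDER_PIPELINE, size, 10 * MB)
        print(f"{size // GB} GB: attacker needs {budget:.0f} s, "
              f"defender needs {time_to_contain(DEFENDER_PIPELINE):.0f} s, "
              f"inside attacker loop: {inside}")
        print("  stages to hand to algorithms:",
              stages_to_automate(DEFENDER_PIPELINE, budget))
```

The point the numbers make is the deck's: with the assumed latencies, the smaller data set is gone long before a human-driven pipeline reacts, and every human stage would have to be automated to get inside that loop, whereas for the larger data set automating the single slowest stage already suffices. Change the exfiltration rate and the picture shifts again, which is why "what is the velocity of your data?" is the question to answer first.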
End quotes
- Please take away the following:
- For the Defender:
  - Understand your enemy and recall:
  - Dave Eggers’ statement: “You shall know our velocity”, combined with
  - Matthew Devost: “For active defense operations to be effective, you will have to compress your OODA Loop down to Observe -> Act.”
  - Cumulatively declared as: “Don’t react too fast or too slow, otherwise you might undo the entire operation. Observe, react, predict. You shall know our velocity”
- For the Attacker:
  - They will operate based on the following principle:
  - Harry Hillaker: “The key is to obscure your intentions and make them unpredictable to your opponent while you simultaneously clarify his intentions. That is, operate at a faster tempo to generate rapidly changing conditions that inhibit your opponent from adapting or reacting to those changes and that suppress or destroy his awareness. Thus, a hodgepodge of confusion and disorder occur to cause him to over- or under-react to conditions or activities that appear to be uncertain, ambiguous, or incomprehensible.”
- Speed, and each side’s velocity, will determine the outcome of each engagement