Effective Response to Asymmetric Warfare
It has been given many names: soft war, non-linear war, unconventional hybrid warfare, cyber cold war, Cold War 2.0, and Code War. Regardless of the name, one thing is certain – the way in which the Internet is being used as a weapon is asymmetric, between Western democracies and revisionist powers. And the economic damage to the West can be measured in the loss of intellectual property, regulatory controlled data, and operational capacity.
I have earlier described in some detail the nature of the threat we’re under – see Asynchronous Warfare blog posts (part 1, part 2, and part 3). While I introduced effective solutions earlier, I would now like to elaborate and provide detailed recommendations for how to combat the persistent threat presented by asymmetric warfare.
The Concept of Asymmetry As a Strategy
How is the conflict asymmetric? Do the West and its resurgent adversaries have the same capabilities? Probably yes. Has the West actually used cyber weapons? Again, yes. In the form of Stuxnet, there is an element of symmetry in this regard.
However, fundamentally there is a philosophical asymmetry in the methodology of intelligence collection and use of cyberattacks. What we are really seeing in cyberspace is the application and evolution of a mosaic methodology approach to intelligence gathering. Thousands upon thousands of diverse attacks that all in some way have an impact as an economic weapon and are now damaging Western GDP to the tune of trillions of dollars lost per year.
A mosaic strategy of cyberattacks has several advantages over a high-value decisive cyberattack strategy. Individually each attack can appear insignificant and unrelated with un-attributable and confusing motivation. Because of the asymmetry in usage at a philosophical and strategic level, the West has not been very good at seeing the big picture impact from cyberattacks. The mosaic nature makes it virtually impossible to see patterns in a sea of disinformation when each attack and intrusion surfaces randomly like a fractured jigsaw piece from myriad threat actors.
Effective Response to Asymmetric Warfare
In order to achieve effective cyber resilience under an asymmetric warfare condition, we must do three things.
1) Wake up to the situation
It is necessary to accept the fact that the economy has become a de-facto combatant in the ongoing conflict, and the conflict is on a global cyberwarfare scale. Corporations are used as pawns in the game to damage the population’s trust in the ability of the government to uphold order and guarantee societal function. Recognize the true severity of the threat you’re under.
Finally, the giant Western democracies are beginning to stir. Executive order 13806 has pieced together and presented the predatory practices of foreign nation states, highlighting the long term negative impact on the defense industrial base and the competitive implications of that on the American military. Nearly 60,000 factories have closed and 17,000 US companies have ceased to be DoD prime contractors. Across the pond, Europe has released the Cyber Security Act as a direct response against the threat from foreign nations.
2) Raise the bar for best practices and regulation
IT security is costly, it is complicated, and it demands continuous action. It is therefore on us to demand systematic efforts to require the best possible information security practices and technology. And it is incumbent upon government and industry regulators to lead the way with higher standards, more demanding guidance that is required to elevate the capabilities of the industry. Organizations, left to their own devices, will, as a whole, do just enough to be compliant, which we know is not the same as being secure. A clear signal that we are indeed in a warfare situation will be an elevated level of security, not suggested, but required by appropriate oversight organizations.
Leading the way is the Aerospace Industrial Association with the National Aerospace Standard (NAS) 9933. We see NAS 9933 as representative of the higher level of guidance and security needed.
The AIA states:
“The industry shares concerns raised by senior DOD leaders about threats to the security of DOD and industry’s data and networks. With aggressive state and non-state cyber actors targeting the United States, it is essential that our industry work collectively to protect technology and information. To counter this dynamic cyber threat, dynamic, risk-based solutions are required rather than Static ‘checklist’ compliance requirements; 9933 provides industry with a baseline for true security and serves as a companion to DOD’s current minimum standards.”
NAS 9933 outlines a tiered approach to cyber defense ranging from Levels 1 through 5, with Level 3 representing what is required to achieve a minimum threshold of performance expectation in cyber resilience, and Level 5 being the most sophisticated response to a cyberattack. The standard is based on the CIS controls and contains 22 chapters of controls, each with their own set of requirements. Specifically addressing cyber defense are Chapter 5: Malware Defenses and Chapter 13: Boundary Defenses. Together we believe these two chapters specify the critical security controls for effective cyber defense.
3) Push For Ever More Sophisticated Defenses
The side capable of introducing more sophisticated technology at a quicker pace will eventually win this conflict. Therefore, improving the sophistication and capabilities of security systems is the best shot at getting ahead of, or at least keep up with, the cyberwarfare conflict.
Sophisticated defenses will eventually deny success to the rather large community of single hackers and non-state groups that have limited resources, which is a great deterrence. This, in addition, will reduce markedly the number of potential attackers and make attribution easier. Constantly raising the bar of security and IT sophistication eventually can drain the swamp.
Chapter 5: Malware Defenses
Level 3 – This indicates a solid performing cyber risk management program. Strong protections have been implemented, and the required steps have been taken to implement specific controls. Level 3 within Malware Defenses, calls for:
- A “Next-Gen” endpoint solution
- Host-based IDS
- Port control
- Anti-exploit functions
Level 4 – Achieving Level 4 indicates a Cyber risk management program that can detect, protect against, and respond to advanced attacks, including the implementation of specific tools. It requires a level of sophistication that requires the organization to:
- Ensure that automated monitoring tools use behavior-based anomaly detection to complement traditional signature-based detection
- Enable a DNS query logging system to look for malicious command and control traffic
- Limit the use of external devices to those that have a business need and monitor for use and attempted use of external devices
Level 5 – Achieving this ultimate level of security for Chapter 5: Malware Defenses, requires that systems and capabilities be optimized on an ongoing basis. It requires sophisticated operations that:
- Use network-based anti-malware tools to identify executables in all network traffic and use techniques other than signature-based detection to identify and filter out malicious content before it arrives at the endpoint.
- Implement an incident response process that allows the IT support organization to supply the security team with samples of malware running on corporate systems that do not appear to be recognized by the enterprises anti-malware software.
Chapter 13: Boundary Defense
We can shorten the stated requirements to attain Level 3 for Boundary Defense as articulated in Chapter 13 by simply saying, use an application-aware firewall.
To achieve the next level of protection, Level 4, an organization must:
- Periodically scan for back-channel connections to the Internet that bypass the DMZ.
- Deploy network-based IDS sensors on the Internet and extranet DMZ systems and networks that look for unusual attack mechanisms and detect any compromise of the systems.
- On DMZ networks, configure monitoring systems to record preferably full packet header and payloads of the traffic destined for or passing through the network border.
The final technology implementations to achieve Level 5 are:
- Deploy IPS devices to detect unusual network activity and block known bad signatures or attack behaviors to complement passive IDS monitoring.
- Devise internal network segmentation schemes to limit traffic to only those services needed for business use.
- To identify covert channels exfiltrating data through a firewall.
- Deploy NetFlow collection and analysis to the DMZ network flows to detect anomalous activity.
What consistently surfaces in AIA’s guidance around effective defense to achieve Level 4 and Level 5 maturity is the use of automatic tools that augment signature-based detection methodologies with behavioral and anomaly detection techniques essential to discovering sophisticated actors.
We think AIA has it right, and encourage regulatory organizations to follow their lead. It all comes back to our first recommendation: Wake Up! The data, personal information, IP, credentials, and more will be secure only when the cybersecurity industry recognizes that we’re in a warfare state, that attackers are actively engaged in a sustained effort to weaken the West, and that current, tick box static security strategies will be ineffective in an asymmetric cyberwar.
I invite you to download the complete report, which includes additional background information and more detail about the NAS 9933 regulations.