Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/19/2019
02:30 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Making the Case for a Cybersecurity Moon Shot

There are severe and unsolved problems in our industry that justify a sustained effort and substantial investment. It's worth picking one.

There's been a lot of talk lately of a cybersecurity moon shot. Unfortunately, the model seems to be the war on cancer, not the Apollo program. Both are worthwhile, but they are meaningfully different.

Allow me to start with a line from a speech by President Kennedy on May 25, 1961. Odds are you've heard these words:

… This nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the Earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish.

That's what a moon shot is: a clear, measurable milestone with reasons for doing it and challenges to overcome. And so the image to recall is not the iconic first footstep, but this:

Apollo 11 splashdown. Courtesy NASA.
Apollo 11 splashdown. Courtesy NASA.

Unlike JFK's moonshot, explained Grant Schneider, federal CISO, at the recent 9th Annual Billington Cybersecurity Summit, "there isn’t going to be an instant where we say we've achieved success in cybersecurity. We're not blasting anyone into cyberspace." Instead, Jeannette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, put forth a different vision:

Within 10 years, I'd like to see a true fundamental shift in how the Internet is operated in. I'd like to be in a place where we have move passed the "whack-a-mole" approach to cybersecurity incidents.

This is not the way to put a woman on the moon and return her safely to earth. But getting away from whack-a-mole is certainly a worthwhile goal for cybersecurity.

Defining a Moon-Shot Goal for Cybersecurity
The Apollo missions did not do everything that space exploration enthusiasts wanted. We did not establish a permanent presence outside the atmosphere, even if you count the International Space Station. (It makes no claim to being self-sustaining.) It's been 46 years since a person went to the moon. No one has been to Mars. Of the many goals expressed by the engineers and visionaries, we executed on one. 

On the other hand, we can and should define moon-shot goals for cybersecurity. My goal is to define game-changers, with objectives that are imaginable and with the criteria:

  • No single project will be more impressive or impactful.
  • No single project will be more important for our long-term ability to operate a resilient cyberspace.
  • The result thus justifies the effort and expense.

Some possibilities:

  • Payloads attached to email will not result in an attacker's code running on a computer, or the compromise of credentials needed to log in to it. (That is, phishing, either with a URL, an executable attachment, or an exploit-bearing attachment, will fail. We have many of the parts, such as execution whitelists, anti-execution mitigations, password managers, and MFA, but we rarely deploy them all in an integrated, usable package.)
  • Red teams given execution access to a standard desktop cannot move laterally without setting off alarms that are not lost because the SOC is a sea of tranquility.
  • Investigators digging into a compromise six months after it's started can enumerate 90% of the actions taken by a red team.

These goals do not solve every problem in security any more than the moon shot solved every problem on earth, or even within the exploration of space.

My success criteria could be usefully refined, but such refinement distracts from the importance of setting and reaching for a moon-shot-style goal. The goal need not be that every computer has these properties, but it would be useful to achieve them with the most-deployed desktop configuration in the federal government. We need criteria about usability. We need to stop complaining about people, and give people technologies that allow them to safely do their jobs. We need to ensure that if a red team is part of the criteria, the goal is not made meaningless by rules placed on their work.

Focusing our attention on a moon shot can be a powerful technique. There are severe and unsolved problems in our field that may be solvable with the right attention. It is worth picking one.

What other goals are worthy of the name "moon shot"?  Share your thoughts in the comments.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/26/2019 | 7:36:41 PM
Re: A network that understands hardness
Sure - how about:

Abandon the "permitted by default" network model.  Endpoints must prove to networks that they are ready to be exposed to anything beyond their immediate neighborhood.  Moderate access requires only basic proof of hygeine, while a new Internet-facing web server (or container) must demonstrate being hardened and ready before the flood gates are opened.
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
2/26/2019 | 6:58:42 PM
Re: A network that understands hardness
I think I see where you're going -- can you rewrite it as a moonshot goal?
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/25/2019 | 8:43:26 PM
Re: A network that understands hardness
Right - there is a big distinction between general purpose endpoints and special purpose "things".  Laptops get patched regularly, and have decent internal firewalls.  That said, the market for network firewalls has not gone away - it's interesting to look at reasons why. 

Laptops are great and all, but they aren't where most of the value resides.  Data centers are fragile in one way - huge uptime pressure, and an unwillingness to patch.  IoT devices are fragile in a completely different way - they lack a decent patching infrastructure, and are generally designed to a pricepoint, not about flexible response to a changing security landscape.

My response to your moonshot question comes from a point of view that "between" still matters.  Security tech is either placed on endpoints, or between them.  The endpoint security products face challenges (too many agents, not to mention endpoints that aren't built to accomodate agents - does your fridge?).  That's why there is still a large challenge space around "between" controls.  It's the old debate - shiould the network just be dumb pipes, or should it provide intelligent services and controls?

I'm suggesting a moonshot for a network that can enforce intelligent controls *between* endpoints as the way forward.  This is a moonshot because today, endpoints do not have to play along, or follow any hygeine standards, or register what kind of object they are.  We've stacked up some ways to lock down laptops, and messed around with MDM, but what about all the things that are neither?
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
2/25/2019 | 6:09:50 PM
Re: A network that understands hardness
Hi thanks Mike!

 

Is this still a problem? I was under the impression that most mainstream systems were fairly firewalled these days, but perhaps I'm thinking more of desktops and less of IoT?

 

Adam
drmikelloyd
50%
50%
drmikelloyd,
User Rank: Author
2/20/2019 | 2:39:43 PM
A network that understands hardness
Nice question, Adam.  How about a project to ensure a machine directly exposed to the Internet does not immediately succumb to all the known "background radiation" out there? 

There are a range of possible implementations (proactive vs reactive hardening).  But similar to your goal of "email payloads should never be detonated", I'm thinking "maintain a living battery of tests that must pass as basic hygeine before a machine can be exposed widely".  It's not NAC - it's more like the inverse.  NAC says you can't even access a local network unless you're "clean" to a specified level.  This project flips that, to say the level of hardening required depends on breadth of exposure to others.

The moonshot aspect of this is to teach the network (where access policy is enforced) about the quality or hardness of each endpoint.  In an IoT future, this may be essential - consumer IoT is too weak to be treated like other endpoints.
schopj
50%
50%
schopj,
User Rank: Strategist
2/19/2019 | 4:31:31 PM
Moonshot
Getting Microsoft to log at least as much as Sysmon and to start better protecting those logs so they cant be easily deleted, or if they can, can also be easily recovered.  I shouldnt have to install a third party app, or any app, just to get detailed logs monitoring process hashes and who started what from what program, or any of the other things that advanced logging applications log.  It is an MS operating system and it should log everything that is done on it, period.  
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13961
PUBLISHED: 2019-07-18
A CSRF vulnerability was found in flatCore before 1.5, leading to the upload of arbitrary .php files via acp/core/files.upload-script.php.
CVE-2019-13962
PUBLISHED: 2019-07-18
lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VLC media player through 3.0.7 has a heap-based buffer over-read because it does not properly validate the width and height.
CVE-2019-10101
PUBLISHED: 2019-07-18
OECMS v4.3.R60321 and v4.3 later is affected by: Cross Site Request Forgery (CSRF). The impact is: The victim clicks on adding an administrator account. The component is: admincp.php. The attack vector is: network connectivity. The fixed version is: v4.3.
CVE-2019-10102
PUBLISHED: 2019-07-18
MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: The API call in the function allowAction() in NewslettersControlle...
CVE-2019-10102
PUBLISHED: 2019-07-18
Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suric...