Cyber Portents and Precursors

  1. Cyber Portents & Precursors. Shireen Walton, Peter Cochrane OBE, DSc
  2. CYBER CRIME: Cost to Global Business (chart). Source: We Are Losing THE CYBER WAR
  3. CYBER ATTACKS: all originate from human action. Chart labels: Outsiders; Outsiders + Insiders; Criminal Groups; Cyber Security Industry Focus; Biggest Threat? Largely Invisible. What about the diverse IoT elements? 45% wide open and unprotected, an exponentially growing risk. Source: “The Threat Landscape gets bigger and more complex year-on-year with reactive defenders always behind the wave”
  4. THERMODYNAMICS. “All things in the natural & unnatural worlds experience failures and death.” “Acts of war, terrorism, and criminality wear a cloak of causality that renders them recognisable as unnatural in the schema of failures.” “In general, these exhibit random distributions at scale.” “Patterns are thus key in characterising and identifying failure types and likely cause.” “The Celestial Ratchet that governs everything in the universe.”
  5. HYPOTHESIS 1: “Everything in the natural world, be it biological, geological, climatic, astronomical, et al., exhibits precursor indicators to major events.” E.g. hormonal and chemical changes, tremors, pressure, humidity, temperature, trajectory deviations, etc.
  6. HYPOTHESIS 2: “Everything in the unnatural world, be it electrical, mechanical, electronic, photonic, mechatronic, robotic, AI, et al., exhibits precursor indicators to major failures and events.” E.g. excessive heat, vibration, packet loss, data storage, processing and decision failures.
  7. ELECTRO-MECHANICAL EXAMPLE: unwanted resonances as failure precursors. A specific element in its wear-out phase: the vibration spectrum identifies reducing machine performance pending total failure.
  8. ELECTRO-MECHANICAL SYSTEMS (chart: Machine Condition/Function against Time). Multi-spectrum monitoring quickly identifies reducing machine performance pending total failure / a need for preventative maintenance.
  9. ELECTRONIC / FIBRE OPTIC EXAMPLE: Bit, Byte, Block, Frame, Addressing, Routing, Decision Errors+++
  10. CONVENTIONAL FAILURE TIMING (chart, timeline not to scale). Stages: Production & Install, Commissioning, In Service, Change Out. Overall failure rate: low-level quasi-constant, then accelerating. Failure types: infant mortality, random, end-of-life failures. Causes: inherent, natural, ageing. “System fails are generally clustered at the start and end of a system's life, but Cyber Attacks tend to be more evenly spread”
  11. HYPOTHESIS 3: “Cyber Attacks span the natural and unnatural worlds with people and technology in concert, and precursors are therefore highly likely” “Malware, Spam, Insider/Outsider Activity will exhibit unusual patterns of Physical/MetaPhysical behaviour across all Networks and Devices”
  12. Key Question 1: “Can we detect deviations from the behavioural norm of Networks, Hubs, Servers, Terminals, Devices (“and people”) with sufficient fidelity to identify a pending or ‘in progress’ Cyber Attack?” “There is only one course of action open to us - take a look-see”
  13. Components: people, PC, device, router, switch, hub, firewall, network, server, cloud, traffic and data activity. Cyber Attack: Pre-Emptive Probe + HIT, precursor to full-on attack. Initial investigation in Vienna of available Interpol data @ SAIL Labs.
  14–18. (same slide repeated) Fourier? ANALYTICS: Looking for needles in haystacks - or will it all be blindingly obvious - what/where are the flags?
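The question on this slide is the one the added example below makes concrete. It is not code from the deck or from its authors; it assumes a constructed traffic series (connection counts per sample, with a slow drift and deterministic noise), a window length of 32 samples, a plain DFT, and an alarm threshold of 4.5 standard deviations, all chosen here for illustration. It learns the normal magnitude spectrum over known-good windows, then scores a new window by how far each spectral bin departs from that norm, alongside a volume-only comparison on the same window. The constructed anomaly is a burst every fourth sample: a regular cadence that stands out in the spectrum while the change in total volume stays inside the normal drift.

```python
"""Spectral-baseline detector for periodic traffic precursors (added example, not the deck's code)."""
import cmath
import math

WINDOW = 32      # samples (e.g. per-minute connection counts) per analysis window
ALARM_Z = 4.5    # z-score at which a spectral bin is treated as a precursor flag (assumed)


def lcg_noise(seed, count, spread=5):
    """Deterministic pseudo-random integers in [-spread, spread] (constructed noise)."""
    state, out = seed, []
    for _ in range(count):
        state = (1103515245 * state + 12345) % 2**31
        out.append((state >> 16) % (2 * spread + 1) - spread)
    return out


def traffic_window(index, beacon_amp=0, beacon_period=4):
    """Constructed series: base rate 50, a slow drift (period 256 samples), noise,
    and optionally a burst of `beacon_amp` every `beacon_period` samples."""
    noise = lcg_noise(1000 + 7919 * index, WINDOW)
    series = []
    for t in range(WINDOW):
        s = index * WINDOW + t
        rate = 50 + 10 * math.sin(2 * math.pi * s / 256) + noise[t]
        if beacon_amp and t % beacon_period == 0:
            rate += beacon_amp
        series.append(rate)
    return series


def dft_magnitudes(window):
    """Normalised magnitude spectrum for bins 1..N/2. The DC bin is dropped so the
    detector keys on rhythm, not on total volume."""
    n = len(window)
    mean = sum(window) / n
    centred = [x - mean for x in window]
    mags = []
    for k in range(1, n // 2 + 1):
        acc = sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        mags.append(abs(acc) / n)
    return mags


class SpectralBaseline:
    """Per-bin mean/std of the magnitude spectrum over known-good windows, plus a
    window-mean (volume) baseline for comparison."""

    def __init__(self):
        self.spectra = []
        self.means = []

    def learn(self, window):
        self.spectra.append(dft_magnitudes(window))
        self.means.append(sum(window) / len(window))

    @staticmethod
    def _stats(values, floor):
        mu = sum(values) / len(values)
        var = sum((v - mu) ** 2 for v in values) / (len(values) - 1)
        return mu, max(math.sqrt(var), floor)   # floor guards against a near-zero std

    def spectral_z(self, window):
        """Largest per-bin z-score and the offending bin (its period is WINDOW / bin)."""
        mags = dft_magnitudes(window)
        best = (0.0, 0)
        for k, m in enumerate(mags, start=1):
            mu, sd = self._stats([s[k - 1] for s in self.spectra], floor=0.05)
            z = (m - mu) / sd
            if z > best[0]:
                best = (z, k)
        return best

    def volume_z(self, window):
        mu, sd = self._stats(self.means, floor=0.5)
        return (sum(window) / len(window) - mu) / sd


def build_detector(training_windows=24):
    """Learn the norm from 24 consecutive quiet windows (three full drift cycles)."""
    det = SpectralBaseline()
    for i in range(training_windows):
        det.learn(traffic_window(i))
    return det


def assess(det, window):
    """Return (alarm, spectral_z, bin, volume_z) for one new window."""
    z, k = det.spectral_z(window)
    return z >= ALARM_Z, z, k, det.volume_z(window)


if __name__ == "__main__":
    det = build_detector()
    for label, w in (("quiet", traffic_window(24)),
                     ("beacon", traffic_window(24, beacon_amp=16))):
        alarm, z, k, vz = assess(det, w)
        period = WINDOW // k if k else 0
        print(f"{label:6s} alarm={alarm} spectral_z={z:.1f} bin={k} "
              f"(period {period} samples) volume_z={vz:.1f}")
```

The quiet window (index 24, same drift phase as the first training window but fresh noise) should score low on both measures; the window with the every-fourth-sample burst lights up bin 8 or its harmonic at bin 16 (both correspond to a period of 4 samples) while its volume z-score stays well under the alarm line, because the extra traffic is smaller than the normal drift between windows. In practice the same structure applies to any per-host or per-link counter series: learn the spectrum over a known-good period, score per bin, and report the period of the offending bin so an analyst can look for what repeats at that cadence.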
  19. (chart: IT Systems Condition/Function against Time; Monitoring across People, Systems, Networks) Labels: All Operations Disabled; All Systems Failing; Visible Operational Noise; Sporadic Outages; Multi-System Critical Fails / Unpredictable Up Times; Inexplicable Productivity Reductions; CYBER ATTACK; Undetected Attack Build-Up + Hidden Precursors. “The attacks to really worry about are the ones you never detected and know nothing about”
  20. Key Question 2: “Can we establish the behavioural characteristics of individual hackers/hacks with sufficient fidelity to initiate Pre-Emptive action and ward off pending Cyber Attacks?” “This demands the behavioural analysis/characterisation of known systems, equipment and individuals across a sufficiently large sample!”
  21. NSA EXEMPLAR: a dramatisation of actuality! Edward Snowden - disillusioned & sure he is right, based on a limited perspective of operations.
  22. INSIDER THREAT. What has become very evident… They are often: trusted employees; tend to be lone wolves; have a sense of justice; abuse access privileges; commit acts of treachery; have an incomplete picture; convinced they are in the right; may have external actor relationships.
  23. INSIDER THREAT OPPORTUNITIES: disregarded security policies; social engineering by insiders or outsiders; disgruntled employee sabotage; financial gain; compliance/policies insufficient or ignored; accidents and errors?; lack of cyber security awareness; ignorance/unawareness, cavalier attitudes; blasé/ignorant board and/or management.
  24. Yang et al. (2018) identified the traits of Edward Snowden, dismissed his claimed motivation of justice, and presented his underlying pathology as narcissistic. Over-Simplified Analysis?
  25. OBSERVATIONS: WHISTLEBLOWERS are often motivated by: hubris; naive beliefs; misguided purpose; distorted perceptions; incomplete/distorted view of operations. AND guilty of: laxity when engaging with external threat actors; positive emotions ‘of above’ amplified post breach.
  26. Vulnerable HABITUALITY: “Imitating & emulating others can be a powerful attack tool/strategy” “It might even be the highest risk and opportunity space!” “Attackers/Defenders - near impossible to change their operating modes”
  27. Initial review of secondary data. Insider positive emotions, columns: Positive Emotions; Engagement (used own strengths); Positive Relationship (team worker); Meaning and Purpose; Accomplishment (had a goal).
       Edward Snowden:   √ √ √ √ √
       Katharine Gun:    ? ? ? √ ?
       Chelsea Manning:  √ √ √ √ √
       Julian Assange:   √ √ √ √ √
  28. HACKER SURVEY: preliminary results from interviews… (bar chart, % scores 0–100) Categories: Motivation: Curiosity, Cause, $$$; Computing: Self Educated; Loner; Refuge; Pitiless; Remorseless; Odd Socially.
  29. CHALLENGES
      • Secondary data is extremely limited
      • Organisational integrity, reputation, potential damage
      • Reluctance to reveal attacks & share insider threat data
      • Widespread corporate bias and truth distortion in reporting
      • Insider Threat Management responsibility: CISO? CEO? CFO?
      • Corporate ignorance, inaction, underfunding, fatalistic attitudes
      • Cognitive bias in reporting and research
      • Inconsistency across research bodies
  30. SOLUTION SPACE?
      • Create a balanced behavioural and motivational assessment for individuals
      • Provide intervention strategies for those who have access to data
      • Provide behavioural guidelines for those operating in a digital space
      • Establish the motivations/targets of organised crime and state actors
      • Create automated early attack warning and defence protocols
      “Educate people in ‘effective self regulation’ behaviours/actions - this is a team game”
  31. BEHAVIOURS: WHAT NEXT?
      • Identify hidden themes embedded in much larger secondary data samples
      • Confirm the statistical significance of key behavioural characteristics
      • Correlate with published threat surveys – hackers, state actors, et al.
      • Identify primary weaknesses in currently used defence solutions
      • Evaluate current organisational defence/resilience strategies
      • Identify key weaknesses and propose new solutions
      • Estimate the potential cost of ineffective defences
  32. ATTACK PREDICTION: WHAT NEXT (WISH LIST)?
      • Recruit a PhD student with good hardware/software/maths ability
      • Confirm the significance of ‘observed’ network attack precursors
      • Configure ‘honeypot’ machine(s) to attract real device attacks
      • Identify primary waveform characteristics v attack type
      • Create an ‘attack alarm’ monitoring strategy
      • Construct a demonstration prototype
  33. Thank You