The cyber threat landscape has always been in flux and will continue to evolve. Yet the pace of change seems to have increased significantly in the past few years alone. The volume, vectors and variety of attacks are worse than ever, and the cavalry is not coming. Many of us are left wondering how, if we can't stop simple SQL injections, we can ever hope to stop 190 Gbps DDoS attacks. Why things are as bad as they are is open to debate: HD Moore's law, the nationalization of computer warfare, the socialization of the underweb, or the industrialization of attacker tools. Fundamentally, each of these factors likely plays a role.
Because the history of traditional warfare offers some instructive parallels, looking back may help us look forward. The weapons of war have evolved since well before the first attacks on Troy and will surely continue to evolve long after some “Star Wars” vision is realized, but a few distinct points in human history represent fundamental shifts in the threat landscape. One such shift undoubtedly took place during World War II.
A conflict that reached Europe, Russia, Africa, Asia and the United States, World War II was truly the first global war. The battle fronts, shaped by the German practice of Blitzkrieg and the ambition of the Japanese Navy and Air Force, shifted faster than ever before. Far-flung soldiers and sailors relied on wireless communications to receive orders from central command. Yet intercepting wireless communications was (and still is) easy, so the Germans relied on encryption, chiefly the Enigma machine, to keep their plans secret. The Allies realized that if they were to stand any chance of winning, they would have to figure out how to crack the German code. What followed was a massive effort, championed by Churchill, that eventually helped the Allies win the war. What Churchill and the Allies did offers important lessons for those of us trying to fight the new threat landscape in computer security today.
To stand a chance, the Allies needed to decode these messages quickly enough to stay ahead of their opponents. Churchill didn't know how to decrypt messages, but in order to stack the odds in his favor, he threw his weight behind two things:
- A secret codebreaking centre at Bletchley Park, where a large, cross-disciplinary team was brought together to live, work and collaborate. The team included mathematicians, linguists, engineers and chess champions, built on the Enigma work that Polish cryptanalysts had shared with Britain in 1939, and was later joined by American cryptanalysts. Let's call this the “socialization” of the Allied effort.
- A nearly unlimited budget for the team at Bletchley Park, or at least one measured on a macroeconomic scale, to work with.
The result of the team's efforts was a device that could recover the daily Enigma settings quickly enough for intercepted German messages to be read while they still mattered. The device was nicknamed the Bombe. It was electromechanical; the later Colossus, also built at Bletchley Park, is widely considered the first programmable electronic computer. Intelligence derived from these decrypts revealed the locations of 58 German divisions and was instrumental in devising the D-Day plans and, eventually, in the defeat of the Axis powers.
Ironically, in 2013 it is the attacker community that seems to have best embraced the lessons of Bletchley Park. Consider:
- Nationalization – In recent years we've heard this term associated with alleged government support for hacking efforts coming from China and other nations.
- Industrialization – Today we see evidence of industrialization in the rise of Metasploit and the availability of downloadable attack tools such as Dirt Jumper, Havij, LOIC and HOIC.
- Socialization – We see evidence all the time of hacker socialization via underground forums used to recruit participants, develop new tools and discuss campaigns and targets.
Cyber crime has been evolving for 50 years, but in 2013 these three factors came together, forming a perfect storm of destruction and a sea change for the internet threat landscape. Of course, we know that the landscape is always evolving, but truly revolutionary change, like the change the Germans introduced with the concept of Blitzkrieg, only emerges once in a great while. By the same token, building shelter from the perfect storm for ourselves, our families, our companies and our nations will require more than an evolution in our security posture; it will require a fundamental shift in the way that we approach cyber defense.
For those of us in the security industry, the question is always, “what more do we need to do?” or “what more can we do?” We could argue we have the socialization part down pat. After all, we socialize at ShmooCon, Black Hat and RSA Conference. We dutifully read periodicals like SC Magazine and blogs like “Krebs on Security”. But are we cooperating on the same level that the team at Bletchley Park cooperated?
We could argue that we have the industrialization part down pat. After all, isn't there a thriving security market and ecosystem? Don't companies cooperate, share feeds, partner and help each other defend their customers? But are our tools as advanced as those used by the attackers? Do we operate with the same zeal and passion for discovery with which they operate for discovery and mayhem?
And some could argue that the forces of nationalization are finally working in our favor. After all, didn't the governments of Britain and Vietnam work together to bring down the Vietnamese carder ring? But to that end, are we using the funds from governments with the same clarity of purpose that the teams at Bletchley Park used their resources?
No answers here, just questions. We've come a long way, but by looking back to the example set at Bletchley Park I believe we can move forward, faster.