A Complex Approach Is Needed to Win Cyber Wars
The United States requires a cybersecurity overview and systematic defenses.
The massive cyber attack on the United States via information technology vendor SolarWinds continues to send shockwaves through the departments of Defense, State and Homeland Security as well as other agencies. Damage assessments are ongoing. If the U.S. government in general and Defense Department in particular are to successfully defend against attacks by well-funded, patient and highly motivated enemies, they will need to change their approach to defending their networks and systems.
First detected in December 2020, the Sunburst attack was quiet and insidious. Hackers injected malicious code into SolarWinds’ information technology management suite, Orion, providing a toehold into 18,000 of their customers for nine months before it was discovered. By late January 2021, investigators began to think the hackers also had exploited weaknesses in additional supply chain vendors, including Microsoft’s Office 365 and VMware. U.S. intelligence agencies believe SVR, Russia’s intelligence agency, directed the hackers, who are variously called Dark Halo or Cozy Bear.
Much is still unknown, but it is no coincidence that the recent attacks targeted cybersecurity companies that often have valuable tools and remote access to customers’ networks. Attackers know that if they compromise these firms’ security infrastructure or applications, which is embedded deeply in the heart of multiple clients’ systems and running with the highest level of permissions, they effectively have the keys to the kingdom.
If, as seems to be the case, the very companies the U.S. uses to defend its systems are being penetrated and used against it like some tech version of an autoimmune disease, then America faces an enormous problem. It is not a question of money. The Defense Department already spends billions of dollars on cyber defense. What the country needs is a comprehensive overview of its cybersecurity posture across all domains and a systematic approach to deploying cyber defenses as well as regular and methodical testing to ensure its defenses are constantly updated.
Despite prominent wake-up calls such as the Office of Personnel Management data breach, when the personnel records of 22 million people were stolen by an attack originating in China, the U.S. government still has not sufficiently advanced its defensive capabilities. In fact, the opposite has happened. In her recent book This Is How They Tell Me the World Ends, Nicole Perlroth argues that the staggering early successes the United States had with offensive cyber operations, including derailing Iranian nuclear enrichment activities through the Stuxnet worm, not only fueled American hubris but also sparked a dangerous cyber arms race, the effects of which the United States has been feeling ever since.
The country has left itself enormously vulnerable to the increasingly sophisticated cyber attacks of Russia and China. Compared to the focus the United States has placed on defensive cyber capabilities, the scale and growth of Russian and Chinese offensive cyber operations is alarming.
Since its modest yet successful forays into this space in Estonia, Georgia and Ukraine in the early 2000s, Russia has significantly bolstered its offensive capabilities, increasing its personnel and capabilities with cyber operations being conducted by several agencies across the Russian defense and intelligence community.
Similarly, China has focused on offensive cyber operations. Cyber warfare and cybersecurity today are more broadly embedded into Chinese military doctrine and strategy with its Strategic Support Force pursuing superiority in cyberspace, space and the electromagnetic domain.
During his confirmation hearings, Secretary of Defense Lloyd Austin recently called out China and Russia for their “persistent malicious cyber campaigns to erode U.S. military advantages,” which he said required the United States to “elevate cybersecurity as an imperative across the government.”
It will not be easy. The asymmetry of cyber conflict would seem to give all benefits to the attacker. However, the one advantage defenders have is they are fighting on their own turf: attackers always must invade the defender’s territory.
The key is preparing the field to give defenders the upper hand. The United States should take three successive steps to keep its cyber attackers at bay: layer defenses; enhance breach detection capabilities; and continually test defenses using the tactics of adversaries.
To layer defenses, the nation must take a page from the military’s defense in depth strategy and apply a layered defense that slows the momentum of an attack, delays the enemy’s advance, negates the element of surprise and buys time for defenders, allowing them to organize and employ their defenses. Within a cyber defense context, layered defense means not only relying on perimeter defenses such as firewalls but also focusing on combining multiple security controls ranging from intrusion detection to antivirus and anti-malware solutions, behavioral analysis and anomaly detection.
Defenders should assume their networks will be breached. The key is to limit the benefits afforded an attacker should they breach the perimeter. Well-patched systems provide fewer landing spots for attackers to traverse. Zero trust architectures, where networked devices are not trusted by default even if they are inside the network perimeter, restrict what compromised accounts can access and actions they can carry out. Layers of defense help ensure that when the perimeter is breached, defenders won’t be overrun.
The second step to maintain the upper hand is to better detect when the perimeter has been breached. The SolarWinds hack was notable because it was not detected by the government but by private security firm FireEye, and even then, only months after the breach.
Cyber attacks can be sudden and brazen or insidious and creeping, for example, innocuous-looking emails, code worming deeper into networks or information stealthily extracted drip by drip. If even the best defenses cannot prevent each and every attack, then the focus must turn to knowing when such attacks are occurring.
The U.S. government’s current signature digital detection system, known as Einstein and forecast to cost $5.7 billion, clearly failed to prevent or detect the SolarWinds hack. However, Einstein was not built to catch the new or unique but rather focuses on detecting known threats only. Using digital signatures and established patterns of malicious activity, Einstein was built to tell when an attack might be occurring.
However, the key is that signatures must be known to detect them. Just like a fingerprint left at a crime scene may not immediately break a case unless it exists in the automated fingerprint identification system, the fingerprints of a digital attack are not usable if they’ve never been seen or cataloged before.
Evidently, the SolarWinds exploit was sufficiently unique that it did not trip Einstein’s alarms. Furthermore, it was particularly insidious because the attackers were able to compromise the supply chain. By modifying SolarWinds Orion’s code itself, it effectively weaponized a legitimate information technology management tool with a Trojan horse, undetectable by Einstein and overlooked by network defenses.
Solutions are urgently needed to solve this problem. The ability to detect new and unique attacks and to shine a light on anomalies that might be early warnings of attack is critical. The fields of artificial intelligence and machine learning are ripe for innovation in this area. Commercial cybersecurity vendors are already exploring solutions that would allow the detection of anomalous and potentially malicious behavior based on deviations from machine-determined patterns of life.
The third step to keep attackers at bay is to prepare defenders to better protect their terrain by giving them the tools necessary to safeguard their territory. They range from tools that guard endpoints against viruses and malware to those intended to scan networks and applications for known vulnerabilities. The tools also include those intended to collect and aggregate sensor data that provides telemetry for the current state of applications and network infrastructure.
However, having the right tools is not enough. The Defense Department already has access to every conceivable product in the crowded cybersecurity marketplace, yet these capabilities didn’t keep the SolarWinds hackers out. A formidable arsenal will mean little if defenders are not trained to use their weapons effectively nor given ways to test their defenses against realistic attacks.
Disparate tools’ rollouts far outpace the ability to integrate them into a coherent whole or to train defenders on their most effective use. As the number of tools increases, so too does the cacophony of alerts and warnings, threatening to drown out the signals that really matter. It is all too common to see warnings go ignored if for no other reason than defenders have become desensitized by their prevalence.
Additionally, even with all the tools the Defense Department currently deploys, it still lacks an accurate picture of network test coverage. Knowing what has been tested and when, what a network’s security posture looks like and how weaknesses relate to specific mission outcomes is still beyond the reach of commanders.
Because tools themselves cannot solve the problem, defenders need training on how to effectively use the capabilities at their disposal. In his remarks to the Senate Armed Services Committee, Secretary of Defense Austin stressed the importance of training the cyber workforce “more effectively to better defend our networks.”
Cyber warfighters need better intelligence on how their adversaries, particularly in Russia and China, operate, and they need training to defend against specific tactics, techniques and procedures. Field commanders are most effective when they understand an adversary’s likely strategies and can choose the most appropriate response from available options.
Offensive security testing methods, such as penetration testing and red team exercises, are some of the best proactive tests. However, these activities in the Defense Department aren’t being conducted at scale and tend to be too infrequent and constrained by limited financial and personnel resources.
For three consecutive years, the office of the director, Operational Test and Evaluation (DOT&E), who advises the secretary of defense on testing of all Pentagon acquisitions, has noted that increased demand for red team operations outstrips the availability of teams to support them. It also notes that the “capacity of available cyber teams to meet the rising demand becomes ever more limited.”
Given the shortage of qualified cybersecurity personnel, particularly with red team or penetration testing skills, solutions must be fielded that can automate portions of the offensive testing process. This would not be done to replace the skill, cunning and creativity of human operators but to augment and scale their operations.
Defenders need to be able to emulate the behavior of their adversaries, running campaigns that mimic the types of attacks they can expect “in the wild.” Similar to live-fire exercises the Army uses, this as-close-to-real-as-possible experience would prepare defenders for the stresses and conditions of a real attack.
Tools and technology also can help address U.S. defensive weakness by ensuring that the data derived from these tools helps tell a story rooted in mission relevance. Without knowing the impact of vulnerabilities on mission outcomes, it is impossible for commanders to prioritize scarce resources to remediate issues. In a world where vulnerabilities outnumber repairs, finding those that pose the biggest risk to mission success is critical. Few current tools speak the language of mission impact, and a good solution doesn’t exist to synthesize data from disparate sources to tell a story that helps inform a measured and meaningful response to risk.
The department will need to enhance its ability to detect when its defenses have been breached, even in cases where the intrusion is stealthy and intended to evade detection. It also will need to better prepare its defenders to defend. Like the training afforded to other troops, cyber warriors need the opportunity to constantly hone their skills, practicing against the actual and continually evolving tactics of their adversary. Only with improvement in all three of these areas can the Defense Department expect to avoid the next SolarWinds attack.
Kevin Tonkin is the product manager at Rebellion Defense.