Monday, January 31, 2022

Cost of Attack

For about a year now I have been arguing that we need to raise the cost of attack against our systems.  This is best justified by observing the rate of successful extortion attacks against our systems.  Few seem to be adequately resistant to such attacks.   

However, I am also mindful of the admonition of William Thomson, the First Baron Kelvin, who told us that if one cannot measure it, one cannot recognize its presence or its absence. So, if one is to advocate for increasing it, one should be able to talk about how to measure it. I use the mnemonic W.A.I.S.T. The letters stand for work, access, indifference to detection, special knowledge, and time to detection and mitigation.


The first letter stands for WORK. The cost of attack will almost always include some effort on the part of the attacker, though, of course, some of this may be automated. Take, for example, a brute-force attack against a password or a cryptographic key. The cost is that of a trial multiplied by the number of necessary trials. The number of trials required is a function of the number of bits, digits, or characters in the password or key. One can increase the cost to the attacker by increasing the number of bits in the password. (One can also reduce the value of success by changing the password or key after one use.)

For example, the cost of attack against the Data Encryption Standard was defined as the cost of an exhaustive attack against the key. While prohibitively high at the time of the publication of the standard, it was falling in proportion to Moore's Law, as was the cost of encryption. Thus, the DES implementers proposed Triple DES, which raised the cost of attack by 2^56, is standardized for use until 2030, and will still be useful for some applications far beyond that.
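The WORK measure can be turned into a sizing rule: pick the shortest secret whose exhaustive-search cost exceeds what the attacker can expect to gain. The sketch below is an added example, not from the original post; the trial price (`TRIALS_PER_DOLLAR`) and the value of success are constructed figures, and the function names are hypothetical.

```python
import math
from fractions import Fraction

# Constructed assumption: guesses the attacker gets per unit of money spent.
TRIALS_PER_DOLLAR = 10**6

def keyspace_bits(alphabet_size, length):
    """Work factor in bits for a secret of `length` symbols."""
    return length * math.log2(alphabet_size)

def exhaustive_cost(alphabet_size, length, trials_per_dollar=TRIALS_PER_DOLLAR):
    """Cost of a trial multiplied by the number of trials (whole key space).

    Fraction keeps the arithmetic exact for very large key spaces.
    """
    return Fraction(alphabet_size ** length, trials_per_dollar)

def min_length_to_deter(alphabet_size, value_of_success,
                        trials_per_dollar=TRIALS_PER_DOLLAR):
    """Shortest length at which exhaustive search costs more than success pays."""
    length = 1
    while exhaustive_cost(alphabet_size, length, trials_per_dollar) <= value_of_success:
        length += 1
    return length

def cost_multiplier(extra_bits):
    """Factor by which the attacker's work grows when key bits are added."""
    return exhaustive_cost(2, 56 + extra_bits) / exhaustive_cost(2, 56)

if __name__ == "__main__":
    value = 1000  # constructed value of success, same unit as the trial price
    for name, size in (("digits", 10), ("alphanumeric", 62), ("printable", 95)):
        n = min_length_to_deter(size, value)
        print(f"{name:12s} min length {n:2d}  ({keyspace_bits(size, n):.1f} bits)")
    # 56 more key bits: the factor the post cites for Triple DES over DES.
    print("56 extra bits multiply the work by 2^56:", cost_multiplier(56) == 2**56)
```

Each added symbol multiplies the attacker's cost by the alphabet size, while the defender's cost grows only by one more symbol to store and type.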

Note that the work of one person may be encapsulated in tools and procedures.  The cost of attack has decreased, been made more efficient, by attacker specialization and commerce.  One rogue may specialize in capturing credit card numbers while another may buy the numbers to monetize them in fraud. 

ACCESS is the second element of cost.  The attacker must have some kind of access to the target system.  Today that may be a network connection but in the early days, it meant physical access.  At a minimum an attacker must at least be able to send a message to the target system and observe its effect.  One can raise his cost by the use of physical isolation, "air gaps," gateways, firewalls, strong authentication, or encryption.  Note that strong authentication greatly increases the cost to the attacker while the ubiquitous mobile has been reducing its cost to the defender.  

INDIFFERENCE to detection is a little more subtle, but so-called "ransomware" illustrates it well. Today's attacker believes that there is a low probability that he will be reported, investigated, identified, or punished for his attack. We can increase his cost by increased monitoring, surveillance, and law enforcement.

SPECIAL KNOWLEDGE is often key. It includes things such as user credentials, how applications work, skills such as programming, knowledge of the victim's network architecture, and others. Interestingly enough, while it is often the most important thing that the perpetrator brings to the attack, it may be the one she herself least appreciates. One will often hear hackers talk about the low cost of an attack, completely discounting the special knowledge and skill, often acquired over years, that they bring. The attack looks cheap to them but would require much more of the other elements in the hands of another.

The defender may increase the cost of the special knowledge of the attacker through better operational security, so-called OPSEC: choosing, identifying, changing, and protecting mission-critical information. We resist the acquisition of special knowledge about our systems, applications, and data by operating in a manner designed to resist the leakage of information about them that might be useful to an adversary. This may include using code words and changing key information. Think TORCH, ULTRA, and MAGIC from WWII. Think camouflage and disinformation. Think product, application, and server names; better to call them "apple" and "orange" than "next generation product," "payroll," and "payables." Think "trade craft."

Finally, there is TIME to detection and mitigation. While some breaches can succeed in hours to days, others may require weeks to months. Again, ransomware attacks are of special interest. The time from attack initiation to successful compromise of the victim's entire network has been shrinking from weeks to days, in part because of the tools, skills, knowledge, and improved efficiency of the attackers. The defender can reduce the time available to the attacker by improved surveillance, detection, and threat intelligence.

Perhaps the most efficient way to reduce the time to detection and mitigation is out-of-band confirmation of all sensitive activity. Kenneth Chenault, the President of American Express, told the President of the United States that by confirming credit card charges using instant messaging, AmEx was often able to detect fraudulent transactions within sixty seconds.

Note that these elements are fungible; an excess of any one, especially special knowledge, may decrease the need for the others. If the attacker already has knowledge of a vulnerability, credentials, or applications, then the amount of work or time to detection required may be considerably less. Increasing the cost of any one increases the total cost. Increasing them all proportionally may increase that cost exponentially.

Three cautions:

  • "An ounce of prevention is worth a pound of cure."
  • "Never spend more mitigating a risk than tolerating it will cost you."  --Robert H. Courtney, Jr.
  • At least collectively and over time, even criminals are rational; they will not pay more in the cost of attack than they can expect in the value of success.

Raising the cost of attack is efficient; the cost of attack goes up faster than the cost of the measures to achieve it. While there is an upper limit, we are nowhere close to it. The value of success has been going up very fast and the cost of attack has not risen proportionately. The situation is now urgent and we have some catching up to do.


