Page 72 - Cyber Warnings
enough as to be worth repeating anyway. Unfortunately, the next lesson from the strategic
masters is far less widely understood.
Lesson 2: Action and Reaction
CISOs should never forget that they contest continually with active and maneuvering enemies
who will react to every move and countermove. It is a well-known military truism that “the
enemy gets a vote,” which is to say that the enemy will react to whatever a combatant does,
often in unexpected ways. Clausewitz said this more elegantly when he compared war between
nations to a wrestling match, with each wrestler constantly reacting to what the other wrestler is
doing in a continuous interaction.[18] Edward Luttwak takes this concept even further and states
that the entire realm of strategy is driven by this interaction, which generates a paradoxical logic
where combatants often get the opposite of whatever they are seeking due to the enemy’s
response.[19]
Further, once malicious code is released and detected, the defended organization will likely
remediate the threat quickly. After an attack is detected, the defender can perform forensics on
the malicious code and then modify their own systems as required to counter it.
Once the attacker determines that they have been detected, they will respond by changing the
nature of their attack. This maneuver dynamic makes responding to a cyber-attacker very
different from responding to a natural disaster. An earthquake or hurricane may do tremendous
damage, but it isn’t trying to defeat your defenses; it just is what it is and would be the same
whether your facility happened to be in the way or not. Natural disasters are mitigated through good risk
management and engineering, but some of that methodology breaks down with cyber attackers.
The odds of a hurricane striking a particular area can be well modeled using probabilistic
methods; not so for a cyber-attacker who is responding to incentives and countering what the
defender is doing. Closely monitoring an incoming hurricane does nothing to change its
trajectory; closely monitoring your IP space and the attackers trying to get in will change a
cyber-attacker’s trajectory.
Vulnerabilities in IT systems represent opportunities for the enemy to inflict their desired effects
on your systems. Both hardware and software added or altered in your system environment
introduce additional potential vulnerabilities. Routine updates to your software, as well as
adding even simple devices such as mice, keyboards, printers, etc., all add potential new
security weaknesses that attackers can exploit. There are also always “zero day” or unknown
vulnerabilities that exist in every system. The number of potential vulnerabilities in just IT
systems is overwhelming; when you consider Operational Technology (OT) systems such as
water treatment, electrical power generation, or production systems, the enormity of the problem
becomes hard to even grasp. The bottom line is that a determined and competent attacker will
eventually be able to find an opportunity to enter and create their desired effects.
Enemy forces will be able to maneuver and evaluate opportunities, but CISOs should never
forget that they can maneuver as well. Because modern cyber maneuvers represent largely
keystrokes versus large personnel and equipment movement, attackers are agile in their ability
72 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide