Maybe you have nightmares about accidentally posting AWS console credentials on Github?
Some CISOs undoubtedly have dreams where they must explain to the board that the company has just set the record for the world’s largest data breach. As a developer of security products, I spend many early mornings thinking about how hacking and data breaches continue to increase despite the significant advances that we are making to harden and secure facilities. Clearly, something rather fundamental is escaping our attention. I think that I have a good idea of what is going wrong.
If you think of hackers as unshaven 20-year-old guys attempting to amuse themselves in their parents’ basement, it’s difficult to explain the growing tsunami of breaches. Let’s face it: if amateur hacking were profitable, would people choose to live life as basement freeloaders? Probably not. So, we can discard the subterranean sect as the source of our problem.
But consider organized crime as an alternative source. Imagine businesses as a flock of sheep and organized crime hackers as the proverbial wolves. Obviously, the security community is doing an excellent job of giving the sheep armored overcoats. But fundamentally, this doesn’t change the paradigm. The wolves have to be more creative. But because sheep are inherently non-confrontational, wolves are safe in continuing their lupine ways.
Looking at hacking as if it were a business model, the problem becomes increasingly clear. For a modest investment in ransomware or penetration automation, it is possible to secure impressive returns with very little risk. What organized crime boss or petty despot could resist? By adopting a purely defensive approach to security, we have issued an engraved invitation to attackers.
To change the “hacking market” dynamics, the security community needs to inject risk into hackers’ business model and to reduce their return on investment. Fundamentally, we need to devalue their business model so that it is no longer an attractive investment. Here is the germ of an idea that could potentially achieve this goal.
The concept has two parts. First, make police forces around the world more efficient. For offenders who are in countries where there is a reliable rule of law, deliver enough information to the police so that they can make major cases without major investments:
- Set up honeypots that can only be accessed illegally and with obvious intent.
- Use dye packs that place coded identifiers into the intruder’s file system. This code can be tied to the case file that documents the illegal activity. If police are able to find the machine, they can tie it to fully documented violations.
- Fingerprint computers to tie illegal activity together across a volume of events/companies. This makes it possible to identify groups attacking multiple banks or businesses.
- Cross-correlate device signatures with email addresses to identify low-grade offenders. Send these people a notice saying, “We know who you are. Stop it.”
- For high-grade offenders, provide detailed evidence to police forces.
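The defender-side half of this scheme (a decoy that is only ever reached deliberately, a device signature per visitor, correlation of hits across organisations, and a tiered case file for each actor) can be sketched in a few dozen lines. The following is an added example and not code from the post; the honeypot hit records are constructed, the addresses are RFC 5737 documentation ranges, and the choice of IP plus User-Agent plus header order as the "device signature" is an assumption made here for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed honeypot hit records. Each path is a decoy that no legitimate page
# links to, so a request for it signals deliberate probing rather than browsing.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:09Z", "org": "bank-a", "path": "/backup/admin.sql",
     "ip": "203.0.113.7", "ua": "python-requests/2.31",
     "headers": ["Host", "User-Agent", "Accept-Encoding", "Accept"]},
    {"ts": "2024-05-01T02:17:41Z", "org": "bank-b", "path": "/.git/config",
     "ip": "203.0.113.7", "ua": "python-requests/2.31",
     "headers": ["Host", "User-Agent", "Accept-Encoding", "Accept"]},
    {"ts": "2024-05-02T11:03:55Z", "org": "shop-c", "path": "/wp-login.php",
     "ip": "198.51.100.23", "ua": "Mozilla/5.0",
     "headers": ["Host", "User-Agent", "Accept"]},
    {"ts": "2024-05-03T08:30:00Z", "org": "bank-a", "path": "/backup/admin.sql",
     "ip": "198.51.100.9", "ua": "curl/8.1.2",
     "headers": ["Host", "User-Agent", "Accept"]},
    {"ts": "2024-05-03T08:30:05Z", "org": "bank-a", "path": "/.env",
     "ip": "198.51.100.9", "ua": "curl/8.1.2",
     "headers": ["Host", "User-Agent", "Accept"]},
]


def fingerprint(event):
    """Short hash of stable client traits.

    Assumption: IP address, User-Agent and the order of request headers stand in
    for the post's 'device signature'. A real deployment would fold in further
    traits (TLS handshake features, for instance), but the correlation logic below
    is the same whatever the signature is built from.
    """
    material = "|".join([event["ip"], event["ua"], ",".join(event["headers"])])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def correlate(events):
    """Group honeypot hits by fingerprint, tracking which organisations each actor touched."""
    by_actor = defaultdict(lambda: {"orgs": set(), "hits": []})
    for event in events:
        fp = fingerprint(event)
        by_actor[fp]["orgs"].add(event["org"])
        by_actor[fp]["hits"].append(event)
    return dict(by_actor)


def triage(events, high_grade_orgs=2):
    """Map fingerprint -> 'high' when the actor probed at least high_grade_orgs
    distinct organisations (the post's cross-company case), otherwise 'low'."""
    return {fp: ("high" if len(info["orgs"]) >= high_grade_orgs else "low")
            for fp, info in correlate(events).items()}


def case_file(events, fp):
    """Evidence package for one actor: chronological honeypot hits with organisation and path."""
    info = correlate(events).get(fp)
    if info is None:
        return None
    hits = sorted(info["hits"], key=lambda e: e["ts"])
    return {
        "fingerprint": fp,
        "organisations": sorted(info["orgs"]),
        "hit_count": len(hits),
        "timeline": [(h["ts"], h["org"], h["path"]) for h in hits],
    }


if __name__ == "__main__":
    for fp, tier in triage(SAMPLE_EVENTS).items():
        print(tier, case_file(SAMPLE_EVENTS, fp))
```

Run on the constructed records, the actor from 203.0.113.7 is tiered "high" because its signature appears at two organisations, while the curl client that hit bank-a twice stays "low": volume at one target is not the same signal as reuse across targets. The `case_file` output is the kind of self-contained, timestamped record the post wants handed to law enforcement.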
Second, when hackers are operating beyond the reach of law enforcement, use offensive methods to attack their machines.
Where hackers are known to be beyond the reach of law enforcement, contaminate their machines with non-replicating malware that makes those machines unreliable. Every minute that hackers spend diagnosing problems or cleaning malware off their machines is a minute that their machine is not conducting an attack. Every dollar spent on malware detection is a dollar removed from a hacker’s bottom line.
What keeps me up at night is the knowledge that we have set up hacking to be a business model with returns that rival any Silicon Valley startup.
We are treating the symptoms without ever coming to grips with the underlying causation.