I was at the RSA show a couple of weeks ago and my plane reading included The Black Swan by Nassim Nicholas Taleb. Black Swans are big things that happen unexpectedly, and having happened, change our world significantly. 9/11 was a Black Swan. So was Lehman. In the context of the RSA show, it was hard not to draw some parallels to the new breed of advanced cyber-attacks.
Human beings are pattern-seeking animals. We’re naturally predisposed to take the noise that everyday life is made of and turn it into a song. So when we see an actual pattern, we tend to embrace it wholeheartedly. Consider the life of a turkey. If you’re born a turkey, for the first thousand days, your life is a wonderful pattern. Every day you’re fed and taken care of by this group of humans you live with. Day 1001, out of the blue, on a sunny Wednesday afternoon in November, you’re taken behind the woodshed and slaughtered. An inconceivable Black Swan from the turkey’s perspective. A pretty rational story arc from the perspective of the humans who have been feeding him.
All well and good to laugh at the poor turkey, but the obvious next step is to consider our resemblance to the turkey. As security professionals, we live a daily pattern of attacks and responses. Our IDS, SIEM, and anti-virus products feed us plenty of noise to make a song with. But what happens on day 1001? Our Black Swan isn’t going to be picked up by our IDS. It will, by its very nature, be an outlier from our daily experience.
Even in the context of the entire industry, the Black Swan Attack is an outlier. T.J. Maxx, Target, and Sony were all Black Swan Attacks. As an industry, we dissect these attacks and try to make sure we have some sort of defense against the same thing happening to us. In a reaction similar to 9/11, we fortify the cockpit doors and make sure that no more razor blades get on planes. It seems unlikely though, that the next attack will be the same attack. A series of exploits were used at Sony. Do we believe that if those exact exploits were unavailable, North Korea would have given up and walked away?
Before you sink into a pit of despair, some thoughts on dealing with the inevitable, unpredictable Black Swan Attack.
- Keep looking at your SIEM but do so with a skepticism that admits that there are things going on that your SIEM doesn’t know about.
- Keep a broad variety of expertise around you. Mr. Taleb presents evidence that experts are the most likely people to have blind spots around Black Swans. A SOC team composed solely of SIEM experts won’t generally think to look beyond the SIEM.
- Knowledge of specific attack cadences will betray you. Don’t spend all your time looking for attacks. Watch your assets, watch your users, and most importantly watch how your users are interacting with assets. Watch for weirdness.
- Don’t get paranoid; get humble. By definition, we can’t know the unknowable. We can, though, humbly admit that we don’t know, and try to find the best places in the network to look for the strange new attack we suspect is coming.