Artificial Intelligence & Machine Learning , Black Hat , Events

As Complexity Challenges Security, Is Time the Solution?

Black Hat Europe Speakers Focus on Upsides of Failing Faster as Complexity Mounts
As Complexity Challenges Security, Is Time the Solution?
Jeff Moss opens Black Hat Europe briefings on Dec. 7, 2022. (Image: Mathew J. Schwartz)

"Who here thinks your network or environment will become more complex next year?"

See Also: Safeguarding against GenAI Cyberthreats with Zero Trust

So asked cybersecurity veteran Jeff Moss, kicking off this week's Black Hat Europe conference briefings in London.

"Complexity leaves me in a very depressing place; complexity is just forever increasing," said Moss, who's the founder of Black Hat and regularly opens the conference by detailing leading challenges as well as potential solutions.

For addressing complexity, he said, "time has got me pretty excited." Simply put, being strategic about doing things faster - including detection and recovery - gives organizations one tactic to blunt the impact of increased complexity.

Not all complexity involves technological evolution, such as malware built to better evade defenses, or criminals wielding zero-day exploits. Researchers debuted last week ChatGPT, a prototype, conversational AI chatbot that can sometimes appear to be human.

This means added complexity for security professionals, since many security tools use attackers' poor command of English to detect and block phishing attacks. Expect criminals to soon use tools such as ChatGPT to write lures that seem to have been crafted by a native speaker, said Daniel Cuthbert, a veteran cybersecurity researcher who's a member of the U.K. government's new cyber advisory board.

For Cuthbert, the success of phishing attacks points to larger problems with vendors and developers failing to better eliminate bugs, simplify and trim their code bases and disable often-abused features. "For me, phishing is a systematic problem of where we are as an industry, in that you should be able to click on something and not have it push a reverse shell out to somebody else," he said.

Observe, Orient, Decide, Act

Since complexity comes in many different shapes and sizes, Moss recommends focusing on time via the decision-making loop OODA - for observe, orient, decide, act - to either succeed or to "fail faster and break things."

Moss added: "The faster you can observe, orient, decide or act, the faster you're able to spin that cycle. The faster you spin the cycle, the more you can be ahead of an adversary."

To put this into practice, he recommends that security professionals every quarter pick key, time-based metrics to address. For example, in this era of rampant ransomware attacks, how long does it take to restore a backup?

Restoration will never be an instantaneous process, and even restoring numerous systems in one day is probably a stretch. But if they can make small savings in time in advance of a crisis, Moss said, they might be able to more easily weather the crisis and recover.

If an organization knows it can restore working backups in two days and believes it can "string along" ransomware attackers for three days, that provides more leeway to see if the backups work before deciding if they must, after all, pay the ransom to recover data, Moss said. Not that he's a proponent of paying ransoms, "but you now have options," and not least among them is providing leadership with confidence about what can be achieved and when.

If restoration takes five days and negotiations can only be sustained for three, "all of a sudden, your leadership starts thinking, 'Maybe we should pay the bad guy some money just in case,'" he said.

The overriding goal of focusing on time is to more quickly either succeed or fail. "We can use time in so many ways to help our enterprises," Moss said. "A lot of harm that's caused online can be addressed, if we only act faster."

Incident Response

Knowing what an organization needs to do more quickly and finding ways to do that is a repeat theme throughout the conference so far, including at the standing room-only briefing "Confidence in Chaos: Strategies for World-Class Security Operations."

Speaker Kathryn Knerler, senior principal cybersecurity architect in MITRE Labs' Cyber Solutions Innovation Center, shared a story about working in a security operations center that received an alert from an external source saying that it had been hacked. But neither the SOC nor the IT department - which maintained the asset inventory - had any record of the IP address.

Eight hours later, the SOC was finally able to verify the hack report. "It was a research organization that had set up this little, rogue network and not told IT or asset inventory," she said. "If you were listening about timing this morning, eight hours is a long time if you're doing incident response."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.