The Nuix Black Report on cybercrime was published in February. Leaving it to simmer a while has shown its value, as cyber incidents like WannaCry show the value of the understanding and planning which the report urges. There is a war going on here and, as in war, you need to know your enemy.
There are two deviations before I turn to the Nuix Black Report itself. The first is on the value of setting time aside for a proper read of (some) lengthier papers and articles. We tend to skim in these frenetic times, and one of the points made in the Black Report is that the hackers themselves spend time reading around their subject. The Black Report warrants your time. The second apparent deviation is a section on how the contained task of recovering data (“forensics”) turned into the endless battle to protect data from threat (“cybersecurity”). Looking back, the progression and convergence seem obvious and inevitable. That is not how it felt as they developed, with each phase opening new risks, new tools and new opportunities.
An idealised notion of my working life suggests that I sit amidst dreaming spires in Oxford carefully reading the mass of material which passes by every day on electronic discovery and on the many subjects which now surround it, before settling down to write thoughtful articles.
Much of it is actually like that, but often this ideal is broken by the exigencies of real life – of conference organisers demanding session outlines, of having to write about things with deadlines such as forthcoming webinars and, worst, of waiting at railway stations or airport terminals as a day, or a week, is swallowed up by participation in an event.
In those periods, the long reads tend to be put on one side for the time being. One of the things about the long reads is that they have taken someone else a long time to write, and they (the good ones that is) deserve proper attention; the other is that they tend to have a lifespan longer than a journalistic minute – if they are worth consideration at all, they will be as valuable a few weeks later. One merit of writing about them after an interval is that it extends their lifespan beyond the first wave of publicity.
Extension and convergence – eDiscovery tools and skills find new roles
When I began as a commentator, my vision was limited to eDisclosure in England and Wales. That spread to take in eDiscovery in the US and in other common law jurisdictions around the world. It spread in subject-matter terms as well, as eDiscovery skills and tools were applied to an ever-wider range of subjects. What began with forensics and spread to eDiscovery went on into wider questions about compliance, not least with data protection and privacy laws; it encompasses not just litigation but regulation and internal investigations; it spread to the inchoate subject loosely known as information governance; and it fetched up on the wild shores of cybersecurity. What began as keeping and collecting your own data for the purposes of giving it to others became the urgent need to defend your data against attack, both from inside and outside.
Along the way, new forms of data emerged – big data, social media data, BYOD data, chat data and more. New requirements came along too, as new laws and rules required that organisations know what data they have got, that they keep it securely, and that they comply with restrictions on how it is kept, when it should be deleted and what should be done when it is attacked. The EU’s General Data Protection Regulation is the one which is (or should be) on every corporate agenda at the moment. A narrow and contained subject has become a very wide one.
That expanding map, from forensics to cybersecurity and everything in between, describes the life-cycle of Nuix, a software company which has confidently ridden every new wave of development, adapting all the time to meet new threats and to keep up with its clients’ needs, often before the clients knew they had such needs. My recent interview with Matt Geaghan of Nuix covers some of this. A Nuix video called The Need to Know… traces this parallel development of client needs and Nuix developments.
The Nuix Black Report
This lengthy preamble brings me to the Nuix Black Report. Published in February, it is simultaneously important, interesting, meaty, and long. It addresses subjects which are not going to go away and deserve more attention than a quick skim.
Written by Chris Pogue, Chief Information Security Officer at Nuix, with the help of a large team, it looks at the cybersecurity problem (or, rather, problems, since there are many of them) from the point of view of the people who do the attacking, rather than the conventional position of the organisation under threat.
I am fond of analogies from war. The words in the title of this post, “Know your enemy”, come from Sun Tzu’s The Art of War. The greatest writer on military strategy, von Clausewitz, was simultaneously aware of the value of intelligence and sceptical of its accuracy:
“Many intelligence reports in war are contradictory; even more are false, and most are uncertain…. In short, most intelligence is false.”
After reading Chris Pogue’s Black Report, I feel much the same about many of the threat reports which I have read.
The Black Report puts it this way:
What we found during our research was quite contrary to the conventional understanding of cybersecurity. Some countermeasures that you think will stop an attacker won’t even slow them down. Other defensive techniques that you think are totally arbitrary actually have a tremendous impact on your defensive posture.
Sticking with the war analogy for a moment, there are obvious parallels in the opening stages of the wars beginning in 1914 and in 1939. France’s ring of defensive forts barely slowed the Germans down in 1914. In 1940, Rommel’s blitzkrieg smashed through the Maginot Line in hours. In each case, France had prepared, physically and psychologically, for the wrong war. A closer study of their enemy might have dictated a different defensive approach.
There is a stereotypical picture of the hacker, usually reduced to a picture of a man (always a man) dressed as for physical burglary, complete with mask. The Black Report begins by trying to understand more about the hackers themselves – how they see themselves, and what their qualifications and motivations are.
Looking at hackers simply as criminals out for monetary gain narrows the range of possible enemies and may in turn limit the defences you erect to keep them out. Someone who hacks your systems for the fun of it, to satisfy his or her intellectual curiosity, or for revenge or malice, is harder to deal with because harder to anticipate. Their risk appetite, motive and opportunities – the conventional drivers of crime – become relatively meaningless in practical terms.
The Black Report goes on to look at the tools which hackers use, how they identify potential vulnerabilities, and what their favourite type of attack is. Organisations think they know how long it takes to penetrate their systems, but they don’t know what they don’t know – the attacks they missed, and how long the successful ones took to succeed. Adding all this together, the Black Report concludes:
In the first 24 hours of an attack, it is more than likely an attacker will compromise your systems, and exfiltrate your sensitive data, and leave you none the wiser that they were ever there.
Attackers change their methodologies, and the parallel with France’s wartime defences becomes clearer. The border fortresses of 1914 were designed to prevent an attack of the kind that was successful in 1870. The Maginot line of 1940 was born of the lessons of 1914, but no match for Rommel’s Blitzkrieg.
Rommel’s Blitzkrieg, France 1940
Of Nuix respondents who said that they changed their approach, 56% did so simply because they were interested in learning new techniques. The flexibility needed to repel this is extraordinarily high.
The main points in the Black Report
There is no need to paraphrase for you the whole of a document which, even at 48 pages, is extremely readable, but it is perhaps worth highlighting other key areas covered in it.
There is a problem finding new recruits in the face of an acute skills shortage in security and intelligence.
We need to humanise data: Nuix has a concept called CORE – people, objects, locations, and events – which is as relevant to tracking threats and hackers as it is to discovery and investigations.
There is a need to boil down data to extract usable information. This applies equally to the data we are meant to be looking after, to the deluge of data recording and tracking threats as they arise, and to the mass of reading and learning about cybersecurity which the attackers themselves have access to.
Before considering what security countermeasures to use and where to apply security budgets, it is worth (again) understanding which defences pose the biggest problems to attackers, and defending in depth.
Again, that military analogy is helpful. Pre-1914 France relied on its line of forts and on the élan with which it would counter-attack. What was actually needed, it turned out fairly quickly, was rows of trenches protected by barbed wire, pillboxes, underground fortresses, mines and countermines, all strengthened by the intelligence derived from aerial observation. All this was developed over the next four years as a response to attacks, not in anticipation of them; defence became much easier than attack.
There is a section on ransomware, written before WannaCry showed everyone (and not just the experts) how serious this is. Consistent with the rest of the paper, the section on ransomware is largely devoted to understanding what attackers used to achieve their objectives.
Education matters, and at every level from the directors down to individual users.
There is a section on court reactions to hacking including the need for opportunities to educate the judiciary.
One of the recurring points in the Black Report is the speed with which organisations must react. A section headed On Organisational Incident Readiness covers data breach response, including the merits of real-world, controlled attacks performed against them while the response and monitoring teams are watching, reacting and learning in near real time. You need more than a plan and a theoretical idea of how an attack and its response will happen; you need actually to model it.
A model of German Great War defences used to plan attacks
My battlefield analogies recur throughout the report, with references to the need to “think like your enemy” and to “ye olde castle keep”. Right at the end, I find that Dr Jim Kent, Global Head of Security and Intelligence at Nuix, uses the Sun Tzu quotation which I used at the beginning of this article in its full form: “if you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Jim Kent uses this to anticipate his conclusion:
“Without [intelligence], we are doomed to repeat the same fate as we experienced for years.”
All these disciplines are related
My first sub-heading in this article is Extension and convergence – eDiscovery tools and skills find new roles. From the beginnings of electronic data, it has been necessary to be able to find it, which increasingly meant recovering important things from the mass, from damaged sources or in circumstances where someone has hidden it for nefarious purposes. Thus was born the science of forensics.
Litigation discovery, with its rules and sanctions (to say nothing of the need for evidence), accelerated the need to know what you have got. As volumes increased, so did the need to do more than merely find data – it had to be done quickly and cost-effectively, and new tools arose for turning that data into usable information and thence into intelligence. Regulations like the GDPR imposed additional duties of protection and reporting.
On the face of it, cyber risk is something different – the need to protect what you have got rather than the need to uncover what you have. Those same tools, principles and skills, however, became adapted to this new use. One of Nuix’s most compelling demonstrations shows how fast and sophisticated variants on eDiscovery tools can be used to track events as they happen rather than merely work out later what had happened. The Nuix CORE concept – people, objects, locations, and events – acquires a new and urgent application as the bad guys are actually at their work.
The Nuix Black Report covers all this and more. Its focus on the attacker is rather different from the usual threat report and is obviously right as soon as you start reading it. The sections on defensive preparations, on multi-layered protection and on testing make much more sense when expressed in terms of the motivations of the attacker.
Although we frame all this in terms of the extension of forensic and eDiscovery needs, skills and tools, it is really no different from anything else. Marketing, advertising, architecture, journalism, the practice of law – anything really – should begin with an understanding of the visitor, whether a client, an authority, a competitor or one who would do us harm. Your enemy is not the only one you need to understand.
As to modelling incidents, that too has parallels beyond cybersecurity. I am sure British Airways had a plan for what to do in an IT crisis; as millions of pounds and the last vestiges of corporate credibility flushed away last weekend, I bet they wish they had run it, in real time, in an exercise led by an outsider who had studied the weak spots.
Image credits: General (as he then was) Erwin Rommel, Alexander Turnbull Library