Extreme : The Dark Delta’s Impact on Cybersecurity – I Don’t Like Tigers and Snakes

Reality is not something that we actually interpret. Instead, we experience an interpretation of reality through the windows of our senses. For the most part, this is a negligible difference. We don't notice any delay when we walk down a hallway, run on a track, or have a conversation with someone over tea. The reason for this is the latencies involved in passing signals through our bodies are minuscule in the everyday world. We should not expect much delay as we pass signals from our senses to our brains, interpret them, and send signals from the brain down to our muscles at speeds ranging from 70-120 meters per second.

However, we can begin to notice a difference in our interpretation of what we see. We have all had experiences where we have misinterpreted the information that we receive. It might be due to lack of visibility, or it might be that something happens so fast that we do not bother to pick up all the details but our brains to react to the situation. This is particularly true during times of duress or alarm.

This phenomenon is something that I refer to as the dark delta. Simply put, there is a strict limitation on what we can know by our senses about the objectively real world.

While the latency of sensation is negligible in an easy chat over tea, this is not the case if we travel down the road at 60 miles an hour. The average individual will perceive themselves to be roughly ten feet behind where they really are. For example, if we were inside an aircraft traveling at 600 miles per hour, our perceived position would be off by 100 feet.

This misinterpretation of information is also sometimes exploited in natural camouflage. In the wild, we may encounter several snakes that are not venomous, but they look like the Coral snake, a highly venomous and deadly snake. We may not see the tiger in the grass thanks to its stripes, but he is still there, and he is hungry. In the jungle, the latency of our senses, as well as our misinterpretation, could cause our demise. In 1974, singer Jim Stafford had a hit song called 'I Don't Like Spiders and Snakes.' He should have also been worried about the tiger in the grass.

What is the dark delta?

Most of us do not fly high-speed aircraft, and most of us hopefully do not have to deal with the ferocious tiger in the grass. Instead, we all need to deal with cyberspace and the impact these sensual limitations have upon us in this environment. Even if we understand the technologies, unless we designed the systems, we probably don't think about what happens when we send a text or email because it happens so quickly. We need to trust in the systems to deliver our information securely, with both integrity and privacy. But this is easier said than done.

A very pertinent example is a vulnerable IoT device. A device with vulnerabilities can be compromised in minutes. But then the movement changes. Before attempting any active covert moves, attackers will often wait for an extended period of time to build up a presence in the network. Here, the dark delta can be wide. There have been some reports of network compromise for hundreds of days before discovery, and that point of discovery is usually when the attacker finally does something, similar to an ambush by the tiger in the grass. But by then, it is usually too late, and the damage has been done.

Phishing via email and text is based purely on deception, and these scams are often prevalent and successful. Phishing campaigns often result in ransomware attacks, and these campaigns are very sophisticated, with emails mimicking legitimate correspondence between coworkers. The dark delta is in our interpretation of the email or message. If the email is marked urgent and presents a valid-looking subject line, we might click on that file or that link. The tiger attacks and the snake bites.

Using the dark delta to your advantage

The exploitation of the dark delta can also go both ways. One of my favorite examples is an employee from an aeronautical engineering firm stealing information via encrypted files. When the deception was discovered, the firm let him continue to steal the files until they had a complete forensic record of the whole event chain. Only then was he apprehended. In this story, we must ask who was deceiving who. In sting operations, potential attackers are deceived and are placed under intense scrutinization by security operations center (SOC) teams. To protect an organization, a SOC team can monitor an attacker's modus operandi.

This is very similar to the flight assistance that occurs with the high-speed pilot. We can use such systems to obtain a point of perception that we otherwise could not. In the modern cyberspace world, we require additional systems to sense cyberspace environments in ways that we could never do. After all, we cannot see an IP packet with our own eyes. We require a computer and software to decode the packet to provide a human-perceivable display of the information. Remember, an IP packet at the base level is only 1's and 0's. These systems help us deal with the speed of the data and aid in the interpretation of the data. We can narrow the dark delta within cyberspace.

In all of this, remember one dictum, we cannot secure what we do not know about. Hence, extensive knowledge of our cyber-environment helps us establish a more robust overall security posture. The best example is the amount of IoT devices many organizations have in their environment. Many, if not most, admit they cannot account for every IoT system. We need solutions to assist organizations in getting an accurate inventory and security profile management of IoT devices. With the strategic use of such technology, the IT burden significantly decreases while improving the organization's overall security posture. There is a payoff in narrowing the dark delta.

In the previous example of the employee exfiltrating intellectual property, we can see a key principle of narrowing the dark delta through systems that increase visibility. At first, the organization deceived; however, the org ended up misleading the culprit over time. This is the classic definition of the sting operation. If we look closely, we can see a shift in the dark delta from the organization in question to the attacker, with the attacker being the one in the dark at the end.

When considering network security, remember the tigers and snakes

Visibility is critical for security, whether it be physical or cyber. In the physical world, we think of video surveillance and building or campus perimeter control. But when we move into the cyber world, our concept of visibility needs to change. The first thing that comes to mind for most people is traffic analysis, or who is talking to who via the IT network. But there are other dimensions as well. Moving into further granularity, we can move into the discrete analysis of packet flows between systems. On a broader level, one looks for a sense of normalized patterns of behavior and any unusual variations in traffic. A good analogy here is that we would use a microscope to look at the very small (and close) and a telescope to look at the very large (and far). Different ranges of visibility require different systems of analysis.

Additionally, it is essential to consider what part of the network we are concerned with when utilizing certain network security technologies. Firewalls, as an example, are best placed at defined security demarcations where the ingress and egress to individual network segments can be monitored and controlled. Firewalls are very sophisticated security platforms, but they are also relatively expensive. Therefore, careful planning regarding firewall placement and usage is critical. On the network edge, it's a different story. In Wi-Fi and BLE environments, Wireless Intrusion Protection is essential for visibility into the wireless service edge. On the wired side, various options include strong edge policies, port analytics, Fabric RSPAN, and Deep Packet Inspection for a higher-level focus.

Another level to consider is that of security information and event management (SIEM). This overarching system provides information data archives, analysis of systems logs, and security alerts generated by server systems, applications, and network devices. These systems can provide for high granularity in a historical context that can then leverage the other technologies mentioned above to obtain higher levels of focus where required. Remember, security is all about correlation.

Always consider the complementary aspects of all these tools to ensure we have the total end-to-end visibility required to react to situations and make proactive decisions. We can see into the dark corners of cyberspace if we invest in the right tools and if we take the time to look. The dark delta always needs to be top-of-mind when implementing your zero-trust security strategy for your enterprise IT network. The dark delta is vital in the way we look at security. If we are vigilant, we might see the tiger in the grass. If we are observant, we can identify the coral snake. I don't like tigers and snakes, but there are ways to avoid them.