Here are some practical recommendations from an expert on playing defense that I found today in a document on the Internet: To be sound in our defense, we must be able to adjust our defense. Much of our defensive interference will be dictated by the offensive alignment. Use the standard adjustment unless the game plan dictates otherwise. Do not look back for the ball until the receiver starts his catching motion or slows up.
In case you're wondering where these suggestions came from, the last sentence sort of gives it all away: They are from the 1984 New York Giants Defensive Manual. Now, I fully acknowledge that the respective strategies for playing defensive (American) football and for stopping cyber threats will have obvious differences (for example, cyber security hurts more). But I believe our community can learn much from the real-time, situational nature of professional sports.
I recently had the great privilege to reconnect in New York City with my friend Steve Ryan, former Deputy of the NSA's Threat Operations Center (NTOC), also known as the "cyber nerve center of the NSA." Steve's new start-up venture, Trinity Cyber, is focused on active cyber defense, with emphasis on interfering with a malicious adversary during a real-time attack. This requires a combination of situational awareness and pre-planned diversionary responses.
Seated outside in the shadow of 195 Broadway, I asked Steve how one might go about actively interfering with an adversary, and his practical experience at the NTOC was obvious: "We focus on the adversary's tradecraft rather than traditional indicators of compromise, like IP addresses and domains," he said, "and we have to be invisible to the attacker. We then use this information to provide an interactive response, and to learn from the methods to install real-time protections."
This concept of adjusting to an attack has been missing across most of our cyber defensive community for years. The typical approach is comprised instead of static IT safeguards that are nailed into a position that doesn't change once an offensive initiative has begun. Imagine the New York Giants manual dictating that defenders hold their position on the field regardless of how the play is unfolding (although sometimes against Dallas, that is exactly what they do.)
One of the most familiar aspects of a static defense involves predictable responses to probes and other active offensive measures. If an adversary launches a familiar SQL injection attack, for instance, the presence of a WAF or the familiar response cadence from the targeted application on the targeted OS, offers way too much information to the intruder. Trinity Cyber cleverly interferes with this process through crafted responses.
Steve explained how his platform offers many different interference responses to the defender when evidence of an attack emerges: "As live data is collected, the defender can agilely counter to the adversary's move in pre-crafted ways, as opposed to responding with just a block. The defender can neutralize the attack, divert to a quarantine, allow the traffic to pass, and on and on." These are all great options, and clearly improve any real-time cyber defense.
We both agreed that existing static cyber defenses have been proven ineffective at stopping nation-state actors. In addition, automation often leads to faster versions of after-the fact responses, and compliance initiatives have done little to improve the situation. We also agreed that adjusting the mindset of the defender toward using tradecraft insights and deceptive response would require some work. But in the end, it seems clear that the effort is well worth the time.
And by the way, if you are reading this article and you have any influence with the New York Giants defensive coordinators, would you please ask them to remind our defensive backs to actually turn around and look for the football next season once that Dallas receiver is about to pull down a fifty-six yarder? Now that I think of it, maybe the New York Giants need a tough, motivational session with Steve Ryan and the Trinity Cyber team. (Too bad he's a Pats fan.)