May 22, 2017
Let me pose a question: “Is it a bad thing to give the average person a hand grenade with the pin pulled?” I think most of us would respond to that question with an emphatic “YES!” No one in their right mind would think it's a good idea in any possible reality to allow anyone without extensive military or professional training to access an explosive–especially not one that is live and has no safety device in use. Bad things would happen, and people would probably lose their lives; at the very least, there would be damage to property. No matter what, this scenario would be a very bad thing and should NEVER happen.
OK, now let me change that question a bit: “Is it a bad thing for every person with a network connection to have access to extremely powerful nation-state-level cyber weapons?” Hopefully you would respond similarly and say “YES!”
Just as the hand grenade juggling is a problem, so is the proliferation of nation-state-level exploits. These malicious tools and frameworks have spread across the world and are presenting a very complicated problem that must be solved. Unfortunately, the solution that we've currently been offered amounts to a variety of vendors slinging solutions and tools that, without good strategy, cannot effectively combat the myriad cyber artillery shells now being weaponized against every system that touches the World Wide Web. The bad guys have now officially proven that they can “outdev” the defensive technologies in place in many instances and have shown that it's highly likely that many installed legacy technologies are wide open to these weaponized attacks (anti-virus be darned) across the planet.
We have a problem for sure. Just as there would be a problem with untrained persons walking around with live explosives, we have a problem with possibly explosive outcomes on the horizon. The reality is that NSA-level attack tools and government-“issued” weaponized exploits have leaked onto the net, and, within months, the bad guys had reconfigured them for their purposes, attacking more than 100 countries and many multinational companies. In a few noted and publicized instances, the malicious actors using these tools and frameworks literally reconfigured code blocks and exploit samples overnight to ensure their effectiveness.
How fast can a defensive tool vendor move to fight that threat? Do you think your AV tool vendor will move faster than a cybercriminal organization that has no bureaucracy and no motive other than profit?
An international cyber-criminal organization using nation-state-level exploits is a very bad thing. We should pay attention to that fact and realize that we will live with this now and for the near future. I know from working in classified environments for most of my life that there is a reason that we tried to keep Pandora’s Box shut and that these exploits are extremely powerful. In a massively interconnected world, it's a very bad day when folks (evil or altruistic) on the net have access to what basically equates to tactical cyber nukes–ask anyone still dealing with the fallout from last week.
It will take a long time and a lot of work for the anti-virus vendors and endpoint protection folks to address the follow-on issues that are sure to come (more exploits are coming, of that I am sure). The time for technical preparation has passed and, in many cases, has already proven ineffective. It is far too late to beat the bad guys at their own game and keep trying to “out-tech” them. They move faster and are leveraging more powerful tools that do one thing and one thing only: find vulnerable systems and exploit the heck out of them. Strategy and optimality of defensive ecosystems should now be at the front of our minds, not fighting a battle by tossing tech at the enemy and hoping we have the bigger bag of ammo on our side.
Technology can’t save your network from these attacks on its own. The strategy you implement and how you use that entrenched secure ecosystem is where the difference will be made.