Quoting Sun Tzu might be a cliché, but there is truth in clichés, writes Ben Banks MBCS, cyber security consultant at Additive Security. Sun Tzu’s idea represents a clear manifesto for offensive security, but there is also a defensive aspect to unpack - the power of formlessness.
So, what is ‘formlessness’? Here it does not mean to be devoid of all form - that is just noise. It is more that the proper form can only be seen from one vantage point. In the formless strategy can only be inferred when looking at all elements in context. It is axiomatic that the observer can only separate signal from noise from a single observational point of view.
Undergoing constant change
Today's computing ecosystems are dynamic. The zeitgeist of IT modernity is infused with the language of change. Systems and people are transforming, sharing, sprinting, automating, mining, converging, elasticating, autonomising, decentralising, learning, cloud-enabling and as-a-servicing.
Being buffeted by the constant winds of change can get uncomfortable for cybersecurity practitioners. As a discipline, we relax in the quiet times of stasis and find comfort in establishing the common understanding of best practice. We all feel the fear of the chaos-monkey bringing unpredictable forces to bear on what we know to be effective.
Reflecting on the Sun Tzu’s idea, opens up the possibility of another way. Systematically making valuable things formless is a potent defensive tactic. Embracing formlessness, ephemerality and mutability without causing chaos is the key. Technologies that are built for dynamism can make that end achievable with effort and forethought.
There are three key goals to unlocking the defensive power of formlessness:
- Knowing what valuable assets to protect and how.
- Reducing the cost and risks of change to as near zero as possible.
- Adding helpful layers of abstraction to infrastructure.
Knowing what valuable assets to protect and how
This is cybersecurity 101 - it's also the foundational step in formless defence. The precise location of the valuable assets to protect and protective controls to be applied in those locations, is the original image we are seeking to add noise to. In the idea of formless defence, it enables the ecosystem to maintain integrity in a dynamic environment. Integrity is the driving factor maintaining the organisation's view of its informational self. Adding noise is the easy bit. Maintaining integrity is harder.
Integrity is quite different from confidentiality and availability. One can make things confidential or available. One can even make things integral (a necessary part of some whole). One can say something is authentic. None of these reflect our intuition of integrity in this context. Integrity is telling us something about the subject in and of itself - it is what it is. We must be mindful of making a categorical error - to treat integrity as a predicate.
Marking valuable information with additional tags is useful in managing integrity. Like ants using pheromones to optimise colony behaviour and to identity messages from within their own community. In this context information with certain classes of tag must subscribe to certain controls. A naive example might be that datasets tagged with odd numbers are transactional and therefore the host system must subscribe automatically to all the PCI controls. Building a taxonomy of valuable information and the associated level of risk is a useful formative exercise. The taxonomy informs the tagging and the service subscriptions need to be in place for systems to hold that class of information.
Near zero risk and cost of change
Being formless requires pervasive and perpetual change. Changing must be easy and cheap whilst maintaining integrity. Before touching on the plethora of technologies that support high dynamism there are two additional elements needed for maintaining integrity - a duplicate and a conductor.
The duplicate (n) is a mirror of the production ecosystem (n-1) with tagged format preserving non-production datum. Apply all changes to the n mirror ecosystem before cascading them to the n-1 production infrastructure if they pass appropriate automated acceptance tests.
The conductor keeps order. The conductor is a central registry of services and required parameters. It keeps the beat of change in the duplicate. On the second Wednesday the IP address of the syslog and SIEM services changes. The conductor issues instructions to lower-level orchestration systems responsible for further deployment execution. The conductor helps keeps chaos at bay.
Ephemerality of infrastructure and authentication is also a core concept in enabling formless defence. Ephemeral systems are designed for 'one time' use. A new, clean, gold-imaged system is deployed every time it is used. As systems are cycled, that system is wiped and resources returned. This is increasingly the default in managed service providers (MSPs). Any one upgrading their phone recently has seen that the handset is becoming an ephemeral interface to services. Authentication credentials should also be as ephemeral as possible. One time use passwords (or second-factor tokens) for privileged operations should be enforced.
There are myriad technologies available for reducing the cost of change. Using standardised web-service interfaces. Containerisation supporting application portability. Infrastructure as code enables high levels of automation with near-real time simultaneous execution. Rotating diverse platform as a service and infrastructure as service suppliers without interruption can be the norm as service offerings align and are commoditised. Blockchain-type techniques could provide a cryptographically strong distributed ledger of tokens that are organisationally unique. Using machine learning algorithms, dynamically profiling application's resource usage where sudden outliers are early warning signals or identifying any unintended consequences of change.
Layers of abstraction
Adding layers of protective abstraction - or access brokers - that execute instructions away from the requester have two significant additions to the formless defence strategy.
Firstly, abstraction can provide an intermediary layer to abstract unsafe operations - similar to the concept of a glove box for working with toxic materials. There are many technologies in this space which, if used properly, can significantly reduce risk. These include, but are in no way limited to, virtualisation, internet proxy servers, zero-trust networks, application sandbox machine virtualisation, network micro-segmentation and Virtual Desktop Infrastructures (VDI). In formless defence, these techniques reduce the assumptions an adversary can make about the execution environment and increases the steps required to take gain access.
Secondly, formless defence is simplified if there is a single interface point for a service delivered by some cluster of systems (for example, a network-load balance (NLB) hosting a singular IP address that dynamically farms work out to a pool of ephemeral computing resources). The doctrine of constant change requires that the IP address that masks the pool should change too.
Putting it all together
The Mitre Att&ck framework describes a cyber-attack, in a series of target states for an attacker to achieve, to fully compromise information systems. The list below maps these phases to where formless defence is disruptive:
- Gaining initial access - Mutability and dynamism in edge systems.
- Getting your code executed - Abstraction.
- Achieving persistent access - Ephemeral systems use.
- Elevating your access privileges - Ephemeral credential use.
- Evading existing defences - Mutability in internal systems. Dynamism in security systems.
- Getting access to bona fide credentials - Ephemeral credential use.
- Discovering what you can about the target - Mutability in internal systems
- Moving laterally around the target - Use of information marking. Machine learning enabled deep data analysis.
- Collecting as much valuable information as you can - Use of information marking. Machine Learning enabled deep data analysis.
- Exfiltrating that information - Use of information marking. Machine learning enabled deep data analysis.
- Taking command and control of the target - Ephemeral system use. Mutability in edge systems.
Embracing formless defence through the use of technologies, which inherently support high levels of dynamism, will empower architects to leverage potentially powerful tactics to disrupt threats and put integrity in its rightful place in the CIA triad.