Mitigating “The Legend of Sophistication” in Cyber Operations
The drumbeat of cyber incidents continues unabated, with breaches at email providers, insurance companies, defense contactors, telecoms, adult websites, government databases, and so much more. These breaches typically have at least one thing in common: someone calls them “sophisticated.”
But if everything is sophisticated, nothing is. This has relevance to the broader world of cybersecurity. In short, network defenders and observers should think more carefully about what exactly goes into “sophistication.” Upon a more detailed review, many intrusions simply don’t live up to the billing.
What does a more rigorous examination of sophistication look like? David Aitel, a veteran of the NSA and CEO of Immunity, looked at different measures of technical prowess and investment in malicious code. For example, intruders that take great care to preserve operational security – such as by creating custom code for each target, not re-using infrastructure between operations, and the like – are different from those who are sloppier or in a rush. Aitel wasn’t writing about sophistication directly, but if one starts to add up the various technical components in his model, together they start to look like something approximating sophistication. More sophisticated operators have more developed operational security, testing facilities, and so on. Full sophistication in every area of an operation isn’t always possible. The best intruders recognize that, with limited budgets and time, they need to understand what kinds of investments will make the most sense for a given operation.
In addition to the technical choices intruders make, there are aspects of sophistication that refer to the overarching mission. One of these elements is speed. As pioneers of network security monitoring regularly point out, intrusions don’t happen in an instant, but develop over time. The longer the intruders take, the more time defenders have to react and interdict the intruders before they can steal secrets or do damage. One sign of operational sophistication is the ability to operate quickly in a contested network environment.
Another is to do so without making too many mistakes. Computer hacking is often a complex and unpredictable business, and intruders sometimes have to take chances. But some of the errors caused by uncertainty or carelessness might undermine the operation’s effectiveness, while others could result in detection and compromise. All else being equal, sophisticated operators are probably less likely to have these kinds of slip-ups in the course of their work.
Most of the time when an observer speaks of sophistication in network intrusions, they’re talking about the scale and scope of the effort. Causing power outages or destroying nuclear centrifuges is hard, so operations that manage to do these tasks must be sophisticated. It’s important to not take this trend too far, as success does not always equal sophistication; plenty of technically sophisticated operations fail, while less sophisticated ones succeed – often against less-capable network defenders. To some degree, however, the heuristic of scale and scope should be an aspect of assessing sophistication. More ambitious and clever operations, ones that manage to accomplish a great deal or pull off a tricky strategic feat, are more deserving of the sophistication mantle.
Why is the landscape surrounding sophistication so muddled? Most obviously, victims of breaches have obvious incentives to overstate the sophistication of the intruders. For one thing, no one wants to admit compromise by a weak actor, as it raises questions about negligence and could harm public and investor relations. Even in breaches that were probably carried out by teenagers, such as the breach of British telecom TalkTalk, the victim described them as sophisticated and coordinated. There might be an economic incentive to overstate the sophistication of intruders too, if it leads to an easier or larger insurance payout.
Third-party observers also sometimes overstate the sophistication of the operations they uncover. In part this is because of competition for attention. In a world in which many breaches get written up in reports by security companies or make headlines, the natural tendency is to try to stand out. It may also be due to a lack of information, as the observers—especially media—won’t have access to the forensic data required for a more careful examination of the case.
All of this discussion about sophistication isn’t merely an academic exercise. When every case is described as unprecedented and every threat actor billed as nearly unstoppable, it fuels what I call “the legend of sophistication.” The effect of such a legend is to paint a picture of a world with so many talented adversaries that practical cybersecurity is out of reach. But this legend, like many tall tales, can be undercut by fact. Threat modeling is vital. If a careful examination of relevant incidents reveals that intruders aren’t as capable or clever as they’re often portrayed, that points to an opportunity: better countermeasures might keep them out, or at least raise their costs of action. Network defense, especially against the majority of threats, isn’t a mission impossible.