Cybersecurity strategy Risk management, cyber-warfare and incentives
Gergely Biczók (some slides from Levente Buttyán and Márk Félegyházi) BME CrySyS Lab [email protected]
ISSES SC meeting, Nis, Serbia October 29th, 2018 Cyber security strategy
§ Corporate cyber security strategy: a plan of actions designed to improve the security and resilience of corporate (cyber) infrastructures and services (def. inspired by ENISA)
§ This sounds very much like...
ISSES 2018 | 2 Risk management
§ Information security = risk management § Risk = Likelihood x Impact (of attacks)
§ factors affecting likelihood: – threats – entities who can do you harm (a.k.a. attackers) » skill level, motive, opportunity, resources, ... – vulnerabilities – weaknesses that can be exploited » ease of discovery, ease of exploitation, awareness, ... – countermeasures – precautions you take » technical and non-technical § impact: – potential loss you may experience » direct loss (decreased revenue, cost of recovery) » indirect loss (losing reputation, fines for non-complience) § likelihood and impact are difficult to quantify and subject to change!
ISSES 2018 | 3 Outline
§ Risk management § US Cyber Strategy § Cyber-warfare § Research on cyber-warfare modeling
ISSES 2018 | 4 Risk management: goal
§ vulnerabilities threats incidents losses
Goal: Minimize the costs associated with risks (threats)
ISSES 2018 | 6 Risk management: lifecycle
source: Systems Engineering Fundamentals. Defense Acquisition University Press, 2001
ISSES 2018 | 7 Risk management: standards
§ ISO/IEC 27000 series - Information security management systems – 27005:2011 - Information security risk management – generally accepted guidelines of implementing information management systems and also serves to perform audits – open source support: Enterprise Security Information System (ESIS) § NIST SP 800-30 § ISACA Risk IT § Open Source Security Testing Methodology Manual (OSSTMM) § ISO/IEC 15408 - Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC)
ISSES 2018 | 8 Risk Management: phases
§ risk governance (RG) § risk assessment (RA) – risk mgmt context – risk analysis – define criteria • identification » profile definition • estimation » requirements – risk evaluation – resources
§ risk monitoring and review § risk treatment (RT) (RM) – prevent – monitoring – mitigate – communication – awareness – transfer – accept
ISSES 2018 | 9 RG Risk management planning and governance
§ develop an enterprise risk management strategy § establish and maintain a risk management plan – risk appetite – risk tolerance § ensure that IT risk management is embedded in the system – integrate with business processes § provide resources for risk management § establish responsibilities and accountability
generic control of risk management
ISSES 2018 | 5. ESSENTIALS OF RISK GOVERNANCE
5. ESSENTIALS OF RISK GOVERNANCE
This chapter discusses a few essential components of the Risk Governance domain. They are discussed briefly, and more information and practical guidance can be found in The Risk IT Practitioner Guide. The topics discussed here include: � ���� �������� ��� ���� ��������� � ���������������� ��� �������������� ��� �� ���� ���������� � ��������� ��� ������������� � ���� �������
Risk Appetite and Tolerance
COSO Definition Risk appetite and tolerance are concepts that are frequently used, but the potential for misunderstanding is high. Some people use the �������� ���������������� ������ ��� � ����� ����������� ��� ���� �� ��������� ����������� ��� ���������� ���� ��� ���� ��� ����������� ������ ��� ���������� �� ��� ��� ����� ���������� �� ����� ���� � ���� ������������ ����������� ������ �� ���� � ������� �� ����� ������ �� ������� �� ������ �� ������� �� ��� ������� ��� ������� � ���� ������������� ���������� ��������� �������� �� ��� ����������� �� �� ��������� ���� ����� �� ���� �������� �� ��� ���� ����� �� ����� ���� �� ������� ��� ������� ���������� 10 ���� �������� ��� ���������� �� ��� ���� �� ������� ������ �� ��� ��� ���������� ��������� ������ ����� ��� ����� �� ������� RG ��� Establish and maintain a common risk view. Behavior towards risks Risk Appetite ���� �������� �� ��� ������ �� ���� �� ������ �� �������� �� ������ ���� ������ �� ������� ��� ����������� ���� ����������� ��� ���� �������� ������ ��� ��� ����������� ��� ����� ������� ��� ����������§ risk appetite: the property of engaging with risks � ��� ������������ ��������� �������� �� ������ ����� ����� ��������� ����� ���������� ������ � ��� ������������ ������� �� �������������� ������� ���� ���������������– risk-averse�� ����������� – risk����-neutral�� ��� ������ – risk�� ����-taking��� ���������� ����� �� accept to pursue a return? § risk tolerance: tolerance towards the difference from the risk Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk. Risk appetite can and will be ��������� ������� ����������������� �� �� �������� ���� �� ��������level�� as���� defined����������� ���������� in risk��� appetite������������ �����
Risk appetite can be defined using risk maps. Different bands of risk Figure 7—Risk Map Indicating Risk Appetite Bands significance can be defined, indicated by coloured bands on the risk map shown in figure 7.
�� ���� �������� ���� ����� �� ������������ ��� ��������
� ������������� ������ ������������ ����� ��� ���������� ��������� ���� ���� Really Unacceptable ����� �� ���� �� ��� ������ ��� ������ ���� ��������� ��� ���� ����� �� �� �� e d tu this band might trigger an immediate risk response. i n Unacceptable
� ���������������� �������� ����� ����� ���� ����� ���������� ���� ��������� ag The enterprise might, as a matter of policy, require mitigation or another M adequate response to be defined within certain time boundaries. Acceptable � ��������������� � ������ ���������� ����� �� ����� ������� ���� �� ������� ������ ��������� ������ ��� ����������� ��� ������� �������� �� ����� responses Opportunity � �������������� ���� ��� ����� ����� ����������� ������������� ��� �� found by decreasing the degree of control or where opportunities for Frequency assuming more risk might arise ISACA, “Risk-IT framework,” 2009
���� ���� �������� ������ �� �� �������� ����� ���������� ��� �� ������ ��� ��� ���� �������� ������ ��� ������ ���� �� � ������� ������ISSES���� 2018 | ���������� ������ �� �� ���� ���� ��� ������� ���� ������� ���� ��� ���������� ����� �� �������� ����� ������� ���� ���� ���� ������ �� ���� ������� opportunity seeking. There is no universal right or wrong, but it needs to be defined, well understood and communicated. Risk appetite and ���� ��������� ������ �� ������� ��� ���� �� ���� ����������� ��� ���� �� ��� �� ���� �������� �������
Risk Tolerance ���� ��������� �� ��� ��������� ��������� ���� ��� ����� ��� �� ��� ���� �������� ��� �������� ����������� ����� ��������� ������� �������� �� �� ��������� ������ ��� ��������� ������� ��� ����� ��� �������� �� �� ������� �� ������ �� �� ������� �� ���� ��� ����������
© 2009 ISACA. ALL RI GHTS RE S E R VED. 17 11 Key factors for success RG
§ continuous support from top management § central management – common strategy § successful integration with business processes § optimize tasks and controls (avoid over-control) § compliant with company’s business philosophy § continuous training § never-ending process!
European Network and Information Security Agency (ENISA), “Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools,” June 2006
ISSES 2018 | 12 Risk assessment RA
# § Risk assessment !"#$% &'()*+((,((-,"%*+.%'/'%',( 0$%#$% =E(46F(4* =!B./*:#M0356(4B# =!01/F(4* <2&='*+'' =!B./*:#N35C/-05. =!B./*:#-5/*41(C*. <8-2&0'?4;%;:2&%"F;2"51 =!B./*:#(56#G(/(# =G(/(#(56#-5104:(/-05 24-/-C(7-/B ="*0?7* =!B./*:#(56#G(/(# – identification =!B./*:#:-..-05 !*5.-/-H-/B
=E-./04B#01#.B./*:#(//(C@ <2&='@+'' =G(/(#140:#-5/*77-)*5C*# A4%&;2'B6&12"C":;2"51 894*(/#!/(/*:*5/ ()*5C-*.O#IJ"2O#PJQO » persons, assets and system info N*62J>2O#:(..#:*6-(O#
=>*?04/.#140:#?4-04#4-.@# (..*..:*5/. <2&='(+'' ,-./#01#"0/*5/-(7# » technical / mgmt / operational controls =A5B#(36-/#C0::*5/. D$71&%;E"7"28'B6&12"C":;2"51 ;375*4(<-7-/-*. =!*C34-/B#4*D3-4*:*5/. =!*C34-/B#/*./#4*.37/. » information gathering – info sources =2344*5/#C05/407. <2&='>+''?512%57'/1;78-"- ,-./#01#2344*5/#(56# ="7(55*6#C05/407. "7(55*6#205/407. » threat sources – attacker model
= 894*(/&.034C*#:0/-H(/-05# =894*(/#C(?(C-/B <2&='G+'' ,-@*7-9006#>(/-5) » vulnerability identification =I(/34*#01#H375*4(<-7-/B H".&7"4556'I&2&%0"1;2"51 =2344*5/#C05/407.
– <2&='K+''B0=;:2'/1;78-"- analysis / estimation = K-..-05#-:?(C/#(5(7B.-.# =A..*/#C4-/-C(7-/B#(..*..:*5/ = ,0..#01#J5/*)4-/B# J:?(C/#>(/-5) =G(/(#C4-/-C(7-/B# =,0..#01#AH(-7(<-7-/B =G(/(#.*5.-/-H-/B » control analysis – security options (ROSI) =,0..#01#2051-6*5/-(7-/B
=,-@*7-9006#01#/94*(/# *L?70-/(/-05 >-.@.#(56# » =K()5-/36*#01#-:?(C/ <2&='L+'',"-.'I&2&%0"1;2"51 A..0C-(/*6#>-.@# categorize threats by likelihood =A6*D3(CB#01#?7(55*6#04# ,*H*7. C344*5/#C05/407.#
<2&='M+'' >*C0::*56*6# » impact analysis – system critical incidents ?512%57',&:500&16;2"51- 205/407.
<2&='J+'' >-.@#A..*..:*5/# – evaluation ,&-$72-'I5:$0&12;2"51 >*?04/ # » risk determination !"#$%&'()*+'',"-.'/--&--0&12'3&2456575#8'!759:4;%2''
!"#$%%&'%## ########### "()*#+
NIST SP800-30, “Risk Management Guide for Information Technology Systems,” July 2002
ISSES 2018 | !"#$ %&'($)&*&+,*&-.$'*%,*/+0$
!*,-./#0(,()*0*,12#13*#0-44-.,#.5,*/42#6,.5-,)#13*#7.1*,1-(8#/-464#(,9#/*:.00*,9*9#:.,1/.842# 0(;#(462#<=3*,#(,9#>,9*/#53(1#:-/:>041(,:*4#43.>89#?#1(6*#(:1-.,@##=3*,#43(88#?#-078*0*,1# 13*4*#:.,1/.84#1.#0-1-)(1*#13*#/-46#(,9#7/.1*:1#.>/#./)(,-A(1-.,@B# # 13 C3*#/-46#0-1-)(1-.,#:3(/1#-,#D-)>/*#E&F#(99/*44*4#13*4*#G>*41-.,4H##I77/.7/-(1*#7.-,14#J./#Risk analysis RA -078*0*,1(1-.,#.J#:.,1/.8#(:1-.,4#(/*#-,9-:(1*9#-,#13-4#J-)>/*#K;#13*#5./9#LM!H# #
*D?4@3 ':=?B4
0/' <=>94?@A7>731 '12345 $<=>94?@A>4M 0/' 642789 /CE>:73@A>4M 3:$,33@B; /C7232 !
.- .-
.:$%72; .:$%72;
J:22 %72; ,33@B;4?G2 0/' ,937B7E@34K 0/' F9@BB4E3@A>4 /C7232 H:23$I$+@79 L$*D?42D:>K %72;
.- .-
%72;$,BB4E3 %72;$,BB4E3 # NIST SP800-30, “Risk N78=?4$!OP"$$%72;$)7378@Management Guide for Information37:9$,B37:9$Q:7932$ Technology Systems,” July 2002 # ISSES 2018 | C3-4#41/(1*);#-4#J>/13*/#(/1-:>8(1*9#-,#13*#J.88.5-,)#/>8*4#.J#13>0K2#53-:3#7/.N-9*#)>-9(,:*#.,# (:1-.,4#1.#0-1-)(1*#/-464#J/.0#-,1*,1-.,(8#3>0(,#13/*(14O# # �� RD49$S=>94?@A7>731$T:?$U>@VW$V4@;9422X$4C7232$!$-078*0*,1#(44>/(,:*#1*:3,-G>*4# 1.#/*9>:*#13*#8-6*8-3..9#.J#(#N>8,*/(K-8-1;P4#K*-,)#*Q*/:-4*9H# �� RD49$@$S=>94?@A7>731$B@9$A4$4C4?B724K$!$(778;#8(;*/*9#7/.1*:1-.,42#(/:3-1*:1>/(8# 9*4-),42#(,9#(90-,-41/(1-N*#:.,1/.84#1.#0-,-0-A*#13*#/-46#.J#./#7/*N*,1#13-4# .::>//*,:*H# �� RD49$3D4$@33@B;4?G2$B:23$72$>422$3D@9$3D4$E:34937@>$8@79$!$(778;#7/.1*:1-.,4#1.# 9*:/*(4*#(,#(11(:6*/P4#0.1-N(1-.,#K;#-,:/*(4-,)#13*#(11(:6*/P4#:.41#R*H)H2#>4*#.J#4;41*0# :.,1/.84#4>:3#(4#8-0-1-,)#53(1#(#4;41*0#>4*/#:(,#(::*44#(,9#9.#:(,#4-),-J-:(,18;# /*9>:*#(,#(11(:6*/P4#)(-,SH# �� RD49$>:22$72$3::$8?4@3$!$(778;#9*4-),#7/-,:-78*42#(/:3-1*:1>/(8#9*4-),42#(,9#1*:3,-:(8# (,9#,.,1*:3,-:(8#7/.1*:1-.,4#1.#8-0-1#13*#*Q1*,1#.J#13*#(11(:62#13*/*K;#/*9>:-,)#13*# 7.1*,1-(8#J./#8.44H#### ## C3*#41/(1*);#.>18-,*9#(K.N*2#5-13#13*#*Q:*71-.,#.J#13*#13-/9#8-41#-1*0#R<=3*,#13*#(11(:6*/P4#:.41# -4#8*44#13(,#13*#7.1*,1-(8#)(-,BS2#(84.#(778-*4#1.#13*#0-1-)(1-.,#.J#/-464#(/-4-,)#J/.0#*,N-/.,0*,1(8#
!"#$%%&'%## ########### "()*#+$ 14 RT Risk treatment: options RT
§ avoidance § mitigation – eliminate incidents – testing determine the – reduce impact appropriate controls § sharing / transfer – disclaimer: no party is responsible – agreement: responsibility transferred – compensation » risk pooling: share losses » risk hedging: bet for losses § acceptance / retention – self-insure partially from: – accept losses Blakley, B. and McDermott, E. and Geer, D., “Information security is information risk management,” Proceedings of the 2001 workshop on New security paradigms, 2001
ISSES 2018 | 15 RT Risk treatment: controls RT
§ select risk treatment controls – prevention » firewall, authentication, locks – detection » IDS – recovery » backup, forensics – management » better data center for security information collection » information sharing – training / awareness » employee training sessions
ISSES 2018 | 16 RT Risk treatment: action plan
action plan = prioritize + implement actions / controls
§ prioritize controls / actions – cost-benefit analysis – importance of risk (impact) – effectiveness – difficult quantify benefit of unrealized losses (ROSI) § get approval for the action plan – top mgmt support is essential § implement the action plan – develop a policy w/ security policy – assign responsibility – performance measures and reporting § residual risks and acceptance
ISSES 2018 | 17 RM Risk monitoring and review
§ review and update processes and policies § document each stage of the risk management process – development and action plan (reasons and analysis) – changes and efficiency – legal basis – reuse of information
ISSES 2018 | US National Cyber Strategy 1.
ISSES 2018 | 18 US National Cyber Strategy 2.
§ (1) defend the homeland by protecting networks, systems, functions, and data;
§ (2) promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;
§ (3) preserve peace and security by strengthening the United States’ ability — in concert with allies and partners — to deter and if necessary punish those who use cyber tools for malicious purposes
§ (4) expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet
ISSES 2018 | 19 US National Cyber Strategy 3.
§ Objective 1: „Manage cybersecurity risks. ...” – To actually have proper risk management!
§ Actions sound like a checklist from a risk management standard – Centralize security mangement (US very fragmented) – Align risk mgmt and IT – Supply chain – Govt. leads by example – Roles & responsibilities – Prioritize according to national risks
§ Two ideas coming up repeatedly
ISSES 2018 | 20 US National Cyber Strategy 4.
§ The economic aspect of cybersecurity – „a purely technocratic approach to cyberspace is insufficient” – „United States must also have policy choices to impose costs” – „activity that is contrary to responsible behavior in cyber- space is deterred through the imposition of costs through cyber and non-cyber means; ” – „Incentivize cybersecurity investments” – „Incentivize and adaptable and secure technology marketplace”
ISSES 2018 | 21 US National Cyber Strategy 5.
§ Cyber-warfare – „Russia, Iran, and North Korea conducted reckless cyber attacks that harmed American and international ...”
– „United States is engaged in a continuous competition against strategic adversaries, rogue states, and terrorist and criminal networks”
– „These adversaries are continually devel-oping new and more effective cyber-weapons.”
– „United States is positioned to use cyber capabilities to achieve national security objectives”
ISSES 2018 | 22 Will there be cyberwar?
§ CW was predicted since the ‘90s (Arquilla&Ronfeldt, 1993) – Small team of super-hackers can bring down larger armies – <-> Cyber capabilites enhance the dominance of strong actors (Lindsey, 2013) § Others (esp. high ranking officers) still sceptical (Rid, 2012) – Never was, is not, never will be – “Always violent, instrumental, and political in nature” § Conceptual debate is ongoing, but… § National Cyber Defense Agencies exist (USCYBERCOM/DHS, GCHQ, NKI in Hungary 2015-) § NATO CCD COE, Locked Shields § Strategic plan for nation-states and major US military org (e.g., US Navy Cyber Power 2020)
ISSES 2018 | 23 2009-2010: Stuxnet
ISSES 2018 | 24 2014: German steel mill
ISSES 2018 | 25 2015: The Remote Jeep Hack
ISSES 2018 | 26 2015 Xmas: Ukrainian power grid shutoff
ISSES 2018 | 27 2016 (and before, and after): elections
ISSES 2018 | 28 2016: The Mirai IoT nightmare
ISSES 2018 | 29 2016/17: Rasputin vs. universities
§ „Rasputin” breached university and government agency DBs – Cornell University – Univ. Of Cambridge – Dept. Of Housing and Urban Development – Postal Regulatory Commission § Using SQL injections against web apps ...
ISSES 2018 | 30 2017/18: Shadow Brokers and Territorial Dispute
§ April 2017: Shadow Brokers leak § 1 gigabyte of NSA’s weaponized software exploits – Against banks through Oracle DBs – Multiple Windows zero-days – ... § Territorial Dispute: Tools to detect other intelligence agencies present on the infected machine § Boldi and co. analyzed those
ISSES 2018 | 31 August 2018 and on...
ISSES 2018 | 32 Cyber-warfare: software vulnerability lifecycle
§ Software contains bugs – Some of these are vulnerabilities – Some of these pose a threat
§ Discovery of vulnerabilities – miscreants – exploit – honest users – assess risks – (Nation-states: do both!)
§ Develop and apply patches
§ Once patched, vulnerability ceases to exist – Once patched correctly!
ISSES 2018 | 34 Cyber-warfare vs. traditional warfare 1.
§ (Arms) Race against time § Starts with investment – Infrastructure – Hiring, skill development – Buying zero days § An adversary’s decision – Suppose it discovers a vulnerability – Patches his own system – Does not patch, but weaponizes and launches an attack – Does not patch, but weaponizes and stockpiles the weapon § Vulnerabilities have a limited time window – Can be discovered by other agents – Software may get replaced or upgraded – Bug bounty programs
ISSES 2018 | 35 Vulnerability timeline*
* Caulfield et al. The U.S. Vulnerabilities Equities Process: An Economic Perspective. GameSec’17 ISSES 2018 | 36 Cyber-warfare vs. traditional warfare 2.
§ Dynamic strategic decisions for agents with inherent tradeoff
§ What to do and when to do it
§ Cyber-warfare: defense may be at the cost of attack – Patching exposes the vulnerability (intelligence observes) – Weapon becomes useless!
§ Zero-day attack used can be – Useless – Mutated and reused against agent
ISSES 2018 | 37 Cyber-warfare vs. traditional warfare 3.
§ Attribution is very hard – Plausible deniability (involving contractors) – False flag attack (frame other organizations) – Legal issues, threat/retaliation not trivial
§ Signaling – Enemy can only observe the budget (through intelligence)
§ Copying a weapon is free – Advantage & disadvantage at the same time – Marginal cost is zero
ISSES 2018 | 38 Economics of (information) security 1.
§ Common view: technology solves the problem – buy better software – frequent updates to fix vulnerabilities – hire a security expert for audit
§ Why are systems still unsecure?
§ Answer 1: attacker’s advantage
§ Answer 2: misaligned economic incentives = selfish behavior goes against the technical goal of the system
ISSES 2018 | 39 Economics of information security 2.
Causes Consequences
§ no liability no security investments § network effects sw quick-to-the-market § monopolistic software correlated events § asymmetric information lemon market § Interdependence/ § externalities tragedy of the commons
GAME THEORY! *recall US Cyber Strategy! ISSES 2018 | 40 Game theory 101
§ Multi-party decision problems with interaction – Non-cooperative for now – ~ optimization § Player, strategy, utility – Players are rational – Utility function captures every aspect
§ What is the (likely) outcome of the game?
§ Equilibrium: solution concept – Strategy dominance – Nash equilibrium: mutual best-response – Subgame-perfect equilibrium: multiple rounds with time
ISSES 2018 | 41 A simple (game-theoretical) model 1.
§ Very limited quantitative/technical work (Moore et al. 2010, Czosseck&Podins 2014) § Joint ongoing research with QMUL (A. Khouzani) § Objectives of our new model – defense and attack simultaneously (patching vs. weaponization) – investment decisions for nation-states – temporal dimension § High-level game flow (continuous): – Invest – Loop [look for vulnerabilities] » if found a) patch own system b) weaponize & attack [(c) weaponize & stockpile)]
ISSES 2018 | 42 A simple (game-theoretical) model 2.
§ KISS – Two players, two strategies after investment: Release patch or Weaponize&attack, 3rd party attackers as background – Single platform, e.g., Windows 10: single pool of bugs – window of exposure T – time-discounted payoffs – Investment with diminishing returns (sublinear) § Solve the game with backward induction § Second stage: patch or weaponize? – Deferred action always dominated by instant action (discounting) – u(R) = 0, u(W) > 0 – (W,W) is the equilibrium, unless… » Negative incentives: new investment, multiple exposure windows (punishment), multiple bugs at the same time, attack ricochet, legal problems, losing economic collaboration (e.g. US - China)
ISSES 2018 | 43 A simple (game-theoretical) model 3.
§ First stage: how much to invest? – we know (W,W) is NE for the second stage, we feed it as input Expected loss from 3rd parties + expected Investment loss from other player + expected gain from cost own attack
Prob. of bug not Prob. of bug discovered by discovered by 3rd others Damage parties inflicted (discounted)
ISSES 2018 | 44 Visual comparative statics: example
§ (left) Higher gain G2 for Player 2 -> more investment in NE § Player 1’s investment can go up or down depending on sensitivity to loss L1! § (right) Similar trend with high sensitivity L2 for Player 2 § (not shown) if 3rd party attackers’ attack rate increases -> investment decreases!
ISSES 2018 | 45 Main result and future work § Very preliminary results imply a Prisoner’s Dilemma situation with general war as equilibrium
§ Future work § Integrate “The US Vulnerabilities Equities Process” by Caulfield et al. § characteristics of zero-days from real-world data § advances in attribution (code stylometry, machine learning) § repeated game with re-investments (e.g., different regimes) § Alliances and coalition
§ If done realistically, this yields a tool for calculating the cyber- defense (-attack) budget
ISSES 2018 | 46 Summary
§ Cyber strategy -> Risk Management -> Risk governance § A peek into the US Cyber Strategy § Cyber-warfare § Research on the economics of cyber-warfare
ISSES 2018 | 47