I am fond of saying criminal investigations are like puzzles. In order to complete a puzzle, all of the pieces must fit, and the image must match the picture on the box. A criminal investigation is the same: all of the pieces of evidence must fit and accurately represent the truth. You cannot force a piece of evidence to fit any more than you can force a puzzle piece to fit where it does not. Distorting a piece distorts the image; distorting evidence distorts the truth. If you don’t have all of the puzzle pieces, you can’t complete the puzzle. If you don’t have all the evidence, you can’t find the truth.
InfoSec would greatly benefit if we pivoted away from mitigating risk and toward finding the bad guy’s modus operandi (MO), and the supporting evidence that proves it. The cowards rely on remaining anonymous. The guy tapping the keyboard may forever be unknown, but his MO should be published to the world, and software designed to defeat him.
If two separate organizations in different industries get taken by the same MO, it’s their fault. The first one should have published the MO. This lack of sharing and obsession with mitigating serves only to further encourage the bad guys. It would be as if the Boston Police Department had not shared its findings from the Boston Marathon Bombing with the rest of law enforcement. Every major agency in the country sent representatives to Boston for the formal debriefing. They then took those lessons learned and newly discovered MOs back to their home agencies, and implemented new countermeasures and techniques.
Evidence comes in all sizes and shapes, and as we have said, some of it is relevant and some of it is not. Instead of treating individual data points as incidents unto themselves, it is useful to view them as puzzle pieces. A single piece of a puzzle is not the puzzle; it is part of a larger data set, group, or incident. Assuming that each piece of data or evidence is somehow associated with another piece, the effort to solve the problem is focused on locating similar pieces, which also necessitates that the investigator keep the larger operational picture in mind. Or, in the case of a puzzle, keep in mind what the puzzle should look like when completed.
Can you solve a puzzle without knowing what it’s supposed to look like? Sure, but it’s much harder and takes much longer. In InfoSec you won’t have the picture or “solution” painted on a box. Nor do we know the truth about what happened at the beginning of a homicide investigation. By using the data or evidence you do have, you can start to paint the picture for yourself and template the “image” you are working towards.
In a puzzle we have corner pieces. Finding them sets context. Next we look for the straight-edge pieces, and so on. Using sets of pre-existing facts, assumptions, and tools, enough data points will become available to either create an investigative strategy or outright solve the case.
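As an added illustration of the "puzzle piece" approach described above (example code written for this page, not code from the original post), the following script treats each alert or log entry as one piece, links pieces that share an attribute (same user, host, file hash or destination IP), and groups linked pieces into a single incident. It then picks the most-connected pieces in each group as the "corner pieces" an investigator would start from. All records, field names and values are constructed for the example and do not come from any real case.

```python
from collections import defaultdict

# Constructed sample evidence: each record is one "puzzle piece" that, viewed
# alone, would be closed as an isolated alert. All values are made up.
EVIDENCE = [
    {"id": "E1", "type": "phish_email", "sender": "invoice@supplier.example", "user": "alice"},
    {"id": "E2", "type": "edr_alert",   "host": "WS-ALICE", "user": "alice", "sha256": "aa11"},
    {"id": "E3", "type": "proxy_log",   "host": "WS-ALICE", "dst_ip": "203.0.113.7"},
    {"id": "E4", "type": "proxy_log",   "host": "WS-BOB",   "dst_ip": "203.0.113.7"},
    {"id": "E5", "type": "edr_alert",   "host": "WS-CAROL", "user": "carol", "sha256": "bb22"},
    {"id": "E6", "type": "phish_email", "sender": "hr@corp.example", "user": "dave"},
]

# Fields whose shared value links two pieces into the same incident (an assumption
# of this example; a real team would tune this list to its own data sources).
LINK_FIELDS = ("sender", "user", "host", "sha256", "dst_ip")


class DisjointSet:
    """Union-find over evidence ids: cheap way to merge linked pieces."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_evidence(records, link_fields=LINK_FIELDS):
    """Group records that share a linking attribute into incidents.

    Returns (clusters, links): clusters is a list of id lists, largest first;
    links records which field/value joined each pair, so every merge is
    explainable, not just asserted.
    """
    ids = [r["id"] for r in records]
    ds = DisjointSet(ids)
    index = defaultdict(list)  # (field, value) -> ids carrying that value
    for r in records:
        for f in link_fields:
            if f in r:
                index[(f, r[f])].append(r["id"])
    links = []
    for (f, v), members in index.items():
        # Chain consecutive members; union-find makes the group transitive.
        for a, b in zip(members, members[1:]):
            ds.union(a, b)
            links.append((a, b, f, v))
    clusters = defaultdict(list)
    for i in ids:
        clusters[ds.find(i)].append(i)
    return sorted(clusters.values(), key=lambda c: (-len(c), c[0])), links


def pivot_points(cluster, links):
    """The 'corner pieces': ids in the cluster with the most links to others."""
    degree = {i: 0 for i in cluster}
    for a, b, _, _ in links:
        if a in degree and b in degree:
            degree[a] += 1
            degree[b] += 1
    best = max(degree.values())
    return [i for i in cluster if degree[i] == best]


if __name__ == "__main__":
    clusters, links = link_evidence(EVIDENCE)
    for c in clusters:
        print("incident:", c, "start from:", pivot_points(c, links))
    for a, b, f, v in links:
        print(f"  {a} <-> {b} share {f}={v}")
```

Run on the constructed records, E1 through E4 collapse into one incident (phish to alice, then an EDR hit on her workstation, then two hosts talking to the same address), while E5 and E6 stay separate pieces awaiting more evidence. The `links` list is the part worth keeping in a real case file: it records exactly which shared fact joined each pair, so a join that turns out to be wrong can be removed instead of distorting the picture.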
Conclusion
The solution to the War on InfoSec is as much a puzzle as any complex criminal investigation. The world of Information Security is not alone in this conundrum. Law enforcement struggles in much the same way in its fight against transnational organized crime groups. The common theme between the two? Information Security, or more to the point, the lack thereof.
Large transnational organized crime groups rely on the world’s cyber security being as porous as it is. The current and most profitable trend in organized crime lies in hacking, fraud and digital piracy crimes. These organized criminal groups from Eastern Europe, Africa, and China launder $30 to $40 billion a year through California alone, and the majority of this is done through cyberspace in one form or another. This places the security of the world’s financial institutions, corporations, local businesses and communities at great risk. I propose that the solution lies, as it often does, in collaboration: collaboration between those on the front lines of InfoSec and those fighting transnational organized crime. This is the strategic-level solution. The tactical-level solution for the Information Security community is to adopt an “investigative mind-set.”
Incident Responders need to take the best practices used in organized crime investigations and apply them across the full spectrum of Information Security. That means InfoSec software tools need to be developed from an investigative perspective. There has to be a culture shift in how teams hire, train and operate. This means that InfoSec has to mature into its own craft. The IT shop of yesteryear is no more. The current technique of buying outdated software based on old paradigms, with new functions recently added, and hoping the bad guys don’t hack your company next has failed.
I’m a street cop and as such I’ll keep it simple. Cops gotta be nerds, nerds gotta be cops, and the bad guys gotta be stopped.
This is part 5 of a five-post series. To read the other posts, please see the links below: