Constructing the Maginot Line
Jack Rhysider over at Darknet Diaries recently did an absolutely fascinating piece on CIA Operations officer Jim Lawler, where they discussed some of the shenanigans and antics that the CIA has gotten up to over the years in order to get intelligence. But there was a moment in the piece that really stuck out to me.
Jim talked about an operation to interact with someone working as an office secretary for a foreign intelligence agency. Jack of course asked him about the cyber impacts of exfiltrating data, and Jim referred to the whole affair as a bit of a Maginot Line. He goes on to ask why they would need data exfiltration or any sort of technology when they can just get exactly what they need straight from the source.
Why worry about doing the math on the accounting if you can just use a confidential source to ask the CFO for whatever it is you're actually looking for? It got me thinking about all the technology that we use on a daily basis to thwart cyberattacks. We as an industry weren't really a "thing", so to speak, until about the invention of cryptocurrency.
Yes, there were certainly cybersecurity concerns, but due to a myriad of factors, even if you had the skill set to perform some form of cybersecurity attack, it would still prove entirely possible not only to figure out who did it but to capture them as well.
A combination of greater importance of computing resources, the internet, and a method of transferring funds that is by and large untraceable has led us to a time when Cybersecurity is now at the forefront of literally every organization out there. So much so that I've yet to talk with an enterprise that doesn't have Cybersecurity as one of the big ten in their risk ledgers.
But realistically, what are we REALLY fighting here? To put it bluntly, the true risk to the Enterprise from a cybersecurity standpoint is Ransomware. You might want to argue that there's the possibility of data exfiltration, but as I said, why invest in this incredibly costly and difficult operation when we know from our own red team engagements that Social Engineering works just as well and requires nothing like the same level of effort or resources?
And the only reason Ransomware is any real threat is because the payment method is hard to track. I assure you that if we knew where the money was going, Ransomware would not be the problem it is today. Groups would be far less likely to invest resources in the development and deployment of ransomware if it weren't for the fact that the use of Bitcoin and other cryptocurrencies makes it nigh impossible to figure out the actual source of the attack.
There's discussion of the use of Cyber warfare, yet Ukraine makes a pretty convincing argument that this is not actually the case. Again, why would anyone invest god knows how much money into developing a complicated program to take out a Power Grid when an explosive shell is far more effective? The attacks conducted by Russia against Ukraine with Black Energy weren't done to enable a move of tank battalions; they were simply meant to rattle and scare.
I think (my personal opinion only) this is because Russia and all the major powers know that if they actually wanted to get into a slugfest, they don't want to hinge their plans on costly and potentially ineffective attack methods that could be foiled at any point along the path, revealing not only their intended first strike but also preventing said first strike.
Loading a jet with a bunker buster, pointing it in a direction and saying "Go" is a far more assured method for achieving victory. So why have we constructed this massive network of tools and governance checks that effectively just cause us to run through hoops and ladders? I'll give you an example of something I discussed with some colleagues in the field earlier.
In a situation where you have an administrative account, how do you make sure that administrative account isn't used for bad things? What methods do you take to secure that account? The answers seem simple enough:
- Require 2 Factor Authentication
- Prevent the account from performing actions outside of the administrative ones (i.e. stop that account from browsing random websites, etc.)
- Require complex passwords that will be difficult to crack (14+ characters etc.)
- Require audit logs that record when the account is used.
- I log in every day and memorize what it is and input it whenever I need to
- I have a 3rd Party Interface that remembers the password for me and so long as my normal account gets logged in then it can log in.
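To make the four controls in that list concrete as something an auditor could actually check, here is a small review routine run over constructed admin-session records. This is example code added here, not from the original post; the session record format, field names and the list of "administrative" actions are assumptions.

```python
"""Review admin-account sessions against the controls listed above:
second factor on login, administrative actions only, 14+ character
password, and an entry in the audit log for every use."""
from __future__ import annotations
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 14  # the "14+ characters" rule from the list
# Assumed allowlist of what an administrative account is permitted to do.
ADMIN_ACTIONS = {"create_user", "reset_password", "change_acl", "patch_system"}


@dataclass
class Session:
    account: str
    mfa_used: bool
    password_length: int  # only the length is recorded, never the password
    actions: list[str]    # actions observed during the session
    audit_logged: bool    # did the session produce an audit-log entry?


def check_session(s: Session) -> list[str]:
    """Return one finding per control the session violates (empty = clean)."""
    findings = []
    if not s.mfa_used:
        findings.append("login without second factor")
    if s.password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    stray = [a for a in s.actions if a not in ADMIN_ACTIONS]
    if stray:
        findings.append("non-administrative activity: " + ", ".join(stray))
    if not s.audit_logged:
        findings.append("session missing from audit log")
    return findings


def review(sessions: list[Session]) -> list[tuple[str, list[str]]]:
    """Pair every session's account name with its findings, in input order."""
    return [(s.account, check_session(s)) for s in sessions]


# Constructed sample sessions (not real accounts or log data).
SAMPLE_SESSIONS = [
    Session("admin-alice", True, 20, ["reset_password"], True),
    Session("admin-bob", False, 12, ["create_user", "browse:news.example"], True),
    Session("admin-carol", True, 16, ["patch_system"], False),
]

if __name__ == "__main__":
    for account, findings in review(SAMPLE_SESSIONS):
        print(account, "->", findings or "OK")
```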