Security and defense theory are inextricably entwined. Consider medieval castles. They were designed as a defensive mechanism that provided security to those within, most of whom were simply civilians hiding behind the walls for protection from invaders. Within cybersecurity, multiple concepts from defense and war theory can be applied to better address the cyber risks facing organizations. Even the term "bastion host" borrows from the bastion, a fortification term with plainly military connotations. In previous posts, the concepts of security cycle theory, attacker motivations, and threat adaptation have been explored. Another critical concept is that of asymmetric threats.
The terms Asymmetrical Warfare or Asymmetrical Threats can be summarized simply as the asymmetry that exists between two adversaries and the tactics used by the weaker adversary to render the strengths of the stronger adversary moot. It is rare, though mathematically possible, to have parity between adversaries. Consider team sports as an example. While neither security nor defense related, a game still pits two adversaries against each other, and each side has its own advantages and disadvantages. Within security and defense, the asymmetry is more profound. Consider the US Military for a moment. Since the end of World War II, which is often thought of as the start of US hegemony, the United States has arguably fielded the most powerful conventional military in the history of the world.
Despite this fact, the US has struggled in conflicts in Vietnam, Somalia, and most recently in Iraq and Afghanistan. In each of these theaters it was groups of less-trained, less well-equipped insurgents that created significant challenges for the US military. The US is not alone in this dubious distinction of struggling against militarily weaker opponents. The powerful Prussian military was defeated by a much weaker opponent, France, under the command of Napoleon, and in 1989, the Soviet Union was defeated by the Afghanistan resistance movement after 10 years of bloody guerilla war. If Prussia and the USSR were militarily superior to their foes, how did they end up losing their respective wars? The losses were largely due to the application of what we now term asymmetrical warfare.
In its most basic sense, Asymmetrical Warfare refers to the strategies and tactics employed by a militarily weaker opponent to take advantage of vulnerabilities in the stronger opponent, thereby rendering the stronger side's advantages moot. As an example, few military forces on the planet would face the US military in open combat in a Mahanian naval battle or in a linear, kinetic tank battle. As can be seen from the US rout of Iraqi tank forces during the Battle of Medina Ridge in Desert Storm, doing so would lead to near-certain defeat.
If an inferior military opponent cannot face the US in open, linear, kinetic warfare, how do they fight? They employ strategies that render US military might irrelevant or at least less relevant. Guerilla warfare is a form of irregular warfare and is an example of an asymmetric strategy against a militarily superior foe. Other examples include cyberwarfare and information warfare.
As stated in the 1961 military classic “On Guerilla Warfare” by Mao Tse Tung:
“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes. Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently....in forty minutes the countdown begins.
At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree. Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a Browning automatic rifle. Draped around his neck, a sausage-like cloth tube with three days’ supply of rice... In forty minutes his group of fifteen men will occupy a previously prepared ambush.”
This is a classic example of asymmetrical warfare. The US, and many other powers throughout history, learned through experience that technology and military might alone cannot win a war, or even a battle, against a determined, creative, adaptive adversary applying asymmetrical tactics. So profound is the impact of such tactics that the need to counter asymmetric threats such as irregular warfare created a new type of defense called COIN, or Counter Insurgency.
The concept of asymmetrical warfare merits further discussion to understand its applicability to cybersecurity. When applying the concept to business, and specifically to the Information Security arena, it is more appropriate to apply the concept of asymmetric threats as posited by C.A. Primmerman of the Defense Threat Reduction Agency (DTRA). Adapting Primmerman’s original theory and skipping most of the math, we can state that a threat can be expressed using the following two statements:
- (1) Adversary A would attack Business A by doing X.
If we transform this statement by projecting the adversary’s actions onto the business, we get:
- (2) Business A would (or could) respond to Adversary A’s attack by doing X.
Now we have the simple conclusion that statement (1) represents an asymmetric action if statement (2) is false, and a symmetric action if statement (2) is true.
As an example of this concept working in practice, consider the following:
- (1) Adversary A attacks Business A by employing a Distributed Denial of Service (DDoS) attack.
The transformed statement is then:
- (2) Business A would respond to Adversary A by employing a Distributed Denial of Service attack.
Statement (2) is obviously false, as a company would not consider launching a DDoS attack against a data thief. In this scenario, then, the threat in (1) is asymmetric.
According to Primmerman, an Asymmetric Threat must meet three criteria. These have been modified for our purposes and include:
- It must involve an exploit, tactic or strategy that the adversary both could and would use against an organization.
- It must involve an exploit, tactic, or strategy that the organization could not or would not employ against the adversary.
- It must involve an exploit, tactic, or strategy that, if not countered, could have serious consequences.
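The statement transform and the three criteria above can be encoded as a check over a threat register, so that each row is classified the same way every time. This is an added example, not code from the original post or from Primmerman; the `Threat` fields, the sample register and the business name "Business A" are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    """One row of a constructed threat register, phrased as statement (1):
    '<adversary> would attack Business A by <action>'."""
    adversary: str
    action: str
    adversary_could: bool   # criterion 1: the adversary is able to do it
    adversary_would: bool   # criterion 1: the adversary is willing to do it
    org_could: bool         # criterion 2: the organization is able to do it back
    org_would: bool         # criterion 2: the organization is willing to do it back
    serious: bool           # criterion 3: uncountered, it has serious consequences

def transformed_statement(t: Threat, business: str = "Business A") -> str:
    """Statement (2): the adversary's action projected onto the business."""
    return f"{business} would respond to {t.adversary}'s attack by {t.action}."

def classify(t: Threat) -> str:
    """Apply the three criteria in order; the first one that fails decides."""
    if not (t.adversary_could and t.adversary_would):
        return "not a credible threat"           # fails criterion 1
    if t.org_could and t.org_would:
        return "symmetric"                       # statement (2) is true
    if not t.serious:
        return "asymmetric but low consequence"  # fails criterion 3
    return "asymmetric threat"                   # all three criteria hold

def asymmetric_threats(register: list[Threat]) -> list[tuple[str, str]]:
    """Rows meeting all three criteria, paired with the (false) transformed
    statement so an analyst can see why the symmetry test failed."""
    return [(f"{t.adversary} would attack Business A by {t.action}.",
             transformed_statement(t))
            for t in register if classify(t) == "asymmetric threat"]

# Constructed sample register (hypothetical values, not from the post).
REGISTER = [
    Threat("Adversary A", "employing a DDoS attack", True, True, True, False, True),
    Threat("Adversary A", "phishing staff to install ransomware", True, True, False, False, True),
    Threat("Adversary A", "threatening legal action", True, True, True, True, True),
    Threat("Adversary A", "scanning the public web site", True, True, False, False, False),
    Threat("Adversary A", "launching a kinetic strike on the data center", False, False, False, False, True),
]

if __name__ == "__main__":
    for stmt, transformed in asymmetric_threats(REGISTER):
        print(f"(1) {stmt}\n(2) {transformed}  <- false, so (1) is asymmetric\n")
```

Only the DDoS and phishing rows survive the three criteria; legal action is symmetric because the business could and would respond in kind.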
As can be seen from the three criteria above, companies operating today face nearly constant asymmetric threats and are put into a position of constantly working to defend against an increasingly creative, motivated, and adaptive adversary. As any student of military strategy can attest, being in a purely defensive mode is a losing proposition. A famous quote that seems especially relevant here is one by Julius Caesar. In it he states:
“There is no fate worse than being continuously under guard, for it means you are always afraid.”
Many, but not all, businesses are still stuck in the mindset that simply employing expensive technology, and adept technicians wielding the newest cybersecurity controls, will provide the best protection for their organizations. Yet the adversary they face is creative, motivated, and adaptive, has fewer resources at its disposal, and has become a master of asymmetrical attacks. This is akin to simply hiding behind castle walls while an enemy begins, undetected, to mine beneath them.
What are some examples of asymmetrical attacks that cyber attackers may use against organizations? Clearly, a direct attack against a firewall would be similar to a linear, kinetic attack against a castle wall. Attackers who use phishing to gain a foothold in an organization and then install ransomware are an example of asymmetrical action.
Understanding the above, the obvious question becomes:
“What can a business do to counter the asymmetry that exists between current cyber threat actors and the organization?”
Again, understanding how the military employs tactics to counter asymmetric threats such as irregular warfare can be instructive in cybersecurity. Within COIN, intelligence is paramount. As stated by Gen. Sir Frank Kitson when referring to COIN operations:
“If it is accepted that the problem of defeating the enemy consists very largely of finding him, it is easy to recognize the paramount importance of good information.”
As Gen. Frank Kitson indicated in the quotation above, the key to defeating an insurgency lies in dominating the information battlefield rather than in the supremacy of military might. The same concepts apply to business and cybersecurity. Adding to this, the National Security Agency states:
“To effectively resist attacks against information and information systems, an organization needs to characterize its adversaries, their potential motivations and classes of attack.”
Sophisticated companies understand that the basic “blocking and tackling” of network and application security, as well as patching, are fundamental components of security. They also understand that gaining a deeper understanding of where the seams exist within their security, seams that may allow a threat actor to gain advantage, is just as critical.
The first component of defending against these asymmetrical threats is the application of intelligence. Advanced Threat Detection should be the first step and is consistent with the need for intelligence in defending against asymmetrical adversaries. Advanced auditing and logging, along with vulnerability testing, are paramount to identifying attackers and finding the seams they may try to exploit.
Relevant real-world training, in addition to the development and enforcement of policies, is just as critical as technology. If one looks at how business email compromise is conducted, the clear majority of it could have been prevented by following established policies and processes rather than relying on technological solutions alone. The same can be said of standard phishing attacks and other social engineering attacks.
In summary, attackers are increasingly employing asymmetrical attacks against organizations. While the standard network and application layer technologies will always be necessary to stave off the standard script hackers and amateur attackers, advanced asymmetric threats require advanced intelligence and analytics to efficiently identify and address the attacks.