Human vs autonomous cyber-defence

By Paul Theron, a Professor of Cyber-secure Engineering Systems and Processes at the Manufacturing Informatics Centre, Cranfield University. He was previously director of the Aerospace Cyber Resilience research chair in France, funded by Thales, Dassault and State-Major de l’Armee de l’Air. Paul continues to be an active member of NATO’s IST 152 Research & Technology Group on Autonomous Intelligent Agents for Cyber Resilience.

There’s an estimated shortage of 50,000 cyber defence specialists in the UK, and up to two million worldwide. Despite the obvious career opportunities, the number of young people opting for IT-related qualifications is falling (down 17% this year says the British Computer Society). We want a digital economy, we want to be consumers of slick IT services, but at the same time we don’t necessarily want to be stuck dealing with its ugly complexities, the breakdowns and crises.

In response to the shortage, there is the current push for a national cyber-skills strategy, for creating a stronger stream of young recruits, for professionalisation of status, up-skilling and re-skilling of general IT staff. But it’s been admitted that this will take time, 10 years or more, to have an effect. And in the meantime, in the UK and across global networks, IT systems used by many organisations – both old and new – are looking more stretched, more exposed and more fragile.

The scale and level of organisation behind the threats will look very different by then. There has already been a sharp evolution of cyber-attacks from hobby to highly organised, targeted and strategic activity, and this will only accelerate. Cyber-attacks have increased in number and the cyber threat is today’s “new normal”. Attackers’ goals are increasingly ambitious; they tend to multiply attack vectors and targets and to continuously increase the sophistication and diversity of their attacks. They attack cyber defence mechanisms themselves to perpetrate in-depth attacks, with low-key, wide-ranging attack strategies used with a view to generating severe systemic impacts. Attack technologies have improved from simple programs overriding systems’ functionalities, to scripted pervasive software capable of replication and designed to take control of systems’ security privilege management functions, and finally to remotely controlled software agents that can be activated by a Command & Control server itself masked behind layers of camouflage: false IP addresses and routes.

This “new normal” creates a climate of permanent uncertainty and distrust both in systems and societal forces, and even in people operating or simply using systems. As technology makes progress, attack technologies will progress again, with reports that Autonomous Intelligent Agents for cyber-attacks are already being developed to defeat current cyber-defence technologies and to increase attackers’ strike power against teams of human experts. Cyber defence involves some tricky tactics. A clumsy response from a cyber response team, looking to just switch off a system or stop a piece of malware, can spark even more damaging retaliation in terms of wiping data or causing IT paralysis. Humans can be good at developing responses, but are mostly late and slow, especially when it comes to complex systems.

Besides, the focus of research and development in cybersecurity is too much skewed towards the area of protection: to the upgrading of security measures, like cryptography, firewalls, anti-virus software, authentication methods, etc. All of these are important building blocks for cybersecurity. However, organisations need more specialist people to deal with breaches of those basic security systems, working on a response to attacks, and to ensure lessons are learned. Cyber-resilience includes both cybersecurity and cyber defence.

Developing autonomous cyber defence systems can provide the next level of sophistication needed to monitor and manage this escalation. The growing use of big data and machine learning techniques will provide the ‘always on’ supervision power that any number of skilled cyber-professionals couldn’t compete with. But there’s also the potential for swarms of pro-active, self-learning cyber defence agents to work across the web on the side of national infrastructure and lawful activities.

Multi Agent Systems are made of a set of individual agents. Their multiple agents, while acting locally on the basis of their individual knowledge and rules, cooperate together towards a common goal, which requires some form of collective intelligence. They are close to naturalistic behaviours such as ants’ and bees’, their connectivity is in line with the doctrine of information superiority through high connectedness, their versatility implies a vast number of configurations and functions for a wide variety of issues, and they help the decentralisation, distribution and sharing of resources and decisions.

They are a set of software or hardware (possibly human) entities, including sensors, actuators, repositories, cyphers, transmitters, cognitive functions. The agents embed their own methods, policies, self-management capabilities, resources, energy-generation features and capacities for hiding, detecting and understanding attacks and their various signals; they are capable of devising their own reaction plans, keeping ‘Situation Awareness’ for sense making and changing or optimising reaction plans when and as circumstances require. They use local and distributed resources to perform or optimise tasks, collaborating with human operators as and if needed, at the same time as learning and improving their own capabilities.

The autonomous system of agents interacts through rules and methods, interfaces, communication and cooperation protocols, discovery and invocation procedures, runtime enablers – in this way collectively creating the intelligence. So not just exchanging data but building together their own emerging capabilities required to carry out cyber defence missions, able to adjust their goals and make decisions and choices in response to the changing context. They work according to a set of ad hoc policies, either administrator-defined, or devised or optimised according to actions and circumstances.

As a result, these can be designed to recognise patterns of actual and potential attacks and the agents can be used to manage the most appropriate forms of counter-measures for each individual attack. The report of their activity can be used by experts to recommend and implement adaptations based on greater breadth and depth of knowledge. These autonomous agents will flag only when expert human intervention or a key judgment call is needed – so merely requiring occasional oversight and input.

This is one future of cyber defence that can offer a through-life and affordable option for supporting large-scale and complex systems, like the Internet of Things, as well as for civil and military operations. It’s an approach that needs serious testing before being put into practice on the live web. With this in mind, we are creating a large-scale Internet of Things simulator, involving interactions with and between millions of objects. It will provide the kind of rich, complex and fast-moving cyber environment that’s needed for replicating modern levels of IoT transactions and those to come.

Autonomous cyber defence is for the medium-term – we’re talking in terms of being operational within seven to 10 years – but needs to be part of cyber-defence planning now, for taking a pro-active, future-looking stance rather than being in a position of always chasing problems, generating evermore interest from cyber-criminals. It will also become essential in a context where the attacks are being run themselves through their own Multi Agent Systems, which would be impossible to defend against with solely human expertise.

We’re still at the stage where fundamental, blue sky research is urgently needed to turn a collection of principles and smart ideas into working technology. That therefore means early attention and involvement from a wide range of beneficiaries: from governments with the key responsibility for defending national infrastructure and economic security, to state defence institutions, national intelligence agencies and the wider defence and security industry.




Google Internet Hijack – Comment

News has broken that Google has been hit by the ‘worst ever’ internet hijack in the company’s history, security experts fear. Information from Google searches, cloud-hosting services and the company’s bundle of collaboration tools for businesses – known as G Suite – were all affected. Data was intercepted by servers in Nigeria, China and Russia – including those run by major state-owned telecoms providers.

Security experts suggested the hack was a ‘wargame experiment’ – meaning it may prelude similar, more widescale attacks from the nations involved in future. The type of traffic misdirection employed, known as border gateway protocol (BGP) hijacking, can knock essential services offline and facilitate espionage and financial theft.

Gavin Millard, VP of Intelligence at Tenable explains how this attack works.

“BGP [the routing protocol favoured by many as it affords a level of fault tolerance required to send traffic around the globe] wasn’t designed with security in mind.

“There has been a noticeable uptick in recent years of abusing BGP through hijacking and the manipulation of where data flows, similar to the issue observed against Google. Whilst methods to introduce a level of security into routing do exist, at the core BGP is based more on honour than strict validation of what routes are advertised.

“From a security perspective, the main concern surrounding BGP hijacking and manipulation is the possibility that data could be re-routed through a hostile network, collected for further analysis or malicious payloads like malware injected into the communication stream.

“Fortunately there are advances in improving BGP to ensure traffic is sent via the best path rather than subverted, but these changes take time to gain broad adoption.”
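The “strict validation of what routes are advertised” that the comment says plain BGP lacks can be illustrated with a small monitor. This is an added example, not code from the article or from Tenable: it checks constructed route announcements against a constructed table of expected origin ASNs (in practice such a table would come from RPKI ROAs or an IRR database, an assumption here) and flags origin mismatches and more-specific sub-prefixes of a monitored prefix.

```python
"""Added example: flag BGP announcements whose origin AS does not match the
expected origin for a prefix, and announcements of more-specific sub-prefixes
of a monitored prefix. Prefixes, ASNs and announcements are constructed
sample data (documentation ranges and private ASNs), not real routing data."""
import ipaddress

# Constructed "expected origin" table: monitored prefix -> ASNs allowed to originate it.
# Assumption: a real deployment would load this from RPKI ROAs or an IRR database.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/23": {64501, 64502},
}

# Constructed sample announcements: (prefix, AS path); the origin AS is the last hop.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64505, 64500]),   # legitimate origin
    ("203.0.113.0/24", [64510, 64520]),          # origin changed: hijack candidate
    ("203.0.113.128/25", [64510, 64521]),        # more-specific of a monitored prefix
    ("198.51.100.0/23", [64530, 64502]),         # legitimate alternate origin
    ("192.0.2.0/24", [64540]),                   # not monitored: ignored
]


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return 'valid', 'invalid-origin', 'more-specific' or 'unmonitored'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    if prefix in expected:
        return "valid" if origin in expected[prefix] else "invalid-origin"
    for monitored, _origins in expected.items():
        mon_net = ipaddress.ip_network(monitored)
        if (net.version == mon_net.version and net.prefixlen > mon_net.prefixlen
                and net.subnet_of(mon_net)):
            # Longest-prefix match means this route wins over the legitimate one
            # for the covered addresses, whatever origin it claims, so it is
            # always reported for the prefix owner to confirm.
            return "more-specific"
    return "unmonitored"


def find_suspicious(announcements, expected=EXPECTED_ORIGINS):
    """List (prefix, origin AS, verdict) for announcements that need attention."""
    out = []
    for prefix, path in announcements:
        verdict = classify(prefix, path, expected)
        if verdict in ("invalid-origin", "more-specific"):
            out.append((prefix, path[-1], verdict))
    return out


if __name__ == "__main__":
    for item in find_suspicious(ANNOUNCEMENTS):
        print(item)
```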



Top Ten Cybersecurity Predictions for 2019

By Ian Kilpatrick, EVP Cyber Security, Nuvias Group

1. Increase in crime, espionage and sabotage by rogue nation-states

With the ongoing failure of significant national, international or UN level response and repercussion, nation-state sponsored espionage, cyber-crime and sabotage will continue to expand. Clearly, most organisations are simply not structured to defend against such attacks, which will succeed in penetrating defences. Cybersecurity teams will need to rely on breach detection techniques.

2. GDPR – the pain still to come

The 25th of May, 2018 has come and gone, with many organisations breathing a sigh of relief that it was fairly painless. They’ve put security processes in progress and can say that they are en route to a secure situation – so everything is OK?

We are still awaiting the first big GDPR penalty. When it arrives, organisations are suddenly going to start looking seriously at what they really need to do. Facebook, BA, Cathay Pacific, etc. have suffered breaches recently, and will have different levels of corporate cost as a result, depending on which side of the May 25th deadline they sit. So GDPR will still have a big impact in 2019.

3. Cloud insecurity – it’s your head on the block.

Cloud insecurity grew in 2018 and, unfortunately, it will carry on growing even more in 2019. Increasing amounts of data are being deployed from disparate parts of organisations, with more and more of that data ending up unsecured.

Despite the continual publicity around repeated breaches, the majority of organisations do not have good housekeeping deployed and enforced across their whole data estate in the cloud. To give an idea of the scale, Skyhigh Networks research indicated that 7% of S3 buckets are publicly accessible and 35% are unencrypted.

4. Single factor passwords – the dark ages

As if we need the repetition, single-factor passwords are one of the simplest possible keys to the kingdom (helped by failure to manage network privileges once breached). Simple passwords are the key tool for attack vectors, from novice hackers right the way up to nation-state players. And yet they still remain the go-to security protection for the majority of organisations, despite the low cost and ease of deployment of multi-factor authentication solutions. Sadly, password theft and password-based breaches will persist as a daily occurrence in 2019.

5. Malware – protect or fail

Ransomware, crypto mining, banking Trojans and VPN filters are some of the key malware challenges that continue to threaten businesses and consumers. Live monitoring by Malwarebytes, Kaspersky and others, has shown that the mix of threats varies during the year, but the end result of malware threats will be a bad 2019.

Increasing sophistication will be seen in some areas such as ransomware, alongside new malware approaches and increased volumes of malware in other areas. Traditional AV will not provide sufficient protection. Solutions that have a direct malware focus are essential for organisations, alongside tracking of network activity (in and out of the network). With Cybersecurity Ventures predicting that ransomware damage costs will exceed $11.5 billion by 2019, it certainly won’t be going away. Oh yes, and make sure that your backup plan is working and tested.

6. Shift in attack vectors will drive cyber hygiene growth.

The ongoing shift of attack vectors, from the network to the user, is causing a reappraisal of how to manage security. Driven partly by the shift in boardroom awareness, and partly by GDPR, many organisations are recognising, perhaps belatedly, that their users are their weakest link.

Not only is there a greater awareness of the insider threat from malicious current and ex-staff, but there is also a growing recognition that staff cyber awareness and training is a crucial step in securing this vulnerable area. The response from organisations will take the form of cyber education, coupled with testing, measuring, and monitoring staff cyber behaviour. Increasingly, Entity and User Behaviour Analytics (EUBA) systems will be adopted, alongside training programs and automated testing, such as simulated phishing and social engineering attacks.

7. IOT – the challenge will only increase.

We’ve already seen some of the security challenges raised by IoT, but 2019 will significantly demonstrate the upward trend in this area. Driven by the convenience and benefits that IoT can deliver, the technology is being increasingly deployed by many organisations, with minimal thought by many as to the security risks and potential consequences.

Because some IoT deployments are well away from the main network areas, they have slipped in under the radar. In the absence of a standard, or indeed a perceived need for security, IoT will continue to be deployed, creating insecurity in areas that were previously secure. For the greatest percentage of IoT deployments, it is incredibly difficult or impossible to backfit security. This means that the failure to segment on the network will further exacerbate the challenges IoT will create in 2019 and beyond.

8. Increasing risks with shadow IT systems and bad housekeeping

Shadow IT systems continue to proliferate, as do the number of applications and access points into systems, including legacy applications. In the case of shadow IT systems, these are indefensible as they are; and in the case of increasing applications and access points, if they relate to old or abandoned applications, they are difficult to identify and defend.

In both cases, these are an easy attack surface with significant oversight, internal politics and budget challenges, and were previously seen as a lower priority for resolution. However, there has been both an increased awareness of the opportunity for attack via this route, and an increase in the number of attacks, which will accelerate in 2019.

9. DDoS – usually unseen, but still a nightmare

DDoS is the dirty secret for many organisations and attacks will continue to grow in 2019, alongside the cost of defending against them. Nevertheless, DDoS attacks aren’t generally newsworthy, unless a big name organisation is involved, or the site is down for a long time. And, of course, the victim does not want to draw attention to their lack of defence. That’s not good for custom or for share prices.

The cost of launching an attack is comparatively low, often shockingly low, and the rewards are quick – the victim pays for it to go away. Additionally, cryptocurrencies have aided the money transfer in this scenario. Yet the cost for the victim is much higher than the ransom, as it involves system analysis, reconstruction and, naturally, defending against the next attack.

10. Cybersecurity in the boardroom

A decade, perhaps two decades, late for some organisations, cybersecurity is now considered a key business risk by the board. 2019 will see this trend accelerate as boards demand clarity and understanding in an area that was often devolved as a sub-component of the CISO’s role, and was not really a major topic for the boardroom. The financial, reputational and indeed C-Suite employment risks of cyber breach will continue to drive board focus on cybersecurity up the agenda.




Have funding cuts to forensic science impacted the delivery of justice? Lords to hear evidence

On Tuesday 6th November the House of Lords Science and Technology Select Committee will question legal academics and major private sector forensic science providers on the UK’s use of forensic science in the criminal justice system.

The Committee will explore with the witnesses the differences between what forensic science provision is available to the prosecution and defence and whether the understanding of forensic science in the court system is good enough to avoid miscarriages of justice.

The spend on forensic science by police in the private sector has been reduced by over 50% since 2012. In the second session the Committee will question witnesses from the three largest private providers of forensic science services in the UK to assess whether this has changed the services they can provide. They will also explore what implications this has had for the sustainability of the market, especially in the light of the recent volatility which has seen Key Forensic Services going into (and then being bought out of) administration.

The first evidence session will begin at 3:25pm in Committee Room 4a of the House of Lords. Giving evidence will be:

  • Professor Carole McCartney, Reader in the School of Law, Northumbria University
  • Professor David Ormerod QC, Chair in Criminal Law, UCL, Law Commissioner for England and Wales, and Deputy High Court Judge.

Giving evidence to the Committee at 4.30pm will be:

  • Mr Paul Hackett, Group Managing Director, Key Forensic Services Ltd
  • Mr David Hartshorne, Managing Director, Cellmark Forensic Services
  • Dr Mark Pearse, Commercial Director, Eurofins Forensic Services

Questions the Committee are likely to ask include:

  • Who should be responsible and accountable for ensuring high quality research in forensic science that supports high quality delivery of forensic science to the police and the courts?
  • What is the scientific evidence base for the use of forensic techniques in the reconstruction of crimes, and their investigation and prosecution?
  • Where are the gaps in the criminal justice system in the understanding, and research of, forensic science?
  • Is the current market for forensic services in England and Wales sustainable?
  • What powers should the Forensic Science Regulator have and how well does the current system of accreditation work?



Eurostar accounts hit by hack attack

It has been reported that Eurostar accounts have been hit by hackers. The rail service had to reset its customers’ login passwords after detecting attempts to break into an unspecified number of accounts. Eurostar have not said whether any of the attacks were successful but did say that payment details were not affected.

Below is a comment from Dr Guy Bunker, SVP of Products at data security company, Clearswift, that looks further at the news that Eurostar had to block access to their website because of the hack that took place between 15th and 19th October.

Dr Guy Bunker, SVP of Products, Clearswift, comments on the Eurostar hack attack:

“With the commercialisation of cyber-attacks, the opportunity for more cyber-criminals to attack more sites increases. This is what we see at present as the latest attacks are going after the next set of organisations which hold critical data. We know any organisation is a potential target and this proves the case. On the plus side, Eurostar obviously have a number of security controls in place, including the obvious one of looking for failed login attempts. These days gathering the intelligence from systems and applications around ‘security events’ is not difficult, however, often interpreting them and carrying out an action in a timely manner is an issue – not in this case.

Whenever there is a new set of usernames / passwords leaked on the dark web there is often a sudden increase in brute force attacks such as this – trying the username / password which has been exposed against other websites. If this can be ‘zippered’ (correlated) to another set of leaked data, then there is a good opportunity for a cyber-attacker to breach a system. Of course, a failed attempt is easier to recognise than a successful first attempt by an attacker – the challenge then becomes whether this was the attacker or the actual person. In this case correlating the times of both failed and successful attempts is required.

Good security relies upon multiple factors, and for individuals who use services like Eurostar there is a need to ensure they have unique passwords, such that if one site is compromised, then others won’t follow as a matter of course. Eurostar as with many others use the users email as the username – meaning that can be readily guessed, but also will be used on other sites. Having different usernames for different sites along with different passwords can be seen as inconvenient, but when it comes to safeguarding your personal information it is undoubtedly worthwhile.”
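The correlation the comment calls for, looking at failed and successful attempts together rather than failures alone, can be run over authentication logs. This is an added example, not code from the article or from Clearswift: it parses constructed web-application login records (format, addresses, accounts and thresholds are all assumptions) and reports source addresses that spray many accounts, plus successful logins that follow failures from the same source.

```python
"""Added example: correlate failed and successful logins to spot credential
stuffing (one source trying leaked username/password pairs against many
accounts, with a success among the failures). The log lines, addresses and
accounts are constructed; the window and threshold are assumptions to tune."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username (email), outcome.
AUTH_LOG = """\
2018-10-17T02:14:05Z ip=198.51.100.7 user=alice@example.com result=FAIL
2018-10-17T02:14:06Z ip=198.51.100.7 user=bob@example.com result=FAIL
2018-10-17T02:14:06Z ip=198.51.100.7 user=carol@example.com result=FAIL
2018-10-17T02:14:07Z ip=198.51.100.7 user=dave@example.com result=OK
2018-10-17T02:14:08Z ip=198.51.100.7 user=erin@example.com result=FAIL
2018-10-17T02:20:31Z ip=203.0.113.9 user=alice@example.com result=FAIL
2018-10-17T02:20:40Z ip=203.0.113.9 user=alice@example.com result=OK
2018-10-17T09:01:12Z ip=192.0.2.44 user=dave@example.com result=OK
"""


def parse(log):
    """Turn log text into (timestamp, ip, user, result) tuples in file order."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        fields = dict(f.split("=", 1) for f in parts[1:])
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, fields["ip"], fields["user"], fields["result"]))
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_users=3):
    """IPs whose failures span at least min_users distinct accounts inside one window."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = set()
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged


def compromised_accounts(events, window=timedelta(minutes=5)):
    """Successful logins worth a human look: a success from a stuffing source,
    or a success that follows failures for the same account from the same IP.
    The second shape may be the real user mistyping, which is exactly why the
    timing correlation is surfaced rather than acted on automatically."""
    stuffing = stuffing_sources(events, window)
    hits = []
    for ts, ip, user, result in events:
        if result != "OK":
            continue
        prior_fails = [e for e in events
                       if e[1] == ip and e[3] == "FAIL" and ts - window <= e[0] < ts]
        if ip in stuffing or any(e[2] == user for e in prior_fails):
            hits.append((user, ip, ts.isoformat()))
    return hits


if __name__ == "__main__":
    evts = parse(AUTH_LOG)
    print("stuffing sources:", stuffing_sources(evts))
    print("accounts to review:", compromised_accounts(evts))
```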



Iranian hackers target UK universities

It’s being reported that Iranian hackers have targeted at least 18 British universities, including those certified by the National Cyber Security Centre (NCSC) to provide degrees in cybersecurity.

Pravin Kothari, CEO of CipherCloud, noted:

“Iranian cyber attackers have targeted U.K. universities using the same phishing attacks that have worked successfully for most cyber attackers for years. The insult to injury here was the fact that these cyber attackers went after some of the U.K.’s best cyber universities. The phishing emails direct university students and employees to a fake website page where they are prompted with a login. This enabled the cyber attackers to harvest the authentication data and then subsequently use it to penetrate the accounts and networks.

The solution? In this particular scenario, two-factor authentication would have stopped these attackers cold. Technologies like access control with time travel detection could have noted the logins coming from two different IP addresses, in two likely very disparate geographical locations, perhaps at nearly the same time. User Entity and Behavior Analytics (UEBA) might have also noted attempted bulk file downloads or other atypical behavior by the cyber attackers. Finally, if the data stored within the university clouds is encrypted end-to-end, then the cyber attackers would only have access to unintelligible encrypted data. Cloud security basics still apply and can work better than ever. You only have to use them!”
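The “time travel detection” the comment mentions is usually implemented as an impossible-travel check over successful logins. This is an added example, not code from the article or from CipherCloud: it assumes a GeoIP lookup (replaced here by a constructed IP-to-coordinates table), constructed login events, and a speed ceiling chosen as an assumption, and flags consecutive logins by one account that would require travelling faster than that ceiling.

```python
"""Added example: impossible-travel detection. Two consecutive successful
logins by the same account are flagged when the great-circle distance between
their source locations could not be covered at MAX_KMH in the time between
them. The IP geolocation table, the login events and the speed ceiling are
constructed assumptions, not data from the article."""
import math
from datetime import datetime

# Constructed IP -> (latitude, longitude) table standing in for a GeoIP lookup.
GEO = {
    "192.0.2.10": (51.5, -0.12),     # London
    "198.51.100.5": (40.7, -74.0),   # New York
    "203.0.113.8": (53.5, -2.25),    # Manchester
}

# Constructed successful-login events: (ISO timestamp, account, source IP).
LOGINS = [
    ("2018-08-24T08:00:00Z", "student1@uni.example", "192.0.2.10"),
    ("2018-08-24T08:40:00Z", "student1@uni.example", "198.51.100.5"),
    ("2018-08-24T09:00:00Z", "staff7@uni.example", "192.0.2.10"),
    ("2018-08-24T12:30:00Z", "staff7@uni.example", "203.0.113.8"),
]

MAX_KMH = 1000.0  # assumption: above any commercial flight once airport time is included


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def impossible_travel(logins, geo=GEO, max_kmh=MAX_KMH):
    """Return (account, first_ip, second_ip, implied_kmh) for each consecutive
    pair of logins by one account whose implied speed exceeds max_kmh."""
    by_user = {}
    for ts, user, ip in sorted(logins):  # ISO timestamps sort chronologically as strings
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_user.setdefault(user, []).append((when, ip))
    alerts = []
    for user, seq in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(seq, seq[1:]):
            if ip1 not in geo or ip2 not in geo:
                continue  # unknown location: do not guess, leave for another control
            km = haversine_km(geo[ip1], geo[ip2])
            hours = (t2 - t1).total_seconds() / 3600
            if hours == 0:
                if km > 0:
                    alerts.append((user, ip1, ip2, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, ip1, ip2, round(kmh)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print(alert)
```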