Cyber Events

Yesterday I was asked about “attack volumes” I see in the PwnDefend HoneyNet and it reminded me about what people think an “ATTACK” is and therefore spring my brain into thinking about how we as an industry communicate. Far too often I see “number of ATTACKS” being used my marketing/sales etc. where the numbers are simply ridiculous and not reflective of how offensive cyber operations actually work.

Let’s look at some examples:

“Gov. Greg Abbott warns Texas agencies seeing 10,000 attempted cyber attacks per minute from Iran”

Gov. Greg Abbott – article in the Texas Tribune by CASSANDRA POLLOCK

So let’s look at this:

• When is an event an incident?
• When is an incident not an incident and actually just an event?
• When is event an attack?

These questions whilst simple are rather difficult to answer because commonly I think people think largely in binary states.

Think of football, you have one team vs another. Often life is full of US vs THEM type scenarios.

Cyber Realities

Whilst sitting here drinking a tea, I was looking at some of the “messaging” that the industry has and does put out and I wondered why… well I didn’t really have to wonder for long.

From a SALES point of view, contrasts are very good for SALES, THIS vs THAT, GOOD vs BAD, GOOD investment vs BAD investment, so you can see how that goes!

• An EVENT can be an INCIDENT and an ATTACK
• An EVENT can be an INCIDENT and NOT an ATTACK
• An EVENT can be an INCIDENT and an EVENT at the same time
• An EVENT can be just an EVENT

Examples

This is not an exhaustive list, but I did want to show that something can have multiple states:

Event	Incident	Possible “Attack”	Actual “Attack” *
Single Failed Logon	Successful logon by unauthorised actor	Large number of failed logons attempts from a single SRC where the cause is not an error	A threat actor breaches systems and posts evidence and claims responsibility
Port Scan	Authentication bypass	Exploit payloads received from unauthorised source	A threat actor breaches systems and exfiltrates data
Web Scraping	Misconfiguration causing loss of sensitive information	High Traffic Load	High traffic load from an actor or group with the intent to cause loss of availability or increased cost
Service Fingerprinting	Loss of availability due to hardware failure	Large number of failed logons spread across multiple source IPs or accounts (e.g., password spray)	Insider steals data and sells to competition
	Denial of Service and extortion

This is clearly a very small list and there are basically an infinite number of scenarios, what I think we must remember is this:

• In an assume breach mindset there will be more events that are also incidents
• All incidents must have at one state been EVENTS
• Not all INCIDENTS are ATTACKS. An attack requires motivation, intent, and aggression

An attack might be invisible, the motivation may be obscured or simply not detectable by us (at a certain point of time or potentially ever). Events may or may not be connected. I think one of the things people struggle with when comprehending CYBER is that things are often living in the UNKNOWN space. This is a real struggle not only operationally but also when it comes to communications with “non cyber” people.

Closing thoughts

• Remmeber not everything in life is a BOOL
• We as an industry need to get better at being more honest (funny given our role is to protect integrity right!) at what is and isn’t an “attack”
• Lead with science and education, sensationalism is a game of one upmanship, the only outcome is everyone loses (much the same as the race to the bottom!)

If we are going to mature as an industry, we need to be better at tackling the hard tasks, communication and education, not just of the next generation cyber defeners, but to policy makers, shareholders, stakeholders and colleagues. Not everything is about “CYBER PEWS”.