Is cybersecurity moving away from all the military language?

It seems like information security is swinging back to a more human-centred approach, using more human language. This can only be a good thing.
Written by Stilgherrian , Contributor

"Cyber Kill Chain is a registered trademark of Lockheed Martin," it says at the bottom of the SANS Institute's white paper, Killing Advanced Threats in Their Tracks (PDF). True. It is. But Lockheed or not, this military-style language has been pushed hard over the last three years.

Lockheed's Cyber Kill Chain model has been adopted by Tenable, to name just one vendor. Others have adopted similar frameworks, such as Websense's seven-stage kill chain, or Dell SecureWorks' multi-stage kill chain that goes around a circle -- all sufficiently different from each other to fend off the trademark lawyers.

Whichever one you pick, though, the idea is the same. Data breaches consist of a number of stages, starting with reconnaissance, then the crafting of an attack (usually a spearphishing email), the compromise of one machine, then more machines, and eventually the exfiltration of data. Defenders are supposed to be able to detect the attacker at each stage -- the theory being to provide "defence in depth".

Lockheed Martin's original presentation is its 2011 paper, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (PDF).

The key phrase there is "intelligence-driven".

How do you detect an attacker at each stage of their attack? Your real-time intelligence systems will tell you what to look for. You'll need lots of data -- big data! -- to gather that intelligence, and big, grunty computers to analyse it in real time.

If your organisation is too small to run its own cyber intelligence team, well, by a handy coincidence, Lockheed Martin can provide one, as can other vendors.

I imagine they charge some sort of modest fee for this.

Three years ago, the AusCERT Information Security Conference 2012 was awash in military language.

We heard how "digital munitions" were being developed and actively stockpiled. Kaspersky Lab founder Eugene Kaspersky spoke of "cyber cruise missiles". We didn't hear the phrase "information assurance" so much as "defensive cyber operations", which obviously implies that there's another kind. And we were hearing such language not just from the military, but from civilian organisations, too.

"The undercurrent of this conference, I think, has been the nation-state, the cyberwar capability, and perhaps even cyberwarfare in both its defensive and offensive modes. Where we bring national security into the internet environment, which is what's happening now, a lot of things change," Graham Ingram, then the general manager of AusCERT, told ZDNet in 2012.

"The defence contractors in particular, and I haven't really got anything against them, but they chase the big money. OK? They're into national security, that's where the money is," he said.

Big-G government was waking up to the fact that modern society depends on the internet, just as the British Empire depended on the freedom of the seas. No longer were there separate government, military, and civilian environments. Now, everything was jumbled up with everything else -- banking, commerce, SCADA systems, grandmothers Skyping with relatives overseas, cat videos, the lot.

"I think what you've got is a series of defence contractors who are actually seeing that shift occur, and are trying to position themselves so that they can say, 'You've got a problem with national defence on the internet? Then guess what? We're here for you.' So I'm just wondering how much of this is positioning," Ingram said.

Now, there's plenty to like about the these kill-chain frameworks. They do give organisations a way to make sure they're providing defence in depth, with every layer covered, and with a balance of spending. But they also have weaknesses.

"As sexy as it is, the Cyber Kill Chain model can actually be detrimental to network security, because it reinforces old-school, perimeter-focused, malware-prevention thinking," wrote Giora Engel, vice president of product and strategy at LightCyber, in late 2014.

"Lockheed Martin's model is intrusion-centric, which was the focus of cybersecurity when it was created, and is indeed still the focus of (too) much cybersecurity effort today."

Those thoughts were echoed by Telstra chief information security officer Mike Burgess last week. Organisations that focus too much on attributing cyber attacks -- a classic "threat intelligence" task -- are distracting themselves from improving their defences, he told the Check Point Cyber Security Conference in Sydney. Telstra's Five Knows strategy quite rightly puts most of the focus on the organisation and its defences.

At the same event, Major General Stephen Day, head of cyber and information security at the Australian Signals Directorate, promoted the organisation's award-winning Top Four mitigations -- a strategy that can be adopted without reference to any threat intelligence at all.

And at this year's AusCERT conference, also held last week, there was a solid focus on the human element of defence -- especially on making everyone in the organisation less vulnerable to the spearphishing attacks that kick off the vast majority of intrusions.

I'm pretty sure this shift away from military-style thinking and language to the human side is a real thing, not just my perceptions of a couple of conferences. I asked around, and others had spotted it, too.

As one AusCERT conference attendee who worked for a major Australian telco put it, they've become more aware that their organisation can be attacked through the targeting of an "unknown influential person", such as an executive's personal assistant. Organisations need to be testing themselves for resilience against social engineering attacks, they told ZDNet.

Too much focus on the technical aspects of network defence, they said, is like having a high-performance car with good brakes and a full suite of air bags -- but then not teaching anyone how to drive.

Sure, setting up a cyber spook team is fun. Sure, we geeks love all the shiny toys. And sure, the vendors certainly love selling them to us. But humans will always be the weakest link. It's those humans we need to communicate with, and support.

Disclosure: Stilgherrian travelled to the Gold Coast as AusCERT's guest.

Editorial standards