The Red Pill of Resilience Kelly Shortridge (@swagitda_) COUNTERMEASURE 2017

Hi, I’m Kelly

“The oak fought the wind and was broken, the willow bent when it must and survived.”

“The more you sweat in peace, the less you bleed in war.”

Resilience is about accepting reality, and building a defensive strategy around reality

▪ Stages of Grief in InfoSec ▪ Etymology of Resilience ▪ The Resilience Triad: Robustness, Adaptability, Transformability

Stages of Grief

InfoSec is grieving that companies will never be invulnerable to attack

Denial – clinging to a false reality “We aren’t really at risk”

Anger – frustration that denial can’t go on “It’s your fault that I need security”

Bargaining – hope that the cause is avoidable “Maybe we can stop attacks from happening”

Depression – despair over the reality “We’re going to be hacked, why bother?”

Acceptance – embracing inevitability “Attacks will happen, but I can be prepared”

Lack of acceptance feeds solution fragmentation, FUD, and snake oil

Security nihilism isn’t the answer. Resilience is.

Etymology of Resilience

1858: Engineering – strength & ductility. 20th century: psychology, ecology, social sciences, climate change, disaster recovery

Resilience in Complex Systems

Non-linear activity in the aggregate; intertwined components, unpredictability

Infosec is a complex system. Defenders, attackers, users, governments, software vendors, service providers, …

Ecological resilience: continually adapt; high degree of instability

Chestnut trees in eastern North America’s forests were wiped out by chestnut blight; oak and hickory trees grew in their stead

Evolutionary resilience assumes socioecological systems are co-evolutionary

Communities can diversify agricultural landscapes and production systems

Three central characteristics of resilience: Robustness, Adaptability, Transformability

Hurricane Harvey – primary damage was flooding from ongoing rain, not storm surges

Resilience is about the journey, not the destination

Accept that the risk will exist. Reduce potential damage & restructure around the risk.

“A building doesn’t care if an earthquake or shaking was predicted or not; it will withstand the shaking, or it won’t.” – Susan Elizabeth Hough

Survival rests on embracing the unknown and accepting that change is inevitable

Robustness

Robustness: withstanding and resisting, a.k.a. “engineering resilience”

Safe development paradox: stability allows risk to accumulate, compromising resilience

Focus on just engineering resilience leads to a maladaptive feedback loop

Suppressing fires in fire-adapted forests leads to a build-up of fuel over time

Patching & retroactive hardening of vuln-prone systems accumulates risk

Levees support further human development in at-risk floodplains

“Don’t treat the symptoms of bad planning with structures”

Technical controls shouldn’t allow exemption from cyber insurance requirements

Artificially creating a stable environment makes the system less adaptive to disruption

Coral in marine preserves is less resilient to climate disturbance than “stressed” coral

Design & test internal systems with the same threat model as externally-exposed ones

Problem: infosec is exclusively focused on robustness – how to stop / thwart / block

Infosec’s current goal is to return to “business as usual” post-breach. There is no such thing.

Other domains tried defying nature – it doesn’t work

Your systems must survive even if users click on phishing links and download pdf.zip.exe files

Robustness is effective when you have diverse and layered controls

NYC’s excess heat guidelines: backup hybrid-power generators, heat-tolerant systems, window shades, high-performance glazing

Diversity helps provide redundancy in uncertain conditions

APT BlinkyBox™ doesn’t help when legit creds are used to access a cloud service

Don’t ignore correlated risk. Fragmentation can inject a healthy level of instability to foster resilience.

Pitfall of efficiency: more limited space in which your operations can survive

Up for debate: manageability via uniformity vs. minimized impact via diversity?

Decision trees are useful to map out necessary redundancies

Raising attacker cost is the bridge from robustness to adaptability

“Attackers will take the least cost path through an attack graph from their start node to their goal node.” – Dino Dai Zovi
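The three slides above (map redundancies, raise attacker cost, attackers take the least-cost path) can be made concrete with a small attack graph. The example below is added here and is not from the talk: it runs Dijkstra over a constructed graph whose edge costs are raised by the controls sitting on them, then asks which single control, if it silently fails, lowers the attacker's cheapest path the most. Node names, control names and costs are all invented for illustration.

```python
"""Attacker least-cost path over a small attack graph, and what happens to it
when any single control fails. Added example; graph, costs and control names
are constructed for illustration and belong to no real environment."""
import heapq
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Step:
    """One attacker move to `dst`. `base` is the cost with nothing in the way;
    each (control, added) pair adds `added` for as long as that control works."""
    dst: str
    base: int
    controls: Tuple[Tuple[str, int], ...] = ()


# Constructed graph: node -> outgoing attacker moves (costs are illustrative).
GRAPH: Dict[str, List[Step]] = {
    "internet":     [Step("phished_user", 1),
                     Step("vpn", 2, (("mfa_vpn", 6),))],
    "phished_user": [Step("workstation", 1, (("edr", 2),)),
                     Step("cloud_app", 1, (("mfa_cloud", 5),))],
    "vpn":          [Step("file_share", 1, (("segmentation", 3),))],
    "workstation":  [Step("domain_admin", 2, (("tiered_admin", 6),)),
                     Step("file_share", 1)],
    "cloud_app":    [Step("customer_db", 1, (("db_iam", 4),))],
    "file_share":   [Step("customer_db", 1, (("db_iam", 4),))],
    "domain_admin": [Step("customer_db", 1)],
    "customer_db":  [],
}


def step_cost(step: Step, failed: FrozenSet[str]) -> int:
    """Cost of a move given the set of controls that are currently broken."""
    return step.base + sum(a for c, a in step.controls if c not in failed)


def least_cost_path(graph, start, goal, failed=frozenset()):
    """Dijkstra: (cost, path) an effort-minimising attacker would take,
    or (None, []) if the goal is unreachable."""
    dist = {start: 0}
    prev: Dict[str, str] = {}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        if node == goal:
            break
        for step in graph.get(node, []):
            nd = d + step_cost(step, failed)
            if nd < dist.get(step.dst, float("inf")):
                dist[step.dst] = nd
                prev[step.dst] = node
                heapq.heappush(heap, (nd, step.dst))
    if goal not in dist:
        return None, []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


def all_controls(graph) -> List[str]:
    return sorted({c for steps in graph.values() for s in steps for c, _ in s.controls})


def single_failure_costs(graph, start, goal) -> Dict[str, int]:
    """Attacker cost if exactly one control silently stops working."""
    return {c: least_cost_path(graph, start, goal, frozenset({c}))[0]
            for c in all_controls(graph)}


def weakest_control(graph, start, goal) -> str:
    """The control whose single failure lowers attacker cost the most."""
    costs = single_failure_costs(graph, start, goal)
    return min(costs, key=lambda c: (costs[c], c))


def add_control(graph, src, dst, control, added):
    """Copy of the graph with one more control layered onto the src->dst edge."""
    new = {n: list(steps) for n, steps in graph.items()}
    new[src] = [Step(s.dst, s.base, s.controls + ((control, added),))
                if s.dst == dst else s for s in new[src]]
    return new


if __name__ == "__main__":
    cost, path = least_cost_path(GRAPH, "internet", "customer_db")
    print(f"baseline: cost {cost} via {' -> '.join(path)}")
    for c, k in single_failure_costs(GRAPH, "internet", "customer_db").items():
        print(f"  if {c} fails: cost {k}")
    print("weakest single control:", weakest_control(GRAPH, "internet", "customer_db"))
    # Layer a second, different control on the final hop so db_iam is no
    # longer the only thing holding that cost up (hypothetical control name).
    hardened = add_control(GRAPH, "file_share", "customer_db", "db_egress_filter", 3)
    hardened = add_control(hardened, "cloud_app", "customer_db", "db_egress_filter", 3)
    print("weakest after layering:", weakest_control(hardened, "internet", "customer_db"))
```

Two things fall out of running it: the cheapest path is the boring one (phish, workstation, file share, database), not the one through domain admin, and layering a second control on the database hop does not end the exercise, it just moves the weakest point to the next control. That is the decision-tree-of-redundancies view: re-run the check after every change rather than trusting the last result.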

Adaptability

Adaptability: reduce costs and damage incurred, while keeping your options open

Intergov’t Panel on Climate Change (IPCC): incremental change creates a false sense of security – the goal is managed transformation

Preserving habitats is unnatural & counterproductive. Wildlife naturally “tracks” ideal conditions.

Legacy systems are like preserved habitats. We need to be able to migrate to better conditions.

Example: patching inline PHP code. Instead: a single class for DB queries.

Static indicators like high coral cover or fish abundance reflect favorable past conditions. Erosion of coral reef resilience is dynamic.

Ensure your threat models aren’t based on favorable past conditions

Survival strategy: comingle warm-adapted species with cold-adapted cohorts

Apps built with legacy systems and libs will not survive in an increasingly open API world

Uncertainty and surprise must be baked into your approach

Test adaptability to attacker methods with attack simulation or automated playbook testing

Chaos Monkey

Randomly kills instances to test their ability to withstand failure. It also makes persistence really hard.

Design your security architecture for survival even if individual controls fail

Rethinking security architecture is hard. The industry offers too much complexity.

Containers

Containers promote adaptability and support transformability @jessfraz | blog.jessfraz.com/post/talks

Containers = “isolated, resource-controlled, and portable runtime environments”

▪ Easier to determine root cause ▪ Easier to transport to better infrastructure ▪ Easier to kill the infection & stop spread

Ongoing stress like ocean warming or overfishing makes coral less resilient in the face of cyclones or coral bleaching events

Complexity will erode your resilience in the face of new vulns or data breaches

Transformability

Transformability = challenge existing assumptions & reorganize your system

Prior example: inline code makes it difficult to reorganize your system vs. a single class
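The inline-code example used in the Adaptability section and referred back to here can be shown side by side. The talk's case is inline PHP; the added example below is in Python with SQLite and is not from the talk or from any real codebase. The schema, rows and the hostile input string are constructed. The "before" functions are written the way inline query code typically looks (string-built SQL, one copy per handler) and are deliberately left that way; the "after" class is the single place SQL lives, so a backend migration or a policy change touches one class rather than every handler.

```python
"""Inline queries scattered through handlers vs one data-access class.
Added example in Python (the talk's case is inline PHP); the schema, sample
rows and hostile input are constructed, not taken from any real system."""
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, tier TEXT);
        INSERT INTO customers (name, email, tier) VALUES
          ('alice', 'alice@example.com', 'gold'),
          ('bob',   'bob@example.com',   'free'),
          ('carol', 'carol@example.com', 'gold');
    """)
    return conn


# --- Before: query text built inline wherever it is needed -----------------
# Each handler owns its own SQL string. A fix lands in one handler at a time,
# and moving to a different store means hunting down every one of these.
def inline_find_by_name(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    sql = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def inline_find_by_tier(conn: sqlite3.Connection, tier: str) -> List[Tuple]:
    sql = "SELECT id, name, email FROM customers WHERE tier = '%s'" % tier
    return conn.execute(sql).fetchall()


# --- After: one class is the only place SQL lives ---------------------------
class CustomerRepository:
    """Single chokepoint for customer data access.
    User input is bound as a parameter, never interpolated; the column set is
    fixed here; swapping backends means re-implementing this class only."""
    COLUMNS = ("id", "name", "email")

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn

    def _select(self, where: str, params: Tuple) -> List[Tuple]:
        # `where` is an internal constant chosen below, never caller input.
        sql = f"SELECT {', '.join(self.COLUMNS)} FROM customers WHERE {where} ORDER BY id"
        return self._conn.execute(sql, params).fetchall()

    def find_by_name(self, name: str) -> List[Tuple]:
        return self._select("name = ?", (name,))

    def find_by_tier(self, tier: str) -> List[Tuple]:
        return self._select("tier = ?", (tier,))

    def find_by_email(self, email: str) -> Optional[Tuple]:
        rows = self._select("email = ?", (email,))
        return rows[0] if rows else None


# Constructed input: a plain tautology, used only to show the two behaviours.
HOSTILE_NAME = "x' OR '1'='1"


def demo() -> dict:
    """Run the same lookups through both styles and return the results."""
    conn = make_db()
    repo = CustomerRepository(conn)
    return {
        "inline_honest": inline_find_by_name(conn, "alice"),
        "inline_hostile": inline_find_by_name(conn, HOSTILE_NAME),
        "repo_honest": repo.find_by_name("alice"),
        "repo_hostile": repo.find_by_name(HOSTILE_NAME),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {len(rows)} row(s): {rows}")
```

The resilience point is the shape, not the one bug: with the inline style the "fix" is a patch per handler and the risk accumulates as handlers multiply; with the repository the query policy, the column allowlist and the backend are one thing to change, test and migrate.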

In disaster recovery policy, the ideal is to change location & remove urbanization

2011: a magnitude 6.3 earthquake hit Christchurch. Cost to rebuild: $40bn+

NZ designated a “red zone” where land is too vulnerable & where rebuilding is uneconomic

Identify the red zones within your IT systems

Choose your own infosec red zone criteria: publicly exposed, legacy systems, critical data, privileged access, overly verbose, single point of failure, difficult to update, …

Example: an API consuming critical data should be in the “red zone” whether it has vulns or not

Identify assets that fall under your red zone criteria & migrate them to a safer system
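The four slides above describe one procedure: pick red zone criteria, tag assets against them, and queue the matches for migration. The added example below is not from the talk; it encodes the criteria the slide lists as predicates over a constructed inventory, uses an invented policy for what counts as "in the zone", and deliberately leaves the open-vulnerability count out of the criteria so that the API handling critical data is zoned even with zero known vulns. Field names, thresholds and the as-of date are assumptions.

```python
"""Tag assets against red zone criteria and order them for migration.
Added example; inventory, field names, thresholds and the as-of date are
constructed (the talk lists the criteria but prescribes no data model)."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Tuple

TODAY = date(2017, 11, 1)  # fixed as-of date so results are reproducible


@dataclass
class Asset:
    name: str
    publicly_exposed: bool = False
    handles_critical_data: bool = False
    privileged_access: bool = False
    single_point_of_failure: bool = False
    eol_stack: bool = False            # runs on an end-of-life platform/framework
    log_verbosity: str = "normal"      # constructed scale: quiet / normal / verbose
    last_patch: date = TODAY
    open_vulns: int = 0                # tracked, but deliberately NOT a criterion


# The slide's criteria, as predicates. The 180-day threshold is constructed.
CRITERIA: Dict[str, Callable[[Asset], bool]] = {
    "publicly exposed":        lambda a: a.publicly_exposed,
    "legacy":                  lambda a: a.eol_stack,
    "critical data":           lambda a: a.handles_critical_data,
    "privileged access":       lambda a: a.privileged_access,
    "overly verbose":          lambda a: a.log_verbosity == "verbose",
    "single point of failure": lambda a: a.single_point_of_failure,
    "difficult to update":     lambda a: (TODAY - a.last_patch).days > 180,
}

# Constructed policy: any of these alone zones an asset; otherwise two hits do.
MANDATORY = {"critical data", "privileged access"}


def red_zone_tags(asset: Asset) -> List[str]:
    """Every criterion the asset meets, in the order the criteria are listed."""
    return [name for name, test in CRITERIA.items() if test(asset)]


def in_red_zone(asset: Asset, tags: List[str] = None, min_hits: int = 2) -> bool:
    tags = red_zone_tags(asset) if tags is None else tags
    return bool(MANDATORY & set(tags)) or len(tags) >= min_hits


def migration_queue(assets: List[Asset]) -> List[Tuple[str, List[str]]]:
    """Zoned assets, worst first: more criteria hit, then public exposure, then name."""
    zoned = [(a, red_zone_tags(a)) for a in assets]
    zoned = [(a, t) for a, t in zoned if in_red_zone(a, t)]
    zoned.sort(key=lambda at: (-len(at[1]), not at[0].publicly_exposed, at[0].name))
    return [(a.name, t) for a, t in zoned]


# Constructed inventory. Note orders-api has no open vulns and is still zoned.
INVENTORY = [
    Asset("brochure-site", publicly_exposed=True, last_patch=date(2017, 10, 20)),
    Asset("orders-api", publicly_exposed=True, handles_critical_data=True,
          last_patch=date(2017, 10, 25), open_vulns=0),
    Asset("legacy-jumphost", privileged_access=True, single_point_of_failure=True,
          eol_stack=True, last_patch=date(2016, 3, 1), open_vulns=12),
    Asset("build-runner", log_verbosity="verbose", last_patch=date(2017, 9, 1),
          open_vulns=3),
]

if __name__ == "__main__":
    for name, tags in migration_queue(INVENTORY):
        print(f"{name:16s} red zone: {', '.join(tags)}")
    for a in INVENTORY:
        if not in_red_zone(a):
            print(f"{a.name:16s} outside the zone ({', '.join(red_zone_tags(a)) or 'no criteria hit'})")
```

The point of keeping `open_vulns` out of `CRITERIA` is the slide's own: the zone is about where an asset sits and what it touches, not about this week's scan results. A clean scan is a favorable past condition, not a reason to stay.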

Example: planned decommission of levees to assist migration. Prohibits the levee from becoming a permanent “fix”.

Continually consider how you can prepare in advance for migration

Complex systems require collaborative planning across stakeholders

Open sharing of protections in place, what risk remains, uncertainties in the approach

Partner with engineering – they benefit from flexibility and transformability as well

Your role is to manage state transitions. Consider how a resilience approach fits into engineering workflows.

2FAC @ Facebook: integrated 2FA into dev workflows without creating friction

“You can actually implement security controls that affect every single thing people are doing and still make them love it in the process”

Find someone with whom to collaborate & work out how security can fit into their workflows

Ensure your org is learning from prior experiences – foster a security culture

Conclusion

Infosec resilience means a flexible system that can absorb an attack and reorganize around the threat.

Robustness is optimized through diversity of controls

Adaptability minimizes the impact of an attack and keeps your options open

Transformability demands you challenge assumptions & reorganize around reality

“The history of evolution is that life escapes all barriers. Life breaks free. Life expands to new territories. Painfully, perhaps even dangerously. But life finds a way.”

Attacks will evolve. We can evolve, too.

Let’s strive for acceptance of our grief, and architect effective and realistic defense

The blue pill relegates us to the role of a firefighting cat who’s drunk on snake oil

Instead of accepting snake oil, take the red pill of resilience instead

“Good enough is good enough. Good enough always beats perfect.” – Dan Geer

@swagitda_ ▪ /in/kellyshortridge ▪ kelly@greywire.net

Suggested Reading
▪ Engineering resilience versus ecological resilience
▪ Resilience and disaster risk reduction: an etymological journey
▪ A strategy-based framework for assessing the flood resilience of cities – A Hamburg case study
▪ Vulnerability, Resilience, and the Collapse of Society
▪ Are some forms of resilience more sustainable than others?
▪ Flood Resilience: a Co-Evolutionary Approach
▪ The oak or the reed: how resilience theories are translated into disaster management policies
▪ Rethinking Ecosystem Resilience in the Face of Climate Change
▪ Building evolutionary resilience for conserving biodiversity under climate change
▪ Complexity and Planning: Systems, Assemblages and Simulations
▪ “Windows Containers” by Microsoft
▪ “The Netflix Simian Army” by Netflix