The Red Pill of Resilience Kelly Shortridge (@swagitda_) COUNTERMEASURE 2017
A presentation at Countermeasure in November 2017 in Ottawa, ON, Canada by Kelly Shortridge
The Red Pill of Resilience Kelly Shortridge (@swagitda_) COUNTERMEASURE 2017
Hi, I’m Kelly
“The oak fought the wind and was broken, the willow bent when it must and survived.”
“The more you sweat in peace, the less you bleed in war.”
Resilience is about accepting reality, and building a defensive strategy around reality
Stages of Grief in InfoSec Etymology of Resilience The Resilience Triad: ▪ Robustness ▪ Adaptability ▪ Transformability 6
Stages of Grief
InfoSec is grieving that companies will never be invulnerable to attack 8
Denial – clinging to a false reality “We aren’t really at risk” 9
Anger – frustration that denial can’t go on “It’s your fault that I need security” 10
Bargaining – hope that the cause is avoidable “Maybe we can stop attacks from happening” 11
Depression – despair over the reality “We’re going to be hacked, why bother?” 12
Acceptance – embracing inevitability “Attacks will happen, but I can be prepared” 13
Lack of acceptance feeds solution fragmentation, FUD, and snake oil 14
Security nihilism isn’t the answer. Resilience is. 15
Etymology of Resilience
1858: Engineering – strength & ductility 20th Century: Psychology, ecology, social sciences, climate change, disaster recovery 17
Resilience in Complex Systems
Non-linear activity in the aggregate Intertwined components, unpredictability 19
Infosec is a complex system. Defenders, attackers, users, governments, software vendors, service providers, … 20
Ecological resilience Continually adapt; high degree of instability 21
Chestnut trees in eastern North America’s forests were wiped out by chestnut blight Oak and hickory trees grew in their stead 22
Evolutionary resilience assumes socioecological systems are co-evolutionary 23
Communities can diversify agricultural landscapes and production systems 24
Three central characteristics of resilience: Robustness, Adaptability, Transformability 25
Hurricane Harvey – primary damage was flooding from ongoing rain, not storm surges 26
Resilience is about the journey, not the destination 27
Accept the risk will exist Reduce potential damage & restructure around the risk 28
“A building doesn’t care if an earthquake or shaking was predicted or not; it will withstand the shaking, or it won’t.” – Susan Elizabeth Hough 29
Survival rests on embracing the unknown and accepting that change is inevitable 30
Robustness
Robustness: withstanding and resisting a.k.a. “engineering resilience” 32
Safe development paradox: stability allows risk to accumulate, compromising resilience 33
Focus on just engineering resilience leads to a maladaptive feedback loop 34
Suppressing fires in fire-adapted forests leads to a build up of fuel over time 35
Patching & retroactive hardening of vulnprone systems accumulates risk 36
Levees support further human development in at-risk floodplains 37
“Don’t treat the symptoms of bad planning with structures” 38
Technical controls shouldn’t allow exemption from cyber insurance requirements 39
Artificially creating a stable environment makes the system less adaptive to disruption 40
Coral in marine preserves are less resilient to climate disturbance than “stressed” coral 41
Design & test internal systems with the same threat model as externally-exposed ones 42
Problem: infosec is exclusively focused on robustness – how to stop / thwart / block 43
Infosec’s current goal is to return to “business as usual” post-breach. There is no such thing. 44
Other domains tried defying nature – it doesn’t work 45
Your systems must survive even if users click on phishing links and download pdf.zip.exe’s 46
Robustness is effective when you have diverse and layered controls 47
NYC’s excess heat guidelines: backup hybridpower generators, heat-tolerant systems, window shades, high-performance glazing 48
Diversity helps provide redundancy in uncertain conditions 49
APT BlinkyBoxTM doesn’t help when legit creds are used to access a cloud service 50
Don’t ignore correlated risk. Fragmentation can inject a healthy level of instability to foster resilience. 51
Pitfall of efficiency: more limited space in which your operations can survive 52
Up for debate: manageability via uniformity vs. minimized impact via diversity? 53
Decision trees are useful to map out necessary redundancies 54
Raising attacker cost is the bridge from robustness to adaptability 55
“Attackers will take the least cost path through an attack graph from their start node to their goal node.” – Dino Dai Zovi 56
Adaptability
Adaptability: reduce costs and damage incurred, while keeping your options open 58
Intergov’t Panel on Climate Change (IPCC): Incremental change creates a false sense of security – goal is managed transformation 59
Preserving habitats is unnatural & counterproductive. Wildlife naturally “tracks” ideal conditions. 60
Legacy systems are like preserved habitats. We need to be able to migrate to better conditions. 61
Example: patching inline PHP code Instead: single class for DB queries 62
Static indicators like high coral cover or fish abundance reflect favorable past conditions. Erosion of coral reef resilience is dynamic. 63
Ensure your threat models aren’t based on favorable past conditions 64
Survival strategy: comingle warm-adapted species with cold-adapted cohorts 65
Apps built with legacy systems and libs will not survive in an increasingly open API world 66
Uncertainty and surprise must be baked into your approach 67
Test adaptability to attacker methods with attack simulation or auto playbook testing 68
Chaos Monkey 69
Randomly kills instances to test their ability to withstand failure. It also makes persistence really hard. 70
Design your security architecture for survival even if individual controls fail 71
Rethinking security architecture is hard. The industry offers too much complexity. 72
Containers 73
Containers promote adaptability and support transformability @jessfraz | blog.jessfraz.com/post/talks 74
Containers = “isolated, resource-controlled, and portable runtime environments” 75
Easier to determine root cause Easier to transport to better infrastructure Easier to kill the infection & stop spread 76
Ongoing stress like ocean warming or overfishing makes coral less resilient in the face of cyclones or coral bleaching events 77
Complexity will erode your resilience in the face of new vulns or data breaches 78
Transformability
Transformability = challenge existing assumptions & reorganize your system 80
Prior example: inline code makes it difficult to reorganize your system vs. a single class 81
In disaster recovery policy, ideal is to change location & remove urbanization 82
2011: 6.3mms earthquake hit Christchurch Cost to rebuild of $40bn+ 83
NZ designated a “red zone” where land is too vulnerable & where rebuilding is uneconomic 84
Identify the red zones within your IT systems 85
Choose your own infosec redzone criteria: Publicly exposed, legacy systems, critical data, privileged access, overly verbose, single point of failure, difficult to update, … 86
Example: API consuming critical data should be in “red zone” whether it has vulns or not 87
Identify assets that fall under your red zone criteria & migrate them to a safer system 88
Example: Planned decommission of levees to assist migration Prohibits becoming a permanent “fix” 89
Continually consider how you can prepare in advance for migration 90
Complex systems require collaborative planning across stakeholders 91
Open sharing of protections in place, what risk remains, uncertainties in the approach 92
Partner with engineering – they benefit from flexibility and transformability as well 93
Your role is to manage state transitions. Consider how a resilience approach fits into engineering workflows. 94
2FAC @ Facebook: integrated 2FA into dev workflows without creating friction 95
“You can actually implement security controls that affect every single thing people are doing and still make them love it in the process” 96
Find someone with whom to collaborate & how security can fit into their workflows 97
Ensure your org is learning from prior experiences – foster a security culture 98
Conclusion
Infosec resilience means a flexible system that can absorb an attack and reorganize around the threat. 100
Robustness is optimized through diversity of controls 101
Adaptability minimizes the impact of an attack and keeps your options open 102
Transformability demands you challenge assumptions & reorganize around reality 103
“The history of evolution is that life escapes all barriers. Life breaks free. Life expands to new territories. Painfully, perhaps even dangerously. But life finds a way.” 104
Attacks will evolve. We can evolve, too. 105
Let’s strive for acceptance of our grief, and architect effective and realistic defense 106
The blue pill relegates us to the role of a firefighting cat who’s drunk on snake oil 107
Instead of accepting snake oil, take the red pill of resilience instead 108
“Good enough is good enough. Good enough always beats perfect.” – Dan Geer
@swagitda_ /in/kellyshortridge kelly@greywire.net 110
Suggested Reading ▪ Engineering resilience versus ecological resilience ▪ Resilience and disaster risk reduction: an etymological journey ▪ A strategy-based framework for assessing the flood resilience of cities – A Hamburg case study ▪ Vulnerability, Resilience, and the Collapse of Society ▪ Are some forms of resilience more sustainable than others? ▪ Flood Resilience: a Co-Evolutionary Approach ▪ The oak or the reed: how resilience theories are translated into disaster management policies ▪ Rethinking Ecosystem Resilience in the Face of Climate Change ▪ Building evolutionary resilience for conserving biodiversity under climate change ▪ Complexity and Planning: Systems, Assemblages and Simulations ▪ “Windows Containers” by Microsoft ▪ “The Netflix Simian Army” by Netflix 111
