Recapping the H-ISAC Fall Summit – Asymmetric Cyberwarfare and OODA Loops
Written by: Joseph Salazar, Technical Marketing Engineer – This year’s H-ISAC Fall Summit took place in San Antonio, TX, where the theme was “Never Stand Alone”. It’s a fitting slogan for the event given the proximity of The Alamo, as H-ISAC’s goal is to provide a trusted community and forum for coordination, collaboration, and sharing of Physical and Cyber Threat Intelligence and best practices. As a Gold Sponsor and Navigator program participant, Attivo Networks had a tremendous opportunity to engage with the healthcare community to discuss security concerns and challenges.
The event was great for networking with other security professionals and seeing emerging trends in healthcare security. As always, there is concern for protecting patient healthcare data, but there is also a growing focus on securing medical devices, whether ICS-SCADA or IoT, as they proliferate throughout the environment. I had several discussions with other security professionals about the difficulties in securing medical devices on the network, and for many of them it was a growing priority in their organization for 2019. As we’ve mentioned before, Deception Technology is ideally suited to rapidly detect and respond to threats that target Operational Technology devices on the network, and the security professionals I talked to were seriously considering it for early and accurate threat detection in a traditionally difficult-to-secure environment.
In fact, it is my impression that there is a growing awareness of Deception Technology as a detection control for internal threats. Out of the blue late one night, a customer of ours had an informative impromptu discussion with a Deception Technology sceptic about how they were using deception technology for threat detection, network visibility, and incident response. It is heartening to see more organizations leveraging deception as a viable option for their internal threat detection concerns and sharing that knowledge and experience with peers.
I also had the opportunity to present a well-attended talk on how organizations can leverage Deception Technology for an Active Cyber Defense. My perspective is a little unique, as it is heavily influenced by my military service as well as my Information Security background. Unlike similar talks that focus on the technology and capabilities, I spoke strategically about why one should look at Deception Technology through the lens of Asymmetric Cyberwarfare. Most organizations view compromises and breaches as a function of preventative security, but I focused on treating cyberattacks as guerrilla warfare in the network, as there are many parallels. The attackers have the advantage of situational awareness and stealth, not only to gather intelligence on defenses and targets, but also to stay hidden until they strike. As a small, agile adversary, they can blend in with the regular operating environment, plan their activities, and execute before the defenders can adequately react.
This advantage can be described through the OODA Loop, a decision-making cycle documented by Colonel John Boyd, USAF, after studying air combat over Vietnam. He realized that pilots went through a continuous process that cycled through four phases while engaged with the enemy: OBSERVE what is happening, ORIENT to the situation, DECIDE on a course of action, then ACT on it. Pilots who cycled through this process faster than their opponent usually won the engagement. The attacker’s advantages of situational awareness and stealth allow them to cycle through their loop faster than the defenders. To get inside the attacker’s OODA Loop, the defender can either find a way to cycle through their OODA Loop faster or slow the adversary’s loop by adding friction. This is where a comprehensive Deception Technology solution comes in. Through deception, defenders can skew the Observe and Orient phases of the loop with misinformation and misdirection, directly affecting the attacker’s advantage of situational awareness. Forcing the attacker to Decide and Act on incorrect information allows the defender to detect them early, compromising their advantage of stealth. Through deception, the defender adds friction to the attacker’s OODA Loop, seizing back the advantage from the adversary.
The rest of the talk focused on using Deception Technology for Active Cyber Defense. When I mention Active Defense, most people think of using Offensive Cybersecurity actions and “hacking back”, but this is far from the case. Active Defense is more like using a Patriot missile to shoot down an incoming Scud, as opposed to a passive or static defense that waits for it to hit its target. This is purely for defensive purposes, not “hacking back”. From the perspective of Active Defense, deception makes it costly and resource-intensive for an attacker to advance an attack. This overlaps with adding friction to the attacker’s OODA Loop and shifts the asymmetric nature of in-network Cyberwarfare by returning the advantage to the defender.
Every H-ISAC summit brings a new opportunity to not only share more about Attivo Networks Deception Technology, but also to network and maintain relationships with the healthcare security community, which is always valuable. This event was no exception, and we look forward to many more.