This piece began as a short and simple LinkedIn post inspired by a walk with our dog one summer evening. We live in New York City and our dog’s name is Molly, an Australian Labradoodle. The post garnered a pretty good-sized number of impressions as it clearly resonated with the folks on that platform who follow my musings and observations. So this is the expanded treatise on the subject that dogs are good infosec professionals by nature and we two-leggeds can learn a thing or two from them about cybersecurity strategy.
Attack Surface
It’s not the sidewalk pavement surface itself that is interesting, it’s the cracks between the stones. Good smells aggregate between the pavement stones of the sidewalk, and the same is true for our digital assets: attacks focus on the gaps and cracks between the assets more than on the assets themselves. The same can also be said about process gaps. Take the new hire process that is responsible for onboarding new employees. Someone is being elevated from no privileges to a position of trust and, depending on the role, privileged access. Dragos.com was targeted in such a manner and, to their credit, wrote about the incident so that we all might benefit from their experience. The gap or “tactical edge” in this process was the steps and the time period between an offer letter and the employee start date.
The personal email address of that soon-to-be employee was compromised (probably immediately after posting on social media that they were excited to be starting a new job), after which the threat actor attempted to take over initial steps in the onboarding process. Thanks to good anomaly detection and monitoring, the attack was thwarted. The infosec process known as “threat modeling” is not as widespread as it ought to be, especially now that we need to include HR functions and the pre- and post-interview process steps. We would all do well to take a fresh look at our own onboarding processes and cybersecurity strategy to see if there are any “trust gaps” where the baton of information is handed from one system to another that could be intercepted or commandeered by bad actors. Insider risk programs should also be expanded in scope to include pre-hire identification of employee BYOD assets, identification of the public IP addresses that we will eventually see showing up in our VPN logs, and the security posture of users’ personal accounts before their first day of employment, such as whether MFA is enabled.
Zero Trust Attitude
Dogs exhibit the spirit of “zero trust” automatically and instinctually. When Molly sees another dog on our walks, it doesn’t matter whether she has met that dog a hundred times before or not, she still approaches the other dog with an attitude of uncertainty. Can I sniff you? How are you looking (and smelling) today? Is there something new or odd about your gait, is your tail wagging happily? Are you recently groomed and bathed? There is no doubt that there are a myriad of chemical indicators of the other dog’s mental and physical health that are being communicated to Molly’s olfactory system that are well beyond our mere human capabilities of perception.
Checking briefly for a little substantiation of this, I read that a canine’s capacity for odor detection has been reported to be as much as 10,000–100,000 times that of the average human, and the canine lower limit of detectability for volatile organic compounds is one part per trillion (ppt). It’s no wonder that dogs like to stick their heads out of a moving car window… it must be a real rush to have all that information stimulating your senses.
Cone of Shame
If you’ve seen the Disney movie “Up” or you are a dog owner who has had to experience this directly, you will know what is meant by the phrase “cone of shame.” A veterinary doctor will prescribe this apparatus to be placed around the neck of a dog, usually made of white plastic of sufficient length to keep the dog from being able to sniff or lick various body parts so that they have time to heal or for medicine to have a chance to be absorbed by the skin.
I wonder if there could be a cybersecurity strategy equivalent of this cone of shame? Maybe some kind of API endpoint header or client/server header that declares the number of days since the asset was last breached or compromised. When two dogs (or IP addresses in this analogy) meet, maybe the three-way TCP handshake should also be accompanied by an as-yet-undefined protocol of TCP sniffing, and we should devise an obvious method for an asset to declare that it has recently been digitally admonished with a cone of shame as well.
Barking and Threat Detection
Not only do dogs have a vastly more involved and nuanced system of perception when it comes to smell, they also have a superior range of hearing. The frequency range of human hearing is about 20–20,000 Hz, while dogs can hear sounds between 40–60,000 Hz. A passing ambulance or fire truck is likely producing sounds that are outside of the human range, but Molly definitely takes notice, as do most dogs, and feels compelled to “sing along” with the siren and throw in a few barks between her howls and vocalizations. Dogs can also hear sounds four times farther away than humans. However, they can only discriminate resolutions of about 1/3rd of an octave, while humans can discriminate resolutions to 1/12th of an octave.
In my original post on LinkedIn about lessons that our dogs teach us about cybersecurity strategy, I referenced the movie “101 Dalmatians,” in which Perdita and Pongo make use of the communication network among dogs known as the “twilight bark” to advise others of the abduction of their puppies. One might, in a manner, think of the new SEC disclosure and reporting requirements as a form of the twilight bark. Or the DORA reporting requirements taking shape in the European Union for financial services entities. Our collective resilience as a society, an economy or as a business owner is predicated on timely information sharing and threat detection.
How can we improve our range of “hearing” so that we can perceive threats that are operating at novel frequencies? The audio frequency analogy works in my view as a means to help us reconceptualize our understanding of threat detection. Just as money laundering schemes and organized crime try to find ways to avoid detection under SAR (Suspicious Activity Reporting) thresholds of $10,000 in some economies, I am convinced that some “low and slow” breach activity could be detected if we were to work on tuning our apparatus of detection to include a wider range of activity. Dutch chipmaker NXP only became aware of their own breach when the investigation of Transavia’s breach led security researchers to notify them of traffic with their headquarters.
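To make the “low and slow” point concrete, here is an added example that is not part of the original post. It contrasts a per-event threshold (the equivalent of a single $10,000 SAR trigger) with a per-host rolling-window aggregate that catches activity deliberately structured to stay under that threshold. The log lines, host names and byte thresholds are all constructed for illustration; the per-event and window limits are hypothetical values, not anyone’s published tuning.

```python
"""Per-event thresholds versus rolling-window aggregation for "low and slow" activity.

Added example, not from the original post. All log lines, hosts and limits are
constructed/hypothetical. Each event is an outbound transfer: "<ISO ts> <host> <bytes>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ws-17 sends five transfers, each just under the
# per-event limit, across ~2 days; ws-42 sends one large transfer; ws-08 is quiet.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 9500000
2024-03-01T13:00:00 ws-17 9800000
2024-03-02T08:30:00 ws-17 9700000
2024-03-02T16:45:00 ws-17 9900000
2024-03-03T10:15:00 ws-17 9600000
2024-03-01T10:00:00 ws-42 12000000
2024-03-02T11:00:00 ws-08 500000
"""

SINGLE_EVENT_LIMIT = 10_000_000        # hypothetical: alert on any single transfer > 10 MB
WINDOW = timedelta(days=3)             # hypothetical: look back three days per host
WINDOW_LIMIT = 30_000_000              # hypothetical: alert when 3-day total > 30 MB


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, bytes) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), host, int(nbytes)))
    events.sort(key=lambda e: e[0])
    return events


def per_event_alerts(events, limit=SINGLE_EVENT_LIMIT):
    """Naive detector: flags hosts with at least one transfer above the per-event limit."""
    return sorted({host for _, host, n in events if n > limit})


def rolling_window_alerts(events, window=WINDOW, limit=WINDOW_LIMIT):
    """Sliding-window detector: flags a host the first time its cumulative bytes
    within `window` exceed `limit`. Returns {host: (timestamp_of_alert, total_bytes)}.
    Events must be time-ordered (parse_log guarantees this)."""
    recent = defaultdict(deque)   # host -> deque of (ts, bytes) inside the window
    totals = defaultdict(int)     # host -> running sum of bytes inside the window
    alerts = {}
    for ts, host, n in events:
        q = recent[host]
        q.append((ts, n))
        totals[host] += n
        # Evict events that have aged out of the window before evaluating.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[host] -= old
        if totals[host] > limit and host not in alerts:
            alerts[host] = (ts, totals[host])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-event threshold alerts:", per_event_alerts(evs))
    for host, (ts, total) in rolling_window_alerts(evs).items():
        print(f"rolling-window alert: {host} reached {total} bytes by {ts.isoformat()}")
```

Run as-is, the per-event detector only flags ws-42, the one host that was loud. The rolling-window detector instead flags ws-17, whose individual transfers never trip the single-event limit but whose three-day total crosses the aggregate limit on the fourth transfer. The window length and aggregate limit are the “tuning” knobs the analogy refers to; widening the window is how you extend the range of what the detector can hear, at the cost of holding more state per host.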
Pack Theory
“Leading from the back” is a business management philosophy that was, if I’m not mistaken, inspired by wolves and wolf packs. The alpha wolf is there at the back of a progression of wolves in transit to protect the older and more vulnerable wolves from predators and other threats, like accidents while crossing a river or a narrow trailhead through the mountains. Although these lupine management books talk about leadership within an organization, it’s worth mentioning that many of the same lessons for group strength and resilience apply between organizations.
Here is the point where I make the pitch for everyone to join an ISAC: Information Sharing and Analysis Center. If you are not in a particular industry that has a dedicated sector ISAC like mining and metals (MM-ISAC), or maritime transportation system (MTS-ISAC), then you are most certainly welcome to join the IT-ISAC, since every company has an IT function that can benefit from threat intelligence sharing and group awareness of trends and indicators of new campaigns and tactics of bad actors. Over the last few years, I’ve worked with and been a member of over ten of these ISACs, presenting threat intelligence briefings and giving presentations on third-party risk management and other subjects. Membership is usually based on the size of your organization, so fees are variable.
But keep in mind, just joining a gym doesn’t suddenly make you fit and trim. You have to put in the work to get any substantial results. The same is true of threat intelligence sharing communities. Collaboration and communication are not a one-way street. What you can offer the community of practice is just as important as what you can receive. But I can guarantee that you will see the benefits of joining an ISAC and being an active participant. You will improve your company’s security posture, grow the talent and knowledge of your team, and deliver on the mission of a strong cybersecurity strategy: the avoidance of harm.
Want to learn more about building a comprehensive cybersecurity strategy? Contact us.