As I keep telling people, cyber is a great unknown. If anyone tells you they (1) know what is happening (what we are doing), (2) know what we are going to do in the near future, and (3) know what the bad guys are going to do in the near or middle future, they're lying.
Right now we have a whole bunch of blowhards pontificating about how good they are and what they've done in the past, and that's about it. All the experts in the world, lined up side by side, can't tell you how much the bad guys are getting out of us and past us, or how, and they don't have a clue how to stop it. If they tell you they do know, you have my permission to shoot them in the face, figuratively and metaphorically, of course. Don't forget, these are not men of action. Because of the very nature of what is called an Advanced Persistent Threat, they do not know how the bad guys are getting past our defenses. On top of that, because of all the noise created by less skilled, less sophisticated groups and braggarts, we tend to fixate on them and let the quiet, small-in-number, skilled and stealthy ones slip right beneath the figurative submarine chains.
The only ones who really have a clue, as much as many people hate to admit it, are the NSA. Just last night somebody asked me, 'why does NSA need all that data?' If you detect one tiny thread of somebody infiltrating a network, that is only one thread. If you detect five threads, perhaps 50, have you seen the big picture? How about 5,000 or even 5,000,000? At what point can we say we can detect MOST (never all) attempts to infiltrate all networks? Only NSA can see the big picture, because they collect the 'biggest data'. And still they will not detect everything; they are not supposed to, not allowed to, and do not even have the capability. I suspect they also don't really have the desire to be the world's cyber police.
Now let's talk more stark reality for a moment, and allow me to paint an even bleaker picture. The United Nations (acting through the ITU in the cyber world) puts its mandate this way:
The Purposes of the United Nations are:
1. To maintain international peace and security, and to that end: to take effective collective measures for the prevention and removal of threats to the peace, and for the suppression of acts of aggression or other breaches of the peace, and to bring about by peaceful means, and in conformity with the principles of justice and international law, adjustment or settlement of international disputes or situations which might lead to a breach of the peace;
Even the UN does not have the capability to see the real big picture, and how could they? If you combine the capabilities of all the cyber and intelligence organizations in the world, you still don't have the capabilities of the NSA. Now add the NSA to that mix and you still will not see the total picture. We seldom hear of law enforcement in the cyber world, but Interpol plays a part (http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime), albeit a minor one. Put that all together and you will have a fairly clear picture, but we will never see into all the dark corners of the world.
There will always be some group(s) which escape the dragnet of our law enforcement and intelligence collection. That is their job, and they improve at it every day: perform a crime in a manner that cannot be detected, steal intellectual property without the owner's knowledge, infiltrate a government's network without leaving a trace.
This is the curse of signature-based detection: a signature only catches what someone has already seen and catalogued, so an attacker who is careful never to reuse known tools, hashes or infrastructure is invisible to it. Whenever we, collectively, decide to switch to behavior-based detection, which flags activity that deviates from what is normal for a host or network regardless of whether the tooling has been seen before, the balance of power will switch to the good guys.
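To make the signature-versus-behavior distinction concrete, here is an added example (my own illustration, not code from the original post). It runs both kinds of detector over a constructed outbound proxy log. The log format, the IP addresses, the host names, the blocklist and the beaconing thresholds are all assumptions made for the demonstration. The noisy attacker reuses a host that is already on a blocklist and is caught by the signature check; the stealthy one talks to a host nobody has catalogued, but does so on a timer, and the regularity of its inter-arrival times is what the behavioral check keys on.

```python
"""Signature-based versus behavior-based detection over constructed proxy logs.

Added example: the log lines, host names, addresses and thresholds below are
made up for illustration and are not from the original post or any real environment.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound proxy log: "<epoch_seconds> <src_ip> <dst_host> <bytes_out>"
# 10.0.0.7 is a person browsing, 10.0.0.5 a noisy attacker using known-bad
# infrastructure, 10.0.0.9 a stealthy implant beaconing to an unknown host.
SAMPLE_LOG = """\
1000 10.0.0.7 news.example 5120
1000 10.0.0.9 cdn-updates.example 212
1030 10.0.0.7 news.example 4870
1200 10.0.0.5 evil-known.example 88000
1205 10.0.0.5 evil-known.example 91000
1601 10.0.0.9 cdn-updates.example 208
1900 10.0.0.7 news.example 6100
2199 10.0.0.9 cdn-updates.example 215
2800 10.0.0.9 cdn-updates.example 210
3402 10.0.0.9 cdn-updates.example 209
3999 10.0.0.9 cdn-updates.example 214
4100 10.0.0.7 news.example 5300
4110 10.0.0.7 news.example 4990
4600 10.0.0.9 cdn-updates.example 211
4800 10.0.0.7 news.example 6020
"""

# Signature: a hypothetical blocklist of hosts someone has already seen and published.
KNOWN_BAD_HOSTS = {"evil-known.example"}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((int(ts), src, dst, int(nbytes)))
    return events


def signature_detect(events, blocklist=KNOWN_BAD_HOSTS):
    """Flag every (src, dst) pair whose destination is on the blocklist.

    This catches only what has been seen and catalogued before; a destination
    nobody has written a signature for passes untouched.
    """
    return sorted({(src, dst) for _, src, dst, _ in events if dst in blocklist})


def behavioral_detect(events, min_hits=6, max_cv=0.05):
    """Flag (src, dst) pairs that beacon: many contacts at near-constant intervals.

    The coefficient of variation (stdev / mean) of the inter-arrival times is
    close to zero for a timer-driven implant and large for a human browsing.
    No prior knowledge of the destination is needed, which is the whole point.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        times[(src, dst)].append(ts)
    flagged = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature hits: ", signature_detect(evs))
    print("behavioral hits:", behavioral_detect(evs))
```

The two detectors find different things: the signature check reports only 10.0.0.5 talking to evil-known.example, and the beaconing check reports only 10.0.0.9 talking to cdn-updates.example, a host on no blocklist. The browsing user hits the minimum-sample threshold but the spread of its intervals keeps it out. Real implants add jitter to defeat exactly this statistic, so `max_cv` and `min_hits` are tuning knobs that trade false positives for missed low-and-slow beacons, not fixed constants.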