This is How they Tell me The World Ends: The Cyberweapons Arms Race

By Nicole Perlroth

Once in a while, it’s good to take a step back from the daily grind of security and governance to stop and think about where this is all going. Nicole Perlroth’s title seemed like an enticing opportunity for just such an interlude and, after shopping around, I was able to get early access to this work and was satisfied with what it had to offer. She uses her narrative to guide the reader through the shady underworld of cybercrime, focusing on the growing zero-day exploit market and providing some cool insights into its relatively banal and perhaps well-intentioned origins, leading into an overview of the current state, which is not quite world-ending but perhaps world-changing.

While most cybercriminals still take advantage of the old standard vectors (i.e., misconfigured or unpatched systems and uneducated users), zero-day exploits seem to offer special powers, enabling malicious actors to invade fully patched systems without alerting users. This has made them an irresistible tool for state actors with deep pockets, who are able to use them as the perfect surveillance tool for intelligence gathering. State actors have proven willing to pay large bounties for zero-day exploits, which they secretly retain until they are needed for intelligence operations. Even large companies (i.e., the big 4) are simply unable to keep up with governments who are willing to pay 6 figures for critical exploits. This creates an incentive for independent bug hunters to keep their findings private, ultimately leading to less secure computing environments for all users.

Up until now, over-eager attribution to ‘State Actors’ and APTs has been something of a cliché, but it seems these types of actors may play a more dominant role in security incidents, as stockpiling zero-days has proven to be a valuable strategy for such actors, including US and Israeli intelligence agencies. To parse the idea of ‘world-ending’ in a bit more detail, we can expect to encounter an increasing number of undisclosed vulnerabilities as time goes on. In Rumsfeldlish, these are ‘unknown unknowns’: issues that we didn’t even know we should worry about. In reality, zero-days are negative-days, since their impact could already have been felt for an unknown amount of time prior to their discovery. If your system has been specifically targeted by a state actor using a zero-day, then there really isn’t much you could directly do to defend against it. However, it does raise the importance of general DR planning, including failover systems, site recovery strategies and offline backups. National borders also have heightened importance in this type of scenario, since a state actor would essentially have unlimited power to act within its own borders; so if your business strategy leverages cloud infrastructure, it might be worth considering how your global footprint could reduce the potential impact of rogue state actors in other parts of the world.

As I’ve hopefully illustrated, I am glad Nicole has created this insightful work, which is both an engaging narrative and a discussion starter for security people.
