Still the Only Way to Beat the Hackers

Kent Hartland
Oct 4, 2020
Come on In. We’ve Been Expecting You.

We give up billions of dollars a year to the Bad Guys. Priceless data. Our very privacy. They encrypt and lock our database systems or commandeer our medical systems risking hundreds of lives until we agree to pay up. It may be years before we discover the full impact of the 2020 Russian cyber attack that penetrated the core of all federal government networks.

How does this happen? There are many and varied ways but generally, they slip in much earlier, sometimes months or years earlier, learning the lay of the network, where things are located, acquiring access codes and so forth. Often, a sleeper program is planted that they activate later when they are ready to take control.

The one constant in all these cases is that they depend on us to have logically constructed and named systems, with expected, classically designed networks and protocols that they can understand, encryption they can defeat and, most importantly, they need these things to stay the same until they launch their attack. This perhaps reflects too much dependence on traditional encryption and hardened defensive lines, rather than an acceptance that almost any defense can be compromised given enough time and persistence. What happens once an attacker gets inside your wire is just as critical as standard defenses.

Obfuscation is the key if you want to succeed and survive in this age of state-sponsored hacking and data theft. It is simply foolish to put out databases, software or coded message traffic that is laid out in logical fashion, so that a hacker can walk in, so to speak, take a quick look around, grab a donut and a cup of coffee and begin stealing all your stuff.

We have got to get smarter at this folks. We’ve been trained to write pretty, logical code, lay out our data dictionaries and databases in simple, normalized fashion. Name things obviously so that in years to come the next guy can support your code more easily. This is really important to major organizations, lessons hard learned after decades of 1960s and 70s legacy spaghetti code that, to this day, nobody will touch.

Exposing all that neatly laid out stuff to Russian or Chinese state sponsored hackers is just nuts.

Whether you are designing a new data center, network, website, database or smartphone app, you must make nothing function as it seems. You must make it totally non-obvious. The way must be laid with traps, distractions, illusions, dead ends, red herrings and honey pots. Your objective must be to (1) give a hacker nothing to see here, (2) give him something to see over there, and (3) if he comes back here, give him false places to go and time-wasting things to do.

Encryption is great for a while, but what’s better is if the hacker never suspects the jewels are here to begin with. That means fake folders, fake databases (maybe lots of fake databases), fake names, weird misleading table and column names, encrypted data elements in the data columns, fake encrypted data, and honeypot data set out for the hungry hacker to steal (a big table of names, addresses, credit cards, SSNs, passwords, etc., all fake, for instance). And when you shut down a system for the night or weekend, or unplug its thumb drive:

Don’t just encrypt. Rename the files! Have some encrypted dummy data files with authentic-sounding names to fill in as hacker bait; just make the size, name and structure look and sound convincing.

Don’t put your stuff where they expect it. Instead of MyGreatApp.Exe sitting in C:\Program Files\My Company\MyGreatApp\, try calling it EULA23.EXE and burying it amongst a bunch of other boring, innocuous-looking weird files in C:\PrintStore\Whatever\Dot Matrix\Util\Update\. How many hackers do you think are going to go cruising for donuts there?

If enough developers and data companies started embracing a holistic approach to Total Obfuscation, especially the part about honeypot dummy data files, the dark web would soon be awash in worthless dummy data. Criminals would be angry at other criminals for ripping them off with stolen data that doesn’t work. Soon, the Hackmunity would be on its back foot, realizing the golden age of Walk-In Donut-Coffee-Steal is over.

It’s time for the age of the Shifting Rabbit Hole and Hacker Vertigo to begin, and there are all kinds of professionally crafted Rabbit Holes that can be made. Like home security, you just have to make it hard enough that the Bad Guy goes to a softer target down the road.

Certified Master Ob’s could earn big bucks designing deviously clever custom Ob Schemas to protect our most sensitive assets. It could be taught in seminars or certification classes. Even though the hackers would go to the same classes, it would only alert them to the concepts, not the information they would need to penetrate any account, because the specifics of how you lay out a system, the naming, the locations of things, the types of honey, all of it would, and must, vary from project to project. Indeed, they should be designed in such a way that they can be re-Ob’ed on an irregular basis, like every third then seventh week, or each last Friday of the month perhaps, via automated means to rename or relocate, restructure or whatever is needed to keep the hackers from gaining and maintaining a working presence.

So, even if the bad guys got into some hospital net and were three weeks into trying to dope out what in the h@ll was up with this crazy network, it would all change at the end of the month including their access point and they’d be locked out once again.

Now, I hear what you’re saying: There are jillions of legacy systems out there that are running just fine and we ain’t gonna rip them open and start switching everything around and renaming everything to make it goofy looking. Consider an Obfuscation Layer. An Interface between your legacy assets and the world. Your source code looks the way it always has, yet it compiles into something quite different.

There is a need and a major market opportunity for tools here. Imagine still developing your apps in classic, clean Rust or Java, with your SQL Server or SQLite database names as before, but before you deploy you run ObSecOne or something that obfuscates your code (yes, there already are some code obfuscators out there, but most come up short of real Ob) and your database structure AND adds all the Herrings, Honeypots and such, plus throws in some authentic-looking dummy tables, code modules and databases for good measure, delivering a complete package that shields your IP and data in an Ob Storm that no hacker could unwind in a lifetime. That’s where we need to go, utility makers.
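To make the three ideas above concrete (an obfuscation layer so source keeps its logical names while what runs uses different ones, automated re-keying on a schedule, and honeypot tables whose only purpose is to be touched), here is an added example written for this page. It is not ObSecOne, not an existing tool, and not the author’s code. It assumes SQLite via Python’s standard library, a `{table}` / `{table.column}` placeholder convention for application SQL, physical names derived by HMAC from a secret key plus an epoch number, and a constructed decoy table named `customer_export_2019`; the audit-log lines it scans are constructed too.

```python
from __future__ import annotations

import hashlib
import hmac
import re
import sqlite3
import string

# Constructed example for this page: application code keeps its logical names
# and the layer maps them to physical SQLite names derived from a secret key
# and a rotation epoch. The decoy table and audit-log lines are hypothetical.


def obfuscated_name(key: bytes, epoch: int, logical: str) -> str:
    """Deterministic physical identifier for a logical name under (key, epoch).
    Incrementing the epoch re-keys every name at once; without the key the
    next layout cannot be predicted from the current one."""
    digest = hmac.new(key, f"{epoch}:{logical}".encode(), hashlib.sha256).digest()
    return "x_" + "".join(string.ascii_lowercase[b % 26] for b in digest[:10])


class ObfuscationLayer:
    """Rewrites {table} and {table.column} placeholders to physical names."""

    TOKEN = re.compile(r"\{([A-Za-z_]\w*)(?:\.([A-Za-z_]\w*))?\}")

    def __init__(self, conn: sqlite3.Connection, key: bytes, epoch: int,
                 schema: dict[str, list[str]]):
        self.conn, self.key, self.epoch, self.schema = conn, key, epoch, schema
        self.decoys: set[str] = set()   # physical names of honeypot tables

    def table(self, logical: str) -> str:
        return obfuscated_name(self.key, self.epoch, logical)

    def column(self, table: str, col: str) -> str:
        return obfuscated_name(self.key, self.epoch, f"{table}.{col}")

    def render(self, sql: str) -> str:
        """Source looks the way it always has; what runs is quite different."""
        def sub(m: re.Match) -> str:
            return self.column(m[1], m[2]) if m[2] else self.table(m[1])
        return self.TOKEN.sub(sub, sql)

    def execute(self, sql: str, params=()) -> sqlite3.Cursor:
        return self.conn.execute(self.render(sql), params)

    def create_schema(self) -> None:
        for t, cols in self.schema.items():
            phys = ", ".join(self.column(t, c) for c in cols)
            self.conn.execute(f"CREATE TABLE {self.table(t)} ({phys})")

    def add_decoy(self, name: str, rows: list[tuple]) -> None:
        """Honeypot table with an authentic-sounding name and fake rows."""
        self.conn.execute(f"CREATE TABLE {name} (name, card_number, ssn)")
        self.conn.executemany(f"INSERT INTO {name} VALUES (?, ?, ?)", rows)
        self.decoys.add(name)

    def rotate(self, new_epoch: int) -> None:
        """Scheduled re-Ob: rebuild each real table under the new epoch's
        names by copy-and-drop, which works on any SQLite version."""
        old = ObfuscationLayer(self.conn, self.key, self.epoch, self.schema)
        self.epoch = new_epoch
        for t, cols in self.schema.items():
            phys = ", ".join(self.column(t, c) for c in cols)
            self.conn.execute(f"CREATE TABLE {self.table(t)} ({phys})")
            self.conn.execute(
                f"INSERT INTO {self.table(t)} SELECT * FROM {old.table(t)}")
            self.conn.execute(f"DROP TABLE {old.table(t)}")

    def decoy_hits(self, query_log: list[str]) -> list[str]:
        """Nothing legitimate ever reads a decoy, so any logged statement
        that names one is a high-confidence intrusion alert."""
        if not self.decoys:
            return []
        pat = re.compile(r"\b(" + "|".join(map(re.escape, self.decoys)) + r")\b", re.I)
        return [q for q in query_log if pat.search(q)]


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    layer = ObfuscationLayer(conn, b"example-key-not-for-production", 1,
                             {"customers": ["id", "email"]})
    layer.create_schema()
    layer.execute("INSERT INTO {customers} VALUES (?, ?)", (1, "alice@example.com"))
    # Constructed bait: fake name, a well-known test card number, invalid SSN.
    layer.add_decoy("customer_export_2019",
                    [("Pat Doe", "4111111111111111", "000-00-0000")])
    layer.rotate(2)  # end-of-month re-key: every physical name changes
    row = layer.execute("SELECT {customers.email} FROM {customers} "
                        "WHERE {customers.id} = ?", (1,)).fetchone()
    # Constructed audit-log lines: one legitimate query, one touching the bait.
    log = [layer.render("SELECT {customers.email} FROM {customers}"),
           "SELECT * FROM customer_export_2019"]
    return {"email": row[0], "physical": layer.table("customers"),
            "hits": layer.decoy_hits(log)}


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the article’s own argument: the mapping is a function of a secret key, so the key (and the current epoch) is the one thing that must live in the offline documentation rather than on the box, and the decoy table earns its keep as detection, not just as a distraction, because a single audit-log line that names it is an alert with no legitimate explanation.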

We must also provide facilities for coordination and OFFLINE secure documentation. There will be websites and external systems that communicate with the system in question that would also have to be re-keyed for each transition with new connection strings or whatever to fit the new Ob Schema. But that is the role and reason for these needed tools and the proposed title of Master Obfuscator.

Think of that person like a DB Admin. Once you develop the procedures, run the Ob utilities and automate it as much as possible, it will become as normal as anything and you will be receiving all the admiring glances at the next big IT meeting. Yeah. The Person That Doesn’t Get Hacked Anymore.

This is not a wild new concept; Security Through Obscurity has been debated for decades. The effectiveness of obscurity in operational security depends on whether the obscurity lives on top of other good security practices or is being used alone. When used as an independent layer, obscurity is considered a valid security tool.

In recent years, security through obscurity has gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception. NIST’s cyber resiliency framework, 800–160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment. The research firm Forrester recommends the usage of environment concealment to protect messages against state actors and other advanced persistent threats.

We can overcome the ransomware, data theft, loss of national security and IP leaks. All it takes is a bold new way of thinking about protecting our stuff with a hybrid of existing defensive technology, advanced Obfuscation and perhaps even a little Offensive mindset. Any takers on that last one?

To misquote a PT Barnum misquote, Never give a hacker an even break.


Kent Hartland

Semi-retired software developer, inventor, jeweler, knife maker, writer. I like tools that help me make things and people that listen to ideas.