Lately I’ve been thinking about threat response and new ways my environment can be threatened by an adversary. I keep asking myself a few simple questions, and I ask them all the time. What I am seeing now? Where will the next attack come from? What’s next?
To take a step back, my typical approach is to focus on my assets rather than attack vectors. Although critical to understand, individual attack vectors are not useful to guard against. Vectors are not quantifiable because they are unlimited. Resources available to me are limited, however. There will always be something new that I may not have thought of, but my adversary did. After all, I have to be right all the time and the bad actor has to be right only once.
Assets are a finite quantity. Assets I can understand, define, enumerate, qualify and quantify. They hold value to me and my organization. I can use various techniques and methodologies to protect them. I’ve been successful in layering defenses, diverting attacks, obfuscating access to my assets, deceiving attackers, micro segmenting my networks using true Zero Trust models, prediction, monitoring and automated responses, threat hunting and importantly - user education and validation that it “took”. Therefore, I can state with a high degree of confidence that I can successfully guard my assets.
My adversaries continue to evolve their tools and techniques. They are smart, dedicated and well incentivized. I look for ways to out-evolve my adversary and on board new tactics. It’s worked well in the past. My Deep Learning defenses were there 6 years ago and saved my networks from new threats, before AI became a buzz word. Zero-trust protection was there for me too, as had Identity Management and MFA. So what’s next?
I no longer think that my “military-grade” encryption is good enough. Brute force is the new threat. I’ve seen GPU machines that can break hashed credentials in a few hours to a week. I understand that Shor’s, Grower’s, QAOA algorithms can be used to break encryption using quantum machines, and GANs are pretty good at it too. Incidentally, you don’t need a powerful general purpose quantum computer like Google’s one, you can do it on a D-Wave or a Fujitsu annealer. I have whitepapers where math checks out, that give you a blueprint on the tactics. It’s time to move to post-quantum cryptography and it’s time to do it yesterday.