History lessons 4: What to do when an anomaly is detected?

David Rogers continues his blog series — commissioned by on-chip monitoring experts UltraSoC (now part of Siemens) examining security through the ages and highlighting lessons for emerging and future technologies.

There are many tales from history where things have been detected that have led to plots being uncovered. Some of this has been driven by prior knowledge, sometimes the actors involved are already under suspicion in some way and in other cases it is pure chance and luck.

Guy Fawkes
Source: Edgar Wilson “Bill” Nye (1850-1896 [Public domain]

The gunpowder plot to blow up England’s parliament in 1605 was ultimately discovered because of a message to a Catholic parliamentarian warning him to stay away from the opening of parliament on November 5th. It was dismissed as a hoax at the time, but the King’s suspicions were raised and he instigated searches of parliament, increasing security. On the night of November 4th, Guy Fawkes was discovered and caught as he was leaving the place where he had stored the gunpowder underneath parliament. It appears that this was genuinely an artefact of the increased vigilance, as a few days before, Guy Fawkes had reported to his co-conspirators that “he found his ‘private marks’ all undisturbed” at the site where the gunpowder was stored. This seems to indicate that Guy Fawkes had taken his own precautions against the discovery and potential sabotage of the plot.

Another interesting story of discovery and detection is the Babington plot against Queen Elizabeth I. Queen Elizabeth’s spymaster, Francis Walsingham, discovered that a group of Catholic plotters led by a man called Anthony Babington were communicating with Mary Queen of Scots in order to depose Elizabeth and put Mary on the English throne. Walsingham first used an agent to change and control the channel by which Mary was communicating, ensuring that messages to and from her were hidden in the corks of beer barrels. This allowed him to have them intercepted and deciphered. The plot was allowed to continue, while Walsingham waited and gathered further evidence through the letters.

In the technology space, detection and response mechanisms exist on the network side mainly. Network traffic analysis tools are now backed by AI and machine learning techniques. The techniques for handling large volumes of network traffic and processing this at scale to discover anomalies have come a long way but are yet to really properly take into account what is going on with the end points and certainly not the innards of them to a chip level.

Attackers already have a variety of ways to evade detection, having fought a cat-and-mouse game for many years. Intrusion detection and anti-virus systems often whitelist domains – so if an attacker is exfiltrating data through a legitimate service – Amazon AWS, or Google for example, it may be that a compromise is never detected. Equally, modern malware often protects its command and control channels by using encryption, a logical thing to do given that many enterprises and tools will be looking for maliciousness within traffic. Another factor is that the barriers to entry have been lowered significantly through free encryption certificate issuing services such as Let’s Encrypt. For a defender, deciding exactly what to look for is driven by external factors and intelligence feeding into systems that look for anomalies.

If something is infiltrated into a device it may also never exfiltrate its data out over a corporate IP-connected network and may never need to connect to a command and control server that way. There are now a multitude of connection types available to devices and many of these will both leave and not be in control of the business. Bluetooth, low-power radio networks and mobile radio connections could all be used at the right time to move data from a compromised device.

Of course the attacker may not want to take any data at all, they might just want to compromise as many devices as possible and lie in wait to turn on some form of destructive attack at a later date, such as a Distributed Denial of Service, ransomware or wiper-style deletion attack.

All of these types of compromise point to the need to have additional intelligence from devices themselves rather than just relying on the network traffic and there is no better place to do this than the foundations of the device itself, inside the hardware.

No matter where anomaly and intrusion detection are taking place, false positives are always going to be a problem and a risk. They could cause a defender to become fatigued with the number of alerts they are getting or to misplace resources. For safety critical systems, taking the wrong action on a security anomaly could create an unsafe situation for a system’s users.

What if the attacker deliberately behaves in a way that causes the system to do something?

Sophisticated attacks may seek to trigger false positives. Bruce Schneier’s book ‘Secrets and Lies’ talks about Mujahedeen attacks on Soviet bases in 1980s Afghanistan, where fence sensors would deliberately be triggered by throwing a rabbit near them. By doing this repeatedly, eventually the sensors would be turned off and next thing there would be a vehicle through the fence.

One could imagine this happening against monitoring at a low level in devices and the trick to dealing with this is to resist the temptation to take immediate action. Events should be appropriately assessed and systems designed in such a way that they do not tip-off or alert the attacker that the system is aware of anything out of the ordinary happening. This in the long-term also allows the defender to potentially gather intelligence on the attacker for later attribution efforts or for forensic purposes. Deciding exactly when to take action relies on taking a measured approach to whether damage or harm is going to be caused. This may be a human decision, but it may also be automated, so making sure the right decision is made is paramount.

‘Babington with his Complices in St. Giles Fields’, 1586
(Public domain)

In the Babington plot, Walsingham even manipulated Mary’s communications, adding text to a letter from her, requesting that the conspirators were named. This caused Babington to reveal their names, leading to the unravelling of the plot.

Manipulating attacker traffic in a system to send back false data or to lead the attacker into blind traps is much more sophisticated and a potentially risky operation, but could be possible, with the defender significantly regaining the initiative over an attacker.

In the case of Mary Queen of Scots, Walsingham waited until exactly the right moment to trap her having taken control of the situation to this point. The evidence in the end was so damning that it caused the linguist who deciphered her messages to draw a gallows on the letter before he passed it to Walsingham.

For more on how historical security measures and failures can help instruct the future of security design for hardware in connected devices, check out the webinar (co-hosted by UltraSoC CSO Aileen Ryan and Copper Horse founder and CEO David Rogers) accompanying this series of blog posts.

Next blog post in the series >> 5/5 The game of defence and attack

Previous blog post in the series << 3/5 Confusing the guards and what it means for future hardware chip design

About the author

David Rogers is Founder and CEO at Copper Horse.