Cyber-attacks are generally due to the introduction of malicious code or actions external to the target systems. Attacks are instigated by ‘external others’ who inject content or deploy that code to places where vulnerabilities (physical or electronic) exist, in order to effect some response change in the receiving system that benefits the attacker.
This disruption of the target responses is calculated to result in the extraction of ransom, denying access to the system, or influencing the integrity of the contents (e.g. to make a political statement). Compromising the Confidentiality, Integrity and Availability of the target system is the name of the game.
Cause and effect has been studied widely in the literature on systems behaviour, and is widely employed in Total Quality Management (TQM) and production and control systems where processes are utilised to dampen the effects of external influences and provide appropriate responses to system threats. The mantra of the Quality movement is that ‘people do not fail, processes do’ – to which we might add that computers occasionally do.
One of the most powerful tools in the TQM toolbox is the Cause and Effect ‘Fishbone’ (Ishikawa) diagram originally used to visualise how the processes employed can mitigate or prevent defects introduced in manufacture. Applying this model to Cyber defence follows a similar train of thought. In the internet age, the root cause of injection attack problems is external to the organisation but part of the wider network and to be resilient the system in focus uses the feedback from effects to improve and harden the system.
The six sources of system defence variation are:
- People: Those personnel tasked with maintaining the systems.
- Methods: How the business and defence process is performed and the specific controls for doing it, such as policies, procedures, and rules.
- Machines: Any equipment that is required to accomplish the job. Computers, Routers, Firewalls, etc.
- Materials: The software required to deliver and protect both the business process and defences.
- Measurements: Data, warnings, alarms or intelligence generated from the defence process that are used to evaluate its quality and effectiveness.
- Environment: The conditions, such as location, network location and gateways to other networks.
Production of a ‘two-headed’ fishbone diagram allows mitigating actions to be taken by the system to prevent the attackers’ preferred effect taking effect. The effects of previous attacks are incorporated into an agile feedback loop that amends the processes and provides protection from future attacks. An example is included below, with each defence variation adding a layer of protection to the system in focus.
The study of systems theory provides greater insight into how such cyber-attacks take hold by considering advanced socio-technical systems – not from the reductionist perspective of the physical response, but by the biological responses of network behaviour. Cause and effect in complex systems is not only physical. I get a different response if I kick a stone to the response I get if I kick a dog. That is, the stone will just move but the biological cognitive processes of the dog will allow it to analyse the incoming cause of the problem and make an adaptive response to the situation by either biting me or running away.
Business process works in a similar way. Processes underpin the adaptive responses of complex systems by providing the requisite variety to adapt to the environment and maintain their integrity by guarding themselves from subsequent attacks rather than being the passive recipients of events.
It is interesting to note that in the wake of recent sustained cyber-attacks like WannaCry or the dDOS attacks of 2016 that the socio-technical responses to these attacks have meant that subsequent attacks, where organisations were warned that the attackers had modified their software, have had lesser effects on services. Processes implemented in the nested response systems of the internet transform the effect of attacks into the adaptation and inoculation of systems against repeated malicious causes.
If you would like more information on cyber resilience read my (external) post on ‘7 Ways to build Cloud Resilience in your Organisation’ here .
See also on this blog: