Time is Money, Career & GDP
The iconic 5 part NIST Cybersecurity framework is missing a step. In between ‘Detect’ and ‘Respond’ should be ‘Contain’. Damage from cyber attacks is always material to the victim organization (globally totalling a staggering $600 billion or 1% of global GDP in 2018). It’s sadly also career-limiting for upto a third of the teams involved. In a mature cybersecurity ‘assume breached’ strategy, the goal is therefore to minimize and contain this debilitating attack damage, before the inevitable response and incident recovery processes kick in. All of which is triggered by accelerated threat detection time - the killer app for Chains of Custody!
Minutes vs Months
Two respected cybersecurity vendors lead the way with key data. CrowdStrike’s latest Global Threat Report includes the revealing ‘Breakout time’ metric, which highlighted a time to cyber attack damage as low as 20 minutes when Russian nation-state bad actors are involved.
That disturbing metric is in stark contrast with related recent results from FireEye’s M-Trends investigations. While Ransomware naturally skews recorded Dwell times (number of days an attacker is present on a victim network, from first evidence of compromise to detection) the 2018 figures reported by FireEye still range 2-4 months. Orders of magnitude between these respective damage and detection times proves there is ample opportunity for innovation in cybersecurity. Enter Chains of Custody.
Logically, the primary reason cyber attacks take so long to detect is that they’ve evolved the ability to hide very, very well. Correspondingly, Defense Evasion is the longest column of attacker tactics in the definitive Mitre ATT&CK matrix. Within that column, Indicator Removals are the most effective set of adversarial techniques used to evade threat hunters and forensic analysts alike. Splunk first identified this as an issue 4 years ago and more recently began homogeneously applying blockchain to address it. As ubiquitous privilege escalation vulnerabilities empower attackers to abuse centralized Admin authority / root credentials and certificates, that power is maliciously applied to bypass encryption & PKI to reconfigure and tamper with installed cybersecurity solutions. This vicious cycle is the core tactical problem not yet addressed by the cybersecurity industry.
From Vicious to Virtuous
Chains of Custody as a Service break that vicious cycle. Compromised centralized identities and certificates are no match for the irrefutable integrity of decentralized roots of trust. Tampering with hundreds to thousands of independent, globally distributed nodes on well-governed blockchains flips the script, and raises the cost of a cyber attack by orders of magnitude. Now we have a virtuous circle of tamper evidence and attestation of unprecedented integrity, rather than the vicious cycle of long dwell times where cyber attackers operate with impunity.
Getting started with Chains of Custody is easy, so why respond and recover when you can now detect and contain cyber attack damage faster than ever before?