Approaching Cybernetic Security
Cybernetic frameworks, the dialectical method, and the science of security
0. Defining Terms
- What's cybernetics?
- At its core, cybernetics is the study of feedback loops. An input goes into a process, which produces an output that becomes input again, either for the same process or for a different one. The thermostat in a building is an example of a cybernetic system: it measures the temperature, compares it to the setpoint, switches the heating on or off, and that action changes the very temperature it measures next.
- What's dialectics?
- In philosophy, dialectics is seeing the contradictions between things, how they interact, and how they propel themselves and each other forward through time. Within the scope of this paper, we will specifically be looking at the dialectic between theoretical knowledge (specific examples will be notated in green) and applied knowledge (which will be notated in red).
- What's a framework?
- A framework is a pattern to loosely follow to carry out a process. It's a guideline, essentially. An example would be the frame of a house; the structure is there, and everything else can be customized to your needs.
- What's a vulnerability?
- Within the context of security, a vulnerability is a weakness that an attacker can exploit. This could be a missed patch, misconfigured access controls, or even a lack of training. It's similar to the common usage of the word.
- What's mission criticality?
- This refers to how important a specific asset is to day-to-day operations.
1. Vulnerability Management
Vulnerability management is just that: ensuring that you have as few vulnerabilities as possible, and that the ones you can't completely escape are handled or mitigated to the best of your ability.
To start, you need to find out what exactly it is you need to protect. This is the discovery phase. Tools you can use for this include an all-in-one scanner such as Nessus, which reports the hosts, services and known issues it can see, or a port scanner such as Nmap, which tells you what each machine is doing based on its open ports (and, with OS detection, what operating system it is likely running). Keep in mind that a scanner only finds what it can reach: hosts that are offline, firewalled off or on a network segment you didn't scan will be missing, so cross-check the results against whatever inventory you already have.
Once you have a list of all your assets, it's time to actually assess exactly what it is you have. What operating systems do I have? Is this database using MongoDB or PostgreSQL? Do I have any particularly vulnerable software installed on these workstations? You can check all CVEs (Common Vulnerabilities and Exposures) at cve.mitre.org
Next, prioritize the most vulnerable assets, keeping in mind mission criticality: rank by the severity of the vulnerability weighted by how much the business depends on the asset. Your web server will be slightly less important than the database holding credit card information, for example. NOTE: when everything is the most important asset, nothing is. It may seem tough, but you will have to prioritize some things over others.
It's time to draw up reports of your findings. These can either go to the asset owners, or potentially up if they affect the entire system. Remember that some stakeholders may not be technically inclined, so using human language is important. Clear and concise communications are the key here.
It may not be Tuesday, but it's time to patch! In most cases, you don't want to patch everything all at once, just in case the patch breaks something. Patching is a bit like switching to a new kind of lotion; you want to test it in a small spot first to ensure you don't break out in hives later. Although in this case, the stakes are a little higher. No pressure! The most dangerous parts of your system will be the ones that are so old they can't be patched anymore. They've passed something called End of Life, which means they are no longer supported by the manufacturer. It's important to keep up with manufacturers' end-of-life announcements, so that you can find new solutions to replace old assets in time. After end of life, if a new exploit is found for the asset, it will become common knowledge quickly and be ruthlessly exploited, and there will be no fix to apply.
The last part of the cycle is the verification phase. Observe your systems and see how they handle the patch. Did it work? Are they still operational? Rescan to confirm that the finding is actually gone, and not just that a patch was installed.
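The steps above as one runnable cycle, added here as an illustration and not code from the original paper. The scan results and the "knowledge base" of affected versions are constructed (the service names, versions, severities and the `criticality` values are assumptions standing in for what Nessus/Nmap and a CVE feed would give you); the cycle itself is discover, assess, prioritize by severity weighted by mission criticality, report in plain language, patch, and verify by re-assessing.

```python
"""Vulnerability-management cycle: discover -> assess -> prioritize -> report -> patch -> verify.

Added illustration. All hosts, services, versions, severities and criticality
values below are constructed; they stand in for real scanner and CVE data.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    service: str
    version: str
    criticality: int  # 1 (nice to have) .. 5 (mission critical), set by the asset owner


@dataclass
class Finding:
    asset: Asset
    issue: str
    severity: float  # CVSS-like base score, 0..10 (constructed)
    end_of_life: bool  # vendor will never ship a fix; must be replaced, not patched

    @property
    def risk(self) -> float:
        # Severity weighted by how much day-to-day operations depend on the asset.
        return self.severity * self.asset.criticality


# Constructed knowledge base: (service, affected versions, issue, severity, end_of_life)
KNOWN_ISSUES = [
    ("webserver", {"2.4.1", "2.4.2"}, "request smuggling in demo-webserver before 2.4.3", 7.5, False),
    ("db", {"9.0"}, "authentication bypass in demo-db 9.0", 9.8, False),
    ("legacy-app", {"1.0"}, "demo-legacy-app 1.0 is past end of life", 6.0, True),
]


def discover() -> list[Asset]:
    """Discovery phase. Stands in for parsing scanner output; the data is constructed."""
    return [
        Asset("web-01", "webserver", "2.4.2", criticality=3),
        Asset("db-01", "db", "9.0", criticality=5),  # holds the card data
        Asset("hr-01", "legacy-app", "1.0", criticality=2),
        Asset("web-02", "webserver", "2.4.3", criticality=3),  # already on a fixed version
    ]


def assess(assets: list[Asset]) -> list[Finding]:
    """Assessment phase: match what is installed against known issues."""
    return [
        Finding(a, issue, sev, eol)
        for a in assets
        for svc, affected, issue, sev, eol in KNOWN_ISSUES
        if a.service == svc and a.version in affected
    ]


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; when everything is top priority nothing is, so the score decides."""
    return sorted(findings, key=lambda f: -f.risk)


def report(findings: list[Finding]) -> list[str]:
    """Plain-language lines for asset owners, in priority order."""
    lines = []
    for f in prioritize(findings):
        action = "replace (vendor ships no fixes)" if f.end_of_life else "patch"
        lines.append(f"{f.asset.host}: {f.issue} (risk {f.risk:.1f}) -> {action}")
    return lines


def patch(assets: list[Asset], host: str, service: str, new_version: str) -> bool:
    """Patch one asset at a time; a canary first, then the rest once it behaves."""
    for a in assets:
        if a.host == host and a.service == service:
            a.version = new_version
            return True
    return False


def verify(assets: list[Asset], before: list[Finding]) -> dict[str, list[tuple[str, str]]]:
    """Verification phase: re-assess and show which findings closed and which are still open."""
    after = {(f.asset.host, f.issue) for f in assess(assets)}
    before_keys = {(f.asset.host, f.issue) for f in before}
    return {"closed": sorted(before_keys - after), "open": sorted(after)}


def run_cycle() -> tuple[list[str], dict[str, list[tuple[str, str]]]]:
    assets = discover()
    findings = assess(assets)
    lines = report(findings)
    patch(assets, "db-01", "db", "9.1")  # highest risk goes first
    patch(assets, "web-01", "webserver", "2.4.3")
    # hr-01 cannot be patched: it stays open until the asset is replaced.
    return lines, verify(assets, findings)


if __name__ == "__main__":
    lines, result = run_cycle()
    print("\n".join(lines))
    print(result)
```

The verification here is the scanner's own view of the world; it tells you the vulnerable version is no longer recorded, not that the flaw can no longer be exercised. Section 4 takes that distinction further.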
What does this look like, exactly?
VULNERABILITY MANAGEMENT PROCESS
The figure shows the general process for vulnerability management. Keep in mind, this is a process, so cybernetically it will have inputs and outputs which will be expanded on and defined later in this paper.
2. White Hat Hacking
Penetration testing is a bit like a simulation of an actual attempted cyberattack. A white hat's job is to emulate what a bad guy (a black hat) could do to your system, and keep you informed so you can remediate issues they find.
Much like vulnerability management, hacking has its own framework, the MITRE ATT&CK framework. ATT&CK is a knowledge base of adversary tactics and techniques built from real-world observations, and it is mostly used to describe and classify what attackers actually did in a breach rather than as a step-by-step recipe; not every tactic appears in every intrusion, and some may be encountered or employed in a different order. The usual tactics are: reconnaissance, resource development, initial access, execution (running attacker-controlled code, not necessarily malware), persistence, privilege escalation, defense evasion, credential access, discovery, lateral (sometimes called East-West) movement, collection, command and control (C2), exfiltration, and lastly impact.
Within the scope of penetration testing, your job is just to see what you can find from the outside, attempt to gain access, maintain access for as long as you can, then report your findings to the relevant parties, while operating within the pre-agreed-upon rules of engagement. The fun thing about hacking is that you have to get a little creative with it; black hats are incredibly resourceful, so white hats must be as well.
What does this look like?
PENETRATION TESTING PROCESS
3. The Dialectics of Learning
With all of our terms defined, we can now begin piecing everything together. As stated in section 0, dialectics is a philosophical tool in which you observe separate phenomena and decipher how they interact with each other, change each other, and propel one another forward through time. In any process of gaining knowledge, your theoretical knowledge will influence your hands on tests in which you gain applied knowledge. The immediate feedback from your testing then goes on to update your theoretical knowledge. It's a cyclical process with a potentially undefined beginning and no end.
THE DIALECTIC OF LEARNING
That's all well and good, but what does this have to do with security?
You will gain theoretical knowledge during the vulnerability scanning process, such as a patch supposedly fixing an exploit, or deciding overall that your system is secure or not "in theory". You cannot know whether this theoretical knowledge is valid until you put it to the test, actually verify that what you thought was true is true, and update that knowledge accordingly. On the opposite side of the coin, the gathering of hands-on knowledge will flail around blindly without prior background information. Testing a specific part of a system will require its own theoretical knowledge gathering about that part. These two concepts cannot be separated. Having theoretical knowledge with no applied knowledge makes you an egghead. Applied knowledge with no theoretical knowledge is potentially dangerous.
4. Cybernetic Security
Much like dialectics, cybernetics is also a cyclical process. Inputs go into processes that spit out outputs that become inputs. Within cybersecurity, your vulnerability management is a process, and your penetration testing is a process, both with outputs that become inputs into each other.
CYBERNETIC INTERACTION
Your vulnerability management will provide you with the theoretical knowledge that your system is secure. It also can provide theoretical knowledge that recent patches made individual assets secure. You put this knowledge to the test by actually testing it, trying to break in and break things, so you can check whether it holds. Note the limit of that check: a test that finds nothing proves only that those particular attacks failed, not that the system is secure, so a clean test confirms the theory provisionally rather than with certainty. Additionally, the applied knowledge gained during the penetration test not only corrects (or affirms) your theoretical knowledge, but may find new vulnerabilities in the process. The dialectic is complete, we have a closed feedback loop, and both processes are able to move forward.
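The closed loop of sections 3 and 4 as a small model, added here as an illustration and not code from the original paper. The scenario is constructed: a host whose package database says the fixed version is installed while the long-running service still has the old code loaded because it was never restarted. The scanner (theory) reads the package version and declares the host secure; the penetration test (practice) exercises the flaw against the running service and disagrees; that disagreement is fed back into vulnerability management, which restarts the service, and the next round agrees. The version numbers, host names and the `pentest_probe` stand-in are assumptions.

```python
"""Vulnerability management (theory) and penetration testing (practice) as one feedback loop.

Added illustration. Hosts, versions and the probe are constructed; the probe stands in
for actually exercising the flaw the scanner believes has been fixed.
"""
from __future__ import annotations
from dataclasses import dataclass

FIXED_IN = "1.2"  # constructed: versions below this are vulnerable


def ver(v: str) -> tuple[int, ...]:
    """Compare versions numerically, so "1.10" sorts after "1.9"."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Host:
    name: str
    installed_version: str  # what the package database says; this is what a scanner reads
    running_version: str  # what the long-lived process actually has mapped in memory


def vuln_scan(host: Host) -> bool:
    """Theoretical knowledge: the scanner trusts the package metadata."""
    return ver(host.installed_version) < ver(FIXED_IN)


def pentest_probe(host: Host) -> bool:
    """Applied knowledge: try the exploit against the running service (stand-in)."""
    return ver(host.running_version) < ver(FIXED_IN)


def vm_process(hosts: list[Host], feedback: list[str]) -> tuple[list[str], list[str]]:
    """Vulnerability management: patch what the scan flags, act on what the pentest fed back.

    Returns (actions taken, hosts now believed secure). The belief is theoretical:
    it comes from the scanner, not from exercising the flaw.
    """
    actions = []
    for h in hosts:
        if vuln_scan(h):
            h.installed_version = FIXED_IN  # apply the patch
            actions.append(f"patched {h.name}")
        if h.name in feedback:
            h.running_version = h.installed_version  # restart so the new code is loaded
            actions.append(f"restarted {h.name}")
    believed_secure = [h.name for h in hosts if not vuln_scan(h)]
    return actions, believed_secure


def pentest_process(hosts: list[Host], believed_secure: list[str]) -> list[str]:
    """Penetration test: attack exactly what VM believes is secure; report the disagreements."""
    return [h.name for h in hosts if h.name in believed_secure and pentest_probe(h)]


def feedback_loop(hosts: list[Host], max_rounds: int = 5) -> list[dict]:
    """Run VM and pentest as each other's input until practice stops contradicting theory."""
    log: list[dict] = []
    feedback: list[str] = []  # output of the last pentest, input to the next VM round
    for rnd in range(1, max_rounds + 1):
        actions, believed = vm_process(hosts, feedback)
        still_vulnerable = pentest_process(hosts, believed)
        log.append({"round": rnd, "vm": actions, "believed_secure": believed,
                    "pentest_found": still_vulnerable})
        feedback = still_vulnerable
        if not still_vulnerable:
            break  # theory and practice agree; the cycle continues with the next input
    return log


def constructed_hosts() -> list[Host]:
    return [
        Host("app-01", installed_version="1.1", running_version="1.1"),  # patch pending
        Host("app-02", installed_version="1.2", running_version="1.2"),  # already fixed
    ]


if __name__ == "__main__":
    for entry in feedback_loop(constructed_hosts()):
        print(entry)
```

Round one ends with the scanner believing both hosts are secure and the probe proving `app-01` is not; round two starts from that feedback and ends with the two processes in agreement. The point is not the restart itself but that the "patched" output of one process is only a hypothesis until the other process has tried to break it.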
5. The Environment
In a vacuum, our process is sound, but no system exists in a perfect vacuum. There are external factors at play that we need to consider in our intertwined system; in cybernetics this is its own nebulous black-box system known as the environment. Outside factors can contribute to your applied knowledge, such as in the event of a breach, or they can contribute to your theoretical knowledge, such as bulletins from external manufacturers.
THE SYSTEM AND THE ENVIRONMENT
The factors that could be contained within the environment are too numerous to list, not only due to its opacity (think unknown unknowns) but also due to its chaotic nature. The environment, at the end of the day, comprises every other system in existence.