I came across an intriguing headline the other day: Malware coders adopt DevOps to target smut sites. The article, unfortunately, is fairly vague about what exactly that means, but it got me thinking about the potential implications.
It’s all just a function of rivals competing. Just as Company A has to find a way to work more efficiently and bring better products and services to market faster than Company B, malware developers need to be faster and more agile than their targets. In either scenario, DevOps can give one or both parties a competitive boost.
Although the article in question simply says malware developers are “now engaged in DevOps,” and claims it’s the first time that behavior has been seen from the dark side, the reality is that malware developers—even those in organized cybercrime groups—have always had an element of DevOps to them. By their very nature they’re more inclined to have shared responsibilities and to exhibit the sort of jack-of-all-trades cross-functionality that we expect to find in young startups.
“It has always been the case that most attackers embrace much more of a DevOps pattern than defenders. Most of these folks were born of the Internet way of thinking and nowhere in their playbook do they have the traditional data center change controls or any other big enterprise methodology,” declared TK Keanini, CTO of Lancope.
The problem that many organizations face when it comes to mounting an effective defense is a lack of situational awareness of their own environment. In many cases the attackers actually know more about the organization’s network and the assets connected to it than the organization itself does.
Effective defense also requires agility. Companies need to be able to adapt quickly and implement changes without impacting business continuity. Keanini says, “DevOps is one way to do this and something like the Rugged Manifesto does a great job of capturing the essence of what it will take to battle this threat day in and day out.” Here is the manifesto in full:
The Rugged Manifesto
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things – and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
The question is, “How?”
Keanini—ever the strategist—references the OODA loop, conceived by USAF Colonel John Boyd. OODA is an acronym for Observe, Orient, Decide, and Act. The concept was originally designed for military combat operations but can also be applied quite effectively in many areas of business. Applying it to network or endpoint security, the idea is to at least raise the cost of observation and orientation for the opponent—in this case the malware developers.
“DevOps can deliver this because change can be implemented as a defense whereby the adversary never has time enough to make enough of an observation, or orientation accurate enough for effective decision and action,” clarified Keanini.
There are a few different elements involved here. Continuous monitoring and continuous incident response are both applications of a DevOps mentality that can help organizations mount a more effective defense against sophisticated attacks. The OODA loop Keanini refers to is less about response and more about applying DevOps philosophies to take the strategic initiative away from the attackers in the first place.
One thing is certain: if malware developers adopt practices that let them craft and deploy attacks faster, businesses will have no choice but to find a way to adapt and defend more quickly as well.