Email Tradecraft: Not can you, but should you?

by | Oct 25, 2019 | Email Tradecraft, Enveloperty, Executive Email Security

Change It Up

Most security and policy is focused on definite, measurable indicators, which is why cryptography is so popular and artificial intelligence is growing. It is deterministic: you can go back and see how a decision was arrived at, and it produces very simple results. Does the hash of the message match the hash it was sent with, yes or no? This is a doctrine very popular in SIGINT (signals intelligence).

Enveloperty follows a murkier, organic tradecraft approach. Enveloperty empowers the user's natural intuition and perception to detect indicators of concern, a tried and true methodology found in HUMINT (human intelligence) for centuries, and an approach modern attackers are not investing in defeating. When attackers are neck and neck with defense, as they are in AI, it's time for defense to take a left turn.

Most security and policy is focused on cryptographic methods to verify a secure and safe channel for two parties to communicate. These solutions ask the question, "can we communicate?"

Enveloperty takes a step outward. Our hypothesis is that the key question in security is not can, but should. Enveloperty is all about asking the question, "should you communicate?"

Take the Snowden leaks as an example. Just like clever attackers, Snowden amassed so much information not by gaining access to the system, but by moving horizontally throughout it. Attackers take their initial access and expand and escalate it until they are off in areas they aren't allowed, or, in Snowden's case, was allowed but shouldn't have been. Long story short, there are two groups of people with access to everything: the executive leadership and the sysadmins.

Tunnel Characteristics

Enveloperty's approach is to have users create specific, finite, discrete tunnels to and from trusted contacts. These tunnels have the following characteristics:

  • Specific
    • Each tunnel should be unique and built for a specific contact; multiple contacts should not share the same tunnel. The tunnel should also have finite parameters (discussed below). For example, it should be marked that a tunnel from a junior engineer does not have permission to ask to buy things or transfer money.
  • Finite
    • These tunnels should only be created as needed. Anything like credentials or money should only be discussed on a tunnel. So if a user has only 12 tunnels, the exposure to phishing is 12, which severely limits the attack surface.
  • Discrete
    • Other tunnel addresses cannot be derived from exposed tunnel addresses. An attacker should not be able to derive your bank's unique tunnel address from the address you gave your dry cleaner. This is the main flaw of the + alias system: a plus alias such as user+bank@example.com exposes the base mailbox user@example.com, so valid email addresses are leaked by using aliases.

Embedded CI (counterintelligence) Tradecraft Principles

Enveloperty approaches this problem by emphasizing that the user put skin in the game and take the time to wonder what is odd about a contact. Giving users skin in the game by making a mistake visible incentivizes them to execute the organization's doctrine. Detecting deception is, in essence, just following up on what seems off about a situation. The CI tradecraft principles embedded in Enveloperty are:

  • Isolate
    • Just as in science you want only a single variable changing for attribution, in CI you want to isolate a subject so that no outside influences can act on it. Tunnels are isolated to a single contact to reduce noise.
  • Rationale
    • There are a finite number of reasons why a contact should be valuable enough to earn a tunnel. Supplying a rationale captures a snapshot of your thinking in the moment. Email that doesn't come through a tunnel should be regarded with exaggerated suspicion.
  • Confidence
    • The essence of being robust in an adversarial ecosystem is to have flex and to understand the probability of being wrong. Rating your confidence in your evaluation gets the user to think about what should transpire in the tunnel. Let's say a contact asks for money: if you have high confidence, then sure; if you have low confidence, then maybe you reach out through another line to confirm.
  • Suspicion
    • Have you ever thought something in your head, but when you said it or wrote it, it sounded really bad? That's the point of the suspicion text section. The act of forcing the user to write out what feels wrong may make them realize that the situation is much more serious. The coup de grâce is the section where the user has to write in what makes them suspicious about the contact. The heart of good CI is simply researching the things that don't feel right. This is where organic intelligence really does something that artificial intelligence can't: the user's gut feeling as they pull together all of their experience and examine the story told by the contact. The feeling is not quantifiable, but it is a spectacular resource.
  • Honeypot
    • Enveloperty is naturally a passive honeypot, but it can be leveraged into active jamming. Because each address is supposed to be held by only one contact, if the tunnel is compromised it is obvious where the information was stolen from. If a contact is a bad steward of your information, you can passively find that out very quickly and with confidence.
  • Jamming
    • Furthermore, loaded addresses can be given out and registered with the organizations that collect and sell contact information, so users of those addresses are immediately recognizable as having purchased your information and can be treated as such. A single fake address can be given out to multiple organizations to increase confidence in its authenticity, or many addresses can be given out to straight-up jam the system. Verify thirteen different addresses for your CEO, and imagine people's faces as they try to figure out which, if any, of those addresses are valid, knowing that if they pick wrong, their organization will be blacklisted.

Skin In The Game

These indicators are recorded in the Enveloperty system, displayed when a user interacts with a specific tunnel, and available to their security team. The security team could, for example, investigate low-confidence tunnels or pull keywords from the suspicion paragraph section for investigation. Furthermore, should an incident occur, the indicators are a recorded snapshot of how the user felt about the tunnel, information that can be used to improve an organization's security.

With these indicators in place, users have skin in the game. If they miss a huge suspicion or override an indicator to wire money, it is recorded. So they will be held accountable, encouraging them to think not just about whether they can do a thing, but whether or not they should. This addresses the key to phishing: getting people to do what they shouldn't.

A big deal only if you make it

The approach Enveloperty is taking seems novel in that most solutions progress further into algorithmic approaches, not away from them. This change in direction can majorly upset hackers' approaches, as they have to reformulate against different defenses. But the organic approach can only work if people use the software. Discussion and sharing is how ideas spread; ideas spreading is how customers are discovered; customers are how software grows and evolves. So if you like the idea of organic intelligence, talk about it!