Preventing Hacks at CERNA chat with Andrés Gómez
Have you heard about God’s particle? In 2012, the Large Hadron Collider
LHC) found the Higgs Boson; a particle predicted to exist in the
1960s thanks to the work of Peter Higgs and other physicists. The
consists of a 27-kilometer ring of superconducting magnets with several
accelerating structures to boost the energy of particles along the way.
finding the Higgs Boson had cost around
13.25 billion. Now you
have a sense of what we will discussing in this post.
Figure 1. Large Hadron Collider.
A good friend of ours and former
Fluid Attacks security engineer, has
been working in that huge scientific project. Andrés is a final
student in Computer Science at the Goethe University in Germany. His
work has focused on securing the computer grid that allows many
physicists around the world to analyze data on subatomic particle
collisions at the
LHC. He has a fantastic record in cybersecurity.
Before starting his doctoral studies, he found several serious
weaknesses in commercial software. One of his most striking findings was
the CVE-2013 3174
which refers to a Remote Execution Vulnerability affecting Microsoft
Windows Systems. You can read more about Andrés in his academic
or Twitter account.
What is your doctoral thesis about?
- “It is about creating a security monitoring system for the
ALICEis one of the major
LHCexperiments. The grid is made up of computer centers interconnected around the world that allow scientists to run applications for analyzing data obtained from particle collisions inside
ALICE. My project is composed of a software framework that isolates applications scientists use in a sandbox. Then, it collects information about the behavior those applications, classifying them as normal or malicious using Machine Learning (
ML). And finally, it allows performing actions upon detection of malicious behavior, such as sending alerts or stopping their execution.”
That’s amazing. Researching protecting such a tremendous scientific
“device” is undoubtedly a huge challenge. Andrés has been featured
in the prestigious magazine
He told us that the
CERN, owner of the
LHC, is a constant target for
cyber attacks and that this is not surprising: many
CERN systems are
exposed to the Internet. We wanted to know more about
ML in his work…
Tell us a bit about how ML contributes to the framework you developed
- “I used two
MLmodels. The first performs a classification of applications into malicious and non-malicious. The other generates synthetic attacks to improve the training of the first. I used thousands of examples of typical applications as well as
Linuxmalware for training and testing both models. My framework managed to identify malicious software with an accuracy of
99%and less than
0.06%of false positives.”
Impressive. We see a link to what we shared days ago on
antifragility and this cutting-edge work. By constant
training and exposure to stressors, the framework makes itself better
and better (just like lifting weights). According to Cybersecurity
by 2021 it is estimated that cybersecurity damages will add up to
6 trillion in the world,
3 trillion more than in 2015. These
designs, capable of detecting security weaknesses and responding are
seen as an answer for the rampant threats nowadays. If you want to dig
deeper into Andrés' work, here is a
link of a recent paper.
Figure 2. Gomez Ramirez, et. al. (2018) Proposed Arhuaco design architecture.
Now, we turn to more general security-related issues with him.
In your opinion, what trends in cybersecurity we should pay more attention to?
“I think of three relevant topics:
One is the use of Artificial Intelligence (
AI) for both attack detection as well as for vulnerability detection. I focused on the former in my doctoral research.
Another is the implementation of cryptographic techniques to increase reliance in execution environments, so user privacy is improved. For example, by using something called homomorphic encryption, an end-user could cipher his/her sensitive information before sharing it with a third-party (i.e., a company). The third-party can then perform operations over the encrypted data and finally, the user deciphers the results. No one (especially potential attackers) has access to plain, actionable data. Homomorphic encryption is used, for instance, in blockchain-based applications.
The last trend is the emergence of computer systems designed from formal mathematical models which, in theory, are vulnerability-proof.”
An example of that vulnerability-proof software can be found here.
As a company focused on proving security in an offensive way,
definitely a focus of research for us. Although we haven’t yet got dirty
AI artifacts, is something very likely to happen
What threats are worth "having on the radar"?
- “In general, with the rise of
AI, I believe we will start to see more attacks that learn automatically from the environment where they are carried out. Attacks on "Internet of Things" (
IoT) devices have also wreaked havoc in recent months. Finally, the leakage of sensitive user data is becoming more problematic as time passes on.”
IoT weaknesses and leakage of sensitive information are well under our
scope. We provide Continuous
hacking, as well as One-shot
hacking. If you have
deployed on your premises, we can help you identifying attacks vectors,
as well as providing ways to increase their security. We can help you to
protect better your sensitive information.
Our services rely on highly-skilled security analysts as well as on technology designed to deliver real value to your company. But, we go further. Get in touch so we can discuss how we can help you.
We continue our conversation with Andrés.
What do you think is a persistent problem within organizations?
- “I would say there are still many companies receiving well-intended warnings from third parties concerning security holes in their systems. But, instead of taking a good skill in fixing the problems and thanking the contributions, what they do is threaten or sue the guy pointing to the risk.”
This is a sensitive topic and a critique. We know that some companies foster this kind of actions in what is called Big Bounty programs, with clear rules and rewards. These companies, presumably, have reached an understanding of the costs of a cybersecurity breach, so these programs are a win-win. Is it a matter of rules? Is it a matter of incentives? It is a topic worth discussing in more depth in the future.
We want to conclude this post with two quick questions to Andrés:
Where should companies focus their learning efforts to improve their risk management?
- “Organizations should adopt a data-driven strategy and invest in automation. They should also invest in research to stay relevant in a continuously changing field.”
Do you expect any further development based on your doctoral thesis?
- “I am exploring to go further with the framework. The idea is to push what has been developed so far in a research stage into a commercial product that can be put to work in different organizations.”
We hope you liked this post in which we shared some experiences and opinions with Andrés. We would love to hear from you on these topics. Drops us a mail to [email protected] and engage with us!
Thank you, Andrés!