Stop Me If You’ve Heard This One

Here’s a controversial idea: the security industry is not making any progress.

Well, at least not in the way we were supposed to, or not as much as we think we are.

Sure, we are launching reusable rockets into space. We have self-driving cars, and smart phones, smart watches, and smart TVs. But in the security industry, I have a feeling that we’re holding ourselves back.

Take a look at the security conference circuit -- you may realize that while most talks tend to last about a year (to make the rounds across multiple conferences), some topics, or even specific talks, have a longer lifespan. Of course, when you are talking about fluffy topics like leadership, innovation, and the state of information security, a long life span is to be expected. We can talk ourselves blue in the face about how difficult the security industry is, how there will always be problems, how defenders keep failing, how the AV industry is dead (that’s the longest death I’ve ever seen, borderline torture!), and on and on.

But when a more technical topic comes to light, we must ask the question of relevance. Is this truly a new topic? Are we sure no one has presented this before? If not, a few more questions:

• To the presenter/researcher: What’s the point of presenting this again? Is there anything new since you have presented this last year? Do you have newer research topics that may benefit from exposure and sharing?
• To the conference: Are you comfortable with showcasing recycled research? Is your audience going to appreciate a talk that already went “through the speaking circuit” last year?

Long story short, we keep “educating” ourselves with old information.

One of the main reasons this is happening is due to the academic vs. professional gap. It seems to me that we are running in parallel tracks, conducting great research, but at the end of the day we rarely overlap, ultimately reinventing the wheel. In 2013, research published by the Fraunhofer Institute showed how it’s possible to transmit data over audio. Earlier this year, RIT published another paper about using audio as a side-channel for transmitting data. The only difference between the two papers was the medium (PC to PC on the 2013 paper, and using a phone call in the 2015 paper).

To drive this point home, I’ve published very similar research, with work proof of concept code to do exactly the same thing. This was published in 2011, and I have presented it in multiple conferences around the world. My research revolved around phone communications, but was applicable to any medium that would carry the sound far enough and with enough fidelity to the receiving end.

This issue reared its head again more recently. Research published by FireEye claimed to have broken ground on a new adversary tactic that the security industry has yet to understand -- utilizing legitimate sites (TechNet in that particular instance) as a C&C (Command and Control) to facilitate communications between malware and its operators. FireEye noted that, “Though the security community has not yet broadly discussed this technique, FireEye has observed other threat groups adopting these measures and expect this trend to continue on other community sites.”

My friends from RSA quickly noted that they have been tracking these same techniques for over a year (https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/). Furthermore, I remember during my web security days in 2008, we identified that the use of blogs, social media, and other legitimate services were going to pierce holes in the walls that security vendors were putting around the enterprise. I wrote about this in 2009. We still see this every day in the wild when we look at social media and the plethora of side-channel communications.

Somehow, we fail to look back and check whether someone has solved this before. We go out and market our “breakthrough” research as new and innovative. My friend Jack Daniel talked about this exact same problem at his talk “Standing on the shoulders of giants” (and the accompanying wiki at http://blog.shouldersofinfosec.org/). I’m left to wonder, what is really needed in order to apply additional due diligence rigor in our research? And this applies both to academia as well as the industry.

Here are a few more possible explanations for this problem:

• Information sources: this applies mainly to the academic vs. professional gap discussed above. They each have their own sources. Academics tend to have access to paywalled sources, which feel more “legitimate” because they are restricted and written by other academics (see how this becomes cyclical?). Likewise, the industry tends to rely on its own resources -- conferences, blogs, and articles. They often neglect to look even at the more open academic sources such as Google Scholar.
• Age gap: I’m afraid to put this on paper because it may peg me as old. I often run into younger researchers (industry and academic alike) that are so enthusiastic to hammer on an idea that they fail to look back even a few years (not to mention decades).
• Laziness: Despite the abundance of information these days, if we don’t get what we’re looking for in the first page of results, we write it off as “I’m onto something new.” Have we become so lazy and arrogant that we can’t run a few more searches using similar terms? Go beyond the first couple of pages of results to see if someone actually did something like this before.
• Marketing: If readers/listeners’ attention spans are as short as the writers/speakers, then why not recycle old content? Clicks are clicks after all. For serious information security practitioners, this should never be an excuse. For the industry to progress, we can’t let ourselves get caught in such patterns.

I’d hate to see my effort go into research that has been solved already. We have so many problems and new paths to blaze, that every time that I see a new “innovative, never-before-seen” research that reinvents the wheel, I cringe at the thought of what we might have missed.

I too am guilty of being over-eager in my research, but I am looking for solutions to the problem. I am getting more and more involved in the academic world as way of seeing how we can bridge this gap (and shout out to RIT for allowing me to work with you guys!) Another strategy is being involved in CFPs and making sure we don’t end up showcasing another version of something old. Conferences can help with this as well (thanks to BSides Las Vegas for the wonderful mentor program). But we still have many gaps.

What are your thoughts? How would you solve this?