Both sound and security events exhibit timbre, style, structure, and history. When evaluated with long-term proactive defence in mind, musical concepts such as chord structures, motifs, and improvisation can enhance our understanding of security events and may even help us anticipate future cyber threats.
Three chords and the truth
Some of the best-known and best-loved songs in Western popular culture are comprised of as few as three chords. It sounds simple enough. Any aspiring musician with a trusty red guitar will learn basic chords from day one, but it’s what musicians do with those three chords that make a song interesting or memorable. Chords that are played simultaneously or in close temporal proximity tell a story; they are an indication to us that something is going on.
The same principle holds true for cybersecurity. We may notice that a document here or there is leaving the network and travelling offsite. Assuming the frequency is intermittent and the content non-sensitive, such actions may not be significant in themselves. But let’s say metrics indicate a sudden spike in attachments or more frequent extractions of valuable confidential data. Suddenly, those emails become significant indeed. Not only do they indicate that something is going on; they indicate that we should investigate that something and determine the level of risk.
Much in the way a succession of chords in a song—and the pace at which they occur—can evoke a melody or signal a chorus, the speed and sequence of a cyber attack can help us determine the level of sophistication of the attacker, the style of the attack itself, and where the attack might be headed next. The same three chords from a country or rock tune may sound completely different in the hands of a jazz musician—rearranging the notes will produce different sounds, different themes, from the same basic chord structure.
Variations on a theme
What’s more, those themes are likely to repeat. Repetition of a motif is as common in music as it is in security. Beethoven’s Fifth Symphony includes many variations on a single theme; a computer virus may show similar variations. The four-note opening motif in what may be the most famous and most often played piece of music in the world is not only repeated throughout the composition, but the motif technique itself was commonplace in the musical language of Beethoven’s contemporaries and used throughout other compositions by other artists of the day. Beethoven took a simple idea and extended it, expanded it in all different ways to achieve specific desired effects. Security events are no different—the same motifs can be recycled over and over again to achieve desired outcomes.
Perhaps the most common motif in cybersecurity is the unwitting victim scenario: someone is enticed to click on a link or open an attachment and an attack begins. The re-use of malware or viruses and botnet hijacking of command and control infrastructure are two other examples of cyber motifs. Data patterns, repetitive behaviours, and timing between events can signal additional motifs or attack resources. How and when and at what intervals a pattern is repeated turns a motif into action, and the repetition of motifs create conceptually similar attacks.
Motifs are also analogous to cyber signatures. Patterns of bits and bytes can be detected in a stream of data or information to form an attack signature, and that signature can be used to identify attacks that target specific vulnerabilities (think Heartbleed). Operationally, a worker willing to sell sensitive data for a quick buck will have a very different signature from the accomplished industrial espionage expert or celebrated black hat. And when the attacker behaves like a jazz musician, playing the music over and over in new and ingenious ways each time—new tunes, inventive chord changes, collaborative or interactive adaptations—then the beginner’s red guitar will not be sufficient to thwart the attack.
Improvisation: magic in the music
Common security technologies such as firewall, antivirus, encryption, and authentication tools provide the equivalent of chord structures and motifs in the form of protection layers, but they do not necessarily have the capability to adapt or improvise in real time to combat malware that is inherently flexible. They cannot move, pivot, or otherwise adjust to an intruder whose infiltration tactics shift at will.
Security teams need tools and systems that allow them to communicate creatively and effectively. They need ways to tie their many defensive tools together, to move in time using repeatable protocols. They need to be able to take same basic materials and present them in continually more complex and varied forms. Much in the way a jazz group will collaborate and build new harmonies on the fly, will pick up each other’s cues and timing, security teams need tools that will allow them to adapt their rhythms, phrasing, and notes to meet the ever-evolving attack scenarios and remediation requirements on the security stage.
> See also: Mobile malware: the new school
After all, despite wide and varied attack styles, cyber threats still possess inherent levels of predictability and recognition that security teams can build from to become better equipped to handle attacks, more adept at virus detection and remediation, and more accurate in their identification of bad actors and network and system risk.
A roll of the dice
At the end of the day though, we have to recognise the tune; we have to understand and contextualise the data we receive—and there’s an inherent danger in looking at that data too closely. We can rely too much on predictive analysis tools and miss the signs of a faulty prediction. Influence, style, and mood can affect improvisation in a security context as much as in a musical environment: the same person may improvise differently in different situations, so security teams must learn to use different approaches to try to anticipate attack moves without removing themselves from the attack-response loop.
In other words, security strategies cannot unfold like a Mozartian dice game without the kind of creativity, labour, and inspiration that made Mozart’s music so effective. Purely objective approaches that fail to account for improvisation and natural variance can create unrealistic security expectations—and rather dull pieces of music. As with their musical counterparts, security metrics must be tempered and adjusted continually in order to be successful. No good musician will play the same song exactly the same way each time s/he performs. Performance to performance, differences will be present, yet somewhat predictable. That predictability is key to understanding innovative and productive approaches to cybersecurity defence.
> See also: The future of cybercrime
Chord structures, motifs, and improvisation offer security teams the basis for confidence, completeness, and congruity—all of which can be found in musical structure and security metrics if we learn to listen. If we have the confidence to ensure the data we have are useful and actionable, completeness in our defensive strategies, and the congruity required to keep all parts of that strategy moving together in concert, we’ll find our security teams singing from the same songbook, keeping the rhythms appropriate to various attack scenarios, and hitting all the right chords—a virtuoso security performance.
David Scott, Chief of Software Development at CSG Invotas
