Chaos Mathematics for Cyber Defense

The cyber world has existed since the 1980s, when the first IBM PC entered the market, and the same problem has persisted ever since: despite thousands of cyber companies employing the best minds in the world, attackers are always one step ahead, and a focused attack will always penetrate every existing defense system.
This problem is what brought Cyber 2.0 into existence. Despite all the protection systems deployed in the organization at every level of information security, attackers always manage to penetrate, spy, exploit and destroy.
The reason is pretty simple: there is no system that cannot be hacked. As a result, information security personnel are constantly chasing the next hack, preparing for the next penetration and drowning in a sea of alerts from various systems, all of which can eventually be bypassed.
Every new solution that appears every now and then addresses a new type of attack that the existing defense systems had not blocked until then.
Cyber systems across the world, both offensive and defensive, are based on biological models and just like biology, when a new virus emerges everyone gets infected until we discover a vaccine. "Viruses" and "antiviruses" are not accidental terms borrowed from the world of biology by the cyber world.
It seems that cyber attackers are even more sophisticated than those in nature. For example, we see cases in which attackers reach the organization's data through its users by sending a link or an email, passing the known defense systems and installing themselves disguised as a known program (a browser macro or a PDF reader update, for example), ostensibly with the user's consent (without the user knowing it, of course).
In the next stage, after the malicious software has tricked the initial defense, it systematically neutralizes all the existing defenses, spreads over the network, encrypts files, sends out information, enables remote control, or just waits for instructions from its senders.
How, then, do you break this vicious circle?
In the first stage, we understood that the solution had to come from outside the biological world. It was clear that any solution based on one biological model or another, such as anomaly detection or behavioral analysis, would inherently suffer from the same problem.
About seven years ago, while listening to the weather forecast, our CTO heard the newscasters describe the weather as fickle and unpredictable. The term that came up was "chaos." The dictionary defines chaos as disorder. However, "chaos theory" is a term from mathematics that expresses order, and not just order but perfect order: two systems that start from the same point and pass through the same path will always produce the same result. But the slightest change in one of the systems along the way will result in an increasing deviation over time and a completely different result. Chaotic systems are dynamic, with very high sensitivity to very small changes.
We thought it would be possible to build a system based on the same chaos laws but using a mathematical axis instead of a time axis, and that the chances of it being hackable, even if all hackers in the world tried to attack it, would be equal to the chance that all forecasters and scientists would be able to breach the weather system in a way that allows them to provide very accurate forecasts for every minute of the day over the next 15 years.
All the systems that exist today in the cyber world work according to the same principle: first detection, then prevention. That is, they first try to identify the malicious software and then warn about it or stop it. Naturally, identification can never be complete. Cyber 2.0, however, skips a stage by applying zero trust: blocking without detection.
Even in the blocking phase, we see failures in the existing cyber systems, which result from the system itself being destroyed or bypassed by the attackers. As soon as the system fails or is hacked, its blocking fails too. Cyber 2.0 is designed to keep protecting the organization even if it completely fails, is hacked, removed or modified.
How is this possible? The organization defines the software that is allowed to leave the computer (dozens of programs, all installed by the IT managers, including e-mail, accounting and Office). We call this "legitimate" software. Any software that is not defined as legitimate, whether it is malicious, new, an unknown virus, or any other program, is automatically defined as "illegitimate" and is not trusted.
Unlike all other cyber programs, which try to stop what they think is malicious, the Cyber 2.0 system works the other way around: if the software is defined as legitimate by our system, the system scrambles the port through which its traffic leaves. At the entrance to the next computer, the system applies the transform again, which returns the port to its original number, and the traffic enters the computer as planned.
If, on the other hand, the program attempting to go out is not defined as legitimate, the zero-trust mechanism turns on: the port is not scrambled at the exit, but it is scrambled at the entrance to the next computer, so the traffic lands on the wrong port and is blocked. If I don't know you, I don't trust you, and I will never scramble you.
Why is the system so powerful? Because any attempt to bypass or break the software will cause the malicious software to leave on its original port. But Cyber 2.0 was never going to scramble that port in the first place, so the system's failure or bypass changes nothing, and the software is blocked just the same.
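A toy model of the exit/entry port mechanism described above, added here as an illustration; it is not Cyber 2.0's code, and the keyed affine permutation of the port space is an assumed stand-in for the real, undisclosed transform. It shows the three cases the text walks through: allowlisted software arrives on the intended port, unknown software lands on the wrong port, and a disabled sender-side agent fails closed.

```python
from typing import Set, Tuple

PORT_SPACE = 65536  # 16-bit TCP/UDP port numbers

# Hypothetical shared key (ASSUMPTION): an odd multiplier, invertible mod 2**16,
# plus an offset. The real mechanism is proprietary; this only models its shape.
KEY_MUL, KEY_ADD = 40503, 12345


def scramble(port: int) -> int:
    """Keyed permutation of the port space; stand-in for the real transform."""
    return (port * KEY_MUL + KEY_ADD) % PORT_SPACE


def unscramble(port: int) -> int:
    """Inverse of scramble(): remove the offset, multiply by the modular inverse."""
    inv = pow(KEY_MUL, -1, PORT_SPACE)
    return ((port - KEY_ADD) * inv) % PORT_SPACE


def egress(process: str, dst_port: int, allowlist: Set[str], agent_intact: bool = True) -> int:
    """Sending host: only allowlisted software, through an intact agent, is scrambled.
    Everything else leaves on its original port (zero trust: unknown means untouched)."""
    if agent_intact and process in allowlist:
        return scramble(dst_port)
    return dst_port


def ingress(wire_port: int, listening: Set[int]) -> Tuple[int, bool]:
    """Receiving host: unconditionally apply the inverse transform, then check
    whether any service is actually listening on the resulting port."""
    port = unscramble(wire_port)
    return port, port in listening


def deliver(process: str, dst_port: int, allowlist: Set[str],
            listening: Set[int], agent_intact: bool = True) -> Tuple[int, bool]:
    """Full path sender -> wire -> receiver: (port seen by receiver, accepted?)."""
    return ingress(egress(process, dst_port, allowlist, agent_intact), listening)


if __name__ == "__main__":
    ALLOW = {"outlook.exe", "excel.exe"}   # constructed allowlist of legitimate software
    LISTEN = {443, 445}                    # constructed set of listening services
    print(deliver("outlook.exe", 445, ALLOW, LISTEN))         # arrives on 445, accepted
    print(deliver("dropper.exe", 445, ALLOW, LISTEN))         # lands elsewhere, blocked
    print(deliver("outlook.exe", 445, ALLOW, LISTEN, False))  # agent disabled: blocked
```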
An attempt to change the list of legitimate programs is also doomed to failure, since the chaos mechanism will block it.
Most importantly, there is no need for many layers of defense. There is no need to chase and analyze alerts, and, just as importantly, the IT manager has peace of mind.
Cyber 2.0 was born from the idea that if you keep doing the same thing, you will always get the same results. We don't do detection and then prevention; we do prevention and then detection.