The Imitation Game: Turing's Lessons Applied to Cybersecurity

If you were fortunate enough to have seen the brilliant new film "The Imitation Game" chronicling British mathmetician Alan Turing's work to break the encryption of Nazi's Enigma machine, you witnessed many important lessons which can be applied today to cybersecurity.

Turing, an early pioneer of modern computing, was one of the first hackers. He applied the same principals attackers use today to exploit software and compromise computer networks in order to break the Enigma cryptography scheme employed by Nazi forces. The Nazi's used Enigma to encrypt military communication with an unprecedented cipher complexity of 150 trillion total possibilities.

What important cybersecurity lessons can we learn from the movie? Turing's epic hack which was depicted in this film, resulted in decreasing World War II by an estimated 2-4 years. Many military historians call this act the tipping point that helped aid the Allied forces in their quest to win the war.

Computer passwords, like Enigma's encryption, are vulnerable to commonly used words and phrases. By studying the probability of phrase occurences, Turing's team at Bletchley Park were able to apply a "dictionary attack" by replaying commonly used phrases like "Heil Hitler" against Enigma's cryptographic messages, thus successfully decreasing the cipher complexity by significant orders of magnitude.

Studying the tools, techniques, and tactics (TTP's) of your advesary can often be the determining factor to unlocking the patterns required to detect an attack. This was not only relevant to Turing's team finding patterns in Nazi military communications, but also applies to cyber attackers and is the basis of "cyber threat intelligence", which is quickly becoming a key defensive strategy to combat targeted cyber attacks. The study of Enigma operators and decrypted messages, showed consistant patterns and high probability of repeated phrases. Ein, which is German for "one" was included in 90% of messages. The discovery of the word "Ein", helped multiply the effectiveness of the "dictionary attack".

Use your advantage against your advesary. Turing's team took painstaking efforts to hide the fact the Allies broke Enigma's encryption. It was broken to allow unfettered spying on the enemy and to eliminate their ability to change their tactics or revise the encryption to a new cipher. The same technique happens to be one of the most effective methods to establish attribution behind an advanced cyber attack. Sometimes understanding an attacker's intent is the best indicator of attribution you can achieve. Advanced cyber intelligence programs rely on containment with persistance - meaning, allowing the adversary to continue their hacking in a spoofed or controlled environment without knowledge of detection. Warning: This requires a high level of capability maturity and can pose significant risks.

There is no such thing as a fool-proof security control. Enigma, although the pinnacle of security technology during it's time, was ultimately defeated by determined attackers from the Allied forces. Cybersecrity controls can continually raise the bar, but cannot completelty halt a determined cyber attacker. In fact, today's attackers have it much easier. In Turing's time there was no mechanism to connect billions of people in a matter of seconds, enabling the ability to collaborate for good or nefarious purposes. Today, with the internet, it's much easier to apply knowledge, computing power, and basic hacker techniques, to defeat the next generation of cybersecurity controls. Keep this in mind when developing your own organization's security strategy: there is no silver bullet product or vendor that can ensure 100% security. You need to build layered security into your organization at every stage possible. With some hard work and luck you can keep the bar high enough to avoid most attacks.

So while you're enjoying our movie reccomendation with a hand-full of popcorn, remember what lessons Turing taught us, and how you can apply them in your own cybersecurity program. Adopting a hacker mentality, thinking like an attacker, studying their techniques, and experimenting with new ideas, is not only critical for breaking security, but can also be the key to defending security as well.