Creolisation, Tergiversation and Equivocation of IR language

July 20, 2018 in Off-topic, Preaching

There is a lot of fun made of the marketing language of infosec. Anyone who is a bit technical knows that it’s a snake oil game that aims at selling at all costs, and the cyber terms coined by the marketing gurus make us all shake our heads (cyber pathogens, cyber Armageddon, cyber Pearl Harbor, cyber 9/11, etc.).

For a change, I’d like to talk about the language of the people working in IR. I find it quite interesting and actually struggle a lot with adopting certain terms, as they sound quite foreign to me, if not pretentious.

Newcomers entering this field don’t have an easy life, at least from a linguistic perspective. The field is relatively new; many people still enter it by chance, or thanks to their background in various ‘related’ disciplines: law enforcement, digital forensics, audit, fraud analysis, network engineering, system architecture, reverse engineering, malware analysis, intelligence services, helpdesk, as well as completely unrelated ones: chemistry, biology, medicine, music, and many others. They bring their habits, language, points of view, and attitude, which I think make an impact on the IR lingo: one that resembles a pompous creole language of sorts.

Many people who came to IR with Digital Forensics experience tend to be very cautious and make lots of statements that are very much aligned with the legal responsibility they encountered as forensic experts testifying in court. They bring tons of words and statements that often feel like weasel words to technical people who have never experienced the harsh scrutiny witnesses face in court. Hence, we start saying ‘allegedly’, ‘probably’, ‘it would seem’, ‘evidence suggests’, ‘I believe’, etc. more often than in the past. Everything is possible, but… everything is also uncertain.

The non-technical individuals with a military or intelligence background brought us a very large corpus of terms that even a few years ago no one in infosec had heard of. There are no more ‘bad guys’, ‘virus writers’, and ‘hackers’. Now we all talk about ‘actors’, ‘adversaries’, ‘intel’, ‘TTPs’, ‘indicators’, ‘HUMINT’, ‘SIGINT’, etc., and since we entered geopolitics we also have ‘attribution’ and ‘nation state actors’, plus ‘red teams’ and ‘blue teams’. And let’s not forget to mention the popular units ‘8200’ or ‘61398’. Oh, and we totally ‘nuke’ things.

Let’s admit it. Compliance guys came up with a lot of good ideas. While many technical people don’t like compliance, or auditors, and perceive these ‘checkbox activities’ as the embodiment of this industry’s ignorance, it is really important to highlight that compliance frameworks do impact organizations in a very positive way. They bring structure, force orgs to create processes that introduce accountability, affect the architecture, and change the way they do business. As for the language, we all now know about ‘confidentiality’, ‘integrity’, and ‘availability’, don’t we? We also know about ‘business resilience’, or ‘disaster recovery’. And lo and behold – we even started thinking more about the business we protect than just looking at the technical aspects of attacks and eyeballing the blinkenlights. While we are a ‘cost center’, it is important to give a bit of thought to the ‘customer’, and to where the monies come from. And in my experience the last bit appears in conversations (in technical circles) far more often now than, say, 10 years ago. Then we have ‘findings’, ‘RFIs’, ‘risk scores’, ‘risk posture’, ‘risk management’, ‘data in transit’, ‘data at rest’, and lo and behold… ‘security controls’, and ‘acceptable use policy violations’. POS malware also brought a lot of opportunities to discuss ‘magnetic stripe’, ‘track data’, and ATMs. IR is becoming compliance on so many fronts!

Then we have network engineers; even today we come across guys who use somewhat archaic-sounding terms like ‘octets’ for the bytes transmitted in packets (it is still the standard RFC term for an 8-bit byte). You probably rarely hear of datagrams, but you definitely hear ‘egress’, ‘ingress’, and ‘routing’ all the time. Many younger people find these concepts a bit unclear, as in 2018 we all tend to think of uploading / downloading, or sending / receiving data, because… well… that’s how the internet works today (in general, I think the mindset of many people entering IR now sits at a much higher layer of the OSI model than, say, in 2000).

Scientific language brought us ‘viruses’ and ‘samples’ of course, but there are now also ‘implants’, ‘payloads’, ‘detonation’, ‘anomalies’, ‘regression’, ‘machine learning’, ‘clustering’, and ‘graphs’. And then there is the whole gallery of code names borrowed from the animal kingdom (‘pandas’, ‘bears’, ‘kittens’, ‘tigers’, etc.). We do ‘proofs of concept’ in ‘labs’, and we work on our ideas starting with a ‘hypothesis’. And as for medicine… some time in 2017 there was a Twitter question about tech terms that have their roots in medicine. I, among others, contributed quite a few answers to that thread. I thought it would be nice to just drop a superset of IR-related terms here:

abort, agent, anatomy (of a virus), anomaly, antiviral, assessment, attack, backbone, backtracking, bacteria, blackout, blue pill, buffer, cell, census, channel, check-up, clone, compress, congestion, contagion, containment, contamination, defect, defense, diagnose, diagnostics, disc, disease, disinfect, dissection, dissemination, DNA, downstream, epidemics, eradication, exercise, extract, gene, genetic, heartbeat, host, hub, hygiene, immune, immunize, implant, indicator, infection, infestation, influenza, inject, injection, inoculation, isolation, lab, life-support, malignant, microbe, monitoring, mutation, nematode, outbreak, patch, pathogen, pathology, patient zero, pattern, penetration, post mortem, probe, prophylactics, quarantine, recovery, red pill, remedies, replication, retrovirus, sample, sanitization, scanning, screen, segment, spread, stat, stop the bleeding, strain (as in malware strain), stress test, subject, system health, tag, test, transmission, trauma, triage, USB condom, vaccine, vector (as in attack vector), virus, vitals, vulnerabilities, worm, x-rays (type of malware scanning), zombie

And last, but not least – let’s not forget about the ‘centrifuges’. Who in infosec would ever imagine talking about stuff like this 10 years ago… ???

Despite all our efforts to stay technical and binary, it would seem that we are more and more vague, indecisive, perhaps way over our heads. We are accidental ‘jacks of all trades’, in roles that deal with more ambiguity, uncertainty and pure ignorance (our own!**) in need of quick and urgent fixing, all the time, than any other IT position (**not a fault; we simply don’t know everything and always find something new to learn).

We are cyber-warriors, cyber-ninjas, white hats, busticati, evangelists, thought leaders, and even celebrity CISOs. But perhaps also, and often without any bad intent, just very lucky career-oriented, fad-driven, over-entitled impostors and… kinda infosec bots. I am confident in my belief that we should wait for more evidence to support my hypothesis, and until then, let’s tentatively agree that IR is an art, and that if we lived in ancient Greece, there would totally be a dedicated muse for it.