Cyber domain black swans

What are black swans? In defence, a black swan is a way someone has passed all your defences, although you thought you covered all the attacking vectors.

A black swan is an incident that you didn’t participate. It’s a sign for the irrational way of human thinking. When you see only white swans, you don’t think there is a black one. In the cyber domain, there are black swans in defence and offence.

In defence, a black swan is a way someone has passed all your defences, although you thought you covered all the attacking vectors. Edward Snowden is a good example. Other examples are Angler Exploit Kit, Taomike SDK or the latest ransomware that would publish your files if you don’t pay.

In offence, a black swan is a way that a hacker has been caught in a way he didn’t predict. It could be a trap or another mechanism that exposed him before he got what he wanted. Worst, it could be a way that the defender applied to attribute the attack to him.

To make the discussion clearer, let’s look at basic assumptions in both offence or defence. The defender assumes that the attacker is already in his network. From the defence perspective, the operating space is divided to perimeter and the internal network.

Tools like Firewalls, IDS/IPS and Anti-DDoS are examples to perimeter defence. Behavioural analytics solutions are the most common for the internal network. The defender is looking to create black swans in the attack vector path that would expose/block the attack in the external/internal domains.

A hacker assumes that the attacking vector will be exposed by the defender. From the offence perspective, there are no external/internal domains. the hacker has a goal, collect information or cause a damage. to do it, all options are on the table, including HUMINT and digital methods.

When I talked to Israeli hackers about their definition for a black swan, the most common answer is an exposure they didn’t predict.

“When you plan an attack, you should think for every move that you will be exposed. the question is what do you do then [What-If scenario]”, Said a well known Israeli hacker.”In some scenarios, the defender will get an alert in the SIEM, but will dismiss it as not important. In others, you will be exposed inside the defender network, and a decision should be taken – to abort or use deception. In some cases, a black swan can be a backup procedure you didn’t predict up front”.

As mentioned before, a black swan is something that you can’t predict. if, for example, the hacker is bribing or blackmailing some of your information security stuff in advanced, that’s a black swan for you.

If the attacker is implementing a malicious electronic chip in the network equipment that you bought from a known manufacturer [As did the NSA with Cisco equipment], that’s a black swan for you. If your CEO of is hiring a “Cyber mercenary” from the darknet to hack your company, that’s a black swan for you. Another could be a mini computer with Kali Linux hidden in your network pretending to be a legitimate network entity.

A recent black swan scenario happened at DISA [Defense Information Systems Agency] by the contractor that hired Russian programmes. They implemented a code that apparently led to the presence of viruses in the U.S. military’s communications systems.

There is no doubt that in today’s cyber domain, it’s all about black swans. The defender wants to surprise the hacker and vice versa. that’s the reason why defence solutions companies are looking for hackers, and hackers are looking for experience in defence procedure   – it’s take one to know one.  Writing code is not enough. If you don’t think as a hacker [or defender], you won’t be able to see your black swans.

Written by Ami Rojkes Dombe

Edited by Pierluigi Paganini

(Security Affairs – black swans, hacking)