© 2019 SourceMedia. All rights reserved.

The best cyber security defense: Thinking like an adversary

A line from Mr. Robot’s Ray Heyworth sums up the failure of much of today’s cybersecurity thinking: “Control is about as real as a one-legged unicorn taking a leak at the end of a double rainbow.”

Enterprises need to shift their mindset from thinking primarily from a defensive perspective to thinking about how an attacker would infiltrate their system and use that knowledge to inform their defensive posture. But what does it mean to think like an adversary? What does this actually look like in practice?

Enterprises know they have a “security problem,” but many have only a vague understanding of how to solve it. They might think that AI could help prevent malicious access to their network and help safeguard their sensitive data but aren’t sure about the particulars (or even the how). There is a simplistic conversation going on about security in the industry that centers on what security tools are on the network and what function they serve. It’s simplistic because it isn’t the whole story.

Part of this is because companies are dealing with a limited set of data informing their security outlook. The common information and context about cybercriminals are heavily influenced by mechanisms like marketing and media, neither of which actually care about solving the problem.

adversary.jpg
A stream of binary coding, text or computer processor instructions, is seen displayed on a laptop computer screen as a man works to enter data on the computer keyboard in this arranged photograph in London, U.K., on Wednesday, Dec. 23, 2015. The U.K.s biggest banks fear cyber attacks more than regulation, faltering economic growth and other potential risks, and are concerned that a hack could be so catastrophic that it could lead to a state rescue, according to a survey. Photographer: Chris Ratcliffe/Bloomberg

For cybersecurity professionals, information is hard to come by for two primary reasons. One is the difficulty of gathering or accessing the right data. The other is the current (and ineffective) focus on generating alerts in siloed data – and then attempting to make sense of the ensuing flood of alerts and turning this noise into a coherent story of what happened, how it happened and what risk it poses to the business.

Typically, the most advanced cyber operations—and the tools that go along with them— are only deployed against the most hardened targets. Yet the vast majority of network intrusions, even those executed by nation-state actors, use simple tactics like spearfishing. It is important to keep in mind that the principle of low-hanging fruit applies here. No matter who the adversary is, they will use the lowest-level-of-effort tactic or tool they can to achieve their objective.

Shifting the Paradigm and Thinking Like an Attacker

Many security teams in the corporate world are attuned to thinking defensively – lots of blue team work, less red team work. This defensive thought process takes the form of questions like, “What defensive tools do I need? How high do I build my walls? How much barbed wire do I put on top of them?”

These are important questions to ask, but your security team should instead be asking them in the context of who your adversaries actually are, how they work and how they think. With insight on those questions, a defensive posture that is efficient and effective becomes possible.

That isn’t what’s happening right now, though. Organizations are stuck in an outdated paradigm in which perimeter security was the end-all-be-all of securing a network. You can build the tallest wall, but if the adversary coming after you has the resources and ability to scale it – or the ability to tunnel under it – it doesn’t matter how high you build it. You could spend millions of dollars on firewalls, proxies, and intrusion detection and breach detection systems and have them be completely useless in the face of what your actual threat is.

The challenge is that most enterprise systems rely on a previous or even current understanding of the adversary to be able to detect what the adversary is doing now. However, today’s adversaries are constantly changing their tools, tactics, and infrastructure. So instead, focusing on network activity is a more effective posture. This “bytes on the wire” ground truth could be, for example, netflow. It’s incredibly hard for adversaries to hide byte movement from one computer to another; using it as the foundation for threat detection is a logical next step.

Enterprises face a threat landscape that is immense in scale and exceedingly complex, which means a more strategic approach to security is required. Systems and tools are a core component, but reframing the approach to think like the adversary is key. The boat doesn’t need to be rocked, though. This doesn’t have to be revolutionary; it can be an evolutionary approach. The Mitre ATT&CK framework is a great starting place to look at adversary behavior and how to approach a defensive posture.

Companies are facing all types of threats – from the pedestrian to the most complex. That makes learning to think like an adversary a foundational strategic advantage.

For reprint and licensing requests for this article, click here.