There’s an ongoing debate in the cyber security community that to be good in cyber security, you need to think like an attacker. The danger with this ideology is that it’s prophetically false and leads to a false sense of security allowing you and your organization to be far more exposed than you ever realized. Thinking like an attacker lures the cyber security professional into a false sense of security based on their own egotistical sense of their intelligence or worse. The objective of the cyber security professional in today’s ever changing world is to become expert security strategists and to learn to think strategically like a general, not think like an attacker.
Think like An Attacker
I hear this all the time, and it’s frankly the wrong approach. I was really surprised when David Pollino, an SVP and Fraud Prevention officer, mentioned this in a recent interview that he gave. Pollino argues for learning the information for learning what type of information attackers are targeting and moving to secure that information at all costs. This is the fundamental reason learning to think like an attacker is the wrong approach when approaching cyber security. It’s a cause and effect approach and it focuses entirely on being reactive to the attacker and their actions.
When adapting the thinking like an attacker ideology, it usually goes one of two ways, the first being I am an attacker, how would I break this? The second being closely related and exactly what Pollino was hinting at: What information and/or targets are would attackers be attempting to steal?
There are several problems with this line of thinking…
Attackers are well armed
Would be attackers to your organization are well armed, they share information rapidly with one another or they have multiple people and resources at their disposal. A well sourced and outfitted group can quickly gather intelligence, strategize and change direction very quickly against your organization. Whereas your organization is a big ship, with layers of management and a business to run while trying to be safe. The attackers business is harming your business. They have one objective, you have many objectives. Therefore, while you’re still gathering your intelligence, they are planning for another attack based on the results of their last attack.
Attackers are Multiple
The really dedicated cyber security attackers far outnumber your organization or the resources your organization is probably willing to invest in cyber security. For every one cyber security professional you hire, I would bet there is 1 group consisting of 2 or more people attempting to attack your organization. You are vastly outnumbered, but you’re not outnumbered in the sense there is one massive army going to battle with smaller yet still massive army. It’s your army against 10’s -> 100’s of small distinct groups all watching and potentially sharing information with each other whereby you might respond to one group of attackers, another is waiting for that opening you just created or anticipating that response already.
Attackers Are Hard to Find
Learning all you can about your attackers is a difficult task to undertake. However Pollino suggests that we should, and we should learn their tactics and share the information around, across multiple agencies, organizations and partners. Sophisticated cyber attacks are difficult to replicate. The reason they’re difficult to replicate is usually once one organization is breached in a sophisticated attack, not only do they start to take actions to remedy the situation but it behooves the entire sector to ensure they aren’t exposed in a similar way and often competitors take actions to protect themselves from similar attacks or attack vectors and if they don’t they are foolish for doing so.
The other problem with trying to find out as much as we can, and learning our adversaries to the Nth degree is that, cyber security isn’t a glamours affair. This isn’t a war whereby the winning general writes autobiographies and historians are writing essays and analysis on well known cyber criminals. The material there to study is the attack itself and aftermath of the said attack as well as the methodology in which it was conducted, but because the holes are so quickly patched where possible, two attacks aren’t very often connected or similar in scope. Once an attack is successful, groups often change their methodology because they know the world is reacting, this makes the intelligence a little to little too late.
This isn’t a chess game, where I can go to the Internet and read all about how my opponent is going to use the Queens Pawn Gambit and castle late when challenged and be willing to sacrifice their rook to gain board position. This is a battle where it’s not a 1:1 fight to protect your data, it’s a 1:100′ of attacking adversaries who are looking to harm your organization. Those adversaries are always changing people, ideas and tactics.
Think Like a General
The reason I despise the thought process of think like an attacker is that it’s too reactionary and it doesn’t take into account what you value within your organization. A far better approach is to think like a General, the cyber security effort within your organization really must be run like a general running a base on the front lines. You’ve got several objectives to set up and get running in short order within your environments.
Objective 1 – Determine what’s Valuable
Rather than being reactive, figure out what you want to protect and what’s valuable to your organization. This is going to be critical because you can never lose sight of what’s valuable and what you’re ultimately attempting to protect. In a reactive mode, you may shift troops around to face 1 threat after another, and it would be easy for your enemy to fool you into thinking they’re after one objective when really they’re after a different objective and they’re just waiting for you to screw up. Or worse yet, when faced with 100’s of different adversary groups, you cannot possible react to all of them who might attack at different times with different attack vectors. By knowing what is important to you, you can formulate your lines of defense and where you’re going to make your last stand.
Objective 2 – Know Your Weaknesses
Knowing your weaknesses is crucial to any form of success that you’re going to have. My favourite way to know one’s weaknesses in cyber security is through effective threat modeling. Threat modeling is a concept that really should be applied more and more, however it’s not for some strange reason it’s poorly understood I think. Some would argue that threat modeling is a lot like thinking like an attacker, however it’s not. Threat modeling discusses how a threat might be realized, and what the consequences of a threat realization are. The difference is if I am planning a defense on the base.
Thinking like an attacker, will lead you down the path of asking questions like “How will someone illegally enter the base?” – “How will someone steal a vehicle, plant a bomb, etc.”? – It directly leads to you planning defenses for what the attacker will attempt to do. The problem is, you have no idea what the attackers objective is, and what happens if you don’t realize a situation the attacker is attempting to realize, you cannot plan your defense for that.
– Thinking like an attacker leads you down a myopic view of the world and the potential threats you might encounter.
When Threat modeling, all the threats are discovered and placed on the table. No threat is too big or too small for the base, or your software organization. If an attacker can infiltrate the base, and steal a vehicle – ok that sucks, but it’s not as bad as having a bomb placed by where your soldiers live. So in this instance, the threats are evaluated and, you know where you're most vulnerable relative to what you’re trying to protect and you can place counter measures and defenses in place for the most severe threats and you might just mitigate a non severe threat.
Objective 3 – Reduce your Attack Surface
Rather than being reactive, take the fight to the attackers, force them to come at your organization on your terms where you allow. Don’t wait to see where they’re going to come in. Taking the example of the base, don’t have 3 gates to your base to defend when 1 will do, similarly don’t have more holes in your firewall than absolutely required. Where you’re choosing to mitigate the threat of an attack rather then furiously defend against it, move what you really protect as far away from that attack vector as you possibly can. Make your foot print small, if an attacker can get it, through an undefended access then limit what they can get access to and the damage, to some non-critical systems or some systems which don’t contain the ultimate prize for your attackers.
Conclusion
I think it is well also for the man in the street to realise that there is no power on earth that can protect him from being bombed. Whatever people may tell him, the bomber will always get through, The only defence is in offence – Stanley Baldwin, British Parliamentarian.
There are only two types of companies: those that have been hacked, and those that will be – Robert Fueller, Former FBI Director.
It’s a forgone conclusion that your organization is going to be breached. Trying to prevent every would be attacker from breaching your organization is a futile effort. The objective of the cyber security professional must be to help an organization realize what that organization values and protect it at all costs. Breaches are going to happen, the job of security is to limit the damage and mitigate what happens as a result of the attack.
The post Think Like a General appeared first on Security Synergy.
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
