24 April 2018

How to build resistance to cyberattacks in 2018 and beyond

If one were to ask who the strongest nation-states of all time were, who would come to mind? The Roman empire, the Ottoman empire (which would span six centuries), the Qing dynasty, France in the 18th century, Great Britain at the turn of the 20th century, The United States post-WWII. What did all of these empires have in common? They were part of major world wars, and they were constantly under attack or in a mode of conquest for land, wealth, and/or resources. Simply put, they were “battle ready.” Resistance to attack builds strength. The best defense is offensive: it’s proactive, aggressive, and anticipating. In the evolving cyber war, we’ve traded physical weapons for malware attacks, but there is no reason we should abandon the tactics that once provided strength and national security to empires that spanned multiple centuries. Today’s cyber leaders, in the private sectors and the public sectors alike, should take a few pages out of the military playbooks throughout history. How can we be the Winston Churchill, the Napoleon, the Dwight Eisenhower of our security teams?

Cyber fortification

The public and private sectors face a mounting number of cyber attacks and sophisticated tactics. Our defenses have been circumvented, and our cyber strategy is being put to the test as we come to terms with a growing cyber talent and technology gap. We’ve been putting emphasis on how compliant we are to best practice standards and the number of vulnerabilities we find through testing. This is similar to reporting military victories on body counts -- it’s flawed and not focused achieving the strategic objectives.

Training like we fight

Instead, we should consider a realistic measure of how resistant we are to attack. There is no better way to get a realistic measure than to mimic the attack and measure resistance to it. Some of the best military training occurs in simulated environments, where soldiers participate in war games that exercise their skills and expose their weaknesses in near real-world scenarios. Think about the great military generals who studied their troops’ performance, analyzed personnel readiness, prioritized resources, and tracked where the enemy was advancing and retreating. They used their training exercises and intelligence gathered to make the best decisions that would lead to victory and minimize risk.

We need tools that help us mimic the attack and understand our hardness against attack. We need to be able to analyze our weaknesses and prioritize them in terms of risk, cost, and benefit. Then we need to assign a value to them, ensure sound decision-making, and take strong actions.

Five steps to practical cyber resistance

First, take an approach that utilizes humans and technology. In 2018, you can’t rely solely on automated scanning; you need to engage vetted, trusted hackers to help you understand what an attacker would see when he looks at your attack surface.

Second, gather data beyond just the quantity and impact of vulnerabilities found in your systems. Measure attacker cost — how much effort would an attacker have to exert to break into your systems? Measure attacker payout — what would they gain if they did break in? People are rational, even criminal hackers; the benefit has to exceed the cost for them. Defenders must strive to raise the cost to the attacker.

Third, benchmark against peers. It’s difficult to know how strong or weak you are unless you can compare yourself against someone else.

Fourth, prioritize resources. Assess the strength of your assets’ security and prioritize the weakest of your highest-value assets first. Apply effort where you’ll get the greatest leverage in the long run.

And finally, keep track over time. Attacker resistance won’t happen overnight. You need to measure and track it constantly with a goal of building up hardness in the long term.

Warfare is evolving to include the cyber sphere, and the enemies are not only nation-state hackers from countries such as China, Russia and North Korea, but also solo hackers with seemingly no affiliation to a state or group. And unlike the days of old, the attacks of these battles aren’t concentrated to soldiers on a battlefield; they can affect government agencies, private companies, and millions of civilians at a time indiscriminately. Organizations must start to plan their cyber defenses with the goal of increasing attacker resistance and increasing the cost for an adversary to conduct their operations.

Mark Kuhr is the CTO and co-founder of Synack, a cybersecurity company that harnesses the power of crowdsourced hackers and a data-driven platform to secure digital assets.

No comments: