The Art of (Cyber) War: How Adversarial Thinking Strengthens Cybersecurity
Cybersecurity is unique compared to most other business operations, even most IT operations. Unlike marketing or network management—both of which tackle difficult and ever-changing challenges in the business operating environment—cybersecurity pits defenders against intelligent, creative and deliberate opponents.
Hackers are aware that they are actively hunted and thwarted at every step between target scoping and data breach. That means they are applying the full brunt of their ingenuity and technical expertise to avoid cybersecurity defenses as they pursue their goal.
Even though this struggle takes place in cyberspace, the lessons from real battlegrounds retain their relevance and significance. In the ancient military strategy text The Art of War, Sun Tzu makes the point: “If you know the enemy and know yourself, you need not fear the results of a hundred battles.”
Cybersecurity teams need to adopt an adversarial mindset that allows them to tackle the unique challenges of cyberspace. This involves clearly understanding what their enemies are capable of and preparing an appropriate response.
Communication and visibility
The most valuable weapon on the battlefield is information, both about your own team and its current state and about your enemy. “If ignorant both of your enemy and yourself, you are certain to be in peril.” This holds true in reverse as well. Hackers want to know as much about your networks as they possibly can.
The first step in a targeted cyber-attack is recon. By scanning public-facing systems, hackers can learn a great deal about an organization’s IT infrastructure, including potential vulnerabilities. Once they have made their way onto the system, a hacker’s first priority is to establish a persistent connection that allows them to maintain visibility into the network they have infiltrated.
As a result, the first priority of a cybersecurity team needs to be cutting off communication between their systems and hackers. This is especially true for botnets and cryptojacking malware, where the main benefit to hackers depends on sustained, two-way connections to the infected devices so that their computing power can be used for DDoS attacks or mining cryptocurrency.
It is also important for cybersecurity teams to have visibility into their networks to understand what normal behavior is and what could be driven by hackers. It is easy for hackers to slip onto networks through unmonitored open ports or by infecting third-party devices that have access to internal networks if cybersecurity teams are not watching them closely. By developing a strong understanding of the digital assets connected to the corporate network, cybersecurity teams can better protect themselves against threats targeting devices that are not regularly monitored.
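One way to turn the two points above (sustained connections and knowing what normal looks like) into a check, as an added example that is not part of the original article: it compares flow records against an asset inventory and flags unknown devices, unlisted destinations, and unlisted destinations contacted at regular intervals. The inventory, addresses, flow format and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed inventory: known internal asset -> external destinations it is expected to reach.
INVENTORY = {
    "10.0.0.5": {"203.0.113.10"},
    "10.0.0.8": {"198.51.100.7"},
}

# Constructed flow records: (epoch seconds, source, destination, destination port).
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443),
    (130, "10.0.0.5", "203.0.113.10", 443),
    (700, "10.0.0.5", "192.0.2.99", 53),
    (50, "10.0.0.77", "198.51.100.7", 443),
    (10, "10.0.0.8", "192.0.2.44", 8080),
    (311, "10.0.0.8", "192.0.2.44", 8080),
    (609, "10.0.0.8", "192.0.2.44", 8080),
    (910, "10.0.0.8", "192.0.2.44", 8080),
    (1210, "10.0.0.8", "192.0.2.44", 8080),
]

def review_flows(flows, inventory, min_contacts=4, max_jitter=0.1):
    """Return (finding, source, destination, port) tuples for flows outside the baseline."""
    seen = defaultdict(list)
    for ts, src, dst, port in flows:
        seen[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), stamps in sorted(seen.items()):
        if src not in inventory:
            # Device is on the network but nobody has recorded it as an asset.
            findings.append(("unknown-asset", src, dst, port))
            continue
        if dst in inventory[src]:
            continue  # expected traffic for this asset
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Many contacts at near-constant intervals suggest an automated, sustained channel.
        regular = len(stamps) >= min_contacts and pstdev(gaps) <= max_jitter * mean(gaps)
        findings.append(("sustained-unlisted" if regular else "unlisted", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in review_flows(FLOWS, INVENTORY):
        print(*finding)
```

A finding here is a prompt for triage rather than proof of compromise: legitimate update checks and monitoring agents also call out at regular intervals, and belong in the inventory once confirmed.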
At a higher level, cybersecurity teams need to know the current state of cyberspace, i.e. the latest malware, vulnerabilities and exploits in use by hackers so that they can better protect their systems. Monitoring and installing security patches to the systems they use on a regular basis significantly improves their defenses against these threats. They can also ensure that their malware defenses recognize and stop malware if they are consistently checking for new developments. This is easily achieved by monitoring new research from respected threat research teams or by joining an information sharing group that monitors threats relevant to that team’s industry.
Implement elite training
Cybersecurity skills are a constantly moving target that requires continuous training. Hackers have a lot of bots at their disposal and a lot more IT appliance features they can exploit. Cybersecurity is a multidisciplinary field requiring comprehensive knowledge of computer networks and systems, an understanding of the differences in IT/security architectures, and, of course, people and social engineering. It is a profession that requires continuous updates and training against the latest tools and techniques.
Militaristic philosophies of train, train, train against realistic opponents are necessary. “Victory usually goes to the army who has better trained officers and men.” By providing exposure to realistic situations that can arise during a cyber-attack, organizations can better prepare their cybersecurity teams to face whatever hackers throw their way, no matter what their previous experience level. Allowing your IT teams to play the roles of attackers and defenders also provides perspective. Red teaming with a multi-layered attack simulation that measures how people, networks, applications and physical security controls can withstand an attack from a real-life adversary is a must. But it is equally, if not more, important for teams to practice in real-world environments, which can be difficult to do.
There is a growing offering in the industry called “Cyber Ranges” that can simulate internet-scale environments to develop elite cybersecurity teams by imitating attacks on IT infrastructures. In these environments, cybersecurity teams can test their defenses against the latest hacker techniques and mimic successful breaches as case studies.
Cybersecurity is a rapidly moving and evolving field, but the challenges it presents are not insurmountable. By taking some time to understand the enemy and how they work, cybersecurity teams stand a better chance of stopping them. “The supreme art of war is to subdue the enemy without fighting.”