Know Your Enemy, Be Your Enemy: A Look At ‘Adversarial’ Cyber Security
For many enterprises, mindset is crucial when it comes to cyber security posture. Risk assessment and evaluation, along with identification and intensive problem solving are all demanded when guarding the 360-degree perimeter.
That is to say that the active cyber security practitioner needs to be thinking like an adversary, a black hat. That may seem like a peculiar task – to embody the mind and spirit of a bad actor looking to extract insider information, trade secrets, data or demand a ransom. Does that mean the security professional has to stoop to that level?
No, but what they must be cognizant of is the ever-changing threat landscape – the way malware strains evolve and morph and propagate, or the deceptive ways hackers are tapping into financial institutions or those that host protected health information (PHI).
In a recent article for Forbes, CTO, writer and consultant Dan Woods penned an installment of a series about this very topic: adversarial cyber security.
Early in his comprehensive feature, he advises enterprises to adopt a “portfolio” approach to their cyber security, similar to what one might encounter in a financial discussion. In the context of security, “portfolio” would mean carefully allocating resources to make sure your bases are covered – because no enterprise (SMB, large enterprise or otherwise) can mitigate or avoid 100% of the cyber threats.
Much of Woods’ early advice stems from identification – truly understanding what the enterprise requires, allocating resources appropriately and building a product-focused portfolio from there.
Despite the extra effort, Woods points out, no enterprise is impenetrable. “But the businesses that are most successful at counteracting the threats to their specific crown jewels will be those best positioned in today’s volatile and ever-evolving cyber security landscape,” he wrote.
In speaking with CrowdStrike CEO George Kurtz, Woods was further able to underscore his points about allocation and risk. That’s because Kurtz’s business approach is wholly “adversary-centric,” according to the article.
Security professionals may not completely grasp the depth of a hacker’s desire if they cannot think and plot like them. So, before a CISO brings an enterprise to the market for a new solution, both Kurtz and Woods advise a structured vetting and assessing process.
Kurtz’s tips include knowing the organizational needs and understanding what the “crown jewels” are. Also, monitoring the threat landscape to see where hackers are focusing their attention. He also advises threat modeling to ascertain various protection methods and to determine the maturity of the cyber resiliency program.
The CEO explained that different hackers have different motivations: Some would lift intellectual property; others might target user information. To further profile them, a practitioner might ask how effective one would need to be to breach the system.
“You need to do this, so that you understand whether your attackers are bringing bayonets or bazookas to the battlefield.” Kurtz told Woods for the Forbes story. He also outlined a pivotal piece of information, being third-party risk assessment; this means understanding that when outside parties hold sensitive information, your risk profile rapidly expands.
The bottom line is that CISOs and the security team must be prepared to combat a wealth of different attacks, and the only way to prepare for a breach is to think as the hacker might.
Both security contributors suggested cyber pros be prepared to handle these incidents in real time. That means the entire security architecture must be programmed accordingly – it must be responsive amid a breach or during the investigatory stages.
To remain in an advantageous position, the security professionals advised enterprise officials to create a maturity model. In doing so, the team will learn how their peers handle similar threats. This is a crucial stage because one small advantage, one way or another, could strike at the heart of the business.
Kurtz said the conversation is more about preventing breaches in general, versus protecting the perimeter against a specific type of threat (say, malware).
Seguing into a discussion on malware, the contributors suggested that in the past five years, there has been a divergence from malware-related attacks. That is why the team must look beyond malware or the minutiae, and examine the wider layout – the growing landscape, sophisticated hacking maneuvers, etc.
The escalation of the threat landscape is perfect incentive for security pros to latch on to this method – and in fact think like an adversary. Knowing your opponent is oftentimes half the battle. In instances such as this, it could prevent a mega-breach, or protect the brand and the integrity of hundreds, thousands or millions of people.