It is time for an evolution in cybersecurity that focuses on adversary disruption
Despite major advancements in technology, the global approach to cybersecurity has remained the same for decades: Respond and recover. The same vulnerabilities repeatedly are exploited in similar ways, and this trend shows no signs of slowing because current security tools do not actually address the root causes of attacks. Even new artificial intelligence and machine learning techniques have mostly been aimed at improving response efficiency—as though there is nothing we can do but prepare for the worst and recover as quickly as possible. To slow the frequency of dangerous and costly cyberattacks, companies should be shifting their efforts toward focusing on adversary disruption.
Cyberattacks, and How We Respond to Them, Have Not Changed in Two Decades
In May 2000, one unwitting user on a computer in the Philippines used Microsoft Outlook to open an email message with the subject line “ILOVEYOU” and an attached file named “LOVE-LETTER-FOR-YOU.txt.” The attachment contained malicious code—a worm that moved through the user’s computer, overwriting random files and sending an email with a copy of itself to every address in the user’s Windows Address Book. Just 10 days later, the ILOVEYOU worm had spread around the world, infecting more than 50 million computers. Far from spreading love, the worm caused more damage than any previous cybersecurity incident: an estimated US $5.5 billion to $8.7 billion worldwide.
Seventeen years later, Microsoft announced a vulnerability within a resource-sharing protocol in widespread use across versions of the ubiquitous Windows XP operating system. The company quickly released a patch to fix the vulnerability, but countless systems had not been patched by the time the WannaCry ransomware attack began two months later. WannaCry eventually affected more than 200,000 computers across 150 countries and caused estimated damages ranging from hundreds of millions to billions of dollars.
Despite significant changes to the state of technology and the internet between 2000 and 2017, these two cyberattacks were very similar. Both propagated by using relatively simple vulnerabilities in Microsoft operating systems and both were successful because of a lack of proactive cybersecurity.
Not only do the same kinds of attacks continue to work, but responses to cyberattacks also have not changed much either. With all our advances in technology, cybersecurity is generally still focused on response and recovery: Identify the infected computers, take them offline, rebuild or replace them, file a data breach disclosure, rinse and repeat.
Is the issue that it is impossible to defend against these vulnerabilities? Are hackers just too smart? Not necessarily. Response and recovery treat cyberattacks like natural disasters: inevitable, unstoppable and caused by forces outside our control. Meanwhile, adversaries continue to enjoy the fruits of their illicit labor. Popular methods of attack remain consistently successful because cybersecurity has failed to evolve to a posture of true prevention.
A Needed Evolution
The continued success of these cyberattack methods (and others) hinge on exploiting a limited number of key vulnerabilities that are commonly known to good and malicious actors alike. So, why are they still effective? The answer is that current standard cybersecurity methods are designed to respond to incidents but rarely, if ever, actively disrupt the adversary’s attempted attack. For example, cyberattacks or intrusions generally are handled via alerting after a breach has occurred. The alert triggers a cybersecurity team to go in and clean up the affected systems, and then set up or modify a firewall to block future attacks. Afterward, companies are required by law to file a data breach notification.
The most common approach to blocking attacks involves analyzing past and current threats and then distilling the results into indicators of compromise (IoC), such as IP addresses, domain names or hashes of known bad files. These IoCs are then fed into available cybersecurity tools, which are wielded like a giant hammer, blocking or denying any traffic associated with them.
This method aims to prevent attacks that are exactly like prior attacks. This perpetuates the problem, however, as hackers know about these protection methods and adjust. Subsequent attacks are designed to differ just enough from prior attacks to elude being blocked and ensure they avoid the new protections. This process is repeated time and time again. The cybersecurity industry is almost entirely locked in this detect-respond-recover approach, with little to no effort being made to actually prevent cyberattacks in the first place.
Rather than treat the cyber threat like a natural disaster, the cybersecurity industry needs to embrace a fundamentally new approach. Instead of relying solely on insufficient incident response and recovery methods that have been used for many years, a more sophisticated, proactive approach is needed to successfully prevent current cyberattacks and to predict and prevent future ones on a meaningful scale.
Operational challenges in the cyber realm have been exacerbated by an ever-growing landscape of disparate endpoints, heightened sophistication of cyberattackers and an increasing number of cybersecurity tools. While these challenges led to the development and implementation of SOAR platforms, which add efficiencies, most tools remain inherently “reactive.”
Cyberattacks or attempts at compromising a system are human-made events within a human-made environment. By focusing on disrupting the adversary’s methods, analysts can determine tactics, techniques and procedures (TTP) and then use those to develop solutions that provide truly preventive cybersecurity.