Winning the Cybersecurity Contest

Cybersecurity is a competitive endeavor. This contest is framed as ‘us versus them,’ attackers versus defenders, and good guys versus bad guys. Analogies to sporting contests are common, and they bring similar descriptive language with them. Given this view, it is natural to wonder who is winning the contest.

The large number of organizations impacted by the SUNBURST backdoor and the Microsoft Exchange zero-day vulnerabilities implies we (team cybersecurity professionals) are losing. Unrelenting ransomware attacks also contribute to a sense of defeat. On the other hand, the takedown of a Trickbot malware-as-a-service botnet, the disruption by law enforcement of the Emotet botnet, and the closing of the DarkMarket dark web marketplace are positive scores in ‘our’ favor. These results at both ends of the field make it difficult to determine who is winning.

Measure by Initiative

Based on recent events, it would appear the cybercriminals, cyber privateers and threat actors are winning. However, there is no definitive way to keep score in this competition. Maintaining a running tally is not possible. It is also difficult to know how many attacks are thwarted, and how many successful breaches remain undiscovered. Determining who has the initiative is the best way to gauge who is winning. To use the sports analogy, the key to victory is establishing momentum. The “big mo” in this struggle determines which side controls future actions.

In cybersecurity, owning the initiative makes the opponent work harder. Initiative affords attackers freedom to act against multiple opportunities. When the initiative is on the side of the defender, it narrows the avenues open for raiders. Controlling the agenda allows cybersecurity professionals to focus defenses in areas where an attack would be most likely.

Strategic Priorities

Determining who is winning is less important than remaining engaged in the fight. There are a number of activities organizations should adopt to gain an advantage on the cybersecurity playing field.

  • Prioritization: Entities need to have a good game plan. Focused defenses require an understanding of what elements are most important. “Organizations should build their cybersecurity strategy on priorities,” explains Russell Norris, director of security studies programs at Rivier University. “Leadership evaluates threats, asset value, known vulnerabilities and risks,” Norris said. By basing a defense-in-depth schema on these components, resources can be allocated where they will have the greatest impact.
  • Hand Off to MSSP: Organizations of all sizes are turning to managed security services providers (MSSPs) to supplement their internal cybersecurity operations. Partnering with an MSSP offers many benefits. MSSPs provide an experienced team of seasoned technicians. Through a 24x7x365 security operations center (SOC), the MSSP handles monitoring and management of security devices, performs security event analytics and provides comprehensive threat intelligence. By offloading many day-to-day operations, the internal security team can concentrate on more strategic projects.
  • Run a Scout Team: In football, a scout team allows you to test your squad against the opponent; organizations should do the same with cybersecurity. Bryson Bort, CEO of SCYTHE, believes companies must practice both defensive and offensive security to capture the initiative from cybercriminals. Real-world adversary emulation exercises, using red and blue teams, provide insight on what could or would happen during an attack. These simulations, coupled with frameworks like MITRE ATT&CK, allow organizations to sharpen their defensive strategy.
  • Invest in People: People can be a critical component of security. Integrating people as an element of the security strategy requires creating a culture of safety and security. This can’t just be done with periodic security awareness training. Instead, security education must take into consideration how employees work, what their values are and their behavioral patterns. Cybersecurity education is a long-term effort that lays the foundation of knowledge, resulting in intellectual buy-in and changed behavior. With proper awareness, users will be much more involved in mitigating future risks.
  • Left of Boom: When an attack does execute, it can be thought of as an explosion. This is the “boom.” Getting “left of boom” means identifying and disrupting the cyberattack chain before it reaches the exploitation phase. A proactive risk management program is required. Concentrating on the activities that happen before an attack succeeds requires vulnerability assessments, threat intelligence, security drills and strategic thinking.

The Contest Continues

Gaining and retaining the initiative in this battle requires constant work. The negative news about recent successful attacks and breaches can be demoralizing. However, organizations must continue working to improve and not give up. In poker, there is a saying: with a chip and a chair, you are still in the game. The cybersecurity community is very much still in the game – it’s a matter of capturing the initiative from the threat actors.

Charles Kolodgy

“Charles J. Kolodgy is a security strategist, visionary, forecaster, historian, educator, and advisor who has been involved in the cyber security field for over 25 years. He is an Analyst with Accelerated Strategies Group and Principal at Security Mindsets. His views and understanding of information and computer security were shaped during his years at the National Security Agency. During that time he held a variety of analyst and managerial positions within both the information assurance and operations directorates. Following NSA he was a Research Vice President covering security markets for IDC and then a Senior Security Strategist for IBM Security. Over the years he has identified market trends and authored numerous documents to explain market realities and has been a speaker at many security conferences and events, including the RSA Conference, CIO Conference, CEIG, and IANS. He has been widely quoted in the media. He is best known for naming and defining the Unified Threat Management (UTM) market, which continues to be one of the strongest cyber security markets with vendor revenue of $3 billion per year. He has been a leading analyst on software security, encryption, and the human element. Charles holds a B.A. in Political Science from the University of Massachusetts at Lowell and an M.A. in National Security Studies from Georgetown University.”