I was at a conference recently at which Tim Crothers delivered the keynote. Tim has worked as a breach investigator for the better part of his career. He joined Target after their 2013 breach and currently leads their cyber security team. I got to hear him flip an information security paradigm on its head.

“The defender’s dilemma states that breaches are inevitable because defenders have to be right 100% of the time whereas attackers only have to be right once.”

That’s not empowering. As someone that advises clients, that’s not how I want them to approach their security. As a consumer, it’s not how I want organizations to think about securing my own personal data.

There is another way, and it starts by understanding what a breach means. A breach happens when data, from an individual or organization, is illegally copied. That’s known as exfiltration. It’s only possible when an attacker gets a foothold on a system. And that open window, between the foothold and exfiltration, is where the true failure happens.

Organizations tend to focus their spend on prevention. While prevention can be effective at mitigating known vulnerabilities, it’s the unknown vulnerabilities that should be of most concern. Since 2013, the Carbanak FIN7 syndicate has been connected to almost every major breach in the banking, hospitality, and retail industries. If you want to learn more about how they did it, here’s the full white paper. They’re professionals, persistent, and creative – they use attack vectors that no one has ever thought.

When an organization is not aware of prevention failures, it’s a sign that there’s a lack of detection capabilities. That’s evident with the time attacker’s have had in the breaches we’re seeing today. Tim said that it’s likely many breaches have gone unreported over the years. And only with the introduction of disclosure laws have we started to understand the wide-scale magnitude of breaches.

My big takeaway: Prevention protects you from what you know, but not from what you don’t know.

Creating the attacker’s dilemma

If an organization is to deal with risk and uncertainty, it shouldn’t have to adopt a defeatist mentality. It can start by weaving cyber security awareness into the company culture, earmarking an appropriate budget, striving for continuous improvement, adopting a mindset that emboldens.

Creating the attacker’s dilemma starts by asking this question: “How might we quickly detect prevention failures so that we can minimize the window that a foothold can be exploited?“

The new paradigm:

“Attacker’s dilemma forces an attacker to exfiltrate data without tripping a single detection instrument.”

What I love about reframing the defender’s dilemma is that it assumes prevention failures will happen. That’s more realistic because it’s already happening. Imagine having a detection net that sends timely alerts on prevention failures. The game turns into response, containment, and engaging attackers head-on.

The approach to creating the attacker’s dilemma

  • Focus on an attacker’s activities rather than the tools and exploits
  • Use the attacker’s needs and techniques against them
  • Balance prevention, detection, and response appropriately
  • Invest in people over tools

Focus on an cyber attacker’s activities rather than the tools and exploits

Attackers seek entry points into an organization so that a foothold can be established. That involves social engineering, usually through spear-phishing, and compromising Internet-facing systems like web applications, vendor platforms or remote access. Given these threats, it’s common to focus efforts on multi-factor authentication, encryption, monitoring, and vulnerability scanning. Yet, attackers assume that those safeguards are in place. That’s why attacks are asymmetrical, ones that bypass or sabotage a defender’s strengths while targeting their vulnerabilities. Using cyber security attack frameworks like MITRE ATT&CK or IBM X-Force Incident Response and Intelligence Services (IRIS) helps an organization identify gaps in prevention and detection.

 

Use the attacker’s needs and techniques against them

Attackers need access, intelligence, and targets. Use that against them by creating a detection net that uses deception, automation, and escalation. The concept is to create a lure that, when accessed, sends an alert to first responders. Here are some ideas that are just the tip of the iceberg:

  • Use honeypots in every part of your tech stack. Even better if you can deploy a honeynet.
  • Embed fake API keys on a public Github repository. Have a developer that has worked with your organization post it.
  • Create fake admin accounts to be cached on a local machine.
  • Use fake user accounts to respond to phishing attacks.
  • Post fake traceable data on an internal wiki.
  • Reuse breached credentials for fake accounts.
  • Deploy an internet appliance with default credentials.
  • Increase awareness in your organization by simulating phishing campaigns. Foster a positive security-aware culture.
  • Develop meaningful cyber security metrics.
  • Invest in deep web intelligence to understand who may be attacking you and why.
  • Use automation to dynamically restrict privileges based on escalating activities that would be considered adversarial.
  • Create infrastructure in an immutable fashion and alert on any filesystem modifications.
  • Invest in a security orchestration and automation framework to bolster your detection net.

This approach is like the dark side of a customer journey map — determining the attackers “happy path” and inserting lures that can lead to better detection and response. Most of these can be implemented by a team of any size, as long as they have DevOps capabilities.

 

Balance cyber security prevention, detection, and response appropriately

Organizations should determine the right level of prevention for themselves and then focus the remaining budget on detection and response. This balance can be tough since prevention feels like the right strategy because most attacks can be prevented, and yet it’s what we don’t know that is actually the most dangerous.

That’s why spending more on detection makes sense. It has a higher return on investment because it empowers you to identify prevention failures and respond to them just-in-time.

 

Invest in people over technology tools

Cyber security is just as much a people problem as it is a tool problem. Vulnerability scanning puts organizations into a defender’s mindset. There are limits with vulnerability scanning on immutable infrastructure and the attack surface is incredibly large. Tools tend to be rigid and cannot always adapt to rapidly changing situations, whereas people can. And when properly inspired, people can be endlessly inventive.

With an appropriate budget, a team can deploy a detection net, respond to prevention failures, and work with outside vendors. Since cyber security professionals are in-demand, level-up your team by sending them to an immersive security bootcamp – one that encourages students to get to root. Partner with a vendor that can do a blend of manual and automated penetration testing at a high frequency (e.g. bi-weekly to monthly).

Adopt Agile as a way of working. It’s a proven approach in software development for managing change, risk, and uncertainty. A framework like scrum equips an organization with the agility to respond to prevention failures. It also encourages constant iteration through the principles of transparency, inspection, and adaptation.

 

Final thoughts

As an ethical hacker and someone that values information security, I think creating the attacker’s dilemma is a mindset worth adopting. This way of thinking is more proactive, expands your toolset, and puts you in a more offensive position.

Email me to talk more about cyber security.

Headshot of Vince Cabansag

Vince Cabansag
Director of Technology