We’ve witnessed a steady stream of attacks against corporate, government, military, and controversial targets. The victims continue to conduct postmortems to assess damage and mitigate threats, while the press and social media report “massive” data breaches, “inestimable” reputational harm, and “staggering” material losses. Whatever the final tallies may be, the attacks are of such frequency, scale, and apparent ease of execution that they raise serious questions about nearly every aspect of Internet security as we practice and deploy it today.
Before we rethink and re-engineer our defenses and countermeasures, it’s worth our while to reconsider how we think about attacks in general. Here are some lessons to learn from the attacks.
Motive is immaterial. Classifying attacks as acts of hacktivism, commercial or nation-state espionage, terrorism, cyberbullying, or acts of war is useful at a global strategic level. But recent events illustrate that the attackers are themselves ambiguous about their motives. At ground zero in such an unsettled landscape, you are best off acknowledging that your network could be targeted randomly or for any given motive. Rather than asking, “Is our organization a target for commercial espionage?” you should ask, “What measures can we take to reduce risk from motivated attackers?”
FUD serves no one. Too many security vendors are seizing the opportunities presented by recent attacks to foster fear, uncertainty, and doubt (FUD) and to hype their products or services as a panacea for the hack du jour. Too many security products fail to live up to the hype. Others solve different problems from the ones you face. Together, they create a tsunami of information your staff cannot use or incorporate into operational or situational responses. Marketing FUD when the security community is facing serious scrutiny and growing skepticism can further erode confidence. Pay no attention to that man behind the curtain! There’s no silver bullet (or wizard). Trust no one who boasts otherwise.
Attackers know you better than you know yourself. We are reasonably good at designing networks, but we design with specific contexts in mind (e.g., service or content delivery and anticipated user behavior). Attackers understand our design objectives and look for things we’ve overlooked. They tinker. They ask, “What if?” They try to break (into) things. It’s not that we can’t be good at tinkering and breaking, but we don’t do it routinely. We have good handles on how our networks are supposed to behave. We monitor and respond to events to keep them behaving this way. But our management is overly reactive. Attackers are proactive and agile. They observe how our networks behave, discover the exploitable paths into our networks, and seize the opportunity to attack. You must do better than know your enemy. You must be your enemy. It’s time to encourage your IT staff to nurture curiosity and agility. Attack your own networks to expose and mitigate vulnerabilities before attackers do.
For now, expertise trumps technology. The security technologies we rely on most -- and the best security practices we apply today -- are deficient. Bluntly put, our technology is too immature and our instrumentation too primitive to run in the unattended mode that budgets too often dictate. We need to accept that this strategy has failed, and understand why. For years, we’ve been turning on networks even though we cannot staff them with folks who can write secure code, who know at intimate levels how applications and Internet protocols behave, who can observe or analyze application and protocol behavior, who can distinguish suspicious activity from benign, and who can take corrective or remediating actions. Enough of our adversaries have these skills that, if we are ever to pull out of this tailspin, we must invest in people to counter them with greater expertise.