In the last article, we discussed the evolution of cyber security threats and several approaches to protection. We also introduced LACS, the agile set of techniques that is changing the way companies handle cyber security.
Think like a hacker
The cyber battlefield is one where assets, and sometimes lives, are lost. Constantly innovating the methods used to fight on it is of the utmost importance, and that starts with knowing and thinking like your adversary so that you stay one step ahead.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
-Sun Tzu, The Art of War
Why, Where, How?
Many specialists ask how they can create an ideal cyber security defence.
Strategy 1: You can’t fix the weakest link
What is the weakest link in an application's security?
- A) Cross-Site Scripting?
- B) Insecure Cryptographic Storage?
- C) The small thermal exhaust port which leads directly to the reactor system?
- D) Humans (otherwise known as users and employees)?
If you answered A or B, then you are a nerd!
If you answered C, then you have watched too many Star Wars films!
If you answered D, then you are correct! And unlike a code bug, the weakest link cannot be patched: you can only train people and design your systems so that their mistakes are contained.
The best defence is a good offence
Governments, intelligence agencies, law enforcement and private companies are evaluating the possibility of adopting offensive approaches to defend their assets from cyber attacks.
While in private industry an offensive approach to cyber security is relatively new, the idea has been evaluated extensively in government and military settings, where offensive cyber operations have long been debated. Countries have gone to great lengths to develop systems that can respond when an attack is detected.
In future articles, we will go over several systems and tactics. You can find a brief overview of these below.
- Planning – Counter-defence, battle planning, attack options, risk assessment
- Reconnaissance – Gaining an information advantage, espionage, situational awareness
- Defense – Monitor, detect, restore, respond
- Offense – Destroy, disrupt, degrade, exploit
- Deterrence – Deterrence focuses on making potential adversaries think twice about attacking, forcing them to consider the costs of doing so, as well as the consequences that might come from a counterattack. There are two main principles of deterrence:
  - Convince would-be attackers they won't succeed, at least without enormous effort and cost beyond what they are willing to invest.
  - Make sure adversaries know there will be a strong response that might inflict more harm than they are willing to bear.
- Detection – It usually takes organisations up to six months to detect a breach and years to assess the financial and reputational damage. Sometimes the compromise spreads so widely that the only remedy is to replace the entire infrastructure.
- Honeypots – Rather than spending all your effort hardening every part of your infrastructure, think like a hacker: work out where you would strike first and where the weak points are. Identify the access points in your organisation that have the lowest priority or are not connected to vital information, expose them as apparent back doors, instrument them as honeypots, and start detecting your enemy's activity. A honeypot must be isolated from real systems and hold no real data, otherwise the decoy becomes a genuine foothold.
“Appear weak when you are strong, and strong when you are weak.”
-Sun Tzu, The Art of War
Even while you are under constant attack, you can benefit by applying controlled attack strategies and activating mitigation techniques.
- Control – Keep monitoring and alerting on the system at all times. Do not panic during an attack: abruptly closing access points makes you more vulnerable, because it shows the hacker your response activities.
- Navigate – Be prepared with target access points in your infrastructure to which you want to reroute the attack. You want the hacker to believe they are on the right path.
- Expose – Hackers are satisfied once they reach the target, so make them think they have. Expose a useless piece of data or low-priority public information. The hackers will never suspect that you guided them the whole way.
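As an added illustration (this code is not from the article or from LACS), the following Python sketch implements the honeypot bullet above together with the Control, Navigate and Expose steps: decoy paths that chain to each other and end in harmless filler, plus a detector that reads ordinary access-log lines and raises an alert for any source that touched a decoy. The decoy paths, the filler response and the log lines are all constructed for the example. The detector only records and alerts, it never blocks, so the intruder sees no change in the server's behaviour (the Control point).

```python
"""Decoy endpoints with detection over access logs.

Added example, not from the original article. Every path, response and
log line here is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Decoy ("honeypot") paths. They are linked from nowhere a legitimate user
# would look, so any request for them is treated as hostile. Each decoy
# points at the next one, leading the intruder along a path we control
# (Navigate) and ending in harmless filler data (Expose).
DECOYS = {
    "/backup/": "/backup/db-2019.sql.bak",
    "/backup/db-2019.sql.bak": "/internal/credentials.txt",
    "/internal/credentials.txt": None,  # last hop: serve filler, no onward link
}

# Constructed filler: looks like a credential export, contains nothing real.
FILLER = "-- sample export, no real records --\nuser,password\nguest,guest\n"


def decoy_response(path):
    """Body to serve for a decoy request, or None if path is not a decoy."""
    if path not in DECOYS:
        return None
    nxt = DECOYS[path]
    if nxt is None:
        return FILLER
    # A plausible directory listing that only offers the next decoy.
    return f'<html><body>Index of {path}<a href="{nxt}">{nxt}</a></body></html>'


# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


@dataclass
class Alert:
    ip: str
    first_seen: str
    hits: list = field(default_factory=list)  # decoy paths touched, in order

    @property
    def reached_end(self):
        """True once the source has been led all the way to the filler."""
        return any(DECOYS[p] is None for p in self.hits)


def detect(log_lines):
    """Return {ip: Alert} for every source that requested a decoy path.

    Nothing is blocked here: the response the intruder receives is unchanged,
    only our own alerting changes (the Control step).
    """
    alerts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these too
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path not in DECOYS:
            continue
        alert = alerts.setdefault(m["ip"], Alert(ip=m["ip"], first_seen=m["ts"]))
        alert.hits.append(path)
    return alerts


# Constructed sample log using documentation (TEST-NET) addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /products HTTP/1.1" 200 3200
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /backup/ HTTP/1.1" 200 310
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /backup/db-2019.sql.bak HTTP/1.1" 200 290
198.51.100.23 - - [10/Oct/2023:13:56:09 +0000] "GET /internal/credentials.txt?x=1 HTTP/1.1" 200 60
garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    for ip, a in detect(SAMPLE_LOG).items():
        print(f"ALERT {ip}: first seen {a.first_seen}, "
              f"path {' -> '.join(a.hits)}, reached decoy end: {a.reached_end}")
```

On the sample log, the normal visitor (203.0.113.7) produces no alert, while 198.51.100.23 is flagged on its very first decoy request and the alert records the full chain it followed. Because decoy paths are never used legitimately, this detection has essentially no false positives, which is what makes a honeypot cheaper to operate than a general-purpose intrusion detection rule.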
“In the midst of chaos, there is also an opportunity.”
-Sun Tzu, The Art of War
A simulated hacker attack (white-hat hacking, or penetration testing) is a technique security specialists use to identify and analyse vulnerabilities in a system. The most effective approach covers the whole attack surface, which consists of the three Ps.
- Perimeter – The perimeter is the infrastructure you run. Against it you perform the most common attacks described in the OWASP guides and relevant ISO standards, and discover both prioritised and non-prioritised access points.
- People – Perform social engineering tests on the people who work in the organisation, to understand the security maturity of the staff and the possible impact of an attack.
- Partner – It is not enough to protect and educate your own staff; partners and vendors need the same treatment. One compromised (zombie) computer with access to the network can be a direct route to your sensitive information. Perform tests to identify how vulnerable your partners and their infrastructure are.
The lean approach uses all of the techniques mentioned above, but skips the long planning phase and implements security improvements in small batches based on real data from attacks.
- Build – Create a prototype and test it. The prototype can be a small piece of an application. It does not need extensive security, since its purpose is to give you real data on attacks. Keep it isolated from production systems and free of real data, so that the attacks you invite cannot reach anything that matters.
Publish this application and put some marketing behind it. Once hackers know about you they will attack you, and you use them as a source of data.
- Measure – Identify the access points attackers used and the vulnerabilities in the system.
- Learn – Improve your system based on real attack data and field testing, then repeat the cycle.
To be continued
In future articles we will go into detail on the techniques mentioned above, give real-life examples of them, and show the effect of using LACS.
We are interested in building a community to create a system of techniques and best practices. We encourage you to get in touch and collaborate on this.
The next steps will be to document these processes and test them as a community.
And finally, collaborate on a book!