SecurityWeek

How Can Cyber Defenders Regain the Advantage?

In traditional Warfare Theory, it is accepted that a defending force has an advantage over an attacker. However, in the Cyber Warfare Theory, the common wisdom claims strictly the opposite, and gives the advantage to the attacker, as “The attacker can exploit just one vulnerability to get in, while the defender needs to protect all ways in.”

This discrepancy recently caught the eye of Gartner analyst Dr. Anton Chuvakin in a blog post. In this column I’ll try to settle the alleged contradiction and show how, by defining a relevant defense strategy and setting the correct goals, defenders can regain their inherent advantage.

“He who knows when he can fight and when he cannot, will be victorious.” – Sun Tzu. Warfare wisdom: use it (and not just for slide-deck decoration).

Force Concentration and Strategic Depth

To understand why the defender’s-advantage rule of thumb seems to fail in the cyber domain, let’s first examine its limitations on the physical battlefield. A well-known exception to this rule is guerrilla warfare.

Wikipedia’s “Force concentration” article describes guerrilla warfare as follows: “As they are usually the smaller in number, an appreciation of force concentration is especially important to guerrilla forces, who find it prudent initially to avoid confrontations with any large concentrations of government forces. However, through the use of small attacks in out of the way areas, they may be able to lure their opponents into spreading themselves out into isolated outposts, linked by convoys and patrols, in order to control territory. The guerrilla forces may then attempt to use force concentrations of their own; using unpredictable and unexpected concentrations of their forces, to destroy individual patrols, convoys and outposts. In this way they can hope to defeat their enemy in detail. Regular forces may act in order to invite such attacks by concentrations of enemy guerrillas, in order to bring an otherwise elusive enemy to battle, relying on its own superior training and firepower to win such battles.”

The key to the guerrillas’ success is to make their numerically superior opponents spread their forces too thin. Having achieved that, the guerrillas can choose the right place and time to strike, concentrating their forces on a single point where they locally outnumber the defenders and win.

To counter this, the defenders’ strategy should make use of their “strategic depth”. According to Wikipedia, “Strategic depth is a term in military literature that broadly refers to the distances between the front lines and the combatants’ industrial core areas, capital cities, heartlands, and other key centers of population or military production. The key precepts any military commander must consider when dealing with strategic depth are how vulnerable these assets are to a quick, preemptive attack or to a methodical offensive and whether a country can withdraw into its own territory, absorb an initial thrust, and allow the subsequent offensive to culminate short of its goal and far from its source of power.” In other words, by applying strategic depth, defenders move the battlefield from the front lines to ground where they have better control, while still keeping the attacker far enough from their critical assets.

Cyber Force Concentration and Cyber Strategic Depth

All of these warfare concepts have equivalents in cyber warfare. Internet-connected endpoints are the “isolated outposts”, while the organization’s “critical assets” reside elsewhere, typically in the data center. The exact nature of these critical assets is specific to the organization: a customer database, financial records, healthcare data or Point of Sale (PoS) machines. The distance between the isolated outposts and the critical assets is the “cyber strategic depth”. According to Mandiant, that depth is typically considerable, with APT intruders accessing approximately 40 systems on a victim’s network.

Cyber attackers are in effect conducting guerrilla warfare, and so prefer to wage the battle at the “isolated outposts”: the Internet-connected endpoints. This is where they hold the advantage and do not jeopardize their resources, which allows them to keep attacking until they get in. From the attacker’s standpoint, the endpoint battlefield consumes very few resources because of its generic nature, which lets the relevant attack weapons be automated. The attackers’ main weapon is the malware-bearing phishing email; Verizon’s 2014 DBIR states that infecting users through a malware-bearing phishing campaign is still a highly effective method. Attackers also enjoy the “first mover advantage” over Anti-Virus (AV) solutions: they can test their malware against every AV product before distributing it. Both sending phishing mail and creating a new malware variant can be highly automated, saving the attacker resources.

The point to stress is that once the attackers have infected a machine and penetrated the victim’s network, they are in uncharted territory that is under the defender’s control. Here they must figure out where the target “core assets” are and how to advance toward them. This is a very manual, and therefore very costly, process conducted in an environment that is hostile from the attacker’s perspective. The defenders, on the other hand, can now leverage a familiarity with the “terrain” that the attackers lack, either by passively detecting anomalous patterns or by actively planting landmines and honeypots for the attackers. As a result, the defenders can easily mitigate the attack by quarantining the infected machines from the network, cutting their communication lines to the malware’s Command and Control and stopping them from either spreading or retreating. Not only is the malware’s immediate risk contained, but the malware becomes a “sitting duck”, waiting in paralysis for the defender’s forensic and disinfection tools.
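To make the “terrain advantage” concrete, here is an added example (not code from the column or from any vendor it mentions) that runs the two detection ideas above over an internal flow log: a set of honeypot “landmines” that no legitimate client should ever touch, and a fan-out check that flags a workstation suddenly reaching many distinct internal servers in a short window. It then derives the containment actions the paragraph describes: isolate the host and block the external addresses it spoke to, which are its likely Command and Control. All IP addresses, thresholds, the forensics collector and the log lines are constructed assumptions.

```python
"""Added example: spotting and containing an intruder already inside the network.

Two terrain advantages encoded here (all values below are constructed):
  * landmines: honeypot hosts no legitimate client ever touches;
  * anomalies: a host fanning out to many distinct internal servers quickly.
Containment then isolates the host and blocks the external peers it contacted.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

HONEYPOTS: Set[str] = {"10.0.20.250", "10.0.20.251"}  # constructed landmine hosts
FORENSICS_COLLECTOR = "10.0.99.5"  # constructed; only peer a quarantined host may reach
FANOUT_THRESHOLD = 5               # distinct internal destinations per window
WINDOW = timedelta(minutes=10)

# Constructed flow log: "<ISO timestamp> <src> <dst> <dport> <proto>".
# 10.0.10.22 is a normal user, 10.0.10.15 is infected and mapping the network,
# 10.0.10.30 touches three servers but spread over an hour (below the window).
SAMPLE_LOG = """\
2014-09-10T09:00:01 10.0.10.22 10.0.20.10 445 tcp
2014-09-10T09:00:05 10.0.10.22 10.0.20.11 993 tcp
2014-09-10T09:00:09 10.0.10.22 198.51.100.9 443 tcp
2014-09-10T09:01:00 10.0.10.15 203.0.113.7 443 tcp
2014-09-10T09:01:30 10.0.10.15 10.0.20.10 445 tcp
2014-09-10T09:01:31 10.0.10.15 10.0.20.11 445 tcp
2014-09-10T09:01:32 10.0.10.15 10.0.20.12 445 tcp
2014-09-10T09:01:33 10.0.10.15 10.0.20.13 445 tcp
2014-09-10T09:01:34 10.0.10.15 10.0.20.14 445 tcp
2014-09-10T09:01:35 10.0.10.15 10.0.20.250 445 tcp
2014-09-10T09:01:36 10.0.10.15 10.0.20.15 3389 tcp
2014-09-10T09:02:00 10.0.10.15 203.0.113.7 443 tcp
2014-09-10T09:30:00 10.0.10.30 10.0.20.10 445 tcp
2014-09-10T09:45:00 10.0.10.30 10.0.20.11 993 tcp
2014-09-10T09:59:00 10.0.10.30 10.0.20.12 80 tcp
"""

Event = Tuple[datetime, str, str, int, str]


@dataclass
class Verdict:
    host: str
    honeypots_hit: Set[str] = field(default_factory=set)
    peak_fanout: int = 0                      # most distinct internal dsts in any window
    external_peers: Set[str] = field(default_factory=set)

    @property
    def reasons(self) -> List[str]:
        out = [f"touched honeypot {h}" for h in sorted(self.honeypots_hit)]
        if self.peak_fanout > FANOUT_THRESHOLD:
            out.append(f"reached {self.peak_fanout} internal hosts within {WINDOW}")
        return out

    @property
    def quarantine(self) -> bool:
        return bool(self.reasons)


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")   # constructed: all of 10/8 is "our terrain"


def parse(log: str) -> List[Event]:
    events: List[Event] = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return sorted(events)


def analyze(log: str) -> Dict[str, Verdict]:
    """Return a Verdict per source host; Verdict.quarantine says whether to act."""
    verdicts: Dict[str, Verdict] = {}
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    for ts, src, dst, _dport, _proto in parse(log):
        v = verdicts.setdefault(src, Verdict(src))
        if not is_internal(dst):
            v.external_peers.add(dst)         # remembered as candidate C2
            continue
        if dst in HONEYPOTS:
            v.honeypots_hit.add(dst)
        window = recent[src]
        window.append((ts, dst))
        while window and ts - window[0][0] > WINDOW:   # slide the window forward
            window.popleft()
        v.peak_fanout = max(v.peak_fanout, len({d for _, d in window}))
    return verdicts


def containment_plan(verdicts: Dict[str, Verdict]) -> Dict[str, List[str]]:
    """Isolate flagged hosts and block the external peers they spoke to."""
    plan: Dict[str, List[str]] = {}
    for host, v in sorted(verdicts.items()):
        if v.quarantine:
            actions = [f"isolate {host}: deny all traffic except to {FORENSICS_COLLECTOR}"]
            actions += [f"block egress org-wide to {p} (candidate C2 seen from {host})"
                        for p in sorted(v.external_peers)]
            plan[host] = actions
    return plan


if __name__ == "__main__":
    verdicts = analyze(SAMPLE_LOG)
    for host, actions in containment_plan(verdicts).items():
        print(host, "->", "; ".join(verdicts[host].reasons))
        for action in actions:
            print("   ", action)
```

The benign peer 198.51.100.9 is never blocked because its host was never flagged; only external contacts of a quarantined host are treated as candidate C2. Note that the fan-out check is deliberately windowed so that a workstation legitimately touching a few servers over an hour (10.0.10.30) stays below the threshold, while the same count within minutes would be flagged.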

Using the Theory to Define a Relevant Defense Strategy

Many organizations still define their security strategy as “never allow any machine to get infected”. Besides being unrealistic and therefore bound to fail, this statement forces these organizations to wage war on the attacker’s preferred battlefield. This erroneous strategy directly dictates spending the security budget on endpoint security products such as Anti-Virus, solutions whose own creators have already admitted are irrelevant.

Organizations that have defined a relevant security strategy, on the other hand, accept that some of their machines will inevitably be infected and focus their efforts on preventing the attackers from reaching their core assets. As a result, they substantially reduce their spending on endpoint security and focus on solutions that provide visibility, intelligence and control over their network.

Conclusions

Applying the knowledge that mankind has gathered on warfare theory over millennia to the much younger cyber warfare domain is a smart move. Security professionals should put this theory to real use, not just as a brainy Sun Tzu quote decorating a security presentation. Specifically, knowing the theory can help defenders choose their battles correctly, and that choice can make the difference between triumph and defeat. Defenders should use their “strategic depth” to mitigate attacks not at the perimeter but deeper within their network, where they can leverage their strategic advantage. To do so, organizations need to rebalance their security portfolio and budget, concentrating more on defending the network and less on endpoint security.
