
How Can Cyber Defenders Regain the Advantage?

In traditional warfare theory, it is accepted that a defending force has an advantage over an attacker. In cyber warfare theory, however, the common wisdom claims strictly the opposite and gives the advantage to the attacker: "The attacker needs to exploit just one vulnerability to get in, while the defender needs to protect every way in."

This discrepancy caught the eye of Gartner analyst Dr. Anton Chuvakin in a recently published blog post. In this column I will try to settle the alleged contradiction and show how, by defining a relevant defense strategy and setting the correct goals, defenders can regain their inherent advantage.

"He who knows when he can fight and when he cannot, will be victorious." - Sun Tzu's warfare wisdom: use it (and not just as slide-deck decoration).

Force Concentration and Strategic Depth

In order to understand why the defender's advantage rule of thumb seems to fail in the cyber domain, let's examine its limitations on the actual battlefield. A known exception to this rule is guerrilla warfare.

Wikipedia defines the term of "Guerrilla warfare" in the context of the "Force concentration" as follows: "As they are usually the smaller in number an appreciation of force concentration is especially important to guerrilla forces, who find it prudent initially to avoid confrontations with any large concentrations of government forces. However, through the use of small attacks in out of the way areas, they may be able to lure their opponents into spreading themselves out into isolated outposts, linked by convoys and patrols, in order to control territory. The guerrilla forces may then attempt to use force concentrations of their own; using unpredictable and unexpected concentrations of their forces, to destroy individual patrols, convoys and outposts. In this way they can hope to defeat their enemy in detail. Regular forces may act in order to invite such attacks by concentrations of enemy guerrillas, in order to bring an otherwise elusive enemy to battle, relying on its own superior training and firepower to win such battles."

The key to the guerrilla attackers' success is to cause their more numerous opponents to spread their forces too thin. Having achieved that, the guerrilla attackers can choose the right place and time to strike, concentrating their forces on a single point where they locally outnumber the defenders and win.

To counter that, the defenders' strategy should strive to use their "Strategic Depth". According to Wikipedia, "Strategic depth is a term in military literature that broadly refers to the distances between the front lines and the combatants' industrial core areas, capital cities, heartlands, and other key centers of population or military production. The key precepts any military commander must consider when dealing with strategic depth are how vulnerable these assets are to a quick, preemptive attack or to a methodical offensive and whether a country can withdraw into its own territory, absorb an initial thrust, and allow the subsequent offensive to culminate short of its goal and far from its source of power." In other words, by applying "Strategic Depth", defenders move the battlefield from the front lines to a location where they have better control, yet still keep the attacker far enough from their critical assets.

Cyber Force Concentration and Cyber Strategic Depth

All of the warfare concepts mentioned above have their equivalents in the field of cyber warfare. Internet-connected endpoints are cyber warfare's "isolated outposts", while the organization's "critical assets" reside elsewhere, typically within the organization's data center. The exact nature of these "critical assets" is of course specific to the organization and may take the form of a customer details database, financial statistics, healthcare data or Point of Sale (PoS) machines. The distance between the "isolated outposts" and the "critical assets" is the "Cyber Strategic Depth". According to Mandiant, the typical cyber depth is considerable: APT intruders access approximately 40 systems on a victim's network.

Cyber attackers are in fact conducting guerrilla warfare and thus prefer to wage the battle at the "isolated outposts", the Internet-connected endpoints. This is where they hold the advantage and risk few of their resources, which ultimately allows them to keep attacking until their battle is won. From the attacker's standpoint, the endpoint battlefield consumes very few resources because of its generic nature, which allows the relevant attack weapons to be automated. The attackers' main weapon is the malware-bearing phishing email; Verizon's 2014 DBIR states that infecting users through a malware-bearing phishing campaign is still a highly effective method. Additionally, attackers enjoy what is called the "first mover advantage", which lets them evade Anti-Virus (AV) solutions: they can test their malware against all AV products before distributing it. Both sending phishing mail and creating a new malware variant can be highly automated, saving the attacker resources.

The thing to point out is that once attackers have successfully infected a machine and penetrated the victim's network, they are in uncharted territory that is under the defender's control. Here they must figure out where the target "core assets" are located and how to advance towards them. This is a largely manual, and therefore costly, process conducted in an environment that is hostile from the attacker's perspective. The defenders, on the other hand, can now leverage a familiarity with the "terrain" that the attackers lack, either by passively detecting anomalous patterns (for example, a workstation that suddenly starts talking to internal hosts it never contacted before) or by actively planting landmines and honeypots for the attackers. As a result, the defenders can mitigate the attack by quarantining the infected machines from the network, cutting their communication lines to the malware's Command and Control and stopping them from either spreading or retreating. Not only is the malware's immediate risk addressed; the malware is turned into a "sitting duck", waiting in paralysis for inspection by the defender's forensic and disinfection tools.
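As an added illustration of the terrain advantage described above (this is example code written for this page, not code from the column or from any product or report it mentions): a defender who already knows which internal hosts normally talk to each other can flag the infected "outpost" the moment it starts probing, and a decoy host that nothing legitimate ever contacts turns the attacker's reconnaissance into a high-fidelity alert. The flow-log format, the baseline, the decoy address, the sample records and the fan-out threshold are all constructed assumptions.

```python
"""Toy terrain-aware lateral movement detector over constructed flow records.

Added illustration for this column; not code from the original article or
from any vendor or report mentioned in it. The flow-log format, baseline,
decoy address and threshold are assumptions made for the example.
"""
from collections import defaultdict

# Constructed baseline: the defender knows the terrain. Each workstation
# normally talks only to the domain controller (10.1.0.5) and the file
# server (10.1.0.6); any other internal destination is unexpected.
BASELINE = {
    "10.1.1.10": {"10.1.0.5", "10.1.0.6"},
    "10.1.1.11": {"10.1.0.5", "10.1.0.6"},
    "10.1.1.12": {"10.1.0.5", "10.1.0.6"},
}

# Constructed "landmine": a decoy host that no legitimate process ever
# contacts, so a single connection to it is a high-fidelity alert.
DECOYS = {"10.1.0.99"}

# Constructed internal flow records: "<timestamp> <src> <dst> <dport>".
# 10.1.1.12 is the infected outpost probing for the core assets.
FLOWS = """\
2014-06-01T10:00:01 10.1.1.10 10.1.0.5 88
2014-06-01T10:00:02 10.1.1.10 10.1.0.6 445
2014-06-01T10:00:03 10.1.1.11 10.1.0.5 88
2014-06-01T10:00:04 10.1.1.12 10.1.0.5 88
# comment line, skipped by the parser
2014-06-01T10:05:00 10.1.1.12 10.1.1.10 445
2014-06-01T10:05:01 10.1.1.12 10.1.1.11 445
2014-06-01T10:05:02 10.1.1.12 10.1.0.7 445
2014-06-01T10:05:03 10.1.1.12 10.1.0.99 445
""".splitlines()


def parse_flow(line):
    """Parse one flow record; return None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def detect(flow_lines, baseline=BASELINE, decoys=DECOYS, fanout_threshold=3):
    """Return alerts found in the flows.

    Two signals that the defender's knowledge of the terrain makes cheap:
      ("decoy_contact", src, dst, dport)    - the landmine was stepped on
      ("lateral_fanout", src, count, peers) - a host reached at least
          fanout_threshold internal peers outside its baseline
    """
    alerts = []
    new_peers = defaultdict(set)
    for line in flow_lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        _ts, src, dst, dport = rec
        if dst in decoys:
            alerts.append(("decoy_contact", src, dst, dport))
            continue
        if dst not in baseline.get(src, set()):
            new_peers[src].add(dst)
    for src, peers in sorted(new_peers.items()):
        if len(peers) >= fanout_threshold:
            alerts.append(("lateral_fanout", src, len(peers), sorted(peers)))
    return alerts


def quarantine_set(alerts):
    """Hosts to isolate: cut them off from the network and from their C2."""
    return sorted({alert[1] for alert in alerts})


if __name__ == "__main__":
    found = detect(FLOWS)
    for alert in found:
        print(alert)
    print("quarantine:", quarantine_set(found))
```

Running the block flags 10.1.1.12 twice, once for touching the decoy and once for fanning out to three hosts it has no business talking to, and lists it as the single machine to quarantine. The baseline and decoy are only useful because the defender maintains them; the attacker, working blind inside the network, cannot tell a real file server from a landmine.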

Using the Theory to Define a Relevant Defense Strategy

Many organizations still define their security strategy as "Never allow any machine to get infected". This statement, besides being unrealistic and thus bound to fail, forces these organizations to wage war on the attacker's preferred battlefield. This erroneous strategy directly dictates spending the security budget on endpoint security products such as Anti-Virus solutions, solutions that their own creators have already admitted to be irrelevant.

On the other hand, organizations that have defined a relevant security strategy accept the fact that some of their machines will inevitably be infected and focus their efforts on preventing the attackers from reaching their core assets. As a result, they significantly reduce their spending on endpoint security and focus on solutions that provide visibility, intelligence and control over their network.

Conclusions

Applying the knowledge that mankind has gathered on warfare theory over millennia to the much younger cyber warfare domain is a smart move. Security professionals should put this theory to real use, not just as a brainy Sun Tzu quote decorating a security presentation. Specifically, knowing the theory can help defenders choose their battles correctly and can make the difference between triumph and defeat. Defenders should use their "Strategic Depth" to mitigate attacks not on the perimeter but deeper within their network, where they can leverage their strategic advantage. To do so, organizations need to rebalance their security portfolio and budget, concentrating more on defending the network and less on endpoint security.

Tal Be’ery is VP of Research at Aorato, protecting organizations through entity behavior. Previously, Tal led the Web security research team at Imperva’s Application Defense Center (ADC). Before that, Tal managed various security project teams in the defense industry. Tal holds a B.Sc and an M.Sc degree in Electrical Engineering and Computer Science and is a Certified Information Systems Security Professional (CISSP).