Too Many Organizations Focus on the Means, Rather than the Ends
I’m sure we’re all familiar with the famous question that asks “Do the ends justify the means?” While this question is believed to be more than two thousand years old, I believe we can learn an important information security lesson from studying it. Over the course of my career, I have observed that in the case of the modern attacker, the answer to this question is yes. What do I mean by this statement? I’ll elaborate.
Let’s begin by looking at this question from a slightly different perspective — one that as security professionals, most of us can all relate to. For those of us who have worked in security operations and incident response for a while, we’ve seen that an attacker will use whatever means are necessary to accomplish a given end. In other words, to execute the attacker’s objectives, he or she will take whatever path will lead to success.
Although this famous question is traditionally asked in a moral context, that is not my purpose or place here. Rather, if we dissect this question analytically, we find that it provides us a model we can use to improve our respective security postures. To better understand what I’m getting at, let’s abstract security into a different model inspired by this question: the ends and the means.
Unfortunately, in security, we focus almost entirely on the means. Perhaps ironically, it is the ends that we should instead be focused on. What do I mean by this? If we go back to first principles and think about risk mitigation, it should become clearer. Allow me to illustrate through a few examples.
Internet of Things (IoT)
We’ve all been hearing a lot lately about IoT. There is plenty of buzz and hype surrounding IoT, and in fact, infected IoT devices have been blamed for several recent DDoS attacks. There is no question that building security into IoT devices will remain an important topic for years to come.
I’d like to offer a different perspective when it comes to IoT. If you’re a defender, you’re may be struggling to make sense of IoT. You may get drive-by enquiries from management. Or, perhaps you see IoT devices being deployed around the enterprise and are wondering what steps were taken to secure them, if any. Perhaps you are also wondering how to include IoT under the umbrella of your existing security program.
These are all valid concerns, and I believe that, for the defender, the answers lie in focusing on the ends, rather than the means. Compromising IoT devices is a means for an attacker. When we shift to focusing on the ends, the questions we need to ask ourselves evolve. What is the attacker after? What is the risk that poses to the organizations? For example, we may conclude that the attacker is looking to IoT as a launch point for theft of sensitive data, or perhaps for DDoS attacks against others. In either case, focusing on the ends allows us to adapt our security program to mitigate these risks through monitoring and response. This is something that might not have been inherently obvious to us had we remained focused on the means.
In just about every meeting I have these days, organizations are talking about their move to the cloud. Regardless of where a particular organization is in this process, the novelty of the cloud means that there isn’t a lot of prior security experience to build on. That can make securing an enterprise in transition seem like a daunting task. Until we shift our focus to the ends, that is.
When we look at the cloud as a means for an attacker to steal data, disrupt business, commit fraud, or any number of possible outcomes, our perspective shifts. Instead of trying to protect the cloud like we protect a traditional enterprise network, we move to focusing on mitigating the risks that could result from unauthorized access to information or resources in the cloud.
Within this framework, we move to understanding how we can mitigate risk through monitoring and response. We look to collect important telemetry data from our cloud environment and seamlessly integrate it into our existing security analytics capabilities. We look to the endpoint to regain visibility lost in the move away from the traditional enterprise network. We look to understand and monitor our hosted applications even better than we understood and monitored our enterprise applications. All of this towards the goal of focusing on the ends.
It will likely surprise no one that attackers are still leveraging spear phishing as a means into an organization quite regularly. Sometimes, people ask me why this is the case. In my opinion, the answer is quite simple: it’s easy and it works. Spear phishing seems to be one of the favorite ways attackers gain a foothold inside an organization for the purpose of compromising credentials, moving laterally, acquiring information, exfiltrating data, and other types of nefarious activities.
Unfortunately, all too many organizations focus on the means, rather than the ends. This causes them to run around chasing one campaign after the next, burning many valuable analyst cycles in the process. Am I saying we shouldn’t try to prevent or better understand spear phishing attacks? Of course not. By all means, we should. But when campaigns sneak through our defenses, our attention needs to turn to the ends.
When we look at what attackers do after they use spear phishing as a means, we see that they generally use any compromised assets as a launch point to burrow deeper into the organization. From there, they look to execute various different objectives, such as the ones I enumerated above. Examining the problem from the perspective of the ends instructs us to focus more on detecting and eradicating the attackers before they are able to cause grave damage, and less on chasing after the latest campaigns.
There is certainly no limit to the examples we could enumerate here to illustrate the point. No matter what the means, focusing on the ends can help us steadily mitigate risk, even in a dynamic environment. Different types of means come and go as attackers continually adapt their tactics to accomplish their end goals and ensure their success. The trick is to think more broadly about the risk we’re trying to mitigate, rather than getting distracted and instituting one-off policies and solutions to new means that may arise. For an attacker, the ends always justify the means. As defenders, we need to take a lesson from that.