
Think Like an Attacker for Better Defensive Capabilities

To Breach Your Organization Hackers Only Need to be Right Once. Make Sure that One Time isn’t on Your Watch by Thinking like a Bad Guy

Whether you subscribe to the theory “defense wins the day” or “the best defense is a good offense,” there is one undeniable fact: in order to be successful, you need a solid understanding of, and appreciation for, both sides of the equation. The best way to anticipate a move by an adversary is to put yourself in their position and ask, what would I do in the same situation? Studying the ways in which you would attack a given situation provides a strategic advantage when planning your defense.

It’s actually a pretty simple approach and one that we all apply in our everyday lives without a great deal of thought or energy. For example, every time you park your car you take a moment to conceal anything of value from sight, lock the doors and hit the alarm. Or how about the process you undergo when leaving the house to go on a vacation? After ensuring nothing has been left behind, if you are at all like me, you take a walk through the house checking that all the windows are locked, the doors secured, nothing of value is visible and there are no other inviting signs to a would-be intruder. When we do these things, we are thinking like an attacker or criminal and viewing our valuables through their lens. However, for whatever reason, when it comes to IT security, we often fail to take this approach. As a result, we leave our networks and personal computing devices exposed.

Think Like an Attacker

There is a reason enterprise companies and security consultants spend a great deal of money every year hiring hackers to try and break through their defenses. Going on the offensive and approaching the network from the position of an intruder is the best way to identify any holes or shortcomings in security. There are always going to be gaps in security; it is better to find them yourself first than to risk a hacker happening onto the vulnerability.

Of course, there is a caveat to this approach. Unlike walking around your home and taking stock of an open window or an unlocked door, identifying holes in network security takes a well-trained security professional with a sophisticated tool set. However, that should not change the mentality with which we approach the problem. Evaluate security from the viewpoint of a skilled attacker rather than assuming you’ve done enough after shoring up the perimeter.

To make a point about security, I often turn to sports analogies as they offer straightforward examples free from the technology speak (to which many a successful program has fallen victim). In this case, let’s take a look at the NFL, as football offers great examples of pure offense vs. defense. When a brilliant defensive or offensive coach is planning to beat an opponent, they spend a significant amount of time considering how the other side will react to their schemes. To simply roll out a defensive formation and say “try and beat this” without giving serious consideration as to how the offense from the other team will attack is a recipe for certain disaster. The same holds true in the world of network security.

I would advise any of our clients to adopt this mindset as they evaluate their security programs and to hold their security teams accountable. If you are a CISO or director of security within an enterprise organization, don’t simply accept what your team is telling you they are doing. Ask the tough questions, because their answers will enable you to strengthen your security. When a team member provides an update on the installation of a new security system or protocol, ask them how they would attack based on current defenses. What would they look for to signal a potential vulnerability or entry point? Do they foresee a scenario where a hacker could out-duel defenses and find a way into the system? This is the type of information that ultimately closes security gaps and fortifies the defenses.

As anyone in this industry can tell you, there is no such thing as being 100 percent secure. It’s more about the path and the progression, and hoping to stay one step ahead of the opposition. Continually challenging ourselves to think the way the hackers do is one way to make this goal a reality. Don’t spend time congratulating yourself on how well you’ve fortified your defenses; use that time to ask yourself where the weak points are and how you would go about breaking in.

As we often say in security, we need to be correct 100 percent of the time while a hacker only needs to be right once. Make sure that one time isn’t on your watch by thinking like a bad guy.
