Whether you subscribe to the theory “defense wins the day” or “the best defense is a good offense,” there is one undeniable fact: in order to be successful, you need a solid understanding of, and appreciation for, both sides of the equation. The best way to anticipate a move by an adversary is to put yourself in their position and ask, what would I do in the same situation? Studying the ways in which you would attack a given situation provides a strategic advantage when planning your defense.
It’s actually a pretty simple approach and one that we all apply in our everyday lives without a great deal of thought or energy. For example, every time you park your car you take a moment to conceal anything of value from sight and lock the doors and hit the alarm. Or how about the process you undergo when leaving the house to go on a vacation? After ensuring nothing has been left behind, if you are at all like me, you take a walk through the house checking that all the windows are locked, the doors secured, nothing of value is visible and there are no other inviting signs to a would-be intruder. When we do these things, we are thinking like an attacker or criminal and viewing our valuables through their lens. However, for whatever reason, when it comes to IT security, we often fail to take this approach. As a result, leave our networks and personal computing devices exposed.
Think Like an Attacker
There is a reason enterprise companies and security consultants spend a great deal of money every year hiring hackers to try and break through their defenses. Going on the offensive and approaching the network from the position of an intruder is the best way to identify any holes or shortcomings in security. There are always going to be gaps in security, better to find them yourselves first rather than risk a hacker happening onto the vulnerability.
Of course, there is a caveat to this approach. Unlike walking around your home and taking stock of an open window or an unlocked door, identifying holes in network security takes a well-trained security professional with a sophisticated tool set. However, that should not change the mentality in which we approach the problem. Evaluate security through the view point of a skilled attacker versus assuming you’ve done enough after shoring up the perimeter.
To make a point about security, I often turn to sports analogies as they offer straightforward examples free from the technology speak (to which many a successful program has fallen victim). In this case, let’s take a look at the NFL, as football offers great examples of pure offense vs. defense. When a brilliant defensive or offensive coach is planning to beat an opponent, they spend a significant amount of time considering how the other side will react to their schemes. To simply roll out a defensive formation and say “try and beat this” without giving serious consideration as to how the offense from the other team will attack is a recipe for certain disaster. The same holds true in the world of network security.
I would advise any of our clients to adopt this mindset as they evaluate their security programs and to hold their security teams accountable. If you are a CISO or director of security within an enterprise organization, don’t simply accept what your team is telling you they are doing. Ask the tough questions, because their answers will enable you to strengthen your security. When a team member provides an update on the installation of a new security system or protocol, ask them how they would attack based on current defenses. What would they look for to signal a potential vulnerability or entry point? Do they foresee a scenario where a hacker could out-duel defenses and find a way into the system? This is the type of information that ultimately closes security gaps and fortifies the defenses.
As anyone in this industry can tell you, there is no such thing as being 100 percent secure. It’s more about the path and the progression, and hoping to stay one step ahead of the opposition. Continually challenging ourselves to think the way the hackers do is one way to make this goal a reality. Don’t spend time congratulating yourself on how well you’ve fortified your defenses, use that time to ask yourself; where the weak points are and how you would go about breaking in?
As we often say in security, we need to be correct 100 percent of the time while a hacker only needs to be right once. Make sure that one time isn’t on your watch by thinking like a bad guy.
By Mark Hatton