{"id":2456,"date":"2018-11-08T17:47:00","date_gmt":"2018-11-08T17:47:00","guid":{"rendered":"https:\/\/www.clockwork.com\/?p=2456"},"modified":"2022-11-21T22:21:24","modified_gmt":"2022-11-21T22:21:24","slug":"changing-how-we-think-about-cybersecurity-creating-the-attackers-dilemma","status":"publish","type":"post","link":"https:\/\/www.clockwork.com\/insights\/changing-how-we-think-about-cybersecurity-creating-the-attackers-dilemma\/","title":{"rendered":"Changing how we think about cybersecurity: Creating the attacker\u2019s dilemma"},"content":{"rendered":"\n

I was at a conference recently at which Tim Crothers delivered the keynote. Tim has worked as a breach investigator for the better part of his career. He joined Target after their 2013 breach and currently leads their cyber security team. I got to hear him flip an information security paradigm on its head.<\/p>\n\n\n\n

\u201cThe <\/em>defender\u2019s dilemma<\/em><\/a> states that breaches are inevitable because defenders have to be right 100% of the time whereas attackers only have to be right once.\u201d<\/em><\/p>\n\n\n\n

That\u2019s not empowering. As someone that advises clients, that\u2019s not how I want them to approach their security. As a consumer, it\u2019s not how I want organizations to think about securing my own personal data.<\/p>\n\n\n\n

There is another way, and it starts by understanding what a breach means. A breach happens when data, from an individual or organization, is illegally copied. That\u2019s known as exfiltration. It\u2019s only possible when an attacker gets a foothold on a system. And that open window, between the foothold and exfiltration, is where the true failure happens.<\/strong><\/p>\n\n\n\n

Organizations tend to focus their spend on prevention. While prevention can be effective at mitigating known vulnerabilities, it\u2019s the unknown vulnerabilities that should be of most concern. Since 2013, the Carbanak FIN7 syndicate has been connected to almost every major breach in the banking, hospitality, and retail industries. They\u2019re professionals, persistent, and creative \u2013 they use attack vectors that no one has ever thought.<\/p>\n\n\n\n

When an organization is not aware of prevention failures, it\u2019s a sign that there\u2019s a lack of detection capabilities. That\u2019s evident with the time attacker\u2019s have had in the breaches we\u2019re seeing today. Tim said that it\u2019s likely many breaches have gone unreported over the years. And only with the introduction of disclosure laws have we started to understand the wide-scale magnitude of breaches.<\/p>\n\n\n\n

My big takeaway: Prevention protects you from what you know, but not from what you don\u2019t<\/em> know.<\/strong><\/p>\n\n\n\n

Creating the attacker\u2019s dilemma<\/h2>\n\n\n\n

If an organization is to deal with risk and uncertainty, it shouldn\u2019t have to adopt a defeatist mentality. It can start by weaving cyber security awareness into the company culture, earmarking an appropriate budget, striving for continuous improvement, adopting a mindset that emboldens.<\/p>\n\n\n\n

Creating the attacker\u2019s dilemma starts by asking this question: \u201cHow might we quickly detect prevention failures so that we can minimize the window that a foothold can be exploited?\u201c<\/p>\n\n\n\n

The new paradigm:<\/h3>\n\n\n\n

\u201cAttacker’s dilemma forces an attacker to exfiltrate data without tripping a single detection instrument.”<\/em><\/p>\n\n\n\n

What I love about reframing the defender\u2019s dilemma is that it assumes prevention failures will happen. That\u2019s more realistic because it\u2019s already happening. Imagine having a detection net that sends timely alerts on prevention failures. The game turns into response, containment, and engaging attackers head-on.<\/p>\n\n\n\n

The approach to creating the attacker\u2019s dilemma<\/h2>\n\n\n\n