There is a very active discussion going on in security circles about understanding adversaries and how that impacts security strategy. I have taken a contrarian position in this argument and have stated that, in the scheme of things, I do not believe that you need to waste time understanding your enemy.
What I think matters most is what needs to be secured and how it needs to be secured. This post is to discuss my rationale for this approach and relies on my prior post regarding The Fort Knox Approach to Security.
Sun Tzu famously said it was important to, “Keep your friends close and your enemies closer.” The biggest difference with cyber-attacks is that the enemy are true mercenaries in that they come together because of an interest in a target, an interest in achieving their own particular goal, such as proving they are the best hacker or social engineer, or just because.
As a result, when your enemies can number in the hundreds or even thousands and have their own potentially unique motives for why they are attacking, it is near to impossible to do an analysis of the enemy, such as Sun Tzu suggests, that provides you with any sort of significant defensive advantage.
But what about advanced persistent threat (APT) attacks? There is usually a common actor in APT, either a competitor, organized crime or a government. However these sponsors usually hire the technical “muscle” for the actual attack. The backer of the APT attack provides these mercenaries with a list of information they wish to be retrieved from the target organization(s).
So while APT can provide you with a traditional enemy, that enemy is obscured by the mercenaries actually conducting the attack. Again, an analysis of the enemy provides limited to no advantage in your defense because you only see the mercenaries, not the sponsor.
But I think the biggest nail in the coffin for enemy analysis is related to attack strategies. When reports from Verizon, Trustwave and other forensic examination firms consistently report that the same basic attack strategies are successful, it does not matter who the enemy is and why they are attacking when anyone from a neophyte to expert can break into your systems because of the same stupid mistakes or human errors. By the time you have the enemy analysis done, your organization’s information is long gone.
In my opinion, ‘WHAT’ is more important in that organizations understand ‘WHAT’ information they need to protect and then go about appropriately protecting it. If that sounds familiar, it should because that was the basis of my Fort Knox post. If you think about it, a Fort Knox strategy does not worry about ‘WHO’ is trying to get the gold, it is all about protecting the gold regardless of ‘WHO’.
The bottom line is that in a cyber-attack, ‘WHO’ is attacking you is irrelevant. You do not need to waste your time figuring out ‘WHO’ the attacker is and what are their motives. It is all about your information that they wish to obtain.
So stop wasting time on enemy analysis and start properly protecting your organization’s critical, sensitive information. I think you will find that the Fort Knox strategy will make your security efforts much more easy to implement and maintain.
UPDATE: In a brief moment of clarity on my part, I realized after making this post that the Fort Knox security approach is just another way of looking at the ‘Zero Trust’ security model that was proposed by John Kindervag of Forrester a while back. See my earlier posts on the Zero Trust security approach for more information.
Cross-posted from PCI Guru