A cyberattack takes place somewhere in the world every 39 seconds. Organisations are being forced into shelling out millions in response to financially motivated attacks and the cost to organisations to fix breaches will go into the trillions this year.
So, why are we losing this battle so dramatically? What is it that attackers are doing better than those tasked with protecting us? Most importantly, how will we, as defenders, beat them?
Well, the answer lies in the very nature of what it means to be a hacker.
A hacker is not necessarily a criminal. It’s more of a mindset. Adopting this mindset is the only way defenders will rise against the growing threat of cybercrime, and organisations will effectively ward off attacks. We certainly shouldn’t idolise criminally motivated hackers – but the industry could learn a lot from their strategies.
Invest money where it matters
Companies and defenders need to re-evaluate their approach to cybersecurity technology, systems and processes. We continually reinvest in the same sort of thing, almost indistinguishable from one another, with discounts only available if you buy in bulk or if you invest in the vendor’s technology stack over a longer period.
We also largely ignore open-source technologies as they don’t tick procurement boxes or have good enough UIs, and we tend to measure value by version number rather than analysing whether a tool actually solves the problem we’re facing. Top right doesn’t mean best fit.
Hackers, on the other hand, have the ability to migrate or change tooling instantaneously. If something doesn’t work today, it’s gone tomorrow. This agility, combined with close attention to what works and what doesn’t, is missing from defence strategies. We have become victims of our own processes and of standardisation in an arena where there are no rules.
Curiosity beats KPIs
Cybersecurity is too often treated like any other office job. The market has made it mundane. Security experts clock in and clock out, collect their salaries, follow their KPIs, and focus on a fixed and defined career progression path. They collect the growing number of certifications and qualifications to open new doors, and there are very high recruitment gates as a result. To put it simply, the field has been genericised.
As a result, the goals defenders pursue are all wrong. Hackers are driven by natural curiosity, regularly stepping out of their comfort zone and perfecting their art. They don’t have to concern themselves with KPIs. Instead, their key focus is gaining the right knowledge and experience to become better. They will often take months off to do nothing other than hide away and become experts in their field. Companies, on the other hand, are still failing to deliver a constant learning cycle for cybersecurity departments. In a constantly evolving landscape, not providing regular learning outside of a siloed vendor or domain focus is counterintuitive at best – and dangerous at worst.
Hackers also face an occupational hazard: a very tight feedback loop. If they’re bad at hacking, the company they’re attempting to attack will block them and their tools immediately, and they could lose months of effort in the process. Meanwhile, this kind of feedback is far less clear on the defence side; organisations are trying to tick compliance boxes rather than ensure they have the best possible line of defence against an extremely talented army of attackers.
Instilling a purpose
Recently, a headline read that a ransomware family had just secured $5.2 billion. This is an insane amount of money split between perhaps 20 to 30 people. But contrary to popular belief, the majority of this money will likely be reinvested in perfecting their attacks and tooling. Or, in a recent example, FIN7 created an entirely new fake “cybersecurity” company to perpetuate attacks (see https://therecord.media/cybercrime-gang-sets-up-fake-company-to-hire-security-experts-to-aid-in-ransomware-attacks/).
Meanwhile, security in enterprises is seen as more of a grudge purchase, and defenders receive no reward for the number of attacks they were able to stop in any given month.
Of course, financial reward is not the sole motive for attackers or defenders, but the key message is that attackers are organisations driven by a purpose, whether that’s to make money or to make a point.
It’s odd to view these cybercriminals as an organisation – but ‘organised crime’ involves some level of company-style management. Oddly, their company culture is something to learn from too.
Their focus is solely on winning, and that is everyone’s job within the ‘organisation.’ Discrimination is not a thing. Diversity is championed and valued – as long as their focus is on winning.
On the defence side, the focus is on ‘not losing’, which sets a pretty negative precedent right from the start. Unfortunately, the industry also lacks diversity, and it would benefit from making diversity a priority.
Also, the defender’s focus is ‘I am defending an organisation.’ This is quite vague and doesn’t really offer much by way of inspiration. Organisations would do well to instil a more direct purpose, such as ‘I’m defending people across the country, because if this organisation gets hacked, we won’t be able to pay their life insurance policy when a loved one passes away, or they won’t be able to receive medical treatment.’ This turns ‘trying not to lose’ into saving lives, which is far more positive, motivational and accurate. It goes beyond the ‘killer ware’ FUD that has gained marketing attention, but the underlying concept is the same.
Company meetings, mandatory training, and Zoom "kumbaya" sessions – they have all become distractions from the main mission: defend the organisation. Attackers don’t experience this diversion of attention, and while it’s important to keep the cybersecurity department an integral part of the company and its culture, their mission needs to be put above irrelevant distractions.
Attackers have a singular goal: attack an organisation and monetise the attack. Defenders need an equally singular goal (i.e., defend the organisation from attacks). Instead, their role is to ensure that whatever they do takes the company’s wider missions into account. On a battlefield, this would seem ludicrous; they’re being directed to defend against arrows and swords while filing paperwork!
Banks are often criticised for moving too slowly, and not adapting to the modern times. When it comes to cybersecurity, most organisations are just as leisurely.
Cybersecurity departments are not the same as accounts receivable. Their unique mission compared to other areas of business means they need to be treated in a different fashion. Avoiding this generalisation is the only way to defend against the growing army of cybercriminals.
‘Thinking like a hacker’ is not helping. If you tell a swimmer to think like a fish, you’re unlikely to see much improvement. But adopting the mindset of a hacker, living it each and every day, using more autonomy – that’s how defenders will really rival the growing threat of cyberattacks.