ra2 studio - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

Can thinking like cyberattackers improve organizations' security?

Getting in the minds of cyberattackers can help organizations mount better defenses against attacks. Here are some ways to accomplish this.

It's becoming increasingly important for security leaders to think like cyberattackers, which lends to new defenses and security techniques for enterprises. And while enterprises may never fully be ahead of attackers, they can at least be better prepared. Clearly it's important to secure company data from multiple attack vectors, but beyond this, what specific steps can security leaders take to provide better attacker-minded defenses?

Hackers attack for a variety of reasons, including for fun, financial gain, retribution, espionage or for no particular reason at all. Regardless of the reason, enterprises need to know their attackers and the techniques they use to exfiltrate valuable data.

In The Art of War, Sun Tzu states, "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

The major difference between Sun Tzu's message and today is that cybersecurity is predominantly defensive. Enterprises do not go after hackers or cyberattackers. They are too busy running a business and maintaining a productive, secure IT environment to support that effort. But are there better attacker-minded defenses we need to consider and deploy to strengthen cybersecurity protections? Having an attacker-minded defense is a good defense.

Know the enemy: Who are the attackers? What is their motive for targeting your organization? What techniques do they use to gain unauthorized access or launch destructive attempts, such as denial of service attacks? The attacker landscape for enterprises consists predominantly of criminals, underground hackers, insiders and state-backed hacking groups.

The 2015 PWC Global State of Information Security Survey states the "total number of security incidents detected by respondents climbed to 42.8 million" in 2014 -- a 48% increase over 2013. Not surprisingly, the report also finds, "insider crimes are the most costly or damaging than incidents perpetrated by outsiders." Insiders have time, access and knowledge to their favor, but outsiders clearly get the most press. In spite of the insider threat, the 2015 ISACA Cybersecurity Status Report stated that 55% of respondents expressed concern over corporate reputation.

Know yourself: What do attackers want from your organization? The obvious targets are large corporations, especially in the government, financial and retail industries, but many fail to realize that others, such as SMB's with less critical enterprises, are targets for use of their resources to attack others. Some specific steps to help protect your organization include:

  • Implement protection measures to secure critical assets commensurate to enterprise risks.
  • Correlate log data, their sources and types of attacks to identify where to strengthen controls.
  • Join other enterprises and participate in threat intelligence groups to share and learn how to identify attack vectors and protect your environment.
  • Establish a strong and well-vetted incident response program to restore capably to normalcy in the event of a major incident or attack.
  • Implement a continuous monitoring process that alerts you to unusual activity externally and internally.
  • Develop a security awareness program that trains employees, including executives, on a periodic basis.
  • Report to management the state of security on a recurring basis.

Cyberattacks are unrelenting. The PWC Information Security Study stated that in 2014, the 42.8 million incidents translated to 117,339 incoming attacks every day. In comparison, this same study reported 3.4 million incidents in 2009. But, as Sun Tzu said, "You need not fear the result of a hundred battles." Attacks can be, and for the most part are, thwarted with existing protection systems, such as next-generation firewalls and intrusion prevention systems (IPS). However, they must not be neglected or overly relied on for continuous protection.

Perhaps your organization has not experienced a breach and believes existing controls are sufficient, but these cyberattacks evolve and become more sophisticated every day.

"If you know neither the enemy nor yourself, you will succumb in every battle," Sun Tzu said. Expect to be a target. Implement protection schemes based on the business model, risks and value of critical data. Review attacks experience from your log analysis tools -- SIEM and IPS -- and determine how your company is being attacked. These will help organizations understand how to deploy the proper protection scheme. There is no such thing as absolute security, but if you don't think like cyberattackers or know your pain points, the results will undoubtedly be unfavorable.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn when enterprises need to deploy DLP products and how footprinting can help predict attacks.

This was last published in July 2015

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments