Longtime readers of this blog (thank you!) know that for the past several years, I have been coaching the basketball teams of both of my children.
When the kids were really little, it was mostly about teaching fundamentals and getting them comfortable with the rules of the game. However, now that my son is playing with middle school kids, all of that has changed.
How? One word: puberty.
Some of the players are already above average in height relative to full grown adults! When compared to most of their peers, they are noticeably gigantic.
Such was the case earlier this season when we played a team that had a 5’10” sixth grader, a roughly 20% size advantage over a typical 12-year-old. The first time I saw this kid I assumed he was an assistant coach.
He may as well have been – he scored 30 points against us. Our boys were unable to even slow him down, let alone stop him.
Last week, though, we played his team again and we fared much better.
We did so by applying a simple strategy, something we practiced in the days leading up to the game: Take away his easy shots by double-teaming; make him go to his second or third best options.
They still beat us! But we were able to limit him to just 10 points and we kept it a close game.
Commercial Hackers Want Easy Wins
Like size-advantaged basketball players, commercial hackers are looking for the easy wins. They want to make as much money as possible in the shortest amount of time and with the least amount of effort.
They are not after you in particular, which means that if you make it harder for them by raising the cost of an attack, you will no longer be their first option and they will simply move down the road to find an easier target.
“Making it harder” means taking the kinds of fundamental steps we have been suggesting for years. Things like…
This list is by no means comprehensive! But the items on it represent some of the basic safeguards and systems that every organization should have in place.
Overall, when it comes to protecting against standard, commercial attacks, you are a player in an arms race against every other organization those attackers could hit instead. Your goal is to raise the attacker's cost of compromising you relative to other potential victims.
State-Sponsored Attacks Are Different
If commercial attackers are like muggers on the street in search of an easy mark, state-sponsored attackers are home invaders that have targeted a particular residence in search of specific resources.
That may include data, money, or anything else of value. It may also involve wreaking havoc for its own sake, by shutting down an electrical grid (for example) or releasing sensitive information into the world at large.
Whatever the specifics, state-sponsored attackers are more highly skilled and, since they are interested in you in particular, have a greater incentive to find a way in.
The challenge here is that you don’t really know if you are a potential target for this kind of attack. You may assume you have nothing of value, but maybe you are a vendor whose client is the target. Or maybe your product is broadly used by a customer segment that is of interest.
In these cases, all of the typical protection-focused cybersecurity advice mentioned above is necessary, but not sufficient. If you are being targeted, monitoring and notification are the key, so you can at least catch the bad guys in the act and mitigate the damage.
Additional Steps to Consider
You cannot stop what you cannot see, so strong detection tools are paramount. Such as…
Outbound traffic monitoring. There are many ways to keep an eye on what leaves your organization; at minimum, watch the egress traffic on the firewalls in front of your corporate network and your cloud services. The bad guys may already be in, but if you can spot and cut off their connections back out (command-and-control check-ins, data being exfiltrated), you can stop a lot of potential damage.
Endpoint Detection and Response (EDR). Rather than simply applying a static approach of looking for malware that matches a known signature (the way standard Anti-Virus works), EDR looks at behavioral patterns on the endpoint. When it detects suspicious behavior, it either blocks the activity or alerts on it, and it keeps the telemetry needed to investigate afterward.
Managed Detection and Response (MDR) or a Security Operations Center (SOC). These services monitor the behavior of your environment, including your EDR solution, your network, and your cloud hosting platforms. The organization is notified if anomalous behavior (e.g., unusual access of privileged resources) is detected.
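To make the outbound-monitoring item concrete, here is an added example (not code from the original post) of three simple detections run over firewall egress logs: connections to destinations outside an approved list, hosts that check in with the same destination at a near-constant interval (the rhythm an implant produces when it phones home), and single connections that push an unusual volume of data out. The log format, the sample lines, the approved network list and the thresholds are all constructed assumptions for illustration; a real deployment would feed the same logic from the firewall or SIEM you actually have.

```python
"""Egress-monitoring detections over constructed firewall log lines.

Added example, not from the original post. The log format, the approved
destination networks and the thresholds are assumptions chosen for
illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed sample (not captured from any real device). Fields:
# timestamp, source host, destination IP, destination port, bytes sent.
# host-17 checks in with an unknown host once a minute (beaconing),
# host-22 sends ~90 MB to an approved cloud service (bulk exfiltration),
# host-05 opens SSH to an unknown host (unapproved destination).
SAMPLE_LOG = """\
2024-03-04T09:00:00Z host-17 192.0.2.50 443 1200
2024-03-04T09:01:00Z host-17 192.0.2.50 443 1180
2024-03-04T09:02:01Z host-17 192.0.2.50 443 1210
2024-03-04T09:03:00Z host-17 192.0.2.50 443 1190
2024-03-04T09:04:00Z host-17 192.0.2.50 443 1205
2024-03-04T09:00:12Z host-22 198.51.100.7 443 540
2024-03-04T09:26:40Z host-22 198.51.100.7 443 3100
2024-03-04T10:13:45Z host-22 198.51.100.7 443 90210000
2024-03-04T09:17:03Z host-05 203.0.113.9 22 2200
"""

# Assumed allowlist: destination networks the business is known to use.
APPROVED_NETWORKS = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    port: int
    nbytes: int


def parse_log(text):
    """Parse the space-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        # fromisoformat() on older Pythons rejects a trailing 'Z'.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(stamp, src, dst, int(port), int(nbytes)))
    return events


def unapproved_destinations(events, approved=APPROVED_NETWORKS):
    """Unique (src, dst, port) tuples whose destination is outside the allowlist."""
    flagged = set()
    for e in events:
        addr = ip_address(e.dst)
        if not any(addr in net for net in approved):
            flagged.add((e.src, e.dst, e.port))
    return sorted(flagged)


def beacons(events, min_count=5, max_jitter_s=5.0):
    """Source/destination pairs that connect at a near-constant interval.

    A pair is flagged when it has at least min_count connections and the
    standard deviation of the gaps between them is at most max_jitter_s.
    Returns (pair, mean_gap_seconds) for each flagged pair.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.dst, e.port)].append(e.ts)
    flagged = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            flagged.append((pair, round(sum(gaps) / len(gaps), 1)))
    return flagged


def large_transfers(events, threshold_bytes=50_000_000):
    """Single connections that send more than threshold_bytes outbound.

    Bulk exfiltration to an approved service passes the allowlist check,
    so outbound volume has to be watched separately.
    """
    return [(e.src, e.dst, e.port, e.nbytes) for e in events if e.nbytes > threshold_bytes]


def run_detections(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "unapproved": unapproved_destinations(events),
        "beacons": beacons(events),
        "large_transfers": large_transfers(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

The three checks are deliberately independent: the allowlist catches host-05 and host-17, the interval check catches only host-17, and the volume check catches only host-22, whose destination is approved. None of them alone covers the others' cases, which is the practical argument for layering detections rather than relying on a single rule.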
Know Your Risk Tolerance
As I’ve written previously, there is no one-size-fits-all solution to cybersecurity. While it’s unlikely that foreign adversaries are targeting you specifically, your infrastructure may be attractive in general. Plus, the likelihood of Internet outages or malware attacks continues to increase.
So, you need to make an objective assessment of your risk tolerance: i.e., what are you willing to lose?
If you don’t have mature alerting/monitoring systems in place and you believe that you are operating outside of this tolerance, now is the time to make adjustments. Many of these solutions can be turned on in weeks and even days.
As for me, I am focused on a different threat at the moment: the twins on next week’s opposing team who can shoot the lights out! I may need to ask for birth certificates on those two.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.