In cybersecurity, there is no such thing as perfection. If perfection is your goal, you are doing it wrong.
Surface area is the bane of security and today there is more software in more places than ever. People will interact with an average of 3.64 devices per day, all with their own apps and prerogatives from an unknown variety of vendors and third parties who may or may not have the security interests of a person or company on top of their minds. Bugs and vulnerabilities are inevitable.
A new vulnerability pops up, the defenders scrambles to fix it and move on to the next dumpster fire of a problem. Cycle through this routine forever and you have a good understanding of the current state of cyber defense.
Defenders are constantly chasing zeroes—the absence of critical alerts and known security gaps—in an attempt to keep the hackers out of their network.
It doesn’t work. Chasing zeroes is an expensive, resource intensive slog. A quarter of all reported flaws have no patch or other known solutions. The goal of eliminating threats to the network is impractical.
At the end of the day, can you say your perimeter is more secure than when you started? Are companies safer in 2018 than they were in 1998?
Absolutely not. Sony knew for two full years it was under attack before its secrets were dumped to the word. An unauthenticated API let anyone access T-Mobile customer data with just their cell-phone number. The identifications of every person in India were exposed.
If you read through a list of hacks, data breaches and absolute pwnages over the last couple of years, the exploits behind the breaches are often laughable. Lots of times the breaches are not even a company or defenders’ fault but rather the result of a bug found in some third party, like when a Jira bug allowed access to private server keys which effected a major television network and a division within the U.S. Department of Health and Human Services.
Even if a defender has their infrastructure locked down with signature-based malware detection, updated patches to all the software and firmware and a firewall that can be seen from space, all it takes is one new vulnerability and the whole façade will come crashing down. There is no way to predict it and little way to stop it.
The defender mindset of chasing zeroes is wrong. It doesn’t work and never has.
“I don’t know how to reliably secure a complex internet facing service against a state adversary. No one I know does either. The only people I’d trust to try understand this,” said Matt Blaze, noted security researcher and professor, in a tweet about the vulnerability of election websites.
Ultimately, chasing zeroes has become a corporate liability as a strategic defense.
“Most executives that I have known over the last 15 years have defined success in cybersecurity as keeping hackers out,” said David “Moose” Wolpoff, founder and chief technology officer of Randori. “If you can’t find every vulnerability and patch every vulnerability, you will never keep the hackers out. Which means that if your definition of success is keeping them out, then you lose. Pretty much by definition. And that misshapes people’s visions of what security is.”
How Defenders Take the Wrong Approach to Security
Dedicated hackers know one thing that defenders do not: hackers are going to get in.
Hackers have supreme confidence that they can infiltrate your network, one way or another. Will it be a spear-phishing expedition to nab the IT administrator’s login credentials? Or is it a vulnerable Apache instance last patched three years ago? Nation-state level hackers are patient and will scan and footprint an organization’s defenses for weeks or months until they find something that will give them access. Criminals and hacktivists can have success opportunistically.
The wolves are always at the door.
If you can’t keep them out, the question then becomes: what do you do once they are inside your network?
“If you just change the definition and say that winning isn’t keeping them out, winning is keeping the business running. Keeping the lights on. It’s building widgets,” Moose said. “Really, every business should be trying to minimize impact. Minimize downtime. When something goes wrong they should be fixing what is wrong in a responsible and judicious manner. If you can do those things without breaking the bank, then you are winning.”
The difference between the historical mindset of defenders and a new, more modern mentality is that of the “assumed infiltration.” If defenders are focused on the assumption that they can keep the hackers out, but the hackers know that they will inevitably breach an organization’s network, then there is a fundamental disconnect between expectations and reality. The defenders’ strategy is wrong.
The goal, then, should not be to just keep the attackers out, but to understand them and how they see an organizational target. With an attacker’s mindset, a more holistic view of an organization's security strengths and weaknesses becomes more apparent, allowing defenders to focus on strengthening the perimeter and building plans to mitigate damage once an attacker is in the network.
“The best thing you can do, from our standpoint, is to emulate that attacker so that you are keeping up with what they are seeing and how they are viewing your network,” said Eric “McGyver” McIntyre, director of research and development at Randori. “What you need to start doing is looking at this from the standpoint of how attractive am I being to attackers? And keeping up with that mindset as it is evolving.”
Ultimately, security can be done more holistically and efficiently if defenders stop worrying about chasing zero and start being more pragmatic. The idea is to spend security dollars on what matters, not on more expensive toys for the IT administrator to play with.