We’re only two days into RSA, but I’ve already heard the phrase “think like an attacker” in about a dozen conversations. I understand the appeal of this approach, but I’m also increasingly convinced that there’s a trap here.
Attacker-focused frameworks like the cyber kill chain help expose all the opportunities defenders have to stop attackers from succeeding. And “thinking like an attacker” through red-teaming and pen-testing can be incredibly valuable to identify threats that you might never find if you weren’t testing your security controls.
But thinking like an attacker is largely reactive – we place ourselves in their shoes, and then try to go faster than them. And the problem with this is that defending like an attacker doesn’t scale. No matter how fast your pen testers are, or how quickly you update your security based on new red team insights, it will always take security teams longer to find and close every security hole than it will take an attacker to identify and exploit just one. Savvy teams, accelerant technologies, and crowd-sourced bug-bounties can all help mitigate this disadvantage. But they’re never going to see us get ahead – only try to catch up.
The attacker will always have the advantage once you move into the reactive stage of security, whether that means pen-testing particular systems or quickly detecting and responding once they show up. This is why reactive thinking should only be part of your strategy. Defenders build up advantage by being proactive: by focusing on taking control of the terrain of their data center, and putting security constraints in place that tip the scales against the attacker once they do show up. In cybersecurity, what we need to do is think like defenders: to integrate attacker-centric thinking into a broader security strategy that relies first on proactive steps applying reliable first principles to our security systems.
One way I think about this is to imagine a defense chain (a more expansive counterpart to the cyber kill chain): not the steps an attacker needs to go through to get in, but all the stages we go through as defenders to counter them. The defense chain is broken into both proactive and reactive parts, and the reactive parts (where you “think like an attacker”) are important – but they’re largely about mitigating disadvantage. The proactive parts are where we build our advantage.
The reactive portion is focused on rapid detection and response – the kill chain. The proactive portion is focused on control: how can you control your environment with tools like segmentation, encryption, access controls and patch management? This proactive work is how you tip the scales in your favor – not just mitigating the attacker’s advantage, but building up the defender’s advantage.
I have to run now (RSA is an all-consuming machine), but I will go into more detail on the defense chain in a future post.