Data with Instinct + Cyber-Defence with Attitude

“Of course attackers can do that, but I’ve only ever seen it once, so it’s not a risk I’d worry about until we see data that shows it happening regularly in the wild…” – anon

Recently, whilst enjoying a pint of craft beer at a local Brisbane brewery (Sea Legs Brewing Co., right near the Story Bridge in Kangaroo Point; I highly recommend it!), a fellow cyber-professional uttered words to the effect of the quote above. The beer was excellent, the food was fantastic, and the conversation was even better, but this remarkably common statement points at a far more fundamental question for the cyber industry:

How do cyber-defenders keep missing attack trends until after they have already happened?

In the early 2000’s, during intelligence analyst training at a military base just inland of the Gold Coast, my fellow students and I learnt an important lesson that might help to answer this question.

“Your role is to think like the adversary and make sure your leadership understands what the red team’s most likely and most dangerous courses of action might be”

The logic is that if we know what the bad guys will probably do, and what the worst they could possibly do, and if we defend against both, then we’ll probably keep everyone in our organisation safe. This logic is as critical for cyber-defenders as it is for defence operations.

In the relentless pursuit of data driven cyber-operations, I wonder if our industry has tended towards lag-indicators of the most likely course of action, and in doing so, lost sight of some lead indicators, and of ‘what might be’ around the most dangerous course of action?

Here’s an example. Web Application Attacks Grow Reliant on Automated Tools (darkreading.com). This trend, the move toward automated attacks (application based DDoS in this case) is hardly new, but as recently as a year ago, there were a number of suggestions that predictions around automated attacks from reports such as Recorded Future's report on Combating the Underground Economy's Automation Revolution (recordedfuture.com) and NTT’s 2020 Global Threat Intelligence Report and (among many others!) were unwarranted as there weren’t ‘many such attacks in the wild’ yet. Clearly, history has already proven that automation is indeed a rapidly growing feature of cyber attacks!

At what point does something become a trend?

In cyber-security, if we wait until something has become frequent before we call it a trend, then by definition, it’s already too late for the many organisations that have already fallen victim to it. And yet, many cyber-decision makers have been conditioned to dismiss forecasts until there is enough actual data to show a trend. Data is important, but our interpretation of it is even more critical.

Data with instinct

Dashboards are great, but when we analyse them, we must do so from the bottom up. The frequency of a particular IOC is interesting, but irrelevant in and of itself. We must look deeper; a single instance of an attack that worked, where the reasons why it worked apply to a broad industry vertical or technology type, and where it made the attacker a great deal of profit is far more likely to re-occur than an attack type that has been seen 1,000 times but has yet to deliver any profit to the threat group that perpetrated the attacks. As cyber professionals, our instincts should be attuned to where history is likely repeat itself; we don’t need more data to call this the most likely course of action, we’ve got all the lead indicators we need and we shouldn’t look at lag indicators, like how often something has occurred to date, in isolation to drive our assessments on tomorrow’s risk.

Cyber-defence with attitude

As cyber professionals, thinking like an attacker is critical… What is the most dangerous course of action? if you were the threat actor and wanted to maximise your profit, how would you use the assets at your disposal against those of the defender? What would you do? And I don’t mean what could you do, I mean what would you do – how would you break into the bank? Or the insurer, the school, the hospital or other organisation that needs to be defended? This top down approach to threat-analysis requires imagination, but it helps a defender to ensure that they aren’t just defending against the highest volume threats, but also the ones that could generate the maximum harm to their business.

With all of this in mind, the question of ‘what is the biggest cyber-threat of tomorrow?’ is still not an easy one to answer. Indeed, the landscape is changing so quickly that there really isn’t an all-encompassing answer that would be remotely accurate for more than a few moments. However, as long as we don’t rule anything out because it’s not yet prevalent, and as long as we think about the most likely and most dangerous courses of action for the bad guys each and every day, as cyber-defenders, we should be able to keep those we defend safe. And, if you ever hear a fellow cyber professional talk about lag indicators as gospel, make sure you ask them some very difficult questions!