Five Things Every Cyber Defender Should Know And Do
There are five things that every defender, not just every computer defender, should know and do to best protect themselves.
· Use Your Own Attack Data to Drive Defenses – Be Data-Driven
· Focus on Root Causes
· Rank Root Causes
· Mitigate Top Threats First
· Monitor Top Threats And Update Mitigations As Needed
These 5 top tasks form the core of my best-selling book, A Data-Driven Computer Defense: A Way to Improve Any Computer Defense (https://www.amazon.com/Data-Driven-Computer-Defense-Should-Using/dp/B0BR9KS3ZF ), which has sold over 50,000 copies over three editions.
This article will cover the main points of the book. Now you don’t even need to buy the book, but of course, the book covers a lot more detail and examples of each task. And personally, I’m OK if you buy my book and put a few more dollars in my pocket. <grin>
I truly believe every defense expert should know, understand, and use the lessons of this book in their daily life. Now, on to the five tasks you should know and be performing to be a great computer defender.
Use Your Own Attack Data to Drive Defenses – Be Data-Driven
“Buy local, think local” is a great gesture of community spirit, and it is also how you should drive your defenses. The best data for determining what is attacking you and your organization is the attack data you collect and review yourself. Most organizations instead decide what to plan based on what they see and hear in the news and from vendors. Unfortunately, both sources frequently hype “big-sounding” threats that may not affect your environment at all.
Whether you know it or not, your devices and logs are already collecting attack data. Use that data first to drive your defensive mitigations, and only then turn to other people’s data and narratives. The further you get from your own data, the less you should trust it to reflect what is really going on in your environment. In general, this is how I rank my trust in data, from inward to outward:
· Your local attack data
· Your industry peers’ attack data
· Your country’s attack data
· Global attack data
Essentially, trust the data closest to you the most. And what you are looking for in your local data, more than anything else, is the initial root causes of breaches.
Focus on Root Causes
If you are going to stop someone from breaking into your house, you first have to figure out how criminals could break in (e.g., through an unlocked door, window, garage, ceiling, wall, basement, etc.) and then figure out which of those potential entry points attackers are most likely to use. But you start with a list of every way attackers could compromise you. In my Data-Driven Defense book, I come up with these 13 root causes:
· Social Engineering
· Programming Bug (patch available or not available)
· Authentication Attack
· Malicious Instructions/Scripting
· Data Malformation
· Human Error/Misconfiguration
· Eavesdropping/MitM
· Side Channel/Information Leak
· Brute Force/Computational
· Network Traffic Malformation
· Insider Attack
· 3rd Party Reliance Issue (supply chain/vendor/partner/etc.)
· Physical Attack
Every hacker and malware attack can be traced back to one of these 13 initial-access root causes, although not all of them may be possible in your environment. The key for this step is simply to collect the ways hackers and malware could gain access to your devices or networks, and if you do not have a better list, use this one.
Rank Root Causes
Next, look at all the initial root causes of hacking and malware exploitation and determine, using your own local data, which of them are more likely to occur in your environment than the others. If you are not sure, for most organizations it is social engineering, followed by unpatched software. A distant third is password attacks, where the attacker either already had your password and reused it, or was able to guess or crack your password or password hash.
Social engineering is by far the most likely threat in most environments. It’s involved in 70%-90% of successful breaches. Unpatched software is involved in about 20% to 40% (Mandiant said 33% recently) of successful breaches. Your results may vary. So, look at your local attack data, figure out how you’re most likely to be hacked in the near-term future, and document the attack types.
Mitigate Top Threats First
Now that you know what your top root cause threats are, mitigate them using your best defense-in-depth combination of policies, technical controls, and education. I cover this strategy in what I call the 3x3 Security Pillars (https://www.dhirubhai.net/pulse/3-x-security-control-pillars-roger-grimes ).
Most organizations would be far better off doing intense education for their employees about social engineering. There are just a few key educational messages that can drastically reduce the risk of social engineering and phishing in all organizations. I cover it here: https://blog.knowbe4.com/stop-all-scams .
Make sure to patch the software that the bad guys are actually using to exploit devices and networks. CISA maintains a list of that software and firmware here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog . If you have software or firmware on the list, make sure it is patched. Subscribe to CISA’s Known Exploited Vulnerabilities Catalog updates so you are alerted as new entries are added. Your patch management plan should look something like this: https://www.dhirubhai.net/pulse/patch-like-cisa-pro-roger-grimes .
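Checking your environment against the KEV list is easy to automate once you have a vulnerability scanner export of the CVEs present on your hosts. The following is an added example in Python, not code from the article or from CISA: it reads a catalog laid out like CISA’s public KEV JSON feed (the field names cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse and requiredAction are the feed’s), intersects it with scanner findings, and orders the work by known ransomware use and then by CISA due date. The catalog text, CVE IDs, vendors, products, hosts and findings below are all constructed placeholders. To use it for real, replace CATALOG_JSON with the feed downloaded from the catalog page and FINDINGS with your scanner’s output.

```python
"""Match scanner findings against a CISA KEV-style catalog and order the
patching work.

Added example, not from the article and not CISA's own code. The catalog
text below is a constructed sample that uses the field names of CISA's
public KEV JSON feed; the CVE IDs, vendors, products and hosts are
fictional placeholders, and the scanner findings are constructed too.
"""
import json
from datetime import date

CATALOG_JSON = """{
  "title": "Constructed KEV-style sample, not the real catalog",
  "catalogVersion": "2024.12.01",
  "dateReleased": "2024-12-01T00:00:00.0000Z",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
     "product": "EdgeGateway",
     "vulnerabilityName": "ExampleVendor EdgeGateway Authentication Bypass",
     "dateAdded": "2024-10-15", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-11-05", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor",
     "product": "DataStore",
     "vulnerabilityName": "ExampleVendor DataStore Deserialization Vulnerability",
     "dateAdded": "2024-11-29", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-12-20", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor",
     "product": "WebServer",
     "vulnerabilityName": "OtherVendor WebServer Path Traversal Vulnerability",
     "dateAdded": "2024-11-19", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-12-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}"""

# Constructed vulnerability-scanner export: one finding per host and CVE.
FINDINGS = [
    {"host": "vpn-01", "cve": "CVE-2099-0001"},
    {"host": "web-07", "cve": "CVE-2099-0003"},
    {"host": "web-07", "cve": "CVE-2099-9999"},   # placeholder not in the catalog
    {"host": "db-02", "cve": "CVE-2099-0002"},
]

TODAY = date(2024, 12, 1)  # fixed so the example is reproducible


def load_catalog(text):
    """Index the catalog entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(findings, catalog, today):
    """Return the findings that appear in the catalog, ordered for
    remediation: known ransomware use first, then the earliest CISA due
    date, then host. Each row records whether the due date has passed."""
    rows = []
    for f in findings:
        entry = catalog.get(f["cve"])
        if entry is None:
            continue  # not known-exploited; handled by the normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "due": due,
            "overdue": today > due,
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (not r["ransomware"], r["due"], r["host"]))
    return rows


def not_in_catalog(findings, catalog):
    """CVEs the scanner found that CISA has not (yet) listed as exploited.
    These still get patched, just not ahead of the KEV-listed ones."""
    return sorted({f["cve"] for f in findings if f["cve"] not in catalog})


if __name__ == "__main__":
    cat = load_catalog(CATALOG_JSON)
    for r in prioritize(FINDINGS, cat, TODAY):
        when = "OVERDUE" if r["overdue"] else f"due {r['due']}"
        tag = "ransomware" if r["ransomware"] else ""
        print(f"{r['host']:8} {r['cve']:15} {r['product']:28} {when:16} {tag}")
    print("not in KEV:", ", ".join(not_in_catalog(FINDINGS, cat)))
```

The sort key puts known-ransomware entries first regardless of due date, because the due dates in the catalog are compliance deadlines for US federal agencies, not a measure of how badly you will be hurt; a finding whose due date has already passed is flagged so it can be escalated rather than silently merged into the backlog.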
Regarding defending against password attacks, make sure all users use unique, strong passwords or passphrases of at least 20 characters, preferably perfectly random. They should use phishing-resistant multifactor authentication (MFA) wherever they can, FIDO passkeys wherever they can, and strong random passwords only where neither of the other two is available. Everyone should use a good password manager to create and use strong, random passwords that are different for every site and service.
Doing these three things well will mitigate up to 90% or more of the risk in most environments. All other defenses added together, in most environments, will mitigate just 1%-10% of the risk. How well you do on the three primary defenses (fighting social engineering, patching, and authentication security) will most likely determine whether or not you get successfully hacked.
Monitor Top Threats And Update Mitigations As Needed
Lastly, a data-driven defense is not a static thing that you do once, putting out your mitigations and never looking at your local data again. A data-driven defense constantly monitors root causes, determines what is trending up and what is trending down, and constantly updates the defense plan and the deployed mitigations.
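Ranking root causes (the Rank Root Causes step above) and watching their trend (this step) need very little tooling once every closed incident is tagged with one of the 13 root causes. The following is an added example in Python, not code from the book or the article. The incident records are constructed, the record fields closed and root_cause are assumptions about how an incident tracker might export them, and the two half-year windows are chosen for illustration.

```python
"""Rank initial-access root causes from local incident data and flag
which are trending up or down between two periods.

Added example, not from the book or the article. The incident records
below are constructed, and the record fields ("closed", "root_cause")
are assumptions about how an incident tracker might export them.
"""
from collections import Counter
from datetime import date

# The 13 initial-access root causes listed in the article.
ROOT_CAUSES = (
    "Social Engineering", "Programming Bug", "Authentication Attack",
    "Malicious Instructions/Scripting", "Data Malformation",
    "Human Error/Misconfiguration", "Eavesdropping/MitM",
    "Side Channel/Information Leak", "Brute Force/Computational",
    "Network Traffic Malformation", "Insider Attack",
    "3rd Party Reliance Issue", "Physical Attack",
)

# Constructed sample: (date the investigation closed, root cause found,
# number of incidents closed that day with that root cause).
SAMPLE_ROWS = [
    ("2024-01-09", "Social Engineering", 3),
    ("2024-02-14", "Programming Bug", 2),
    ("2024-03-20", "Social Engineering", 2),
    ("2024-04-02", "Authentication Attack", 1),
    ("2024-05-17", "Human Error/Misconfiguration", 1),
    ("2024-06-28", "Social Engineering", 1),
    ("2024-06-30", "Programming Bug", 1),
    ("2024-07-11", "Social Engineering", 4),
    ("2024-08-05", "Authentication Attack", 2),
    ("2024-09-19", "Programming Bug", 2),
    ("2024-10-08", "Social Engineering", 3),
    ("2024-11-22", "3rd Party Reliance Issue", 1),
    ("2024-12-03", "Authentication Attack", 1),
]

# The two review windows compared below (assumed half-year cadence).
PRIOR_START = date(2024, 1, 1)
PERIOD_START = date(2024, 7, 1)


def expand(rows):
    """Turn the compact sample into one record per incident."""
    return [{"closed": date.fromisoformat(d), "root_cause": rc}
            for d, rc, n in rows for _ in range(n)]


INCIDENTS = expand(SAMPLE_ROWS)


def rank_root_causes(incidents, since=None):
    """Return [(root_cause, count, share_of_total)] sorted by count,
    descending. Only incidents closed on or after `since` are counted.
    An incident tagged with anything outside the 13 root causes raises,
    so untagged or mis-tagged records cannot silently skew the ranking."""
    counts = Counter()
    for inc in incidents:
        if since is not None and inc["closed"] < since:
            continue
        rc = inc["root_cause"]
        if rc not in ROOT_CAUSES:
            raise ValueError(f"unknown root cause: {rc!r}")
        counts[rc] += 1
    total = sum(counts.values())
    if total == 0:
        return []
    return [(rc, n, n / total) for rc, n in counts.most_common()]


def trend(incidents, period_start, prior_start):
    """Compare incidents closed on or after `period_start` against those
    closed in [prior_start, period_start) and label every root cause seen
    in either window as 'up', 'down' or 'flat'."""
    current = Counter(i["root_cause"] for i in incidents
                      if i["closed"] >= period_start)
    prior = Counter(i["root_cause"] for i in incidents
                    if prior_start <= i["closed"] < period_start)
    result = {}
    for rc in set(current) | set(prior):
        c, p = current[rc], prior[rc]
        result[rc] = "up" if c > p else ("down" if c < p else "flat")
    return result


if __name__ == "__main__":
    print("Ranking, all incidents:")
    for rc, n, share in rank_root_causes(INCIDENTS):
        print(f"  {rc:32} {n:3d}  {share:6.1%}")
    print("Trend, current half-year vs prior:")
    for rc, direction in sorted(trend(INCIDENTS, PERIOD_START, PRIOR_START).items()):
        print(f"  {rc:32} {direction}")
```

Two points worth keeping when adapting this to a real tracker: reject any record whose tag is not one of the 13 root causes rather than dropping it, or the "unknown" pile quietly becomes your largest category; and compute the ranking over the most recent window as well as over all history, because the all-time ranking hides exactly the movement this step is meant to catch (in the sample, authentication attacks are fourth overall but second in the current half-year and trending up).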
Here is a picture summary of a Data-Driven Defense lifecycle:
I guarantee you that if you follow these five strategies (or are they tactics?) you will be among the best computer security defenders of your generation. I’ve had hundreds of people write to thank me for turning them on to this super easy-to-understand plan.
Go forth and fight the good fight!
CISO @ CERC · 1 year
Simple but not easy unfortunately!
Author of Designing Secure Software: A guide for developers · 1 year
Shouldn't the OS and app makers be doing most of the heavy lifting, rather than each enterprise? Are the threats really that super-localized and specific to each deployment? (Typo in the diagram: "Defined" should be "Define", right?)
#THIS