15 Apr 12

Is It ‘WHO’ Or ‘WHAT’ That Is Important?

There is a very active discussion going on in security circles about understanding adversaries and how that impacts security strategy. I have taken a contrarian position in this argument and have stated that, in the scheme of things, I do not believe that you need to waste time understanding your enemy. What I think matters most is what needs to be secured and how it needs to be secured. This post discusses my rationale for this approach and relies on my prior post regarding the Fort Knox approach to security.

Sun Tzu famously said it was important to, “Keep your friends close and your enemies closer.” The biggest difference with cyber-attacks is that the enemies are true mercenaries: they come together because of an interest in a target, an interest in achieving their own particular goal (such as proving they are the best hacker or social engineer), or just because. As a result, when your enemies can number in the hundreds or even thousands and each has potentially unique motives for attacking, it is nearly impossible to do an analysis of the enemy, such as Sun Tzu suggests, that provides you with any sort of significant defensive advantage.

But what about advanced persistent threat (APT) attacks? There is usually a common actor in APT, either a competitor, organized crime or a government. However, these sponsors usually hire the technical “muscle” for the actual attack. The backer of the APT attack provides these mercenaries with a list of information they wish to be retrieved from the target organization(s). So while APT can provide you with a traditional enemy, that enemy is obscured by the mercenaries actually conducting the attack. Again, an analysis of the enemy provides limited to no advantage in your defense because you only see the mercenaries, not the sponsor.

But I think the biggest nail in the coffin for enemy analysis is related to attack strategies. When reports from Verizon, Trustwave and other forensic examination firms consistently find that the same basic attack strategies are successful, it does not matter who the enemy is or why they are attacking: anyone from a neophyte to an expert can break into your systems because of the same stupid mistakes or human errors. By the time you have the enemy analysis done, your organization’s information is long gone.

In my opinion, ‘WHAT’ is more important: organizations need to understand ‘WHAT’ information they must protect and then go about appropriately protecting it. If that sounds familiar, it should, because that was the basis of my Fort Knox post. If you think about it, a Fort Knox strategy does not worry about ‘WHO’ is trying to get the gold; it is all about protecting the gold regardless of ‘WHO’.

The bottom line is that in a cyber-attack, ‘WHO’ is attacking you is irrelevant. You do not need to waste your time figuring out ‘WHO’ the attacker is and what their motives are. It is all about the information of yours that they wish to obtain. So stop wasting time on enemy analysis and start properly protecting your organization’s critical, sensitive information. I think you will find that the Fort Knox strategy will make your security efforts much easier to implement and maintain.

UPDATE: In a brief moment of clarity on my part, I realized after making this post that the Fort Knox security approach is just another way of looking at the ‘Zero Trust’ security model that was proposed by John Kindervag of Forrester a while back. See my earlier posts on the Zero Trust security approach for more information.

Zero Trust Security – The Cultural Discussion

Zero Trust Security – The Technical Discussion


7 Responses to “Is It ‘WHO’ Or ‘WHAT’ That Is Important?”


  1. Luis
    May 29, 2012 at 2:54 PM

    What to protect depends on what your enemy wants and what is their maximum return with less risk to him. Fort Knox is about to increase risk to an unacceptable level and do it in a single facility instead of splitting it across several ones.

    • May 29, 2012 at 6:23 PM

      Exactly my point.

      And, oh, by the way, Fort Knox is not the only place that the United States stores its gold. However, Fort Knox proves my point regarding if you are going to be on defense, you need to make it the best defense possible.

  2. John
    May 24, 2012 at 11:10 AM

    Military needs and “national security” planning are much different from corporate data protection needs. When looking at corporate data protection you can easily set the bar for skills, knowledge, resources and authority to evaluate and provide protection for. Why do I need to know who if I can secure my resources to a level where I can be comfortable that only a person or entity with a certain level of skill or knowledge and resources can circumvent my controls? With that approach a company would have a good idea of what residual risks exist and then could elect to accept those risks and monitor for events, or add additional layers of control to raise the attributes needed to access the information. In this day and age, companies do not have a finite number of threats to monitor, and motives and objectives are a moot discussion: who cares why you want my sensitive data if you are able to get to it.

  3. Anton
    May 6, 2012 at 7:34 PM

    There are those who believe that the “you don’t need to waste time understanding your enemy” attitude contributed to 9/11 – the lack of “Intelligence”. Sun Tzu talks about that and emphasises the importance of what we call HUMINT.

    • May 7, 2012 at 5:23 AM

      9/11 is way different than network attacks. If your organization is on the Internet, you will be probed and attacked. The methods used to attack you will be known. Unless you work for the CIA or NSA, you have no business doing attacker analysis, that is why I want people to focus on things they can address.

  4. Donn Parker
    May 6, 2012 at 10:38 AM

    Another important point is that failure to analyze and anticipate the enemy ignores at least two important control functions, avoidance and deterrence, where knowing and understanding SKRAMO (skills, knowledge, resources, authority, motives, and objectives) play necessary roles.

    I have used this argument against Jeff Lowder who has the same position as this guy.

    Donn Parker

    • May 7, 2012 at 5:24 AM

      There are plenty of sources of information to tell you why and how. Yet, we continue to waste time trying to figure out why and how and not protect our information.
