The inevitability of your organization being breached is well established. Vulnerabilities are intrinsic to any software, just as human fallibility assures us that a user is only one bad decision away from clicking a malicious link or surrendering credentials to a phishing campaign. The reality of this brave new world is unlikely to change no matter how many security alert dialogs you put in place to guard against such maliciousness or carelessness.
But, while most organizations have come to accept the inevitability of an attack, resignation is never an option. The only sensible response beyond the latest and greatest security precautions is resiliency. When it comes to cybersecurity, resiliency represents the capability to respond and recover from attack, while also maintaining a state that is resistant to permanent damage. Resiliency must be thought of not only in terms of the ability to rebuild, but also in terms of playing defense in such a way as to ensure that a successful attack yields little to no value for the attacker in comparison to the resources expended to launch the attack.
While we typically think in terms of raising the cost of the attack, organizations don't think often enough about lowering the value of the outcome from the attacker's perspective. This not only disincentivizes the attacker, but also lowers the cost to the defender so that the loss is recoverable, a strategy that is vital to the survival of any business in our hyper-connected digital age. In this way, resilience must be applied to every phase of an attack: your organization must be resilient to reconnaissance, resilient to exploitation and resilient to persistence.
Perhaps an extreme example is Microsoft's EMET, the anti-exploitation technology that grants asymmetry to the defender by raising the attacker's exploit-development cost. Most of EMET's mitigations are now built into recent Windows 10 builds (as Exploit Protection in Windows Defender), but until recently EMET adoption was sparse. The downfall for many was the difficulty of managing EMET deployments and its perceived instability.
A far more common and accepted form of defensive resilience is multifactor authentication. This relatively simple practice does not stop a password from being stolen; it makes a stolen password insufficient on its own. For example, when you log in or attempt a sensitive account action, your bank can now send you a text with a one-time password that must be entered to complete the requested task. As a result, an attacker must somehow obtain this one-time password as well, despite having already phished the original password. That is real effort for the attacker, and it instantly devalues the result of the earlier attack that captured the password. The tiny cost of a momentary delay in user experience raises the attacker's cost by orders of magnitude, making the service resilient to the compromise of passwords. (A code delivered by SMS can itself be phished in real time or intercepted through SIM swapping, so a phishing-resistant factor such as a hardware security key raises the cost further still, but even SMS changes the economics.)
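As an added illustration (this is not code from the original post), here is a minimal Python login check that requires both a password and a time-based one-time password (RFC 6238 TOTP, the same mechanism an authenticator app uses). The user record and password are constructed for the demo; the TOTP seed is the RFC's published test seed, and the verification also rejects a code that has already been accepted, so a phished code cannot be replayed.

```python
"""Password + TOTP step-up login, added example using only the standard library."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # TOTP time step in seconds
WINDOW = 1     # accept +/- one step of clock drift

# Constructed demo record: NOT real credentials. A production system would use a
# slow, salted password hash (argon2/bcrypt) and keep the TOTP seed encrypted.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test seed, base32
        "last_counter": -1,  # highest TOTP counter already accepted (replay guard)
    }
}


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(seed_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(seed_b32, at_time // step, digits)


def match_totp(seed_b32: str, code: str, at_time: int,
               step: int = STEP, window: int = WINDOW):
    """Return the counter whose code matches within the drift window, else None."""
    base = at_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        # Constant-time comparison so the check does not leak matching digits.
        if hmac.compare_digest(hotp(seed_b32, counter).encode(), code.encode()):
            return counter
    return None


def login(username: str, password: str, otp_code: str, at_time: int = None) -> str:
    """Return "ok" only if the password AND a fresh, unused TOTP code both check out."""
    at_time = int(time.time()) if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        return "denied"
    pw_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest().encode(),
        user["pw_hash"].encode(),
    )
    counter = match_totp(user["totp_seed"], otp_code, at_time)
    # A phished password alone is worthless here: both factors must pass, and the
    # OTP counter must be newer than any already accepted (blocks replay of a
    # phished code). Both factors are evaluated before deciding, so the response
    # does not reveal which one failed.
    if not pw_ok or counter is None or counter <= user["last_counter"]:
        return "denied"
    user["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    # Demo at a fixed time so the RFC test vector applies (T=1 -> "287082").
    print(login("alice", "correct horse battery staple", "000000", at_time=59))  # denied
    print(login("alice", "correct horse battery staple", "287082", at_time=59))  # ok
    print(login("alice", "correct horse battery staple", "287082", at_time=75))  # denied (replay)
```

The drift window is the usual compromise between tolerating slightly skewed clocks and shrinking the attacker's guessing space; the replay guard is what keeps a code phished in real time from being usable twice, though it does nothing against a proxy that relays the code within the same 30-second step, which is the gap phishing-resistant factors close.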
There are countless ways that the spirit of this mechanism can be applied to other attack scenarios. In my next post, I’ll explore ways this concept can be extended more deeply into the world of infrastructure and how misinformation, automation and other technical advances are broadening the concept of operational resilience.