It’s a tough time to be a security provider or on an organization’s internal security team. Nefarious actors are getting smarter and more motivated. Staying aware of the myriad threats that are out there poses quite the challenge. On top of that, the culture around security breaches has devolved into a ‘blame and shame’ game with lots of finger pointing at security providers that failed the organizations that trust them.
Blaming and shaming may be an overly simplistic view of security
Looking at security attacks from another perspective, it may be a credit to security providers that they are targeted, as attackers are often targeting those with the most security acumen and skill. Attacks on those organizations provide lots of useful data to attackers regarding the newest security strategies and the profiles of organizations they defend.
The profile of attackers is rapidly changing, rendering finger-pointing unfair and baseless in many situations. Assuming a successful attack means a failure of defense too often ignores that an adversary armed with the following will often find a way in – no matter what the target, how well secured it may be, or how adept the target’s staff is:
Not only may the adversary have the skills and operational ‘chops’ to pull off a successful attack, they also have the resources to obtain the best capabilities in both people and technology.
Everything from achieving a strategic political or military objective to simply having an ax to grind can be enough to motivate an attack. But what drives the attacker is only half of the motivation equation; the other is the value and richness of the target, and this may be more than any single thing. As more serious attacks against supply chains show, the value of those downstream opportunities may be even more sought-after than the primary target itself.
An adversary with ambition and the skills to stay unnoticed will take time and effort to pursue a penetration, and move toward greater objectives.
Cost is the most potent leverage the defender can bring to the fight. Increasing the level of effort, the adversary must invest its resources. Adversaries must be convinced that they can sustain these risks successfully enough to achieve their objectives, even if they incur losses along the way such as the exposure of tactics, or other evidence that may reduce their viability in later attempts.
A 2010 attack on Google illustrates many of these points. Operation Aurora was an attack against Google and other companies by what was asserted to be an advanced persistent threat (APT). Potential goals identified by investigators included the modification of source code, viewing correspondence from parties of interest to the attacker, and the theft of intellectual property.
The attack was considered sophisticated due to tactics such as a zero-day vulnerability in Internet Explorer, but the method of delivering the attack to initial targets was much more routine: a form of phishing using a link sent to targeted personnel.
As with recent attacks, reactions at the time questioned how attackers could breach organizations with strong reputations for technology innovation. Those reactions must consider both the idea that a well-funded adversary may invest significant time in attempting the compromise of a rich target, and that such enterprises, despite their reputation, include non-technical users, and have made tradeoffs in security defense controls, as all enterprises have. Perceived risk from both a probabilistic and impact standpoint will drive security decision making.
Hopefully with a new year comes a new culture around security breaches: no more ‘Monday morning quarterbacking’ – instead, a healthy and realistic respect for the sophistication of the many adversaries out there.
Want to get research insights on information security? Join the 451 Alliance.