Defenders and attackers – economic asymmetry in cybersecurity
Even before they start, the odds are stacked against the defenders. Modern infrastructures must support a large number of internal and external connections in pursuit of business objectives such as partner interconnectivity, a mobile and productive workforce, and interaction with the client base. This increased connectivity significantly broadens the organisation’s attack surface. Furthermore, many of these connections now come from “the Internet of Things”: typically light-weight, feature-rich devices which, as recent news stories have shown, are often not designed with security in mind, and are therefore easy targets, in many cases recruited into botnets. One constant in the defender/attacker dynamic is that the interaction always costs the defender significantly more. Netswitch estimates that launching attacks cost $1.2 billion in 2015, whilst the cost of defence plus the costs associated with breaches was £395 billion. On those figures, the defenders’ outlay in this arms race exceeds the attackers’ by more than two orders of magnitude. As long as this cost asymmetry persists, the impetus for further cyber attacks will continue.
Despite a large number of high-profile ransomware attacks, the 2017 global Cost of Data Breach study by IBM and Ponemon shows that the average cost of a data breach fell by 10% over the previous year. This is accompanied by a significant reduction in the cost per lost or stolen record containing confidential information, from $151 to $141. This suggests that the cyber-defence community is making progress in reducing its cost base. Factors shown to reduce the cost of a breach include extensive use of encryption, threat intelligence sharing, use of security analytics, a well-designed incident response plan, employee training, and well-designed business continuity management.
The recent WannaCry and NotPetya outbreaks demonstrated that a proper patch management policy can significantly reduce an organisation’s attack surface: both spread using an SMB vulnerability for which Microsoft had published a fix (MS17-010) two months before WannaCry struck. Technology operations teams have their work cut out, though: company growth, mergers and acquisitions, spin-offs and re-organisations mean that they may not have complete or up-to-date information on their corporate estate, which may include legacy systems that are expensive and often difficult to protect. IT estates are, however, undergoing a major transformation, with new technology developments and the migration of services to virtualised computing environments, whether on-premise or in the cloud. These transformations will re-align the technology operations estates and enable more timely patch/update testing and roll-out cycles, providing faster protection against Petya and its ilk. “Zero-day” (unpublished) vulnerabilities, whether in the hands of cybercriminals or nation-state actors, remain the critical area of weakness for every organisation, a known unknown. Timely response to the publication of new threat and vulnerability information, mitigation guidance and (when released) software updates should therefore be treated as a key business objective, not just a technology objective, for every organisation.
Given how effective offence has proved for attackers, there is increasing debate about adding it to the defender’s arsenal. Deploying attacker tactics in defence could reduce the cost asymmetry between attackers and defenders. Additionally, the threat of cyber or kinetic retaliation (the latter a key tenet of military defence strategies and campaigns) could provide an effective deterrent to cyber-attack. However, care must be taken with cyber retaliation: the apparent source may be only an intermediate staging point, such as compromised servers in a third country belonging to neither attacker nor defender. The effect of such misattribution is exactly the same for cyber retaliation as for kinetic retaliation; consider the collateral damage from a drone-launched guided missile strike against the location of a physical aggressor who turns out to be using “human shields” to raise the cost of any physical retaliation to their actions. Furthermore, an aggressive reaction against cyber attackers could escalate the attack, perhaps to a major DDoS attack from what was previously “only” a network intrusion and data exfiltration. On the other hand, given the scale of the problem, modifications to our current defence strategy may be necessary to address and re-balance the micro- and macroeconomic asymmetry of the attacker-defender interaction.
Dr Wendy Ng, CISSP, CCNP; 31st July 2017