Why do we worry about time?
Time is our worst nightmare.
Time is our worst enemy.
You have none of it; the bad actor, the bad guy, owns it all.
How do you gain time?
How do you earn time from them?
What is this? What am I talking about?
In cybersecurity the defender, the protector and the target are at a major disadvantage: the advantage of time belongs to the attacker. We must look at an attack for what it really is. Some attacks are attacks of opportunity; others are planned, coordinated and targeted directly at your business or your personal life, with a great deal of preparation behind them.
Why do so many successful attacks seem to be happening these days? Are the defenders getting worse, or are the attackers doing more reconnaissance, planning, development and weaponization before the attack? In the case of a planned attack, planning means they spent time working out how best to achieve their goals. They have spent time being you and learning how to beat you.
Time is the difference. Why does time make the difference? It is simple, really, when you think about what happens on the playing field. The team that spends the most time practicing, the team that works hardest at sharpening its skills, is usually the team that wins. Sometimes luck has a hand in the game, but normally skill, talent and experience beat luck any day.
In cybersecurity time has one other disadvantage: the defender never knows when the attack is coming, so the state of alert, the state of defense, has to stay high 24x7, all year, every year. The defender never gets a day off, never gets time to relax. That leads to mistakes by the defender, so the attacker wins, cashes in, takes a holiday and starts all over again. The defender never sleeps and never gets that holiday, that day off.
I'm going to keep this simple and use the game of darts as an example. You have a player, some darts and the dartboard. As simple as it gets: just three elements, an attacker, something to attack with, and the target.
The target is static: never moving, never changing, much like most business computing systems. It is really easy for the attacker to pick up 5, 10, 15 or even a billion darts and throw them all at the bull's-eye. This is an attack of opportunity. Work to overload the security, work to push through it. You don't care if you're seen; you don't care if you're noticed. All you care about is hitting the target.
What if you didn't want to be seen? What if you wanted to install something, steal something or move something, and never have anyone recognize that you touched the target? Wouldn't it be easier to make a copy of the playing field and practice in private? Do it over and over again, so that every time you practice, you succeed. You remove every opportunity for mistakes. You build muscle memory for throwing the dart perfectly. You hit the target every time, even with your eyes closed. You have all the time in the world to practice before you try for real.
That's how the attacker wins: practice, practice and more practice. They learn the playing field, they learn your environment, they learn your behavior, and along the way they learn more about YOU. They adjust their throwing game, the way they hold the dart, the strength they use, the location they will attack from, until they cannot fail. Time is on their side. They pick and choose the place and time of the attack. The defender never has a say.
But what if the defender can move the target and keep it moving? If the target moves in a constant, repeatable pattern, the attacker simply learns the pattern. They update their attacks, they update their model. They figure out your weakest spot, the spot where you stop and hold still, like the maintenance window or the service time when the user is away but the system is on.
If the movement pattern is random enough and hard enough to follow, the attacker has to decide whether they have enough time to deal with this defender. Is it worth the effort? Will they make enough money to get a return on their investment? This is how the defender wins: by making it harder and harder for the attacker to muster the resources to attack and still earn something from it.
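The moving-target argument above, reduced to a toy you can run. This is an added example, not code from the original article. It assumes a hypothetical defender who exposes a service on one of SLOTS positions (think ports or addresses) and rotates it every tick, and an attacker who watches HISTORY past rotations and then bets on the next position. A rotation on a fixed pattern is learned completely; a random rotation leaves the attacker guessing at roughly 1/SLOTS, which is the "is this worth my time?" question the paragraph describes.

```python
"""Moving-target toy: a repeatable rotation is learned by the attacker,
an unpredictable one is not.  Added example; the model and the numbers
below are assumptions for illustration, not from the article."""
import random
from typing import List, Optional, Sequence

SLOTS = 8      # assumption: positions (ports, addresses) the target can occupy
HISTORY = 24   # assumption: how many past rotations the attacker observes


def periodic_schedule(n: int, step: int = 3) -> List[int]:
    """Defender rotates on a fixed, repeatable pattern: slot_i = (i * step) % SLOTS."""
    return [(i * step) % SLOTS for i in range(n)]


def random_schedule(n: int, seed: int = 1) -> List[int]:
    """Defender jumps to a uniformly random slot every tick (nothing to learn).
    The seed exists only so the demo is reproducible; a real rotation would
    draw from a CSPRNG such as the secrets module."""
    rng = random.Random(seed)
    return [rng.randrange(SLOTS) for _ in range(n)]


def find_period(history: Sequence[int]) -> Optional[int]:
    """Attacker's learner: smallest period p that explains the whole history."""
    for p in range(1, len(history) // 2 + 1):
        if all(history[i] == history[i + p] for i in range(len(history) - p)):
            return p
    return None


def predict_next(history: Sequence[int]) -> int:
    """Attacker's bet: replay the learned pattern, else guess the target stays put."""
    p = find_period(history)
    if p is not None:
        return history[len(history) - p]
    return history[-1]


def attacker_hit_rate(schedule: Sequence[int], history_len: int = HISTORY) -> float:
    """Fraction of ticks (after history_len observations) on which the bet lands."""
    hits = trials = 0
    for t in range(history_len, len(schedule)):
        window = schedule[t - history_len:t]
        hits += int(predict_next(window) == schedule[t])
        trials += 1
    return hits / trials


if __name__ == "__main__":
    fixed = periodic_schedule(200)
    rnd = random_schedule(200)
    print(f"repeatable rotation: attacker hits {attacker_hit_rate(fixed):.0%} of the time")
    print(f"random rotation:     attacker hits {attacker_hit_rate(rnd):.0%} of the time")
```

With the assumed parameters the periodic defender is hit on every single throw once the attacker has seen a few cycles, while the random defender is hit only about one throw in eight. The lesson carries over to real moving-target controls: credential and key rotation, address hopping or maintenance windows that follow a calendar are just a pattern to learn, and only unpredictable movement actually costs the attacker time.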
For the defender to win, layers of security, layers of barriers that cost the attacker resources and, more importantly, gain the defender TIME, need to be placed in front of the attacker's target. Each layer is designed to change the view from the outside and make reaching the target harder and harder. NEVER expect a single layer of protection to keep an attacker out. That is just a great way to advertise HACK ME.
If you allow the attacker to control the game and control the clock, you lose. You must take control of time away from the attacker and hand it back to your defender. Managing your security to enforce the KILL during the first three phases of the Cyber Kill Chain (Reconnaissance, Weaponization and Delivery) is always best; keep in mind that Weaponization happens on the attacker's side, out of your view, so in practice Delivery is the first phase you can directly block. Worst case, ALWAYS catch them at Exploitation or Installation. Stopping the attacker at the Command & Control or Actions on Objectives phase, meaning while they are already modifying your database or Exchange server, means the attacker has succeeded. You are now in clean-up mode, trying to reduce the impact of the attack to a minimum. You don't want an attacker that far down into your systems.
Don't expect a firewall and maybe a layer of malware protection to defend you. Those are not enough to stop an attack of opportunity, let alone a planned attack. In my next article I will cover the protections needed today in Indonesia to successfully protect your business and personal life. Just know that what worked in 1995 did not work 95% of the time even then, let alone today. Be safe out there.