Despite major advancements in technology, the global approach to cybersecurity has remained the same for decades: respond and recover. Even new artificial intelligence and machine learning techniques have mostly been aimed at improving response efficiency — as though there is nothing we can do but prepare for the worst and recover as quickly as possible. To slow the frequency of dangerous and costly cyberattacks, companies should be shifting their efforts toward focusing on adversary disruption.
In May 2000, one unwitting user on a computer in the Philippines used Microsoft Outlook to open an email message with the subject line “ILOVEYOU” and an attached file named “LOVE-LETTER-FOR-YOU.txt.” The attachment contained malicious code — a worm that moved through the user’s computer, overwriting random files, and sending an email with a copy of itself to every address in the user’s Windows Address Book. Just 10 days later, the ILOVEYOU worm had spread around the world, infecting over 50 million computers. Far from spreading love, the worm caused more damage than any previous cybersecurity incident: an estimated
$5.5 billion to $8.7 billion worldwide.
Seventeen years later, Microsoft announced a vulnerability within a resource-sharing protocol in widespread use across versions of the ubiquitous Windows XP operating system. They quickly released a patch to fix the vulnerability, but countless systems had not been patched by the time the WannaCry ransomware attack began two months later. WannaCry eventually affected more than 200,000 computers across 150 countries and caused estimated damages ranging from hundreds of millions to billions of dollars.
Despite significant changes to the state of technology and the internet between 2000 and 2017, these two cyberattacks were very similar to each other. Both propagated by using relatively simple vulnerabilities in Microsoft operating systems, and both were successful because of a lack of proactive cybersecurity.
Not only do the same kinds of attacks continue to work, responses to cyberattacks have not changed much either. Is the issue that it is impossible to defend against these vulnerabilities? Are hackers just too smart? Not necessarily.
A Needed Evolution
Cyberattacks or intrusions are generally handled after a breach has already occurred. Alerts trigger the cybersecurity team to go in, clean up the system, and then set up or modify a firewall to block future attacks. Companies are then required by law to file a data breach notification.
The most common approach to blocking attacks involves analyzing past and current threats and then distilling the results into indicators of compromise (IoC), such as IP addresses, domain names, or hashes of known bad files. These IoCs are then fed into available cybersecurity tools, which are wielded like a giant hammer, blocking or denying any traffic associated with them.
This method aims to prevent attacks that are exactly like prior attacks, which perpetuates the problem because hackers know about these protection methods. Subsequent attacks are designed to differ just enough from prior attacks to avoid the new protections. This process is repeated time and time again.
Rather than treat the cyber threat like a natural disaster, the industry needs to embrace a fundamentally new approach to prevent cyberattacks before they happen.
Operational challenges in the cyber realm have been exacerbated by an ever-growing landscape of disparate endpoints, heightened sophistication of cyberattackers, and an increasing number of cybersecurity tools. While these challenges led to the development and implementation of security orchestration, automation, and response (SOAR) platforms, which add efficiencies, most tools remain inherently reactive.
Cyberattacks or attempts at compromising a system are man-made events within a man-made environment. By focusing on disrupting the adversary’s methods, analysts can determine tactics, techniques, and procedures (TTP) and then use those to develop solutions that provide a proactive approach to cybersecurity.