Lior Div in Network World: Stop the attacker's offense, don’t do defense

Enterprises are fighting a cyber war against very sophisticated and highly organized adversaries. Yet companies still approach cybersecurity with a strictly defensive mindset. They operate under the belief that having the best defense will keep them safe from advanced adversaries. But attackers know how to break any defense, guaranteeing they’ll eventually infiltrate a company.

Organizations need to approach security by thinking about how they can stop offense. How is this different from having a strong defense? When you’re stopping offense, you don’t stand on the sidelines waiting for an attacker to breach your network, hoping that the security measures you have in place will be enough to stop them.

To stop offense, you switch your mindset: instead of thinking about your vulnerabilities, you look for the attacker’s weak points and go after them to shut down the operation. In essence, you figure out how the enemy is working and use this to your advantage, a concept I like to call the house of cards approach to attack detection.

This does not mean you launch your own attack against the attackers and hack them back. In pretty much every case, that action is illegal. Instead, consider your IT environment a battlefield that you want to protect and use to your advantage. Hopefully, you know what normal activity looks like on your network and have enough visibility into your environment. With this perspective, you can figure out when things look abnormal and spot the hacker’s actions.

Having full visibility into your IT environment and being able to spot compromised machines is critical for stopping the attacker’s offense. To know their environment better than the attackers, organizations must constantly perform reconnaissance in their environment and collect information and analyze it in real time. With this knowledge, an enterprise can control the situation instead of allowing the hacker to dictate what happens.

You want to be able to see all the elements at work in the hacking campaign and cut the attacker’s access to your network at once. Remediating security threats one by one won’t do anything to protect a company. If anything, this method tips hackers off that they’ve been discovered and provides them with time to rework their plan and figure out how to evade your defenses. Knocking out all of an attacker’s operations at once provides defenders with the element of surprise.
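The three ideas in the paragraphs above (know what normal looks like, spot the abnormal, and link every piece of a campaign so it can be cut off in one move) can be sketched in code. The following is an added illustration written for this page, not code from the column or from Cybereason: it baselines constructed endpoint telemetry, flags events that fall outside the baseline, groups the anomalies that share a host, account or unseen destination into one campaign, and emits a single containment plan for the whole campaign rather than one ticket per alert. All hosts, usernames and addresses are made up.

```python
"""Campaign-level detection over constructed endpoint telemetry (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, str]

# Constructed "known-good" telemetry: hypothetical hosts, users, processes, destinations.
BASELINE: List[Event] = [
    {"host": "ws-01", "user": "alice", "proc": "outlook.exe", "dst": "10.0.5.10"},
    {"host": "ws-01", "user": "alice", "proc": "chrome.exe", "dst": "10.0.5.10"},
    {"host": "ws-02", "user": "bob", "proc": "chrome.exe", "dst": "10.0.5.10"},
    {"host": "srv-db", "user": "svc_db", "proc": "sqlservr.exe", "dst": "10.0.5.10"},
]

# Constructed telemetry for the day under review; two normal events, four anomalies.
TODAY: List[Event] = [
    {"host": "ws-01", "user": "alice", "proc": "outlook.exe", "dst": "10.0.5.10"},
    {"host": "ws-01", "user": "alice", "proc": "powershell.exe", "dst": "203.0.113.7"},
    {"host": "ws-02", "user": "alice", "proc": "wmic.exe", "dst": "10.0.5.10"},
    {"host": "srv-db", "user": "alice", "proc": "cmd.exe", "dst": "203.0.113.7"},
    {"host": "ws-02", "user": "bob", "proc": "chrome.exe", "dst": "10.0.5.10"},
    {"host": "ws-05", "user": "carol", "proc": "python.exe", "dst": "198.51.100.9"},
]


def build_baseline(events: List[Event]) -> Tuple[Set[Tuple[str, str, str]], Set[str]]:
    """Record which (host, user, process) triples and which destinations are normal."""
    triples = {(e["host"], e["user"], e["proc"]) for e in events}
    dsts = {e["dst"] for e in events}
    return triples, dsts


def find_anomalies(events: List[Event], baseline) -> List[Event]:
    """An event is abnormal if its triple or its destination was never seen in the baseline."""
    triples, dsts = baseline
    return [
        e for e in events
        if (e["host"], e["user"], e["proc"]) not in triples or e["dst"] not in dsts
    ]


def cluster_campaigns(anomalies: List[Event], known_dsts: Set[str]) -> List[Dict]:
    """Join anomalies that share a host, an account, or an unseen destination.

    Known destinations (e.g. the file server everyone talks to) are deliberately not used
    as links, otherwise every anomaly would collapse into one giant cluster.
    """
    parent = list(range(len(anomalies)))  # union-find over anomaly indices

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a: int, b: int) -> None:
        parent[find(a)] = find(b)

    index: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for i, e in enumerate(anomalies):
        index[("host", e["host"])].append(i)
        index[("user", e["user"])].append(i)
        if e["dst"] not in known_dsts:
            index[("dst", e["dst"])].append(i)
    for members in index.values():
        for j in members[1:]:
            union(members[0], j)

    groups: Dict[int, List[Event]] = defaultdict(list)
    for i, e in enumerate(anomalies):
        groups[find(i)].append(e)

    campaigns = []
    for members in groups.values():
        campaigns.append({
            "hosts": sorted({e["host"] for e in members}),
            "users": sorted({e["user"] for e in members}),
            "external_dsts": sorted({e["dst"] for e in members if e["dst"] not in known_dsts}),
            "events": len(members),
        })
    return sorted(campaigns, key=lambda c: -c["events"])  # largest campaign first


def plan_containment(campaign: Dict) -> List[str]:
    """One plan covering every element of the campaign, to be executed together."""
    actions = [f"isolate host {h}" for h in campaign["hosts"]]
    actions += [f"disable account {u}" for u in campaign["users"]]
    actions += [f"block egress to {d}" for d in campaign["external_dsts"]]
    return actions


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    for c in cluster_campaigns(find_anomalies(TODAY, base), base[1]):
        print(c)
        for action in plan_containment(c):
            print("  ", action)
```

Run as a script it reports two campaigns: one spanning ws-01, ws-02 and srv-db, tied together by the account alice and the unseen destination 203.0.113.7, and an unrelated single-event cluster on ws-05. The containment plan for the first lists all three hosts, the account and the destination, which is the point of the column: act on the whole picture at once instead of closing the ws-01 alert and leaving the attacker a foothold on srv-db.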

You need a military mindset

This approach may be new to security, but it includes classic military techniques that I used during my time in the Israel Defense Forces. We were taught to win by taking control of a situation and dictating the rules of the game.

So, why aren’t companies approaching cybersecurity with more of a military mindset?

One challenge organizations face is that security operations tend to fall under the IT department’s domain. IT departments aren’t staffed with people who approach security problems with a military mindset. They tend to look at incidents on a case-by-case basis and don't consider how to use an IT environment to shut down an adversary’s operations.

Security roles need to be filled with workers who have some security background. This includes people who served in the military or worked in law enforcement. They approach cybersecurity as a physical problem, a perspective that tends to be missing from current attitudes around how to stop advanced attacks.

For most organizations, cybersecurity starts and ends at computers and servers and isn’t linked to physical security. But, in reality, the boundaries between cyber and physical security are disappearing. The U.S. Department of Justice recently accused seven Iranians of hacking into a computer system that controlled a dam in New York. And, of course, there have been numerous stories about the security around medical devices and how easily they can be hacked. By making this point, I’m trying to present a realistic view of the current security landscape, not spread fear.

Stopping the attacker’s offense will allow companies to control the hack instead of permitting the adversary to call the shots. The battlefield is becoming more digital, but the methods used by the military and law enforcement are still valid in cybersecurity.

This column previously appeared in Network World. Lior Div is the CEO and co-founder of Cybereason.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
