Knowing thy enemy can be as important in defending an organization against cyber intruders as studying their tools and tactics, say security experts interviewed by CSOonline.
While many defenders spend much of their time analyzing tools and tactics of their adversaries, getting into the head of potential intruders and determining how they're motivated can tip defenders off to an attack as surely as a tell will tip off the good hand of a gambler.
"You can't defend against everything," Gidi Cohen, CEO of Skybox Security, said in an interview. "The attack surface is like a balloon and as time goes on, the balloon is getting bigger and bigger because endpoints keep expanding."
"Knowing your adversary allows you to narrow down your focus on the assets which are the likely target of an attack," Cohen added.
In any adversarial situation, getting under an opponent's hat is important to getting the upper hand, maintained Nick Levay, CSO of Bit9. "One of the most misunderstood words in the English language is empathy," Levay said. "When people say it, they're often talking about the warm, fuzzy feelings their loved ones are feeling."
"In reality," he continued, "empathy is one of the things that's necessary in any adversarial engagement. You have to understand how your adversary thinks so you can figure out how they're going to come at you."
Knowing your adversary is more than knowing what thinking is behind their actions. It's also knowing their technological capabilities. "Is your adversary capable of developing their own malicious code or are they going to use the malicious tool set of others?" said Jim Butterworth, chief security officer for HBGary.
That can determine whether traditional defense tools -- like antivirus and incursion detection programs -- will be adequate to foil an adversary or something more will be needed.
It can also help a company identify what an adversary wants and set about protecting it. "A company must identify its crown jewels and then spend all their efforts protecting those crown jewels," Butterworth said.
Timing can be an important element in identifying the motives of intruders, noted Alex Lanstein, systems architect for the FireEye Network. "By tracking the timing of attackers over months or years, you can start to figure out if they are after quarterly earnings reports, information about M&A you just announced, information about a conference presentation, etc.," Lanstein said.
"When you know what they're after you can add more monitoring of data access and general fortification of the systems that protect or access that data," he added.
A report by HP Security Research issued last week also notes that understanding your adversary and their motivations can be a valuable asset for a company.