
by John P. Mello, Jr.

Knowing adversary key to good cyberdefense, say experts

Jul 09, 2013 | 3 mins
Application Security, Cybercrime, Malware

Best protection depends on walking a mile in hacker's shoes

Knowing thy enemy can be as important in defending an organization against cyber intruders as studying their tools and tactics, say security experts interviewed by CSOonline.

While many defenders spend much of their time analyzing the tools and tactics of their adversaries, getting into the head of a potential intruder and determining what motivates them can tip defenders off to an attack as surely as a tell gives away a gambler's good hand.

“You can’t defend against everything,” Gidi Cohen, CEO of Skybox Security, said in an interview. “The attack surface is like a balloon and as time goes on, the balloon is getting bigger and bigger because endpoints keep expanding.”

“Knowing your adversary allows you to narrow down your focus on the assets which are the likely target of an attack,” Cohen added.

In any adversarial situation, getting under an opponent's hat is important to gaining the upper hand, maintained Nick Levay, CSO of Bit9. “One of the most misunderstood words in the English language is empathy,” Levay said. “When people say it, they’re often talking about the warm, fuzzy feelings their loved ones are feeling.”

“In reality,” he continued, “empathy is one of the things that’s necessary in any adversarial engagement. You have to understand how your adversary thinks so you can figure out how they’re going to come at you.”

Knowing your adversary is more than knowing what thinking is behind their actions. It’s also knowing their technological capabilities. “Is your adversary capable of developing their own malicious code or are they going to use the malicious tool set of others?” said Jim Butterworth, chief security officer for HBGary.

That can determine whether traditional defense tools — like antivirus and intrusion detection programs — will be adequate to foil an adversary or whether something more will be needed.


It can also help a company identify what an adversary wants and set about protecting it. “A company must identify its crown jewels and then spend all its efforts protecting those crown jewels,” Butterworth said.

Timing can be an important element in identifying the motives of intruders, noted Alex Lanstein, systems architect for the FireEye Network. “By tracking the timing of attackers over months or years, you can start to figure out if they are after quarterly earnings reports, information about M&A you just announced, information about a conference presentation, etc.,” Lanstein said.

“When you know what they’re after you can add more monitoring of data access and general fortification of the systems that protect or access that data,” he added.

A report by HP Security Research issued last week also notes that understanding your adversary and their motivations can be a valuable asset for a company.

“Assessing the theater of operation from their perspective rather than limiting it to your own can provide tremendous insights,” the report said. “How an attack against your organization will materialize is directly related to the attacker’s motivations.”

“An attack can be viewed in different ways based on the motivations of the attacker,” it continued. “If you understand what you are looking for, you will be able to tailor your defenses.”

Tailoring defenses can be very important for budget-conscious security pros. “I have yet to meet anyone with too many resources, so allocating these scarce resources in the most efficient way is very important,” HP intelligence analyst Jason Lancaster said.

“Simply making those decisions based on audit findings and compliance requirements may not be enough,” Lancaster added.