



Cybersecurity: Stop the attacker’s offense, don’t do defense

Jul 01, 2016

A strong defense isn't enough to beat today's sophisticated hackers. Companies must adopt a military mindset and stop the attacker's offense.

Enterprises are fighting a cyber war against very sophisticated and highly organized adversaries. Yet companies still approach cybersecurity with a strictly defensive mindset. They operate under the belief that having the best defense will keep them safe from advanced adversaries. But attackers know how to break any defense, guaranteeing they’ll eventually infiltrate a company.

Organizations need to approach security by thinking about how they can stop offense. How is this different from having a strong defense? When you’re stopping offense, you don’t stand on the sidelines waiting for an attacker to breach your network, hoping that the security measures you have in place will be enough to stop them.

To stop offense, you switch your mindset: instead of thinking about your vulnerabilities, you look for the attacker’s weak points and go after them to shut down the operation. In essence, you figure out how the enemy is working and use this to your advantage, a concept I like to call the house of cards approach to attack detection.

This does not mean you launch your own attack against the attackers and hack them back. In pretty much every case, that action is illegal. Instead, consider your IT environment a battlefield that you want to protect and use to your advantage. Hopefully, you know what normal activity looks like on your network and have enough visibility into your environment. With that baseline, you can recognize when things look abnormal and spot the hacker’s actions.

Having full visibility into your IT environment and being able to spot compromised machines is critical for stopping the attacker’s offense. To know their environment better than the attackers do, organizations must constantly perform reconnaissance on their own environment, collecting information and analyzing it in real time. With this knowledge, an enterprise can control the situation instead of allowing the hacker to dictate what happens.

You want to be able to see all the elements at work in the hacking campaign and cut the attacker’s access to your network at once. Remediating security threats one by one won’t do anything to protect a company. If anything, this method tips hackers off that they’ve been discovered and gives them time to rework their plan and figure out how to evade your defenses. Knocking out all of an attacker’s operations at once gives defenders the element of surprise.
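The baseline-then-correlate idea in the two paragraphs above, as an added example that is not from the column or from Cybereason: learn which (host, account, event) combinations are normal from a learning window, flag today's deviations, then group the deviations that share a host or an account into one campaign so the containment step (isolate these hosts, disable these accounts) is carried out in a single move rather than ticket by ticket. Every host name, account and event below is constructed sample data, and the clustering rule (link anomalies that share a host or a user) is an assumption chosen for illustration.

```python
"""Baseline normal activity, flag deviations, then group related deviations so
the whole campaign is contained at once. All data here is constructed."""
from collections import defaultdict

# Constructed learning-window events: what "normal" looked like last week.
BASELINE = [
    {"host": "WS-ALICE", "user": "alice", "event": "logon:interactive"},
    {"host": "FS-01", "user": "alice", "event": "logon:network"},
    {"host": "WS-BOB", "user": "bob", "event": "logon:interactive"},
    {"host": "FS-01", "user": "bob", "event": "logon:network"},
    {"host": "FS-01", "user": "svc-backup", "event": "logon:service"},
    {"host": "DC-01", "user": "svc-backup", "event": "logon:network"},
]

# Constructed events from today, in order of occurrence.
TODAY = [
    {"ts": "09:01", "host": "WS-ALICE", "user": "alice", "event": "logon:interactive"},
    {"ts": "09:15", "host": "FS-01", "user": "alice", "event": "logon:network"},
    {"ts": "11:40", "host": "WS-ALICE", "user": "bob", "event": "logon:remote"},
    {"ts": "11:52", "host": "FS-01", "user": "bob", "event": "logon:remote"},
    {"ts": "12:03", "host": "FS-01", "user": "svc-backup", "event": "process:cmd.exe"},
    {"ts": "13:20", "host": "WS-CAROL", "user": "carol", "event": "logon:interactive"},
]


def key(e):
    """The combination we consider 'normal' or not: who did what, where."""
    return (e["host"], e["user"], e["event"])


def build_baseline(events):
    """Every combination observed during the learning window is treated as normal."""
    return {key(e) for e in events}


def find_anomalies(events, baseline):
    """Events whose combination was never seen in the learning window."""
    return [e for e in events if key(e) not in baseline]


def cluster_campaigns(anomalies):
    """Group anomalies that share a host or an account (assumed linking rule),
    using a depth-first walk over an attribute index. Each cluster is one
    candidate campaign; responders act on the whole cluster, not one event."""
    index = defaultdict(list)
    for i, e in enumerate(anomalies):
        index[("host", e["host"])].append(i)
        index[("user", e["user"])].append(i)
    seen, clusters = set(), []
    for start in range(len(anomalies)):
        if start in seen:
            continue
        seen.add(start)
        stack, members = [start], []
        while stack:
            i = stack.pop()
            members.append(i)
            e = anomalies[i]
            for k in (("host", e["host"]), ("user", e["user"])):
                for j in index[k]:
                    if j not in seen:
                        seen.add(j)
                        stack.append(j)
        clusters.append([anomalies[i] for i in sorted(members)])
    return clusters


def containment_plan(cluster):
    """Everything to isolate or disable in one move for this cluster."""
    return {"hosts": sorted({e["host"] for e in cluster}),
            "users": sorted({e["user"] for e in cluster})}


def analyze(today=TODAY, baseline_events=BASELINE):
    """Return clusters, largest first, each with its containment plan."""
    anomalies = find_anomalies(today, build_baseline(baseline_events))
    clusters = cluster_campaigns(anomalies)
    clusters.sort(key=len, reverse=True)
    return [{"events": c, "plan": containment_plan(c)} for c in clusters]


if __name__ == "__main__":
    for n, c in enumerate(analyze(), 1):
        print(f"cluster {n}: {len(c['events'])} anomalous events")
        for e in c["events"]:
            print(f"  {e['ts']} {e['user']}@{e['host']} {e['event']}")
        print("  contain at once:", c["plan"])
```

On the constructed data the run yields two clusters: bob's unusual remote logons to WS-ALICE and FS-01 and the svc-backup shell on FS-01 land in one cluster (hosts FS-01 and WS-ALICE, accounts bob and svc-backup), while carol's first logon on a new workstation stays a singleton, which is the kind of isolated deviation an analyst reviews separately rather than treating as part of the campaign.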

You need a military mindset

This approach may be new to security, but it includes classic military techniques that I used during my time in the Israel Defense Forces. We were taught to win by taking control of a situation and dictating the rules of the game.

So, why aren’t companies approaching cybersecurity with more of a military mindset?

One challenge organizations face is that security operations tend to fall under the IT department’s domain. IT departments aren’t staffed with people who approach security problems with a military mindset. They tend to look at incidents on a case-by-case basis and don’t consider how to use an IT environment to shut down an adversary’s operations.

Security roles need to be filled with workers who have some security background. This includes people who served in the military or worked in law enforcement. They approach cybersecurity as a physical problem, a perspective that tends to be missing from current attitudes around how to stop advanced attacks.

For most organizations, cybersecurity starts and ends at computers and servers and isn’t linked to physical security. But, in reality, the boundaries between cyber and physical security are disappearing. The U.S. Department of Justice recently accused seven Iranians of hacking into a computer system that controlled a dam in New York. And, of course, there have been numerous stories about the security around medical devices and how easily they can be hacked. By making this point, I’m trying to present a realistic view of the current security landscape, not spread fear.

Stopping the attacker’s offense will allow companies to control the hack instead of permitting the adversary to call the shots. The battlefield is becoming more digital, but the methods used by the military and law enforcement are still valid in cybersecurity.


Lior Div is the CEO and Co-Founder of Cybereason. Before forming Cybereason, he founded cyber-security company Alfa Tech.

Div also served in the Israel Defense Forces. While in the IDF, Div was part of the Israeli Intelligence Corps, where he led an elite cyber-security team in the Corps' 8200 unit. Div's work in the Corps earned him a Medal of Honor.

He is an expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion.

The opinions expressed in this blog are those of Lior Div and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.