Why Hacker Logic Should Matter to the Defender

David Wolpoff (moose)
4 min read, Oct 12, 2020

Security is not a problem to be solved, it’s a practice to be performed. It’s a chess match against a hacker, and a stalemate is your objective.


Hackers always start from the assumption that they can break in — it is a question of how, not if. Most defenders (aka blue teamers) believe they can design something to be secure. But hackers know nothing is ever completely secure.

So if the defender and the hacker play by a different set of universal, immutable laws, how can the defender prevail?

The only common ground is a monetary one. Dollars. Cash. How much to spend, when and if it’s worth it. All a defender can do is make it more expensive for an attacker to get in, and once in, harder to get to the crown jewels.

A common approach to security is to chase the latest bug or implement the hottest new tech on the market. But when technology changes faster than we do, focusing on finding and fixing is an exhausting, thankless, and ineffective approach to security.

Know your opponent

It’s more valuable to understand your opponents and make things more expensive for them. Defenders need to evolve and start thinking like adversaries in order to identify what’s most likely to be targeted by a hacker. That’s only doable once you get a sense of what’s possible, and only then can you protect what really matters. In order to do this, you need to flip your perspective to recognize where your valuable assets are (aka your crown jewels), anticipate the movements an adversary might make, and know what’s going on in your environment.

Understanding the art of the possible

It follows then, that in order to keep the bad guys out, you want your crown jewels to be deeply buried. You want every success for an adversary to require tedious work and to trip some alarm. In order to do so, you need to get comfortable with some risk — know what amount is okay — and plan and prepare for an attack. If you treat security like a game of chess, you can focus on predicting your attacker’s next move(s). You need to be okay with giving up a couple pawns, maybe even a rook, in order to save the king. And in a chess match against a hacker, acknowledging you can’t win is foundational — a stalemate or a draw is your objective.

Your goal is to prevent lasting harm and keep your business running. And unlike chess, your only focus is to keep your king safe, not capture theirs. Winning isn’t having the fewest weaknesses, it’s stopping your king from getting captured. It’s preventing what you can and disrupting your opponent before damage is done.

You can’t stop an attacker from attacking, but you can stop some attacks from working. And if you stress and test your program before the adversary does, and take those learnings to build a more responsive defense, you can almost always interrupt an adversary before real harm is done.

The strategy

So how do you win — achieve a draw? The best security teams are not those with the fewest flaws, or that use the most buzzworthy security products. The toughest are teams that anticipate a hacker’s next move and are maniacally fixated on:

1. Protecting what matters. They know what’s most important to protect, and no, everything isn’t the right answer. They know what their “king” is.

2. Prioritizing the way attackers do. They anticipate what an attacker is going to go after, and have moves prepared to thwart the attempts.

3. Mastering the fundamentals. Their networks are segmented, they have visibility and monitoring in place, and have implemented the Center for Internet Security (CIS) Top 20 critical security controls. They know what controls to have in place and where.

4. Scrimmaging over and over. The best teams have stressed their systems, learned from it, hardened them, and gone at it again. Every tool they deploy is one they can confidently use under pressure.

5. Putting fail safes in place. Attackers will attack. It’s not about stopping them from attacking, but thinking through the art of the possible — thinking ten moves ahead — and having the right defense and depth set up.

Resistance is not futile, it is, in fact, the entire point. But building a resilient security program isn’t easy — it takes work and practice. How many games of chess does a master play to become a pro? You can’t get security from a book, buy it from a vendor, or simulate it on a cyber range — if you could, someone would have invented it already. Resilience is built through experience and dedication, which must be maintained. If you want to break the vicious threat cycle, you have to recognize that in an adversary focused world, experience may just be the best defense.

This blog breaks down what the industry can do to gain the edge over attackers — because they aren’t going away. By providing insights into hacker logic: their thinking, their risk calculus before making a move, their strategy for identifying tempting targets, etc., you’ll see that sacrificing a couple of pawns in order to protect your king is the best strategy.

David Wolpoff (moose)

temporarily unemployed. previously co-founder @randori. once upon a time a red-teamer.