Despite major advancements in technology, the global approach to cybersecurity has remained the same for decades: respond and recover. The same vulnerabilities are repeatedly exploited in similar ways, and this trend shows no signs of slowing because current security tools do not actually address the roots of attacks. Even new artificial intelligence and machine learning techniques have mostly been aimed at improving response efficiency, as though there is nothing we can do but prepare for the worst and recover as quickly as possible. To slow the frequency of dangerous and costly cyberattacks, companies should shift their focus toward disrupting adversaries.
In May 2000, one unwitting user on a computer in the Philippines used Microsoft Outlook to open an email message with the subject line "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Because Windows hid the final extension by default, the file appeared to be a harmless text file; it was in fact a Visual Basic script. The script was a worm that moved through the user's computer, overwriting files of particular types (images and other scripts among them) and sending an email with a copy of itself to every address in the user's Windows Address Book. Within 10 days, the ILOVEYOU worm had spread around the world, infecting an estimated 50 million computers. Far from spreading love, the worm caused more damage than any previous cybersecurity incident: an estimated $5.5 billion to $8.7 billion worldwide.
Seventeen years later, in March 2017, Microsoft disclosed and patched a vulnerability in SMBv1, the legacy Windows file-sharing protocol, which was present across the supported versions of Windows in use at the time. Countless systems had not applied the patch by the time the WannaCry ransomware attack began two months later, and Windows XP, by then out of support, received an emergency patch only after the outbreak. WannaCry eventually affected more than 200,000 computers across 150 countries and caused estimated damages ranging from hundreds of millions to billions of dollars.
Despite significant changes to the state of technology and the internet between 2000 and 2017, these two cyberattacks were very similar. Both propagated by abusing relatively simple weaknesses in Microsoft products (a script extension hidden from the user in one case, an unpatched file-sharing flaw in the other), and both succeeded because of a lack of proactive cybersecurity.
Not only do the same kinds of attacks continue to work, responses to cyberattacks have not changed much, either. Despite all our advances in technology, cybersecurity is generally still focused on response and recovery: Identify the infected computers, take them offline, rebuild or replace them, file a data breach disclosure… rinse and repeat.
Is it impossible to defend against these vulnerabilities? Are hackers just too smart? Not necessarily. Response and recovery treats cyberattacks like natural disasters – inevitable, unstoppable and caused by forces outside our control. Meanwhile, adversaries continue to enjoy the fruits of their illicit labors. Popular methods of attack remain consistently successful because cybersecurity has failed to evolve to a posture of true prevention.
A needed evolution
The continued success of these cyberattack methods (and others) hinges on exploiting a limited number of key vulnerabilities that are commonly known to good and malicious actors alike. So, why are they still effective? The answer is that standard cybersecurity methods are designed to respond to incidents but rarely, if ever, actively disrupt the adversary's attempted attack. For example, cyberattacks or intrusions are generally handled via alerting after a breach has already occurred. The alert triggers a cybersecurity team to go in and clean up the affected systems, then set up or modify a firewall to block future attacks. Afterward, in many jurisdictions, companies are required by law to file a data breach notification.
The most common approach to blocking attacks involves analyzing past and current threats, then distilling the results into indicators of compromise (IoCs), such as IP addresses, domain names or hashes of known bad files. These IoCs are fed into available cybersecurity tools, which are wielded like a giant hammer, blocking or denying any traffic associated with them.
This method aims to prevent attacks that are exactly like prior attacks. It perpetuates the problem, however, because attackers know about these protections and adjust. Subsequent attacks are designed to differ just enough from prior ones (a recompiled binary, a fresh domain, a new IP address) to elude the new blocks. This process is repeated time and time again. The cybersecurity industry is almost entirely locked in this detect-respond-recover approach, with little to no effort being made to actually prevent cyberattacks in the first place.
Embrace a new approach to stem the flow of cyberattacks
Rather than treat the cyber threat like a natural disaster, the cybersecurity industry needs to embrace a fundamentally new approach. Instead of relying solely on insufficient incident response and recovery methods that have been used for many years, a more sophisticated approach is needed to prevent current cyberattacks and to predict and prevent future ones on a meaningful scale.
At Trinity Cyber, for instance, we provide this preventive assurance by invisibly monitoring threats outside a network’s perimeter and adapting to the adversary’s techniques to intercept and neutralize cyberattacks before they get in.
Operational challenges in the cyber realm have been exacerbated by an ever-growing landscape of disparate endpoints, the heightened sophistication of attackers and an increasing number of cybersecurity tools. While these challenges led to the development and adoption of SOAR (security orchestration, automation and response) platforms, which add efficiency, most tools remain inherently reactive.
Cyberattacks or attempts at compromising a system are human-made events within a human-made environment. By focusing on disrupting the adversary's methods, analysts can identify tactics, techniques and procedures (TTPs) and then use them to develop solutions that provide truly preventive cybersecurity.
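As an added illustration of the point made above about IoC blocklists and the TTP-based alternative, the following Python (written for this page; it is not Trinity Cyber's code or any product's logic) contrasts exact-hash IoC matching with two behaviour-level rules: a double-extension check for script attachments, and a sliding-window fan-out count that flags a mailbox mailing many distinct recipients or a host opening SMB (TCP/445) connections to many distinct neighbours in a short time. The attachment bytes, log lines, addresses and thresholds are all constructed for the example; the "attachment" is a harmless one-line script, not malware.

```python
"""IoC blocklisting versus behaviour (TTP) rules, on constructed sample data.

Added example for this article; not Trinity Cyber's code. All payloads,
log lines, names and thresholds below are constructed for illustration.
"""
import hashlib
from datetime import datetime, timedelta

# A harmless stand-in for a script attachment (not real malware), and a copy
# an attacker has trivially altered: same behaviour, different hash.
ORIGINAL_ATTACHMENT = b'MsgBox "hello"\r\n'
VARIANT_ATTACHMENT = ORIGINAL_ATTACHMENT + b"' one appended comment line\r\n"

# The IoC feed holds only the hash of the sample seen in the first incident.
IOC_SHA256 = {hashlib.sha256(ORIGINAL_ATTACHMENT).hexdigest()}

def ioc_hash_match(payload: bytes) -> bool:
    """Classic IoC check: exact hash match, so any byte change evades it."""
    return hashlib.sha256(payload).hexdigest() in IOC_SHA256

# TTP rule 1: an executable script hidden behind a harmless-looking extension
# (the "something.TXT.vbs" pattern), judged independently of file content.
SCRIPT_EXT = {"vbs", "vbe", "js", "jse", "wsf", "hta", "exe", "scr"}
DECOY_EXT = {"txt", "doc", "pdf", "jpg", "png"}

def is_double_extension(filename: str) -> bool:
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXT and parts[2] in SCRIPT_EXT

# TTP rule 2: fan-out within a sliding time window. One function covers both
# a mailbox mailing many distinct recipients (self-mailing worm) and a host
# opening SMB connections to many distinct neighbours (scanning worm).
def fan_out_alerts(events, src_field, dst_field, threshold, window):
    """Return the set of sources that reached >= threshold distinct
    destinations within some span of length `window`. Each event is a dict
    with a datetime under "ts" plus the two named fields; any order."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src.setdefault(ev[src_field], []).append(ev)
    alerts = set()
    for src, evs in by_src.items():
        start = 0
        for i, ev in enumerate(evs):
            while evs[start]["ts"] < ev["ts"] - window:
                start += 1  # drop events that fell out of the window
            distinct = {e[dst_field] for e in evs[start:i + 1]}
            if len(distinct) >= threshold:
                alerts.add(src)
                break
    return alerts

def parse_kv_log(text):
    """Parse constructed 'ISO-timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        ev.update(p.split("=", 1) for p in pairs)
        events.append(ev)
    return events

# Constructed mail-gateway log: one user mails five colleagues in two seconds.
MAIL_LOG = """
2000-05-04T08:00:01 from=alice@corp.example to=bob@corp.example attach=LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T08:00:01 from=alice@corp.example to=carol@corp.example attach=LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T08:00:02 from=alice@corp.example to=dave@corp.example attach=LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T08:00:02 from=alice@corp.example to=erin@corp.example attach=LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T08:00:03 from=alice@corp.example to=frank@corp.example attach=LOVE-LETTER-FOR-YOU.TXT.vbs
2000-05-04T08:30:00 from=bob@corp.example to=alice@corp.example attach=report.pdf
2000-05-04T09:15:00 from=bob@corp.example to=carol@corp.example attach=none
"""

def smb_events():
    """Constructed connection records: 10.0.0.7 touches 25 neighbours on
    TCP/445 within five seconds; 10.0.0.8 talks only to its file server."""
    base = datetime.fromisoformat("2017-05-12T10:00:00")
    evs = [{"ts": base + timedelta(milliseconds=200 * i), "src": "10.0.0.7",
            "dst": f"10.0.0.{20 + i}", "dport": "445"} for i in range(25)]
    evs += [{"ts": base + timedelta(seconds=i), "src": "10.0.0.8",
             "dst": "10.0.0.5", "dport": "445"} for i in range(30)]
    return evs

def run_demo():
    mail = parse_kv_log(MAIL_LOG)
    smb = [e for e in smb_events() if e["dport"] == "445"]
    return {
        "ioc_original": ioc_hash_match(ORIGINAL_ATTACHMENT),   # caught
        "ioc_variant": ioc_hash_match(VARIANT_ATTACHMENT),     # evades the hash IoC
        "double_ext_senders": {e["from"] for e in mail if is_double_extension(e["attach"])},
        "mail_fanout": fan_out_alerts(mail, "from", "to", 5, timedelta(seconds=60)),
        "smb_scan": fan_out_alerts(smb, "src", "dst", 20, timedelta(seconds=10)),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The hash IoC catches the original attachment and misses the one-line variant, which is exactly the "differ just enough" problem described above; the two behaviour rules fire on both, because neither depends on the bytes of the file, the sender's address or the source IP. The thresholds are deliberately simple; in practice they would be tuned per environment and combined with allow-lists for legitimate bulk mailers and vulnerability scanners.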