Attackers are thinking outside the box

How to predict what the next attack will look like

In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to new ingenious attacks every few years.

In our efforts to secure our organizations, how do we predict what the next attack will look like? All too often, the focus is on matching defenses to specific types of attacks -- the Anti-X approach. When attack "Y" comes along instead, we don't question our strategy; we simply add Anti-Y to our purchasing list.

The attempt to predict classes of attacks, aka the Anti-X strategy, is always reactive and highly susceptible to the asymmetric nature of security. Namely, following the Anti-X strategy, we have to correctly predict all types of attack, while attackers only have to invent one attack that is "unexpected." This asymmetric struggle means enormous corporate expenditure for those defending security and only a small amount of innovation on the attacker's side. If you've been in this industry for a while, you're probably used to feeling awed by the sheer ingenuity and breadth of attacks that cybercriminals can dream up.

The basic problem with a strategy of threat prediction is this asymmetry. Imagine an abstract attack surface -- a two-dimensional space where each point is a possible attack. If you consider technology hacking and social engineering attacks, the attack space stretches out to infinity in all directions. It is only constrained by human imagination, so not really constrained at all! Now imagine all of the known or expected threats that you can predict as the surface bounded by a square. This is the security specialist, trying to predict attacks by thinking inside the box. No matter how imaginative the security professional and how large the organization's budget, the "box" is finite. It takes enormous effort and expense to define an area broad enough to cover even most of the known threats, as is evident from the hundreds of small, specialized vendors in our industry. But all an attacker has to do is take a small step outside the box. Even a small variation of an existing attack can stump security controls that are focused on the known and on the predicted. In the Anti-X strategy, we always have a finite and known box, and outside that box the attacker has an infinite space for innovation.

Note that I'm not claiming that we can't successfully predict and defend against some attacks. Only that we can't predict and defend against all attacks, especially when our actions are known and the attackers just have to step outside the realm of our prediction. Next time, I'll be looking at a strategy to overcome this problem -- namely how generic security preparedness trumps specific threat prediction.


Andreas M. Antonopoulos

Network World