Attackers are thinking outside the box

How to predict what the next attack will look like

In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a very highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to new ingenious attacks every few years.

In our efforts to secure our organizations, how do we predict what the next attack will look like? All too often, the focus is on matching defenses to specific types of attacks -- the Anti-X approach. When instead attack "Y" comes along, we don't question our strategy, we simply add Anti-Y to our purchasing list.

The attempt to predict classes of attacks, aka the Anti-X strategy, is always reactive and highly susceptible to the asymmetric nature of security. Namely, following the Anti-X strategy, we have to correctly predict all types of attack, while attackers have to only invent one attack that is "unexpected." This asymmetric struggle means enormous corporate expenditure for those defending security and only a small amount of innovation on the attacker's side. If you've been in this industry for a while, you're probably used to feeling awed by the sheer ingenuity and breadth of attacks that cybercriminals can dream up.

The basic problem with a strategy of threat prediction is this asymmetry. Imagine an abstract attack surface -- a two-dimensional space where each point is a possible attack. If you consider technology hacking and social engineering attacks, the attack space stretches out to infinity in all directions. It is only constrained by human imagination, so not really constrained at all! Now imagine all of the known or expected threats that you can predict as the surface bounded by a square. This is the security specialist, trying to predict attacks by thinking inside the box. No matter how imaginative the security professional and how large the organization's budget, the "box" is finite. It takes enormous effort and expense to define an area broad enough to even cover most of the known threats, as is evident by the hundreds of small, specialized vendors in our industry. But all an attacker has to do is take a small step outside the box. Even a small variation of an existing attack can stump security controls that are focused on the known and on the predicted. In the Anti-X strategy, we always have a finite and known box, and outside that box the attacker has an infinite space for innovation.

Note that I'm not claiming that we can't successfully predict and defend against some attacks. Only that we can't predict and defend against all attacks, especially when our actions are known and the attackers just have to step outside the realm of our prediction. Next time, I'll be looking at a strategy to overcome this problem -- namely how generic security preparedness trumps specific threat prediction.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Andreas M. Antonopoulos

Network World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?