Attackers are thinking outside the box

How to predict what the next attack will look like

In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to ingenious new attacks every few years.

In our efforts to secure our organizations, how do we predict what the next attack will look like? All too often, the focus is on matching defenses to specific types of attacks -- the Anti-X approach. When attack "Y" comes along instead, we don't question our strategy; we simply add Anti-Y to our purchasing list.

The attempt to predict classes of attacks, aka the Anti-X strategy, is always reactive and highly susceptible to the asymmetric nature of security. Namely, following the Anti-X strategy, we have to correctly predict all types of attack, while attackers only have to invent one attack that is "unexpected." This asymmetric struggle means enormous corporate expenditure for those defending security and only a small amount of innovation on the attacker's side. If you've been in this industry for a while, you're probably used to feeling awed by the sheer ingenuity and breadth of attacks that cybercriminals can dream up.

The basic problem with a strategy of threat prediction is this asymmetry. Imagine an abstract attack surface -- a two-dimensional space where each point is a possible attack. If you consider technology hacking and social engineering attacks, the attack space stretches out to infinity in all directions. It is only constrained by human imagination, so not really constrained at all! Now imagine all of the known or expected threats that you can predict as the surface bounded by a square. This is the security specialist, trying to predict attacks by thinking inside the box. No matter how imaginative the security professional and how large the organization's budget, the "box" is finite. It takes enormous effort and expense to define an area broad enough to cover even most of the known threats, as is evident from the hundreds of small, specialized vendors in our industry. But all an attacker has to do is take a small step outside the box. Even a small variation of an existing attack can stump security controls that are focused on the known and on the predicted. In the Anti-X strategy, we always have a finite and known box, and outside that box the attacker has an infinite space for innovation.

Note that I'm not claiming that we can't successfully predict and defend against some attacks, only that we can't predict and defend against all attacks, especially when our actions are known and the attackers just have to step outside the realm of our prediction. Next time, I'll be looking at a strategy to overcome this problem -- namely how generic security preparedness trumps specific threat prediction.


Andreas M. Antonopoulos

Network World