There is a certain satisfaction that comes from turning the tables on a seemingly unbeatable adversary. Luke Skywalker exploited a design flaw to destroy the Death Star. Rocky Balboa exploited Ivan Drago’s arrogance to win a boxing round. Sarah Connor exploited a reprogrammed Arnold Schwarzenegger to beat the T-1000 in Terminator 2.
In cyber security, the hacker community often seems as evil as Darth Vader, as cold as Ivan Drago and as relentless as the Terminator. It would be nice if there were a way to turn the tables and beat hackers at their own game.
Whether for financial gain, social activism, mischievous vandalism or other malicious motivation, hackers have been exploiting weaknesses in human nature and in network defenses, and making life miserable for enterprises, for decades. Today, however, security professionals are starting to turn the situation to our advantage. By building a knowledge base of the techniques attackers are known to use, combining it with real-time threat intelligence, and continuously and automatically testing our own defenses against those techniques, it is possible to beat hackers at their own game.
Imagine, as in The Terminator, that you could see how an adversary would attack you, understand the weaknesses they would exploit, quantify which of your security controls were failing, and then go back in time to fix the problem before it happens. That is what we are talking about. And it is not a point-in-time assessment that may be valid today and obsolete tomorrow. It is a continuous process based on up-to-the-minute analysis and intelligence.
It is important to use breach simulations to “breach your own castle.” The process not only ensures that your investments in cyber security are calibrated to the specific needs of your enterprise, but also builds a kind of incident response muscle memory that ensures a timely, efficient response when a real attack does take place.
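To make the “breach your own castle” idea concrete, here is a small breach-and-attack-simulation harness. It is an added illustration written for this page, not code from the author or from any vendor product: the technique catalog, the telemetry each technique leaves behind, and the detection rules are all constructed for the example. Each simulated technique replays the events a real attacker action would generate, the detection rules are run over that telemetry, and the harness reports which techniques reached the target undetected. One rule (the DNS beacon rule) is deliberately mis-tuned so the simulation surfaces a control that exists but is not calibrated to the threat.

```python
"""Minimal breach-and-attack-simulation harness (constructed example).

Each simulated technique emits the telemetry an attacker's action would leave
behind; each detection rule is what a SOC might run over that telemetry. The
harness replays every technique, records which rules fired, and reports the
techniques that went undetected: those are the failing (or mis-tuned) defenses.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# One telemetry event, as an endpoint or network sensor would record it.
Event = Dict[str, str]


@dataclass
class Technique:
    name: str
    emit: Callable[[], List[Event]]   # events this technique generates


@dataclass
class Rule:
    name: str
    match: Callable[[List[Event]], bool]   # fires if the event set looks malicious


# --- constructed technique catalog (illustrative, not a real threat feed) ---
def encoded_powershell() -> List[Event]:
    return [{"type": "process", "image": "powershell.exe",
             "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"}]


def lsass_dump() -> List[Event]:
    return [{"type": "process", "image": "rundll32.exe",
             "cmdline": "rundll32.exe comsvcs.dll MiniDump 612 C:\\Windows\\Temp\\l.dmp full"}]


def dns_beacon() -> List[Event]:
    # Twenty lookups of changing hostnames under one registered domain: a beacon pattern.
    return [{"type": "dns", "query": f"{i:04x}.updates.example.net"} for i in range(20)]


CATALOG = [
    Technique("encoded-powershell", encoded_powershell),
    Technique("lsass-dump-comsvcs", lsass_dump),
    Technique("dns-beacon", dns_beacon),
]


# --- constructed detection rules ---
def encoded_powershell_rule() -> Rule:
    def match(events: List[Event]) -> bool:
        for e in events:
            if e["type"] == "process" and "powershell" in e["image"].lower():
                tokens = e["cmdline"].lower().split()
                if any(flag in tokens for flag in ("-enc", "-encodedcommand")):
                    return True
        return False
    return Rule("encoded powershell command line", match)


def minidump_rule() -> Rule:
    def match(events: List[Event]) -> bool:
        return any(e["type"] == "process"
                   and "comsvcs.dll" in e["cmdline"].lower()
                   and "minidump" in e["cmdline"].lower() for e in events)
    return Rule("MiniDump via comsvcs.dll", match)


def dns_beacon_rule(threshold: int) -> Rule:
    """Fires when one registrable domain receives at least `threshold` lookups."""
    def match(events: List[Event]) -> bool:
        counts: Dict[str, int] = {}
        for e in events:
            if e["type"] != "dns":
                continue
            domain = ".".join(e["query"].lower().rstrip(".").split(".")[-2:])
            counts[domain] = counts.get(domain, 0) + 1
        return any(c >= threshold for c in counts.values())
    return Rule(f"dns beacon (>= {threshold} lookups under one domain)", match)


# The beacon threshold of 50 is set too high for the simulated beacon on purpose.
RULES = [encoded_powershell_rule(), minidump_rule(), dns_beacon_rule(50)]


@dataclass
class Result:
    technique: str
    fired: List[str] = field(default_factory=list)

    @property
    def detected(self) -> bool:
        return bool(self.fired)


def simulate(catalog: List[Technique], rules: List[Rule]) -> List[Result]:
    """Replay every technique and record which rules fired on its telemetry."""
    return [Result(t.name, [r.name for r in rules if r.match(t.emit())]) for t in catalog]


def gaps(results: List[Result]) -> List[str]:
    return [r.technique for r in results if not r.detected]


def coverage(results: List[Result]) -> float:
    return sum(r.detected for r in results) / len(results) if results else 0.0


if __name__ == "__main__":
    res = simulate(CATALOG, RULES)
    for r in res:
        print(f"{r.technique:22s} " + (", ".join(r.fired) if r.detected else "UNDETECTED"))
    print(f"coverage: {coverage(res):.0%}; gaps: {gaps(res)}")
```

Run as-is, the harness reports two of three techniques detected and flags the DNS beacon as a gap, even though a beacon rule exists. Replacing `dns_beacon_rule(50)` with `dns_beacon_rule(10)` and re-running closes the gap, which is the “go back and fix it before it happens” loop the article describes; scheduling the run after every rule or sensor change is what turns it from a point-in-time check into a continuous one.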
My recent Journal article goes into detail about my company’s approach, but to improve our industry’s readiness and efficacy, we believe in sharing information and in having a robust dialog that challenges assumptions and improves processes. In that spirit, I look forward to reading and responding to your comments.
Read Danelle Au’s recent Journal article:
“Breach Your Castle for Better Security,” ISACA Journal, volume 3, 2017.