Drop The Refrain
The refrain “make it too expensive for the attackers” needs to be retired from the security professional’s vocabulary. It is not going to happen. Making it “too expensive” is not S.M.A.R.T. It also means absolutely nothing to the attackers. The guidance security professionals need to be pushing is that managed business processes and security controls will reduce the overall cost of responding to each attack as it is experienced. It is not a matter of who will do the attacking, when they will do it, or how many resources they have behind them. It is the understanding that attacks are going to occur, that most attacks will involve techniques the organization can identify and respond to, and that some attacks will use new methodologies and technologies that the organization can likewise identify and respond to.
Cyber criminals: as these people are after big financial gain they understand that there will be cost involved with their efforts. The bigger the pay-out the more time and effort they are willing to spend. However, they just don’t turn away from targets. Hard targets are softened by time. Over time there will be new vulnerabilities, new attack methodologies, new personnel, etc. If something is currently difficult they may roll over to other prey, but they will come back around.
Spammers and adware spreaders: these attackers are generally not concerned with specific targets. However, the way spammers and adware spreaders conduct their business is interesting to other malicious hackers. The research and development of this group can easily be leveraged for other purposes. They try everything in the book and then write new pages when those no longer work. They are not concerned about how much it costs to get around your controls because they are best at presenting a moving target. Basically, they make it more expensive for customers to keep up with them.
Advanced persistent threat (APT) agents: these guys are good at getting in. They are also good at being patient, biding their time for specific opportunities. They try a few things to get in and, if that doesn’t work, they try something else. As they have multiple targets (or so it appears), they move on to the next target on their list. Then, after a time, they roll back to a targeted organization where their tactics have been unsuccessful and try something else. Security programs and controls are not making it more expensive for them. They know it is part of the game, and they just continue until they are successful.
Corporate spies: well, this attacker is most likely (yes, I’m guessing) expensive to begin with. I have not run into any of these people or cases, nor have I heard much about them. But I understand the mentality. They could be heavily trained or simply people exploiting an opportunity. These people are usually in a position where they can manipulate the security controls, or feel they can get away with their efforts despite the controls. In other words, the reward already outweighs the risk.
Hacktivists: this group is probably the most affected by the cost of their efforts. However, they will most likely be associated with the rogue hacker category and thereby reap the rewards of their efforts, which, in turn, means that cost does not affect them much, as they rely on targets of opportunity that will produce the actions they desire.
Cyber warriors: although military commanders do take the cost of resources into consideration, their limits are beyond those of most corporations. Additionally, once the cost reaches a certain point, the tactics for this group change to kinetic solutions.
Rogue hackers: one word for these guys: “challenge.” If it is a challenge, is it really too expensive? To this group, time and effort are nothing. Once they set their sights, they either work it until they are bored with it or they accomplish their objectives. If a group of these individuals gets their collective heads together, then cost matters even less. Certainly a good security effort will deter many unmotivated rogue hackers, but those that are motivated have a purpose where cost is of little consequence.
In Need of a New Catchphrase
Therefore I say out with the old refrain and in with something new. Preferably something that is a little more Specific, Measurable, Attainable, Relevant, and Time-bound. I prefer more direct and implementable guidance that helps build cross-functional incident response efforts and teams. However, for those who require those “elevator statements” (don’t we all at some point), maybe try one of my favorites: “reducing the gap between compromise and identification.” The old “make it too expensive for the attackers” statement places the wrong emphasis on the overall effort and makes people, particularly executives, think that 100% secure is an attainable goal, when we all know that information security is a sustained effort that will continue as long as the organization exists.
Go forth and do good things,
Don C. Weber
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.