LET US BE YOUR SUNDAY: LEANING ON THE OFFENSE TO BUILD A RESILIENT CYBER DEFENSE
“The best offense is a good defense.”
It’s an adage I heard growing up as an American football fan. Maybe it was the clever use of irony in the phrase or my admiration for Mike Ditka and the 1985 Chicago Bears. And though I have never tracked down who the saying is attributed to, it resonated with me as a fan of the sport.
Of course, on the other side of the coin, any student of military history would reference Sun Tzu’s ideologically opposed strategic statement: “Attack is the secret of defense; defense is planning of an attack.”
So, when it comes to cybersecurity, what does it take to build a great defense? Is Ditka right, or does Sun Tzu have skin in the game here?
“Knowing Yourself Enables You to Stand on the Defense.”
If we took Coach Ditka’s advice, he’d probably suggest investing everything possible to build a robust and impenetrable defense. Grab every best-of-breed tool and make it work for you.
I am not saying he’d be wrong. This makes sense since corporate-world cybersecurity is a defensive-led endeavor. Perhaps it is confirmation bias, but in the cybersecurity industry, this is typically where most of the money flows: build the wall, reinforce it, and set up your digital sentries so that any would-be attacker would be quickly identified and summarily thwarted from breaking down the gates.
The problem is that this is just not how cybersecurity works. Taking a purely defensive perspective—one that abstains from getting the attacker's viewpoint—almost assuredly means your defenses will have big gaping holes with which the ghost of Sun Tzu would have a field day.
A few years ago, Pathfynder moved away from our defensive roots to become an offensive-led cybersecurity firm. The decision to pivot was not made lightly, as our early days’ bread and butter was helping companies build better defenses.
And while we did that with outstanding “blue team” (defensive) services, the truth is, we realized that the best path to help companies build better cyber defenses was to assess their defenses with rigorous penetration testing and show our customers how we defeated them. No matter how good at defensive consulting we had been, defenses that don’t incorporate the insights that only a “red team” attacker can bring are inevitably flawed.
Much of this is predicated on the idea that cybersecurity is difficult, and the nature of the defense can feel like an unwinnable position. That’s because the cyber attacker has all the advantages the defender doesn’t, namely the ability to set the time and place of the attack.
To this end, it is unwise to build a defense that doesn’t have an attacker’s perspective foundationally built into it. Attackers see your cyber defenses from a completely different perspective. And that perspective must be a part of your defensive strategy.
This is probably why Chang Yu, a contemporary of Sun Tzu, said, “Knowing the enemy enables you to take the offensive. Knowing yourself enables you to stand on the defensive.”
Maybe these ancient Chinese philosopher-warriors were on to something.
Let Us Be Your Sunday
This is why we tell our clients, “Let us be your Sunday.” Harkening back to the football analogy, we see the best way to build a great defense is to attack it with an elite offense. That is the only way to know if your cyber defenses are up to snuff.
Investing in expensive tooling, building a robust and well-tuned SOC, and hiring the best defensive-minded CISO are all great moves in building a resilient defense. But no number of policies, tabletop exercises, or defensive simulations can truly prepare your company for game day. When the attacker establishes a foothold and makes their move, how confident are you that your defenses are ready?
The only way to truly know is to determine how the team performs on the field. And that’s no disrespect to the Coach Ditkas of the world. Even the defense-oriented coach still lined up Refrigerator Perry in the backfield during the Super Bowl to exploit a weakness in the Patriots' defense. Coach Ditka knew the value of making his team as game-ready as possible.
Bottom line: Building a great cyber defense requires attacking it with an elite offense.
What to do?
A strong case can be made that the cybersecurity industry is still in a nascent maturity state. So, if you are unsure how to incorporate offensive cyber services into your company’s defenses, you are not alone.
The truth is, great offensive cybersecurity providers are not easy to find and are typically not cheap. This is because there is a huge gap in available offensive cybersecurity expertise. That isn’t to say there is a lack of training opportunities, or that there isn’t a growing number of young, talented professionals pivoting towards cybersecurity careers.
The reality, though, is that it takes years of honing high-level offensive security testing skills to be a “red teamer.” It is NOT a prescriptive, checklist-driven “I do this, and this happens” job. It is a highly nuanced tradecraft that requires an equal balance of creativity and old-fashioned stubbornness to produce elite cyber operators.
There are other confounding issues—like compliance requirements—that can poison the well at times. As well-intentioned as industry regulations may be, sometimes they lend themselves to satisfying the requirement and little more. This can lead companies into the trap of meeting the minimum standards, eventually leading to the procurement of lower-cost providers who typically leverage high levels of automation or junior penetration testers.
These efforts, unfortunately, miss the boat when it comes to ensuring your defenses are ready for game day. Carrying these analogies forward, it would be like the Dallas Cowboys scrimmaging the University of Houston (no offense, Cougars!). Undoubtedly, the Cowboys would look elite—perhaps even Super Bowl bound—but that insight couldn’t be further from the truth (sorry, Cowboys!).
At the end of the day, it is worth every penny to invest in red team services regularly. I realize not everyone will have the budget to do so fully, but this is why finding a true partnership in cybersecurity makes all the difference in the world. At Pathfynder, we care greatly about our customers’ security, and we are always finding creative ways to improve a company’s defensive posture, even when budgets might not entirely line up with what we can offer.
All this is to say: as your company builds out its defenses, keep considering what it takes to ensure your defenses are game-day ready.
Until then, let us be your Sunday and find out if you are ready for the opening kickoff.