WHY IS CYBERSECURITY SO HARD?
I will admit that I was upset when a fellow Marine woke me up one hour before my shift began. It was Afghanistan, after all, and every minute of sleep was gold.
"The base is under attack. Grab your weapons and muster in the fallout shelters," he said calmly.
So calm was this statement that I figured it was "just" a rocket attack, like the ones we had in Kandahar in 2009. I begrudgingly donned my helmet and flak jacket, grabbed my weapon, and made my way nonchalantly to the bathroom.
Then, a ripple of machine-gun fire shattered the silence as a 50-foot column of fire roared above a fuel bladder. I looked around with utter shock on my face.
"Whoa – we really ARE under attack!"
And so began the Battle of Bastion.
Reactive Defenses vs. Agile Adversaries
Defending is challenging because the adversary gets to set the engagement's tempo, time, and place. This is especially true in cybersecurity.
Defenders only know what they can see, yet adversaries see things from an entirely different perspective. This creates a perception gap that puts defenders at a disadvantage. It is like playing poker where you can see only your own cards, but your opponent gets to peek at what you draw. Over the long run, that is a losing proposition.
Experts will say that defense should be proactive, and they are right. Whether the context is military or cybersecurity, bad actors are continually testing defenses for weaknesses. Defenders need to be doing the same, because no matter how well your defense is designed and implemented, unless you have a current understanding of its weak points, a future real-world attack may not end the way you expect it to.
From The Battle of Bastion to Log4j
Every defense has its weaknesses. Camp Bastion in September 2012 was one of the largest, most well-defended bases in Afghanistan. After all, Prince Harry slept less than a mile from where the attack began.
Bastion had all the trappings of defense-in-depth, or at least it appeared so to the defenders. In fact, a close-call attack earlier that year forced base leadership to review the base defense plan, and multiple changes were made to improve its security.
Despite those changes, six months later, 15 Taliban fighters penetrated the base perimeter, killed two Marines, wounded 17 others, and severely damaged or destroyed nine aircraft.
The reasons for the Taliban's success are beyond the scope of this article. In short, these fighters saw an opportunity, identified weaknesses the defenders had failed to anticipate, and diligently planned a successful attack against the heart of a major British and American base at the peak of the Afghan war.
Staying apprised of defensive weak points in cybersecurity, while different and rarely a matter of life and death, can be significantly more complex. This is because an organization's attack surface is constantly changing. Whether it is a new software release, fresh employees to train, or legacy systems being sunset, new gaps in security are created daily. Add third-party and supply-chain vulnerabilities introduced by partners and vendors, and cyber defense can become overwhelming.
On the other side of the map, well-resourced adversaries are busy planning, probing, and innovating. Whether it was SolarWinds, Microsoft Exchange, PetitPotam, PrintNightmare, Log4j, or a host of other attacks that never made the news in the last 12+ months, it is clear that the pace of cyber-attacks isn't slowing down.
And why would they slow down, when criminal cyber gangs like REvil reportedly raked in $123 million in ransomware payouts in 2020? With little repercussion and a mountain of fresh opportunities, cybercriminal groups are operating lucrative businesses. They are not retiring any time soon.
What to do? Companies need to make sure that their cyber defenses are up to snuff, and not just on paper. How? Allow me to climb onto my soapbox for a moment.
Get aggressive about external, internal, and web application penetration testing, and take a modular approach to it: re-test the components that changed, the way a unit test suite re-runs when code changes. Your company's digital attack surface is in constant flux. An annual pen test should be considered the bare minimum, but we caution that testing your defenses once a year widens the gap between what you know of your defense and what an adversary knows. Why play poker with someone who has more up-to-date information on the cards you hold? With this in mind, we recommend that testing be iterative and tied to software release cycles, the integration of new systems, or the disclosure of a new public threat (e.g., Log4j).
Immediately pick the low-hanging fruit by optimizing your cloud email security settings (M365, Google Workspace, etc.). Since we launched Pathfynder, 100% of the cloud email security audits we have done came back with sub-optimal security settings that left those clients unnecessarily exposed to common attacks such as business email compromise (BEC). Given the ROI, these audits are a no-brainer, effectively protecting your business from 99.9% of the BEC attacks out in the wild. At Pathfynder, we use a 12-step approach to ensure the most vulnerable part of your attack surface (your people) has an extra layer of protection when operating these business-critical environments.
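To make "sub-optimal settings" concrete, the following is an added, read-only spot check of the Exchange Online (M365) settings most often abused in a business email compromise. It is an illustrative example written for this page, not Pathfynder's 12-step audit and not Microsoft's own tooling; it assumes the ExchangeOnlineManagement PowerShell module is installed and that the account used has at least view-only organization management rights. The four areas it lists (tenant-wide auto-forwarding, mailbox-level forwarding, inbox rules, and SMTP AUTH) are the settings an attacker with a phished password typically relies on to siphon off or hide a payment thread.

```powershell
# Added example, not from the original article or from Pathfynder's audit.
# Read-only spot check of Exchange Online settings commonly abused in BEC.
# Assumption: ExchangeOnlineManagement module installed; viewer has
# View-Only Organization Management (or higher).
Connect-ExchangeOnline

# 1. Tenant-wide automatic forwarding to external domains.
#    "Automatic" follows the Microsoft default (currently equivalent to Off);
#    "On" lets every mailbox auto-forward mail outside the tenant.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode

Get-RemoteDomain |
    Select-Object Name, DomainName, AutoForwardEnabled

# 2. Forwarding configured on the mailbox object itself (admin-visible only).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward, redirect, or silently delete mail.
#    A rule that both forwards externally and deletes the message is the
#    classic footprint of a compromised mailbox hiding a payment-fraud thread.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
                       $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $upn } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 4. SMTP AUTH (basic authentication for sending) still enabled tenant-wide.
#    $false here means a phished password can be used to send mail with no
#    MFA prompt; $true means the legacy path is disabled.
Get-TransportConfig |
    Select-Object SmtpClientAuthenticationDisabled

Disconnect-ExchangeOnline -Confirm:$false
```

A clean tenant returns no rows for steps 2 and 3, AutoForwardingMode of Off (or Automatic) with AutoForwardEnabled false in step 1, and SmtpClientAuthenticationDisabled true in step 4. Anything else is a finding to explain or remediate, and the inbox-rule output in particular should be reviewed mailbox by mailbox rather than dismissed as user convenience.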
Develop, test, and reinforce your plan for when (not if) the barbarians break through the gates. I wish I could say it differently, but if you own a business that has a digital footprint, the odds are better than even that you will experience a cyber incident in the next five years. When that happens, what your team does can make the difference between a minor interruption and having to shell out Bitcoin to Russian mobsters to operate your business again. We have some of the top talent in the incident response space and routinely help companies sharpen their capabilities for when an incident occurs. The time to prepare for a cyber incident isn't when you first realize there could be a problem.
Cybersecurity is hard, and for good reason. The digital landscape is in constant flux, and the enemy never sleeps. But much can be done in preparation for the inevitable future attacks against your business.