The writer is a hacker and head of IBM X-Force
For more than 20 years, businesses around the world have been hiring hackers. They want us to find exploitable loopholes in their “armour” and break in as far as we can before they’re able to figure out we’re there. “Are we impenetrable?” is the universal question. You may well be asking the same about your organisation. And I can answer with confidence that you most certainly are not. There is always a way in. Always.
The best security advice for government and business leaders is to simply “give up” on trying to keep me out. Assume I’m already in, finding my way to your most prized possessions. What you actually need to trouble yourself with is, what can you do to stop me?
The Biden administration’s recent cyber security executive order provides guidance to federal agencies, namely to adopt a “zero trust” posture towards their supply chains in order to protect data. Zero trust is not just a buzz phrase, nor a single action or tool that the industry is marketing. It is a set of principles upon which to build a security strategy, and it is largely founded on the assumption that the network is already compromised. Last year, the US was the number one target of cyber attacks, while Europe also experienced an onslaught of ransomware attacks. We need a radical new defence.
There is a misconceived notion that the security arena is a battlefield. It is not. It is a chess board, and it requires foresight and calculated pawn placement to protect the king: your data. If your main focus lies on keeping me out of your environment, then it is already checkmate. Your mission should be to buy time, slow me down and ultimately contain my attack.
Businesses must therefore make it as hard as possible for adversaries to exploit the relationships that allow them to move laterally through the corporate network. They can do this by trusting no one inside their data’s environment by default, and by repeatedly verifying that every user is who they claim to be and that they behave as that identity should. That last part is crucial: identities are easy to compromise and imitate, but behaviours are not.
The real warning sign is the unchecked privileged access that governments and companies grant their supply-chain partners on the strength of a password. Think of this as an identity badge that lets third parties into a company’s building, except that the building is the corporate system. In the past year, in nearly 99 per cent of the cloud networks that my team were hired to hack, password attacks got us initial access.
Why not simply double down on hardening these systems and on better detection strategies? Because relying on stronger authentication and better prevention tools is what got us to the current state. Adversaries have found their ammunition in the maze of complexity that businesses have built around themselves. This is how Russian threat actors were able to remain undetected on government networks for nearly nine months during the 2020 SolarWinds supply-chain breach.
The mindset that I am advocating is strategic, not defeatist. Businesses must realise that there is no permanent state of security, but that they can be prepared. This will look different for each organisation, but it starts with knowing precisely what your most critical data is and where it lies. Who has access to it, who could gain access to it and who really needs access to it, how much and for how long. It is about cutting off the unnecessary pathways that an adversary could exploit.
Government agencies such as the National Security Agency and the Department of Homeland Security in the US, or the National Cyber Security Centre in the UK, already realise that the game has changed. Leaders across industry and government who commit to a culture shift in which trust becomes just as much of a currency as data will gain a strategic advantage: limiting the moves an adversary can make, forcing them to make more noise and ultimately leaving them less room to execute their attack.