Deterrence in cybersecurity is no longer enough. Here’s why
A new study from MIT argues that modern organizations require a more proactive approach to cybersecurity.
When we think of cybersecurity in our organizations, it's quite probable that we think overwhelmingly of defensive tactics: hackers attempt to break into systems and businesses try to keep them out. It's a relationship that is gradually changing, and we are likely to see a growing number of organizations taking a more proactive approach to cyber defense by actively trying to disrupt the activities of hackers before they have a chance to strike. This could involve, for instance, deploying fake high-value systems to divert hackers, or leaving fake credentials as a sort of honeypot to send hackers down a blind alley.
It’s an approach echoed in a new paper from MIT which argues that modern cybersecurity requires a more active combination of deterrence and retaliation. The paper argues that unlike in more traditional warfare, retaliatory strikes against attackers are more difficult, not least because accurately identifying just who the attackers are is neither easy nor straightforward.
This relatively limited amount of information can make retaliation foolhardy, especially if attackers are spoofing their IP addresses to hide their tracks. The last thing companies want is the reputational damage of retaliating against the wrong target entirely. Equally, it does no one any good to engage in an aggressive Mexican stand-off in which companies retaliate at will.
The MIT paper argues for a more judicious and well-informed form of selective retaliation that leans heavily on game theory to guide behavior. The research grew out of analyses used during the Cold War, when nuclear deterrence was deployed to prevent mutual obliteration. Obviously, cyber deterrence is very different, but the researchers wanted to understand precisely how it differs.
One clear area of difference is attribution: while a missile tends to come from a clearly identifiable source, a virus generally does not.
Indeed, many cyberattacks can occur without the victim even knowing that a hack has taken place. When Stuxnet infected various strategic facilities in Iran, for instance, detection only occurred a few years after the worm had been happily going about its work.
The researchers explored various scenarios where countries were aware that some form of cyberattack had taken place, but were far from clear about the nature of the attack or the attackers themselves. They modeled a range of these scenarios to identify precisely how cybersecurity differs from more traditional security.
With cyberattacks, there is a much greater chance that a range of actors and conditions are involved, which increases the likelihood that retaliation will backfire and actually result in additional attacks from a wider range of sources.
"You don't necessarily want to commit to being more aggressive after every signal," the researchers explain.
A more effective approach is to simultaneously improve your ability to detect attacks as they happen while also gathering a lot more information about the identity of the attackers. This allows you to retaliate against cyber criminals more strategically and accurately.
This in itself is not an easy process, however: when you're able to detect attacks on your organization but are unable to pinpoint the people doing the attacking, it does little to clarify any subsequent decision making. Similarly, having excessive certainty about the source of the attack can result in lashing out against the first group you identify, potentially leaving others to go about their business as normal.
As such, the best approach is only to commit to any retaliatory actions when you have the clearest signals available to you.
If you commit to offensive actions after every attack, then you run the risk of becoming an even greater target for future cyberattacks.
"The business-hacker relationship has largely always been one way, with cyber criminals attempting to break in and businesses reacting to this," Dr Alex Tarter, Chief Cyber Consultant and CTO at Thales UK, told me recently. "However, 2021 will see that relationship change as businesses go on the offensive and attempt to throw hackers off their game."
While attack may be the best form of defence, the MIT team reminds us that we have to be careful about the form and nature of our attack to ensure we don't make the situation worse than it was to begin with.
"People thought the possibility of failing to detect or attribute a cyberattack mattered, but there hadn't [necessarily] been a recognition of the multilateral implications of this," they conclude. "I do think there is interest in thinking about the applications of that."