The best cyberdefence: Think like an attacker

If you want to ensure your organisation has the best chance of staying secure, you'll want people with experience of going on the cyber offence.
Written by Danny Palmer, Senior Writer

It's a game of cat and mouse; in the ongoing battle between cyber criminals and cybersecurity professionals, it can sometimes be difficult to know what tactics attackers will employ next.

Cyberattack techniques such as malware, phishing, ransomware, and botnets are always evolving, especially now that cybercriminals are using underground forums to overcome geographical barriers to cooperate on building even more dangerous cyberattack tools and techniques.

So perhaps cybersecurity professionals could be forgiven if they were to believe that they're always going to be on the back foot, repeatedly forced to respond to the latest tactics of online criminals as they emerge.

But in fact cybersecurity professionals don't always have to be playing catch-up, especially if they can get into the mindset of their opposition. This skill is making staff with experience working in IT security for the military particularly attractive to businesses.

"They have real operative experience, dirt under their fingernails. They've seen what it's like to try in the fight and it's hard to have that experience," says Brian Kelly, who led teams involved in satellite surveillance and cybersecurity as a lieutenant colonel in the US Air Force during the 1990s, and is now chief security officer at Rackspace.

"It's hard to find security people in general. You might have some very good technical people who might have dealt with one or two incidents -- it might be a little DDoS or something like that -- but they've never really been in a targeted, sustained attack like we've seen in the military and the government," he says.

Another trait that separates military security types from the average cybersecurity pro is the ability to go on the offensive -- and that ability makes them more effective defenders.

"If you consider offensive information warfare, it's a part of that mission. To have people who have actually spent time thinking about, if they had to take down a foreign government or foreign military force, what tactics they would use, that changes your thinking quite a bit, which makes you a better defender," he says.

"We can think more asymmetrically about what people are going to do and then be able to build our processes and defences around that," Kelly adds.

Kelly isn't alone in thinking former government or military personnel make excellent cybersecurity specialists. Ben Johnson, formerly employed by the NSA's cyber division, believes that some of the most innovative people in security come from this arena.

"I've seen a lot of great people come out of the offensive side and really have success in defending, or creating cybersecurity companies focusing on defence. That's why you see a lot of startups and growing cybersecurity companies coming out of the Israeli military, the NSA, GCHQ, and others," he explains.

The reason for this, says Johnson, is that these people have hands-on experience with real-life cyber attacks -- often in an offensive as well as a defensive capacity -- and have thus developed a deeper understanding of how an attacker thinks and, crucially, how to combat that.

"You have to look at the whole picture across all the different assets and the whole environment, then start figuring out where the holes are, how to get to that data, how might you surpass existing defences, or how might you hide from the humans," he says.

"As an attacker, you've really got to look at the whole environment; you've really got to be creative," he continues. "You're just so much more aware of what's possible, rather than being on the defensive side the whole time and being reliant on how things currently work."

For Johnson, who since leaving the NSA has co-founded cyber protection company Carbon Black -- where he is chief security strategist -- these types of security experts tend to have deep technical knowledge, which can then be applied to defence.

"To be an attacker, you have to get more technical, you have to really understand how exploits work, how you can install a persistent rootkit, know all about different attack tools and techniques. And so when you're doing defence and start seeing something suspicious, you have knowledge of what type of attack might be going on. It really helps," he says.

However, there are only a limited number of cybersecurity professionals who have worked in government information warfare -- and even fewer who have carried out offensive attacks -- so the pool of potential employees with this experience is limited. But this can be overcome, Johnson suggests, by engaging in cyberwar games within an organisation, and taking turns to attack and defend.

"You can enrol your teammates into a wargame scenario or red-teaming where one day a week you challenge them to break into your environment or see what you can do with a certain level of insider access without being detected," he explained, arguing that this sort of activity can help cybersecurity professionals think like a hacker and understand the sort of tactics they could be up against.

"It's really about opening people's eyes and unlocking their minds. It can be a tabletop exercise where it's a thought exercise to start with, but then you can throw people on keyboards and ask them to break in to get some skills," Johnson says. "War games scenarios, these competitions and free events; there's a whole bunch of stuff to do and it's really up to the practitioner to get out there and do it."

Rackspace's Kelly also believes that cyberwar games provide a good way of learning how a hacker thinks.

"It's helpful for you to be on the attacker's side and think a bit asymmetrically: 'how am I going to get to the crown jewels?', if you will," he says, and cites the importance of schemes such as CyberPatriot, the US Air Force Association's youth cyber education programme, in which participants play the roles of both the defenders and the attackers.

But surely, if you really want insider knowledge about how to perform cyberattacks, then the best person to hire is a former hacker? Not a chance, says Kelly.

"I don't think that's necessary. I've never believed in that. For one, I'm just not comfortable with it: can you have tarnished integrity one day, then be a good guy the next?" he says, going on to argue that military, government, and security personnel coming through universities are capable of beating hackers at their own game.

"I'll put our White Hat people up against Black Hats any day. I'm not fearful that the Black Hats are any better than us; they may catch us unprepared, or at a bad moment in time -- I don't trivialise them -- but I don't feel in any way, shape, or form that they're any better than the White Hat hackers. So I'd never stoop to hiring them," Kelly says.

Johnson, however, takes a different view: "I've seen people with that kind of background grow up and still have that curiosity, that innovation mindset where they don't just approach the problem in one way, they're thinking in new ways. That's hacking, trying to get systems to do things they weren't designed to do, so if you start applying that to companies, that mindset is really valuable," he says.
