In the adversarial environment of information security, new types of attacks emerge constantly. Just recently, a very highly targeted phishing attack against CEOs used the pretext of a federal grand jury subpoena to lure executives to a site hosting malware. Let's face it: Most of the innovation in this industry is on the other side, the "dark" side. We are unfortunately forced to keep reacting to new ingenious attacks every few years.
In our efforts to secure our organizations, how do we predict what the next attack will look like? All too often, the focus is on matching defenses to specific types of attacks -- the Anti-X approach. When instead attack "Y" comes along, we don't question our strategy, we simply add Anti-Y to our purchasing list.
The attempt to predict classes of attacks, aka the Anti-X strategy, is always reactive and highly susceptible to the asymmetric nature of security. Namely, following the Anti-X strategy, we have to correctly predict all types of attack, while attackers have to only invent one attack that is "unexpected." This asymmetric struggle means enormous corporate expenditure for those defending security and only a small amount of innovation on the attacker's side. If you've been in this industry for a while, you're probably used to feeling awed by the sheer ingenuity and breadth of attacks that cybercriminals can dream up.
The basic problem with a strategy of threat prediction is this asymmetry. Imagine an abstract attack surface -- a two-dimensional space where each point is a possible attack. If you consider technology hacking and social engineering attacks, the attack space stretches out to infinity in all directions. It is only constrained by human imagination, so not really constrained at all! Now imagine all of the known or expected threats that you can predict as the surface bounded by a square. This is the security specialist, trying to predict attacks by thinking inside the box. No matter how imaginative the security professional and how large the organization's budget, the "box" is finite. It takes enormous effort and expense to define an area broad enough to even cover most of the known threats, as is evident by the hundreds of small, specialized vendors in our industry. But all an attacker has to do is take a small step outside the box. Even a small variation of an existing attack can stump security controls that are focused on the known and on the predicted. In the Anti-X strategy, we always have a finite and known box, and outside that box the attacker has an infinite space for innovation.
Note that I'm not claiming that we can't successfully predict and defend against some attacks. Only that we can't predict and defend against all attacks, especially when our actions are known and the attackers just have to step outside the realm of our prediction. Next time, I'll be looking at a strategy to overcome this problem -- namely how generic security preparedness trumps specific threat prediction.