The key on the cyber battlefield, like on the traditional military battlefield, is understanding that there will indeed be many battles
By Shmulik Yehezkel (Colonel, res), Chief Critical Cyber Operations Officer at CYE Security
As a cybersecurity professional and a reserve field officer in the Israeli military, I have found many valuable insights on the pages of The Art of War, written by the fifth century Chinese military general Sun Tzu. One particular but often overlooked passage, titled “Attack by Stratagem”, is especially relevant today as we face an infinite number of cyber threats and ever-growing lists of vulnerabilities. More than ever, we need to prioritize, both what we need to protect in order to keep businesses and organizations running and what attackers are likely to target. This powerful passage, which has been guiding warriors for centuries, holds important wisdom on how to do that, and why it is so important:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Let’s fast forward 3,000 years and break this down in terms of cybersecurity, where we are indeed facing hundreds of battles everyday.
“Know your enemy”
In our line of work, it is crucial to define and locate potential threats. For example, I have worked in organizations that did not take the time to understand the impending threat and instead spent their time building an elaborate defense system to fend off only general and vague persistent threats. Conversely, I have worked with some of the most sensitive security teams, which were so focused on one particular threat that they did not dedicate enough resources towards building a comprehensive defense system. Neither example took these three simple words into account.
The key to an effective defense strategy is defining who the threat actor is and what threats they pose. In cyber terms, this means tracking the threat actors’ TTPs, or tactics, techniques and procedures, to learn more about them. But that is not all; organizations must act on the intelligence they have, including using it to help them hire appropriate cybersecurity professionals. For example, if organizations determine they are facing threats from state-backed actors, they need to make sure they have cybersecurity professionals on their team with experience in military or government IT or cyber divisions.
When you can understand the mindset of your enemy, you remain one step ahead in many ways.
Immediately after telling us to know the enemy, Sun Tzu tells us to know ourselves.
In our experience in the industry, we have seen organizations totally unaware of their assets or of which of them required protection. For example, as thousands of organizations, from Apple to Belgium’s defense ministry, continue to deal with the ongoing global Log4J vulnerability, millions more are likely not even aware that they use this open-source library, and are thus exposed to what the top U.S. government cybersecurity official has called one of the most serious vulnerabilities ever. In general, in more than 75% of the cases in which we have handled an attack over the years, the victimized organization did not even know the layout of its networks. In fact, attackers knew and understood the networks and assets better than these organizations.
In addition, organizations need to quantify risk, to understand what attacking each of their digital assets ultimately means for the business. Depending on what they hit, cyberattacks have different effects on an organization or business, from shutting down its website to obtaining proprietary information like customer details or intellectual property to sell on the Dark Web, to disabling essential services like gas pipelines.
“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
Cybersecurity today is a combination of knowing yourself and knowing the enemy. Even if a company has carried out thorough security testing and prioritized all of its assets in relation to overall business risk from cyber attacks, if it still doesn’t fully understand its most likely enemies or potential attackers, and respond accordingly, it will not only suffer defeat many times but will also be unprepared when an attack does happen.
Understanding the enemy and what they may want helps companies make appropriate and effective contingency plans in case attacks happen. For example, if organizations know that attackers are likely to ask for ransom, they can seek legal advice on the matter and understand the ramifications of paying, which often does not actually lead to recovering all data. Or, if they know that attacks are likely to come via the software supply chain, they can plan accordingly, including offering extra training on cyber hygiene to their entire workforce. Today, responding to a cyber attack is no longer just about dealing with data recovery, but it has far-reaching legal, financial and even physical consequences, like interrupted utility services or frozen assembly lines.
“If you know neither the enemy nor yourself, you will succumb in every battle.”
After the above discussion, this last sentence is obvious in its meaning. But it also serves as a warning, as many organizations remain woefully unprepared. Blindly investing in more and more technology and tools or basing security on compliance with regulations is not enough.
The key on the cyber battlefield, like on the traditional military battlefield, is understanding, as Sun Tzu writes, that there will indeed be many battles. And businesses must prepare for those battles by understanding and quantifying their cyber risk continuously, and constantly monitoring who may attack them and by what means.
Cyber incidents are widespread; businesses must be proactive, to act as a hunter and not a fisherman waiting for something to bite the line. They must execute “find evil” operations, have continuous intelligence activity for threat discovery, and practice their Cyber Response Plan because there will be many battles.
About the Author
Colonel (res.) Shmulik Yehezkel, Chief Critical Operations Officer at CYE, has over 26 years of experience in the Israeli Defense Special Forces of the IDF. Shmulik is a software engineer and a cybersecurity professional with extensive strategic and hands-on experience. Shmulik brings years’ worth of knowledge leading operations, information security, and emergency and risk management in the IDF, the Ministry of Defense, and the Office of the Prime Minister of Israel. As CYE’s Chief Critical Operations Officer, Shmulik leads the data forensics and incident response (DFIR), threat hunting, and computer threats intelligence (CTI) activities. His team consists of national-level security experts and senior intelligence officers. The team is tasked with bringing CYE’s ability to predict and anticipate cyber threats and provide commercial companies with the support and expertise they need to respond to cyber incidents.