While there has long been much noise about the sophistication of the threat landscape, it is not sophistication that continues to give the adversary the upper hand. In fact, the most destructive events of 2019 involved tactics, techniques and procedures that were trivial in sophistication by any measure.
From an attacker’s point of view, your network, your entire security stack, is much more sophisticated in terms of raw code development, integration, compute power and design. Hackers must face any number of disparate and diverse technologies in order to successfully evade, persist and move about a victim environment.
Pundits argue that hackers only need to be right once to succeed, whereas defenders need to be right 100% of the time to prevent an incident. The opposite is true: a hacker needs to be right 100% of the time to pull off their objective undetected, while the defender only needs to be right once to fully interrupt and halt the attacker's kill chain.
Speed is the Enemy’s Invisible Advantage
No matter how much visibility, continuous monitoring or data crunching you do, none of it matters if the enemy outpaces that effort. This was incredibly apparent with WannaCry in 2017, when one of the least sophisticated nation state threat actors at the time was able to compromise, persist within, and exfiltrate data from a million-device enterprise.
It was also a painful lesson in the area of web application security. Immense effort went into monitoring the logs of critical web applications, but none of it prevented the impact on the mission from occurring.
It is not the sophistication of the threat that gives the adversary the upper hand, nor is it our inability to detect after the fact. By that point it is too late: the adversary has gained security control without authorization. They have impacted the organization before the organization even realizes it. They have elevated privileges, run queries, grabbed data or even destroyed it. They have won in every sense of the word.
Putting It All Into Perspective
Most organizations realize they are the victim of a ransomware event only after the first few machines begin to get encrypted. By this time, the majority of the attack kill chain has already played out: footholds were gained, credentials stolen, lateral movement achieved, spread via domain credentials and native tools accomplished, persistence established and sensitive data already exfiltrated.
No matter how we imagine the next decade to play out, one thing is certain: it will continue to play out faster than ever before. It will continue to overwhelm — by speed, not sophistication — legacy security controls and after-the-fact visibility efforts. It will continue to reward the criminals that are the laziest and the quickest. It will continue to employ as many forms of leverage as an attacker can easily exert over their victim. It will continue to move at the speed of computing itself when it comes to how fast a given payload can execute, modify, evade, persist and control a target asset.
Until we solve the speed advantage the attacker has had over us, we will remain embattled, in retreat, and at risk. The real threat convergence story revolves around speed, not sophistication.
So What Can We Do?
Thankfully, there are organizations that have already realized this new reality and have adapted their strategies, their staffing goals, their security stack and their understanding of what true risk offset looks like going forward.
Mostly, these are the organizations that either endured an event like WannaCry or NotPetya two years ago, or have had their production or services directly affected by more recent ransomware variants like DoppelPaymer or Maze.
The takeaway is clear: the role of today's successful CISO is to be a proactive steward of risk with a touch of haste. Act like you've been breached when you haven't. Waiting until the problem finds you is the most vulnerable position. Moving faster and more decisively than the adversary is the key to staying ahead of constantly evolving threats.