The More Cybersecurity Changes, the More It Stays the Same

By Neill Sciarrone, President & Co-Founder, Trinity Cyber, Inc.
Despite major advancements in technology, the global approach to cybersecurity has remained the same for decades: respond and recover. The same vulnerabilities are repeatedly exploited in similar ways, and this trend shows no signs of slowing because current security tools do not actually address the root causes of attacks. Even new artificial intelligence and machine learning techniques have mostly been aimed at improving response efficiency – as though there is nothing we can do but prepare for the worst, and recover as quickly as possible. To slow the frequency of dangerous and costly cyberattacks, companies should be shifting their efforts towards focusing on adversary disruption.
Cyberattacks – and how we respond to them – have not changed in two decades
In May 2000, one unwitting user on a computer in the Philippines used Microsoft Outlook to open an email message with the subject line “ILOVEYOU” and an attached file named “LOVE-LETTER-FOR-YOU.txt.” The attachment contained malicious code – a worm that moved through the user’s computer, overwriting random files and sending an email with a copy of itself to every address in the user’s Windows Address Book. Just ten days later, the ILOVEYOU worm had spread around the world, infecting over 50 million computers. Far from spreading love, the worm caused more damage than any previous cybersecurity incident: an estimated US $5.5-8.7 billion worldwide.[i]
Seventeen years later, Microsoft announced a vulnerability within a resource-sharing protocol in widespread use across versions of the ubiquitous Windows XP operating system. They quickly released a patch to fix the vulnerability, but countless systems had not been patched by the time the WannaCry ransomware attack began two months later. WannaCry eventually affected more than 200,000 computers across 150 countries and caused estimated damages ranging from hundreds of millions to billions of dollars.[ii]
Despite significant changes to the state of technology and the Internet between 2000 and 2017, these two cyberattacks were very similar to each other. Both propagated by using relatively simple vulnerabilities in Microsoft operating systems, and both were successful because of a lack of proactive cybersecurity.
Not only do the same kinds of attacks continue to work, responses to cyberattacks have not changed much either. With all our advances in technology, cybersecurity is generally still focused on response and recovery: identify the infected computers, take them offline, rebuild or replace them, file a data breach disclosure, rinse, and repeat.
Is the issue that it is impossible to defend against these vulnerabilities? Are hackers just too smart? Not necessarily. Response and recovery treats cyberattacks like natural disasters – inevitable, unstoppable, and caused by forces outside our control. Meanwhile, adversaries continue to enjoy the fruits of their illicit labors. Popular methods of attack remain consistently successful because cybersecurity has failed to evolve to a posture of true prevention.
A needed evolution
The continued success of these cyberattack methods (and others) hinge on exploiting a limited number of key vulnerabilities that are commonly known to good and malicious actors alike. So, why are they still effective? The answer is that current standard cybersecurity methods are designed to respond to incidents but rarely, if ever, actively disrupt the adversary’s attempted attack. For example, cyberattacks or intrusions are generally handled via alerting after a breach has already occurred. The alert triggers a cybersecurity team to go in and clean up the affected systems, and then set up or modify a firewall to block future attacks. Afterwards, companies are required by law to file a data breach notification.
The most common approach to blocking attacks involves analyzing past and current threats, and then distilling the results into indicators of compromise (IoC), such as IP addresses, domain names, or hashes of known bad files. These IoCs are then fed into available cybersecurity tools, which are wielded like a giant hammer, blocking or denying any traffic associated with them.
This method aims to prevent attacks that are exactly like prior attacks. This perpetuates the problem however, as hackers know about these protection methods and adjust. Subsequent attacks are designed to differ just enough from prior attacks to elude being blocked and ensure they avoid the new protections. This process is repeated time and time again. The cybersecurity industry is almost entirely locked in this detect-respond-recover approach, with little to no effort being made to actually prevent cyberattacks in the first place.
Embrace a new approach to stem the flow of cyberattacks
Rather than treat the cyber threat like a natural disaster, the cybersecurity industry needs to embrace a fundamentally new approach. Instead of relying solely on insufficient incident response and recovery methods that have been used for many years, a more sophisticated, proactive approach is needed to successfully prevent current cyberattacks and to predict and prevent future ones on a meaningful scale.
Operational challenges in the cyber realm have been exacerbated by an ever-growing landscape of disparate endpoints, heightened sophistication of cyber-attackers, and an increasing number of cybersecurity tools. While these challenges led to the development and implementation of SOAR platforms, which add efficiencies, most tools remain inherently “reactive.”
Cyberattacks or attempts at compromising a system are human-made events within a human-made environment. By focusing on disrupting the adversary’s methods, analysts can determine tactics, techniques, and procedures (TTP) and then use those to develop solutions that provide truly preventive cybersecurity.
Proactive Threat Interference from Trinity Cyber works to provide this preventive assurance by invisibly monitoring threats outside a network’s perimeter and adapting to the adversary’s techniques to intercept and neutralize cyberattacks before they get in.
[i] https://computer.howstuffworks.com/worst-computer-viruses2.htm
[ii] https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/

Check out our free e-newsletters
to read more great articles.
MORE ARTICLES
-
The Death of the Family Album: Specifying the right cleanroom environment
By Mark Howard, EU Automation
It is vital to understand how cleanrooms truly operate if you are to get the best out of yours. This article... -
Inside the Rise of 5G Industrial Automation Networking
By Bill Lydon, Automation.com
5G is starting to make the goal of wireless industrial automation a reality. Companies are already starting to... -
The Push and Pull of Composite Manufacturing
By Robert Glass, Exel Composites
From window and door manufacturers to the professional tree surgeon, weighing up material options usually comes... -
Augmented Intelligence
By Mark Howard, EU Automation
Augmented intelligence is one of the few technologies named on the Gartner Hype Cycle for Emerging Technologies,... -
PLC Programming Preference Survey: Insights & User Comments
By Bill Lydon, Automation.com
The PLCopen organization and Automation.com conducted a joint survey of PLC programming preferences. Here are some...
RELATED
-
Verizon helps Virginia shipbuilding company implement 5G service
With 5G’s increased bandwidth and ultra-low latency, NNS will be equipped to meet network connectivity demands and will test new ways its...
-
Kinedyne announces John Seliga as Vice President of Finance
A certified public accountant, Seliga holds a master’s degree in business administration from Cleveland State University and a bachelor’s...
-
Senseye partners with ATS Global to accelerate smart factory strategies
ATS will support Senseye's clients with the design, implementation, or integration of automated machine data systems such as historians or...
-
Industrial Internet Consortium and oneM2M release whitepaper on Advancing the Industrial Internet...
The joint whitepaper, “Advancing the Industrial Internet of Things,” written by the IIC and oneM2M, demonstrates how these two IoT...
-
ARC Advisory Group Report: ABB leads DCS market for 20th consecutive year
According to the report, ABB’s presence in many end-user industries was a major factor in this success. The DCS market saw its main growth in oil...