There is a line of thinking that pervades and pollutes the discussions of many sporting events, and it goes something like this: “You can’t let LeBron James/Derek Jeter/Lionel Messi beat you. You have to force someone else to beat you.” It’s a flawed strategy for a number of reasons, but it’s even more problematic when you realize that this same mentality could be applied to information security.
Let’s look at this line of thinking bit by bit. The general reasoning behind this premise is that in order to give yourself the best chance of winning a given contest–especially if you’re at either a real or perceived disadvantage–you need to take away your opponent’s greatest strength. In the sports world, this means putting your best defender on the other team’s most dangerous scorer and trying to take him out of the game. Think of LeBron James deciding that he was going to check Russell Westbrook or Paul Pierce man-to-man and that his man just wasn’t going to score, period.
But there are a couple of problems with that plan. For one, even though James is one of the premier defenders in the league, devoting that kind of mental and physical energy to locking down one player for 48 minutes could have a detrimental effect on his offensive output, putting his team at a disadvantage. And, if James only is guarding one player, that means that there are likely lesser defenders checking other players who may benefit from the lack of attention from James and have a big offensive game.
Coaches who employ this game plan essentially are betting that the other players on the opponent’s team, collectively, aren’t good enough to make up the difference if the star is taken out of the game. Sometimes it works, and sometimes it doesn’t. But when it doesn’t, the coach can simply say, “Listen, we shut down their best player, but Player X just got hot. It happens. But I’ll take my chances that Player X won’t go 14-for-18 again.”
TV sports analysts love this strategy because it sounds logical and it gives them the opportunity to talk about how Player X is really underrated and his Player Efficiency Rating is in the top 10 percent of all power forwards drafted in the third round or later from Big 10 schools since 1992.
Sure, but you still lost and there aren’t any points for losing with the right strategy or losing while four out of five Tim Leglers agree with your decision.
Now apply this line of thinking to security, where you’re focused on defending against the LeBron James of attackers: the state-sponsored hacker. Defeating targeted attacks from groups in China, Iran, Syria and other hostile nations is a priority for many organizations right now, government agencies and private-sector companies alike. Stories about foreign hacking crews making off with invaluable IP or state secrets abound. Just as coaches review game tape of upcoming opponents, security teams devote considerable time and resources to understanding the tactics and tools that these groups are using and how they’re employing them.
“Are we vulnerable to the kind of browser-based attacks that this Chinese group is using?” they ask. “Can we stop our users from opening malicious PDFs? Are there persistent attackers inside our network right now and how can we find them if they’re here?”
The number of organizations that truly are at risk from high-level state-sponsored attackers is likely relatively small, but, like arm-chair sports analysts, I have heard some analysts suggest that virtually every organization needs to act as if it’s a target for these crews and defend accordingly. The thinking here, apparently, is that if you employ the kind of defenses and policies necessary to defeat the best and most advanced attackers, you’ll prevent the other team’s best player from beating you, and perhaps, stop some of the lesser players in the process.
In both cases, sports and security, this strategy assumes that the defender actually has the ability to stop the star player. That’s not always true in sports, and it’s certainly not a given in security, either. Just because you know what play the other team is going to run doesn’t mean you can prevent it from succeeding. Everyone on earth knew that John Stockton and Karl Malone were going to run the pick-and-roll 35 times a night, and yet no one could stop it. Stockton and Malone went to the Hall of Fame on that play.
Right now, state-sponsored attackers are the Stockton and Malone of hacking. They seem to win at will, even when the defenders know what play is coming. (Although, unlike in sports, we never hear about the attackers’ losses; just their wins.) Studying their tactics and tools certainly is worthwhile, given that many of those same techniques are used by lower-level hackers.
But focusing on the all-powerful Chinese hacker at the expense of defending against more commonplace, yet still effective, threats such as phishing, malicious email attachments and drive-by downloads that often compromise even sophisticated organizations can be a mistake.
A loss is a loss, regardless of who beats you and how they do it.