The best defense is offense: Applying an offensive approach to a defensive strategy

Author: Ulrich Swart, Training Manager & Security Analyst, Orange Cyberdefense

Most organisations have accepted that it is no longer a question if they will be attacked, but rather when. A defensive strategy should therefore be in place with regards to your organization’s security. Unfortunately, we still see many organizations fall victim to cyberattacks.  

“I would like to challenge your thinking, stir the standard and share some information to assist with your future journey of applying a more robust defensive strategy.” Ulrich Swart, Training Manager & Security Analyst, Orange Cyberdefense 

Before we begin, let’s do a quick assessment on security. How would you answer the following questions for your organization? 

• Is your organization prepared for an attack? 

• Do you know what the key issues/services/solutions attackers will target are? 

• Who is responsible for patching, and are your systems and software up to date? 

• Are passwords across all your systems properly secured using industry standards? 

• Do your developer teams or network architects implement security as part of your design processes? 

• Does every employee understand their role in the organizational security process?

The answers to these questions should give you some insights into your current security situation and whether it is time to apply a more defensive method to your strategy. 

The true purpose of defense is the active or reactive protection of assets. An organization has data, intellectual property, and operational processes to protect. Although most organizations have defensive measurements in place, traditional defense is reactive and only applied to the known or predictable outcomes. 

Additionally, attackers usually have the upper hand as they have the time and element of surprise in their corner. Furthermore, managing and protecting everything within an organization is complex, if not merely impossible. 

To change your defense strategy, it is key to change one important misconception about the security of your company. The protection of your company should not be limited to the security engineers or your blue team members.  

Security should be applied daily by everyone involved in the organization. That includes developers, architects, managers, executives, administrative workers, and general office workers. 

To get security top of mind for all employees within your company, they need to be aware of the three elements that can be affected by an attack, also called the CIA Triad: 

• Confidentiality: whether the information is protected 

• Integrity: whether information remains whole, complete, and untainted 

• Availability: whether systems/services/solutions operate without interference or obstruction 

The CIA Triad can help with creating awareness, clarification of why certain roles are restricted, or certain processes are put in place. 

An attacker will try to find your weakest spot and try to exploit it. The concept of applying an offender's mindset is to find your weakest defense link before an attacker does and reinforce it. 

The best strategy will be the combination of defense-in-depth along with an active offensive approach. 

Utilise your existing teams to identify weaknesses and think proactively about potential security flaws. Train your employees on standard attacker methodologies and empower them to identify the potential problem areas every day rather than waiting for an attack to happen. 

This is a story from the trenches found in the Security Navigator. More stories and other interesting stuff including accounts of emergency response operations and a criminal scientist's view on cyber extortion, as well as tons of facts and figures on the security landscape in general can be found there as well. The full report is available for download, so have a look. It's worth it!