Recently, we introduced an idea that we think summarizes the importance and effectiveness of active defense in cybersecurity: defend forward. Defend forward is a posture that seeks to gain early understanding and warnings of attacker activity, instead of waiting for a breach to happen and then dealing with the consequences. In short, it means stopping cyberattacks before they become reality (you can read more here).
Defend forward is the future of enterprise cybersecurity. This posture is the clearest way to prevent huge data losses and catch experienced attackers off guard. According to Kevin Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security, the defend forward strategy “reinforces the need to prevent or degrade threats before they harm national interests.”1 When applied to private enterprise, this becomes an economic mandate. Defend forward gives organizations a way to halt or mitigate risks before a data breach, PR disaster, or network downtime harms the business’s bottom line.
Getting Left of Boom
Left of boom is a term with roots in the fight against terrorism, but in this case it perfectly sums up the defend forward stance. The military idiom was coined to describe the U.S. military’s effort to disrupt insurgent terrorist cells before they could build bombs, plant them, and carry out attacks.
In cybersecurity, left of boom refers to the implementation of proactive security measures that can prevent attacks and limit their consequences. This way of thinking helps to separate security strategies into those that prevent and those that mitigate. To get left of boom, organizations must build a multi-layer defense that closes any direct path into the internal network and increases the likelihood that an adversary will trip up or be caught.
So, the central question when it comes to defend forward in enterprises is this: Can organizations positively change adversary behavior in cyberspace or during a breach to produce a more favorable security posture and prevent damage from occurring?2
The answer is yes, and there are concrete steps that businesses can take.
What Enterprises Should Be Doing
Enterprises should focus on the end state first—changing adversary behavior to make attacks less effective. One way to do so is by altering the adversary’s decision regarding the perceived benefits, costs and risks of conducting malicious activities.
From a defend forward perspective, organizations simply can’t rely solely on passive collection of intel or generic reports. They must observe adversary behavior in real time. In order to do so, enterprises will need to become proactive and implement a strategy to engage adversaries outside of their networks.
An organization can do this by:
- Developing a program that allows the enterprise to proactively observe adversaries
- Collecting actionable intelligence in real time
- Countering an adversary’s persistent operations
- Using intel to raise the cost of an adversary’s actions and lower the adversary’s perceived likelihood of success
By taking steps to proactively collect intelligence on threat actors and vulnerabilities, enterprises can improve the decision-making process in their organization. They will also have the tools in hand needed to decrease the effectiveness of the adversary’s operation.
Why Defend Forward is a Good Idea
According to Cybersecurity Ventures, global cybercrime costs will grow by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025 (up from $3 trillion USD in 2015). It is clear that the new tactics of threat actors are not being well countered by traditional defense techniques. The only option is to evolve along with the adversary.
Defend forward is a natural step in the evolution of cybersecurity. Applying the appropriate elements of the defend forward strategy will assist in disrupting adversaries’ operations and improving decision making. It will also drive up the cost of continuing operations that do not succeed. Cyber criminals are driving an illicit economy at minimal economic cost to themselves or their associates. The defend forward strategy allows enterprises to proactively observe adversaries and to defend against and deter malicious cyber-attacks, while making it more expensive and less appetizing to target the organization.
Stay tuned for part three in our Defend Forward series, where we will dive deeper in making defend forward work in today’s cybersecurity landscape. If you missed part one, check it out here.
Luke Wilson is VP of Operations and Partnerships at CounterCraft, with extensive experience in cyber threat intelligence and cryptocurrency investigations, and is on LinkedIn.