BLUF – In a dynamic cyber threat landscape, infosec and cybersecurity personnel engage every day with adversaries who seek to harm those we wish to protect. Few in number against staggering odds, outmanned and outgunned with limited resources, we must be right one hundred percent of the time, whilst the adversary needs only to be right once. This is the Cypartan Dilemma.
Lapsus$ and Anonymous have both been considered significant in the last few weeks, for different reasons, yet tied by a common thread. Whilst I rarely comment on current events, there is an underlying issue at work in the cybersecurity industry – the Cypartan Dilemma.
We are all familiar with the background story: the march to Thermopylae, where Gerard Butler (as Leonidas in 300) and 299 others with similar fitness requirements went to battle the hordes of the Persian army. Film references and fitness scores aside, in cyber we face a similar situation, only worse – especially when the security portion of the organisation is under-established or only partially established.
Anonymous – remember them? Few have really paid attention to the hacktivist movements or their relative impact since 2013 or so, likely because DDoS mitigation capacity has grown to the point where most hacktivist floods barely register. Hacktivism has returned with Ukraine's plight, breathing fire into an estimated 400k supporters. Most lack sophistication, but if even 1% are skilled, we are talking about 4,000 highly driven threat actors going after something few organisations can provision to protect.
The other thing at Anonymous's disposal is targets aplenty. Rather than focusing solely on the Ukraine/Russia conflict and Russia's infrastructure, Anonymous has started targeting organisations still operating in Russia, with potential attacks anywhere those organisations are located. Flawed as the logic may be, a business operating and paying taxes in Russia is seen as supporting active aggression (never mind that the money was spent well before this). What this does for Anonymous is open the aperture to a wide array of private sector targets, creating opportunities to claim victories in fields far removed from the conflict. Risks that are pebbles to an organisation are field days for Anonymous, bringing relevance to the name again after a decade of relative … anonymity.
Lapsus$ – on the other hand, we have the global teen threat group who breached Microsoft, Nvidia, Okta and others. Far from being part of the MCU (I honestly expected Ryan Reynolds to introduce them once I understood their composition), they made millions in the last few months without tremendous technical proficiency or sleek malware; rather, they recruited insiders and pestered as only a teenager can. Parents within cybersecurity collectively groaned, realising that what they faced at home had followed them to work. Just when you thought there was reprieve to be found in Splunk.
While Lapsus$ is not as well established and may only be a short-term threat, they raise a more interesting notion: anything that works to exploit or manipulate people can be effectively weaponised in cyber crime, with relative success against targets otherwise considered inoculated, if not immune.*
This brings us to:
Cypartan Dilemma – the challenge of engaging every technical and psychological cyber threat from thousands (hundreds of thousands) of actors with limited staff, tools and resources. We might run the marathon and engage fully, but they vastly outnumber us. We have to be right 100% of the time; they only need to be right once. We go home once the day's work is complete; in many cases, that is when their day begins. Not to mention they can often afford tools we must beg, borrow and steal to obtain.
This raises interesting conversations in the infosec communities about areas such as hiring practices and job requirements: the demand for education and credentials versus drive (as if the two are never found together in a job applicant), and the need for business support without having to sell the business on infosec's place within the P&L.
It comes down to our collective need to reframe our approach within the private sector (the public sector can come along; the more the merrier). Find narrative opportunity. Create a continental ecosystem across our upstream and downstream supply chains. Map our internal environments. Create indications and warnings (I&W). Bring unified purpose to disparate organisations within your organisation, region and sector. Take back the pitch.
Should all this come together, it is possible that when I retire, cyber crime will be no more a risk than its physical counterpart.
We start here.
*This brings me to a conversation I had in 2016 with my CISO at the time: that by only focusing on defences we are continually at a loss. We have no offensive response options, though we can still use information operations principles to our advantage.