New Risks Call for a Fresh Cyber Defense Methodology

Leading cyber security experts are fully aware that the worldwide cyber-risk climate has changed dramatically. Legacy measures and methodologies are no longer effective against the level of cyberattack sophistication we have witnessed in the past few years.

Consequently, national cyber defense organizations must evolve and introduce innovative measures and methodologies, the sooner the better. As I have explained in my papers, the degradation of legacy methods has been accelerated by three critical factors:
a) The COVID-19 pandemic has changed the way people, including employees, communicate with each other.
b) Hackers have taken advantage of these changes to introduce sophisticated attacks.
c) Organizations must rely on third-party supply chains (including cyber security companies), which carry high cyber risks.

The COVID-19 impact

COVID-19 arrived as a “zero-day” threat worldwide and in a short time accelerated changes in the way people work, communicate, and go about their daily social lives. It also accelerated the pace and broadened the scope of digital transformation in all types of organizations. 

Cyber defense solutions are often out of reach, and even where they are available, such concerns have been overlooked in favor of rapid digital transformation. At the same time, closed borders "forced" money-hungry crime organizations to adopt new attack methods. Cybercrime is an easy way to gain access to a flat and unsafe world economy, and hundreds of new crime organizations are flooding our economies and societies by infiltrating the unprotected cyber arena.

Cybercrime organizations represent a greater threat than rival countries

Rival countries interact with each other in a complicated, often unfriendly, but well-defined diplomatic framework. As part of that model, there are "checks and balances" between rival countries. The risk of an unsuccessful attack is extremely high and might cause severe diplomatic damage. In contrast, it is much easier to operate in the cybercrime arena and hide behind the scenes.

Nation-state actors are "steel-strong" in this interaction game. They have different motivations than cybercrime organizations, but sometimes they share the same targets, and a country can operate a cybercrime organization as a proxy.

The result of "bad guys building capacity" is more cyber events and cyber crises. We must prepare for crisis management and understand that it is not a matter of "if" but of "when."

Advanced tools: easy to operate

As attack methods and tools become increasingly sophisticated, they pass through organizational defense systems and cause extensive damage.

We hear about large companies investing in advanced cyber defense technology but still being attacked by cybercriminals. Most of us know someone who has suffered a ransomware attack or blackmail.

These attacks cause financial losses, disrupt business continuity, and damage the reputation of respected organizations. The number of attacks is growing, and the statistics show impressive achievements on the part of bad guys.

Driven by such serious concerns, organizations invest in proactive cyber intelligence, honeypots, SIEM and SOC, automated penetration testing, breach and attack simulation (BAS), and more. However, most organizations lack the operational knowledge necessary for preventing and effectively managing advanced cyberattacks. The conclusion is that organizations must adopt a new defense method.

Innovative cyber defense methodology

Tactical positive fraud (TPF) is a new proactive defense method that deploys versatile security layers based on the attacker's view and on operational knowledge. Part of the idea is to build decoys outside the organization. There are many ways to mislead the bad guys and lure them into a supervised zone, thus preventing damage to critical assets.

Most hackers hide behind global servers and gather pre-operation intelligence (POI) about their targets. They enumerate asset vulnerabilities before choosing their attack method and dropping the selected tools into the victim's network. This process leaves "traces of digital scratches," which can be detected. The TPF method leads the attacker to objects that are under supervision.

Misleading an attacker during the reconnaissance stage (the first step in the kill chain) can help a company disrupt the attacker's objectives and force them to seek another victim.
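The following is an added example, not code from the original article or from any INCD tool, of the "digital scratches" idea above: decoy objects are published outside the organization where only a reconnaissance scanner would find them (here a hypothetical fake admin path, a fake `.git/config`, and a hypothetical decoy hostname in DNS), and every request that touches one of them identifies a source for supervision. The decoy names, the log layout (a virtual-host-prefixed combined log) and the log lines themselves are constructed for the example.

```python
"""Detect reconnaissance against external decoys (added example).

Assumption: the organization publishes decoy assets that no legitimate user
ever touches. Any request to them is a "digital scratch" left by
pre-operation intelligence gathering, so the source can be flagged and
steered into a supervised zone instead of reaching real assets.
"""
import re
from collections import defaultdict

# Hypothetical decoy objects: advertised only where scanners look
# (e.g. robots.txt entries, stale DNS records), never linked for real users.
DECOY_PATHS = {"/backup-admin/", "/.git/config", "/wp-login-old.php"}
DECOY_HOSTS = {"vpn-legacy.example.com"}

# Constructed log layout: "<vhost> <ip> - - [ts] \"METHOD path proto\" status bytes \"ref\" \"ua\""
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
www.example.com 203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
www.example.com 198.51.100.23 - - [10/Mar/2021:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 88 "-" "python-requests/2.25"
www.example.com 198.51.100.23 - - [10/Mar/2021:10:00:06 +0000] "GET /backup-admin/ HTTP/1.1" 200 1024 "-" "python-requests/2.25"
www.example.com 198.51.100.23 - - [10/Mar/2021:10:00:07 +0000] "GET /.git/config HTTP/1.1" 200 300 "-" "python-requests/2.25"
vpn-legacy.example.com 198.51.100.23 - - [10/Mar/2021:10:00:09 +0000] "GET / HTTP/1.1" 200 200 "-" "python-requests/2.25"
www.example.com 203.0.113.7 - - [10/Mar/2021:10:01:00 +0000] "GET /products HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
www.example.com 192.0.2.99 - - [10/Mar/2021:10:02:00 +0000] "GET /wp-login-old.php HTTP/1.1" 200 300 "-" "curl/7.68"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_decoy_hit(rec):
    """True if the request touched something only a prober would find."""
    return rec["host"] in DECOY_HOSTS or rec["path"] in DECOY_PATHS


def flagged_sources(log_text):
    """Return {ip: {"hits": n, "decoys": [...], "first_seen": ts}} for every
    source that touched a decoy. Legitimate browsing (e.g. /, /products,
    /robots.txt) never appears here, so every entry is worth supervising."""
    seen = defaultdict(lambda: {"hits": 0, "decoys": [], "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_decoy_hit(rec):
            continue
        entry = seen[rec["ip"]]
        entry["hits"] += 1
        target = rec["host"] + rec["path"]
        if target not in entry["decoys"]:
            entry["decoys"].append(target)
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
    return dict(seen)


if __name__ == "__main__":
    for ip, info in flagged_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} decoy hit(s) since {info['first_seen']} -> {info['decoys']}")
```

In the constructed sample, the source that read robots.txt and then walked straight into the decoy admin path, the fake `.git/config` and the decoy VPN hostname is the one performing POI; the ordinary visitor never touches a decoy and is not flagged. In a real deployment the decoy endpoints would serve harmless content from the supervised zone, and the flagged list would feed blocking or further monitoring.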

Supply chains are the most vulnerable

While companies strive to build “cyber shields” around their assets, there are many “holes in the wall.”

Unfortunately, hackers have also breached third-party suppliers, including cyber security vendors.

Organizations must evaluate the risk from their third-party suppliers daily; annual reports are not enough. Third-party operational risk must be managed on a "zero-trust" basis between an organization and its suppliers.

This means that organizations need to build their risk concepts on reliable knowledge of the latest large third-party hacking events worldwide. An organization should demand automated assessment tooling. For example, when a new vulnerability is published, we need a "heat map" of risky suppliers immediately.
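As an added example (not code from the original article or from any vendor's product) of what such a supplier "heat map" can look like, the script below keeps a small supplier inventory and, when a new advisory arrives, ranks the suppliers that run an affected version by how much access they hold in our environment. The supplier names, the product name, the advisory, the access tiers and the scoring weights are all hypothetical and constructed for the example.

```python
"""Supplier heat map for a newly published vulnerability (added example).

Assumption: the organization keeps an inventory that records, per supplier,
which products they run in or against our environment, the version in use,
and how much access a compromise of that supplier would hand an attacker.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    products: dict       # product -> version in use (hypothetical inventory data)
    access: str          # "none" | "data" | "network" | "admin"
    compensating_controls: bool = False   # e.g. supplier traffic already segmented


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str        # first fixed version; anything lower is affected
    severity: str        # "low" | "medium" | "high" | "critical"


# Assumed weights: how valuable a foothold through this supplier would be,
# and how bad the advisory is. Tune to the organization's own risk appetite.
ACCESS_WEIGHT = {"none": 1, "data": 2, "network": 3, "admin": 4}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def version_tuple(v):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version_in_use, advisory):
    """Affected if the version in use is older than the first fixed version."""
    return version_tuple(version_in_use) < version_tuple(advisory.fixed_in)


def heat_map(suppliers, advisory):
    """Return [(supplier_name, score, label)] sorted hottest first, listing only
    suppliers that run an affected version of the advisory's product."""
    rows = []
    for s in suppliers:
        version = s.products.get(advisory.product)
        if version is None or not is_affected(version, advisory):
            continue
        score = ACCESS_WEIGHT[s.access] * SEVERITY_WEIGHT[advisory.severity]
        if s.compensating_controls:
            score = max(1, score // 2)   # controls reduce, but never erase, the risk
        label = "red" if score >= 9 else "amber" if score >= 4 else "green"
        rows.append((s.name, score, label))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed inventory; names and versions are invented for the example.
SUPPLIERS = [
    Supplier("Acme MSSP", {"remote-mgmt-agent": "4.2.1"}, "admin"),
    Supplier("Payroll SaaS", {"remote-mgmt-agent": "4.3.0"}, "data"),
    Supplier("HVAC contractor", {"remote-mgmt-agent": "3.9.0"}, "network",
             compensating_controls=True),
    Supplier("Print vendor", {"label-tool": "1.0"}, "none"),
]

# Constructed advisory for the hypothetical product; no real identifier is implied.
ADVISORY = Advisory(product="remote-mgmt-agent", fixed_in="4.3.0", severity="critical")


if __name__ == "__main__":
    for name, score, label in heat_map(SUPPLIERS, ADVISORY):
        print(f"{label:>5}  {score:>3}  {name}")
```

Run against the constructed inventory, the managed security provider with admin-level access and an unpatched agent comes out red, the HVAC contractor with network access but segmented traffic comes out amber, the supplier already on the fixed version drops out, and the supplier that does not run the product never appears. The point is that the answer exists on the day the advisory is published, from data the organization already holds, rather than at the next annual questionnaire.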

We need to effectively manage dozens or even thousands of suppliers to keep our assets secure.

The good news is that there are operational solutions. The bad news is that few organizations understand the new third-party operational risks. Therefore, I call on the international cyber community to adopt operational supply chain standards.

The threat landscape is shifting

Legend for Figure 1 (the figure itself is not reproduced here):

• Red button: old version of cybersecurity efforts
• Green button: new concept of cybersecurity efforts
• Prevent: prevention and old-style proactive cybersecurity
• Event: cyber crisis readiness (assumption: cyber crises will arise)
• Classic: defense layer methodology
• Operation: attacker view – mirroring fraud
• Organization: company assets
• Third-party: company supply chain
• National threat: rival countries
• Cybercrime syndicate: international crime organization

Summary and conclusion

The legacy cyber defense style is no longer effective, and hackers continue to cause outages and damage. Global defenders and the CISO community must develop operational-view and attacker-view capabilities as part of their skill set.

We should discuss operational concepts and share ideas and success stories. We should develop a “cyber operational branch.”

The next step is to study the operational methods in the cyber academy as part of advanced CISO training. The global cyber community must support international cyber methodology organizations and encourage them to introduce new and effective methods, as shown in Figure 1.

The author is a former deputy director-general – INCD
All rights reserved – Rafael Franco 2021