Advice for a Cybersecurity Leader - Think Like Your Adversary

by Michael F.D. Anaya

How do Cyber adversaries think? Easy, like the rest of us. Well, with a slightly different optic. My advice: Cybersecurity leaders need to assess the potential vulnerabilities (from the mindset of the adversary) and devise effective defensive countermeasures unique to their company's needs. Easy, right? Well, maybe. Let's take a closer look at my proposal.

The Burglar Analogy

I give a number of presentations, and I like to start off each one with an interactive mental exercise. I ask my audience to take on the role of a burglar. I show them four different homes. As a group, we discuss the pros and cons of each from the mindset of a burglar. We talk about topics such as perimeter security, pattern of life, police response time, entry points, egress routes, etc. These topics all lead to the crux of the mental exercise: how the threat adversary (in this case a burglar) works through the cost/benefit analysis process. This is a concept we all understand: Is the risk worth the reward? At the end of the exercise, everyone votes on which home they would target. Each person employs his or her own cost/benefit analysis. I use this exercise because it allows the audience to see the situation from the mind of the threat adversary.

From Theoretical to Practical

Whether robbing a house or hacking a network, let's remember our focus:

"A Cybersecurity leader needs to place himself or herself in the mindset of their adversary."

If he or she (as the adversary) were trying to target their own company, what would they do? The Cybersecurity leader should focus on the same key topics from our exercise: perimeter security, pattern of life, police response time, entry points, egress routes, etc., with the underlying question of whether the risk is worth the reward. This exercise will vary from company to company, for each organization presents a different value proposition to the threat adversary. For example, an ice cream manufacturer will have a lower value proposition to most threat adversaries than a large financial institution. Therein lies the rub. In every presentation I have given, there is always someone who picks each one of the homes. In other words, someone will always find value in targeting your company. This is why all Cybersecurity leaders must devise effective defensive countermeasures unique to their needs.

Countermeasures to Consider

Let's turn to some highly effective countermeasures that every Cybersecurity leader should consider:

  1. Employ personnel who have first-hand experience in addressing the threat. Here are some professions to recruit from: incident responders, federal law enforcement personnel (with Cyber expertise), threat hunters, US military personnel (with Cyber expertise), and white-hat researchers.
  2. Rely on software solutions to assist in identifying threats. This is something most companies do to varying degrees of depth and scope (from anti-virus to advanced IDSs). My recommendation is to refer to my first point and have those individuals create a plan that is right for you and your company.
  3. Implement an effective employee training program. You can always develop an in-house solution, but there are some solid off-the-shelf options. I am partial to the stylish, hilarious musings of Curricula, but there are others like KnowBe4.
  4. Ensure the partners you work with are reputable and prioritize security. This is easier said than done, but supply chain threats are a major vulnerability. From companies that operate in countries where the government owns and operates them, to companies that are racing to market to solve a problem with little thought given to security, Cybersecurity leaders need to focus on partner companies. Here is a good article discussing five large data breaches in 2018 (both the British Airways and Ticketmaster data breaches were due to third-party JavaScript vulnerabilities, outside the direct control of either company).

Every company poses a different challenge, but my proposal applies to all of them: all Cybersecurity leaders should assess the potential vulnerabilities (from the mindset of the adversary) and devise effective defensive countermeasures unique to their needs. My hope is that we can collectively build a safer, more secure Cyber community.

About the Author

Michael F. D. Anaya is the Head of Global Cyber Investigations and Government Relations for DEVCON DETECT, Inc. (DEVCON). Prior to joining DEVCON, he spent approximately 14 years with the Federal Bureau of Investigation (FBI). He began his career as a Special Agent in the FBI’s Los Angeles field office addressing complex cyber matters for eight years, during which time he led numerous, expansive investigations including one that resulted in the first federal conviction of a US person for the use of a peer-to-peer (P2P) botnet. He then was named a Supervisory Special Agent (SSA) for the Leadership Development Program, charged with bringing together disparate divisions of the FBI focused on a workforce development initiative. This resulted in a more balanced and inclusive program. After implementation of the program, SSA Anaya went on to lead a cyber squad in the FBI’s Atlanta field office. There, he led a diverse group of Agents, Intel Analysts, and Computer Scientists in neutralizing nation state and criminal threats. He secured one of the highest performance standards given by the FBI for the entire Atlanta cyber program, and he helped the program achieve a top five ranking amongst the 56 FBI field offices.

July 9, 2019
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013