Prevention is often derided as a naïve, outdated notion in information security. Today, the talk in security often centers on the idea of “detection and response.” The thinking behind this approach is that we must assume attackers will get into our networks – it is not a question of “if” but “when.” Therefore, the only effective security is to detect them once inside, monitor their actions, and then eventually mount an effective response.
That thinking was shaped a few years back by the APT threats originating largely from nation states and sophisticated criminal organizations, when attacks were “low and slow,” with weeks of reconnaissance, and the goal was long-term persistence to siphon off intellectual property or PII.
Unfortunately, that thinking fails mightily in the face of the destructive attacks we’re seeing now such as WannaCry and Petya. And it will fail more tragically in the face of the more powerful destructive attacks we’re likely to see in the future.
Why? Well, imagine the detection-and-response approach to a nuclear attack. We monitor the nuclear missile as it enters the atmosphere. We detect the explosion … and then we respond!
Oh wait, we can’t respond; we’re dead already.
The problem with destructive attacks is that they fit a totally different profile from the Advanced Persistent Threats that detection-and-response models are designed for. Destructive attacks are neither low nor slow, and they have no desire for persistence or non-detection. They spread fast, are generally non-discriminating in their targets, make huge amounts of noise, and render the systems involved completely unusable. Just look at the impact of these last two attacks. WannaCry was reported to have infected more than 230,000 computers in over 150 countries in a single day.
To defend against these attacks, which should increasingly be the No. 1 priority of organizations, prevention is once again key. These attacks typically exploit basic weaknesses such as vulnerabilities in software, flaws in privileged account protection, and poor basic hygiene around patching and backup processes.
And as motivations change from nuisance attacks for money such as ransomware (WannaCry) to purely destructive motivations (as “Petya” seems to be, targeting the Ukrainian economy and those closely connected to it), successful protection against these attacks becomes an existential requirement. Even as I write this, shipping ports are closed, supermarkets are unable to conduct business, and major advertising firms have all but disappeared from the Internet. Response for those companies is now centered on business survival, not avoiding a fine or offering credit monitoring services.
So let’s get away from the romantic notion of playing cops and robbers with shadowy nation states inside our networks, and get back to the basic business of building digital systems that are hard to attack, and resilient enough to recover. Let’s get ready for the next attacks, not the last ones. And let’s remember that an ounce of prevention, in this case, is worth a few thousand pounds of response.