As ransomware attacks continue to increase and cybercriminals are becoming more sophisticated, the federal government has implemented a more proactive approach when it comes to cybersecurity. As evidenced by its stated strategy to adopt a zero trust architecture, the federal government is taking measures to reduce the risk of cyberattacks against its digital infrastructure, and setting specific security goals for agencies to quickly detect, isolate and respond to threats. This approach is also exemplified by the extension of its Industrial Control Systems Cybersecurity Initiative, which is aimed at facilitating the deployment of technologies and systems that provide cyber-related threat visibility, indicators, detections and warnings to the water infrastructure.
An offensive mindset is key to ensuring the best cyber defense. To ensure success, there are three main components for organizations to consider when developing a defensive strategy based on an offensive cyber model: re-envisioning recruitment, thinking like a hacker, and promoting offensive training in tangent with defensive training.
According to ISACA’s State of Cybersecurity 2022 report, 63% of respondents have unfilled cybersecurity positions, up eight percentage points from 2021. Yet, the cyber skills gap is widening with each passing year. This demand for talent calls for organizations to take advantage of those who are looking for more growth and a career change, especially in the cyber industry. Ultimately, cybersecurity is a creative field with ever-evolving problems and solutions, so hiring people with new ways of looking at problems and an eagerness to learn is much more valuable than a specific degree or tenure.
This means companies should consider building programs that help recruit individuals that may not exactly meet the usual cyber standards and help them develop the skills they are looking for in employees. There is also an opportunity to further train those job candidates who interview, but just miss the mark of what the role requires to succeed – again, helping to build the skills they are looking for in such positions. It is also important to offer new opportunities for current employees, advocating transferable skills from one department to the next. Entice cyber employees, who are considering giving their notice, with these new opportunities, providing confidence that there is still growth to be had. Such efforts take a proactive approach to addressing the current threat landscape.
Thinking like a hacker
Threat intelligence is a key component to developing an offensive mindset. That’s why proactive cybersecurity auditing can be one of the best courses of action in stopping cyberattacks before they can impact an organization. To implement the right changes to cybersecurity strategy, an organization needs to understand fully existing network vulnerabilities.
This can be accomplished through a few different tactics, including penetration testing and vulnerability scanning. Penetration testing involves a person purposefully hacking into a network to identify weaknesses to an organization’s system, while vulnerability scanning consists of an automated test that looks for potential security vulnerabilities. Both tactics enable organizations to better grasp the mind of a hacker and understand the “how” behind a potential attack. Something else to be considered – under the right circumstances – is the possibility of hiring a former hacker. Their insight could prove to be extremely helpful, as aptitude in identifying weaknesses can be a useful asset. Many former hackers find roles as a penetration tester / red team member fulfills their desire to expose system flaws while doing so legally, for the betterment of security.
Promoting offensive training in tangent with defensive training
While we’re seeing changes on a national level to better protect our way of life through the push for zero trust frameworks, there also needs to be better recognition of honing offensive capabilities across all sectors, ensuring they are being taught right next to defensive approaches.
Those who operate in cybersecurity roles for the private sector or critical infrastructure companies are performing cyber defense, but there’s the notion of active defense – more proactively identifying and containing threats before they have a chance to breach systems. That takes an understanding of how hackers think to know how to find the threats before they’re inside, since the zero trust principle of “assume breach” acknowledges that attackers will get in.
However, those seeking legitimate, ethical careers in cyber are generally taught how to defend networks. But unless one knows how to penetrate various security layers, they’re not thinking like an attacker. Giving employees offensive cyber training in a setting where they have permission to try to break in can be liberating and help them develop the instincts and know-how they need to be the best possible cyber defenders. Moving forward, this must be a standard practice, ensuring offensive training is promoted in unison with defensive training.
That experience of how to break into something using offensive cyber tactics is what sparks original thinking on ways to defend, which is just as valuable as understanding an attackers’ methods and motivations.
The threat environment is continuously evolving due to current events and the rise of more sophisticated cybercrimes. As such, an offensive mindset is crucial to defend organizations fully against attacks on the enterprise and national level. For success, organizations need to act now by changing how they recruit and train employees, understanding the motivations of a hacker, and ensuring offensive strategies are being deployed alongside defensive ones.