Security largely remains an afterthought. It is all too often a retrofit. Product developers focus on tangible attributes – functionality, performance, user experience, etc. Security is intangible and typically comes with a cost – both financial and in quality-of-service terms such as performance – and thus takes a back seat. In the past, it has rarely been considered an essential, provable aspect of product development. Security remains something externally imposed.
This perception has been slowly changing, and the importance of security is being taken more seriously. There are still limitations. A product is deployed in a complex environment, and the interaction of many different products may result in unanticipated behavior. As such, even if a product is architected with security as an essential attribute, additional measures must be put in place when it is deployed in an enterprise.
At the enterprise level, the biggest problem faced by security professionals is justifying the budget for security. Many businesses still treat security as a dispensable expense. The attitude continues to be – “it won’t happen to us” – until it does.
The good news is that this is changing, and the importance of security is being realized. There may be regulatory or market-driven reasons for the change. Organizations are taking measures to ensure that their operating environment is safe. Hygiene, proactive security, security by design, zero-trust architectures, etc., are taking hold. But the industry is in flux.
Muddled Terminologies and Resulting Confusions
It is natural that confusion reigns at this stage of maturity. Industry tends to muddle up terms and use them rather loosely. This, unfortunately, continues to be the case and is causing much confusion.
Starting at the highest level, there is confusion as to what is meant by proactive security vs. reactive security. Terms such as Prevent, Detect, Defend, Mitigate, Respond, Remediate, etc., are often used out of context and end up causing confusion. As the industry matures, it becomes important to give these terms precise meanings and to use them in a technically precise sense.
Understanding Cyberattacks: Relevance of Weaknesses
To unravel the meaning of some of the commonly used terms in the field of cybersecurity, let us dive into some of the ways an attack unfolds.
Successful attacks invariably exploit one or more weaknesses in the system. A weakness that an attacker can actually exploit in a deployed system is called a vulnerability. Thus, successful attacks typically use vulnerabilities as the entry point to the enterprise.
A system with no known vulnerabilities is hard to attack but not impossible. The most commonly exploited kind of vulnerability is a publicly known defect in a piece of software for which exploit code is also publicly available. Using such an exploit, an unauthorized user can gain access to the system and wreak havoc. This not only provides access to the system on which the vulnerability exists; in principle, the perpetrator can move laterally from it and gain access to the entire network. This can result in untold damage to the enterprise. This kind of attack is entirely avoidable by paying heed to the known vulnerabilities in the enterprise. It is one of the contributors to the concept of Attack Surface that we will shortly define.
Another weakness that is often exploited to gain access to a system is a weak configuration. When an enterprise does not strictly control the configuration of its various sub-systems (default credentials, unnecessary open services, permissive access settings), it presents attackers an opportunity to gain unauthorized access to the system and, thereby, to the enterprise network.
As an attack progresses, it is entirely possible that telltale signs of the attack become apparent, and these can be used to thwart the attack and contain the damage it would otherwise cause. This is what anti-virus software typically accomplishes. Often, however, an attack gets past the anti-virus software and is initiated anyway. At this stage, a good defense will kick in, detect that an attack is ongoing, and take appropriate action to contain its spread. Different terms are used to describe what happens at the different stages of an attack.
An attack may be prevented. This term aptly describes the situation in which a vulnerability is identified and removed from the system before an attack occurs. Prevention is an act that ensures that the adverse event does not occur in the first place. It cannot be used to describe any other situation. When a vulnerability in the system is identified and removed, one often uses the term remediated.
If an attack is detected early enough and appropriate action is taken, we can describe it by saying that the attack is defended against. Once the attack progresses enough to cause damage to the enterprise, mitigative action will be taken to minimize the damage.
Proactive and Reactive Defense
In all these stages of an attack, there are two main classes of defense – Proactive and Reactive. There is quite a bit of confusion on how these terms are applied to describe different scenarios. A moment of thought will convince anyone where these terms should apply.
An action that prevents an adverse event from happening is what prevention is. We will give a more precise definition of this soon. An action that follows the detection of an attack, or a measure taken after an ongoing attack is detected, cannot be proactive. It is a reaction to the fact that an attack has been detected. Such a defense is clearly reactive. However, it is all too easy to describe this scenario in language that makes it sound like a preventive defense. It is this kind of usage that leads to a lot of confusion in the industry.
What is the Attack Surface?
When thinking about cyber-attacks, the concept of ‘Attack Surface’ plays a crucial role. Broadly, Attack Surface is the window of opportunity available to an attacker to gain unauthorized access to the system.
The Digital Attack Surface comprises software vulnerabilities, OS vulnerabilities, weak passwords, firmware vulnerabilities, misconfigurations, assets exposed to the internet, outdated and obsolete applications and data, shared resources such as databases and directories, weak encryption policies, and vulnerabilities in TLS, among others. Note that we are restricting ourselves to the Digital Attack Surface. There are other contributors to the Attack Surface that we are explicitly ignoring, for example susceptibility to social engineering. In this discussion, we will continue to exclude social engineering, even though it is an important source of attacks.
So, What Exactly is Prevention?
We are now able to define the concept of Prevention in a practical and quantifiable manner. Let us again emphasize the difference between types of cyber defense. The two main types are Proactive and Reactive. Proactive defense is the type of defense where a measure prevents an attack from happening. Thus, the terms proactive and preventive are very closely related. In fact, we argue that proactive and preventive are one and the same. Here, the defensive measures taken result in closing the windows of opportunity that are available to attackers. Any other kind of defensive measure can only be used to detect anomalous behavior or an ongoing attack. Such defensive measures are, by definition, NOT preventive. Formally, any measure that results in the reduction of the attack surface is defined as a preventive measure.
Understanding Preventive Measures:
Let us look at some examples of preventive measures. The portion of the digital attack surface attributable to software vulnerabilities can be enumerated by performing a vulnerability scan. Vendor patches are usually available for many of these vulnerabilities. By applying the vendor patches, these vulnerabilities are removed from the system, thereby reducing the attack surface. (A patch counts only once it is actually in effect; a rescan after patching confirms that the finding is really gone.) Thus, the process of remediation is certainly a preventive measure, as per our definition.
We are certainly not arguing that preventive measures alone will suffice. As a matter of fact, zero-day vulnerabilities, or vulnerabilities for which patches are not yet available, will continue to contribute to the attack surface. This makes it necessary that, in addition to preventive measures, the organization should have ways of detecting anomalous behavior and a potentially ongoing attack.
Identifying an attack and taking countermeasures to thwart such attempts will limit the damage such attacks can cause. While these are necessary measures from a security perspective, they are most definitely NOT preventive in nature. For example, anti-virus software only acts once malicious code is already present on the system. It is a response to the presence of a virus or to the anomalous behavior of a piece of software. This definition of Preventive measure, or Prevention for short, provides a way to quantify Prevention. The obvious way to quantify prevention is to use the reduction in the Attack Surface as the measure. A simple way to look at it is to compute the Attack Surface before the measures are put in place and to determine the Attack Surface after the measures are put in place. The difference between the two is a way to quantify the preventive measure.
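The scan-patch-rescan cycle and the before/after computation described above, as an added worked example that is not part of the original article. The weakness classes, their weights and the sample findings are all assumptions constructed for illustration (the identifiers are placeholders, not real CVE numbers); a real programme would derive weights from exploitability, exposure and asset criticality. The point it shows is that patching, closing an unneeded service and removing a default password each reduce the surface, while a zero-day with no vendor fix stays on the books and can only be covered by detection.

```python
"""Attack-surface scoring: quantify prevention as the reduction in attack surface."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Weight per weakness class. Assumed values chosen for illustration only.
WEIGHTS = {
    "cve_public_exploit": 10,   # known defect with public exploit code
    "cve_no_public_exploit": 4,
    "weak_credential": 5,       # default or weak password
    "misconfiguration": 3,
    "unnecessary_service": 2,   # listening service nobody needs
    "obsolete_software": 3,     # end-of-life application or OS
}


@dataclass(frozen=True)
class Finding:
    """One weakness reported by a scan (constructed sample, not real scanner output)."""
    asset: str
    kind: str
    ident: str                   # placeholder id: patch, rule or service name
    internet_exposed: bool = False
    fix_available: bool = True   # False for a zero-day with no vendor patch


def finding_score(f: Finding) -> int:
    """Score one finding; internet-exposed weaknesses count double (assumed rule)."""
    if f.kind not in WEIGHTS:
        raise ValueError(f"unknown weakness class: {f.kind}")
    score = WEIGHTS[f.kind]
    return score * 2 if f.internet_exposed else score


def attack_surface(findings: Iterable[Finding]) -> int:
    """Total attack surface is the sum of the per-finding scores."""
    return sum(finding_score(f) for f in findings)


def remediate(findings: Iterable[Finding], actions: Set[str]) -> List[Finding]:
    """Apply preventive actions (by finding id) and return what remains.

    A finding is removed only if it was acted on AND a fix exists: a zero-day
    stays in the attack surface no matter how many tickets are raised for it,
    which mirrors the need for detection alongside prevention.
    """
    return [f for f in findings if not (f.ident in actions and f.fix_available)]


def prevention_delta(before: Iterable[Finding], after: Iterable[Finding]) -> Tuple[int, float]:
    """Quantify prevention: absolute and fractional reduction of the attack surface."""
    a, b = attack_surface(before), attack_surface(after)
    reduction = a - b
    return reduction, (reduction / a if a else 0.0)


# Constructed sample scan results for a small enterprise (placeholder ids).
SAMPLE_FINDINGS = [
    Finding("web-01", "cve_public_exploit", "vuln-web-01", internet_exposed=True),
    Finding("web-01", "unnecessary_service", "svc-telnet", internet_exposed=True),
    Finding("db-01", "weak_credential", "cfg-default-db-password"),
    Finding("db-01", "cve_no_public_exploit", "vuln-db-01"),
    Finding("vpn-01", "cve_public_exploit", "vuln-vpn-zero-day",
            internet_exposed=True, fix_available=False),
    Finding("fs-01", "obsolete_software", "eol-file-server"),
]

# Preventive actions taken this cycle: patch, close service, rotate credential.
# The zero-day is listed too, to show that listing it changes nothing.
SAMPLE_ACTIONS = {"vuln-web-01", "svc-telnet", "cfg-default-db-password", "vuln-vpn-zero-day"}


def run_cycle(findings: List[Finding], actions: Set[str]) -> Tuple[int, int, int, float]:
    """One scan -> remediate -> rescan cycle; returns before, after, reduction, fraction."""
    remaining = remediate(findings, actions)
    reduction, fraction = prevention_delta(findings, remaining)
    return attack_surface(findings), attack_surface(remaining), reduction, fraction


if __name__ == "__main__":
    before, after, reduction, fraction = run_cycle(SAMPLE_FINDINGS, SAMPLE_ACTIONS)
    print(f"attack surface before: {before}, after: {after}")
    print(f"prevention achieved: {reduction} ({fraction:.0%} of the surface removed)")
    for f in remediate(SAMPLE_FINDINGS, SAMPLE_ACTIONS):
        print(f"  still exposed: {f.asset} {f.kind} {f.ident}")
```

Used this way, the number reported each cycle is exactly the definition in the text: attack surface before minus attack surface after. Anything that does not move that number (installing a detection agent, tuning an alert) is, by the article's definition, not prevention, however valuable it is.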
What are the Biggest Preventable Weaknesses?
Easily identifiable preventable weaknesses include SW vulnerabilities, firmware vulnerabilities, misconfigurations (weak passwords, etc.), weak encryption, outdated and obsolete applications, unnecessary services, and unused applications in the system.
It is worthwhile thinking about what does not necessarily qualify as prevention. Misuse of personal information extracted from data that has already leaked cannot be easily prevented. Data exfiltration over an outbound connection is another example of something that does not qualify as preventable. Spam messages getting through spam filters would be another example of what may not fall into the category of preventable weakness. Brute force attacks against an exposed login also belong to the group of not-preventable attacks: the attempts themselves cannot be stopped, even though strong credentials and lockout policies (which do shrink the attack surface) make their success unlikely.
Conclusion
The upshot of all of this is that we can clearly identify two distinct defense strategies against cyber-attacks: Proactive and Reactive. Prevention is the only proactive cyber security strategy, and any other type of defense will necessarily be Reactive. To date, the industry is rife with examples of confusion in the sense in which these terms are used. It is very important to ensure consistent usage of the terminology across the industry to minimize confusion. We have presented a natural way of understanding what prevention means and how to measure prevention quantitatively. Prevention plays an important role in protecting the assets of an organization against cyber-attacks; it is by no means a complete guarantee against attacks. It needs to be complemented by having a detection-based security strategy in place.
The approach we presented will help create a platform-based approach to both prevention and detection-based security strategies.