When the world faces a major health crisis, why can a vaccine be developed within a year, but a problem lasting for more than 40 years still isn't solved after hundreds of billions of dollars have been spent?
When companies or governments invest in cybersecurity, they expect to be safe from harm. Yet cybercriminals using (mostly) known techniques and marginal budgets can break in easily.
From Failing to Saving
Out of hundreds of thousands of cybercriminals globally, how many leverage "brand-new techniques" and "unseen-before exploits"?
The truth is that mass hacking has little to do with elite cybercriminals. Of course, saying that your company has been compromised because your FTP had a weak password, explaining to your boss that your routers weren't patched for five years, or telling your clients this EternalBlue thing is brand new won't give your career a boost. Saying you've fought "elite hackers" in a desperate attempt to save the company from an unprecedented ransomware attack is more spectacular.
Design Addresses (Real) New Threats
Yes, there are unknown vulnerabilities, or sometimes you couldn't patch everything in time. There's no shame in this, but design is a solution here. You can protect your endpoints, have redundancy, protect and externalize your backups. Do you need to give remote access to IP addresses that aren't fixed? Use port knocking. You have a large remote workforce, pay them a security package (tools and training) for their home working environment. You fear your critical data isn't safe, use a cipher and back it up remotely to safe online storage. I won't go over all scenarios, but a thoughtful design can account for the unknown and unexpected.
The truth is that most of those "elite hacker" techniques can be stopped by doing what every CISO has been yelling about for years: Invest in cybersecurity. Not just money to stack products. Make sure you have time to design and test to create robust procedures and fail-safe mechanisms, and the energy to train teams.
In recent security disasters, zero-days weren't leveraged most of the time. Just the same old scan, credential brute force, XSS and SQL injection, plus, occasionally, a few weeks- or months-old vulnerabilities. So much for "elite." Back to basics: reliable architectures, tests, strong passwords, anti-brute force efforts, training, and protection against Web-oriented vulnerabilities. Once these are covered, we can install all the fancy stuff, use AI, spend zillions, and be happy about it. But the plain truth is that the basics aren't yet covered, and they remain the main gateway to your data for most cybercriminals.
What’s New and What Isn’t?
Assigning blame isn't the point here. Some critical factors have changed, making the battle more difficult than ever. First, the perimeter expanded exponentially. From a single garden wall (called "DMZ" by then) with a set number of servers, we're are now sitting on top of microservices, containers, cloud drives, VMs, bare metal, public cloud instances, SaaS products, etc. Your data is everywhere, and we had to spawn tons of VPN connections in months to allow remote access during the COVID crisis, usually skipping on the good old pen test.
The organizational skills and infrastructures of the bad guys also changed. When a stash that big is available to loot (we speak here of the GDP of a country that would rank in third position in the world), you can bet you aren't facing a bunch of students. They're cybercriminals, organized, well trained, well financed, and extremely motivated.
But the rise of cryptocurrency is what made a real difference in this war because it made the bad guys' job much simpler. No direct contact, no cash to carry or SWIFT fund transfers, just an almost instantaneous, untraceable transaction.
Ransomware is not a new hacking technique. It's a new monetization technique that makes you pay your cybersecurity debt at the highest possible price.
The Super-Soldier Approach Is Doomed
Businesses are acting like superheroes, going alone in a large battle against an army: laser eyes, atomic bomb-proof shields, jetpacks, all guns blazing, before realizing they've put their Y-front briefs over their pants... I call this attitude the "Captain America Syndrome."
Except, only in Hollywood has a single soldier ever beaten an army. Real life doesn't work that way. In real life, you shouldn't go for the captain's approach but for the sergeant's wisdom. And when some aggressors besiege his barracks, the sergeant isn't telling his men, "Go out one by one." He organizes so that the mass of them overwhelms the enemy.
Studies show that cybercriminals are teaming, exchanging information, specializing their efforts. They're cooperating. But demographically speaking, there are more good guys than bad ones. By teaming together and sharing information, we're stronger. The time has come for collaborative security, for a crowd approach to the problem. The time has come to overwhelm the bad guys.
The theory of gravity is an example of a complicated problem. Like most complicated problems, it was solved by one brilliant person. But sending people to the moon is an example of a complex problem. Complex problems require large-scale collaboration to solve them.
During the last four decades, we've probably mistaken cybersecurity for a complicated problem instead of recognizing it for what it really is: a complex one where teaming makes a difference.
For more information on how to harness the power of the crowd and benefit from one of the largest cyber-threat intelligence networks on Earth (leveraging tens of thousands of machines and tagging half a million IP addresses to date), you can check out CrowdSec's website or our project's GitHub repository.
About the Author
Philippe Humeau, CEO and Co-founder of CrowdSec, graduated as an IT security engineer in 1999 in cybersecurity. He then created his first company dedicated to red-team penetration testing and high-security hosting. After selling his first company, his interest in cybersecurity led him to create CrowdSec in 2020. This open source editor creates a participative IPS that generates a global, crowd-powered CTI.