How to create an offensive cyber security strategy

Common cyber security tools often arrive too late to prevent breaches and can only clean up the crime scene. Offensive cyber security takes a more proactive approach.

While most antivirus software reacts to an exploit and mitigates the damage after the attack has landed, an offensive cyber security strategy finds the holes in your defences so you can patch them before a strike breaks through.

One of the leading exponents of the method is cyber security expert Gary Miliefsky, who was a founding member of the United States Department of Homeland Security.

He gave his tips on developing an offensive strategy at CLOUDSEC London.


Review your apps and remove any that expose vulnerabilities

All of your software and hardware infrastructure could be vulnerable, and attackers will take advantage of any inherent weakness they find. Ageing PCs, drives, routers, operating systems, browsers, applications and plug-ins often carry major, well-known vulnerabilities.

Modern technologies bring new dangers of their own. Internet of things (IoT) devices and mobile apps such as emoji keyboards are particular targets for data theft: a third-party keyboard app sees every keystroke typed into every other app on the phone.

"The emoji keyboard can run in real-time on your phone all the time," says Miliefsky. "That means that if you've installed an emoji keyboard and you're logging into your Barclays accounts, somebody might be watching you typing that username and password."

To reduce the risk, review the permissions and privacy policy of every app you have installed, and remove any that you cannot entirely trust.

Use auditing systems to find vulnerabilities and patch up any holes

There are 89,768 Common Vulnerabilities and Exposures (CVEs) in the wild today according to Miliefsky, and that number is only growing.

"So go after your vulnerabilities, and if I were you I would get rid of the most critical ones first," he says. "If you don't defend against your vulnerabilities you’re going to be exploited."

Miliefsky recommends that you patch every hole that can be patched and keep re-testing to confirm that the fixes have held. When no patch is available, reconfigure the system instead: disable the vulnerable component or restrict who can reach it, and re-scan to confirm the finding is gone.

He suggests installing auditing systems from Trend Micro, Qualys, Rapid7 or Tenable to help identify vulnerabilities. Free open source alternatives such as OpenVAS are also available.
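To make "most critical first" concrete, here is an added example, not code from the article or from any of the products named above, that reads a constructed scanner export, ranks findings by CVSS score with bumps for internet exposure and public exploit code, and tells the operator whether to patch or, where no fix exists, to reconfigure and re-scan. The CSV layout, host names and finding ids are invented for illustration and are not OpenVAS's or any vendor's format:

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed scanner export for this example. The column layout is invented
// for illustration (it is not OpenVAS's or any vendor's format) and the ids
// are placeholders, not real CVE numbers.
const sampleScan = `host,id,cvss,exposed,exploit_known,fix_version
db-01,F-001,7.5,false,false,10.2
web-01,F-002,9.8,true,true,2.4.1
legacy-01,F-003,8.1,true,false,
ws-17,F-004,4.3,false,false,1.0.3
`

// Finding is one row of scanner output.
type Finding struct {
	Host, ID     string
	CVSS         float64 // CVSS base score, 0-10
	Exposed      bool    // reachable from the internet
	ExploitKnown bool    // public exploit code exists
	FixVersion   string  // empty when the vendor has shipped no fix
}

// Action is one line of the remediation plan.
type Action struct {
	Finding  Finding
	Priority float64
	Step     string
}

func parseFindings(data string) ([]Finding, error) {
	records, err := csv.NewReader(strings.NewReader(data)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("empty scan export")
	}
	var out []Finding
	for i, rec := range records[1:] { // skip the header row
		score, err := strconv.ParseFloat(rec[2], 64)
		if err != nil {
			return nil, fmt.Errorf("row %d: bad cvss %q", i+1, rec[2])
		}
		out = append(out, Finding{
			Host: rec[0], ID: rec[1], CVSS: score,
			Exposed: rec[3] == "true", ExploitKnown: rec[4] == "true",
			FixVersion: rec[5],
		})
	}
	return out, nil
}

// priority ranks a finding: CVSS first, with a bump for internet exposure and
// another for public exploit code, so "critical and reachable" floats to the top.
func priority(f Finding) float64 {
	p := f.CVSS
	if f.Exposed {
		p += 2
	}
	if f.ExploitKnown {
		p += 2
	}
	return p
}

// plan orders findings most critical first and says whether to patch or,
// when no fix exists, to reconfigure; either way the host is re-scanned.
func plan(findings []Finding) []Action {
	actions := make([]Action, 0, len(findings))
	for _, f := range findings {
		step := "patch to " + f.FixVersion + ", then re-scan to confirm"
		if f.FixVersion == "" {
			step = "no patch available: disable or restrict the service, then re-scan to confirm"
		}
		actions = append(actions, Action{Finding: f, Priority: priority(f), Step: step})
	}
	sort.SliceStable(actions, func(i, j int) bool {
		return actions[i].Priority > actions[j].Priority
	})
	return actions
}

func main() {
	findings, err := parseFindings(sampleScan)
	if err != nil {
		panic(err)
	}
	for _, a := range plan(findings) {
		fmt.Printf("%5.1f  %-10s %-6s %s\n", a.Priority, a.Finding.Host, a.Finding.ID, a.Step)
	}
}
```

The weighting is deliberately simple; the point is that the ordering is driven by reachability and exploit availability as well as raw CVSS, and that a finding with no patch still gets an action rather than being parked.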

Make continuous real-time backups your first line of defence

Ransomware is unlikely to do lasting harm if all your data can be restored quickly. Miliefsky suggests investing in a continuous data protection (CDP) solution that backs up your files in real time; these automatically save a copy of every change a user makes to the data. The copies must live somewhere the affected endpoint cannot overwrite or delete, otherwise the ransomware encrypts the backups along with the originals.

"Look for a CDP that uses low CPU cycles," advises Miliefsky.

The product you choose should run on all your relevant operating systems. Before deploying it across the organisation, test it: restore real files from the backup, confirm they come back intact, and check that recovery is fast enough to meet your needs.
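An added example, not the article's code or any vendor's, of what a CDP does stripped to its essentials: every change to a file is stored as a new version, and any earlier version can be restored. The store layout and the polling-based change detection are assumptions for illustration; a real product subscribes to filesystem change events, which is what keeps its CPU use low. The main function simulates ransomware overwriting a file and rolls it back:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Store keeps every version of every file it has seen, under
// Dir/<relative path>.versions/<sequence number>. The layout is an
// assumption for this example, not any product's format.
type Store struct {
	Dir      string
	lastHash map[string]string // relative path -> hash of the last stored copy
	seq      map[string]int    // relative path -> versions stored so far
}

func NewStore(dir string) *Store {
	return &Store{Dir: dir, lastHash: map[string]string{}, seq: map[string]int{}}
}

// Snapshot walks src and stores a new version of every file whose content
// changed since the previous call, returning the relative paths it captured.
// Re-hashing the tree on every call is the simple, CPU-hungry way to find
// changes; a real CDP reacts to filesystem change notifications instead.
func (s *Store) Snapshot(src string) ([]string, error) {
	var changed []string
	err := filepath.WalkDir(src, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(src, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		h := hex.EncodeToString(sum[:])
		if s.lastHash[rel] == h {
			return nil // unchanged since the last snapshot
		}
		s.seq[rel]++
		dst := filepath.Join(s.Dir, rel+".versions", fmt.Sprintf("%06d", s.seq[rel]))
		if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(dst, data, 0o600); err != nil {
			return err
		}
		s.lastHash[rel] = h
		changed = append(changed, rel)
		return nil
	})
	return changed, err
}

// Restore writes version n of rel to dst; n == 0 selects the newest version.
// Choosing an older n is how a file ransomware has overwritten gets rolled back.
func (s *Store) Restore(rel string, n int, dst string) error {
	vdir := filepath.Join(s.Dir, rel+".versions")
	entries, err := os.ReadDir(vdir)
	if err != nil {
		return err
	}
	if n == 0 {
		n = len(entries)
	}
	if n < 1 || n > len(entries) {
		return fmt.Errorf("%s: no version %d (have %d)", rel, n, len(entries))
	}
	data, err := os.ReadFile(filepath.Join(vdir, fmt.Sprintf("%06d", n)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, data, 0o600)
}

func main() {
	src, _ := os.MkdirTemp("", "cdp-src")
	storeDir, _ := os.MkdirTemp("", "cdp-store")
	defer os.RemoveAll(src)
	defer os.RemoveAll(storeDir)
	store := NewStore(storeDir)
	doc := filepath.Join(src, "notes.txt")
	os.WriteFile(doc, []byte("quarterly figures\n"), 0o600)
	store.Snapshot(src)
	os.WriteFile(doc, []byte("<overwritten by ransomware>\n"), 0o600) // simulated attack
	store.Snapshot(src)
	if err := store.Restore("notes.txt", 1, doc); err != nil {
		panic(err)
	}
	data, _ := os.ReadFile(doc)
	fmt.Printf("restored: %s", data)
}
```

Note that the store directory here is only a stand-in: in production the versions must sit where a compromised endpoint has no write access, or the attacker simply deletes or encrypts them too. The restore test in main is the check the section asks for; run it before you trust the product.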

Use strong encryption across-the-board

"Strong encryption with proper key management is so so important," says Miliefsky. "You can solve a lot of problems with that."

Stolen data is of little use to the thief if it was encrypted and the keys were not taken with it: the criminals escape with ciphertext they cannot read. That "if" is why key management matters as much as the cipher.

To be truly effective, encryption needs to be set up across the board, covering data both in transit and at rest.

"Can citizens reclaim their privacy?" asks Miliefsky. "If strong encryption is allowed by our governments, there will be less breaches."

Inventory all your organisation's devices and systems, from employees' personal smartphones to company databases, and find encryption tools that can protect all of them. This may entail deploying a mix of different solutions.
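The "proper key management" Miliefsky refers to is easiest to show with envelope encryption. The following is an added example, not code from the article or from any product: each object is encrypted under its own data key (DEK) with AES-256-GCM, the DEK is stored only after being wrapped by a key-encryption key (KEK), and rotating the KEK re-wraps the DEKs without touching the encrypted data. The key ids, the Envelope layout and the in-memory KEK map are assumptions standing in for a real key store or HSM:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the stored form of one encrypted object. The data key appears
// only wrapped, so a stolen envelope is worthless without the KEK that wrapped it.
// The layout and the key ids are assumptions for this example.
type Envelope struct {
	KeyID      string // which KEK wrapped the DEK; looked up again at rotation time
	WrappedDEK []byte // per-object data key, AES-256-GCM encrypted under the KEK
	Ciphertext []byte // the data, AES-256-GCM encrypted under the DEK
}

// newKey returns 32 random bytes, an AES-256 key.
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext || tag;
// aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; any change to the blob or the aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt makes a fresh DEK for this object, encrypts the data with it, and
// wraps the DEK under the named KEK. The KEK itself never touches the data.
func Encrypt(kekID string, kek, plaintext []byte) (*Envelope, error) {
	dek := newKey()
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID)) // bind the wrap to its KEK id
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt looks up the KEK named in the envelope, unwraps the DEK and opens the data.
func Decrypt(keks map[string][]byte, e *Envelope) ([]byte, error) {
	kek, ok := keks[e.KeyID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", e.KeyID)
	}
	dek, err := open(kek, e.WrappedDEK, []byte(e.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, e.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a different KEK and leaves the ciphertext alone,
// so retiring a KEK costs one small AES operation per object, not a bulk re-encrypt.
func Rotate(keks map[string][]byte, e *Envelope, newID string) error {
	oldKEK, okOld := keks[e.KeyID]
	newKEK, okNew := keks[newID]
	if !okOld || !okNew {
		return errors.New("rotation needs both the old and the new KEK")
	}
	dek, err := open(oldKEK, e.WrappedDEK, []byte(e.KeyID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte(newID))
	if err != nil {
		return err
	}
	e.WrappedDEK, e.KeyID = wrapped, newID
	return nil
}

func main() {
	keks := map[string][]byte{"kek-2017q3": newKey()} // stand-in for a key store or HSM
	env, _ := Encrypt("kek-2017q3", keks["kek-2017q3"], []byte("account 12345678, balance 1204.10"))
	keks["kek-2017q4"] = newKey()
	_ = Rotate(keks, env, "kek-2017q4")
	delete(keks, "kek-2017q3") // retire the old KEK; the data stays readable
	pt, err := Decrypt(keks, env)
	fmt.Println(string(pt), err)
}
```

The split between DEK and KEK is what makes "across the board" workable: the bulk data can sit on any disk, phone or backup tape, while the only secret that has to be guarded and rotated is the small set of KEKs.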

Train staff continuously

Effective training is the only way to ensure all your colleagues understand and follow your organisation's security policies. Education is particularly crucial for preventing spear phishing, remote access trojans (RATs) and ransomware, all of which usually start with someone clicking a link or opening an attachment.

"Don't click anymore, or let's switch to text only," says Miliefsky. "Don't send attachments through email. Simple things we can do to buy us a little more time to be successful and to stop the hackers and get on the offensive because we need to."

To ensure that staff understand the risks and know how to avoid them, train them regularly on how to avoid breaches, using fun and visual methods to keep them engaged. Send them updates on new threats as they emerge and regularly test them on their knowledge.

Conduct a root cause analysis

Most breaches could have been stopped before they happened. Get ahead of the attackers by identifying your vulnerabilities and closing the gaps in your defences before an attack reaches them.

"If the holes are closed it's harder to exploit them," explains Miliefsky.

A root cause analysis will help expose your weaknesses. Track down every CVE that applies to your systems, understand how a breach through each one would unfold, and eliminate the cause rather than treating the symptom.

Consider 'time-based security'

"What could you do to slow down the completion of the exploit such that the completion of it took longer than the prevention of the exploit?" asks Miliefsky. "Is this a crazy idea? It's 'time-based security'."

The strategy was devised by information security expert Winn Schwartau. His concept is that the only true metric of an information security system is the time it takes an attacker to breach it.

The time-based security approach quantifies the effectiveness of security by measuring the time a defence holds against an attack (protection, P) against the time it takes to detect (D) and react (R) to it: the defence is adequate only while P exceeds D + R. The results show where your weaknesses are and which defences need fortifying.
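As an added worked example, not from the article or from Schwartau's own material, here is the P > D + R test applied to a password-guessing attack: the protection time P is how long the attacker needs to guess a six-digit PIN under a given attempt limit, and D and R are the times the defenders take to detect and react. The PIN space, guess rates and detection and reaction figures are constructed for illustration:

```go
package main

import (
	"fmt"
	"time"
)

// Control is one defensive setting, described by how many guesses it lets an
// attacker make per window. The values used below are constructed for this example.
type Control struct {
	Name      string
	PerWindow int
	Window    time.Duration
}

// ProtectionTime is Schwartau's P for a guessing attack: the expected time an
// attacker needs to try half the space under this control's attempt budget.
func (c Control) ProtectionTime(space int) time.Duration {
	expectedGuesses := float64(space) / 2
	windows := expectedGuesses / float64(c.PerWindow)
	return time.Duration(windows * float64(c.Window))
}

// Assessment reports whether P exceeds D + R and, if not, how long the
// attacker has free rein before the defenders react (E = D + R - P).
type Assessment struct {
	Control  string
	P, D, R  time.Duration
	Exposure time.Duration
	Holds    bool
}

func Assess(c Control, space int, detect, react time.Duration) Assessment {
	p := c.ProtectionTime(space)
	a := Assessment{Control: c.Name, P: p, D: detect, R: react}
	if e := detect + react - p; e > 0 {
		a.Exposure = e
	} else {
		a.Holds = true
	}
	return a
}

func main() {
	const pinSpace = 1_000_000                        // six-digit PIN
	detect, react := 20*time.Minute, 10*time.Minute // constructed SOC figures
	controls := []Control{
		{"no rate limit (1000 guesses/s)", 1000, time.Second},
		{"lockout: 5 guesses per 15 min", 5, 15 * time.Minute},
	}
	for _, c := range controls {
		a := Assess(c, pinSpace, detect, react)
		fmt.Printf("%-32s P=%v D+R=%v holds=%t exposure=%v\n",
			a.Control, a.P, a.D+a.R, a.Holds, a.Exposure)
	}
}
```

Without a limit the attacker finishes in about eight minutes against a half-hour detect-and-react window, so the defence fails with over twenty minutes of exposure; the lockout pushes P into years, which is exactly the "slow down the completion of the exploit" that Miliefsky describes. The same calculation works for any control you can express as a cost per attempt.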

Copyright © 2018 IDG Communications, Inc.