In the third quarter of Super Bowl LI, the New England Patriots trailed the Atlanta Falcons by a score of 28-3. History was against the Patriots’ chances of rallying for a comeback win. No team had ever overcome such a large deficit — especially so late in the game — to capture the NFL championship. And yet, against the odds, the Patriots stormed back to earn an improbable victory and their fifth Lombardi Trophy. Their win was the embodiment of Yogi Berra’s famous saying, “it ain’t over ‘til it’s over.” It also stands as an example for organizations fighting the good fight against hackers.
You see, hackers are persistent and patient. They know they’ll lose more often than they win, but the payoff when they do win — predicted to reach $6 trillion annually by 2021 — keeps them going. Unfortunately, we are too often blinded by short-term perspective when it comes to cyberdefense. We think that if a hacker succeeds in getting past our perimeter, we’re done for and we go into damage control mode. When we understand the way our opponent operates, however, we can shift our strategy to the long game because, as we’ve learned, there are numerous steps involved in a successful attack, and each gives us an opportunity to stop the hacker’s progress and win the game.
In football, advance scouting is key to knowing an opponent’s strengths and weaknesses. Coaches closely examine game film to understand tendencies. They organize scrimmages against a practice squad intended to mimic the opponent by using their own playbook. They test schemes that are designed to succeed against whatever the opponent is likely to do, both offensively and defensively. When the team has gone through such drills, they can take the field with confidence, knowing that they are prepared to win — even if things don’t always go their way.
Your enterprise can have that same confidence if you understand the life cycle of an attack and the steps that must take place in order for an attack to be successful. While there may be many components in a hacking campaign, at its simplest level every successful attack has four phases. To maintain the metaphor, let’s think of them as quarters in a game:
• First Quarter/Spread: The initial campaign during which malware is distributed to the target.
• Second Quarter/Drop To Disk: The malware is transferred to the target’s machine.
• Third Quarter/Execution: The malware takes action consistent with its mission.
• Fourth Quarter/Beacon: Also known as command-and-control (C2) — the malware attempts to complete its mission by contacting an outside entity.
Clearly, the most effective way to stop a hacker from winning is with a stout first-quarter defense. If you can keep malware from getting past your firewall, you’ve prevented the attack. But it is extremely difficult to maintain a strong network boundary in the age of mobile and cloud computing, when road warrior employees may spend more time outside of an enterprise’s traditional perimeter. Careless people and clever hackers may well manage to get illicit code behind your outer defenses — but don’t lose heart. The game has three quarters remaining before the final score is tallied.
If the game enters the second quarter and a hacker campaign succeeds in getting a malicious file onto an unsuspecting person’s laptop or another device, it is still possible to detect the file and remove it from the device or network before it has a chance to execute and perform its intended task. And if the third quarter arrives, the action taken by that file to do what it was designed to do — find valuable data and bundle it for exfiltration, intercept sensitive files or user credentials, hijack legitimate application functions for misuse, or some other unauthorized deed — can expose the breach and give the enterprise time to interdict, isolate and eliminate the threat.
And, finally, for the hacker to win at the close of the fourth quarter, they must somehow connect the code inside the enterprise to an entity on the outside that can receive whatever information they want to exfiltrate, or carry out whatever damaging action is required to finish the job.
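The fourth-quarter defense described above rests on one observable: malware that must "phone home" tends to contact the same outside host at near-regular intervals, whereas a person browsing produces bursty, irregular traffic. The following is an added example, not code from the original article, showing one way a defender can hunt for that pattern in outbound proxy logs. The log format (timestamp, source IP, destination host, bytes) and the sample lines are constructed for this example; the thresholds (`min_connections`, `max_cv`) are assumptions to tune against your own traffic.

```python
"""Hunt for C2 beaconing in outbound proxy logs (added example).

Heuristic: group connections by (source, destination), compute the gaps
between successive connections, and flag pairs whose gaps are both
numerous and tightly clustered (low coefficient of variation). Assumed,
constructed log format: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.7 checks in with one host roughly every
# 60 seconds with a few seconds of jitter (beacon-like), while 10.0.0.5
# shows irregular, browsing-like traffic to a content host.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 cdn.example-assets.invalid 18230
2024-01-01T10:00:00 10.0.0.7 update-check.example.invalid 312
2024-01-01T10:00:03 10.0.0.5 cdn.example-assets.invalid 9020
2024-01-01T10:00:05 10.0.0.5 cdn.example-assets.invalid 4410
2024-01-01T10:01:02 10.0.0.7 update-check.example.invalid 309
2024-01-01T10:01:59 10.0.0.7 update-check.example.invalid 315
2024-01-01T10:03:01 10.0.0.7 update-check.example.invalid 311
2024-01-01T10:04:00 10.0.0.7 update-check.example.invalid 310
2024-01-01T10:05:03 10.0.0.7 update-check.example.invalid 314
2024-01-01T10:05:58 10.0.0.7 update-check.example.invalid 308
2024-01-01T10:07:01 10.0.0.7 update-check.example.invalid 312
2024-01-01T10:12:40 10.0.0.5 cdn.example-assets.invalid 22100
2024-01-01T10:12:41 10.0.0.5 cdn.example-assets.invalid 1500
2024-01-01T10:15:00 10.0.0.5 mail.example.invalid 700
2024-01-01T10:30:00 10.0.0.5 cdn.example-assets.invalid 6100
"""


def parse_log(text):
    """Return {(src_ip, dst_host): [datetime, ...]} from the assumed format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A CV near 0 means the connections are evenly spaced; bursty browsing
    gives a CV well above 1. Identical timestamps yield an infinite CV so
    that a burst of simultaneous requests is never mistaken for a beacon.
    """
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def find_beacons(text, min_connections=6, max_cv=0.2):
    """Flag (src, dst) pairs with many connections at near-regular intervals.

    Both thresholds are assumptions for this example; tune them against a
    baseline of your own environment's traffic.
    """
    hits = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        avg, cv = beacon_score(stamps)
        if cv <= max_cv:
            hits[pair] = {"connections": len(stamps),
                          "mean_interval_s": avg, "cv": cv}
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {stats}")
```

In the sample, only the 10.0.0.7 to update-check.example.invalid pair is flagged: eight connections about 60 seconds apart with a CV under 0.05. The browsing host makes six connections to its content host, but the gaps range from one second to over seventeen minutes, so its CV is above 1 and it is ignored. Real malware adds jitter to evade exactly this kind of check, which is why the threshold is a tunable rather than a constant, and why this heuristic belongs alongside (not instead of) the earlier-quarter controls the article describes.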
This is where game simulation and understanding the opponent come into play. By mimicking the plans and strategies hackers employ, you can identify the weaknesses in your own approach to cybersecurity. Whether the threat is a new wrinkle in the adversary’s playbook, one designed for your industry or for certain systems in your IT environment, or a tried-and-true, garden-variety attack that is often recycled, testing the efficacy of your security controls — and adjusting accordingly — must be a continuous process. That not only closes the gaps in your defenses but also informs your team how best to respond in the event of a breakdown. Can your halfback pick up the blitz if a linebacker is bearing down on your quarterback from the blindside? Do you have an option for a short outlet pass if your receivers are covered downfield? Practicing each scenario with real-time simulation tests your assumptions; it helps you refine a security plan in advance of game-time implementation and makes it easier to call in-game audibles should things go off-script.
In Super Bowl LI, things didn’t go well for the Patriots for the first forty minutes, but they knew they had the stamina to outlast the Falcons — and the talent to score when Atlanta’s defense got tired. The mantra on the sidelines that day was “do your job,” and even though it took them into overtime, they got the job done. With good coaching, good preparation, game-time simulation, and a thorough understanding of your opponent’s playbook, you and your team can acquire the knowledge needed to do your job — and win the game, too.