Written by: Ryan Lee, Sean Lee, Chua Eng Hock
Despite the billions of dollars invested in cyber security globally, why has the frequency of cyber-attacks continued to increase, with their consequences worsening1?
There is over-reliance on technologies to deal with the problem. However, cybercriminal and espionage activities are driven by human motivations – criminal groups and national intelligence agencies alike at their core. To combat these sinister people effectively, we must return to the essential warfare principles: cyber warfare in this context.
We have decades of combined military experience in the Singapore Armed Forces, with expertise in all facets of cybersecurity. As practitioners in the conventional art of war and now in cybersecurity, we have distilled the essentials of a sound cyber defence strategy based on these five core principles in eastern military philosophy:
Principle 1: “If you know the enemy and know yourself, you need not fear the results of a hundred battles.” – Sun Tzu
You need to understand yourself and your threats well, as a failure to do so usually results in either over or under-investment in cybersecurity. Understanding your company and the threats you face are two sides of the same coin.
First, know yourself thoroughly. Understand your ‘crown jewels’, your assets, strengths and weaknesses, and cyber risk appetite. Next, get to know your ‘enemies’. Understand their motivations, why they would target you, and what tactics, techniques, and procedures (TTPs) they would employ against you. Use threat intelligence sources to keep up to date on the rapidly evolving TTPs. Many threat intelligence software is available free from open-source communities or government sources.
With an understanding of the threats and yourself, perform periodical risk assessments and test your organisation to uncover the vulnerabilities in your company so that you know where to invest most critically in cyber defence.
Principle 2: “Secret operations are essential in war; upon them the army relies to make its every move.” – Sun Tzu
Operational security (OPSEC) is another ever-green aspect of military operations. This refers to the measures you take to protect sensitive information and critical assets from unauthorised access. This can include firewalls, intrusion detection systems, encryption, and secure data backup and recovery procedures.
People are critical vulnerabilities in OPSEC. Insider threats are a serious concern for businesses, just as they are for the military, and can be intentional or unintentional. For example, sexpionage is a well-known insider tactic in national security (James Bond is real!), and the same applies to businesses.
In the military, continuous measures are taken to detect and prevent insider threats. You should also implement personnel background checks and monitoring techniques to detect and nulify insider threats.
Principle 3: “All warfare is based on deception.” – Sun Tzu
Cyber criminals aim for maximum economy of effort in their exploits. They will target the weakest link in your organisation to achieve their sinister aims.
This is akin to asymmetric warfare, where deception and speed exploit an opponent’s weaknesses to achieve military victory. While traditional defence-in-depth cyber security tools such as firewalls and endpoint protection are essential, we must always assume that cybercriminals will use asymmetric tactics to bypass traditional obstacles and exploit other weaknesses. In truth, most weaknesses lie in people. You can implement anti-phishing measures to counter common asymmetric tactics such as phishing attacks, including employee training programs and multi-factor authentication (MFA) across all accounts.
Principle 4: “To be prepared beforehand for any contingency is the greatest of virtues.” – Sun Tzu
Military contingency plans are developed to respond to the most likely enemy’s courses of action. As the saying goes, “No battle plan survives first contact with the enemy.” A successful military campaign will require continuous monitoring of the situation and adaptation to the plans as the battle unfolds, and a dogmatic and static plan will lead to failure.
The same principle applies to cyber defence. You should have contingency plans in your organisation to respond to potential cyber-attacks. These plans can include procedures for incident response, data backup and recovery, and communication with stakeholders. Businesses must have good situational awareness of what’s happening in their environment with real-time monitoring and be prepared to respond to unforeseen scenarios.
Principle 5: “Armies are to be maintained for years but used in a single day.” – Extracted from the classic Chinese novel, Water Margin
“Operation sustainment” is a military term used to describe the continuous efforts and tempo to maintain the readiness of military units. You should also apply the same principle to maintain the readiness of your cybersecurity systems. This can include routine system updates and security patches, employee training programs, and conducting regular security audits. These activities may be routine and boring, but this is the point – being boring in cybersecurity is good! No news means good news.
Finally, red teaming or OPFOR (Opposing Force) exercises are used in military operations to test the effectiveness of defence strategies and tactics. In these exercises, an opposing force is created to simulate realistic threats and attacks. You should consider periodic red teaming exercises to holistically assess the readiness of your organisation’s cyber security posture, including technology, people, physical security, etc., and identify vulnerabilities.
Cybersecurity for All
By being aware of the threats, their strengths and weaknesses, being prepared for the long-term with a high level of readiness, companies from all sectors and of all sizes can minimise cyberattacks’ impact.
We are passionate about helping companies clear the ‘fog of war’, understand cybersecurity and implement the right strategy and tactics. We believe that every company, whether big or small, needs to and can protect itself against the invisible persistent threat to its business.
Founders of Heron Cybersecurity Team (Left to Right): Chua Eng Hock, Ryan Lee, Sean Lee
Contact us today to learn how we can help you strengthen your cyber defence. (email@example.com)
1 Data point taken from: https://dataprot.net/statistics/cyber-warfare-statistics/