Fatalism Is Sexy: Security’s New Mindset of The Inevitable Hack

In my industry reading this week, I came across the following notion a few times: getting hacked is inevitable – therefore, work on mitigating & containing the damage as much you work on border control. I don’t suppose anyone in the security business is getting ready to chuck their firewalls and IPS units out the door on the assumption that they’ve been hacked already, but the larger question raised was still a scary one to me. Are we really giving up hope that we can prevent a breach on our networks?

Most major hacks come from inside the perimeter so to speak (even if sourced externally), and it’s tough to defend against an attack when the attack source enjoys a level of trust. An attack from someone who’s entitled to be there is the ultimate Trojan horse: they look like reasonably contented employees on the outside, but on the inside, there’s treasonous intent. Or more frequently, even when those employees mean the best, they can invite trouble in from the outside, as external agents leverage the insider’s trusted status to gain access through spear phishing, the injudiciously inserted USB stick, and other social engineering hacks. However, there are complex security paradigms that exist to keep the bad guys who’ve established a beachhead from having access to too much. Standards such as HIPAA, SOX, and PCI are all schemes intended (in part) to prevent people from having access to too much information, and thus prevent data loss, privacy breaches, and WikiLeaks. In the new security mindset, complex paradigms, while relevant constructs often with legal ramifications, are implicitly insufficient. And that reminds of my favorite mantra from a former co-worker: compliance does not equal security. But I digress.

While humans are the ones behind the hacking, they have to have some flaw to take advantage of. What neither article mentioned in detail was the root cause of many breaches: bad applications. I’d love for an experienced software developer to come on the Packet Pushers podcast to help us understand why, after all these years, we’re still dealing with buffer overflows, SQL injection attacks and the like, especially on Internet-facing applications. And although certainly a recurring theme, bad applications are far from the only causes of breaches. Bad administrative practices due to human incompetence or lax policies are also contributors. Even the best of us are guilty of leaving a password unchanged now and again.

So upon reflection, I have to agree with this new notion of inevitable hacks…not that I’m resigned to being breached, but I think there’s a tactical advantage in thinking this way. Why? If you’re not actually compromised – but think as though you were – that could drive wiser behavior on the part of we IT security practitioners. Better detection methods. More proactive thinking about “what if” scenarios. Imagining the enemy inside the gate makes one stop looking proudly at the massive walls, alligator-filled moats, and tall watchtowers at our network’s periphery that are supposed to keep the enemy out. The focus widens to include contemplation of what a miscreant might be able to pull off if they were already inside and no one was looking for them.

Hey, it worked for Frodo. Frodo & Sam managed to smuggle the ring all the way to Mount Doom right under Sauron’s watchful eye because he was too busy looking at his splendid gate and the enemies gathered there. It’s time that we do widen our focus beyond the border, assume the worst, and think about what we’re going to do about it.

Yeah, so I made us all Sauron in that analogy. Own it.


Overview of Co3 Systems, Inc. (A startup software firm addressing what to do when a breach happens.)
“Cambridge startup Co3 Systems Inc. is betting that the 3.2 million Massachusetts residents – nearly half – who have been victims of data breaches over the last four years will drive the demand for [John Bruce’s] company’s data breach management software.”

CrowdStrike (A stealth-mode startup.)
Among other services, CrowdStrike will, “Identify unknown compromised systems and data exfiltration channels, determine attribution and motivation of the intruders, and provide cyber counterintelligence strategies to respond to future intrusions.”

Security’s New Reality: Assume the Worst (Part 1 of 2 by Kelly Jackson Higgins.)
“Assuming the attacker is already inside, or soon will be, is a gradual but significant mindset shift under way in the security industry, which has been built on a defensive strategy of firewalls, antivirus, and other tools. There’s now a growing sense of fatalism: It’s no longer if or when you get hacked, but the assumption that you’ve already been hacked, with a focus on minimizing the damage.”

Damage Mitigation As The New Defense (Part 2 of 2 by Kelly Jackson Higgins.)
“Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies…Security experts say this mindset shift in security has been coming for some time, and has only recently become palpable in the way vendors are marketing their wares and in how enterprises are starting to rethink their traditional defenses.”


  1. says

    Love the Mordor graphic. On of the main points I try to hammer is the fact that firewalls are just screens and filters, not security end all. Applications are where 90% of the vulnerability lives. For example, what protocol uses port 80? The answer: anything you want. We all have to allow port 80 and 443 through the firewall both inbound to front end web servers and outbound from clients to the interwebz.

    With that in mind, as a networking-centric person, I see using proxies both inbound and outbound as a huge potential asset. For example we use ASM on F5. To me a firewall is like a hallway with cameras … if Frodo and Sam dress up as Orcs we may be powerless to stop them from walking in the front door. However a proxy is more like a full security checkpoint and we are more likely to discover the hidden truth about the intruders.

    The other big piece is well disciplined application design and application level security. We as network guys can only do what we can in screening the Orcs as they come in the front door to make sure no double agents or hobbits make their way in. We can also make sure that we close down any back doors that the all seeing eye is not focused on.

  2. Jay Swan says

    Upon what data set are you basing your comment that most major hacks are internal? The Verizon DBIR (which is heavy on PCI cases) is the largest data set I know of that classifies internal vs external; it has shown a marked decrease in internal attacks over time, with only 4% classed as internal in the 2012 report. Their highest was in 2009 at 48%. Reports with smaller sample sizes, such as Mandiant’s M-Trends report, are similar. Is there another data set that shows something different?

    • says

      Not basing that comment on a data set, Jay. That’s simply been normative data for as long as I’ve kept up with general industry comments, i.e. you’re probably going to have better luck with social engineering on an insider to get a beachhead established on the inside as opposed to port scanning from the Internet and seeing what vulnerabilities you can scare up. Maybe I’m behind the times.

      A question though – are the reports you’re discussing about attacks or successful hacks? And do the reports differentiate between attacks that were successful solely on the basis of leveraging vulnerabilities in Internet-facing services and attacks that required inside assistance to be successful? And also…what about the scenarios of internal attacks, where the attack vector was done by an outside, but on an insider machine, i.e. malware infected USB stick someone popped into their laptop, wifi hack, that sort of thing?

      • Jay Swan says

        The two reports I mentioned analyze only successful attacks. They both categorize internal vs. external based on the threat rather than the vulnerability (as it should be, IMO). In other words, an outsider attacking an internal asset by any means would be classified as an external incident.

        They also differentiate between attack types, and it’s really interesting to compare them. Classic attacks against Internet-facing services are pretty rare in those reports, and are mostly application layer (SQL injection and similar). Most of the attacks leverage some combination of spear phishing, malware, remote access trojans, and stolen/shared credentials. Mandiant’s report stated that 100% of the incidents they investigated involved at least some usage of legitimate credentials (obtained through cache dumping, hash passing, packet sniffing, etc).

        Both of those reports have distinct sample populations, though: Verizon covers mostly PCI crime, and Mandiant covers mostly intellectual property theft by national actors. I haven’t seen any reports from say, the financial industry. Maybe there are more cases of straight internal fraud there, that just aren’t getting reported publicly.

        • says

          Got it, and thanks. I updated my paragraph above to better reflect terminology and the state of things. Hope I’m closer. Mrs. Y also set me straight over a Skype chat on this. Much appreciated, Jay.

Leave a Reply

Your email address will not be published. Required fields are marked *