Reacting to threats when they happen is easy. Pre-empting a threat and defending against it before it even occurs, when it’s just one potential threat that may or may not occur – that’s hard. It’s also your best chance at staying secure, minimising damage from security incidents, and in some cases, preventing security incidents from occurring entirely.

Understanding the concept of staying “Left of Bang”, outlined in the highly-recommended book of the same name¹, is vital to good security. To understand this concept – imagine a timeline of events – and at some specific point on this timeline, an attack takes place. That is the point where the bang occurs, and everyone starts reacting to the attack. Everything prior to that point, to the attack occurring, is considered left of bang. That’s where we want to be, and that’s where we want to do our best work. Once something goes ‘bang’, damage occurs, sometimes irrevocably so. We’ll be caught off guard, trying desperately to react and prevent further harm. It is much better to identify our threats and stop them before they ever reach this point.
1: “Left of Bang” by Patrick Van Horne and Jason A. Riley is a great book that should be recommended reading for everyone in the security industry.

This principle of proactive security applies across the board, whether you’re protecting your organisation from a cyber-attack, a terrorist attack, or simply from someone breaking and entering secure facilities.
Responding reactively to an attack, no matter how good a team is, will always have consequences. Whether it’s something catastrophic like lives lost, more palpable like operational downtime, data loss, reputational damage, or simply the time-cost of incident response – there is a cost.
Rather than waiting to detect an attack as it occurs, work to proactively identify it, and address your potential threats before they happen, not after. Search for suspicious activity that might predate an attack. Even earlier, work to identify potential attack pathways that exist towards your organisation. Identify, if you yourself were an adversary, what services would you target? How would you do this? As we’ve discussed before, put yourself in the shoes of the attacker, and answer this – how would you compromise yourself?
So, what are some concrete steps we can proactively take to protect ourselves?
1. Start by considering the adversarial perspective
- How would you attack yourself?
- What weaknesses exist in your system?
- What attack path would you choose to get around your security measures?
As part of this, regularly conduct adversarial activities – consider table-tops, red teams, and other similar simulations. Don’t limit yourself to a specific scope or set of rules – your adversary won’t, so you shouldn’t either.
2. Establish a baseline, and look for anything that deviates
Both short and long term deviations might indicate attempts to compromise your systems. Train your security personnel and staff to do this, and develop a good procedure for reporting and addressing these concerns.
- Is the man waiting in your lobby staying much longer than most people?
- Is the woman waiting for a tram outside your office showing signs of being nervous, and not actually getting on a tram?
- Or have you suddenly seen an increase in phishing emails over the last month?
3. Know what potential intrusions into your system look like
- Understand what behaviour is normal for your users and understand what behaviour is normal for a potential attacker. Finance users don’t poke around in IT shares (which they shouldn’t have access to anyway!) – but attackers definitely do.
- Make sure your attackers can’t hide in what would be standard behaviour elsewhere, but is an anomaly for you. If nobody at your company ever uses a remote desktop, seeing it in the network should be a red flag, and bears investigation.
4. Understand your potential attack surface from the perspective of your adversary
Determine every avenue, no matter how creative, an attacker might use to compromise you – is it physical entry to your building through the loading dock? Social engineering of an accountant, resulting in the installation of malware? Or compromise of that exposed service missing a key security patch?
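Steps 2 and 3 can be turned into a simple detection check. The sketch below is an added example, not part of the original article: it builds a per-department baseline of services, flags activity that is new for a department or for the whole organisation (the finance user in an IT share, the unexpected remote desktop session), and tests whether the latest phishing count stands out from earlier weeks. All departments, users, service names and counts are constructed sample data, and the three-standard-deviation threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events: (department, user, service). All names are hypothetical.
BASELINE_EVENTS = [
    ("finance", "alice", "smb:finance-share"),
    ("finance", "alice", "https:erp"),
    ("it", "carol", "smb:it-share"),
    ("it", "carol", "ssh:jump-host"),
]
NEW_EVENTS = [
    ("finance", "alice", "smb:finance-share"),  # matches the baseline
    ("finance", "bob", "smb:it-share"),         # finance user in an IT share
    ("it", "dave", "rdp:workstation-17"),       # remote desktop, never used here
]
# Constructed weekly counts of reported phishing emails; the last value is this week.
PHISHING_WEEKLY = [4, 6, 5, 3, 5, 4, 19]


def build_baseline(events):
    """Map each department to the set of services it normally uses."""
    seen = defaultdict(set)
    for dept, _user, service in events:
        seen[dept].add(service)
    return seen


def find_deviations(baseline, events):
    """Return events that are new for the department or for the organisation."""
    protocols = {s.split(":")[0] for svcs in baseline.values() for s in svcs}
    findings = []
    for dept, user, service in events:
        if service.split(":")[0] not in protocols:
            findings.append((user, service, "protocol never seen in organisation"))
        elif service not in baseline.get(dept, set()):
            findings.append((user, service, f"new for department {dept}"))
    return findings


def volume_spike(history, threshold=3.0):
    """True if the latest count exceeds mean + threshold * stddev of earlier counts."""
    *past, current = history
    sigma = pstdev(past) or 1.0  # avoid a zero-width band on flat history
    return current > mean(past) + threshold * sigma


if __name__ == "__main__":
    print(find_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS))
    print("phishing spike:", volume_spike(PHISHING_WEEKLY))
```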
Once you’ve got all this information put together, incorporate this into your security strategy. If you identify some weaknesses you’re not protecting, prioritise addressing these. If you notice a suspicious person hanging out in your lobby, go have a chat with them. If you think your staff are vulnerable to social engineering, arrange some security training.
In this way, you’re getting ahead of the curve – you’re not waiting for someone to call security about a guy they found ‘lost’, walking around the building – instead you’re making sure the perpetually open side door is locked, and our attacker is forced to go through the reception area instead.
"The most important aspect that underpins all these ideas – is engaging in the adversarial mindset, understanding how you might be targeted, and acting on that information to increase security before the attack – not after."
Taking the Next Step

If you’re looking to embrace a proactive approach to security, start by integrating adversarial simulation activities into your strategy.
- Conduct your own adversarial review of your security posture, of any new solutions, new processes, and plans. Red team yourselves. Red team your plans. Red team everything. Consider red team exercises and tabletop simulations, to validate your system works, and identify potential weaknesses you’re yet to discover.
- Embrace a culture of security awareness. Encourage everyone to think proactively about potential threats and continuously seek ways to improve your security measures.
In the world of security, staying ahead of potential threats is far more effective than reacting to them. Adopting a proactive approach to security is your best chance at staying secure.
