Which Is More Important: Offensive or Defensive Cybersecurity?

Ha, it’s a trick question! If you answered “both,” congratulations—you are correct.

Though the cybersecurity landscape is populated by black-hat hackers (the bad guys) and white-hat hackers (the good guys), the issue itself is by no means black and white. In fact, any analysis of the “offensive cybersecurity vs. defensive cybersecurity” question reveals that both approaches are necessary in the trillion-dollar war on cybercrime and ongoing military efforts to keep citizens and governments safe from high-tech cyber warfare.

Today, it’s essential to not only build the strongest possible defenses but also to deploy creative strategies to gain information on your attackers and how they are trying to breach your networks and penetrate your systems.

This idea that “the best defense is a good offense” is not just a slogan representing the conventional wisdom of the cybersecurity intelligentsia. It’s also the title of a report on the future of cybersecurity by the global defense, management and IT consulting firm Booz Allen Hamilton. In “The Future of Cybersecurity: The Best Defense Is a Good Offense,” the company speaks directly to all organizations when it waves the following red flag:

With the sophisticated techniques threat actors are using to mask their activities, the traditional (defensive) approach of ‘building bigger fences’ will no longer suffice. The only way organizations can protect themselves is by unleashing offensive cyber techniques to uncover advanced adversaries on their networks.

As an example of what going on the offensive might look like, one strategy the company uses is to configure fake computers in a phony, intentionally vulnerable network that functions as “a virtual mousetrap” to lure cyber adversaries; when the hackers bust in, they reveal valuable information about their identities, tactics and intentions.

Cyber Security Game Plan: Tenacious Defense, Penetrating Offense

A tenacious defense is obviously essential. Every organization must be sure protocols are in place to address network security, cloud security, application security, IoT (Internet of Things) security, etc.—safeguarding against unpatched software, phishing attacks, malware, ransomware, Trojan horses and additional threats both known and unknown.

However, the new conventional wisdom is that you can harden your perimeter and your attack surfaces as well as patch perceived vulnerabilities until the proverbial cows come home, but your work will only begin there.

Unfortunately, the black hats have the advantage of surprise. You don’t know who they are, and you don’t know when, where or how they will attack next. However, offensive cyber security can diminish this advantage considerably.

In addition, cybercrime tactics have advanced, and incidents have escalated so quickly that the black hats enjoy another key advantage—the white hats are currently undermanned. Seriously undermanned, in fact, with well over a million unfilled jobs worldwide (projected to rise as high as 3.5 million unfilled cybersecurity positions by 2021, according to Cybersecurity Ventures).

As someone whose work puts me on the front lines of educating the next generation of cybersecurity professionals, I am thoroughly convinced that approaching cybersecurity with a strictly defensive mindset is a recipe for digital disaster.

It turns out that pre-cyberspace strategists like George Washington and Vince Lombardi had it right—a strong combination of defensive and offensive strategy is absolutely imperative when it comes to winning the war on cybercrime.

About the Author: Michelle Moore, Ph.D., is academic director and adjunct professor for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cybersecurity policy analyst with over two decades of private-sector and government experience as a cybersecurity expert.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.