MCP Insights

Cybersecurity Needs to Be as Offensive as It Is Defensive

Posted on November 21, 2023 by Jason Franks

The adage “the best defense is a good offense” is often attributed to Knute Rockne, the legendary football coach who roamed the sidelines at the University of Notre Dame early in the last century. But that might be incorrect.

In 1799, George Washington — who led the Continental Army during the Revolutionary War — said that “offensive operations, often times, is (sic) the surest, if not the only (in some cases) means of defense.” A couple thousand years before that, the ancient Chinese military strategist Sun Tzu wrote in his seminal book, The Art of War, “Attack is the secret of defense; defense is the planning of an attack.”

Regardless of the adage’s origin, the concept it expresses can and should be applied by public-sector organizations to cybersecurity, which is a battleground featuring an enemy, cyberattackers, that gets better and stronger by the day, if not the hour.

Most efforts that we have seen thus far focus on defense, which is perfectly understandable. Common defensive tactics include the following:

  • Monitoring and detecting
  • Security infrastructure, e.g., firewall, antivirus, and endpoint protection
  • Vulnerability management, e.g., ensuring that patches are applied promptly, especially in the immediate aftermath of a threat advisory
  • Incident response
  • Policy and compliance
  • Awareness and training

These all are effective, especially in a comprehensive cybersecurity strategic plan. But thinking has evolved to the point where many believe it is time to take the battle to the enemy. Offensive tactics are as follows:

  • Penetration testing
  • Vulnerability scans
  • Threat hunting
  • Advanced persistent threat (APT) simulations
  • Risk assessments
  • Security auditing

Of these, penetration testing and vulnerability scans, which work hand in hand, are the most important. I’ve written about the tactics many times. While these terms might seem to be synonyms, they are not. Penetration tests simulate how a cyberattacker might gain access to the network environment and then what will happen to systems and devices afterward. Such tests are done manually and should be conducted quarterly, annually at a minimum. In contrast, vulnerability scans are automated processes that dive more deeply into the identified vulnerabilities to better understand why they exist — such understanding is the key to eliminating each vulnerability. These should be conducted weekly.

The next two offensive tactics are threat hunting and APT simulations. These tactics go a long way toward maintaining an effective cybersecurity posture. In the latter, the sophisticated techniques and tactics used by advanced and persistent adversaries are simulated. The primary goal is to assess the effectiveness of an organization's security measures in detecting and responding to sophisticated cybersecurity threats. In its simplest form, you can think of this as a next-level penetration test. Threat hunting is a proactive and continuous process of searching for signs of malicious activity or security threats within an organization's network or systems. The goal is to identify and eliminate potential threats that may have evaded traditional security measures.

MCP’s cybersecurity team would welcome the opportunity to help you develop a cybersecurity strategic plan that contains both offensive and defensive elements — please reach out.

Jason Franks is an MCP cybersecurity specialist. Email him at

Topics: Cybersecurity
