Hacking protection – a never-ending competition inside companies?

The topic of hacking guarantees exciting Hollywood moments. In the real world, however, we are making little progress on hacking prevention. Both for the same reason: The actions of hackers seem mysterious because most people know little about them. For some, this mystery is a thrill; for others, it is the constant fear of becoming the next victim.

This fear often turns into lethargy in companies: “Hackers always win anyway.” This attitude couldn’t be further from the truth: Companies record hacking attempts every day, and yet almost all of them go unhacked almost all of the time.

“To deal with cyber risks more confidently, we need to replace fiction with facts.”

We have already succeeded in reaching a fact-based perspective in other risk areas, such as the race against biological viruses. Although our understanding of biological organisms is rudimentary, we have successfully reduced the risk of many diseases through diagnostics, immunization, and treatment.

Technical systems and organizations are highly complex, but nowhere near as complex as biological organisms. Anyone who sees an opportunity to actively influence the risk of disease cannot throw in the towel when it comes to cyber defense. The first step of this journey: Through continuous measurement and decentralized improvement, that is, through cybernetics, we can demystify hacking and reach the necessary level of protection.

Hacking is steeped in myth because we talk a lot about hackers, but rarely with them. The most important step is therefore to understand hackers and their approach. Large companies do this regularly by inviting security experts to attack simulations. Those are similar to military maneuvers in peacetime: Some of your own troops play the enemy to find weaknesses in your defenses. The name given to these hacking maneuvers, red-teaming, also comes from the military, where the enemy symbolically wears red uniforms.

In the first step, the red-teamers gain control over a single company computer, for example through malware delivered by email or through a vulnerable website. In most cases, this initial gateway is not a critical system, but it allows the hackers to look around the internal company network. In the second step, the red-teamers exploit vulnerabilities they find in internal applications and servers to incrementally expand their access over a period of weeks. In most cases, the hacking journey from the initial foothold to complete control of corporate IT takes less than a month.

Red-teaming replaces nerve-tingling with facts on how hackers go about penetrating the organization’s systems.

Each red-team exercise exposes the weakest link in the protection chain and what it takes to keep real hackers from breaking through. Red-teaming is not the only way for companies to understand hackers. The alternative, retrospectives on real security incidents, provides similar insights, but only after the damage has been done. Based on the red-teaming insights, the organization can focus on making life harder for the next hacker. Regular red-teaming simulations, or real security incidents, enable the weakest protection links to be improved incrementally.

Continuous improvement raises the next question: When has the company reached a sufficient level of protection?

Until now, this question has often remained unanswered, since companies do not quantify their hacking protection, i.e., they do not know how easy or difficult it is for a hacker to obtain important data. This must change to enable predictable risk management. What is not measured is hard to manage. Companies need a common yardstick to learn from each other and keep up with hackers.

For many, quantifying security escalates into hyperactivity: dozens of technical metrics are measured and compared over time. Like a weather report, the numbers go up and down without the organization knowing how to influence them. Measurements that do not clearly point to opportunities for improvement are therefore not useful.

Instead, a sensible metric is: a) accessible, even to security laypeople, b) formulated from the hacker point of view, and c) actionable, i.e., pointing to improvement steps.

The Hackability Score, a normalized benchmark with these three qualities, is useful here. It aggregates a large number of security measurements from regular security scans. This raw data is already available at most organizations. Security scans of large companies regularly find several hundred thousand vulnerabilities, but most of them do not help a hacker or a red-teamer. Taken on their own, the scans therefore cause more confusion and condemn security teams to frustrating extra work.

When summarizing the raw scan data into the Hackability Score, one question is asked for each measurement point: How much does it bother a hacker if this vulnerability disappears? This makes the prioritization of suggested actions explicit: Those actions that lower hackability the most also make life hardest for hackers. This is confirmed by the next red-team exercise, at the latest.

Since the Hackability Score is always calculated in the same way – for each organization, each team, or each network segment – it enables a dialog between peers, for example between national subsidiaries of a group. The score illustrates who can learn the most from whom on which topic. And it is just one example of a standardized metric that enables dialog about cyber risks – even between experts and laypeople. Every company needs such a yardstick and needs the dialog between peers.
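The following Python is an added illustration of the shape such a metric takes; it is not Autobahn Security's Hackability Score algorithm, whose weighting the text does not specify. Every scan finding gets an assumed attacker-usefulness weight, findings of no value to an attacker contribute nothing, the per-segment total is normalized to 0..100 so that teams or network segments of different size can be compared, and suggested actions are ranked by how much the score drops when one class of finding disappears. The weights, the scale constant, the `Finding` fields and the sample scan output are all constructed assumptions.

```python
"""Added illustration: aggregating raw scan findings into a normalized,
attacker-centric score and ranking fixes by how much they lower it.
Not the Hackability Score's real algorithm; all weights are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    segment: str          # team or network segment that owns the asset
    asset: str
    issue: str            # scanner finding class, e.g. "outdated-openssh"
    exposed: bool         # reachable from the internet or from a typical foothold
    exploit_public: bool  # a working exploit is publicly available
    privilege_gain: str   # what a successful exploit yields: "none", "user", "admin"


# Assumed weighting: what a finding is worth to an attacker.
PRIV_WEIGHT = {"none": 0.0, "user": 1.0, "admin": 3.0}
SCALE = 10.0  # assumed saturation constant for the 0..100 normalization


def attacker_value(f: Finding) -> float:
    """Attacker-usefulness of one finding; 0 means it does not help a hacker."""
    value = PRIV_WEIGHT[f.privilege_gain]
    if f.exposed:
        value *= 2.0
    if f.exploit_public:
        value *= 2.0
    return value


def segment_score(findings: list[Finding]) -> float:
    """Normalized 0..100 score for one segment.

    Summing raw attacker value and squashing it with raw / (raw + SCALE)
    makes segments of different size comparable and keeps thousands of
    worthless findings from dominating the number."""
    raw = sum(attacker_value(f) for f in findings)
    return round(100.0 * raw / (raw + SCALE), 1)


def group_by_segment(findings: list[Finding]) -> dict[str, list[Finding]]:
    by_segment: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_segment[f.segment].append(f)
    return by_segment


def scoreboard(findings: list[Finding]) -> dict[str, float]:
    """One score per segment: the basis for comparison between peers."""
    return {seg: segment_score(fs) for seg, fs in group_by_segment(findings).items()}


def prioritized_actions(findings: list[Finding]) -> list[tuple[str, str, int, float]]:
    """Rank (segment, issue) pairs by the score drop if that issue class is fixed.

    This is the question from the text: how much does it bother a hacker
    if this vulnerability disappears? Returns (segment, issue, assets, delta)."""
    actions = []
    for seg, seg_findings in group_by_segment(findings).items():
        before = segment_score(seg_findings)
        for issue in sorted({f.issue for f in seg_findings}):
            remaining = [f for f in seg_findings if f.issue != issue]
            delta = round(before - segment_score(remaining), 1)
            actions.append((seg, issue, len(seg_findings) - len(remaining), delta))
    # largest score reduction first; stable tie-break keeps output deterministic
    actions.sort(key=lambda a: (-a[3], a[0], a[1]))
    return actions


# Constructed sample scan output (not real data).
SAMPLE_FINDINGS = [
    Finding("web-dmz", "www1", "outdated-openssh", True, True, "admin"),
    Finding("web-dmz", "www2", "outdated-openssh", True, True, "admin"),
    Finding("web-dmz", "www1", "missing-http-headers", True, False, "none"),
    Finding("web-dmz", "www2", "missing-http-headers", True, False, "none"),
    Finding("office-lan", "ws-17", "smb-signing-disabled", False, True, "user"),
    Finding("office-lan", "ws-18", "self-signed-cert", False, False, "none"),
]

if __name__ == "__main__":
    for seg, score in scoreboard(SAMPLE_FINDINGS).items():
        print(f"{seg:12s} score {score:5.1f}")
    for seg, issue, n, delta in prioritized_actions(SAMPLE_FINDINGS):
        print(f"fix {issue:22s} in {seg:12s} ({n} assets): -{delta:.1f}")
```

On the sample data the two header-hygiene and certificate findings, which a scanner would flag just as loudly as the rest, produce a delta of zero, while patching the exposed SSH servers in the DMZ removes the entire segment score; that is the prioritization the text describes, made mechanical. Whatever weighting a real metric uses, the two properties worth keeping are that the weight is derived from attacker usefulness rather than scanner severity, and that every segment is scored by the same function so the numbers can be compared across teams.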

An easily accessible metric automatically turns into a race: Who can improve their Hackability Score the fastest and in the most sustainable way?

The challenge is decentralized: Every company, every domain, every team compares itself to its peer group. Since no one wants to have below-average protection, and most even strive for well above average hacking resilience, the race goes on and on – a positive cycle of continuous improvement. This way, the company achieves the desired demystification of hacking and makes progress on hacking protection transparent, which further fuels the improvement race.

One last ingredient is necessary to allow the virtuous cycle to run undisturbed: the organization’s confidence to drive decentralized improvements. Instead of managing hacking protection centrally, as is still the case in many companies, the only task of the “risk managers” should be to give decentralized teams a target corridor for their Hackability Score. How a team reaches that target is decided locally, often through shared learning in the peer group.

Hacking protection is achieved by:

1. Trust in decentralized self-organization

2. Friendly competition among peers (e.g., to reach a better Hackability Score)

3. Competition with real hackers (red-teaming)

“Decentralized improvement based on a common measurement method, in a word, cybernetics.”

Dr. Karsten Nohl
Autobahn Security GmbH

Dr. Karsten Nohl is a hacking expert and founder of Autobahn Security in Berlin. Karsten creates awareness for cybersecurity through hacking research and consulting. He is particularly fascinated by the trade-off between security and innovation.