The topic of hacking guarantees exciting Hollywood moments. In the real world, however, we are making little progress on hacking prevention. Both for the same reason: The actions of hackers seem to be mysterious because most people know little about them. For some, this mystery is a thrill; for others, it’s the constant fear of becoming the next victim.
This fear often turns into lethargy for companies: “Hackers always win anyway”. This attitude couldn’t be further away from the truth: Companies record hacking attempts every day, and yet almost all companies are not hacked almost over all time.
“To deal with cyber risks more confidently, we need to replace fiction with facts.“
We have already succeeded in reaching a fact-based perspective in other risk areas, such as the race against biological viruses. While our knowledge of biological organisms is limited, we have made strides in mitigating disease risks through diagnostics, immunization, and treatment.
Technical systems and organizations are highly complex, but nowhere near as complex as biological organisms. Anyone who sees an opportunity to actively influence the risk of disease cannot throw in the towel when it comes to cyber defense. The first step of this journey: Through continuous measurement and decentralized improvement — that is, through cybernetics — we can demystify hacking and reach the necessary level of protection.
Hacking is steeped in myth because we talk a lot about hackers, but rarely with them. The most important step here is to understand hackers and their approach. Large companies do this regularly by inviting security experts to attack simulations. Those are similar to military maneuvers in peacetime: Some of your own troops play the enemy to find weaknesses in your defenses. The name of hacking maneuvers, red-teaming, also comes from the military — symbolically, the enemies wear red uniforms.
In the first step, the red-teamers gain control over a single company computer. This happens, for example, via email malware or vulnerable websites. The initial getaway is typically non-critical but enables hackers to observe the internal company network. Secondly, the red-teamers exploit vulnerabilities they find in internal applications and servers to incrementally expand their access over a period of weeks. In most cases, the hacking journey from the initial foothold to the complete control of corporate IT takes less than a month.
Red-teaming replaces nerve-tingling with facts on how hackers go about penetrating the organization’s systems.
Each red-team exercise exposes the weakest link in the protection chain and what it takes to keep real hackers from breaking through. Red-teaming is not the only way for companies to understand hackers. The alternatives are retrospectives on real security incidents that provide similar insights, but only after the damage has already been done. Based on the red-teaming insights, the organization can focus on making life harder for the next hacker. Regular red-teaming simulations – or real security incidents – enable improving the weakest protection links incrementally.
Continuous improvement raises the next question: When has the company reached a sufficient level of protection?
Companies frequently lack quantification of their hacking protection, leaving the question unanswered regarding fata vulnerability. This must change to enable predictable risk management. Anything you do not measure is hard to manage. Companies need a yardstick benchmark to learn from each other and keep up with hackers.
Quantifying security can escalate into a hyperactivity for many – often measuring dozens of technical metrics and comparing them over time. Like the weather report, the numbers go up and down without the organization knowing how to influence them. Measurements that do not clearly point to opportunities for improvement are thus not useful.
Instead, a sensible metric is: a) accessible, even to security laypeople, b) formulated from the hacker point of view, and c) actionable, i.e., pointing to improvement steps.
Here the Hackability Score as a normalized benchmark that provides these three qualities is very useful. It aggregates a large number of security measurements from regular security scans. This raw data is already available at most organizations. Security scans of large companies regularly find several 100,000 vulnerabilities, but most of them do not help a hacker or a red-teamer. As a result, the scans cause more confusion and condemn security teams to frustrating extra work.
When summarizing the raw scan data into the Hackability Score, one question comes for each measurement point: How much does it bother a hacker if this vulnerability disappears? Thereby, it clearly specifies which suggested actions are prioritized: Those actions that lower hackability the most also make life the hardest for hackers. At the latest, red-team exercise confirms this.
Since the Hackability Score is always calculated in the same way – for each organization, each team, or each network segment – it enables a dialog between peers, for example between national subsidiaries of a group. The score illustrates who can learn the most from whom on which topic. And it is just one example of a standardized metric that enables dialog about cyber risks – even between experts and laypeople. Every company needs such a yardstick and needs the dialog between peers.
An easily accessible metric automatically turns into a race: Who can improve their Hackability Score the fastest and in the most sustainable way?
The challenge is decentralized: Every company, every domain, every team compares itself to its peer group. With a collective aspiration for exceptional hacking resilience, the pursuit of continuous improvement persists. By demystifying hacking and promoting transparency in protection, the company fosters progress and fuels the cycle of improvement.
For the virtuous cycle to thrive, organizational confidence in driving decentralized improvements is crucial. Risk managers should empower decentralized teams by offering a target corridor for their Hackability Score, instead of centrally managing hacking protection. How a team achieves these goals is decided decentrally, often through shared learning in the peer group.
Hacking protection is achieved by:
1. Trust in decentralized self-organization
2. Friendly competition among peers (e.g., to reach a better Hackability Score)
3. Competition with real hackers (red-teaming)
“Decentralized improvement based on a common measurement method, in a word, cybernetics.“
Dr. Karsten Nohl
Autobahn Security GmbH
Dr. Karsten Nohl is a hacking expert and founder of Autobahn Security in Berlin. Karsten creates awareness for cybersecurity through hacking research and consulting. He is particularly fascinated by the trade-off between security and innovation.