Security framework to determine whether defenders are winning

Columbia University researcher and longtime security practitioner Jason Healey will present at Black Hat USA a new framework to determine defensive advantage.

LAS VEGAS -- A session at Black Hat 2024 attempts to answer, or at least move toward an answer to, the question, "Are defenders winning?"

The "Is Defense Winning?" session will be held on Wednesday at Black Hat and hosted by Jason Healey, a senior research scholar at Columbia University's School for International and Public Affairs. Healey, a longtime security practitioner who previously founded pioneering cyber initiatives such as the Office of the National Cyber Director, will present a framework he's developing for determining how successful defenders are in the decades-long fight to keep cybercriminals at bay.

In a pre-briefing for the session, Healey told TechTarget Editorial that he discovered the need for such a framework when, during research, he was finding decades-old quotes relating to ideas such as the red team always getting through and that security "cannot be added by retrofit." He realized that the attacker advantage is something security practitioners have been dealing with for 50 years.

"What have we been doing in our field for 50 years, for all of the billions of dollars spent, for all of the work leading to missed kids' birthdays?" he said. "If anything, defenders still feel like we're falling farther behind. And that's what has driven me."

Healey explained that although it is a topic that he has cared about for years, the culture began moving more in the same direction with the release of the White House's National Cybersecurity Strategy in March 2023. This plan brought with it a large-scale initiative to improve national defense.

This is not to say that defenders haven't improved. Healey said some indicators are leaning in the right direction, and there is some reason to feel optimistic. That said, the goal is to move the push and pull of the eternal battle of defenders and adversaries back in favor of the defenders. One piece of that involves improving the data used to determine how defenders and attackers are doing, which is where the framework comes in.

The framework, which did not have a name as of Healey's conversation with TechTarget Editorial, is a series of indicators and data points. Some of these data points are already tracked, such as mean time to detect. He noted Verizon's Data Breach Investigations Report as one that has tracked this data point for over a decade. Lower times to detect mean defenders are getting better at finding adversaries, while higher times mean adversaries are doing a better job at not being detected.

But Healey said other data points should be developed too, such as "mean time between catastrophes." The framework would also track zero-day activity, as well as the impact and severity of cyberattacks, as indicators.

Healey said he's looking to paint a picture of how aggressively threat actors are forced to adapt to defender behavior. It's not as simple as saying that fewer zero-days means attackers are on their back foot. Quite the opposite, he said.

"In this talk, I'll be talking about a proposition: If you're doing a better job disrupting adversaries, what would you expect to see? More frequent adversary turnover in their tactics, techniques and procedures, or TTPs," he said. "We would expect to see a decrease in their use of the easiest TTPs, a decrease in logging in using valid credentials that they bought or sold and an increase in the more difficult, expensive, costly TTPs that we've forced them to hack -- and not just forced them to hack but forced them to use more and more vulnerabilities as well as higher zero-day prices and more zero days."
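The indicators described above (mean time to detect, mean time between catastrophes, turnover in adversary TTPs, and the shift away from easy techniques such as logging in with valid credentials toward costlier exploitation) can all be derived from an organization's own incident records. The Python below is an added illustration written for this article, not code from Healey or his framework; the incident records, the grouping of techniques into "easy" versus "costly" (the article does not publish such a classification), and the year-over-year comparison are constructed assumptions, with MITRE ATT&CK technique ids used only as labels.

```python
from datetime import date
from statistics import mean

# Constructed incident records (illustrative, not real breach data). Each record
# carries the detection lag in days, whether the analyst classed the incident as
# a "catastrophe", and the ATT&CK technique ids observed (T1078 = Valid Accounts,
# T1566 = Phishing, T1190/T1203/T1068 = exploitation techniques).
INCIDENTS = [
    {"id": 1, "found": date(2023, 1, 10), "days_to_detect": 40, "catastrophic": True,  "ttps": {"T1078", "T1566"}},
    {"id": 2, "found": date(2023, 4, 15), "days_to_detect": 30, "catastrophic": False, "ttps": {"T1078"}},
    {"id": 3, "found": date(2023, 7, 20), "days_to_detect": 50, "catastrophic": True,  "ttps": {"T1078", "T1566"}},
    {"id": 4, "found": date(2023, 10, 5), "days_to_detect": 20, "catastrophic": False, "ttps": {"T1566"}},
    {"id": 5, "found": date(2024, 1, 12), "days_to_detect": 12, "catastrophic": False, "ttps": {"T1078", "T1190"}},
    {"id": 6, "found": date(2024, 5, 30), "days_to_detect": 18, "catastrophic": True,  "ttps": {"T1190", "T1203"}},
    {"id": 7, "found": date(2024, 9, 1),  "days_to_detect": 9,  "catastrophic": False, "ttps": {"T1203", "T1068"}},
]

# Assumed grouping of techniques by how cheap they are for an adversary to use.
# This is a placeholder classification, not one taken from the framework.
VALID_ACCOUNTS = {"T1078"}
COSTLY_TTPS = {"T1190", "T1203", "T1068"}


def in_period(incidents, year):
    """Incidents discovered in the given calendar year."""
    return [i for i in incidents if i["found"].year == year]


def mean_time_to_detect(incidents, year):
    """Average detection lag in days for one period (lower favours defenders)."""
    return mean(i["days_to_detect"] for i in in_period(incidents, year))


def mean_time_between_catastrophes(incidents):
    """Average gap in days between consecutive catastrophic incidents (higher favours defenders)."""
    dates = sorted(i["found"] for i in incidents if i["catastrophic"])
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    return mean(gaps) if gaps else float("inf")


def ttp_turnover(incidents, prev_year, cur_year):
    """1 minus the Jaccard similarity of the TTP sets seen in two periods.

    0 means the adversary reused exactly the same techniques; 1 means a complete
    change of tradecraft, which is what the text says forced adaptation looks like.
    """
    prev = set().union(*(i["ttps"] for i in in_period(incidents, prev_year)))
    cur = set().union(*(i["ttps"] for i in in_period(incidents, cur_year)))
    return 1 - len(prev & cur) / len(prev | cur)


def share_using(incidents, year, ttp_group):
    """Fraction of a period's incidents that used at least one technique from ttp_group."""
    period = in_period(incidents, year)
    return sum(1 for i in period if i["ttps"] & ttp_group) / len(period)


def indicator_report(incidents, prev_year, cur_year):
    """Collect the indicators and note which direction each moved between the two periods."""
    def trend(prev, cur, lower_is_better):
        improved = cur < prev if lower_is_better else cur > prev
        return "defender-favourable" if improved else "adversary-favourable"

    mttd_prev, mttd_cur = mean_time_to_detect(incidents, prev_year), mean_time_to_detect(incidents, cur_year)
    valid_prev, valid_cur = share_using(incidents, prev_year, VALID_ACCOUNTS), share_using(incidents, cur_year, VALID_ACCOUNTS)
    costly_prev, costly_cur = share_using(incidents, prev_year, COSTLY_TTPS), share_using(incidents, cur_year, COSTLY_TTPS)
    return {
        "mttd_days": (mttd_prev, mttd_cur, trend(mttd_prev, mttd_cur, lower_is_better=True)),
        "mean_days_between_catastrophes": mean_time_between_catastrophes(incidents),
        "ttp_turnover": ttp_turnover(incidents, prev_year, cur_year),
        # A falling share of valid-credential logins and a rising share of costly
        # exploitation are the signals the proposition says to look for.
        "valid_account_share": (valid_prev, valid_cur, trend(valid_prev, valid_cur, lower_is_better=True)),
        "costly_ttp_share": (costly_prev, costly_cur, trend(costly_prev, costly_cur, lower_is_better=False)),
    }


if __name__ == "__main__":
    for name, value in indicator_report(INCIDENTS, 2023, 2024).items():
        print(f"{name}: {value}")
```

Run against real incident data, the same functions work unchanged as long as each record supplies a discovery date, a detection lag, a severity flag and the set of observed techniques; the turnover measure is deliberately set-based so that it rewards genuine change in tradecraft rather than a change in incident volume.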

Ultimately, the push and pull between adversaries and defenders will likely never end, Healey said. The goal is to create a standard where threat actors are forced to adapt to defenders and exert maximum effort rather than the other way around.

"Sometimes you have to run faster just to stay in place," he said. "In evolutionary biology, between predator and prey, each side continues to evolve against the other. And sometimes, there might be an evolutionary jump where one side really does well for a long time. But we'll never win. Defense will never win. What we want is to get ourselves toward defensive advantage."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
