Anticipating attacks, responding to them in real time, setting traps to contain them, and protecting assets according to their value can help companies stop sophisticated cybercriminals.
For all the resources devoted to improving cybersecurity, threat levels continue to rise faster than defense capabilities. The WannaCry ransomware attack in May 2017 and the NotPetya attack in June 2017 offer cases in point. In each, hackers helped themselves to tools stolen from intelligence agencies and others and created havoc around the world, forcing systems off-line at the Chernobyl nuclear power station, affecting several parts of Britain’s National Health Service, and interrupting scores of computer systems. The relatively unsophisticated nature of the attack limited the overall take. Yet, it reveals just how vulnerable organizations are to even rudimentary hacks done at scale. Imagine if the attackers actually had their acts together.
Some do. Several of the world’s best-protected organizations have been attacked over the past few years, including a number of preeminent government agencies and technology companies. Hackers who may once have been groping around in the dark are acquiring a deeper understanding of who they’re targeting and how to get inside. Thanks to a proliferation of botnets[1] and the easy sharing of tools on the dark web, the expense of mounting cyberattacks is also plunging. Put it all together, and criminals, some of whom are state sponsored, have ready access to cash, technologies, and resources. Over the coming years, crimes in the cyberrealm are predicted to cost the global economy $445 billion annually.[2]
Perversely, the high-profile hacks may have done us a favor. For a long time, cybersecurity experts have proselytized about the evolving threat landscape. But like doctors who caution their patients to avoid sedentary lifestyles, the risks these experts describe seem important but distant. The WannaCry attack—its brazenness, the speed at which it scaled, and how effortlessly it derailed business as usual—took cyberthreat activity from a slow-moving abstraction and made it real.
Businesses must consider themselves warned. Rather than continue in a passive stance, organizations must adopt an “active defense” model: they should assume their firewalls will be penetrated. They should assume that encryption keys will be compromised, and that hackers will stay a step ahead of them in deploying malware in their infrastructure. Active defense requires organizations to anticipate attacks before they happen, detect and respond in real time, establish traps and alarms to contain attacks, and adopt a tiered approach to protecting critical assets.[3]
The threat environment is constantly changing, but how businesses have responded to those threats has remained largely the same. That’s not going to work anymore. Here’s why:
Active defense allows organizations to engage and deflect attackers in real time by combining threat intelligence and analytics resources within the IT function. The approach draws upon lessons the military community learned in defending itself in fluid attack environments like Afghanistan and Iraq. To ferret out and respond to risks faster, commanders began positioning operators, planners, and intelligence analysts in the same tent where they could feed special operations teams with ongoing, real-time information. Integrated and more accurate intelligence made it easier for units to track chatter, identify targets, and increase the number of missions they could conduct over the course of an evening.
In recent years, some large organizations have applied that thinking to bolster their own defenses. A major financial-services institution, for instance, greatly enhanced its cybersecurity capabilities by convening a team dedicated to providing active defense. The team established state-of-the-art threat-monitoring capabilities so it could continually scan the company’s ecosystem—its own network as well as the broader supply chain—for unusual patterns and activity, sniff out potential threats, and thwart attacks, often within minutes of detection. It has impeded thousands of attacks as a result.
Few organizations have the budget to build dedicated centers of this scale. But there are other ways to access needed capabilities. By realigning the existing budget, engaging outside resources, and forging information-sharing partnerships, businesses can still mount a strong active defense. Success in doing so starts with understanding what’s involved. Here are the central elements of an active defense posture:
Knowing the core elements of an active-defense model can help organizations realign their cybersecurity spending, integrate analytics with intelligence-gathering processes, and provide tighter ongoing coordination. By pinpointing the critical holes in their defense structures, businesses can then determine where it makes sense to acquire needed skills, tools, and expertise and where they can partner with others to fill those voids.
As with any new approach, making the case for change is critical. Shifting to an active-defense posture requires leaders to recognize that cybersecurity requires top-level oversight and commitment, backed with the right budget, authority, and performance incentives to make it real. Organizations looking to implement an active-defense model must also recognize that changes in traditional working practices are required. Some of those changes may be uncomfortable. Given the sophisticated nature of some attacks and the prospect of state-sponsored intervention, companies accustomed to keeping intrusion activity closely guarded may need to open up and work more collaboratively with peers within and across their industries to share notes, best practices, and resources. Such collaboration can take place within industry associations like the Financial Services Information Sharing and Analysis Center, which shares threat intelligence and incident information across nearly 7,000 financial-services institutions.
Changes across the broader security ecosystem are also necessary. The best partnerships will bring together a mix of government, technology, and business leaders to create an open and ongoing exchange of information. Vendors also must adapt. They need to evolve their offerings from chasing down alerts to providing a range of sophisticated services similar to those that major banks and telecommunications companies have built for themselves. Collectively, better intelligence, smarter analytics, and stronger collaboration can help organizations build the active-defense capabilities they need to respond more effectively to pervasive, advanced cyberthreats.
Brad Brown is a director emeritus in McKinsey’s Boston office and an ongoing adviser to BlueVoyant, Daniel Ennis is the head of threat intelligence and operations at BlueVoyant and the former director of the National Security Agency’s Threat Operations Center, James Kaplan is a partner in McKinsey’s New York office, and Jim Rosenthal is the cofounder and chief executive officer of BlueVoyant.