It doesn’t take a lot of time to make a difference. But time does make a difference.
All of the paradoxes and conundrums of time are magnified when we consider how time operates in cyberspace. Our tools work away quite happily in infinitesimally small slivers of seconds, yet time seems to stand still when a song (being streamed from a satellite in outer space) takes more than a few seconds to load. But that’s because as humans, we are unique, as far as we know, in our experience of time as relative. As such, we are also creatures who can look at time both backwards, and less successfully, forward. This allows us to learn from our mistakes and to use that knowledge to perhaps avoid similar misadventures in the future.
The phenomenon of preemption — anticipating something bad and taking steps ahead of time to prevent it from happening — is precisely how we’ve survived as long as we have.
We use preemption as a matter of course in our daily lives so often, so pervasively, and so automatically, we don’t even realize it. We look both ways before we cross the street. When we’re in the car, most of us buckle up. We check the label on that pill bottle before popping more than one. We cover our mouths when we sneeze or cough. We cautiously blow on a spoonful of steaming soup. What’s puzzling is how slow we have been to translate our nearly constant preemptive posture from the physical world to the virtual world.
It’s not as though we don’t know we’re being attacked in cyberspace. Nor is it a case of having complete faith in the solutions we’ve already deployed; we know they’re incomplete. This reticence produces even more head-scratching when you consider how effective a little preemption could be. For instance, the actual time from when a phishing e-mail is sent to when a user clicks on a link is less than 90 seconds. But the time paradox here is that it takes a nearly a year or more of planning and probing before that e-mail can be crafted and sent, and another year afterwards before the attack is recognized.
Which gives us plenty of time for preemption to work its magic.
Only action changes outcomes and early action changes outcomes sooner. If we want to have a different outcome from these attacks, we need to stop them before they penetrate and cause damage within our organizations, not after. So how might we go about that?
To begin with, we must think about cybersecurity differently. It is not what is used to be ten, five, or even one year ago. That means we need a different kind of approach — a preemptive one — that deals with the reality of how the world has changed.
First, phishing bypasses the isolate, detect, and respond forensics-oriented defenses we already have in place. Second, our current crop of defenses focus on detecting the payload and insulating the victim from it. But that’s proven to be not very effective when the targeted victim is always different and payloads are enabled by the very targets they’re sent to and the time to detect payloads is too late. Third, phishing really, really works. Studies show that 9 out of 10 people, even those who’ve been trained not to do so, can’t resist clicking on a compelling but phony email. So is it any wonder why upwards of 97% of all attacks are now targeted and socially engineered? Essentially, attackers are using our own trusting human natures against us. And they’re winning. Finally, phishing is economical. Once attackers find something that works, they’ll use it over and over and over, sending the same piece of malicious code to thousands of organizations until it doesn’t work anymore.
All of which presents us with opportunities to change how we look at cybersecurity and reconsider what is effective. If we know that phishing is so effective, we can stop trying to change our human behavior and take advantage of the attackers human patterns.