With increasingly sophisticated attacks on targets of opportunity, how can enterprises ensure they are doing everything possible to safeguard against cyber threats? Surprisingly, we can apply techniques used to fend off enemies throughout ancient history by emperors, warriors, and soldiers to our high-tech environments of today.
If we look back at the trials and tribulations throughout history, we’ll discover many parallels between the Medieval world and our own when it comes to strategic invaders, attackers, and threats on vulnerable civilizations. Leaders can use these teachings to create strategies and processes to pinpoint and identify cyber threat attempts; implement unique methods to protect against the evolving threat matrix; and understand how to best protect their intellectual property, financials, and data from attacks.
Below, we’ll examine three civilizations’ decision making and how we can integrate their best practices into modern-day security strategies.
Ancient Egypt 1210 BCE: Convenience over security causes problems
In ancient Egypt, pharaohs had monumental requests and a “just do it” attitude. This “delegation and denial” cycle (which led to coup attempts) is something replicated in executive attitudes towards cybersecurity today.
There is a major convenience over security problem in many businesses, which creates the perfect opportunity for an attacker to enter. For example, there are many excuses including ‘It’s too much hassle to change the password’, ‘We need to have guest account for visitors,’ and ‘It's too hard to change users to protected groups.’ Other bad habits include always logging in with the default admin account, having autologin enabled, and using the server operator account. These bad habits, have, over the years cost those we protect billions of dollars, if not, in some cases an organization’s entire business.
Best practices: Do not choose convenience over security. Organizations must manage AD delegations to follow the principle of least privilege. The logic being that privileged accounts are often easier to hijack. Organizations should ensure that the right user are in the right place, at the right time and therefore only have access to objects they are supposed to. In addition, audit any changes to accounts that have any kind of elevated privileged access.
Shang (Or Yin) Dynasty 1122 BC: People, process, and technology work together - or not at all
The Shang (Yin) Dynasty, known for their advancements in government, writing, and tactics, demonstrate that procedures and controls are just as important as our actions. The key takeaway for organizations today is that they need to ensure that people, process, AND technology work effectively together towards a solution. If we could manage efficiency and clearly communicate with all those around us, we likely wouldn’t have as many cyber-attack issues. In other words, it is not effective to only train users once a year and expect them to remember things. It’s crucial to provide the people protecting an organization’s network with sufficient training and education. If they don’t have the resources, we shouldn’t be surprised when things don’t go the way we expect.
Best practices: Organizations must be mindful of how they execute privilege escalation. Considerations include:
- Changes to default domain policy
- Changes to the default domain controller policy
- Changes to GPO linking
Assassins 1275: Resilience is non-negotiable
The Assassins targeted invasive attacks against strategic targets. From them, we can learn that when using deceptive techniques, typically, a smaller, trained, armed and motivated attacker will succeed against a larger, less mobile foe. Attackers take advantage of hard times, and in order to have digital resilience, organizations need to shine a light in the shadows and have the ability to see these threats before they get in.
Today, data and identities are scattered all over the place and technology is advancing at a pace organizations can’t keep up with. The global average for identifying a breach is upwards of 197 days after someone has entered, rummaged around and likely already long since left. Recovery of a breach after it’s been identified adds an additional 2 months to that timeline, if you are able to retain an incident recovery team in these increasingly busy times. Unfortunately, within that entire timeframe, a huge amount of damage can occur. For example, DC Shadow empowers attackers (with admin rights) to spin up fake Domain Controller that can quickly distribute changes to legitimate DCs using normal replication mechanisms. Without any cyber resilience put in place, organizations won’t have the ability to see this happening, potentially leading to major damage.
Best practices: Organizations should implement effective network separation, segmentation, and admin tiering to constrain access.
With no perimeter or true understanding of how vulnerable our powerful systems are, it shouldn’t come as a surprise when adversaries and attackers obtain access to a company’s sensitive information—yet somehow it still does every time. It’s time for our community to learn from history’s mistakes and adjust our resilience approach before it’s too late.