Beyond Zero Trust: a Modern Defense Approach

The author John Steinbeck is widely quoted as saying, “If you find yourself in a fair fight, your tactics suck.” This holds whether your threat landscape is physical or digital. Look at the cyberthreat landscape and it is clear that our adversaries have forced an unfair fight on us, and it is only getting worse.

Cybersecurity spending has grown from $75 billion in 2015 to $150 billion in 2021, and projections put cumulative spending over 2021 to 2025 at $1.75 trillion. Across the globe, people spend an average of seven hours a day online, a figure likely to rise in a post-COVID world. More and more of our lives happen online as we rely on networked devices and digital access for entertainment, work, daily life, and even healthcare. Yet despite our dependence on these devices, our confidence in their safety and security has not grown; quite the contrary. Why? Because cybercrime is growing at an exponential rate. Cybercrime is estimated to cost about $10.5 trillion globally per year by 2025, driven in part by technology trends such as the share of bad bots in overall internet traffic and the spread of IoT devices with poor security hygiene, as well as by external black swan events such as the COVID-19 pandemic, which is credited with a 600% increase in malicious emails.

Every day brings a steady beat of revelations about data breaches, ransomware, hacks, and automated cybercrime. Bots are a favored tool of cybercriminals, used for everything from DDoS attacks and account takeover to amplifying disinformation; in fact, 77% of all digital attacks are bot-based. In response, we have adopted new paradigms such as “zero trust” and “assume breach.” Despite these models and the increased investment in cybersecurity, a fundamental asymmetry between defenders and attackers remains.

The tools and infrastructure needed to commit cybercrime are cheap and readily accessible, while the repercussions for attackers are few and far between. And although we have gotten better at attribution, less than a third of one percent of cybercrime is ever prosecuted. Defenders, meanwhile, must overcome hurdles such as cybersecurity talent shortages, expanding attack surfaces, and costly tools. For the defender, the cost of being wrong just once is catastrophic; for the attacker, the cost of being wrong most of the time is negligible. Case in point: it took a single leaked VPN password to enable the Colonial Pipeline ransomware attack, which had people waiting in queues for gas not seen since the 1970s.

The statistics tell us what we already know: increased spending and resources have not led to diminished cybercrime. In fact, attackers have become bolder and more menacing, threatening everything from critical infrastructure such as oil and gas pipelines and water utilities to the very institutions of our democracy.

Continuing with our current strategy will only yield more of the same. Something has to change.

The Future of Defense

Multiple voices from both the private and public sectors have acknowledged that increased spending has not led to diminished cybercrime. Chris Inglis, the National Cyber Director, has called for a “cyber social contract,” a collective and collaborative defense strategy to replace “atomized and divided efforts.” Increasingly, private enterprises are collaborating to defend better against sophisticated operations. Most recently, Mandiant and CrowdStrike vowed to collaborate more closely, citing the complex threat environment as the impetus for a more collaborative approach.

This is all welcome news, but it is not enough. Collaboration, whether public/private or private/private, is still the exception, and it will not scale if it only happens in small trusted circles. More importantly, we need a new defensive strategy, one that raises the cost and complexity for the attacker while lowering both for the defender.

This is what we at HUMAN call a modern defense strategy. It has three core tenets: internet visibility, network effect, and disruptions and takedowns.

1. Internet visibility

Internet visibility is more than just sharing threat intel; it is having the scale and information to defend in the smartest and most efficient way. HUMAN verifies the humanity of more than 15 trillion internet interactions a week. Each interaction is a node that helps inform our defensive tactics. We also observe 3 billion unique devices a month, giving us an unparalleled view of the internet. All of this data makes it easier to integrate, collaborate, share intelligence, and coordinate defense.

We can determine whether identities seen in different places, across multiple technology partners or even across ecosystems, are actually the same underlying entities. Once an entity is shown to be fraudulent, enforcement against it benefits everyone in the ecosystem (the network effect, described next). We can also advocate for reasonable regulatory relief and privacy carve-outs for defenders, so that we may collectively act with speed, accuracy, and efficiency. Internet visibility applies the knowledge gained through private/private, public/private, and public/public collaboration to see more of the threat landscape, anticipate the likely next moves of bad actors, and act to thwart them.

2. Network effect

We need to shift our mindset from protecting our own data, device, network, or organization to protecting our ecosystems. In a sense, we have been securing our house without admitting that its security depends heavily on how secure the neighborhood is. At HUMAN, we adopted this collective protection concept with our Human Collective initiative. Collective protection means fraudsters cannot simply move on from one unsuccessful target to the next, because the entire ecosystem is protected from that particular attack.

When fewer targets are available for an attack, that attack becomes less lucrative for fraudsters. And when so much of the ecosystem is covered by this framework, the window an attack has to monetize between deployment and discovery shrinks dramatically. Adding real consequences, such as imprisonment, puts even more risk into the equation for fraudsters. An attack on one partner becomes a defense for all, forming a coalition of partners that grows stronger with each new member.
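To make the two ideas above concrete (matching the same entity across partners without sharing raw identifiers, and letting one partner's fraud verdict block that entity everywhere), here is an added, self-contained illustration. It is example code written for this article, not HUMAN's product code; the consortium key, the attribute set, the registry class and the sample device profiles are all constructed assumptions. The simulation counts how many partners an attacker can abuse before being stopped, first with isolated defenses and then with a shared verdict registry.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: a key the consortium would distribute out of band.
# Partners hash with the same key so tokens match across the ecosystem, while a
# party without the key cannot precompute tokens from guessed attribute values.
CONSORTIUM_KEY = b"example-consortium-key-not-for-production"


def entity_token(attrs: dict, key: bytes = CONSORTIUM_KEY) -> str:
    """Keyed hash over the stable attributes every partner observes.

    The attribute set and the normalization (sorted keys, trimmed, lower-cased)
    are the agreed contract: two partners that see the same device derive the
    same token without ever exchanging the raw identifiers.
    """
    canonical = "|".join(
        f"{k}={str(attrs[k]).strip().lower()}" for k in sorted(attrs)
    )
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


class VerdictRegistry:
    """Shared verdict store: a verdict reported by one partner is visible to all."""

    def __init__(self) -> None:
        self._verdicts: dict[str, tuple[str, str]] = {}  # token -> (verdict, reporter)

    def report(self, token: str, verdict: str, reporter: str) -> None:
        self._verdicts[token] = (verdict, reporter)

    def lookup(self, token: str) -> Optional[str]:
        entry = self._verdicts.get(token)
        return entry[0] if entry else None


@dataclass
class Partner:
    """One site in the ecosystem. It only ever sees its own traffic."""

    name: str
    registry: VerdictRegistry

    def decide(self, attrs: dict) -> str:
        """Block if any partner has already judged this entity fraudulent."""
        if self.registry.lookup(entity_token(attrs)) == "fraud":
            return "block"
        return "allow"

    def detect_after_abuse(self, attrs: dict) -> None:
        """Local detection fires after the abuse succeeded here; publish the verdict."""
        self.registry.report(entity_token(attrs), "fraud", self.name)


def simulate(partner_names: list[str], attacker_attrs: dict, share_verdicts: bool) -> int:
    """An attacker with one device profile hits each partner once, in order.

    Each partner only catches the abuse after it has succeeded locally. Returns
    how many partners the attacker abused successfully. With a shared registry
    the first partner's verdict blocks the same entity at every later partner;
    without it, every partner has to learn the lesson on its own.
    """
    shared = VerdictRegistry()
    successes = 0
    for name in partner_names:
        partner = Partner(name, shared if share_verdicts else VerdictRegistry())
        if partner.decide(attacker_attrs) == "allow":
            successes += 1
            partner.detect_after_abuse(attacker_attrs)
    return successes


# Constructed sample device profile, as two partners might each record it
# (different key order, casing and whitespace, same underlying device).
SEEN_BY_PARTNER_A = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "tz": "UTC", "screen": "1920x1080"}
SEEN_BY_PARTNER_B = {"screen": "1920X1080 ", "ua": "mozilla/5.0 (x11; linux x86_64)", "tz": "utc"}

if __name__ == "__main__":
    print("same entity:", entity_token(SEEN_BY_PARTNER_A) == entity_token(SEEN_BY_PARTNER_B))
    sites = ["shop", "bank", "ad-network", "game"]
    print("isolated defense, successful abuses:", simulate(sites, SEEN_BY_PARTNER_A, False))
    print("collective defense, successful abuses:", simulate(sites, SEEN_BY_PARTNER_A, True))
```

Two design points carry the argument. The keyed hash means partners can agree that "this is the same entity" without handing each other raw fingerprints, which is what makes the privacy posture of shared enforcement defensible; and because the token is keyed, an outsider cannot build a lookup table from public attribute values. The simulation shows the economics: with isolated defenses the attacker gets one successful abuse per partner, with a shared registry exactly one for the whole ecosystem, so adding partners lowers rather than raises the attacker's return.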

Collective protection demands collaboration. As noted above, there have been pockets of public/private and private/private collaboration. A strong example of public/public collaboration is the allies’ response to the cyber threats emanating from the Russo-Ukrainian conflict. So far, that collaboration has proven successful in staving off the most dreaded attacks by Russian hackers that were predicted early in the conflict.

Earlier this year, the Biden administration acknowledged the need to formalize public/public collaboration and set up the Bureau of Cyberspace and Digital Policy at the State Department. The bureau will be led by a first-ever cyber ambassador, Nathaniel Fick, who was confirmed last week.

3. Disruptions and takedowns

The third tenet of a modern defense strategy is about righting the imbalance of cost and effort between attackers and defenders through disruption and deception. Disruptions are driven by actionable threat intelligence and collaboration. We can identify and disrupt cybercriminals through takedowns across the private sector and through prosecution, working with the DOJ, the FBI, Interpol, and others. Disruption can take many forms, from hampering the infrastructure that enables and propagates attacks to following the money trail and negating the economic incentives that fund attacks. It can also take the form of deception, misdirecting attackers’ resources and focus in ways that frustrate their aims and whittle away their resources.

Over time, it becomes more expensive and time-consuming for attackers to develop ever more complex mechanisms to go after their targets, and their window of opportunity keeps shrinking as collective protection and well-placed disruptions narrow the available attack vectors. At some point the see-saw flips: the costs and risks of an attack become too high to make it worth attempting.

In “The Art of War,” Sun Tzu writes that “the supreme art of war is to subdue the enemy without fighting.” Modern defense strategy is about defeating the adversary without having to fight every battle. This is how we tip the scales.