Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
10:00 AM
Rob Gurzeev
Rob Gurzeev
Connect Directly
E-Mail vvv

Defending the Castle: How World History Can Teach Cybersecurity a Lesson

Cybersecurity attackers follow the same principles practiced in warfare for millennia. They show up in unexpected places, seeking out portions of an organization's attack surface that are largely unmonitored and undefended.

Attackers strike where defenders least expect it — in cybersecurity, certainly, but in the world of physical warfare as well. As a former military officer, I think it's particularly instructive to look at military battles from the cybersecurity defender's perspective. Military battles bring direct lessons and, I find, often serve as a reminder that attack surface blind spots have been an Achilles' heel for defenders for a long time. They remind us that we have to rethink our assumptions, habits, and biases to operate at our best.  

Related Content:

7 Modern-Day Cybersecurity Realities

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How to Move Beyond Passwords and Basic MFA

One notable example occurred in 1204 at Château Gaillard. The château provided the English a seemingly impenetrable stronghold from which to defend their claim in the Normandy countryside. The base of the keep was built out of natural rock, and all possible approaches were guarded by impressive towers and walls. Undaunted, the French laid siege, and for eight months, continued their constant frontal attack, despite the heavy toll to their forces.

Everything they tried failed to topple the English — until finally they decided to attack the castle's weakest point, one that was completely unmonitored and protected: the latrines. By climbing through the sewer, the French were able to sneak into the chapel in the inner castle. A medieval special-ops team snuck through this opening and set fire to the inner castle.

Cybersecurity attackers follow this same principle today. While most are not diving through sewers, they do show up in unexpected places, seeking out portions of an organization's attack surface that are largely unmonitored and undefended. Companies typically have a sizable number of IT assets within their external attack surface they neither monitor nor defend and probably do not know about in the first place. These are externally accessible assets, resources, or infrastructure components that may process or use a company's data or be connected in some way such as exposed production databases, sensitive Git servers, accidentally exposed Internet of Things and industrial control systems, third-party payment mechanisms, etc.

Chateau Gaillard. Credit: Telly via Adobe Stock
Chateau Gaillard. Credit: Telly via Adobe Stock

Many of these are set up without the knowledge or involvement of security, sometimes even without the knowledge of IT. Some are things once known but later forgotten. Even test or temporary resources intended for short-term use often remain an active conduit into a company's ecosystem without ever getting decommissioned. Assets and applications are constantly created or changed, and the pace of change is fast and dynamic. It is a monumental task for any security organization to stay apprised of all of them.

Unknown and Undefended
Attackers understand this tendency and often use it to their advantage. They seek out the parts of an organization's attack surface that may be largely unknown and undefended. Attackers have access to numerous tools, techniques, and even services that can help find the unknown portion of an organization's attack surface. Most attackers are pragmatic and mission oriented, and they have a goal to find a path of least resistance that will provide the greatest payoff. Often this means focusing on the least monitored and least protected part of an organization's attack surface.

Targeting an organization's unknown attack surface generally means faster and easier penetration and the ability to mount a "low and slow" attack that will keep them reliably undiscovered until after they accomplish their mission. Similar to the 13th century French attackers of Château Gaillard, but with the appeal of lower casualties and lower cost with a greater likelihood of success, pragmatic attackers seek out an organization's externally accessible attack surface.

Of course, fully protecting an organization's cyberattack surface has historically been exceedingly difficult, if not impossible. Part of the problem is that the attack surface is dynamic, and that fast pace of change introduces elements unknown to security or IT teams. Conventional tools are plagued by something I mentioned at the start: assumptions, habits, and biases. These tools all focus only where they are pointed, leaving organizations with unaddressed blind spots that lead to breaches. Periodic penetration tests and vulnerability management tools, for instance, stick to what is known rather than unknown, and do not systematically set out to discover the previously unknown attack surface.   

Assessing and protecting only the known portions of the attack surface virtually guarantees that attackers will find unguarded network infrastructure, applications, or data that can provide unimpeded access to valuable resources. Instead, organizations need to devote more resources to discovering and addressing the unknowns in their external attack surface. 

It's time to consider your approach to defense and whether your organization has a significant "shadow" conduit that would be attractive to attackers for mounting an attack. Perhaps the walls and flanks of your organization are carefully protected while a largely open, unmonitored passage exists right under your feet.

Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies. Prior to founding CyCognito, he was Director of Offensive Security and head of R&D at C4 Security (acquired by Elbit ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file