I’m proud to say my wife is a zombiephile. She’s a huge fan of the whole zombie genre. For many years, she’s read the books, watched all the movies, filled the DVR with the TV shows and dressed our kids up for Halloween as, among other characters, Shaun from Shaun of the Dead. She’s also a devoutly religious fan of the AMC television series, The Walking Dead.
Her preoccupying fandom pretty much makes me a fan too and, over time, I myself have become a student of all things zombie and even the whole broader, post-apocalyptic milieu in comics, books, film and TV. In fact, some of the better books I’ve read recently have been in and around the subject, such as Max Brooks’ World War Z and The Zombie Survival Guide: Complete Protection from the Living Dead.
This past week, while watching a new episode of The Walking Dead, the thought struck me to juxtapose the in-your-face, brain-munching zombie threat with that of cybercrime and cybercriminals.
As I began to overlay the zombie threat on top of the real-life, pandemic menace to the business world that is cybercrime today, the similarities began popping out. And fast.
Cybercrime is infectious, affecting every industry. It comes on quick and spreads faster. Threats are everywhere, often lurking in the darkest corners of a business and often undetected until they bite you. And, for most enterprise supply chains, a single cybercrime bite can turn one business and then the next into a perfect victim and vector for the disease. And, of course, there’s the lingering suspicion we all caused the outbreak ourselves somewhere along the way (Bad code, anyone?).
Heck, the infected computers in a botnet are even called “zombies”: machines whose owners unknowingly help spread the disease in the form of things like Distributed Denial of Service (DDoS) attacks. Life imitating art. Sort of.
Let’s just say the similarities were easy to see.
Easiest to see of all: like avoiding zombies, avoiding the plague of cybercrime requires a dedicated, focused strategy and efficient tactics. Without them, your business can become an “undead” victim, losing its life’s blood in the form of lost customers, lost partners, lawsuits and lost profits.
In the end, it quickly became clear to me that businesses too can benefit from looking at their cyber strategy the same way one might navigate the zombie apocalypse.
In The Zombie Survival Guide: Complete Protection from the Living Dead, Max Brooks outlines the top ten lessons for surviving a zombie attack:
1. Organize before they rise!
2. They feel no fear, why should you?
3. Use your head: cut off theirs.
4. Blades don’t need reloading.
5. Ideal protection = tight clothes, short hair.
6. Get up the staircase, then destroy it.
7. Get out of the car, get onto the bike.
8. Keep moving, keep low, keep quiet, keep alert!
9. No place is safe, only safer.
10. The zombie may be gone, but the threat lives on.
Now, while the above lessons might not immediately seem to translate, when you dig a bit deeper, most of the lessons actually do.
For example, lesson #9, “No place is safe, only safer,” applies easily: businesses should never assume that anything they’re currently doing is a strategy they can rest on. Sadly, most large businesses these days still think to themselves, “I’m good, I’ve got the best tools money can buy and people to employ them, so I’m as safe as I can be for now.” That makes for quick zombie, uh, cybercrime bait.
Or what about #10, “The zombie may be gone, but the threat lives on”? After a cyber hit, when the dust has settled, what else is still vulnerable? What got bitten that you don’t know about? Is there another way in? Did the cybercriminal get in some way other than how you think? Is there more than one in there? Did someone else in your group get infected? How can you prevent infection in the future? How do you justifiably repel the potential class-action lawsuits? Now that’s a real zombie horde.
In fact, without much of a stretch, most of Brooks’ lessons can be of use in the cyber domain.
Personally, I think lesson #8 is the most important when applied to enterprise cyber defense:
“Keep moving, keep low, keep quiet, keep alert!”
When you think about cyber defense in terms of strategy (and the budget to drive it and the people to execute it), we’re now living at a time that might be labeled cyber “post-apocalypse in progress.”
Cyber defense strategies are now survival strategies.
With the mammoth breaches of the last few years being repeated seemingly almost every week, businesses are reeling. And the landscape is starting to look more like a real-life zombie movie every day.
Almost nothing, and I mean nothing, from our past “way of cyber defense life” still works well against the new diseases. Embodiments of the cyber defense establishment such as anti-virus, anti-malware, logging and auditing, sandboxing, whitelisting, IDS/IPS and signature-based firewalling systems are becoming smoldering ruins ready to fall in on themselves. The “set it, forget it, react” safety fence that methodologies such as “Defense in Depth” have become in everyday practice no longer has electricity running through it.
Amidst these ruins, businesses are faced with a brave new world where approaches must be built again from the ground up - approaches based on re-learning things we’ve forgotten, re-analyzing a new threat landscape with fresh eyes (and data) and re-engineering new solutions to new problems.
Most of all, enterprises now must act like small groups of survivors moving from one very specific goal-oriented survival task to another, all the while keeping a low-profile and being vigilantly aware in ways long since abandoned for the perceived comfort of established security practices and modern defense solutions.
Are you an eCommerce company that’s invested heavily in securing your web front end? What do you know about your closest partners? The ones already inside your camp? Don’t look now, but your main supplier’s been infected at your back door. He’s coming in and he’s brought friends. Sleep, even for a moment, on your new environment and it’s over.
Long-term, plodding strategy and planning have become a luxury that’s made us all fat, slow and disengaged.
Day-to-day survival requires day-to-day focus. In the cyber world we live in now, assumptions must be thrown out the window. The security world is new, requiring more top-down emphasis and engaged leadership, more focused resources, a heavy questioning of conventional wisdom, commitment to instant adaptability and a willingness to take things as they come in small pieces that add up to a safer whole and, in general, a more instinctive approach to security.
A survival instinct.
Now, businesses must do continuous risk assessment. Every day. Info and intelligence must be gathered on unexpected threats and matrixed into a constant assessment of a group’s individual strengths and weaknesses. Change must be expected, embraced and made part of processes.
Your employees, partners, customers and suppliers are your “survival group” battle-buddies now, and it’s important not only to know how the zombies behave and where they hide, but to continually conduct triage on your group to identify which parts of your team are most at risk of becoming infected (and who may infect you in the process). That means continuously aligning threat info with risk data and your business’ own context in a process of “risk intelligence.”
Seeing a threat coming at the earliest possible moment = staying alive.
In short, your cyber strategy must adapt or die. It’s survival of the fittest now, in the truest sense. There’s the quick and there’s the (un)dead.