Standoff in cyberspace

Stewart K. Bertram
June 17, 2016 | 3 Min Read

In physical security terminology, standoff refers to the physical distance between a defender and a threat. For example, concrete barriers placed in front of a building create a standoff distance from ground-based threats such as vehicle-borne suicide bombers (Arsenal's Emirates Stadium is a good example). Standoff distances range from a few metres (small arms) to thousands of miles (intercontinental ballistic missiles), but the important point about the concept is that different defensive systems create different standoff ranges in relation to different threats.

Image: Arsenal's Emirates Stadium

It struck me that, given the importance of standoff distance in physical security strategies, it is unusual that the concept has received so little consideration within cybersecurity. There are a number of conceptual areas to explore when applying it to the digital estate, but since cybersecurity is fundamentally about the relationship between an aggressor (the hacker) and a defender (the cybersecurity professional), an obvious first point of analysis is finding the equivalent of physical distance in a cyber context.

After considering a number of prominent historic and ongoing case studies, it seems to me that the cyber equivalent of the physical distance element of standoff is actor attribution. That is, the better a defender is able to attribute a cyber-attack to a defined actor, the more the standoff between aggressor and defender is reduced, or closed.

This assertion is based on observations of the use of cyber proxy forces and false flag operations by various nation states. Fictitious groups, such as the Guardians of Peace used as cover for the Sony hack of 2014, and the use of South Korean criminals to distribute malicious software that conducted DoS attacks against South Korean airport infrastructure, are both examples of attempts to create a digital standoff. In response, forensic capabilities are often focused on attribution, closing the standoff distance between victim and aggressor.

Beyond being a novel way to visualise the relationship between defender and aggressor, the concept of cyber standoff can be applied more productively to the security of multiple systems enclosed within a single network. Many large modern networks have uneven security applied across them. For example, within a banking institution, externally facing email systems are inherently more exposed than a SWIFT system, which will naturally be wrapped in more layers of security controls. Hence the maximum possible cyber standoff for an email system is always going to be less than the standoff achievable for a deeply nested internal system. At its core, cyber standoff is a useful measure of whether deployed defences are commensurate with the level of threat they face.

A logical question to ask is 'why is the concept of cyber standoff any different from other, more established methods of measuring cybersecurity maturity?' The essential goal of standoff is to consider both the defences deployed and the capability that the threat possesses in a more holistic way than maturity and risk assessments currently do on their own.

Although they do not explicitly use standoff as a concept, schemes such as the UK CBEST initiative, accredited by CREST and backed by the Bank of England, seek to capture the same interaction of aggressor and defender within their testing framework. These schemes are in their relative infancy, and I think there is a place for more granular concepts, such as cyber standoff, that could serve as more substantive elements within these initiatives.
