Full Report
The whole of information/cyber security is founded on the idea that we can defend ourselves into security. But in the history of competitive endeavours nobody has won by playing defence alone. We have this idea that we can wrap our users and systems in enough padding to protect them in a world where guns exist. We’ve leaned so hard into this idea that we’re on the floor and it’s time to look up.
Analysis Summary
# Best Practices: Shifting Security Focus from Pure Defense to Adversary Disruption
## Overview
These practices address the core argument that relying solely on defensive measures ("defending harder") yields diminishing returns in security. The recommendations advocate a complementary strategy that proactively disrupts criminal operations, often by drawing on external legal and law enforcement capabilities to address root causes.
## Key Recommendations
### Immediate Actions
1. **Acknowledge Diminishing Returns:** Immediately evaluate current security budget allocation to identify areas where increased defensive spending yields minimal additional risk reduction (diminishing ROI).
2. **Begin Documentation for Disruption:** Start rigorous, legally sound documentation of security incidents (especially those involving clear criminal intent) suitable for handover to external authorities, rather than purely internal auditing.
3. **Conduct Stakeholder Education:** Communicate internally that an exclusive defensive posture is insufficient and introduce the concept that external disruption is a necessary component of a mature security strategy.
### Short-term Improvements (1-3 months)
1. **Establish Communication Channels:** Identify, and where appropriate and legally permissible establish in advance, sanitized points of contact or pathways for sharing actionable threat intelligence with relevant law enforcement or regulatory bodies, so they are ready when a predicate event occurs.
2. **Audit Incident Response for External Invocation:** Review current Incident Response (IR) playbooks to mandate specific criteria (e.g., confirmed unauthorized access, data exfiltration related to organized crime) that automatically trigger the preparation phase for law enforcement notification, separate from standard operational remediation.
3. **Analyze Attack Attribution:** Where possible, extend threat intelligence gathering beyond technical Indicators of Compromise (IOCs) to basic attribution or source profiling that could support a criminal investigation, without attempting to conduct the investigation yourself.
### Long-term Strategy (3+ months)
1. **Integrate Disruptive Strategy:** Formally integrate adversary disruption and legal recourse pathways into the annual cybersecurity risk management framework, treating them as a viable risk treatment option alongside technical controls.
2. **Develop Legal Readiness:** Collaborate with internal legal counsel to understand regulatory reporting requirements, evidence preservation standards, and legal frameworks necessary to support external disruption efforts effectively.
3. **Advocate for Sectoral Coordination:** Participate in relevant industry forums or information-sharing groups specifically aimed at coordinating responses or intelligence sharing that involves cross-organizational adversary tracking or disruption efforts.
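The "Begin Documentation for Disruption" and "Develop Legal Readiness" items above both depend on one practical habit: recording what was collected, by whom and when, together with a cryptographic hash, before anyone analyses the evidence, so that an external investigator can later confirm the copy they received is the copy that was collected. The following is an added illustration of that habit and is not code from the original article or from SensePost; the tool label, case id, custodian addresses and the sample files are constructed placeholders, and real evidence-handling standards should be taken from counsel and the receiving agency rather than from this sketch.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Hypothetical tool label recorded in each manifest; not a real product name.
TOOL_NAME = "evidence-manifest-example/0.1"


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large captures never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, case_id: str, custodian: str) -> dict:
    """Record path, size, hash and collection time of each artifact before analysis starts."""
    artifacts = [
        {
            "path": os.path.abspath(p),
            "size_bytes": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_at": _utc_now(),
        }
        for p in sorted(paths)
    ]
    manifest = {"case_id": case_id, "tool": TOOL_NAME, "artifacts": artifacts, "custody_log": []}
    record_transfer(manifest, holder=custodian, note="initial collection")
    return manifest


def artifacts_digest(manifest: dict) -> str:
    """Hash of the artifact list in canonical JSON; this is the value to quote on a handover receipt."""
    canonical = json.dumps(manifest["artifacts"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_transfer(manifest: dict, holder: str, note: str) -> None:
    """Append a chain-of-custody entry: who holds the evidence from when, and what the list hashed to."""
    manifest["custody_log"].append(
        {"holder": holder, "at": _utc_now(), "note": note, "artifacts_digest": artifacts_digest(manifest)}
    )


def verify_manifest(manifest: dict) -> dict:
    """Re-hash every artifact on disk and report which still match the recorded hash."""
    return {a["path"]: sha256_file(a["path"]) == a["sha256"] for a in manifest["artifacts"]}


def demo() -> dict:
    """Run the workflow on constructed sample files and return the checkable results."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample artifacts: a log excerpt, a rotated log that happened to be
        # empty at collection time, and a stand-in for a packet capture.
        samples = {
            "auth.log": b"2024-01-01T00:00:01Z sshd[1234]: Failed password for root from 203.0.113.5\n",
            "auth.log.1": b"",
            "capture.pcap": bytes(range(256)) * 4,
        }
        paths = []
        for name, content in samples.items():
            p = os.path.join(workdir, name)
            with open(p, "wb") as fh:
                fh.write(content)
            paths.append(p)

        manifest = build_manifest(paths, case_id="CASE-EXAMPLE-001", custodian="ir-lead@example.invalid")
        digest_at_collection = artifacts_digest(manifest)
        verify_before = verify_manifest(manifest)

        # Handover steps; the holders are placeholders, not real contacts.
        record_transfer(manifest, holder="external-counsel@example.invalid", note="handover for legal review")
        record_transfer(manifest, holder="LAW-ENFORCEMENT-CONTACT-PLACEHOLDER", note="submitted with incident report")

        # Simulate a post-collection edit of one artifact: verification must flag it,
        # while the recorded manifest (and therefore the receipt digest) stays unchanged.
        tampered = paths[0]
        with open(tampered, "ab") as fh:
            fh.write(b"# edited after collection\n")
        verify_after = verify_manifest(manifest)

        empty_sha = next(a["sha256"] for a in manifest["artifacts"] if os.path.basename(a["path"]) == "auth.log.1")
        return {
            "digest_at_collection": digest_at_collection,
            "digest_after_tamper": artifacts_digest(manifest),
            "verify_before": {os.path.basename(k): v for k, v in verify_before.items()},
            "verify_after_tamper": {os.path.basename(k): v for k, v in verify_after.items()},
            "empty_file_sha256": empty_sha,
            "custody_entries": len(manifest["custody_log"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is deliberately a fixed record: verification re-hashes the files against it, so a file modified after collection fails the check while the manifest digest quoted on the receipt stays the same. Storing the manifest separately from the artifacts, and signing it where the receiving agency accepts that, is the usual next step.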
## Implementation Guidance
This advice is generally strategic, focusing on *what* to pursue rather than specific technical configurations (as the source material emphasizes strategic/policy shifts over technical "padding").
### For Small Organizations
- **Focus on Reporting:** Designate one senior individual responsible for knowing *who* to call (local cybersecurity police liaison or CERT) in the event of a major crime, ensuring basic required information (what happened, who was affected) is ready.
- **Prioritize Criticality:** Since extensive defense is costly, focus technical defense budgets on the absolute core assets, and rely on external legal pressure as the cost-effective remedy for threats against less-critical systems.
### For Medium Organizations
- **Formalize External Liaison:** Assign the IR lead or CISO to be the designated organizational liaison for external law enforcement/regulatory queries related to cyber incidents.
- **Budget for Legal Consultation:** Allocate a small, dedicated budget line for specialized external counsel experienced in cybercrime laws to advise on proper evidence handling and reporting protocols.
### For Large Enterprises
- **Develop Relationship Management:** Establish formal relationships with sector-specific law enforcement agencies (e.g., FBI Cyber Command, NCA).
- **Simulate Disruption Scenarios:** Include scenarios in tabletop exercises where the mitigation strategy involves immediate external handover (e.g., "The threat actor has been identified as being state-linked/known criminal syndicate; what is our immediate handover procedure?").
## Configuration Examples
*No specific technical configurations were provided in the source material, as the focus is on strategic orientation shift.*
## Compliance Alignment
This strategic shift complements existing frameworks by addressing the resilience aspect:
- **NIST CSF:** Enhances the **Identify** function (understanding threats beyond technical scope) and strengthens the **Respond** function by broadening response mechanisms beyond recovery.
- **ISO 27001/27002:** Supports the Annex A controls by recognizing that mitigating risks related to external threat actors requires engagement outside the organization's direct control (Risk Treatment Plan update).
- **CIS Controls:** While technical controls remain essential, shifting focus supports the overall risk management posture by reducing reliance on the effectiveness of purely preventative controls (Controls 1-18).
## Common Pitfalls to Avoid
- **Mistaking Legal for Technical:** Do not attempt to conduct criminal investigations yourself; this risks contaminating forensic evidence and exceeding organizational legal authority.
- **Premature Disclosure:** Avoid sharing unverified or incomplete information externally without proper legal counsel, as this can compromise ongoing law enforcement efforts or create regulatory liability.
- **Ignoring the "Padding":** Recognize that this shift is **complementary**, not a replacement. If basic technical defenses are non-existent, external action will be futile. The investment in foundational defense must still occur.
## Resources
- **Source Material:** SensePost | Why defend harder won’t work in the long run and what to do instead – arrest criminals (Reference the associated Keynote linked in the original article for detailed exploration).
- **Guidance Focus:** Seek out official documentation from national cybercrime reporting centers or specialized law enforcement units on how to properly submit evidence for criminal investigation.