Not everyone feels comfortable driving a Hummer for their morning commute, and most people don’t have to wear combat boots to work. But when it comes to the hardware, software and platforms that keep business safe, shouldn’t companies have the same caliber tools and products that the nation’s most elite cyber teams have?
To defend against evolving threats, far too many companies still rely on off-the-shelf, consumer-grade solutions. Today’s attackers are using government-level cyber weapons. Whether they are state-sponsored threat agents or hacker syndicates, the tactics, techniques and procedures they use won’t be stopped by consumer-grade solutions.
Enterprises need military-grade cybersecurity protections that are tested and validated just as rigorously as the vehicles, weapons and associated delivery platforms the armed forces try out on the proving grounds.
Don’t bring a knife to a gun fight
We see more examples of criminal organizations using government-level attack tools to threaten businesses daily. Since its release by the Shadow Brokers, EternalBlue, the exploit for the Windows Server Message Block (SMB) protocol developed by the National Security Agency, has been used in numerous high-profile attacks, including WannaCry and NotPetya. Even Cobalt Strike, originally developed as a penetration testing tool, has been cracked, pirated and widely adopted by malware operations.
On top of that, commercial vendors are starting to create and sell nation-state-level cyber weapons of their own. An analysis by Google’s Project Zero of ForcedEntry, the infamous zero-click attack from NSO Group, revealed how a determined commercial organization could find obscure but impactful vulnerabilities and build highly sophisticated exploits to serve its customers’ attack goals.
When attackers pick up heavier cyber weapons, commercial organizations should arm themselves with similarly sophisticated defensive technologies.
Get the benefit of the government’s rigorous product testing
Departments of Defense don’t mess around when it comes to their cybersecurity stack. They directly test three characteristics of their products: efficacy, scalability and security, which all benefit commercial organizations as much as they benefit the government.
The last few years have seen a transformation of military development shops. Organizations like the U.S. Air Force’s Kessel Run and the U.S. Army’s Program Executive Office for Simulation, Training and Instrumentation (PEO STRI) are running agile-inspired programs that are a far cry from the old “slow and steady” reputation of government contracting. They require vendors to compete to participate in the program, presenting to a panel of expert cybersecurity professionals to show their value.
But it doesn’t stop there; vendors then need to show ongoing delivery and value to stay in the program. This level of scrutiny means that the commercial products they select have to be exceptional. While you might not have the resources for such intensive evaluations, you can rely on the government’s work to pressure-test these vendors and their products for you.
Cybersecurity products must perform under tough conditions. Government customers regularly test the scalability and availability of the products their vendors provide, meaning that you know a product the government is using will be reliable.
Close partnership with vendors means military-grade products are highly usable
Those same new-age military programs that are subjecting the products they select to rigorous evaluations are also working with the vendors in an agile-inspired manner to deliver better features. This close partnership approach means that vendors hear from actual users constantly, providing extra insight into the user experiences their customers need.
Gone are the days when military-grade products were over-engineered and overly complicated. Today, vendors are producing solutions that can handle nuanced government needs while being user-friendly.
One such product is the cyber range, which has been used by several government and military organizations in the U.S. and allied nations (including U.S. Cyber Command, the departments of Homeland Security and Energy, and more) to hold joint exercises in which teams practice responses, improve detection techniques and deploy counter-hacking tactics.
Cyber ranges not only provide an environment for the deployment of real malware and attacks without compromising production systems, but exercises that utilize cyber ranges also help to assess public and private sector-wide communications, information sharing mechanisms, crisis management protocols, decision-making and legal and regulatory considerations.
Military-grade cyber tools aren’t just a “nice to have” anymore for critical industries. If the last two years have taught us anything, it’s that attackers are ready to weaponize military-grade cyber resources against any entity, regardless of size. It’s time for organizations to have the tools, training and technologies of equal strength ready to respond, defend and secure their business with confidence.
David Berliner is the director of security strategy for SimSpace Corporation.