To strengthen defenses after a cyber-attack, where you’re not looking is as important as where you are, writes CSO and author Nick Shevelyov.
June 6, 1944 will forever go down in history as D-Day. That was the day the Allied forces sent B-17 planes to carpet bomb Normandy, France. These planes had a high mortality rate—they were shot out of the sky at a much higher frequency than the Allies had expected. As the B-17s landed in the English airfields, the United States Army Air Corps (USAAC) analyzed the damage.
They noticed that a disproportionate number of the returning planes had their noses blown off. Their initial reaction to this finding was to take precautionary measures to harden the nose of the plane, which they began doing on both new and existing planes.
Then a mathematician named Abraham Wald performed another analysis and discovered that the nose of the plane was not the weak area that needed to be hardened. The USAAC was only sampling a subset of the total population—in this case, the survivors of the battles that returned. In doing so, they made an error in their decision-making process about where to harden the plane.
Wald realized that if the USAAC were to measure the full population of planes that were flying into battle, they would notice the untouched portions of the returning planes were actually the weakest and most fragile areas. And to cut down on losses, they needed to turn their attention to protecting those weak, fragile areas—not the plane’s far-stronger nose. That urge to only examine the returning planes, then make adaptations based on them, is “survivor bias” in action.
Today, 77 years later, we still struggle with survivor bias—and, just like it did for the USAAC, it can cause us to focus on the wrong things, and miss the real weaknesses. That’s particularly true in today’s digital defense realm, especially when it comes to ransomware attacks. And so, if you’re the victim of a cyber attack, I’m encouraging you to go beyond the sample size of machines that were impacted but survived, so you can find the fragile, weak areas that need to be shored up to protect your digital assets.
Look at Your Broader Environment
It is not an exaggeration to say there is some form of cyber attack taking place at any given location and at any given time. Some of the most common are ransomware attacks. In these instances, an attacker targets the victim using a trusted email source or website.
They purchase advertisements on sites you know and trust, and when you click on one of those advertisements, it downloads malicious software onto your computer. From there, a vicious cycle begins: the software establishes itself on your endpoint and goes on to carry out some kind of malicious action.
For example, it will encrypt your laptop or desktop and write itself on any resources to which you have access. Many organizations have had numerous resources locked up for ransom by these types of attacks.
When a ransomware attack happens, an organization’s common course of action is to respond to the asset population that was impacted by the attack. Unfortunately, when they do that, they don’t take into consideration the broader environment. As a result, they can’t accurately determine which of their existing controls worked to prevent the attack, and which ones didn’t.
Become Aware of Your Survivor Bias
Imagine your company is attacked by malware that infects a number of machines. What would you do? If you are like most people, you would focus on the infected machines. But doing so will blind you to the subset of laptops and desktops that were not impacted.
That is why it’s so important to be aware of your survivor bias. If you pause to ask why some assets were affected by the malware while others were not, you can dig deeper and find the core problem.
Perhaps the malware was so sophisticated that it was operating-system aware. Or perhaps your endpoint, your laptop or desktop, wasn’t patched. Perhaps there was bad hygiene that led to a broader issue.
No matter what the case is, by using Wald’s mental model, you can approach a malware outbreak using behavioral analysis. You can broaden your sample size and get a better understanding of your layers of defense and resilience. In other words, you can create your own immunization to the threats you face.
Always Dig Deeper
Survivor bias is tricky. When we identify a problem, whether it’s a B-17 bomber that got shot down or a computer that got infected because of a cyber attack, our first tendency is to try to figure out why. And that’s a good instinct; it just needs to be coupled with digging as deeply as possible.
We need to think holistically. The answer isn’t just slapping a harder nose on the airplane. We must take the time to think through what other aspects of our hygiene are failing. The symptom might be an infected system, but the root cause might be a step missing in your security process, or a people problem.
When bad things are happening, sample beyond the specific outcomes. Think more broadly and holistically about your layers of defense and your overall resilience. Then, use that information to do a root cause analysis. That way, you can avoid falling victim to survivor bias, and instead, ensure that you find and address the true core of the problem rather than just a symptom.