<aside> 🧠 A mental model is simply a representation of how something works. We cannot keep all the details of the world in our brains, so we use models to simplify the complex into understandable and organizable chunks. - https://fs.blog/mental-models/
</aside>
What is Cyber Defense? How is it different from Cyber Security? Cyber Defense is about the strategy (of what matters & why) employed to disrupt attacks, while Cyber Security focuses on how (tactically) to protect your network from threats. Strategies & Tactics are two sides of the same coin. Let’s dissect Cyber Defense with a First Principle mentality.
<aside> 🔥 Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat - Sun Tze
</aside>
There is no shortage of models & guides related to “HOW” you should implement products, controls & compliance with checklists. For instance, NIST’s “Identify, Protect, Detect, Respond & Recover” functions, controls for “Authentication, Authorization & Accounting”, Information Security requirements of “Confidentiality, Integrity & Availability”.
From Attack by Stratagem (謀攻) chapter:
<aside> 🧠 故曰:知彼知己,百戰不殆;不知彼而知己,一勝一負;不知彼,不知己,每戰必敗。
</aside>
Translates (by Lionel Giles) to:
<aside> 📢 Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
</aside>
Most high-level frameworks & controls help with “knowing yourself” (indirectly) in terms of networks & assets. Many companies (& even government agencies) appeared in headlines for the wrong reasons related to breaches are pretty well-equipped with compliance checklists & controls.
Mistranslation of this stratagem assumes “victory when we know our enemy & ourselves”, which it is never the case for Cyber Defense since most organisations do not retaliate. We can at best work to remain “undefeated”, which is what “不殆” means. Unenviable job because no one remembers defenders’ “victories”, but everyone remembers the breaches.
Sadly, many are in the category of “know neither the enemy nor themselves”. They have poor network visibility & situation awareness that attackers can literally take their own sweet time to explore the victim’s network.
With these in mind, let’s examine the problem at its roots.
Fire fighters & law enforcers don’t start off learning about fire engines, water pumps, patrol cars & fire-arms. Instead, every FireFighter needs to internalise the Combustion Triangle & for Law Enforcers, they learn Motivation, Means & Opportunity when evaluating suspects. So why should Cyber Defenders start off with assuming “prescriptions of HOW to ...” (largely in form of buying products & ticking checkboxes) would assure safety & security?