The Art of Attack vs. the Science of Resilience

From personal experience I can definitively say that there is no such thing as 100% cyber security. As we can see from the ever-growing number of cyber attacks, every organization has some weaknesses that cyber attackers can exploit. It is just a question of whether attackers can find them.


Cyber attackers think holistically in graphs, not lists. Attacks are not single-shot, straightforward activities; attackers look for any weakness that can give them a foothold or the ability to advance. They don’t care if the weakness is caused by a missed patch, a misconfiguration, or a weak password. It is all fair game. They don’t care if the initial breach is on the target device or on some other system. What sometimes looks to the untrained eye like random activity can be attackers moving about looking for a foothold that brings them a step closer to obtaining their target – something they can exploit or steal. In the adversarial cyber defense world, the best you can do is to make your systems and network as resilient to cyber attacks as possible.


Resilience relies on the ability to anticipate and withstand cyber risk, so the path to resilience is through detailed cyber risk assessment and actionable, timely cyber risk management. I am going to make another strong, unequivocal statement – cyber risk analysis and management is completely dependent on an understanding of how attackers attack in general, and specifically how attack techniques and methods can be used to threaten your organization. That understanding then needs to be translated into an operational resilience roadmap of the most cost-effective actions to lower your cyber risk. Just as attackers do not stop at a single attempt, this can’t be a one-time quick fix – it needs to be an ongoing effort of continuous improvement.


Even if you have an army of cyber analysts and defenders at your disposal, you’ll need tools and processes to make the most of your existing cyber controls or find the most effective new controls. I’ll make another unequivocal statement here – the only effective tools are those that provide scenario-based, adversarial risk management based on threat intelligence. Cyber security management is shifting to a risk management discipline, i.e. optimizing cyber security by minimizing risk and maximizing resilience in line with the business’s risk appetite.


In following posts we at Orchestra will describe how a digital cyber twin (and its associated AI reasoning) combines the art of attack, the science of defense and the business of IT to provide organizations with unparalleled holistic cyber risk and resilience operational insights and roadmaps.






One Response

  1. I think the term maturity and resilience is counterintuitive, as you cannot be resilient while you have a low level of threat prevention and detection capability. What’s really missing is an evolutionary model to system control design, development and management which focuses on resistance against a dynamic threat. Some controls will act better in withstanding an attack and some might fail, like your hundred thousand next gen firewall. The maturity cannot be left to be defined by vendors thus but something which needs collective insight into operational security aspects of your organization. This wholesome experience can never be fulfilled without a framework that defines how the controls from a static risk profile can be designed to track and be self-aware of their own security state. Risk assessments are at best a passive exercise, and for “as is” security architecture we need to have controls that can fight these adversaries on our network as a single unit.
