Nietzsche, Lockbit and Darwin...
"What does not kill me makes me stronger." When Nietzsche penned this phrase in 1888 in his book Twilight of the Idols, he was referring to the recurring physical pain that haunted him. Little did the philosopher know that this idea would be used extensively in many fields, including personal development, to illustrate the notion of resilience.
Taken at face value, this maxim obviously applies to cybersecurity. Any crisis or cyber-attack that is not fatal to a company is a source of learning. This is what we call return on experience (RETEX, REX, ROE): what went well, and what do we need to improve for next time? Some speak of cyber-resilience, a particularly fashionable concept in these days of ransomware.
Yes, but...
But there's more to this sentence than meets the eye. In a cyberattack, there are always two players: the attacker and the victim. While the victim may come out the better for it, the attacker also gains experience. What doesn't kill the attacker also makes him stronger.
This is exactly what LockBitSupp, leader of the Lockbit cybercrime group, said at the end of February, after part of its infrastructure was seized during Operation "Cronos", led by police forces from eleven countries (including the FBI, Europol and the C3N of the French Gendarmerie):
“I am on the right track, that even if I make mistakes, it doesn’t stop me and I correct my mistakes and keep making money. This shows that no hack from the FBI can stop a business from thriving, because what doesn’t kill me makes me stronger.”
A biological metaphor that goes even further...
In biology, this maxim has long been known in a much more subtle and realistic variant: "what doesn't kill you mutates and tries again".
Consider the COVID-19 virus and its many variants, which have evolved through mutation. Natural selection has favored new variants that are resistant to existing immunities.
Consider the flu vaccine, whose new seasonal strain is merely the expression of the virus's new annual attempt to infect its hosts.
Consider why it's dangerous not to finish your course of antibiotics: the most resistant bacteria survive and reproduce. What doesn't kill you will mutate and get stronger.
An endless race
Let's stay with the metaphor of the living world and its iterations: try, fail, mutate, try again. It becomes a veritable race between attack and defense.
One example is the growing sophistication of sandboxes, a veritable petri dish in which malware is unmasked by its suspicious behavior. On the one hand, malware tries to guess when it is not running in a real environment (for example, by noticing the absence of mouse movement). On the other hand, sandbox solutions compete in ingenuity to simulate credible activity and avoid arousing the malware's suspicion (slowing down, moving the mouse, emulating external connections...).
Another telling example is the evolution of phishing over the last twenty years. Every time the industry introduces new protection solutions, the world of cybercrime mutates and evolves. We've all seen how the spelling has improved. Beyond that, it's all the underlying technical and social-engineering effort that entices you to click on malicious links: multiple redirects, fake portals, not to mention the bypassing of multi-factor authentication.
Cyber risk, like a biological virus, is a living threat, very different from a static risk like a storm or a fire. Opposite us, we have an intelligence that thinks, that responds to our actions, that learns and improves with every blow. We need to take this into account in the short term of crisis management, but also over the long-term cycle of cyber-attacks.
Cyber-resilience is not enough
"That which doesn't kill us makes us stronger": the resilience interpretation is no longer enough. Between two failures, the attacker will sharpen his weapons and become smarter, more motivated and more successful. This is essentially what LockBitSupp states in his press release:
“I am very pleased that the FBI has cheered me up, energized me and made me get away from entertainment and spending money, it is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI, there is a sporting interest and desire to compete. With competitors who will make more money and attack more companies, and with the FBI whether they can catch me or not, and I’m sure they can’t, looking at the way they work.”
Operation Cronos didn't completely destroy his capabilities, and Lockbit indicates that he'll be back at it, aware of his previous weaknesses and better armed. He will have mutated.
If you, too, are not part of this dynamic of continuous progress, you won't survive this stupidly Darwinian logic.