Hostile Strangers: Thinking Through an ‘Assumption of Breach’ Mentality

Threat Detection

To paraphrase essayist Joan Didion: since the entrance of unexpected strangers is a given, maturity chiefly consists of the ability to acknowledge that sometimes those strangers will be hostile. 

Mature security strategy likewise faces this disconcerting truth, borne out by the growing acceptance of the necessity of breach assumption. We’ve begun to understand that to whatever degree perimeter security was possible before, work-from-home has exploded any notion of that feasibility into sheer fantasy. As so many have said, the question is no longer if but when.

Consequently, security strategy is pressured to reorganize itself under the premise that bad actors will invariably breach the system, if they have not already done so or are not doing so right now. This realignment is essentially a philosophical shift. It’s not just that prevention is no longer the main (or only) approach; it’s that we’ve admitted prevention isn’t actually feasible, to any real degree or for any real length of time.

But instead of a concession to malevolence, this admittance is and ought to be a call to arms. Shifting to a breach assumption mindset can mean adapting from a passive, avoidance posture to one of active, aggressive engagement, anticipating and deploying tactics rather than merely responding. Put simply, it’s upgrading from a siege survival plan to a battle plan––one that doesn’t end when the horde comes over the walls. 

At its most basic level, breach assumption addresses internal and lateral movement rather than going tunnel-vision on the perimeter. It means limiting an attacker’s ability to move freely once inside a network, identifying and purposefully segregating the most crucial elements, and having a proactive, comprehensive, and well-rehearsed response plan. 

In this way, breach assumption necessarily redefines the battlefield. When the perimeter is the only field of engagement, then once the perimeter is breached the battle is over. The attacker can run rampant once inside the walls. As a recent case in point, the scale of impact of the SolarWinds breach was largely due to a lack of attack path mitigation. The attacker used stolen credentials to travel between servers––there were, in a sense, no interior walls. Once inside, the attacker had immense access. 

But if instead an attacker is met at every conceivable turn by resistance, encounters disruption of optimal attack paths, and faces aggressive threat detection, the battle is not so quickly and fully conceded. The damage can be mitigated and controlled by thinking of active protection as a form of offense. Or, as Sun Tzu wrote, “Attack is the secret of defense; defense is the planning of an attack.”

A breach assumption mindset impacts strategy in precisely this way. Viewing protocols through this lens, assuming a breach will or has already occurred, can prompt a shift from defensive to offensive thinking. In much the same way, developing a comprehensive battle plan that treats defense as a form of attack provides an opportunity to think beyond tools and tactics to the driving values underneath. It can challenge us to think past personnel training, which remains ever crucial, to the underlying long-term strategy of cultivating deep institutional memory to foster continuity. It means taking an incident response plan out of the theoretical and actually running simulations. Putting the plan into practice is an opportunity to troubleshoot communication weak spots and see how duty assignments play out: who will notify users, clients, partners, and the general public, when will such notifications occur, and through which channels? 

Effective implementation requires an honest and searching assessment of current security capabilities and vulnerabilities, particularly the contextual awareness needed to balance security best practices with maintaining efficient operational function, and doing so under disruption. In the breach assumption mindset, the elements most necessary for your organization to continue to function during and after an incident are the ‘crown jewels,’ deserving of the most stringently layered protection. 

Threat detection demands a similar degree of self-knowledge: an accurate baseline of normal activity under normal conditions, which is what makes it possible to tell when a threat has actually been eradicated. The activity history and context provided by quality system visibility allow for identifying cause and scope, leading to a thorough and confident resolution––the ability to truly know whether any hostiles are still lurking behind your lines.

Operating in a breach assumption mindset means both building and training for disruption, producing systems, personnel, and tactics that are more well-trained warriors than frightened villagers. Developing such a mindset requires shifting from traditional modes of thinking to instead thinking of defense as offense. And this repositioning cultivates the ability to respond smoothly, immediately, and confidently in the crisis moment that inevitably comes.