04 - How to succeed by thinking like the enemy

In order to know how to defend you must know how to attack

Posted by on 14th Jul 2025


In the previous article we looked at the frameworks that can be used to manage cyber security risk. These frameworks provide security controls that can be used to prevent or stop attacks.

However, we need to understand that what frameworks offer are recommended actions that should be taken. They are not a sure way to stop the adversary, especially a determined attacker. You will very easily find organizations that have implemented information security controls and had those controls audited, yet are still getting attacked. Examples of such organizations that I have witnessed are Sysmex Japan and Kenya Urban Roads Authority (information from data leaked by ransomware attackers).

In addition, the frameworks contain a very large number of controls. For example, NIST SP 800-53 Revision 5 has around 1,190 controls and control enhancements across its 20 control families. For a newly appointed CISO, where do they start on this long list, and what do they prioritize?

The solution: you have to adopt the mindset of the attacker in order to succeed. You have to understand which actions they take in order to achieve their objectives.

Take ransomware as an example. It turns cyber security into a boxing match: on one side of the ring is the threat actor (whom we are defending against), who has experience in what they do, has trained for years at it, and has far better skills; on the other side there is you....

How can you make sure that you do not get a beating?

ANS: Understand their process, their techniques and the tools they use.

The point is: do not focus too much on the details of the frameworks. Think about the attacker, what they would do, and what you must do to defend against it. Compliance will follow as you add cyber defense controls. Demonstrate your cyber defense initiatives through documentation; that documentation is what will give you compliance.

There is cyber security for the sake of regulators and there is cyber security to protect the assets of a company.

However, it is good to keep in mind that there is no 100% security: there are companies with a cyber security team and a good budget that still get hacked.

To be able to defend well, you have to have an attacker's mindset.

Read this article to begin understanding your enemy: who we are defending against. Think of your organization in a ransomware situation. What do you think will happen if you lose access to all your files and systems?
