The Best [Cyber] Defense is a Good [Cyber] Offense

The 2018 NFL season kicks off this week, meaning football fans and fantasy team owners are gearing up for what’s sure to be an exciting season. There are lots of expressions and sayings in football, like “there’s no ‘I’ in team” or “clear eyes, full hearts, can’t lose.” But there’s one saying that is particularly applicable to cybersecurity: The Best Defense is a Good Offense.

Yet, many organizations aren’t employing this best practice when it comes to cybersecurity. So in honor of the upcoming season, let’s use football to outline some basic principles companies should leverage to improve their cyber operations.

Passive vs. Active Defense

So what do I mean when I say “The Best Defense is a Good Offense” applies to cybersecurity?

DISCLAIMER: No, I don’t mean companies should start attacking back at hackers.

However, too many organizations are focused on deploying perimeter defenses to protect their corporate assets and data. This is obviously important, but shouldn’t be the only strategy in play. That’s like a football team simply stacking all 11 men at their goal line for every defensive play. You’re going to give up a lot of ground to your opponent, and you’re still leaving room for them to find the endzone.

Instead of waiting back at the goal line, you should be lined up where your opponent is and trying to stop them before they get into your half of the field, your red zone and ultimately, your endzone.

For cybersecurity teams, you need to look beyond “goal line” defenses (i.e. endpoints, firewalls, DNS solutions) to proactively stop your opponent. The further down the field you can stop them, the less likely they are to score.

This can be done with Cyber Threat Intelligence (CTI). The goal of CTI is to monitor hacker activity across the web to anticipate cyberattacks against your organization and your customers. In other words, it’s trying to understand the Who, What, Where, When and Why behind a cyberattack so you can take the appropriate actions to defend against it. It also helps organizations protect against new, less-traditional attack vectors, like customer phishing, cyber fraud and brand impersonation.

In football, you should be reading your opponent and adjusting your strategy based on their formations, tendencies, field position and time of game. Cyber Threat Intelligence helps you do the same thing for hackers, enabling you to anticipate how they might attack and adjust your defense to give you the best chance of stopping them.

Keys to Success

Here are some football-related best practices to keep in mind that use threat intelligence to proactively defend against your opponents.

  1. Watch Game Film: Football teams don’t just show up on gameday and see what their opponent does. They study them to understand their tendencies, identify their strengths and learn how they like to attack. Security and threat intelligence teams should be doing the same. You need to know your adversaries, how they like to attack and what motivates them. This typically involves HUMINT gathering and threat actor engagement, which can be very valuable, but also quite dangerous.
  2. Anticipate the Play: Depending on how a team lines up at the line of scrimmage, you can get an idea of what play they might run, giving you a better chance of defending against it. The same goes for cyberattacks. Attackers often tip their hands to their intentions based on their web activity, coordination and planning. Knowing what to look for can help you anticipate their play, giving you a better chance of defending against it.
  3. Take Away Their Best Weapons: Whenever you’re going against a strong opponent or top player, you always want to reduce their impact on the game. This is called taking away a team’s weapons. Every team has their strengths and weaknesses, and knowing your opponents’ strengths can help you better defend against them. For example, if you know a cybercrime group likes to use phishing to steal employee credentials, then you need to be monitoring for newly registered domains that might be used in this kind of attack. Rather than waiting for your DNS or endpoint solution to try to stop a phishing attack, identifying a malicious domain when it is registered gives you more time to react and mitigate the threat before it’s used against you.
  4. Minimize Turnovers: Turnovers can make the difference between winning and losing, because they give up possession of the ball and usually put your opponent in a position to score. Just like in football, minimizing cyber “turnovers” makes it more difficult for your opponents to score on you. From 2017 to 2018, we saw a 40% increase in bank employee credentials leaked online, making it easier for hackers to access corporate systems. Make sure you’re minimizing data leaks within your organization and that, if data is leaked, you have the tools in place to identify the leakage and lock down any credentials that may have been compromised.
  5. Practice Makes Perfect: While there is no such thing as a perfect security strategy, practicing different security incidents and training employees on best practices can be the difference between stopping an attack and getting breached. No football team shows up to week 1 without going through training camp. Your team should be trained and conditioned on cybersecurity best practices, so you can reduce your risk of attack. Additionally, make sure your threat intelligence and incident response teams practice different attack scenarios, so that when it’s gametime, they know what they should be doing and how to respond appropriately.
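
The domain monitoring described in item 3 can be sketched as a triage pass over a feed of newly registered domains. This is an added example, not code from IntSights or the original post; the brand `examplebank`, the keyword list and the sample feed are constructed assumptions, and the last label is treated as the TLD with no public-suffix handling.

```python
import re

# Constructed values for illustration (assumptions, not from the article).
BRAND = "examplebank"
LEGIT = ("examplebank.com",)
KEYWORDS = ("login", "secure", "verify", "account", "support")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(label):
    """Fold common digit and letter-pair look-alikes back to plain letters."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(domain):
    """Return the reasons a domain looks like an impersonation of BRAND."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT or domain.endswith(tuple("." + d for d in LEGIT)):
        return []  # our own domain or one of its subdomains
    name = domain.rsplit(".", 1)[0]  # drop the last label (simplified TLD)
    brand, reasons = normalize(BRAND), []
    for raw in filter(None, re.split(r"[.\-]", name)):
        tok = normalize(raw)
        if raw == BRAND:
            reasons.append("brand-embedded")
        elif tok == brand:
            reasons.append("homoglyph")
        elif edit_distance(tok, brand) <= 2:
            reasons.append("typosquat")
        elif brand in tok:
            reasons.append("brand-substring")
    if reasons:  # lure keywords only matter next to a brand signal
        reasons += ["keyword:" + k for k in KEYWORDS if k in name]
    return reasons

def triage(feed):
    """Map each suspicious domain in a registration feed to its reasons."""
    return {d: r for d in feed if (r := check_domain(d))}

# Constructed sample of one day's newly registered domains.
NEW_DOMAINS = ["examplebank.com", "online.examplebank.com", "examp1ebank.com",
               "examplebank-login.net", "exmaplebank.org",
               "myexamplebanksupport.info", "gardening-tips.com"]
```

Domains returned by `triage(NEW_DOMAINS)` are candidates for analyst review, blocklisting or a takedown request before they appear in a phishing campaign.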


No matter who your opponent is, whether it’s a cybercrime group, a lone hacktivist, or the Dallas Cowboys, you need to know their tendencies and anticipate how they might attack. Leveraging Cyber Threat Intelligence enables you to learn about your cyber-adversaries and anticipate attacks, so you can proactively mitigate threats and reduce your overall cyber risk. As we get excited for the upcoming NFL season, remember that cybersecurity and threat intelligence don’t have the luxury of timeouts or an offseason. You need to make sure your strategy is constantly evolving to give you the best chance of defending against threats.

Good luck to all the teams this year and remember, The Best [Cyber] Defense is a Good [Cyber] Offense!
