In 2000, a 15-year old from Quebec conducted a successful Distributed Denial of Service (DDoS) attack against Yahoo!, Amazon, CNN, Dell, and several other large websites. For these corporations, this attack came out of nowhere, due to the fact that DDoS was a relatively new threat at the time. Fast forward to 2016, while DDoS attacks still occur, most large organizations have employed layers of protection to help prevent them from happening.
While DDoS is nothing new, modern cyber threats continue to emerge in unexpected ways. Because of this, it is difficult to preemptively defend against them. Traditionally, asymmetric threats are real-world warfare instances where a small, unpredictable force, encounters a weakness within a larger one, and obtains the ability to overcome it through the exploitation of this vulnerability.
As in the example above, asymmetric threats can also be attributed to cyber warfare because of the similarly unpredictable battlefield, targets, and threat actors, as well as the vast utilization of unforeseen attack vectors. At the time, nobody could conceive of an attack such as this one happening—especially at the hands of a 15-year old.
A more current example of an asymmetric threat would be ransomware. Through a bit of social engineering, an unsuspecting group or individual can encrypt entire drives and demand payment for the decryption key. Even if those affected do pay the ransom, there is never a guarantee that the data will be fully restored.
Defending against asymmetric threats is an ongoing challenge regardless of what needs to be protected. The best defense is for security teams to stay vigilant with well-formulated prevention, detection, and mitigation plans. In addition, when it comes to asymmetric threats, more than just networks and systems need to be protected. Security teams should practice distributed defense and multilayer hardening tactics in order to best defend against both standard and asymmetric threats. Organizations must also expand outside of these teams to create a security culture, which will, in turn, create a human-multilayer defense system against asymmetric threats.