Audience at Security Leaders Summit advised by Threatlocker on how to make themselves a tougher target
Seamus Lennon, VP Operations, Threatlocker
Organisations can make themselves tougher targets for cybercriminals by adopting a proactive, default-deny security framework, says Threatlocker VP
Seamus Lennon, VP Operations at Threatlocker, opened his presentation to the Computing Security Leaders Summit with a stark message:
“You are competing to NOT be chosen.”
As cybersecurity strategy has shifted away from prevention, the audience of security leaders were reminded that the most effective defences do not stop at keeping attackers out at the perimeter but also limit what they can do once inside. In short: make your business a hard target.
The Reality of Modern Cybercrime
Cybercrime has evolved into a highly industrialised, revenue-driven ecosystem. Attackers are not hacking their way into sophisticated targets; they are picking off the easiest ones. Speed and return on investment drive their decisions.
One of the most overlooked realities is that attackers often dwell within environments before acting. In some high-profile cases, adversaries remained undetected for weeks, observing systems and planning their attack.
This is exactly what happened in the cyberattack on the Health Service Executive (HSE) of Ireland in 2021. Lennon explained:
“When they investigated afterwards, it turned out that the hacking group had gained access eight weeks before they initialised the ransomware attack. They sat in there for eight weeks just monitoring before they carried out the attack.”
It is in the dwell phase of attacks that “living off the land” techniques are utilised. These weaponise legitimate tools like PowerShell or built-in Windows utilities. Because these actions mimic normal behaviour, they blend in and evade traditional detection systems and can be missed by cybersecurity teams suffering from alert fatigue.
How do attackers choose targets?
According to Lennon, cybercriminals typically evaluate marks based on factors such as:
- Internet exposure – Are systems easily accessible?
- Credential availability – Are compromised credentials circulating?
- Default configurations – Are systems poorly hardened?
- Endpoint controls – Is there visibility and control over devices?
Soft targets tend to allow unrestricted software execution, grant widespread administrative privileges, and rely heavily on tools such as EDR or MDR, which Lennon categorised as reactive. These solutions detect and respond, but only after compromise.
“Here is the hard truth,” said Lennon, “If it can run, it can be abused.”
Zero Trust flips the model
A Zero Trust or default-deny architecture flips this model on its head and makes a much harder target for cybercriminals.
“A hard target,” said Lennon, “is one where actions are only explicitly allowed.”
Not breach-proof as such, but breach-resilient. Key characteristics include:
- Default deny execution: Only explicitly approved applications can run.
- Least privilege access: Users and applications receive only the access they need, and only temporarily.
- Application and behaviour control: Software is restricted in what it can do, where it can connect, and what data it can access.
- Data protection: Controls prevent unauthorised exfiltration and misuse.
- Network segmentation: Limits lateral movement across systems.
This approach shifts security from detection to control. If malicious code cannot execute, attacks cannot progress.
Less noise, more action
Many organisations are overwhelmed by alerts yet lack meaningful protection. Detection without control leads to delayed response and increased risk. Zero Trust flips this model by reducing the number of executable actions in the environment. This means fewer scripts, fewer privileges and fewer opportunities for attackers.
You don’t need to outrun the bear
Lennon concluded that cybersecurity is no longer just a technical concern. Downtime, operational disruption, and reputational damage all carry significant business impact. Prevention, via strong control frameworks, consistently proves more cost-effective than recovery.
For security and IT leaders, the strategic imperative is clear: In today’s threat landscape, the organisations that survive are not the ones that never get attacked – they are the ones attackers choose to avoid.
You don’t have to outrun the bear, just be faster than any other people in the vicinity.
