U.S. Departments of Commerce, Homeland Security Release on Action Threats: A Deception Company’s Perspective
By: Carolyn Crandall
On January 5th, 2018 the U.S. Department of Commerce and the U.S. Department of Homeland Security released a draft report in response to President Trump’s May 11, 2017, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and in an effort to strengthen defenses against automated cyberattacks.
The report focuses on addressing automated botnets and other automated threats as the next major security threats that organizations need to be prepared to defend against, particularly in the infrastructure, Operational Technology, and IoT space. Created in conjunction with both government and input from the private sector, the report has compiled five complementary goals that would improve the resilience of the ecosystem and 6 principle themes for organizations to focus on to combat these threats. Under each goal and theme, I have added my perspectives on the role that deception can play in improving these security defenses.
1. Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace
• Deception technology is a natural complement to existing prevention security infrastructure and adds early detection of in-network threats that have managed to bypass other security controls. The paper also calls on Industry to expedite the development and deployment of innovative technologies for prevention and mitigation of distributed threats, of which deception is one such technology.
2. Promote innovation in the infrastructure for dynamic adaptation to evolving threats
• Unlike signature-based solutions, deception uses engagement vs. database look up to identify threats. This is key in catching human and automated attackers as they use new variants or zero-day attacks to penetrate an organization. Regardless of how an attacker breaches a network, Deception technology is positioned to detect them once they attempt to progress their attack.
• As enterprises migrate towards cloud to provide more comprehensive offerings to their customers and users there presents a new risk which is securing both environments in transition. Attivo Networks provides such flexibility ensuring constant monitoring for compromise to your most critical assets within the enterprise and cloud environments alike.
3. Promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior
• In addition to network-based detection, Attivo deception also provides detection at the endpoint with agentless deployment designed to detect attempts at credential theft. Attivo can also model potential attack paths to further strengthen security defenses. Deception technology easily deploys across any type of network, whether it be enterprise IT or OT (IoT/SCADA). The paper recommends that Enterprises should migrate to a network architecture that facilitates detection, disruption, and mitigation of automated, distributed threats. Attivo Deception can enhance detection, disrupt attacks, and help mitigate automated attacks such as ransomware.
• Attivo helps to not only identify adversaries within the enterprise we also provide organizations a very mature sandbox to become their own malware forensics and threat intelligence source. Expanding upon today’s thinking of Threat Intelligence being received from external organizations, enterprises are working to build out their own internal capabilities for threat intelligence aggregation and analysis. Attivo Networks specifically helps develop knowledge from within your own enterprise which is most critical to the incident reponse process.
4. Build coalitions between the security, infrastructure, and operational technology communities domestically and around the world
• Attivo Networks is active in FS-ISAC, NH-ISAC, R-CISC, ISAOs, ISACs, and other communities and actively works to educate the communities and share threat defense strategies and information. Additionally, Attivo Networks presents educational webinars and other events for industry-specific security topics, such as SCADA, medical device, point-of-sale, to name a few.
5. Increase awareness and education across the ecosystem
• In addition to being active with community associations, Attivo participates in Cybersecurity month, tradeshows, seminars, events, and works with industry analysts on research for improving threat detection and reducing attacker in-network dwell time.
1. Automated, distributed attacks are a global problem.
• Attivo sees an increase in automated attacks and the rise of sophisticated human attackers.
2. Effective tools exist but are not widely used.
• There has been a shift from a heavily prevention-based security control mentality to one that includes more attention to detection and improvement of incident response. We saw a dramatic increase in customers adopting deception technology due to its efficiency and accuracy in early threat detection and its ability to improve incident response.
• Mature players in areas of security innovation must prove their capabilities incorporate security controls to further enhance security compliance within the enterprise. Attivo Networks is proud to have DOD UC APL and FIPS 140-2 certifications building confidence in the industry.
3. Products should be secured during all stages of the lifecycle.
• Deception technology can increase security for systems that are inherently vulnerable at the time of deployment and lack the ability to be patched or are end-of-life with patches no longer being made available. Customers have deployed Attivo Deception in energy, medical, and building infrastructure environments to reliably gain visibility when an attacker attempts to compromise them.
• Additionally, understanding the actions of an attack throughout all attack phases is critical for stopping a successful breach. Deception technology plays throughout the entire kill chain and closes critical gaps with detection of credential harvesting and lateral movement. Moreover, with its 3rd party integrations, it plays a powerful role in quarantining infected systems, blocking exfiltration, and threat hunting for other forensic artifacts.
4. Education and awareness are needed.
• There are a lot of beliefs that delay organizations from adopting detection technology. Some myths that are addressed by deception technology include:
• Too many false positives: Deception is engagement-based and as such will only alert when decoys are hit, use of deception credentials is attempted or data deceptions are attempted.
• Too many logs and not enough resources to get through them: Attivo alerts are substantiated with information that contains the infected endpoint, full TTP, IOCs, and other forensic reporting required to quickly and efficiently shut down the attack.
• I don’t have the bandwidth to add detection: Deception is an extremely efficient method of detecting attackers. Decoys and lures are placed throughout the network to attract and reveal attackers. Deployment is easy: deception is deployed out of band, decoys are projected, endpoint deceptions are agentless AND, with the addition of deception campaigns and adaptive deployment, updating deceptions is automated and can be done at the simple push of a button. No additional headcount is needed to operate deception. Time savings from the solution’s value more than offset any operational overhead.
5. Market incentives are misaligned.
• Hmmm, not sure how much more is needed for motivation vs. having your name unfavorably in the news headlines, fines, and the loss of customers. Yes, of course, the new bill to send people to jail for inadequate disclosure ups the ante.
6. Automated, distributed attacks are an ecosystem-wide challenge.
• The report is correct, and no one will be able to solve this in a silo. Government and commercial organizations all need to work together to close security gaps, share information, and facilitate automation to streamline incident response. Attivo Networks is deeply committed to this belief and as such has an extensive list of 3rd party integrations that automate incident response, and we actively collaborate with these partners to educate the market on the benefits of an adaptive defense as outlined in the Gartner, Inc. security model.
The Department of Commerce is requesting comment on the report, seeking a response to the issues raised and goals it identifies, as well as the proposed approach, current initiatives, and next steps. We encourage all interested parties to contribute, similar to what Attivo Networks is doing in outlining the value of deception in this plan.
Following the comment period, the Department of Commerce will host a two-day workshop to discuss a way forward. The workshop will be held February 28 and March 1 at the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence in Rockville, Md. A final report, incorporating comments and other feedback received, is due to the President on May 11, 2018.
All interested stakeholders are encouraged to comment on the draft report. Comments must be received by 5 p.m. Eastern Time on February 12, 2018. Written comments may be submitted by email to Counter_Botnet@list.commerce.gov.