I’ve come a long way in my view of more traditional security controls. For the longest time, I labored under the misapprehension that endpoint solutions were just signature based and that SIEM solutions’ primary value was in retrospective analysis of breaches, rather than threat hunting as augmented by relatively novel ideas like User Behavior Analytics (UBA). However, one of my opinions remains unchanged – that organizations are not doing enough in advanced detection. The perimeter reinforcements and commodity controls like endpoint antivirus have secured companies to a degree. They’ve even protected against successive generations of commodity malware and even offered a degree of safety against human attackers, but the landscape is changing. Attackers have been using stealth tactics to evade detection, and given that privilege escalation in many modern organizations is a relatively trivial task, then an attacker can vanish into the administrative landscape and ultimately complete his campaign. Add to this the fact that bug bounties offered by legitimate sources are often dwarfed by black market values, then zero days and all the associated access offered to hackers into their targets means that security teams have a tougher job than ever.
The additional backdrop is that pressure to innovate is increasing. Finally the boardroom is waking up to the fact that wise technology investments offer competitive advantage, and so practitioners must focus here too. This presents us with a quandary. How to add value to existing controls, and offer a means of improving on the existing capabilities. In the years I’ve been exposed to Deception as a discipline, I remain convinced that it offers this. Advanced detection of attackers and sophisticated malware on the network and a means to shift the economics of the attack from the defender to the attacker. In other words, make it more time consuming, costly, risky and ultimately less lucrative for attackers to engage protected organizations.
I’ve said this before, but it bears repeating. Putting a fake network of IT assets, customized to look like the real infrastructure, but prevented from offering any meaningful access to the attacker to real properties is the next phase in IT security maturity. We have perimeter controls, end point controls, human controls and yet the only line tracking at the same gradient as IT spend is the number of successful data breaches. It’s astonishing to me why the security industry isn’t questioning why. If we move our focus from ‘impossible perfect prevention’, to a more rational blend of prevention and detection, we immediately focus on attackers already on the network, and those who have already procured detailed knowledge of our infrastructure on the black market. A deceptive infrastructure should have no legitimate user or system talking to it. If something does talk to it, we have a misconfigured system, or a bad guy. The misconfigurations are easy to whitelist, and so as a result we then have improved visibility of the attackers, their targets and their methods. All of this with a high degree of confidence that we’re pursuing material risk to the business, rather than chasing false positives and further succumbing to alert fatigue.
Please don’t misunderstand. I think that the traditional controls espoused by Defense in Depth principles are sound, and are critical for inclusion in 21st Century security strategy. But we’re not standing on the shoulders of giants here, because the attackers are having continual growth spurts, motivated by higher rewards and largely flatlined risk. Deception offers the very best behavioral indicators of wrong doing, because nothing should be talking to a deceptive infrastructure. Similarly, intelligence about how deceptive credentials are being used in the wider security environment offers a means of identifying pre-existing attackers on the network and closing the controls that they exploited to get there.
For my money, it represents the best possible blend of control innovation and detection efficacy currently available.
Written by: Nick Palmer, Attivo Networks Technical Director, Europe