Written by: Tony Bradley, Senior Manager of Content Marketing for Alert Logic and Editor-in-Chief of TechSpective

Traditional cybersecurity is almost entirely reactive. You follow established best practices, implement security tools and processes, and then you wait. You wait for an attacker you hope won’t come, and you hope you can detect and respond fast enough to avoid or minimize damage. The problem is that the attacker always gets the first move, and in most cases the best you can do is put out fires as quickly as possible. Organizations need to shift to a new strategy—a more proactive defense.
Best Defense Is Good Offense
The concept that the best defense is a strong offense is a fundamental strategy of both sports and combat. Military strategists and philosophers from Sun Tzu to Machiavelli to George Washington and Mao Zedong have all professed some variation of the theme that a good offense—or active defense—is the key to success.
When it comes to cybersecurity, an active defense means implementing a proactive security strategy that gives you the advantage over attackers. Attacks are virtually constant, and it is essentially unavoidable that an attacker will eventually succeed in penetrating your defenses and gaining access to your network or data. Instead of just reacting and scrambling to put out fires, though, you should have infrastructure in place that allows you to conduct surveillance of the attacks and gather as much intelligence as possible on the attackers and the tools, techniques, and procedures (TTPs) used. This intelligence on the adversary can then be actively applied to strengthen your defenses, make certain that the attack has been completely removed, and better prepare for the next attack.
Advantages of Deception Technology
Deception technology is uniquely suited to implementing an active defense strategy. There is a common perception that deception technology is nothing more than decoys—an early warning system that hopefully enables you to react sooner to suspicious or malicious activity. That is true; however, deception technology also provides a variety of capabilities that enable organizations to gather the intelligence necessary to gain an advantage over attackers.
Deception technology provides security teams with the ability to create a proactive defense against attackers—setting decoy landmines that lie in wait for the attacker, and strategically placed lures designed to reveal attackers inside your network. Additionally, unlike other methods of detection, deception technology doesn’t stop at identifying an intruder in the network. With the Attivo solution, you can safely monitor the attacker’s movement to gain a better understanding of how they are attacking and what they are seeking. This knowledge is tremendously useful, but it is all too often lost when an attack is simply blocked or when an attacker is using polymorphic or other advanced forms of attack. Application deception can also be a useful resource for providing insight into credentials and user systems that have been compromised.
Attivo DecoyDocs are another approach used to gather counterintelligence on what the attacker is seeking to steal. When an attacker exfiltrates a DecoyDoc, it yields valuable information about the types of assets or data that are being targeted. When the attacker opens the file, it reveals geolocation tracking information that pinpoints where the file was opened, so you can identify where the attack originated.
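To make the two mechanisms above concrete, here is a small added example (not Attivo's code and not any product API) of how a defender's correlator turns planted lures and DecoyDoc beacons into alerts: any authentication with a decoy account fires regardless of outcome, and a beacon from a registered document token records where the file was opened. The decoy account names, hostnames, tokens, addresses and log format are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed inventory of planted lures (hypothetical names): decoy account ->
# where the breadcrumb was placed, so a hit also tells us which host was touched.
DECOY_LURES = {
    "svc_backup_admin": "fileserver-01 (browser-saved credential)",
    "finance_share_ro": "workstation-22 (mapped-drive breadcrumb)",
}
# Constructed DecoyDoc registry: beacon token embedded in the file -> document name.
DECOY_DOCS = {"tok-7f3a": "Q3_acquisition_targets.xlsx", "tok-91c0": "payroll_export.csv"}
AUTH_RE = re.compile(r"auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\S+)")
BEACON_RE = re.compile(r"beacon token=(?P<tok>\S+) src=(?P<src>\S+)")

@dataclass
class Alert:
    kind: str    # "decoy-credential" or "decoydoc-open"
    src: str     # source address of the activity
    lure: str    # decoy account or document that fired
    detail: str

def correlate(lines):
    """Turn raw auth and beacon log lines into deception alerts. Any use of a
    decoy account is suspicious even if the login failed: nobody legitimate knows it."""
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m and m["user"] in DECOY_LURES:
            alerts.append(Alert("decoy-credential", m["src"], m["user"],
                                f"planted on {DECOY_LURES[m['user']]}; login {m['res']}"))
        b = BEACON_RE.search(line)
        if b and b["tok"] in DECOY_DOCS:
            alerts.append(Alert("decoydoc-open", b["src"], DECOY_DOCS[b["tok"]],
                                "opened from an external address: file was exfiltrated"))
    return alerts

def targets_by_source(alerts):
    """Group the lures each source touched: what the intruder went after."""
    out = {}
    for a in alerts:
        out.setdefault(a.src, []).append(a.lure)
    return out

# Constructed sample log; addresses, hostnames and timestamps are invented.
SAMPLE_LOG = [
    "2024-05-01T10:01:02 auth user=jsmith src=10.0.5.14 result=success",
    "2024-05-01T10:07:41 auth user=svc_backup_admin src=10.0.5.14 result=failure",
    "2024-05-01T10:08:03 auth user=finance_share_ro src=10.0.5.14 result=success",
    "2024-05-02T03:22:19 beacon token=tok-7f3a src=203.0.113.77",
]
```

Running `targets_by_source(correlate(SAMPLE_LOG))` groups the touched lures per source address, which is the compact "what were they after" picture the text describes.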
Bullseye on Your Back
Another strategic advantage of deception technology is that it gives you the information you need to mitigate against returning attackers. Once you’ve been successfully attacked, the odds go up significantly that you will be attacked again. It’s like your network has a bullseye painted on its back, making it a more attractive target to adversaries.
The Mandiant M-Trends 2018 Report from FireEye states, “Global data from the past 19 months found that 56 percent of all FireEye managed detection and response customers which received incident response support were targeted again by the same or a similarly motivated attack group. Findings also show that 49 percent of customers with at least one significant attack were successfully attacked again within one year.”
If an attacker that has already compromised your network once returns, they will have a jump start on network reconnaissance and lateral movement. They will already have some idea of the layout of your network and the assets you have available. Deception technology changes the balance of power and enables you to collect information about attacker TTPs, IOCs (indicators of compromise) and valuable counterintelligence that sheds light on attacker capabilities, goals and the information they are targeting, so you can anticipate returning attackers and use the intelligence you’ve gathered to bait and trap future attacks.
Raise the Bar with Proactive Defense
Responding quickly when an attack occurs is crucial. Deception technology is instrumental as an early warning system that enables you to detect suspicious or malicious activity sooner and minimize your reaction time, but it also plays a critical role in elevating your security posture and giving you a strategic advantage.
Having a proactive defense makes it harder for attackers by making it unclear what is real and what is fake, by increasing their costs as they are forced to move slower, and by derailing their attacks. The ability to conduct reconnaissance of an attacker’s tools and techniques, gather intel on what attackers are after, and determine where an attack originated arms your organization with the information it needs to strengthen its defenses. An active defense rooted in deception technology is the type of “strong offense” that provides the best defense because it simultaneously improves your ability to identify and thwart attacks while acting as a deterrent to future attacks.