Written by: Carolyn Crandall – Chief Deception Officer

Over 6 billion people regularly rely on access to some form of energy, and there is a goal of universal access by 2030 to the modern services that deliver electricity, plumbing, heat, telecommunications, and the internet. Additionally, hundreds of millions will drive their cars, use public transit, or fly aboard airliners as part of their livelihood. People expect the nation’s infrastructure to keep operating, as it plays a foundational role in most of our everyday lives. Unfortunately, it is also an attractive target for cyberattacks. As transportation hubs, power grids, and communications networks become increasingly digitized, the likelihood of attack rises exponentially. In some cases attackers strike simply to see if they can; in others, the intent is disruption or harm to human safety.
Unsurprisingly, this topic has attracted considerable public attention, leading the US government to create the Cybersecurity and Infrastructure Security Agency (CISA) just last year. And while recognition of the problem is a step in the right direction, the rapid digitization that industries like energy and transportation have undergone further complicates the task of securing their networks, as new attack surfaces emerge for attackers to exploit. As smart grids, traffic management systems, and more become widely deployed, they add to the attack surface that security professionals must address. Because such systems commonly have limited built-in security, attackers are finding more ways to penetrate or circumvent perimeter defenses. In-network security solutions that give visibility and early detection are becoming an increasingly essential part of the infrastructure security control stack. Given that many of these systems cannot run anti-virus, cannot produce the typical logs used to identify anomalies, and cannot stop using admin/admin as login credentials, organizations have turned to deception technology as a means to efficiently detect and derail attacks on energy facilities and critical infrastructure.
A Wide Range of Potential Threats
A nation’s infrastructure faces many types of threats, ranging from common credit card theft to the disruption of power grids or air traffic management systems, making the potential consequences of an infrastructure-based cyberattack severe. Accessing CCTV systems intended for a wide variety of surveillance programs may not seem as critical on the surface, but it can have material consequences for a person’s or child’s privacy or physical safety. Many OT devices can also be compromised and then leveraged in unison for a broader denial-of-service attack. Whatever the motivation, the opportunity for harm can escalate quickly and have dire consequences.
These potential attackers include not just small-scale hacktivists or cyber criminals, but in some cases, terrorists and hostile nation-states. While Russian election hackers have made quite a few headlines over the past few years, they aren’t the only ones with the motive or means to target infrastructure—civil or otherwise. The 2015 attack that disrupted Ukraine’s power grid was the first known attack of its kind, but other attacks have done varying degrees of damage throughout the world—including in the US. Just this year a “cyber event” affected grid networks in California, Utah, and Wyoming, and while there were no recorded blackouts, it was a sobering reminder that American infrastructure is not immune to attack, and traditional approaches to security are not necessarily sufficient or effective in today’s interconnected world.
The Battleground Has Shifted to Inside the Network
Security professionals agree that having a strong perimeter defense is essential—but it is equally important to have a plan for early detection of adversaries who manage to bypass them. Assuming that attackers have already compromised the network and adopting controls to detect and respond to them has become a necessary security strategy, especially when it pertains to sizeable infrastructure systems.
Once an attacker has gained a foothold in the network, they typically have the freedom to quietly run reconnaissance, harvest credentials, and gather a “blueprint” of the network to escalate their attack. Deception technology is designed to detect all forms of attempted lateral movement, essentially locking down the endpoints so that any attacker movement is revealed immediately. This is done by placing attractive decoys, credentials, drive shares, services, and other forms of lures on the endpoint and throughout the network to deceive the attacker into engaging. The smallest engagement with any deception asset immediately results in a high-fidelity alert backed by rich attacker information. As a result, organizations employing deception technology have reported a 90%+ reduction in dwell time, the time an attacker can remain undetected within the network. These same security professionals also report a high rate of confidence in detecting threats, compared to the substantially lower confidence of non-users of deception technology.
As the potential for harm caused by attacks on critical infrastructure continues to increase, the ability to gather detailed adversary intelligence becomes even more significant. Deception technology has proven particularly adept at collecting and correlating threat and adversary intelligence, which is extremely valuable in generating substantiated alerts and customized intelligence, helping defenders reduce their response time to verified threats. Security professionals commonly recognize deception for the fidelity of its “signal to noise” ratio, based on the accuracy of each alert. Native integrations are also available so that blocking, isolation, and threat hunting can be automated and response times improved. By further automating and accelerating the detection and remediation processes, deception technology adds greater value to existing security controls and reduces the risk of a successful attack on industrial control and business infrastructure.
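To make the detection and correlation model described above concrete, here is an added example (not code from this article or from any deception product) that matches constructed telemetry against a small inventory of decoy hosts, decoy shares, and honeytoken credentials; every touch yields an alert, and sources that engage several distinct decoys are flagged for the automated isolation integration. All asset names, addresses, and log lines are constructed.

```python
from collections import defaultdict

# Constructed deception inventory; legitimate users and processes never reference these,
# so any event that does is an engagement by definition.
DECOY_HOSTS = {"scada-hist-02", "plc-backup-07"}
DECOY_SHARES = {r"\\fs-eng-01\ProjectArchive", r"\\scada-hist-02\Historian"}
HONEY_CREDS = {"svc_backup_ot", "hmi_admin"}

# Constructed sample telemetry: timestamp followed by key=value fields.
SAMPLE_LOG = r"""
2024-03-01T02:14:05Z event=logon src=10.10.4.21 user=j.ortiz dst=eng-ws-03
2024-03-01T02:14:09Z event=smb_open src=10.10.4.21 user=j.ortiz share=\\fs-eng-01\Drawings
2024-03-01T02:15:31Z event=logon src=10.10.4.58 user=hmi_admin dst=eng-ws-11
2024-03-01T02:15:40Z event=smb_open src=10.10.4.58 user=hmi_admin share=\\fs-eng-01\ProjectArchive
2024-03-01T02:16:02Z event=connect src=10.10.4.58 dst=plc-backup-07
2024-03-01T02:17:15Z event=connect src=10.10.9.3 dst=scada-hist-02
""".strip().splitlines()

def parse(line):
    """Split one log line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    rec.update(f.partition("=")[::2] for f in fields)  # (key, value) pairs
    return rec

def classify(rec):
    """Return every deception asset this event touched; empty for genuine traffic."""
    hits = []
    if rec.get("user") in HONEY_CREDS:
        hits.append(("honeytoken_credential", rec["user"]))
    if rec.get("share") in DECOY_SHARES:
        hits.append(("decoy_share", rec["share"]))
    if rec.get("dst") in DECOY_HOSTS:
        hits.append(("decoy_host", rec["dst"]))
    return hits

def detect(lines):
    """One high-fidelity alert per decoy touch, plus the touches grouped by source host."""
    alerts, by_source = [], defaultdict(list)
    for line in lines:
        rec = parse(line)
        for kind, asset in classify(rec):
            alert = {"ts": rec["ts"], "src": rec["src"], "event": rec["event"],
                     "kind": kind, "asset": asset}
            alerts.append(alert)
            by_source[rec["src"]].append(alert)
    return alerts, dict(by_source)

def isolation_candidates(by_source, min_assets=2):
    """Sources that engaged several distinct decoys are moving laterally: hand them to isolation."""
    return sorted(src for src, touches in by_source.items()
                  if len({t["asset"] for t in touches}) >= min_assets)
```

Normal activity from 10.10.4.21 produces nothing, while 10.10.4.58 generates four alerts across three distinct decoys and is the only host returned for isolation.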
Deception Technology Represents a Path Forward
The US government has taken the unusual step of “de-digitizing” some aspects of the country’s core infrastructure, replacing connected systems with analog ones to isolate them from potential attack. While this approach has its merits, it is a step backwards and does not align with where global connected economies and infrastructure are going. Rather than trying to isolate these systems, the government needs to focus on in-network protections capable of detecting intruders and alerting defenders early, before those intruders can achieve their goals. One of the more progressive measures proposed comes from NIST. The standards organization released a draft version with new guidance on June 19 that lays out 31 new recommendations for contractors to harden their defenses and protect unclassified (but still sensitive) government data that resides on their networks from advanced persistent threats (APTs) or government-sponsored attackers. Such data can range from Social Security numbers and other personally identifiable information to critical defense program details. The recommendations include processes like implementing dual-authorization access controls for critical or sensitive operations, employing network segmentation where appropriate, deploying deception technologies, establishing or employing threat-hunting teams, and running a security operations center to monitor system and network activity continuously.
Deception technology is clearly a missing piece of the security stack “puzzle.” Adding it to both upstream and downstream security controls reduces risk related to design and operational gaps in security, and it improves a security team’s understanding of how an attacker got in, how they are attacking, and potentially what they are after. All of this comes without disruption to operations or the need for agents or monitoring.