4/18/2017 02:00 PM
Tom Kellermann
Commentary

Intrusion Suppression: Transforming Castles into Prisons

How building cybersecurity structures that decrease adversaries' dwell time can reduce the damage from a cyberattack.

Winter is coming in 2017 and, as in Westeros in Game of Thrones, geopolitical tension continues to serve as the harbinger of destructive attacks. In the real world we are talking about cyberattacks, and the threats are not dragons and wights but campaigns like Pawnstorm against NATO over the security of the Baltics, the ISIS and AQAP quagmire in the Mideast and, closer to home, increasingly disillusioned American voters turning toward organized hacktivism to vent their fury and frustration.

Given these harsh realities, it is imperative that we as an industry build our cybersecurity architectures on a deeper understanding of how attackers operate and what they do once they are inside the castle walls. As the recent Verizon Data Breach Investigations Report noted, most breaches are not discovered for at least 100 days. This damning reality necessitates a paradigm shift. According to the same report, in 81.9% of breaches the initial compromise took only minutes, while in 67.8% of breaches the attackers reached the exfiltration stage within days. The report also noted that it took victim organizations months to respond to an intrusion.

Given that the cybercriminal keeps a footprint inside a company network for an extended period, organizations must alter their security posture accordingly: the metric by which we should assess the potency of a countermeasure is how effectively it decreases the adversary's dwell time. Reduced dwell time is the measurable quantity against which an enterprise can value its return on investment. To see what reducing dwell time buys the enterprise, examine what the enterprise pays once exfiltration of its data occurs: the longer the intruder operates undetected, the more data leaves and the larger the bill for containment, remediation and reputational damage.

SuperMax Prisons & Cybersecurity Architectures
In 1933, the United States Department of Justice opened Alcatraz Prison in San Francisco Bay. Its purpose was to incarcerate a caliber of prisoner described as "desperate or irredeemable," in response to the hardened organized criminals arrested by the FBI. In recent years came the recognition that older architectures like Alcatraz were insufficient to house the contemporary criminal and terrorist. Thus, in 1994 the Federal Bureau of Prisons opened the Administrative Maximum Facility (ADX) in Florence, Colorado, housing the likes of Ted Kaczynski, Timothy McVeigh and Robert Hanssen.

Image credit: Lightspring via Shutterstock

These SuperMax "control-unit" prisons, or units within prisons, represent the most secure level of custody. Their objective is long-term, segregated housing for inmates classified as the highest security risks in the prison system; the facility was built to keep criminal masterminds imprisoned permanently. The prison contains a multitude of motion detectors and cameras and more than a thousand remote-controlled steel doors, and pressure pads and 12-foot-tall (3.7 m) razor-wire fences surround the perimeter. Early detection of movement is paramount, because the prisoners will attempt to tunnel out.

An Alcatraz for your Network
The same construct should be applied to your hybrid network environment. Early detection matters because the longer the adversary dwells in the environment, the longer it takes to detect and contain the breach, the more it costs to resolve, and the harder the brand's reputation is hit.

To thwart a virtual jailbreak with the intellectual property and credentials that could do irreparable damage to a brand, cybersecurity leaders must embrace the concept of "intrusion suppression" by altering their architecture to emulate the SuperMax prison. Intrusion suppression requires clandestine detection, deception, diversion and eventual containment of the adversary. It involves four steps, each of which detects the intruder earlier or constrains their lateral movement, and so shortens dwell time:

Step 1: Deploy a deception grid (decoy systems and credentials) to enhance situational awareness and to deceive and divert the adversary without their knowledge.

Step 2: Deploy user and entity behavior analytics, which provides contextual analysis of the adversary's activity and lateral movement against a baseline of normal behavior.

Step 3: Deploy adaptive authentication with contextual verification to eliminate any access the adversary has gained to your network.

Step 4: Embrace memory augmentation to hunt the adversary in the wild.
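The following is an added example and is not code from the original commentary or from any product the author describes. It turns steps 1 to 3 and the dwell-time metric from earlier in the piece into something runnable over a handful of constructed authentication log lines: a deception grid of decoy hosts and honey credentials that no legitimate workflow ever touches, a per-user baseline of destination hosts against which fan-out to several never-before-seen hosts is scored as lateral movement, a mapping from alerts to access-revoking actions, and a dwell-time figure computed as the gap between the first off-baseline event and the first alert. Every host name, user name, threshold, log format and log line below is an assumption made for the illustration; in a real deployment the baseline is learned from weeks of history and the actions are wired to the identity provider.

```python
"""
Added example (not from the original article): a minimal "intrusion
suppression" pipeline run over constructed authentication log lines.

Step 1 (deception grid): decoy hosts and honey credentials that no
        legitimate workflow touches, so any access is a high-fidelity alert.
Step 2 (user entity behaviour analytics): a per-user baseline of
        destination hosts; fan-out to several never-before-seen hosts in a
        short window is scored as lateral movement.
Step 3 (adaptive authentication): alerts are mapped to containment
        actions that pull the adversary's access.
The result also reports dwell time, measured here as the gap between the
first off-baseline event and the first alert.

All host names, user names, thresholds and log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deception grid (assumed names): decoys and honey credentials.
DECOY_HOSTS = {"fileserv-backup01", "sql-legacy03"}
HONEY_USERS = {"svc_backup_admin"}

# Constructed baseline of hosts each user normally logs into. In practice this
# is learned from weeks of history; unknown users get an empty baseline.
BASELINE = {
    "alice": {"ws-alice", "fileserv01"},
    "bob": {"ws-bob", "fileserv01", "jenkins01"},
}
LATERAL_THRESHOLD = 3           # distinct new destination hosts ...
WINDOW = timedelta(minutes=30)  # ... within this window = lateral movement

# Constructed log lines: "<ISO timestamp> <user> <src_host> -> <dst_host> <result>"
SAMPLE_LOG = """\
2017-04-18T09:00:00 alice ws-alice -> fileserv01 success
2017-04-18T09:05:00 bob ws-bob -> jenkins01 success
2017-04-18T13:01:00 bob ws-bob -> hr-db01 success
2017-04-18T13:04:00 bob ws-bob -> fin-app02 success
2017-04-18T13:06:00 bob ws-bob -> sql-legacy03 success
2017-04-18T13:09:00 svc_backup_admin ws-bob -> fileserv-backup01 success
"""


def parse(line):
    ts, user, src, _arrow, dst, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": src, "dst": dst, "result": result}


def analyse(log_text):
    """Return alerts (ts, kind, user, detail), first suspicious event, dwell time."""
    alerts = []
    new_hosts = defaultdict(list)   # user -> [(ts, dst)] off-baseline logins
    first_suspicious = None
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["result"] != "success":
            continue
        suspicious = False
        # Step 1: deception grid. Decoys have no legitimate users, and honey
        # credentials are never used legitimately, so either is an alert.
        if ev["dst"] in DECOY_HOSTS:
            alerts.append((ev["ts"], "DECOY_ACCESS", ev["user"], ev["dst"]))
            suspicious = True
        if ev["user"] in HONEY_USERS:
            alerts.append((ev["ts"], "HONEY_CREDENTIAL", ev["user"], ev["dst"]))
            suspicious = True
        # Step 2: UEBA. Track off-baseline destinations per user and alert the
        # first time a user reaches LATERAL_THRESHOLD new hosts inside WINDOW.
        if ev["dst"] not in BASELINE.get(ev["user"], set()):
            suspicious = True
            recent = [(t, h) for t, h in new_hosts[ev["user"]] if ev["ts"] - t <= WINDOW]
            recent.append((ev["ts"], ev["dst"]))
            new_hosts[ev["user"]] = recent
            distinct = sorted({h for _, h in recent})
            if len(distinct) == LATERAL_THRESHOLD:
                alerts.append((ev["ts"], "LATERAL_MOVEMENT", ev["user"], ",".join(distinct)))
        if suspicious and first_suspicious is None:
            first_suspicious = ev["ts"]
    dwell = alerts[0][0] - first_suspicious if alerts else None
    return {"alerts": alerts, "first_suspicious": first_suspicious, "dwell_time": dwell}


def containment_actions(alerts):
    """Step 3 analogue: map alerts to (hypothetical) access-revoking actions."""
    actions = set()
    for _ts, kind, user, _detail in alerts:
        if kind == "HONEY_CREDENTIAL":
            actions.add(("disable_account", user))       # credential is known-stolen
        else:
            actions.add(("require_step_up_auth", user))  # contextual re-verification
    return sorted(actions)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ts, kind, user, detail in result["alerts"]:
        print(f"{ts.isoformat()} {kind:18} {user:18} {detail}")
    print("dwell time until first alert:", result["dwell_time"])
    print("containment:", containment_actions(result["alerts"]))
```

On the constructed log the first off-baseline login is bob reaching hr-db01 at 13:01; the decoy touch at 13:06 raises the first alert, so the reported dwell time is five minutes rather than the months the report above describes. Note that the decoy fires on a single event with no baseline at all, which is why a deception grid is the cheapest of the four steps to get a signal from, while the behavioral rule needs a threshold and a window, both of which an adversary who moves slowly can stay under.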

These investments are fundamental to turning the tables on the cybercriminal of 2017. Enterprises should invest in complementary technologies that specifically aim to diminish adversary dwell time through intrusion suppression. Not only will they keep costs down in the event of a breach by stifling the adversary's exfiltration of meaningful data, they will also protect the reputation of the breached enterprise.

As a community of white hats, we must respect our adversaries and spin the chessboard. The proper strategy for your organization is to build a structure that inhibits the free movement of the adversary once they have penetrated your systems. We must transform our castles into prisons.

Tom is a cyber intelligence expert, author, professor, and leader in the field of cybersecurity. Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection ...