12/12/2013
11:06 AM
Tom Bowers
Commentary

Time For An 'Active Defense' Against Security Attacks

Today's threat landscape and the mobility of our data demand much more than a castle wall approach to keep hackers at bay.

Since the first Internet attack made headlines, IT security professionals have based our defenses on a reactive model: if we make the walls higher and thicker, we will keep attackers from storming the ramparts. History has shown that cyberattackers are far too agile for such brute force to work. Combined with the mobility of our data, the castle wall model is no longer sufficient; to protect our core assets effectively, we need a far more active defense.

In short, we need to think more about our attackers and how we can frustrate the offensive model they use.

Let's start with active intelligence (threat intelligence, as the market now calls it). This is a growing segment of the security marketplace, with vendors offering everything from general threat and trend reporting to highly specific intelligence on threats against individual organizations. Imagine having near real-time intelligence that relates to your business alone, and being able to feed it into your firewall as block rules, into your intrusion prevention system as signatures, or into your security information and event management (SIEM) system as a watchlist for correlation. Such services are available today, and companies are beginning to realize their value.
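As an added example, not code from the article or from any intelligence vendor, here is the SIEM-side half of that idea in Python: a constructed indicator feed is aged and confidence-filtered, matched against constructed firewall log lines, and the surviving network indicators are turned into firewall drop rules. The CSV layout, the log line format, the addresses and the domain are all hypothetical.

```python
"""Matching a threat-intelligence feed against firewall logs, the way a SIEM
watchlist or a firewall block list would consume it.
Added example: the feed format, the log format and every address below are
constructed sample data, not a real vendor feed."""
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

# Constructed feed. Columns are a hypothetical minimal shape:
# type (ip|cidr|domain), value, confidence 0-100, last_seen ISO date, description.
FEED_CSV = """type,value,confidence,last_seen,description
ip,198.51.100.23,90,2013-12-10,C2 server seen in targeted campaign
cidr,203.0.113.0/24,60,2013-12-01,Hosting range used for phishing
domain,update-check.example,80,2013-12-11,Malware update domain
ip,192.0.2.77,95,2013-06-01,Old C2 server; long expired
"""

# Constructed firewall log lines (hypothetical free-text format).
LOG_LINES = [
    "Dec 12 10:01:07 fw1 accept TCP 10.0.4.15:52311 -> 198.51.100.23:443",
    "Dec 12 10:01:09 fw1 accept TCP 10.0.4.15:52312 -> 93.184.216.34:443",
    "Dec 12 10:02:44 fw1 dns 10.0.4.22 query update-check.example A",
    "Dec 12 10:03:01 fw1 accept TCP 10.0.7.9:40122 -> 203.0.113.88:80",
    "Dec 12 10:03:30 fw1 accept TCP 10.0.7.9:40123 -> 192.0.2.77:443",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def load_indicators(feed_text, today_iso, max_age_days=90, min_confidence=50):
    """Parse the feed, dropping stale and low-confidence rows so the watchlist
    does not flood the SIEM with alerts on infrastructure that is long dead."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    indicators = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        if int(row["confidence"]) < min_confidence:
            continue
        if date.fromisoformat(row["last_seen"]) < cutoff:
            continue
        ind = dict(row)
        if ind["type"] == "cidr":
            ind["network"] = ipaddress.ip_network(ind["value"])
        indicators.append(ind)
    return indicators


def _addresses(line):
    """All syntactically valid IPv4 addresses in a log line."""
    found = set()
    for text in IP_RE.findall(line):
        try:
            found.add(ipaddress.ip_address(text))
        except ValueError:
            pass  # e.g. 999.1.1.1 matched the regex but is not an address
    return found


def match_line(line, indicators):
    """Return the indicators that fire on one log line."""
    ips = _addresses(line)
    names = {d.lower() for d in DOMAIN_RE.findall(line)}
    hits = []
    for ind in indicators:
        kind, value = ind["type"], ind["value"]
        if kind == "ip" and any(str(ip) == value for ip in ips):
            hits.append(ind)
        elif kind == "cidr" and any(ip in ind["network"] for ip in ips):
            hits.append(ind)
        elif kind == "domain" and value.lower() in names:
            hits.append(ind)
    return hits


def scan_logs(lines, indicators):
    """(line, indicator) pairs: the rows a SIEM correlation rule would raise."""
    return [(line, ind) for line in lines for ind in match_line(line, indicators)]


def block_rules(indicators):
    """The firewall side: one outbound drop rule per network indicator."""
    return [f"iptables -A OUTPUT -d {ind['value']} -j DROP"
            for ind in indicators if ind["type"] in ("ip", "cidr")]


if __name__ == "__main__":
    inds = load_indicators(FEED_CSV, "2013-12-12")
    for line, ind in scan_logs(LOG_LINES, inds):
        print(f"ALERT [{ind['confidence']}] {ind['description']}: {line}")
    print("\n".join(block_rules(inds)))
```

The aging step is the part most teams skip: the expired indicator (192.0.2.77) is dropped before matching, so the connection to it in the last log line produces no alert and no block rule, while the three live indicators fire once each.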

The growth of advanced persistent threats demonstrates why we need to be concerned about intelligence. Targeted attacks, in which attackers conduct their own intelligence operations against a specific organization, are rising at a blistering pace. The attackers review job sites to find out what technologies you deploy. They scan SEC financial filings to determine your corporate leadership and how much you spend on IT and security initiatives. Finally, they read the presentations your people give to find out about your risk appetite and security stance. The challenge is to frustrate their ability to conduct this research.

False trails and bad intelligence
Intelligence professionals have long used false trails to feed bad intelligence to their opponents. We can do the same without creating ethical or legal concerns, provided the false trail stays in informal public channels such as job postings, web pages and discussion boards, and never in regulated or contractual disclosures such as SEC filings, which must be accurate. Imagine posting a job that lists older software versions than you're actually using, publishing a web page about information security initiatives that don't exist, or commenting on an Internet discussion board about your COBIT implementation when you're actually implementing ISO 27001. This may seem a bit outlandish, but the competitive intelligence field has used similar techniques for decades.

Lastly, there are the technology-based mechanisms for active defense. Some organizations run scripts that detect remote scans and return fictitious files or URLs to the scanning tool. Simply changing the banner your web servers broadcast from Linux/Apache to LISP/Hiawatha will derail many automated scanners, though only the naive ones: tools that fingerprint a server from header ordering, error-page formatting and TCP/IP stack behavior will see through a changed Server header, so treat a banner change as a cheap nuisance for attackers rather than as a control. Many other technological means are available to place roadblocks in the attacker's path, and there is an active community of security professionals discussing them.
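An added example of the script-based approach in Python, not code from the article: a small HTTP handler that advertises a misleading Server banner, publishes a robots.txt whose disallowed directories exist only as bait, answers scanner probes with a fictitious directory listing, and logs any request that follows the bait. The banner string, the decoy and probe path lists and the scanner user-agent markers are my assumptions.

```python
"""Decoy responses for automated web scanners: a misleading Server banner,
a robots.txt that advertises decoy directories, and fictitious content for
the paths scanners probe.
Added example; the banner, path lists and user-agent markers are hypothetical."""
import html
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

FAKE_BANNER = "Hiawatha/9.0 (LISP)"  # deliberately wrong, in the spirit of the article
# Decoy directories: never linked from real pages, only from robots.txt and from the
# decoy listings, so any request under them is a scanner or someone on the false trail.
DECOY_PATHS = ("/backup-2012/", "/admin-old/", "/db-export/")
# Paths automated scanners try regardless of what the site runs (constructed list).
PROBE_PATHS = {"/phpmyadmin/", "/wp-login.php", "/.git/config", "/.env", "/cgi-bin/test.cgi"}
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "nmap", "masscan", "zgrab", "dirbuster")


def tripwire_hit(path):
    """True when a request lands under a decoy directory."""
    return any(path.startswith(d) for d in DECOY_PATHS)


def is_scanner(path, user_agent):
    """Cheap heuristics: known tool UA, a decoy path, or a classic probe path."""
    ua = (user_agent or "").lower()
    return (any(m in ua for m in SCANNER_UA_MARKERS)
            or tripwire_hit(path)
            or path in PROBE_PATHS)


def build_response(raw_path, user_agent):
    """Return (status, headers, body); pure so it can be tested without sockets."""
    path = urlsplit(raw_path).path
    headers = {"Server": FAKE_BANNER, "Content-Type": "text/plain; charset=utf-8"}
    if path == "/robots.txt":
        # Scanners and attackers read robots.txt; the Disallow entries are the bait.
        body = "User-agent: *\n" + "".join(f"Disallow: {d}\n" for d in DECOY_PATHS)
        return 200, headers, body
    if is_scanner(path, user_agent):
        # Fictitious listing: every link leads to another decoy, so the tool reports
        # "findings" that do not exist and keeps walking the false trail.
        headers["Content-Type"] = "text/html; charset=utf-8"
        links = "".join(f'<li><a href="{d}">{d}</a></li>' for d in DECOY_PATHS)
        body = (f"<html><body><h1>Index of {html.escape(path)}</h1>"
                f"<ul>{links}</ul></body></html>\n")  # escape: a decoy must not be an XSS sink
        return 200, headers, body
    return 404, headers, "Not Found\n"


class DecoyHandler(BaseHTTPRequestHandler):
    server_version = FAKE_BANNER  # BaseHTTPRequestHandler builds the Server header from these
    sys_version = ""              # drop the "Python/3.x" suffix that would give the game away

    def do_GET(self):
        ua = self.headers.get("User-Agent")
        if tripwire_hit(urlsplit(self.path).path):
            # The high-value signal: nothing legitimate ever asks for a decoy path.
            logging.warning("decoy hit: %s from %s UA=%r", self.path, self.client_address[0], ua)
        status, headers, body = build_response(self.path, ua)
        self.send_response(status)
        for name, value in headers.items():
            if name != "Server":  # send_response already emitted Server from server_version
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, fmt, *args):
        logging.info("%s %s", self.client_address[0], fmt % args)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

Run it and `curl -sI http://127.0.0.1:8080/robots.txt` shows the fake banner and the bait directories. Two caveats: the banner fools only tools that trust the Server header (header order and error formatting still look like Python's http.server), and the decoy paths must never appear in real content, or the tripwire log fills with false positives.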

The idea here is a new way of thinking about the defense of your critical assets: plan methods that disrupt attackers' research methodology. Get them doubting the research they've conducted, and they may move on to easier targets. Admittedly, this is a time-consuming and tedious process, but it may slow the rate at which attackers currently seem to be winning.

Tom Bowers is the principal security strategist at ePlus Technologies. He has 30 years of experience in computer technology and information systems, and he has served as the chief architect for information security structures and protections in numerous industries.

Comments
Marilyn Cohodas,
User Rank: Strategist
12/16/2013 | 9:54:28 AM
Re: Lowest hanging fruit -- bounties
Yes, I've read about Microsoft's bug bounty program -- also Facebook. All good programs but unlikely to have the broad reach that will be necessary to defeat the hackers.
Marilyn Cohodas,
User Rank: Strategist
12/16/2013 | 9:44:17 AM
Re: It's not about the walls, it's about the moat...
@Stratustician, I love your analogy about a moat versus a wall as an active perimeter defense strategy. Also some very practical advice about whitelisting and WAFs. Anybody else have some suggestions to add to the list?
Stratustician,
User Rank: Strategist
12/15/2013 | 9:54:10 PM
It's not about the walls, it's about the moat...
When it comes to protecting ever moving data, I personally think there is benefit to implementing 2 main schools of thought: whitelisting and WAF.  Whitelisting data at the file level with permissions will help ensure that no matter where your data moves, it knows how it can be used.  This is particularly helpful in cloud environments, or for data that moves across geographic regions (think load balancing).

WAFs are a great way to basically dig a moat around your databases, or anything else connected to the internet.  While it's not necessarily the only means of security required, it's going to help filter most of the bad stuff and give you a lot less to worry about off the bat.  DDoS is also a much reduced headache with the help of a WAF.
TBowers,
User Rank: Apprentice
12/14/2013 | 4:47:18 PM
Re: Lowest hanging fruit
Marilyn, large companies are already doing this, Microsoft and Google to name just two. It seems to be helping a bit, but it is merely a trickle compared to how many exploits are written each day.
TBowers,
User Rank: Apprentice
12/14/2013 | 4:44:31 PM
Re: Lowest hanging fruit
We have to start somewhere. It would seem to me that listing an older version of your database in a job listing than what you really have, to lay a false trail, simply makes sense...and you can always ask the job candidate if they are familiar with newer versions during the interview. Of course this takes time and requires planning, but the status quo simply won't cut it anymore.
Marilyn Cohodas,
User Rank: Strategist
12/12/2013 | 2:34:50 PM
Re: Lowest hanging fruit
Interesting idea, Whoopty, about bounties for breach discovery. Are you suggesting that business offer incentives internally to IT staff or a broader outreach?
Whoopty,
User Rank: Moderator
12/12/2013 | 11:44:30 AM
Lowest hanging fruit
These methods do sound a bit outlandish, like you say, but I'd have thought that as long as you make it so you're not the lowest-hanging fruit, you'll be able to skate most of the time.

Offering bounties for security breach discovery is also a pretty good plan. That's worked well for Facebook, Mega and countless other sites. Maybe it's time more businesses tried that more active defensive action? 