Analytics // Security Monitoring
12/12/2013
11:06 AM
Tom Bowers
Tom Bowers
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Time For An 'Active Defense' Against Security Attacks

Today's threat landscape and the mobility of our data demand much more than a castle wall approach to keep hackers at bay.

Since the first Internet attack made headlines, IT security professionals have based our defenses on a reactive model: If we make the walls higher and thicker, we will prevent attackers from storming the ramparts. History has proven that cyberattackers are far too agile for such brute force to work. When combined with the mobility of our data, the castle wall theory is no longer sufficient; to protect our core assets effectively, we need a far more active defense.

In short, we need to think more about our attackers and how we can frustrate the offensive model they use.

Let's start with active intelligence. This is a growing vertical within the security marketplace. These vendors have offerings that cover everything from general threats and trends to highly specific threats against individual organizations. Imagine having nearly real-time intelligence that relates to your business alone -- and being able to feed that information into your firewall, intrusion prevention system, or security event and incident management system. Such services are available today, and companies are beginning to realize their value.

The growth of the advanced persistent threat market demonstrates why we need to be concerned about intelligence. Targeted attacks (in which attackers conduct intelligence operations against a specific organization) are rising at a blistering pace. The attackers review job sites to find out what technologies you deploy. They scan SEC financial filings to determine your corporate leadership and how much you spend on IT and security initiatives. Finally, they read the presentations your people give to find out about your risk appetite and security stance. The challenge is to frustrate their ability to conduct this research.

False trails and bad intelligence
Intelligence professionals have long used the concept of false trails to feed bad intelligence to their opponents. We can do the same without creating any ethical or legal concerns. Imagine posting a job that lists older software versions than you're actually using, publishing a web page on information security initiatives that don't exist, or posting comments on an Internet discussion board about your CoBIT implementation (when you're actually implementing ISO 27000). This may seem a bit outlandish, but the competitive intelligence field has been using similar techniques for decades.

Lastly, there are the technology-based mechanisms for active defense. Some organizations run scripts that detect remote scans and return fictitious files or URLs to the scanning tool. Simply changing the banner broadcast by your web servers from Linux/Apache to LISP/Hiawatha will derail many automated scanners. Many other technological means are available to place roadblocks in the attacker's path, and there is an active community of security professionals discussing them.

The idea here is a new way of thinking about the defense of your critical assets. Plan methods that disrupt attackers' research methodology. Get them to start doubting the research they've conducted, and they may move on to easier targets. Admittedly, this is a time-consuming and tedious process, but perhaps we can slow the rate at which our attackers seem to be winning now.

Tom Bowers is the principal security strategist at ePlus Technologies. He has 30 years of experience in computer technology and information systems, and he has served as the chief architect for information security structures and protections in numerous industries.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/16/2013 | 9:54:28 AM
Re: Lowest hanging fruit -- bounties
Yes, I've read about Microsoft's bug bounty program -- also Facebook. All good programs but unlikely to have the broad reach that will be necessary to defeat the hackers.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/16/2013 | 9:44:17 AM
Re: It's not about the walls, it's about the moat...
@Stratustician, I love your analogy about a moat versus a wall to as an active perimeter defense strategy. Also some very practical advice about whitelisting and WAFs. Anybody else have some suggestions to add to the list? 
Stratustician
100%
0%
Stratustician,
User Rank: Apprentice
12/15/2013 | 9:54:10 PM
It's not about the walls, it's about the moat...
When it comes to protecting ever moving data, I personally think there is benefit to implementing 2 main schools of thought: whitelisting and WAF.  Whitelisting data at the file level with permissions will help ensure that no matter where your data moves, it knows how it can be used.  This is particularly helpful in cloud environments, or for data that moves across geographic regions (think load balancing).

WAFs are a great way to basically dig a moat around your databases, or anything else connected to the internet.  While it's not necessarily the only means of security required, it's going to help filter most of the bad stuff and give you a lot less to worry about off the bat.  DDoS is also a much reduced headache with the help of a WAF.
TBowers
50%
50%
TBowers,
User Rank: Apprentice
12/14/2013 | 4:47:18 PM
Re: Lowest hanging fruit
Marilyn large companies are already doing this. Microsoft, Google to name just two. It seems to be helping a bit but merely a trickle as compared to how many exploits are written each day.
TBowers
50%
50%
TBowers,
User Rank: Apprentice
12/14/2013 | 4:44:31 PM
Re: Lowest hanging fruit
We have to start somewhere. It would seem to me that listing an older version of your database in a job listing than what you really have to lay a false trail simply makes sense...and you can always ask the job candidate if they are familiar with newer versions during the interview. Of course this takes time and requires planning, but the staus quo simply won't cut it anymore.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/12/2013 | 2:34:50 PM
Re: Lowest hanging fruit
Interesting idea, Whoopty, about bounties for breach discovery. Are you suggesting that business offer incentives internally to IT staff or a broader outreach?
Whoopty
50%
50%
Whoopty,
User Rank: Strategist
12/12/2013 | 11:44:30 AM
Lowest hanging fruit
These methods do sound a bit outlandish like you say, but I'd have thought as long as you make it so you're not the lowest hanging fruit, you'll be able to skate most of the time. 

Offering bounties for security breach discovery is also a pretty good plan. That's worked well for Facebook, Mega and countless other sites. Maybe it's time more businesses tried that more active defensive action? 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

CVE-2014-3991
Published: 2014-07-11
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) dol_use_jmobile, (2) dol_optimize_smallscreen, (3) dol_no_mouse_hover, (4) dol_hide_topmenu, (5) dol_hide_leftmenu, (6) mainmenu, or (7) leftmenu pa...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.