Analytics // Security Monitoring
12/12/2013
11:06 AM
Tom Bowers
Commentary

Time For An 'Active Defense' Against Security Attacks

Today's threat landscape and the mobility of our data demand much more than a castle wall approach to keep hackers at bay.

Since the first Internet attack made headlines, IT security professionals have based our defenses on a reactive model: If we make the walls higher and thicker, we will prevent attackers from storming the ramparts. History has proven that cyberattackers are far too agile for such brute force to work. When combined with the mobility of our data, the castle wall theory is no longer sufficient; to protect our core assets effectively, we need a far more active defense.

In short, we need to think more about our attackers and how we can frustrate the offensive model they use.

Let's start with active intelligence. This is a growing vertical within the security marketplace. These vendors have offerings that cover everything from general threats and trends to highly specific threats against individual organizations. Imagine having nearly real-time intelligence that relates to your business alone -- and being able to feed that information into your firewall, intrusion prevention system, or security event and incident management system. Such services are available today, and companies are beginning to realize their value.

The growth of the advanced persistent threat market demonstrates why we need to be concerned about intelligence. Targeted attacks (in which attackers conduct intelligence operations against a specific organization) are rising at a blistering pace. The attackers review job sites to find out what technologies you deploy. They scan SEC financial filings to determine your corporate leadership and how much you spend on IT and security initiatives. Finally, they read the presentations your people give to find out about your risk appetite and security stance. The challenge is to frustrate their ability to conduct this research.

False trails and bad intelligence
Intelligence professionals have long used the concept of false trails to feed bad intelligence to their opponents. We can do the same without creating any ethical or legal concerns. Imagine posting a job that lists older software versions than you're actually using, publishing a web page on information security initiatives that don't exist, or posting comments on an Internet discussion board about your COBIT implementation (when you're actually implementing ISO 27000). This may seem a bit outlandish, but the competitive intelligence field has been using similar techniques for decades.

Lastly, there are the technology-based mechanisms for active defense. Some organizations run scripts that detect remote scans and return fictitious files or URLs to the scanning tool. Simply changing the banner broadcast by your web servers from Linux/Apache to LISP/Hiawatha will derail many automated scanners. Many other technological means are available to place roadblocks in the attacker's path, and there is an active community of security professionals discussing them.
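As an added illustration of the two technical mechanisms just described (not code from the article or from ePlus), the following Python script does two things: it runs a simple scan detector over constructed Apache-style access-log lines, flagging a client that hits many distinct not-found paths in a short window, and it shows the response-side deception, replacing the real Server banner with the fictitious LISP/Hiawatha one from the text and answering a flagged scanner's probes with decoy content instead of a 404. The log lines, IP addresses, paths, banner strings and threshold are all constructed for the example.

```python
"""Added example: scan detection over access-log lines plus decoy responses.
Not part of the original article; all inputs below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Minimal Apache common/combined log parser: we only need client, time, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not real logs): 203.0.113.9 browses normally and
# mistypes one URL; 198.51.100.7 walks a list of guessed directories in seconds.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Dec/2013:11:00:01 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.7 - - [12/Dec/2013:11:00:02 +0000] "GET /admin/ HTTP/1.1" 404 212
198.51.100.7 - - [12/Dec/2013:11:00:02 +0000] "GET /login/ HTTP/1.1" 404 212
203.0.113.9 - - [12/Dec/2013:11:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.7 - - [12/Dec/2013:11:00:03 +0000] "GET /backup/ HTTP/1.1" 404 212
203.0.113.9 - - [12/Dec/2013:11:00:04 +0000] "GET /missing.html HTTP/1.1" 404 212
198.51.100.7 - - [12/Dec/2013:11:00:04 +0000] "GET /old/ HTTP/1.1" 404 212
198.51.100.7 - - [12/Dec/2013:11:00:05 +0000] "GET /test/ HTTP/1.1" 404 212
198.51.100.7 - - [12/Dec/2013:11:00:05 +0000] "GET /config/ HTTP/1.1" 404 212
"""

REAL_BANNER = "Apache/2.2.22 (Ubuntu)"   # constructed: what the server would normally send
DECOY_BANNER = "LISP/Hiawatha"           # the fictitious banner the article uses as its example


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unreadable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, window_seconds=60, threshold=5):
    """Return {ip: distinct_404_paths} for clients whose distinct not-found paths
    inside any window_seconds-long window reach the threshold.
    A single visitor with one or two typos never reaches it; a tool walking a
    wordlist does within seconds."""
    misses = defaultdict(list)  # ip -> [(timestamp, path), ...] for 404s only
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            # Distinct paths in the window ending at this event (list is time-sorted).
            recent = {p for t, p in events[: i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                flagged[ip] = max(len(recent), flagged.get(ip, 0))
    return flagged


def decoy_headers(headers, banner=DECOY_BANNER):
    """Return a copy of the response headers with the Server banner replaced and
    other stack-identifying headers (X-Powered-By) dropped."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("server", "x-powered-by")}
    out["Server"] = banner
    return out


def respond(ip, path, flagged, real_paths):
    """Pick a response: a real path gets real content; an unknown path from a
    flagged scanner gets a 200 with filler so the tool records a false hit;
    everyone else gets an honest 404."""
    if path in real_paths:
        return 200, "real content"
    if ip in flagged:
        return 200, "<!-- decoy -->"
    return 404, "not found"


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG.splitlines())
    print("flagged:", scanners)
    print(decoy_headers({"Server": REAL_BANNER, "X-Powered-By": "PHP/5.3",
                         "Content-Type": "text/html"}))
    print(respond("198.51.100.7", "/backup/", scanners, {"/", "/about.html"}))
```

Two practical notes: tune the window and threshold against your own traffic before acting on the flag, since search-engine crawlers and broken links from a popular referrer can also produce bursts of 404s, and log every decoy decision so the same signal feeds your SIEM rather than only confusing the scanner.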

The idea here is a new way of thinking about the defense of your critical assets. Plan methods that disrupt attackers' research methodology. Get them to start doubting the research they've conducted, and they may move on to easier targets. Admittedly, this is a time-consuming and tedious process, but perhaps we can slow the rate at which our attackers seem to be winning now.

Tom Bowers is the principal security strategist at ePlus Technologies. He has 30 years of experience in computer technology and information systems, and he has served as the chief architect for information security structures and protections in numerous industries.

Comments
Marilyn Cohodas (User Rank: Strategist), 12/16/2013 | 9:54:28 AM
Re: Lowest hanging fruit -- bounties
Yes, I've read about Microsoft's bug bounty program -- also Facebook. All good programs but unlikely to have the broad reach that will be necessary to defeat the hackers.
Marilyn Cohodas (User Rank: Strategist), 12/16/2013 | 9:44:17 AM
Re: It's not about the walls, it's about the moat...
@Stratustician, I love your analogy about a moat versus a wall as an active perimeter defense strategy. Also some very practical advice about whitelisting and WAFs. Anybody else have some suggestions to add to the list?
Stratustician (User Rank: Moderator), 12/15/2013 | 9:54:10 PM
It's not about the walls, it's about the moat...
When it comes to protecting ever moving data, I personally think there is benefit to implementing 2 main schools of thought: whitelisting and WAF.  Whitelisting data at the file level with permissions will help ensure that no matter where your data moves, it knows how it can be used.  This is particularly helpful in cloud environments, or for data that moves across geographic regions (think load balancing).

WAFs are a great way to basically dig a moat around your databases, or anything else connected to the internet.  While it's not necessarily the only means of security required, it's going to help filter most of the bad stuff and give you a lot less to worry about off the bat.  DDoS is also a much reduced headache with the help of a WAF.
TBowers (User Rank: Apprentice), 12/14/2013 | 4:47:18 PM
Re: Lowest hanging fruit
Marilyn, large companies are already doing this, Microsoft and Google to name just two. It seems to be helping a bit, but merely a trickle compared to how many exploits are written each day.
TBowers (User Rank: Apprentice), 12/14/2013 | 4:44:31 PM
Re: Lowest hanging fruit
We have to start somewhere. It would seem to me that listing an older version of your database in a job listing than what you really have to lay a false trail simply makes sense...and you can always ask the job candidate if they are familiar with newer versions during the interview. Of course this takes time and requires planning, but the status quo simply won't cut it anymore.
Marilyn Cohodas (User Rank: Strategist), 12/12/2013 | 2:34:50 PM
Re: Lowest hanging fruit
Interesting idea, Whoopty, about bounties for breach discovery. Are you suggesting that business offer incentives internally to IT staff or a broader outreach?
Whoopty (User Rank: Moderator), 12/12/2013 | 11:44:30 AM
Lowest hanging fruit
These methods do sound a bit outlandish like you say, but I'd have thought as long as you make it so you're not the lowest hanging fruit, you'll be able to skate most of the time. 

Offering bounties for security breach discovery is also a pretty good plan. That's worked well for Facebook, Mega and countless other sites. Maybe it's time more businesses tried that more active defensive action? 