Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/18/2017
02:00 PM
Tom Kellermann
Tom Kellermann
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

‘Intrusion Suppression:' Transforming Castles into Prisons

How building cybersecurity structures that decrease adversaries' dwell time can reduce the damage from a cyberattack.

Winter is coming in 2017 and, as in Westeros in the Game of Thrones, geopolitical tension continues to serve as the harbinger for destructive attacks. In the real world, we’re talking about cyberattacks, and the threats aren’t from dragons and Wights, but cyber campaigns like Pawnstorm against NATO over the security of the Baltics, the ISIS and AQAP quagmire in the Mideast, and, closer to home, increasingly disillusioned American voters turning toward organized hacktivism to unleash their fury and frustration.

Given these harsh realities, it’s imperative that we as an industry build up our cybersecurity architectures based on a deeper understanding of how attackers attack, and what they do once they are inside the castle walls. As the recent Verizon Data Breach Report noted, most breaches are not discovered for at least 100 days. This damning reality necessitates a paradigm shift. According to the same report, 81.9% of compromises are caused by breaches that took minutes to accomplish, while 67.8% of compromises took days to reach the exfiltration stage. The survey noted that it took months for a victim organization to respond to a cyber intrusion.

Given the fact that the cybercriminal has a footprint within a company network for an extended period, organizations must alter their security posture accordingly; the metric by which we should assess the potency of a cyber-countermeasure is how effectively it can decrease an adversary’s dwell time. Decreasing dwell time is the measurable metric by which we can value a return on investment for an enterprise. Diving down into what decreasing dwell time affords the enterprise requires an examination of what the costs are to the enterprise when exfiltration of their data occurs.

SuperMax Prisons & Cybersecurity Architectures
In 1933, the United States Department of Justice opened Alcatraz Prison in San Francisco Bay. The purpose was to incarcerate a certain caliber of prisoner described as “desperate or irredeemable” in   response to the hardened organized criminals arrested by the FBI. In recent years, there was a recognition that the older architectures like Alcatraz were insufficient to house the contemporary criminal and terrorist. Thus, in 1994 the Federal Bureau of Prisons opened the Administrative Maximum Facility (ADX) in Florence, Colorado, housing the likes of Ted Kaczynski, Timothy McVeigh, and Robert Hanson.

These SuperMax "control-unit" prisons, or units within prisons, represent the most secure levels of custody. The objective is to provide long term, segregated housing for inmates classified as the highest security risks in the prison system. The facility was constructed to permanently keep criminal masterminds imprisoned. The prison as a whole contains a multitude of motion detectors and cameras, and more than a thousand remote-controlled steel doors. Pressure pads and 12-foot-tall (3.7 m) razor wire fences surround the perimeter. The early detection of lateral movement is paramount as the prisoners attempt to tunnel out.

An Alcatraz for your Network
The same construct should be applied to your hybrid network environment. The importance of early detection is that the more dwell time the adversary has in the environment, the longer it takes to detect and contain a data breach, the more costly it becomes to resolve, and the harder a brand’s reputation is hit.

To thwart a virtual jailbreak with your intellectual property and credentials that could cause irreparable damage to a brand, cybersecurity leaders must embrace the concept of "intrusion suppression" by altering their architecture to emulate the "SuperMax" prison. Intrusion suppression requires clandestine detection, deception, diversion and eventual containment of a cyber adversary. It involves four steps that aim to detect cybercriminals by decreasing their dwell time and lateral movements:

Step 1:  Deploy a deception grid to enhance situational awareness per the latest techniques to deceive and divert the adversary unbeknownst to them.

Step 2:  Deploy user entity behavior analytics, which provides contextual analysis on the activity and lateral movement of the adversary.

Step 3: Deploy adaptive authentication with contextual verification to eliminate an access an adversary has to your network.

Step 4.  Embrace memory augmentation to hunt the adversary in the wild.

These investments are fundamental to turn the tables on the cybercriminal of 2017. Enterprises must consider investing in complementary technologies that specifically aim to diminish adversary dwell time through intrusion suppression. Not only will they help keep costs down in the event of a breach by stifling the adversary’s exfiltration of meaningful data, but they will also help protect the reputation of the enterprise that has been breached.

As a community of white hats, we must respect our adversaries and spin the chessboard. The proper strategy for your organization is to build a structure that inhibits the free movement of the adversary once they penetrate your system. We must transform our castles into prisons.  

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Tom Kellermann is the head cybersecurity strategist at VMware Carbon Black. Prior to joining VMware Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. In January 2017, Tom was appointed the Wilson Center's Global Fellow for Cyber Policy. Tom previously ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13693
PUBLISHED: 2020-05-29
An unauthenticated privilege-escalation issue exists in the bbPress plugin before 2.6.5 for WordPress when New User Registration is enabled.
CVE-2020-13173
PUBLISHED: 2020-05-28
Initialization of the pcoip_credential_provider in Teradici PCoIP Standard Agent for Windows and PCoIP Graphics Agent for Windows versions 19.11.1 and earlier creates an insecure named pipe, which allows an attacker to intercept sensitive information or possibly elevate privileges via pre-installing...
CVE-2019-6342
PUBLISHED: 2020-05-28
An access bypass vulnerability exists when the experimental Workspaces module in Drupal 8 core is enabled. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4.
CVE-2020-11082
PUBLISHED: 2020-05-28
In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code into pages with pagination links. This has been fixed in 1.2.1.
CVE-2020-5357
PUBLISHED: 2020-05-28
Dell Dock Firmware Update Utilities for Dell Client Consumer and Commercial docking stations contain an Arbitrary File Overwrite vulnerability. The vulnerability is limited to the Dell Dock Firmware Update Utilities during the time window while being executed by an administrator. During this time wi...