Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/18/2017
02:00 PM
Tom Kellermann
Tom Kellermann
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Intrusion Suppression:' Transforming Castles into Prisons

How building cybersecurity structures that decrease adversaries' dwell time can reduce the damage from a cyberattack.

Winter is coming in 2017 and, as in Westeros in the Game of Thrones, geopolitical tension continues to serve as the harbinger for destructive attacks. In the real world, we’re talking about cyberattacks, and the threats aren’t from dragons and Wights, but cyber campaigns like Pawnstorm against NATO over the security of the Baltics, the ISIS and AQAP quagmire in the Mideast, and, closer to home, increasingly disillusioned American voters turning toward organized hacktivism to unleash their fury and frustration.

Given these harsh realities, it’s imperative that we as an industry build up our cybersecurity architectures based on a deeper understanding of how attackers attack, and what they do once they are inside the castle walls. As the recent Verizon Data Breach Report noted, most breaches are not discovered for at least 100 days. This damning reality necessitates a paradigm shift. According to the same report, 81.9% of compromises are caused by breaches that took minutes to accomplish, while 67.8% of compromises took days to reach the exfiltration stage. The survey noted that it took months for a victim organization to respond to a cyber intrusion.

Given the fact that the cybercriminal has a footprint within a company network for an extended period, organizations must alter their security posture accordingly; the metric by which we should assess the potency of a cyber-countermeasure is how effectively it can decrease an adversary’s dwell time. Decreasing dwell time is the measurable metric by which we can value a return on investment for an enterprise. Diving down into what decreasing dwell time affords the enterprise requires an examination of what the costs are to the enterprise when exfiltration of their data occurs.

SuperMax Prisons & Cybersecurity Architectures
In 1933, the United States Department of Justice opened Alcatraz Prison in San Francisco Bay. The purpose was to incarcerate a certain caliber of prisoner described as “desperate or irredeemable” in   response to the hardened organized criminals arrested by the FBI. In recent years, there was a recognition that the older architectures like Alcatraz were insufficient to house the contemporary criminal and terrorist. Thus, in 1994 the Federal Bureau of Prisons opened the Administrative Maximum Facility (ADX) in Florence, Colorado, housing the likes of Ted Kaczynski, Timothy McVeigh, and Robert Hanson.

Image credit: Lightspring via Shutterstock
Image credit: Lightspring via Shutterstock

These SuperMax "control-unit" prisons, or units within prisons, represent the most secure levels of custody. The objective is to provide long term, segregated housing for inmates classified as the highest security risks in the prison system. The facility was constructed to permanently keep criminal masterminds imprisoned. The prison as a whole contains a multitude of motion detectors and cameras, and more than a thousand remote-controlled steel doors. Pressure pads and 12-foot-tall (3.7 m) razor wire fences surround the perimeter. The early detection of lateral movement is paramount as the prisoners attempt to tunnel out.

An Alcatraz for your Network
The same construct should be applied to your hybrid network environment. The importance of early detection is that the more dwell time the adversary has in the environment, the longer it takes to detect and contain a data breach, the more costly it becomes to resolve, and the harder a brand’s reputation is hit.

To thwart a virtual jailbreak with your intellectual property and credentials that could cause irreparable damage to a brand, cybersecurity leaders must embrace the concept of "intrusion suppression" by altering their architecture to emulate the "SuperMax" prison. Intrusion suppression requires clandestine detection, deception, diversion and eventual containment of a cyber adversary. It involves four steps that aim to detect cybercriminals by decreasing their dwell time and lateral movements:

Step 1:  Deploy a deception grid to enhance situational awareness per the latest techniques to deceive and divert the adversary unbeknownst to them.

Step 2:  Deploy user entity behavior analytics, which provides contextual analysis on the activity and lateral movement of the adversary.

Step 3: Deploy adaptive authentication with contextual verification to eliminate an access an adversary has to your network.

Step 4.  Embrace memory augmentation to hunt the adversary in the wild.

These investments are fundamental to turn the tables on the cybercriminal of 2017. Enterprises must consider investing in complementary technologies that specifically aim to diminish adversary dwell time through intrusion suppression. Not only will they help keep costs down in the event of a breach by stifling the adversary’s exfiltration of meaningful data, but they will also help protect the reputation of the enterprise that has been breached.

As a community of white hats, we must respect our adversaries and spin the chessboard. The proper strategy for your organization is to build a structure that inhibits the free movement of the adversary once they penetrate your system. We must transform our castles into prisons.  

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017 Tom was appointed the Wilson Center's Global Fellow for Cyber Policy in 2017. Tom previously ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13623
PUBLISHED: 2019-07-17
In NSA Ghidra through 9.0.4, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis r...
CVE-2019-13624
PUBLISHED: 2019-07-17
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
CVE-2019-13625
PUBLISHED: 2019-07-17
NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.
CVE-2019-3571
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-6160
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.