Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/18/2017
02:00 PM
Tom Kellermann
Tom Kellermann
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Intrusion Suppression:' Transforming Castles into Prisons

How building cybersecurity structures that decrease adversaries' dwell time can reduce the damage from a cyberattack.

Winter is coming in 2017 and, as in Westeros in the Game of Thrones, geopolitical tension continues to serve as the harbinger for destructive attacks. In the real world, we’re talking about cyberattacks, and the threats aren’t from dragons and Wights, but cyber campaigns like Pawnstorm against NATO over the security of the Baltics, the ISIS and AQAP quagmire in the Mideast, and, closer to home, increasingly disillusioned American voters turning toward organized hacktivism to unleash their fury and frustration.

Given these harsh realities, it’s imperative that we as an industry build up our cybersecurity architectures based on a deeper understanding of how attackers attack, and what they do once they are inside the castle walls. As the recent Verizon Data Breach Report noted, most breaches are not discovered for at least 100 days. This damning reality necessitates a paradigm shift. According to the same report, 81.9% of compromises are caused by breaches that took minutes to accomplish, while 67.8% of compromises took days to reach the exfiltration stage. The survey noted that it took months for a victim organization to respond to a cyber intrusion.

Given the fact that the cybercriminal has a footprint within a company network for an extended period, organizations must alter their security posture accordingly; the metric by which we should assess the potency of a cyber-countermeasure is how effectively it can decrease an adversary’s dwell time. Decreasing dwell time is the measurable metric by which we can value a return on investment for an enterprise. Diving down into what decreasing dwell time affords the enterprise requires an examination of what the costs are to the enterprise when exfiltration of their data occurs.

SuperMax Prisons & Cybersecurity Architectures
In 1933, the United States Department of Justice opened Alcatraz Prison in San Francisco Bay. The purpose was to incarcerate a certain caliber of prisoner described as “desperate or irredeemable” in   response to the hardened organized criminals arrested by the FBI. In recent years, there was a recognition that the older architectures like Alcatraz were insufficient to house the contemporary criminal and terrorist. Thus, in 1994 the Federal Bureau of Prisons opened the Administrative Maximum Facility (ADX) in Florence, Colorado, housing the likes of Ted Kaczynski, Timothy McVeigh, and Robert Hanson.

Image credit: Lightspring via Shutterstock
Image credit: Lightspring via Shutterstock

These SuperMax "control-unit" prisons, or units within prisons, represent the most secure levels of custody. The objective is to provide long term, segregated housing for inmates classified as the highest security risks in the prison system. The facility was constructed to permanently keep criminal masterminds imprisoned. The prison as a whole contains a multitude of motion detectors and cameras, and more than a thousand remote-controlled steel doors. Pressure pads and 12-foot-tall (3.7 m) razor wire fences surround the perimeter. The early detection of lateral movement is paramount as the prisoners attempt to tunnel out.

An Alcatraz for your Network
The same construct should be applied to your hybrid network environment. The importance of early detection is that the more dwell time the adversary has in the environment, the longer it takes to detect and contain a data breach, the more costly it becomes to resolve, and the harder a brand’s reputation is hit.

To thwart a virtual jailbreak with your intellectual property and credentials that could cause irreparable damage to a brand, cybersecurity leaders must embrace the concept of "intrusion suppression" by altering their architecture to emulate the "SuperMax" prison. Intrusion suppression requires clandestine detection, deception, diversion and eventual containment of a cyber adversary. It involves four steps that aim to detect cybercriminals by decreasing their dwell time and lateral movements:

Step 1:  Deploy a deception grid to enhance situational awareness per the latest techniques to deceive and divert the adversary unbeknownst to them.

Step 2:  Deploy user entity behavior analytics, which provides contextual analysis on the activity and lateral movement of the adversary.

Step 3: Deploy adaptive authentication with contextual verification to eliminate an access an adversary has to your network.

Step 4.  Embrace memory augmentation to hunt the adversary in the wild.

These investments are fundamental to turn the tables on the cybercriminal of 2017. Enterprises must consider investing in complementary technologies that specifically aim to diminish adversary dwell time through intrusion suppression. Not only will they help keep costs down in the event of a breach by stifling the adversary’s exfiltration of meaningful data, but they will also help protect the reputation of the enterprise that has been breached.

As a community of white hats, we must respect our adversaries and spin the chessboard. The proper strategy for your organization is to build a structure that inhibits the free movement of the adversary once they penetrate your system. We must transform our castles into prisons.  

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017 Tom was appointed the Wilson Center's Global Fellow for Cyber Policy in 2017. Tom previously ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9892
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbit...
CVE-2019-10066
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment i...
CVE-2019-10067
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context...
CVE-2019-6513
PUBLISHED: 2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
CVE-2019-12270
PUBLISHED: 2019-05-21
OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configure excessive permissions by default on Windows. During installation, a displaylistcache file share is created on the Windows server with full read and write permissions for the Everyone group at both the NTFS and Share levels. The ...