Since the first Internet attack made headlines, IT security professionals have based our defenses on a reactive model: If we make the walls higher and thicker, we will prevent attackers from storming the ramparts. History has proven that cyberattackers are far too agile for such brute force to work. When combined with the mobility of our data, the castle wall theory is no longer sufficient; to protect our core assets effectively, we need a far more active defense.
In short, we need to think more about our attackers and how we can frustrate the offensive model they use.
Let's start with active intelligence. This is a growing vertical within the security marketplace. These vendors have offerings that cover everything from general threats and trends to highly specific threats against individual organizations. Imagine having nearly real-time intelligence that relates to your business alone -- and being able to feed that information into your firewall, intrusion prevention system, or security event and incident management system. Such services are available today, and companies are beginning to realize their value.
The growth of the advanced persistent threat market demonstrates why we need to be concerned about intelligence. Targeted attacks (in which attackers conduct intelligence operations against a specific organization) are rising at a blistering pace. The attackers review job sites to find out what technologies you deploy. They scan SEC financial filings to determine your corporate leadership and how much you spend on IT and security initiatives. Finally, they read the presentations your people give to find out about your risk appetite and security stance. The challenge is to frustrate their ability to conduct this research.
False trails and bad intelligence
Intelligence professionals have long used the concept of false trails to feed bad intelligence to their opponents. We can do the same without creating any ethical or legal concerns. Imagine posting a job that lists older software versions than you're actually using, publishing a web page on information security initiatives that don't exist, or posting comments on an Internet discussion board about your CoBIT implementation (when you're actually implementing ISO 27000). This may seem a bit outlandish, but the competitive intelligence field has been using similar techniques for decades.
Lastly, there are the technology-based mechanisms for active defense. Some organizations run scripts that detect remote scans and return fictitious files or URLs to the scanning tool. Simply changing the banner broadcast by your web servers from Linux/Apache to LISP/Hiawatha will derail many automated scanners. Many other technological means are available to place roadblocks in the attacker's path, and there is an active community of security professionals discussing them.
The idea here is a new way of thinking about the defense of your critical assets. Plan methods that disrupt attackers' research methodology. Get them to start doubting the research they've conducted, and they may move on to easier targets. Admittedly, this is a time-consuming and tedious process, but perhaps we can slow the rate at which our attackers seem to be winning now.
Tom Bowers is the principal security strategist at ePlus Technologies. He has 30 years of experience in computer technology and information systems, and he has served as the chief architect for information security structures and protections in numerous industries.