Dark Reading

Commentary
12/12/2013 11:06 AM
Tom Bowers

Time For An 'Active Defense' Against Security Attacks

Today's threat landscape and the mobility of our data demand much more than a castle wall approach to keep hackers at bay.

Since the first Internet attack made headlines, IT security professionals have based our defenses on a reactive model: if we make the walls higher and thicker, we will keep attackers from storming the ramparts. History has proven that attackers are far too agile for such brute force to work. Combined with the mobility of our data, the castle wall model is no longer sufficient; to protect our core assets effectively, we need a far more active defense.

In short, we need to think more about our attackers and how we can frustrate the offensive model they use.

Let's start with active intelligence. Threat intelligence is a growing segment of the security market, with offerings that range from general threat and trend reporting to highly specific intelligence about attacks against an individual organization. Imagine having near-real-time intelligence that relates to your business alone, and being able to feed it into your firewall, intrusion prevention system, or security information and event management (SIEM) system as blocking and alerting rules. Such services are available today, and companies are beginning to realize their value.
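As an added example of the feeding step described above (this is not code from the article or from any intelligence vendor), the script below reads an indicator feed and emits firewall rules. The JSON-lines feed format, the confidence and age thresholds, the nftables target, and the organization's own address range 198.51.100.0/24 are assumptions; the feed records are constructed for the example and are not real indicators.

```python
"""Turn a threat-intelligence indicator feed into firewall block rules.

Added example, not code from the article or from any vendor. The feed
format (JSON lines with indicator/type/confidence/last_seen), the
thresholds, the never-block list and the nftables target are assumptions;
the feed records below are constructed and are not real indicators.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed feed, one record per line, with the kinds of junk a real
# feed contains: a stale entry, a low-confidence entry, a private address,
# an entry inside our own prefix, a non-IP type, garbage, and a broken line.
SAMPLE_FEED = """\
{"indicator": "203.0.113.7", "type": "ipv4", "confidence": 90, "last_seen": "2013-12-11T22:10:00Z"}
{"indicator": "203.0.113.0/28", "type": "ipv4", "confidence": 80, "last_seen": "2013-12-12T06:00:00Z"}
{"indicator": "203.0.113.200", "type": "ipv4", "confidence": 75, "last_seen": "2013-12-12T09:30:00Z"}
{"indicator": "203.0.113.9", "type": "ipv4", "confidence": 95, "last_seen": "2013-11-01T00:00:00Z"}
{"indicator": "203.0.113.64/26", "type": "ipv4", "confidence": 40, "last_seen": "2013-12-12T09:30:00Z"}
{"indicator": "192.168.1.5", "type": "ipv4", "confidence": 99, "last_seen": "2013-12-12T08:00:00Z"}
{"indicator": "198.51.100.23", "type": "ipv4", "confidence": 99, "last_seen": "2013-12-12T08:00:00Z"}
{"indicator": "evil.example", "type": "domain", "confidence": 95, "last_seen": "2013-12-12T08:00:00Z"}
{"indicator": "not an ip", "type": "ipv4", "confidence": 95, "last_seen": "2013-12-12T08:00:00Z"}
{"indicator": "203.0.113.77", "type": "ipv4"
"""

NOW = datetime(2013, 12, 12, 11, 0, tzinfo=timezone.utc)  # fixed clock for the example
MIN_CONFIDENCE = 70
MAX_AGE = timedelta(days=14)

# Ranges a feed must never be allowed to block: RFC 1918, loopback, link-local,
# plus the organization's own public prefix (198.51.100.0/24 is assumed here).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "198.51.100.0/24",
)]


def parse_feed(text):
    """Parse JSON lines; a malformed record is skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def select_blockable(records, now=NOW, min_confidence=MIN_CONFIDENCE, max_age=MAX_AGE):
    """Return the IPv4 networks worth blocking, overlapping entries collapsed."""
    nets = []
    for rec in records:
        if rec.get("type") != "ipv4":
            continue
        try:
            net = ipaddress.ip_network(rec["indicator"], strict=False)
            seen = datetime.strptime(rec["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
            confidence = int(rec.get("confidence", 0))
        except (KeyError, ValueError, TypeError):
            continue
        seen = seen.replace(tzinfo=timezone.utc)
        if net.version != 4:
            continue
        if any(net.overlaps(safe) for safe in NEVER_BLOCK):
            continue  # never let a feed take down our own network
        if confidence < min_confidence or now - seen > max_age:
            continue
        nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def nft_rules(nets, family="inet", table="filter", chain="input"):
    """Render nft commands for an interval set (table and chain assumed to exist)."""
    if not nets:
        return []
    elems = ", ".join(str(n) for n in nets)
    return [
        f"nft add set {family} {table} threat_ips '{{ type ipv4_addr; flags interval; }}'",
        f"nft add element {family} {table} threat_ips '{{ {elems} }}'",
        f"nft add rule {family} {table} {chain} ip saddr @threat_ips drop",
    ]


def build_rules(feed_text=SAMPLE_FEED, now=NOW):
    return nft_rules(select_blockable(parse_feed(feed_text), now))


if __name__ == "__main__":
    for cmd in build_rules():
        print(cmd)
```

The filtering is where the value is. A raw feed applied verbatim will eventually contain a private address, an expired indicator, or one of your own prefixes, and dropping traffic on those is a self-inflicted outage. Expire entries on the same schedule you ingest them, and keep the never-block list under change control.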

The growth of advanced persistent threats demonstrates why intelligence matters. Targeted attacks, in which attackers run their own intelligence operation against a specific organization, are rising at a blistering pace. The attackers review your job postings to learn which technologies you deploy. They read your SEC filings to identify your leadership and how much you spend on IT and security initiatives. They read the presentations your people give to learn your risk appetite and security posture. The challenge is to frustrate that research.

False trails and bad intelligence
Intelligence professionals have long used false trails to feed bad intelligence to their opponents. We can do the same with the material attackers harvest from our public footprint: post a job listing that names older software versions than you actually run, publish a web page describing security initiatives that don't exist, or comment on a discussion board about your COBIT implementation when you are actually implementing ISO 27000. Keep the deception confined to the places attackers read, and out of anything that carries a duty of accuracy such as regulatory filings or customer contracts; used that way it creates no ethical or legal concern. This may seem a bit outlandish, but the competitive intelligence field has used similar techniques for decades.

Lastly, there are technology-based mechanisms for active defense. Some organizations run scripts that detect remote scans and return fictitious files or URLs to the scanning tool, so the scanner reports findings that don't exist. Simply changing the banner your web servers broadcast from Linux/Apache to LISP/Hiawatha will derail many automated scanners, because they choose which checks and exploits to run from the banner. The caveat is that this closes no vulnerability and hides nothing from a tool that fingerprints behavior rather than banners; it buys you noise in the attacker's results, not a patched server. Many other technological means are available to place roadblocks in the attacker's path, and there is an active community of security professionals discussing them.
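The scan-detection scripts and banner change mentioned above, as an added example rather than the article's own code: a small decoy HTTP handler that advertises the article's LISP/Hiawatha banner, recognizes common scanner probes, logs them for the SIEM, and answers with fictitious content. The probe path patterns, scanner User-Agent strings, decoy bodies and sample requests are assumptions constructed for illustration.

```python
"""A decoy HTTP front end: misleading Server banner plus canned answers to
scanner probes, each logged for the SIEM.

Added example, not from the article. The probe path patterns, scanner
User-Agent fragments and decoy bodies are assumptions constructed for
illustration; the banner string is the article's own joke.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

DECOY_BANNER = "LISP/Hiawatha"

# Paths a legitimate visitor to a plain site never asks for but scanners try
# reflexively. Constructed list; check it against your real URL space first.
PROBE_PATTERNS = [
    r"^/phpmyadmin", r"^/wp-(admin|login)", r"^/\.env$", r"^/\.git/",
    r"^/cgi-bin/", r"^/manager/html", r"\.(bak|old|sql|tar\.gz)$",
]
_PROBE_RE = re.compile("|".join(PROBE_PATTERNS), re.IGNORECASE)

# User-Agent fragments of common scanners (constructed, far from exhaustive;
# a careful attacker sets a browser UA and is only caught by the path rules).
SCANNER_UA = ("nikto", "sqlmap", "nmap", "masscan", "zgrab", "dirbuster")


def classify(path, user_agent=""):
    """'probe' if the request looks like automated reconnaissance, else 'normal'."""
    bare = path.split("?", 1)[0]          # match the path, not the query string
    ua = (user_agent or "").lower()
    if _PROBE_RE.search(bare) or any(s in ua for s in SCANNER_UA):
        return "probe"
    return "normal"


def decoy_response(path):
    """Return (status, content_type, body): a fictitious but plausible hit.

    Serving 200 with fake content, rather than 404, gives the scanner a false
    positive to chase and pollutes the attacker's notes. Nothing here is real.
    """
    bare = path.split("?", 1)[0]
    if bare.endswith((".sql", ".bak", ".old")):
        return 200, "text/plain", "-- MySQL dump 10.13\n-- Host: localhost    Database: shop_old\n"
    if bare.startswith("/.git/"):
        return 200, "text/plain", "ref: refs/heads/master\n"
    return 200, "text/html", "<html><head><title>Index of %s</title></head></html>\n" % bare


class DecoyHandler(BaseHTTPRequestHandler):
    def version_string(self):
        # http.server normally advertises "BaseHTTP/x.y Python/3.x"; a real
        # deployment would set the equivalent on Apache or nginx instead.
        return DECOY_BANNER

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if classify(self.path, ua) == "probe":
            # One log line per probe, source first, so a SIEM rule can count
            # probes per source and raise an alert on the scanning host.
            self.log_message("PROBE src=%s path=%s ua=%r", self.client_address[0], self.path, ua)
            status, ctype, body = decoy_response(self.path)
        else:
            status, ctype, body = 200, "text/html", "<html><body>Hello</body></html>\n"
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

Check the probe patterns against your real URL space before deploying; a legitimate /backup.sql download would be classified as a probe. And treat the banner as noise for the attacker, not protection: tools that fingerprint by response behavior rather than the Server header will still identify the software behind it.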

The idea here is a new way of thinking about the defense of your critical assets: plan methods that disrupt the attackers' research. Get them doubting the research they've conducted, and they may move on to easier targets. Admittedly, this is time-consuming and tedious, but perhaps we can slow the rate at which our attackers seem to be winning now.

Tom Bowers is the principal security strategist at ePlus Technologies. He has 30 years of experience in computer technology and information systems, and he has served as the chief architect for information security structures and protections in numerous industries.

Comments
Marilyn Cohodas (Strategist), 12/16/2013 | 9:54:28 AM
Re: Lowest hanging fruit -- bounties
Yes, I've read about Microsoft's bug bounty program -- also Facebook. All good programs but unlikely to have the broad reach that will be necessary to defeat the hackers.
Marilyn Cohodas (Strategist), 12/16/2013 | 9:44:17 AM
Re: It's not about the walls, it's about the moat...
@Stratustician, I love your analogy about a moat versus a wall as an active perimeter defense strategy. Also some very practical advice about whitelisting and WAFs. Anybody else have some suggestions to add to the list?
Stratustician (Moderator), 12/15/2013 | 9:54:10 PM
It's not about the walls, it's about the moat...
When it comes to protecting ever moving data, I personally think there is benefit to implementing 2 main schools of thought: whitelisting and WAF.  Whitelisting data at the file level with permissions will help ensure that no matter where your data moves, it knows how it can be used.  This is particularly helpful in cloud environments, or for data that moves across geographic regions (think load balancing).

WAFs are a great way to basically dig a moat around your databases, or anything else connected to the internet.  While it's not necessarily the only means of security required, it's going to help filter most of the bad stuff and give you a lot less to worry about off the bat.  DDoS is also a much reduced headache with the help of a WAF.
TBowers (Apprentice), 12/14/2013 | 4:47:18 PM
Re: Lowest hanging fruit
Marilyn, large companies are already doing this, Microsoft and Google to name just two. It seems to be helping a bit, but merely a trickle as compared to how many exploits are written each day.
TBowers (Apprentice), 12/14/2013 | 4:44:31 PM
Re: Lowest hanging fruit
We have to start somewhere. It would seem to me that listing an older version of your database in a job listing than what you really have, to lay a false trail, simply makes sense... and you can always ask the job candidate if they are familiar with newer versions during the interview. Of course this takes time and requires planning, but the status quo simply won't cut it anymore.
Marilyn Cohodas (Strategist), 12/12/2013 | 2:34:50 PM
Re: Lowest hanging fruit
Interesting idea, Whoopty, about bounties for breach discovery. Are you suggesting that business offer incentives internally to IT staff or a broader outreach?
Whoopty (Ninja), 12/12/2013 | 11:44:30 AM
Lowest hanging fruit
These methods do sound a bit outlandish like you say, but I'd have thought as long as you make it so you're not the lowest hanging fruit, you'll be able to skate most of the time. 

Offering bounties for security breach discovery is also a pretty good plan. That's worked well for Facebook, Mega and countless other sites. Maybe it's time more businesses tried that more active defensive action? 