5 Ways to Fight Back Against Cybersecurity Attacks: The Power of Active Defense


As I pointed out in my previous story, "How Deception Technology Can Give Defense the Upper Hand in Cybersecurity," deception-based cybersecurity systems allow defenders to play a much more proactive role when an attack is detected.

In this story, I’ll examine how an active defense strategy can be used to slow down, gather intelligence on, and ultimately outmaneuver an attacker. (For an in-depth explanation of deception-based cybersecurity technology, see “Active Defense: How Deception Has Changed Cybersecurity” on Early Adopter Research.)

But before we proceed, one key note of caution. Active defense is not about attacking adversaries. It is about detecting and derailing attacks early, gathering the intelligence needed to understand the attack, and stopping and preventing similar occurrences in the future.

Here’s what a company that employs an active defense faces when attacked:

  • The company uses a deception-based cybersecurity system to put decoy data and attack points all over its IT landscape.
  • An attacker gains access inside the perimeter of the network and is lured into accessing one of the decoys or the deception bait.
  • At this point, an alert is raised and security analysts can make a choice: Shut down the attack or contain the attack within the deception environment and observe what the attacker does next through forensic analysis.

If the security analyst decides to go down the forensic analysis path, here are five ways to fight back.

1. Control the Scope of Damage

Quarantine the known infected systems and contain the attack in an isolated environment. This is a judgment call, often driven by the depth of expertise of the security team. The analyst may decide to watch the attacker or simply shut down the attack. This option is possible because when an attack is detected through a decoy, only decoy systems are at risk. Once the attacker engages with the isolated deception environment, the analyst can safely monitor the attacker’s behavior and collect valuable intelligence about what the attacker is after. This additional adversary intelligence can be instrumental in hunting for other hidden threats within an organization’s infrastructure.


2. Perform Forensic Analysis

Perform forensic analysis to better understand the attack. Once an attack is detected, the learning process can begin. At first, there’s a basic set of information that must be gathered to determine how the attack proceeded so far without being detected by other means, where the attack originated from, and how it’s being executed. These are typically categorized into what is called indicators of compromise or IOCs. Once these things are understood, it’s then possible to observe the attack and try to understand its personality — what does it want to do next based on what it’s done before? What network traffic is it generating? What payloads is it dropping? What processes is it loading? What data is it accessing? This information is invaluable in deepening the protection against similar attacks in the future. These factors are defined as adversary intelligence and can only be understood by deeper attacker engagement and analysis.

3. Execute Standard Countermeasures

Execute playbooks for automated or manual responses. The ability to analyze the nature of an attack can in part be automated and made into playbooks to execute at the time of an attack. This type of automation can take the form of programs that find out everything about the traffic that came from a certain IP address or that crossed boundaries that no normal traffic should. Because information in cybersecurity is often contained in many different silos, automated responses that share information between different solutions can save a lot of time and effort and expedite response. In addition, it’s also possible to create automation or standard playbooks for containing and shutting down an attack — either by putting it in an isolated environment or by denying access and removing the compromised assets from the IT landscape. One of the biggest barriers to automating response has been the concern of acting on false positives. Deception alerts are all based upon attacker engagement, thereby removing false positives and providing the substantiation required to automate with confidence.

4. Perform Threat Detection and Hunting

Search for evidence of similar attacks. Once you understand how an attack is working and what it wants to do next, you can use that insight to search methodically through your IT landscape to find similar infections that may not have been detected and fully remediated. At the highest level, you can develop meta-patterns that explain the personality of the attack and modify existing monitoring and prevention techniques to find, remove, and prevent those types of attacks in the future.
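As an added illustration of steps 3 and 4 (not code from the article or from any vendor), the following sketch shows what a minimal playbook looks like: a source that touches a decoy raises the alert, the playbook pulls every flow that source generated and flags zone/port paths normal traffic never takes, and the hunting step turns those paths into patterns to find other hosts behaving the same way. Zones, decoy addresses, the allowed-path policy and the flow records are all constructed for the example.

```python
import ipaddress

# Constructed network zones and the only (src zone, dst zone, port) paths normal
# traffic uses. Policy, addresses and flows below are all invented for this example.
ZONES = {
    "workstations": ipaddress.ip_network("10.0.1.0/24"),
    "servers": ipaddress.ip_network("10.0.9.0/24"),
    "deception": ipaddress.ip_network("10.0.5.0/24"),
}
ALLOWED_PATHS = {("workstations", "servers", 443), ("workstations", "servers", 80)}
DECOYS = {"10.0.5.20", "10.0.5.21"}  # constructed decoy addresses

# Constructed flow log: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.0.1.15", "10.0.9.10", 443),   # normal workstation-to-server traffic
    ("10.0.1.15", "10.0.5.20", 445),   # touches a decoy: this is the deception alert
    ("10.0.1.15", "10.0.1.22", 445),   # SMB to a peer workstation: lateral movement
    ("10.0.1.15", "10.0.9.11", 3389),  # RDP to a real server outside the allowed paths
    ("10.0.1.40", "10.0.9.10", 443),   # unrelated host, normal traffic
    ("10.0.1.33", "10.0.1.34", 445),   # same lateral pattern from a host that never hit a decoy
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def path_of(flow):
    src, dst, port = flow
    return (zone_of(src), zone_of(dst), port)

def decoy_alerts(flows, decoys):
    """A decoy is never used legitimately, so any source that touched one is an alert."""
    return sorted({src for src, dst, _ in flows if dst in decoys})

def triage(flows, decoys, alert_src):
    """Automated playbook for one alert: every flow the engaged source generated,
    the non-decoy hosts it reached, and the zone/port paths normal traffic never takes."""
    activity = [f for f in flows if f[0] == alert_src]
    real_targets = sorted({dst for _, dst, _ in activity if dst not in decoys})
    crossings = [f for f in activity if f[1] not in decoys and path_of(f) not in ALLOWED_PATHS]
    return {"source": alert_src, "activity": activity,
            "real_targets": real_targets, "boundary_crossings": crossings}

def hunt_similar(flows, crossings, exclude_src):
    """Hunting step: turn the attacker's crossings into patterns and look for other
    hosts showing the same behaviour, which may be infections that were never detected."""
    patterns = {path_of(f) for f in crossings}
    return sorted({f[0] for f in flows if f[0] != exclude_src and path_of(f) in patterns})
```

Running `decoy_alerts`, then `triage` and `hunt_similar` on each alerted source over the sample log yields the engaged host's real (non-decoy) targets, its two out-of-policy paths, and one further host with the same lateral pattern.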

5. Gather Threat Intelligence

Record and share the nature of the attack with others. Native integrations between vendors actively remove internal information silos and improve productivity. As part of the cybersecurity community, companies often share intelligence about attacks they have detected and understood. Active defense gives an opportunity to provide deeper and richer threat intelligence so that other cybersecurity practitioners can make both their own and industrywide defenses more powerful.

What these five strategies show is that, in essence, active defense is a playbook that puts security analysts in a position they are not often in: playing offense. Some of these techniques can be used outside of active defense, but they are more powerful when used collectively in an active defense context. It is likely that as the power of deception and active defense is well understood, deception will become a standard layer in most cybersecurity portfolios.

“Traditional cybersecurity is built on silos,” said Carolyn Crandall of Attivo Networks, a detection-based cybersecurity company. “But as we look at the model today, security can’t only be based upon prevention. You’ve got prevention, detection, response, and the increasing application of predictive technologies. For these to work together, you need to be able to collect and easily share information, automate processes, and retain information so that it can be reused in repeatable playbooks and processes. Embracing an active defense helps with not only that, but also in creating an advantage in outmaneuvering attackers.”
