The days of perimeter defense-based security are now behind us. And they have been for a while. With the ubiquitous proliferation of smartphones, laptops, and employees working from the road, the traditional concept of a “network border” has evaporated. Yet, even before this started to take place, the black-hats-turned-white-hats and other front-line operators would scream for defense-in-depth.
Anyone who’s ever done a thorough investigation of a widespread network intrusion generally discovers these three facts:
1) The bad guy got in and moved around a lot inside
2) The bad guy has been inside for a while, on average 99 days*
3) There was no way to have proactively closed all holes
The conclusion is that even a network with a solidly defined border cannot rely on border defenses alone. Eventually, someone gets in. And it is the moving around on the inside where the bad guys spend most of their time.
As a system is compromised it becomes a stepping stone.
Intel gathered on the system allows the intruder to move laterally in the network. This intel could be a network layout, common applications, services that the organization uses, or even credentials for other accounts and resources in the organization that allow the attacker to penetrate further.
With each step, more of the network is mapped out and more data is discovered. By understanding what applications are commonly used, the attacker might perform limited scans of the resources, and attempt exploits in a targeted fashion. The days of widespread network scanning are over, as such behavior is way too loud and easily picked up by sensors.
As some attackers become more stealthy and methodical, it has become much harder to successfully and quickly detect them. That is likely the leading reason that time-to-detection has not gone down, despite an explosive growth in the security technology industry. Because of this, the security operator has been forced to adopt a more active role, instead of detect-only.
Good cyber hunters search for patterns of connections, patterns in logs, or connection behaviors that are not expected in the normal course of business. And instead of acting on alerts (which are “positive indicators of compromise”) they take time to map out the extent of the threat in their network. This is born of the realization that an intruder may have penetrated the network much deeper than the current evidence may support. In other words: if the bad guy is deep inside your network and has their hands in many resources, shutting the attacker down in only one of them tips your hand. The attacker now knows they are being watched and will change tactics.
Cyber hunting is all about understanding the full extent of the compromise before any action is taken. And this is hard, because there are many ways in which someone may move laterally through the network. For this, widespread visibility is the key. To stack the deck in the favor of the hunter, we turn to a technique that has been around for decades: decoys.
A decoy can be as simple as an email account without a real user, and as complicated as a server full of resources that are out there “to be discovered”. The latter is also called a “honeypot”.
By leading the attacker astray, you accomplish two important goals:
1) The mere act of an attacker touching these decoys is a red flag
2) The attacker now is chasing fake leads on your network, which takes time, and makes more noise that can be observed
The downsides of decoys are myriad, and a commitment must be made to watch them carefully. They are hard to put together realistically, taking significant operator time. And they must be monitored carefully, as they can in themselves become stepping stones or platforms for launching attacks into the world. When placing decoys, it is also very important to ensure your visibility is “out-of-band”: it should not be trivial for the attacker to understand you are closely watching the decoy, or to disable that visibility. In general, it must be hard for an attacker to understand they have hit upon a decoy.
Security remains a cat & mouse game, and it goes without saying that a perfectly secure network does not exist. Using decoys as a trap for the advanced intruder can pay off in spades, but the investment must be carefully and deliberately made. More important still, a comprehensive network of visibility and data gathering must be in place before even attempting the deployment of traps in your network. After all: what good is a tripwire if you aren’t listening?
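To make the “any touch is a red flag” and “out-of-band visibility” points concrete, here is a small detection pass written for this post as an added example; it is not code from the original article. It keeps an inventory of decoy accounts and decoy hosts (the names and addresses below are made up for the example) and scans log lines that come from sources the decoy itself never controls: directory-service authentication events and a network sensor’s connection records. Because those logs are produced outside the decoy, an intruder who takes over the decoy host cannot quietly switch the monitoring off. The sample log lines are constructed inline so the script runs offline, and the grouping step at the end reflects the hunting mindset above: see every source that has touched a decoy before acting on any one of them.

```python
"""Flag any interaction with decoy accounts or decoy hosts, using logs
collected out-of-band. Added example; not code from the original post."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Decoy inventory. These identifiers are hypothetical, chosen for the example.
DECOY_ACCOUNTS = {"svc_backup_legacy", "jsmith.finance"}
DECOY_HOSTS = {"10.20.30.40", "fileshare-old.corp.example"}

# Sources you expect to touch everything, e.g. an internal vulnerability
# scanner. Keep this list short; every entry is a blind spot.
KNOWN_SCANNERS = {"10.1.1.250"}

# Two simplified log shapes (constructed for this example) emitted by systems
# other than the decoy: an auth event from the directory service and a
# connection record from a network sensor.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str     # "decoy_account" or "decoy_host"
    subject: str  # the decoy that was touched
    source: str   # where the touch came from
    detail: str


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return one alert per log line that touches a decoy.

    A failed login to a decoy account counts just as much as a successful
    one: no legitimate user has any reason to know that the account exists.
    """
    alerts: List[Alert] = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            if m["user"] in DECOY_ACCOUNTS and m["src"] not in KNOWN_SCANNERS:
                alerts.append(Alert(m["ts"], "decoy_account", m["user"],
                                    m["src"], f"auth {m['result']}"))
            continue
        m = CONN_RE.match(line)
        if m and m["dst"] in DECOY_HOSTS and m["src"] not in KNOWN_SCANNERS:
            alerts.append(Alert(m["ts"], "decoy_host", m["dst"],
                                m["src"], f"port {m['dport']}"))
    return alerts


def sources_touching_decoys(alerts: Iterable[Alert]) -> Dict[str, Set[str]]:
    """Group decoy touches by originating source, so the hunter sees the
    full extent of the activity before shutting any single host down."""
    by_src: Dict[str, Set[str]] = {}
    for a in alerts:
        by_src.setdefault(a.source, set()).add(a.subject)
    return by_src


# Constructed sample logs: a normal user, one host probing a decoy account
# and then the decoy share, a second host touching the decoy share, and the
# known scanner, whose touch is suppressed.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z auth success user=alice src=10.1.1.5",
    "2024-05-01T10:00:07Z auth failure user=svc_backup_legacy src=10.1.1.77",
    "2024-05-01T10:01:12Z conn src=10.1.1.77 dst=10.20.30.40 dport=445",
    "2024-05-01T10:01:30Z conn src=10.1.1.5 dst=10.1.1.9 dport=443",
    "2024-05-01T10:02:00Z conn src=10.1.1.200 dst=10.20.30.40 dport=22",
    "2024-05-01T10:02:05Z auth success user=jsmith.finance src=10.1.1.77",
    "2024-05-01T10:03:00Z conn src=10.1.1.250 dst=10.20.30.40 dport=80",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.kind} {a.subject} <- {a.source} ({a.detail})")
    for src, touched in sources_touching_decoys(found).items():
        print(f"{src} touched {len(touched)} decoy(s): {sorted(touched)}")
```

Run as-is, the script raises four alerts and shows that one source (10.1.1.77) has already reached three separate decoys, which is exactly the “how deep are they” picture the hunter needs before acting. The scanner allowlist is the one deliberate blind spot; keep it to addresses you actually control and review it whenever the scanning estate changes.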
Look for next week’s blog on tips on how to successfully build and watch a decoy.
*Source: Gartner, June 2017