Prisoners of cyber war: Employing captured pre-breach intelligence to turn the tide
Dr. Anup Ghosh
Over the last few years, information security practitioners have had little choice but to head in a new but dangerous direction. Faced with an increasingly aggressive and determined set of adversaries ranging from well-funded nation states to highly motivated hacktivists -- and suffering from a lack of innovation on the part of information security vendors -- many have effectively raised the white flag on prevention as a battle strategy.
We’ve evolved, or devolved as this article will suggest, our focus away from roles as network sentries and towards those of crime scene analysts. The dawn of the Advanced Persistent Threat (or at least the use of the moniker) has brought about a somewhat defeatist mentality within our community -- a sort of Humpty Dumpty syndrome in which we represent the “Kings Men,” and our networks the fabled egg. The calculus has gone something like this: If our users are the target and we cannot train away natural human psychology; and our preventative technologies are largely dependent upon signatures to thwart attacks; and our adversaries are using zero-days and polymorphic techniques to make signatures obsolete, then prevention must be a failed strategy.
This mindset has given rise to a new set of technologies focused on deep dive forensic analysis -- i.e., full packet capture, deep packet inspection, log analysis, etc. While these technologies are critical for the core of our defense-in-depth strategies, and help us meet requirements for continuous monitoring, the value they deliver is not protection but rather post-facto identification of a breach.
If we are willing to accept the assertion that we will never be able to keep our adversaries out of our networks, then a wholesale shift to forensic analysis is warranted. However, if we accept this assertion, we have done something that runs counter to our core fabric as Americans…we’ve admitted defeat. If we accept this defeatist mentality, we’re essentially moving away from a policy of driving our enemies into the sea, toward one of rolling street battles in an insurgent like war.
This article is not meant to vilify a focus on forensics. Forensic information is of critical importance as it provides the necessary answers to understanding the threats we face. This deep dive information gives insight into the who (as much as it can be determined), what, when, where and how related to the motives and activities of our adversaries. However, an over emphasis on forensic investigation detracts us from our core mission -- keeping the adversaries out of the network in the first place.
Ask yourself, is our mission to be security guards that prevent the crime from occurring? Or eye-witnesses who describe the actions of the perpetrators after the fact? Our government would answer in the former…and our citizenry would expect nothing less from us. After all, it is their data we are charged with protecting.
So what needs to be done to put us back on the right path? The reality is we have all collectively been too complacent for too long in the face of a determined adversary. We have let our technology stagnate for a decade, using reactive defenses developed in the 20th century against a 21st century threat that produces more than 80,000 new attacks every day. All the while, there is a constant, methodical, silent, systemic hovering of our nation’s secrets and our corporations’ intellectual property, eroding our ability to compete against emerging economies. The intellectual wealth of our nation is being stolen out from underneath us, hastening the flattening of the world faster than even Thomas Friedman has predicted. For the nation that invented the Internet and built billion dollar businesses, such as Google and Facebook, it’s time to reinvent security for the digital economy.
We can turn the tide. There is an emerging mindset focused on retaking the high ground, on making prevention possible once again and understanding the attackers’ intent and approach before they reach the target, leveraging that intelligence to deflect future attacks and fortify our defense posture. Advances in virtualization technology provide us with this pathway.
We know that our users are the target and that training and overly-restrictive policies rarely work. The former provides us with only a modest uptick in awareness and the latter provides us with an environment that is not conducive to productivity. So, what can we do to protect the network from the user and the user from himself?
As a highly respected security and risk analyst recently put it, “Let’s focus on containing the contaminant.” By placing our users in virtualized environments -- segregated from the desktop and network -- any time they come into contact with untrusted content, we get a leg up against the adversary. By moving away from signature-based detection to a focus on behavioral and heuristics-based detection, we can spot zero-days in their tracks. By putting every user in a mini-honeypot of sorts, we can capture forensic detail related to the intent of the adversary, making pre-breach analysis possible and moving us away from ex post facto response.
This is just one suggested pathway, but it is a pathway we can follow today. We have the ability -- as we always have -- to look our adversaries in the face and let them know we mean business about fighting back. Just as they have found innovative ways to attack us, we can and must continue to find innovative ways to fight back.
Dr. Anup Ghosh is founder and CEO of Invincea, and a former senior scientist and program manager at DARPA. He can be reached at:
|Event Details||Dates of Event|
|SANS Counter Hack 2013||Nov 7 - 14|
|SANS Pen Test Hackfest 2013||Nov 7 - 14|
|SANS Korea 2013||Nov 11 - 16|
|Military Exports & Compliance Asia||Nov 12 - 14|
|NCT: Counter IED Asia, 12 - 15 November 2013, Bangkok||Nov 12 - 15|
|School Safety Symposium||Nov 13 - 13|
|Southwest Microwave Perimeter Defense Seminar||Nov 13 - 13|
|OWASP AppSec USA 2013||Nov 18 - 21|
|GovSec West Conference & Expo 2013||Nov 19 - 20|
|Southwest Microwave Perimeter Defense Seminar||Nov 19 - 19|
|Oracle 7th Annual Federal Forum||Nov 20 - 20|
|World BORDERPOL Congress||Dec 3 - 4|
|Critical Infrastructure Protection and Resilience Europe||Feb 12 - 13|