Active Defense and the Quest to Outsmart Hackers
Imagine you helped to roll out a comprehensive enterprise IoT-based network, and afterward your firm became the victim of a string of cyberattacks. More troubling, you detected a sizable presence of unauthorized individuals who had breached your firm’s IoT devices. They are now lurking throughout your network, but you don’t yet know who they are or how long they’ve been there. Are they disgruntled employees? Competitors looking to steal intellectual property? Elite and possibly state-sponsored black hats doing reconnaissance or prepping for an attack? A combination of all of the above? Whatever the case may be, IBM-sponsored research from the Ponemon Institute indicates that organizations that have sizable IoT deployments tend to suffer more financially damaging breaches than those that don’t.
But instead of panicking, what if you responded to this situation with a little bit of schadenfreude, gleefully telling yourself: ‘I’m going hacker hunting!’ You’re not going to do something potentially illegal like hack back, attempting to break into the computers hackers used to attack your network. But you’re going to deceive them, and you are going to set traps and lures for them. In the end, you vow to get a more precise sense of what they are after, and their possible stage of attack. Most importantly, you have a plan for finding them and getting them off your network — much more quickly than you would have otherwise.
Welcome to the world of active defense, which EY defines as “a deliberately planned and continuously executed campaign to identify and eradicate hidden attackers and defeat likely threat scenarios targeting your most critical assets.”
The idea of active defense is gaining traction in the enterprise, with the exception of so-called “hacking back,” which remains controversial. Gartner, in its Continuous Adaptive Risk and Trust Assessment model, recommends deceiving intruders and leveraging machine learning to help spot the bad guys and the data they are looking for. McKinsey has embraced the idea of active defense as essential in the era of advanced cyberthreats. And the Department of Homeland Security is offering active defense tools to the private sector.
Carolyn Crandall, whose de facto title at Attivo Networks is chief deception officer, is also a fan of the concept. “One of the things that I love about deception technologies is that you’re using some of the attackers’ own tactics against them,” she said. “Their whole thing is to come in and act like an employee, using employees’ credentials to navigate. Well, what if you turn that against them, and you make it so they can’t tell what’s real and what’s fake? And they get caught in their own web of lies?”
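As an added illustration of the decoy-credential idea Crandall describes (this is not code from the article or from Attivo Networks), the monitor below plants a set of hypothetical decoy accounts that no legitimate workflow ever uses, then scans constructed logon records and flags any source that touches them, successful or not; the account names, hosts, addresses and log lines are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed decoy (honeytoken) accounts, planted where an intruder
# harvesting credentials would find them. Nothing legitimate logs on
# with them, so any attempt, even a failed one, is a high-confidence alert.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_legacy", "iot_cam_maint"}

# Constructed logon records in a simplified key=value syslog style.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z host=fs01 event=logon user=jsmith src=10.0.4.22 result=success
2024-05-01T08:15:40Z host=cam-gw event=logon user=iot_cam_maint src=10.0.9.113 result=failure
2024-05-01T08:15:52Z host=cam-gw event=logon user=iot_cam_maint src=10.0.9.113 result=success
2024-05-01T09:01:03Z host=dc01 event=logon user=admin_legacy src=10.0.9.113 result=failure
2024-05-01T09:10:00Z host=fs01 event=logon user=mlee src=10.0.4.31 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Group decoy-account logon attempts by source address.

    Each alert records which decoys were used, on which hosts, and the
    earliest attempt, which is the moment the intruder first revealed itself."""
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] != "logon" or ev["user"] not in decoys:
            continue
        a = alerts.setdefault(ev["src"], {"first_seen": ev["ts"], "decoys": set(), "hosts": set()})
        a["first_seen"] = min(a["first_seen"], ev["ts"])
        a["decoys"].add(ev["user"])
        a["hosts"].add(ev["host"])
    return alerts

def dwell_minutes(alerts, src, detected_at_iso):
    """Minutes between the first decoy touch and the time the alert was acted on."""
    detected_at = datetime.strptime(detected_at_iso, "%Y-%m-%dT%H:%M:%SZ")
    return (detected_at - alerts[src]["first_seen"]).total_seconds() / 60
```

Run over the sample, a single source (10.0.9.113) is flagged for probing two decoys across two hosts, while the ordinary logons by jsmith and mlee produce no alert.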
Such strategies have long been a staple of military and intelligence agency training. It’s only logical that, as cyberattacks become at once easier to deploy and more damaging, the same principle would gain ground in the digital realm. The fact is: Organizations could spend potentially unlimited sums of money on cyber-hygiene technologies and still be breached. And once an attacker is in a network, most organizations fail to detect them for months. Once they do, it can take months more to address the problem. The aforementioned Ponemon Institute research finds that U.S. organizations need an average of 197 days to identify attackers and 69 days to contain them.
A big part of that delay, Crandall said, is that organizations are so focused on external defense they don’t tend to have solid processes in place for getting rid of intruders already on the network. The intent to build a cybersecurity “castle” with the “tallest walls” and “deepest moats” with the hope no intruders will get in amounts to wishful thinking. “The shift in paradigm is that, in today’s connected society, you just don’t [keep the bad guys out],” Crandall said. “You have to think about the world as a perimeter-less organization.”
There are several reasons to arrive at this conclusion. There is a proliferation of hacking tools, including hacking-as-a-service, that allow minimally trained individuals to inflict sizable damage. The Internet of Things is increasing the attack surface to include devices as diverse as thermostats, fish tanks, video cameras, lab microscopes and beyond. There is a rise in nation-state-backed hackers. And finally, even if an organization had the most elite cyber defenses available, insiders, suppliers or a merger with another company could leave it vulnerable.
Crandall said that, while the industry average to detect a breach may be multiple months, it is reasonable to detect cybercriminals mere minutes after they enter the network, and then remediate the problem. “The question becomes: How do you locate that compromise quickly, so it doesn’t become a full breach?” Crandall said. “If you can detect the threats early, you can remove a lot of the hassle of having to do clean up long afterward.”