5 ways to put hackers on the defensive
Black Hat keynote speaker Shawn Henry, the former executive assistant director of the FBI’s Criminal, Cyber, Response and Service Branch, started off the day after opening remarks from Jeff Moss, founder of Black Hat. Moss wondered if now was the time for the cyber-security sector to take a more aggressive, offensive approach. Moss mentioned working for a former employer years back, a firewall manufacturer whose product would launch specially crafted code in response to an attacker, sort of an early offensive DoS attack. This was an early attempt by security professionals to cause pain by going on the offensive.
But since DoS attacks aren’t exactly a legal offensive tactic nowadays, what to do? He recommends civil action, a la recent Facebook actions where attackers were sued in civil court. But what happens when attackers are overseas? Mr. Moss is hopeful that responding in a civil manner would “encourage” other countries to implement legal protections to stop current and future attack attempts abroad.
What can we do besides sue? Mr. Henry proposes advancing technologies like deception, network decoys and other trickery, along with heavy network segmentation as a possibility to turn the tide. He also pushes for more legislation that would make tactics more effective at nabbing bad actors. But this sort of legislative pressure is famous for riling up privacy pundits, who are sure to respond with counterpoints to perceived privacy erosion. Still, he argues current laws are archaic and do not allow adequate response to the current threatscape.
Most Attacks Undisclosed
In the meantime, Mr. Henry says today’s headlines reflect only a tiny sliver of what is actually happening, attack-wise. Companies, he said, vastly under-report hacks, and in fact the FBI frequently has the dubious honor of notifying companies that they have been breached after their private data has been found in the public domain during other investigations.
To give an idea of the total size of attacks, Mr. Henry estimates close to 90 percent of the real attack activity is happening in the classified environment, sort of “below the water line” to use an iceberg analogy. This means we are only seeing a tiny slice of an even tinier slice of the real threat, to use his characterization.
He calls the Internet a great attack equalizer, allowing any of the billions of Internet users to plan and possibly launch an attack, and paints this threat theater as one of the top threats faced in the world today, aside from WMD. And Internet threats are far easier to carry out than deploying Weapons of Mass Destruction.
But all attacks aren’t created equal; the motivations vary. If, for example, a company you plan to do business with has conducted network exploits against you, they may already know what kind of financial position you are in and what intellectual property you really have, and would therefore be in a much stronger negotiating position, possibly tilting the tables heavily in their favor. Mr. Henry compares this to taking a test where you already know all the answers, and are therefore heavily favored to win.
What Does He Recommend?
First he tries to glean wisdom from more traditional physical attacks and adapt those lessons to the cyber attacker.
1. Denial and deception. Keeping the attackers out of your core network by sending them on wild goose chases using network tricks.
2. Decoys. Serve up fake information designed to foil attempts to gain intelligence, sort of poisoning their intel and helping them along on the same wild goose chase.
3. Raise the network defense bar. Cause them considerable pain (including the cost of buying more advanced tools) and make them spend months of effort trying to get in.
4. Heavy use of defense-in-depth tactics. Don’t put all the “crown jewels” one level deep from the perimeter, but make attackers have to penetrate multiple levels.
5. Log everything you can. This will help greatly when trying to find a “smoking gun” during an investigation. This means both inbound and outbound traffic, and especially watch for abnormal outbound traffic, a telltale sign something bad is happening.
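To make item 5 concrete, here is an added Python example (not from the keynote, the article, or ESET) that runs a few simple "abnormal outbound traffic" checks over constructed flow-log lines: it separates outbound flows (internal source, external destination) from internal ones, totals bytes sent per host, and flags hosts whose outbound volume is far above the median, or that connect to external hosts on unexpected ports or outside business hours. The sample records, the internal address ranges, the port allow-list, and the business-hours window are all assumptions chosen for the illustration.

```python
"""Flag abnormal outbound traffic in flow logs (illustrative example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flow records (not real logs), one per line:
# timestamp  src_ip  dst_ip  dst_port  bytes_out
# The last two lines are the planted anomaly: one workstation pushing
# hundreds of megabytes to an external host on port 8443 at 02:15.
SAMPLE_FLOWS = """\
2012-07-25T09:01:00 10.0.1.10 93.184.216.34 443 1200
2012-07-25T09:02:00 10.0.1.11 93.184.216.34 443 900
2012-07-25T09:03:00 10.0.1.12 93.184.216.34 443 1500
2012-07-25T09:04:00 10.0.1.13 93.184.216.34 443 1100
2012-07-25T09:05:00 10.0.1.14 93.184.216.34 80 800
2012-07-25T09:05:30 10.0.1.10 10.0.2.5 445 500000
2012-07-25T02:15:00 10.0.1.12 198.51.100.7 8443 350000000
2012-07-25T02:16:00 10.0.1.12 198.51.100.7 8443 420000000
"""

# Assumed internal ranges; adjust to the network being monitored.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Assumed ports on which outbound traffic is expected from workstations.
EXPECTED_PORTS = {25, 53, 80, 443}
# Assumed business hours: 07:00 through 19:59 count as normal.
BUSINESS_HOURS = range(7, 20)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    """Parse the whitespace-separated flow format defined above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def outbound_flows(flows: list[dict]) -> list[dict]:
    """Keep only flows from an internal source to an external destination."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def outbound_bytes_per_host(flows: list[dict]) -> dict[str, int]:
    totals: dict[str, int] = defaultdict(int)
    for f in outbound_flows(flows):
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def _note(reasons: dict[str, list[str]], host: str, msg: str) -> None:
    """Record a reason once per host so repeated flows do not spam the report."""
    if msg not in reasons[host]:
        reasons[host].append(msg)


def flag_abnormal_hosts(flows: list[dict], volume_factor: float = 10.0) -> dict[str, list[str]]:
    """Return {host: [reasons]} for hosts whose outbound traffic looks abnormal."""
    reasons: dict[str, list[str]] = defaultdict(list)
    totals = outbound_bytes_per_host(flows)
    if totals:
        # Median is robust to the very outlier we are trying to find.
        baseline = median(totals.values())
        for host, total in totals.items():
            if total > volume_factor * baseline:
                _note(reasons, host,
                      f"outbound volume {total} B exceeds {volume_factor:g}x median ({baseline:.0f} B)")
    for f in outbound_flows(flows):
        if f["port"] not in EXPECTED_PORTS:
            _note(reasons, f["src"],
                  f"external connection to {f['dst']} on unexpected port {f['port']}")
        if f["ts"].hour not in BUSINESS_HOURS:
            _note(reasons, f["src"],
                  f"external connection during hour {f['ts'].hour:02d}, outside business hours")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in flag_abnormal_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(host)
        for r in why:
            print("  -", r)
```

On the sample data only 10.0.1.12 is reported, with three distinct reasons; the large internal SMB transfer from 10.0.1.10 is deliberately ignored because it never leaves the network. In practice the baseline would be computed over a longer history per host rather than across hosts in one window, but the shape of the check, totals per source, compared against a robust baseline, plus port and time-of-day rules, is what "watch for abnormal outbound traffic" turns into in code.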
Will It Be Enough?
These steps will certainly raise the bar of difficulty for people attacking companies, and therefore raise the cost to the attacker, which is a major factor when an attacker picks a target. If the costs become too high, they may go elsewhere or give up. They may also pick an easier target to exploit, and your company would be out of harm’s way.
But tactics change, and so does the threatscape. And if the last several years are any indication of what’s yet to come, hang on for a wild ride. Also, the old boxing admonition to “protect yourself at all times” certainly still applies.
Reprinted with permission
Cameron Camp is a researcher for global security provider ESET and has played a critical role in building the ESET North America Research Lab. Cameron has been building critical technology infrastructures for more than 20 years, beginning as an assembly language programmer in 1987 and eventually becoming an evangelist for Linux and open-source technologies with an emphasis on the security sector. Prior to joining ESET, he founded Logical Web Host in 1998, a data-driven web services company.