Why letting attackers inside your network is the smartest thing you can do [Q&A]
Organizations waste millions of dollars trying to keep hackers away from sensitive information using outdated perimeter-based security technologies. The result is obvious: it isn’t working.
Percipient Networks’ CTO Todd O’Boyle has counterintuitive advice for businesses when discussing what to do about hackers: let them in your corporate network. I spoke to Todd, and he explained why that advice is more sound than you might think.
BN: Why would I ever leave an attacker inside my network?
TO: Many reasons. We were motivated to perform the research around our technology after watching the same attacker come back a number of times, with the defender reactively putting technical solutions in place after each attack. No matter what we did, the attacker would come up with a technique to counter it.
Through our research we decided to change tactics and focus on watching attackers already inside the network and control what they can do.
If you’re a target of a high-end attacker, they will find a way in. We know this. The going "dwell time" according to the latest FireEye M-Trends report is about 200 days. So when a breach is uncovered, we see a few options:
- Immediately stop the attacker from communicating with their victim. This response is ineffective if the attacker has another access or has built resiliency into their malware.
- Hire incident responders costing hundreds of dollars an hour to "hunt" the attacker and then help you extract them. This seems to work well but does not address the "why" of an attack.
- Leave the attacker in to extract their operational targets. Figure out what they are trying to steal from you and then come up with ways to best protect that part of the organization.
We feel that an important step forward in cybersecurity is linking it closer to the business. Why am I being attacked? What information are they after? What do I think they are going to do with that information? If you can understand the answers to these questions, you can make business-focused security decisions and we think that’s the key.
BN: Isn't that just like a honeypot?
TO: The difference between Strongarm’s patented technology and a honeypot is that Strongarm was designed to operate on a production network, constantly looking for indicators of compromise. The actual commands an attacker is trying to run are exposed to the defender.
In a honeypot, the entire environment is fake. Human attackers tend to see through this quickly and disconnect. You may be able to collect some tools from them, but you will never get any visibility over what they are after.
BN: Doesn't my IDS/IPS/NGFW/NGEP/fancy widget stop these kinds of attacks?
TO: Attackers are an innovative bunch. Every attacker's toolkit contains capabilities to bypass firewalls, anti-virus, IDS, and sandboxes. This is because they use easy-to-change heuristics to find attackers.
We believe that the security community needs to move up the Pyramid of Pain and build defenses that will increase the cost of attacking and persisting. This was one of our goals with Strongarm, to move closer to understanding TTPs and motivations of attackers instead of simply blocking the attack.
BN: Why would I tell anyone I was attacked? Who would do that?
TO: The main reason is to "pay it forward" and to take the shame out of being a victim.
When you take the shame out of being attacked, it opens up a fundamentally different conversation about security. People should be proud to share what they did to respond to a particular attack. Sharing details of the attack can help others in the same boat do better to protect themselves. In these indicator sharing communities, the more you share, the more that is shared with you.
BN: What does Strongarm do?
TO: The Strongarm research prototype was a man-in-the-middle proxy for malware. Using indicators of compromise and the DNS, we would redirect connections to command and control servers over to the MITM proxy. This proxy would open the connections from the malware to the attacker, apply a policy, and forward the connection on to the attacker as if nothing was happening. A policy was also applied to the actions the attacker sent back.
Today’s Strongarm technology is an easy-to-use, easy-to-deploy security solution for SMBs. Through our research around the ability to "speak malware", Strongarm helps automate many of the typical tasks of security operations, delivering low false positive rates and unprecedented visibility over victim systems.
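The research-prototype flow Todd describes (indicator-driven DNS redirection into a man-in-the-middle proxy that applies a policy in both directions) as an added Python sketch; this is not Strongarm's code or anything from the interview. The indicator list, the sinkhole address, the toy line-oriented C2 protocol and its policy table are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed indicator list: names an IOC feed flagged as command and control (placeholder values).
C2_INDICATORS = {"update-check.example.invalid", "cdn-sync.example.invalid"}
SINKHOLE_IP = "10.0.0.53"  # assumed address of the policy proxy


def resolve(name: str, upstream: Dict[str, str]) -> Optional[str]:
    """DNS step: a name on the indicator list resolves to the proxy; anything else resolves normally."""
    if name.lower().rstrip(".") in C2_INDICATORS:
        return SINKHOLE_IP
    return upstream.get(name)


# Per-direction policy over a toy line-oriented C2 protocol (a verb, then one argument).
# "forward": pass the line unchanged; "block": substitute a harmless line so the session stays alive.
ATTACKER_TO_VICTIM = {"PING": "forward", "SLEEP": "forward", "EXEC": "block", "GET": "block"}
VICTIM_TO_ATTACKER = {"HELLO": "forward", "PONG": "forward", "DATA": "block"}
BENIGN = {"attacker->victim": "SLEEP 60", "victim->attacker": "PONG"}


@dataclass
class ProxySession:
    victim_ip: str
    log: List[tuple] = field(default_factory=list)  # every line seen, recorded before policy is applied

    def relay(self, direction: str, line: str) -> str:
        """Record the line, apply the policy, and return what the other side actually receives."""
        rules = ATTACKER_TO_VICTIM if direction == "attacker->victim" else VICTIM_TO_ATTACKER
        verb, _, arg = line.strip().partition(" ")
        action = rules.get(verb.upper(), "block")  # unknown verbs never pass through
        self.log.append((direction, verb.upper(), arg, action))
        return line.strip() if action == "forward" else BENIGN[direction]

    def attacker_targets(self) -> List[str]:
        """What the attacker tried to run or fetch: the visibility the interview argues for."""
        return [arg for d, verb, arg, _ in self.log
                if d == "attacker->victim" and verb in ("EXEC", "GET") and arg]


def run_demo() -> ProxySession:
    # Constructed session: the implant looks up its C2 name, lands on the proxy, and the operator drives it.
    assert resolve("update-check.example.invalid", {}) == SINKHOLE_IP
    s = ProxySession("192.0.2.10")
    s.relay("victim->attacker", "HELLO host=ws01")
    s.relay("attacker->victim", "PING")
    s.relay("victim->attacker", "PONG")
    s.relay("attacker->victim", "EXEC whoami")
    s.relay("attacker->victim", "GET C:\\finance\\q3-forecast.xlsx")
    s.relay("victim->attacker", "DATA <exfil chunk>")
    return s
```

The `attacker_targets()` list is the part a defender acts on: it shows which commands and files the attacker went after, while blocked lines were answered with keep-alives so the attacker had no signal that anything changed.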