If you take a step back and look at the state of cybersecurity in the government, it’s evident that there’s a lot of work to be done.
Just within the past six months, the secretary of the Department of Homeland Security (DHS) has been replaced, the White House has eliminated the position of cybersecurity coordinator on the National Security Council, the top three cybersecurity officials at the FBI have departed, several large-scale public sector breaches have occurred – including the City of Atlanta – and the primary elections were off to a rocky start as states and counties grappled with insecure systems and voter distrust.
Data stolen in breaches years ago is still surfacing in financial crimes today, proving that getting over past breaches is hard to do. Simply doing more of the same won’t fix our current challenges.
Strategic government action to improve threat detection and response is critical as the threat landscape continues to evolve at a rapid rate. The need to increase the structure and speed of active defense measures and information sharing platforms is more pertinent than ever. These initiatives should be universally agreed upon and led by our own government.
To better prepare for the evolving threats, it’s simply no longer enough to locate and remove an attacker from a network. We must study our adversary to understand them. This means, that businesses and the government need to have measures in place that empower security teams to safely study an attacker in a “natural” environment without being noticed.
Enter deception technology: An approach that is beginning to gain traction in the government.
Utilizing techniques that spies and the military are already familiar with, deception lures attackers already inside your perimeter to assets that look genuine but are highly-authentic decoys. It accomplishes this by laying traps and lures throughout the network and on the endpoint which appear to be production assets. Once an attacker engages with the deception environment, a high-fidelity alert is raised giving the organization the opportunity to either quickly expel them from the network – or study their methods and movements within a controlled environment.
This real-time forensic analysis and counterintelligence gives security teams a golden opportunity to better understand the motives of an attack, drastically improving their ability to identify who is responsible for it and how to defend against similar attacks in the future.
Beyond that, deception is proven to drastically reduce dwell time, or the duration of time a threat actor has within an environment before they are detected by security controls.
Dwell time is increasingly considered one of the most important metrics to measure the health of a cybersecurity program within an organization. It is especially important to reduce dwell time since data exfiltration times are also decreasing, meaning adversaries are moving more quickly to steal your data once inside your perimeter.
In May, during a panel on cybersecurity at the 2018 CFO/CIO Summit hosted by the Association of Government Accountants and the Association for Federal Information Resources Management, Rod Turk, acting CIO and chief information security officer at the Commerce Department, named dwell time as a metric that can inform all the others.
Dwell time, Turk said, “speaks to everything you’re doing in cybersecurity,” and he suggested officials should actively measure it and use it as a bellwether for their agency’s cybersecurity posture.
Overall, the government’s cybersecurity framework just isn’t evolving as fast as the threat actors are, which is why we need to understand that successful cybersecurity strategies are not “one-size-fits-all.” In cybersecurity, it is essential to have both defensive and offensive strategies. Beyond perimeter security measures that are already widely accepted at the federal level, techniques like deception are crucial to the nation’s security and necessary when implementing an active defense strategy.
Another component of active defense was mentioned by Rob Joyce, former National Security Agency and White House cyber coordinator, when he spoke at the USENIX Enigma conference in San Francisco in 2016 on the topic of keeping out advanced adversaries.
“Another nightmare for the NSA? An ‘out-of-band network tap’ — a device that monitors network activity and produces logs that can record anomalous activity — plus a smart system administrator who actually reads the logs and pays attention to what they say,” he said.
That’s really the sweet spot for deception since any activity on decoy systems is by definition, an anomaly and will provide an alarm. You also shouldn’t have any false positives making it easier to monitor and therefore take action based on the alerts. Shrinking your dwell-time by quickly detecting attackers through this deception layer and minimizing their chance of exfiltrating data.
Often associated with military applications, active defense is the use of offensive actions to outmaneuver an adversary inside the network with the aim of making an attack more difficult to carry out. By implementing active defense measures, we can successfully slow down or derail an attacker so they are unable to complete their attack, thus exposing their presence in the network during the early stages of their attack. Active defense can also mean striking back at an attacker, but this approach should be reserved for those with the forensic resources and legal authority to confirm attribution and take appropriate action. We do not advocate hacking back at the corporate level.
Throughout history, deception has been a critical component of offense and defense in the military. Now that most organizations are continuously targets of cyberattacks, deception should also be widely accepted in the government.
The combination of early threat detection and the deep level of adversarial intelligence gathered through a deceptive layer can be shared with government, law enforcement and industry so that we can understand the threat landscape and ultimately prevent a similar attack from happening in the future.
Agencies at all levels should be looking to build and embrace an active defense that includes the use of deception and other complementary incident response technologies. If we can implement a system where we are quickly and consistently detecting threats early and exposing the motives and methods of bad actors – and sharing that data broadly across government and industry – we can find a way to stay ahead of cyberattacks instead of feeling like we’re always one step behind.