Rethinking Your Security Strategy to be More Effective in Responding to Cyber Attacks

by: Smith and Howard

January 15, 2021

Back to Resources

As discussed in a previous article, it’s no surprise that large as well as small- and medium-sized businesses (SMBs) are struggling to protect their digital assets from cybercriminals. Since the beginning of the COVID-19 pandemic, we have seen a significant increase in cyberattacks and intrusions. According to a University of Maryland study, a hacker attack is attempted on average every 39 seconds, which equates to 2244 attack attempts each day. Damage due to cybercrime is estimated to exceed $6 trillion annually in 2021 (Cybersecurity Ventures). Businesses are buying security technologies at a record pace, with the information security market expected to reach $170.4 billion by 2022.

The key question we need to ask is: Why are things not improving and what should we being doing that we are not doing now?

To answer this question, we need to understand the various factors that are converging to create the situation businesses find themselves in today.

  • Technology advancements with mobile devices, cloud services, software as a service, remote computing and the increase of third-party service providers have forced businesses to rethink their IT and security strategies, from securing a central information technology infrastructure to focusing on distributed data.
  • Many businesses still do not clearly understand their cyber risks and the financial impact of each risk on their organization. This prevents them from effectively prioritizing which risk needs to be mitigated, which can be transferred to insurance or a third party and what their risk tolerance really is.
  • Cybercriminals are significant more advanced and utilize more advanced technologies than many of the businesses they attack. They are also better at communicating with their networks and other criminal groups.
  • Most organizations still only employ a defensive security strategy.

Digital Transformation and Implementing Advanced Technology to Optimize the Business

Businesses, large and small, are looking to climb out of the COVID-19 lockdown and many are turning their attention to advanced technologies to improve productivity and potentially reduce their personnel costs through the elimination of redundant activities. Every change to a piece of hardware, software or network potentially adds vulnerabilities and risk to the organization. IT/Security management should ensure a detailed risk assessment is performed and the financial impact of any new additional risk is accurately identified. This needs to be balanced against the overall business justification for the changes.

Implementation of a Comprehensive Governance, Risk and Compliance Strategy

In this article, I detailed how to build a comprehensive GRC strategy. This includes a security program based on an industry-accepted security framework such as ISO 27001 or NIST CSF. It also includes a compliance program to address and monitor the contractual and regulatory standards and controls. The final piece of the GRC framework is your risk management program, which continually monitors and manages the existing and new risks in addition to measuring the financial impact of each risk to the business.

Train and Educate Employees, Management, Contractors and Third Parties

More than 80% of all breaches include human error. An educated and aware staff is the best way to protect your digital assets. Since most attacks begin with a phishing attempt via email or by phone, it is essential they understand how to recognize potential phishing attacks and not to click on a link or attachment from anyone they do not know. Phone phishing is a social engineering tactic that is being used to get additional personal information. Employees and end users should be suspicious of any callers asking for personal information or asking them to go to a specific website to enter that information. Whether you create your own training or purchase a security awareness software product, you will need to monitor and confirm all users have taken the training. Don’t forget to include your customers and partners in your security awareness program through newsletters or security tips on your customer-facing websites.

Who is Watching What is Coming In and Going Out of Your Network?

No matter how good your security program and infrastructure are or how well you train your staff, human error (intentional or unintentional) can result in an intruder gaining access to your network and systems. Not having continuous monitoring of your network for threats will make it almost impossible to determine that you have been breached. According to IBM, the average amount of time it takes to detect a breach is 206 days. The damage a cybercriminal can do in that time can be devastating to a business.

Consider Including Additional Strategies to Your Security Defenses

Companies have typically utilized a defensive-only strategy as the foundation of their security program.  This approach is destined to fail and eventually the attacker will find a vulnerability they can exploit. If you think in terms of military strategy, a defensive-only strategy will be overwhelmed by a frontal attack unless it is combined with other strategies such as flanking, fragment or feign. Companies must combine multiple strategies if they are to mitigate or stop a threat. Taking the words from Sun Tzu’s The Art of War, “You must know yourself, your enemy and know the battlefield.” Make sure you have a detailed understanding of the strengths and weakness of your security program and infrastructure. You must also understand how bad actors and cybercriminals think in order to defend against them.

As I mentioned above, the average amount of time in 2019 to identify a breach was 206 days. Since many of the malicious attacks can move laterally in seconds, utilizing manual efforts to respond to and mitigate the attack is a losing battle. Leveraging automation and reducing human interactions should be a priority. You can’t eliminate human interaction completely as there are still too many false positives being created and some decisions regarding actions still need to be made by humans.

How to Slow Down the Bad Guy

There are many ways a breach or an intrusion can occur; if it does, there are some common things to look for. Once an attacker finds a vulnerability to exploit and gets access to a node on your network, they will typically go into reconnaissance mode, looking for valuable data, what users are going in and out of that node and scanning for other nodes connected to that one. Once other nodes are detected they can move very quickly through the network – this is called “lateral movement.” Many intruders will wait for weeks or months just watching and looking for something of value before the launch. Identifying these intrusions as early as possible is critical.

Another Sun Tzu quote that is very applicable is, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”

Incorporating a feign or deception strategy by utilizing deception technology as part of your technology infrastructure makes sense. This does not mean replacing your existing perimeter security infrastructure but enhancing it. This also does not replace security best practices like network segmentation and multi-factor authentication. The purpose of deception technology is to be able to identify a potential threat inside the infrastructure before the actual attack occurs and damage is done. In addition, some of these technologies will slow down the attacker by making it more difficult to identify real targets within the network. In many situations, this delay will allow the Security Operations Center (SOC) team enough time to respond to the attack and potentially mitigate it. Lateral movement of the malicious software moves in seconds which makes it impossible to defend against it with just human resources.  Slowing down the attacker before they can deploy malicious content and early identification of the intruder are key to evening the playing field. There are several promising deception technologies now in the marketing that can help.  Unlike the first-generation deception technologies such as Honey Pots, the new technologies do not try to attract attackers to a specific node or location but instead create the illusion of thousands of fake or phantom nodes around each real node in the network. Once the attacker touches a phantom node/sensor, your team is immediately alerted of the presence of the attacker.  I encourage you to research technologies like these and how they can improve your ability to respond to threats.

Types of Deception Technologies

  • First Generation Deception Products
    “Honey Pots” were the first type of deception technology to be deployed. The premise was to add to the network a fake node that looks too good for the attacker to resist. Once the intruder touches the Honey Pot, the security team is alerted and can respond.
  • Evolution of Honey Pots
    Some vendors have improved the Honey Pot approach by allowing security teams to easily deploy multiple decoys into the network, which improves the chance of attracting and identifying an intruder. One of the drawbacks of this kind of approach is that once an intruder is caught or identified, the information regarding the profile of the decoy is communicated to other cyberintruders to avoid them. The effectiveness is dependent on how many decoys are deployed. Increasing the number of decoys also increases the effort needed to configure and manage them.
  • Implementing an Active and Adaptive Asymmetrical Defense
    The introduction of adaptive asymmetrical defensive technology has enabled businesses to identify an intrusion quickly and slow down the attack, giving security operations team the ability to respond, mitigate and expel the threat.

Instead of attracting intruders to a specific location or locations, these newer technologies are placing an umbrella of deception or phantom nodes around real nodes in your networks that act like sensors when they are touch. Once the intruder touches one of these sensors, it alerts the SOC of a potential threat. Decisions can be made to monitor, isolate or expel the threat. In some products, these decisions can be automated. Authorized users do not see these nodes since they are only visible to unauthorized intruders that are scanning and probing for connected server nodes. I recently came across a relatively new technology from Ridgeback Network Defense that provides increased network visibility and alerts the security team quickly when an intruder trips one of the sensors. Products like this do a very good job of eliminating false positives, reducing the security operation team’s need to investigate potential events, allowing them more time to focus on real events. Differences in the various products in this category are more around cost, how much effort is needed to set up the product and ongoing management. There are also differences in the ability to automate mitigation capabilities, such as isolating a compromised node or expelling an attacker.

These types technologies do not replace your firewalls, intrusion detection and prevention(IDS/IPS) or endpoint detection and response (EDR) solutions. Adding adaptive asymmetrical defense technologies to your existing security infrastructure enhances your ability to identify the threats faster and slow down the attacker, allowing your team to respond more effectively.

Sun Tzu’s quote, “All war is based on deception,” applies to cyber war as well. Cyberintruders try to disguise their identity and activity to make you think they are legitimate users. The SOC team must deceive the intruders so they look in the wrong places; this will expose them and make them vulnerable.

Until we have advanced AI solutions that can detect real threats from false positives and shut them down without the need for human intervention, incorporating deception capabilities into our security strategy and infrastructure may be the best approach for the near future.

If you have questions about these steps or anything else covered in this article, please contact the author, Jeff Brown.

How can we help?

If you have any questions and would like to connect with a team member please call 404-874-6244 or contact an advisor below.