Practicing Offensive Defense; Lessons from Israel
by Avivah Litan | February 6, 2017
The security industry seems to feed on itself.
Most security doctrines view security from the inside out, essentially turning companies into sitting ducks waiting for the next attack to appear. They try to fend off an attack as soon as it hits, with either protection or detection built from point solutions patched together into a blurry, expensive and hard-to-maintain maze.
Almost all security resources are spent identifying and evading attacks, but what about identifying the attackers?
Should attribution really be that hard in an era of advanced analytics and artificial intelligence?
From what I can tell, today’s AI applications are still focused on the same old problems – e.g. finding non-apparent indicators of malware behavior rather than identifying the attacker so that he or she can be put out of business altogether.
Even the seven-stage Intrusion Kill Chain is inward-looking. It starts with Reconnaissance instead of starting with IDENTIFYING the ATTACKER before reconnaissance begins. Such identification requires understanding the hacker’s motivations and intentions, so that the attack can be nullified with pre-emptive analytics.
How can we get out of this no-win, unending security cycle that is reminiscent of a hamster wheel? One way may be engaging in Offensive Defense. That’s what a few Israeli companies I met with last week are working on. Here are some of the pre-emptive security methods I came across:
Identifying Attackers and Extending the Kill Chain
Diskin Advanced Technologies, started by Yuval Diskin, former head of Israel’s internal security agency Shin-Bet, applies advanced analytics to identify an attacker in order to pre-empt future campaigns. DAT applies to cyberthreats a methodology and discipline similar to the one Diskin used to successfully pre-empt suicide bomber attacks. DAT extends the Intrusion Kill Chain backwards with predecessor stages: Motivation, Intention, Conspiracy and Assembly, all before Reconnaissance starts.
In these early stages the attackers, accomplices and weapons are identified before the attack is launched. By taking the attacker down, future attacks are pre-empted.
DAT has successfully applied this technique to cybersecurity by connecting the dots to identify the same attackers involved in multiple campaigns. Most of the time, the ‘dots’ are collected and profiled as weak signals from all layers of cyberspace.
Malicious campaigns conducted by the same actor(s) can be very different in nature, for example targeted advanced attacks against an energy company vs. a widespread ecommerce consumer fraud campaign. By identifying the human attackers, multiple attacks, even those that seem unrelated, can be pre-empted. DAT produces ‘indicators of attacker behaviour’ rather than just ‘indicators of (attack) compromise’, which it distributes to customers for incorporation into enterprise security systems to block future attacks.
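The following is an added illustration of the "connecting the dots" idea, not DAT's method or data: campaigns are profiled by attacker-level signals (a reused registrant mailbox, an SSH key fingerprint seen on staging hosts, a mutex naming habit, a build time zone, a C2 address), pairs are linked when the weighted overlap clears a threshold, and the overlapping values become the attacker indicators worth distributing. All campaign names, signal names, weights and values are constructed for the example.

```python
"""Link seemingly unrelated campaigns through shared attacker-level signals.

Added example with constructed data; it is not DAT's methodology or output.
"""
from collections import defaultdict
from itertools import combinations

# Constructed campaign profiles. Each signal describes the operator, not the
# payload: a payload can be rewritten per campaign, but a registrant mailbox,
# a staging-host SSH key or a C2 address is reused more often than it should be.
CAMPAIGNS = {
    "energy-intrusion": {
        "registrant_email": {"ops-mailbox@example.test"},
        "ssh_key_fpr": {"SHA256:aa11aa11"},
        "build_tz": {"UTC+3"},
        "c2_ip": {"203.0.113.10"},
    },
    "ecommerce-fraud": {
        "registrant_email": {"ops-mailbox@example.test"},
        "mutex_style": {"Global\\mx_"},
        "build_tz": {"UTC+3"},
        "c2_ip": {"198.51.100.7"},
    },
    "ransomware-spray": {
        "ssh_key_fpr": {"SHA256:aa11aa11"},
        "c2_ip": {"203.0.113.10"},
        "build_tz": {"UTC-5"},
    },
    "unrelated-phish": {
        "build_tz": {"UTC+3"},
        "mutex_style": {"Global\\mx_"},
        "c2_ip": {"192.0.2.44"},
    },
}

# Assumed weights: roughly, how costly the signal is for an attacker to change.
# A shared time zone or coding habit alone is coincidence; a shared mailbox or
# key is not. Two campaigns are linked when the weighted overlap reaches
# LINK_THRESHOLD, so several weak signals can still add up to a link.
SIGNAL_WEIGHTS = {
    "registrant_email": 3,
    "ssh_key_fpr": 3,
    "c2_ip": 2,
    "mutex_style": 1,
    "build_tz": 1,
}
LINK_THRESHOLD = 3


def shared_evidence(a, b):
    """Signals whose values occur in both campaign profiles."""
    return {sig: a[sig] & b[sig] for sig in a.keys() & b.keys() if a[sig] & b[sig]}


def link_score(a, b):
    """Weighted strength of the evidence that a and b share an operator."""
    return sum(SIGNAL_WEIGHTS.get(sig, 0) for sig in shared_evidence(a, b))


def cluster_campaigns(campaigns, threshold=LINK_THRESHOLD):
    """Union-find over linked pairs; returns groups, largest first."""
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(campaigns, 2):
        if link_score(campaigns[x], campaigns[y]) >= threshold:
            parent[find(x)] = find(y)

    groups = defaultdict(set)
    for name in campaigns:
        groups[find(name)].add(name)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


def actor_indicators(campaigns, group):
    """Values seen in at least two campaigns of one group: the attacker-level
    indicators that are worth pushing to blocking controls, as opposed to the
    per-campaign indicators of compromise that change with every payload."""
    counts = defaultdict(lambda: defaultdict(int))
    for name in group:
        for sig, values in campaigns[name].items():
            for value in values:
                counts[sig][value] += 1
    return {
        sig: {v for v, n in vals.items() if n >= 2}
        for sig, vals in counts.items()
        if any(n >= 2 for n in vals.values())
    }


if __name__ == "__main__":
    for group in cluster_campaigns(CAMPAIGNS):
        print(sorted(group), actor_indicators(CAMPAIGNS, group))
```

With these constructed profiles the energy intrusion, the ecommerce fraud and the ransomware spray fall into one group (the first two share a registrant mailbox, the first and third a staging key and a C2 address), while the phishing campaign stays separate: it shares only a time zone and a mutex habit with the fraud campaign, which scores 2 and sits under the threshold. The threshold is the caveat a practitioner cares about: weak signals are plentiful and cheap for an adversary to imitate, so one of them must never be enough to attribute.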
Discovering attacker intentions
Another start-up, empow, touts its ability to discover attacker intentions using information already inside the network and also by searching the web. Interestingly, it parses comments found in malware files in order to understand attacker intent and behaviour, as well as comments in IPS and other enterprise systems to understand defender policies. It integrates the results using models that produce ‘strategic rules’, which attempt to pre-empt attacks based on attacker intentions.
Similarly, start-up Predictico uses non-traditional HR and people-management systems and data to find malicious insiders before they do harm, using models partly developed by psychologists.
Other Offensive Defense techniques
a) Deception inside the network
Deception technology is an offensive defense technique because it fights back, luring a hacker or malicious process into traps. Deception technology first emerged at the infrastructure level with vendors like Attivo, Illusive Networks, TopSpin, and Trapx (see Competitive Landscape: Distributed Deception Platforms, 2016), but is moving deeper into the endpoint level with vendors like Minerva Labs and Deceptive Bytes, and into the data/information level with vendors like ITSMine.
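As an added example of deception at the endpoint and data level (it is not code from any of the vendors named above), the block below plants decoy credentials that no legitimate process ever uses and then watches authentication logs for them. The decoy usernames are derived with a keyed HMAC so the detector can recompute them instead of storing a list, and because a decoy is a lie, any attempt to use it is an alert, whether or not the login succeeds; the decoy also tells you which host the attacker harvested it from. The secret, host names and log lines are constructed for the example.

```python
"""Plant decoy credentials and detect their use in auth logs.

Added example; constructed secret, hosts and log lines, no vendor's code.
"""
import hashlib
import hmac
import re

# Hypothetical per-deployment secret known only to the detector. Constructed.
PLANTING_SECRET = b"constructed-secret-do-not-reuse"
HOSTS = ["web01", "web02", "db01"]


def decoy_username(secret, host):
    """Deterministic, unpredictable decoy account name for one host."""
    tag = hmac.new(secret, host.encode(), hashlib.sha256).hexdigest()[:8]
    return f"svc-backup-{tag}"


def plant_decoys(secret, hosts):
    """Map each decoy username to the host where it is planted (for example in
    a config file, browser store or shell history). The names look like a
    service account and are unique per host, so a hit pinpoints the harvest."""
    return {decoy_username(secret, h): h for h in hosts}


# Assumed log format: one key=value line per authentication attempt.
LOG_RE = re.compile(
    r"host=(?P<target>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def detect_decoy_use(log_lines, decoys):
    """Return one alert per attempt that uses a decoy, successful or not."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user = m["user"]
        if user not in decoys:
            continue
        alerts.append({
            "decoy": user,
            "harvested_from": decoys[user],   # where the attacker read it
            "used_against": m["target"],      # where they tried it
            "src": m["src"],
            "result": m["result"],
        })
    return alerts


# Constructed sample log: a normal login, a failed login with a real account,
# and a failed login on db01 using the decoy planted on web01.
SAMPLE_LOG = [
    "host=web01 user=alice src=10.0.0.5 result=ok",
    "host=db01 user=alice src=10.0.0.5 result=fail",
    f"host=db01 user={decoy_username(PLANTING_SECRET, 'web01')} src=10.0.0.23 result=fail",
]


if __name__ == "__main__":
    decoys = plant_decoys(PLANTING_SECRET, HOSTS)
    for alert in detect_decoy_use(SAMPLE_LOG, decoys):
        print(alert)
```

The failed login by the real user is noise and produces nothing; the single decoy attempt produces an alert that already carries the story an analyst wants: credentials read on web01 were replayed against db01 from 10.0.0.23. Deception signal of this kind has essentially no false positives, which is why it is a cheap addition to a detection stack.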
b) Pre-empting attacks using social media information
These solutions do not identify intentions or bad actors but are useful in pre-empting attacks by proactively searching social media posts and activities. For example, Cyberint found that almost 2% of social media comments and postings with an embedded URL are actually malicious. By identifying these malicious links ahead of time, attacks can be subverted. This is similar in nature to the rest of the threat intelligence market, which produces indicators of compromise and blacklists for its customers. It’s not a change in approach, but it is a useful additional data source.
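The screening step itself is a blocklist match, but matching URLs correctly is where practitioners get burned, so here is an added example (not Cyberint's code; the posts and blocklist are constructed): it extracts URLs from posts, takes the real host through `urllib.parse` so that a `user@host` prefix cannot disguise the destination, and matches the host and its parent domains against the blocklist without being fooled by a look-alike where the blocked name is only a prefix of a longer, unrelated domain.

```python
"""Screen URLs embedded in social posts against a domain blocklist.

Added example with constructed posts and blocklist; not a vendor's code.
"""
import re
from urllib.parse import urlsplit

# Constructed blocklist of registrable domains.
BLOCKLIST = {"evil.example", "phish.test"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    return URL_RE.findall(text)


def host_of(url):
    """Real destination host: urlsplit().hostname lowercases the name and
    discards any userinfo, so https://bank.example@evil.example/ resolves to
    evil.example rather than to what the reader sees first."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def is_blocked(host, blocklist):
    """True when the host or any parent domain is listed. Matching on label
    boundaries means evil.example.safe.example is NOT caught by evil.example:
    it is a different registrable domain, whatever it looks like."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def screen_posts(posts, blocklist):
    """Flag (post_id, url, host) for every blocked link in every post."""
    flagged = []
    for post in posts:
        for url in extract_urls(post["text"]):
            host = host_of(url)
            if host and is_blocked(host, blocklist):
                flagged.append({"post_id": post["id"], "url": url, "host": host})
    return flagged


def malicious_share(posts, blocklist):
    """Fraction of posts that carry a URL and have at least one blocked link."""
    with_url = [p for p in posts if extract_urls(p["text"])]
    if not with_url:
        return 0.0
    flagged_ids = {f["post_id"] for f in screen_posts(with_url, blocklist)}
    return len(flagged_ids) / len(with_url)


# Constructed sample posts.
POSTS = [
    {"id": 1, "text": "Good read: https://news.example/story"},
    {"id": 2, "text": "Free gift! http://login.evil.example/claim?id=7"},
    {"id": 3, "text": "Reset now https://bank.example@evil.example/reset"},
    {"id": 4, "text": "https://evil.example.safe.example/x is fine"},
    {"id": 5, "text": "no links here"},
]


if __name__ == "__main__":
    for hit in screen_posts(POSTS, BLOCKLIST):
        print(hit)
    print(f"{malicious_share(POSTS, BLOCKLIST):.0%} of posts with a URL were flagged")
```

Posts 2 and 3 are flagged (a subdomain of a listed domain, and the userinfo trick); post 4 is not, because a domain that merely starts with the blocked string is a different owner. Whether a feed is built from social media or any other source, the match logic is what decides if the indicators actually block anything.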
No one wants to be a sitting duck. The security industry is justifiably moving into an offensive defense posture, optimally driven by advanced analytics and artificial intelligence. One thing that became very clear on my recent trip is that very smart humans need to drive the analytics and train the models on what to look for. Otherwise, we will just keep solving yesterday’s problems, albeit faster and more effectively.
Indeed, using the same approach with more advanced analytics will simply move us from sitting to standing ducks that are better prepared, but ducks nonetheless. It’s time to get off the ground and pre-empt attacks that are targeting us.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.