During a briefing from the top security analyst at one of the Washington-area cyber centers, I got the idea that resisting targeted attacks from sophisticated adversaries (so-called advanced persistent threats, or APTs) is a bit like playing chess at the grand master level.
Security efforts disproportionately emphasize endpoint anti-malware. But users, desktops and devices are only the pawns on the board (who, unfortunately, often hold the crown jewels: your data). Sophisticated attackers adeptly perform the intelligence-gathering needed to find just the right social vulnerabilities for the person of interest and the right technical vulnerabilities for the device. Once exposed, most useful devices are easily compromised by targeted malware exploits riding on the back of spear phishing or similar attacks.
The rook, or castle, provides a strong defense in a chess game. On the anti-malware chess board we’ve tried to protect our pawns behind the rook’s analogues – firewalls and system hardening. But these technologies seem so 1990s and continue to lose effectiveness today. Users and developers got around firewalls long ago, while locked-down endpoints have become a quaint concept for many in the bring your own device (BYOD) era. As I wrote in my Restricted Zones post, firewalls still have a crucial job protecting data centers and servers. But in the defense of users and devices you can’t think in terms of a Maginot line.
Instead, work with other IT groups to craft a mix of user capabilities and security mechanisms to suit the business use cases. In IT, just as in chess, you have to be smart to do this. Encrypted information containers, server-hosted desktops, contextual access management, system re-imaging and user profile management are some examples of tools you can use in today’s data center and end user computing environments to control the center of the game: the data itself.
You can also guard some user interactions outside the firewalls using security components such as secure web gateways (SWGs) and secure email gateways (SEGs) to cover the vectors of infection through which malware is delivered. Like bishops and knights slashing and leaping across the chessboard, SWGs and SEGs extend your protective reach.
Even with all these defenses, remember that sophisticated and persistent groups of adversaries can reconnoiter and work around any static defense. In information security as in chess, the board stays in constant motion. Assume you’re already compromised to greater or lesser degrees and try thinking a few moves ahead. Develop hypotheses about threats, targets and attack paths and use advanced monitoring to confirm or disprove these hypotheses. Also monitor for anomalies that suggest further hypotheses or are worrisome in themselves. Regain some of the home field advantage lost to BYOD through awareness programs and telemetry gathering tools that turn your users and devices into sensors.
Collect logs from networks, endpoints and applications and infuse your security information and event management (SIEM) system with local IT and global threat intelligence context. Use this context and data to correlate events and maintain your alertness throughout the game. Don’t underestimate the importance of threat intelligence. Share security information with vendors, law enforcement and peer company contacts to collectively learn more about the threat, or attacker. Only through insight into threats, vulnerabilities, attacks and targets can you hope to stay a few moves ahead of APTs.
One gets the sense that threat intelligence and reputation systems – delivered through cloud assist and security information sharing – could become the kings and queens of cyber-defense. At my cyber-defense briefing, I saw timescale slides depicting kill chains, or attack graphs, based on one of their most prolific attackers’ social engineering, vulnerability exploits, command/control, lateral movement and data exfiltration tradecraft. By studying the adversary’s techniques, the cyber-center was able to shut “him” down for a while after learning that attack waves always began with an increase in domain registration activity at a certain bulletproof hosting center in China.
Eventually the attacker must have realized he’d been made and changed some of the tradecraft because – ominously – detections further down the kill chain re-appeared to the right of the timescale. But developing threat intelligence on the attacker bought some time, and sharing the information appropriately with security teams at other organizations helped them find ways to shore up defenses against similar exploits.
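The SIEM correlation and kill-chain tracking described above, as an added example of my own rather than the post’s or the cyber center’s code: constructed log events from a mail gateway, endpoint agent, web gateway and domain controller are tagged with a kill-chain stage using a constructed threat-intel list, and a host that shows several stages inside one time window is raised as an alert, deepest intrusion first. All domains, hostnames and thresholds are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed threat-intel context: placeholder domains a sharing partner flagged.
THREAT_INTEL = {
    "lure-newreg.example": "newly registered at a watched bulletproof host",
    "bad-updates.example": "known command/control domain",
}
STAGES = ["delivery", "exploit", "c2", "lateral", "exfil"]  # kill-chain order

def classify(ev):
    """Map one log event to the kill-chain stage it suggests, or None."""
    src = ev["source"]
    if src == "seg" and ev.get("link_domain") in THREAT_INTEL:
        return "delivery"  # spear-phishing mail carrying a flagged link
    if src == "edr" and ev.get("parent") == "outlook.exe" and ev.get("child") in ("powershell.exe", "cmd.exe"):
        return "exploit"   # mail client spawning a shell
    if src == "swg" and ev.get("domain") in THREAT_INTEL:
        return "c2"        # web traffic to flagged infrastructure
    if src == "auth" and ev.get("logon_type") == "network" and ev.get("dst") != ev["host"]:
        return "lateral"   # workstation logging on to another host
    if src == "swg" and ev.get("bytes_out", 0) > 50_000_000:
        return "exfil"     # unusually large upload
    return None

def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Group stage hits per host; alert when several stages land in one window."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        start = hits[0][0]  # window anchored at the earliest hit (simplification)
        stages = sorted({s for t, s in hits if t - start <= window}, key=STAGES.index)
        if len(stages) >= min_stages:
            alerts.append({"host": host, "stages": stages, "depth": STAGES.index(stages[-1]) + 1})
    return sorted(alerts, key=lambda a: -a["depth"])  # deepest intrusion first
# Constructed sample events: mail gateway (seg), endpoint agent (edr), web gateway (swg), logons (auth).
EVENTS = [
    {"ts": "2013-04-01T08:02:00", "source": "seg", "host": "ws-17", "link_domain": "lure-newreg.example"},
    {"ts": "2013-04-01T08:15:00", "source": "edr", "host": "ws-17", "parent": "outlook.exe", "child": "powershell.exe"},
    {"ts": "2013-04-01T08:16:30", "source": "swg", "host": "ws-17", "domain": "bad-updates.example", "bytes_out": 4096},
    {"ts": "2013-04-01T11:40:00", "source": "auth", "host": "ws-17", "dst": "fileserver-2", "logon_type": "network"},
    {"ts": "2013-04-01T23:05:00", "source": "swg", "host": "ws-17", "domain": "cloud-share.example", "bytes_out": 80_000_000},
    {"ts": "2013-04-01T09:30:00", "source": "auth", "host": "ws-42", "dst": "fileserver-2", "logon_type": "network"},
]
if __name__ == "__main__":
    print(correlate(EVENTS))
```

A lone network logon (ws-42) stays below the alert threshold, while ws-17 lights up every stage from the phishing link to the large upload; in a real SIEM the window would slide rather than anchor on the first hit.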
Finally, in this never-ending cyber-conflict we’re starting to realize that – just as in chess, soccer and war – sometimes the best defense is a good offense. Not having an offensive arm to information security is a huge liability under which we still labor while competent attackers operate with virtual impunity. While most organizations understandably don’t want to try to turn their security department into the NSA, some with advanced security programs do deploy threat attribution, legal sanctions, law enforcement contacts and so-called active defense techniques such as deception and information hiding in their networks to deter or confuse attackers. Although such thinking is very early in development outside the defense industry, keep your mind open to learning about the capabilities mentioned because – if you’re targeted – you may soon need the extra edge.