Attackers are entering networks in a bid to find the organization’s sweet spot. What can organizations do to turn the tables?
While preventive techniques are necessary, they are not always enough. Additionally, with cyber attacks, time is of essence. Honey traps are nothing new, but their use in IT security to date has been limited. Designed to purposely engage and deceive hackers, while identifying malicious activities, they can combine effective deterrence, timely detection, and dynamic deflection to help mitigate and analyze today’s advanced threats. How can organizations do this safely?
Cyber criminals look for the easiest available path when determining where their exploits will succeed. The now infamous Target data breach from 2013 is a prime example of this behavior – writes Anoop Kartha, Sr. Technical Marketing Engineer, Illumio.
Rather than go after the main target in the first instance, the hackers instead focused their efforts on the simplest way in – they stole the credentials from the refrigeration and HVAC (heating, ventilation and air conditioning) system contractor for several of Target’s stores to compromise the system. From this point the hackers pivoted efforts to tunnel across into Target and gained access to the point-of-sale (POS) terminals.
Having done so, they installed malware designed to steal every credit card used at the company’s 1,797 U.S. stores. At the point that the card was swiped, the malware took over capturing the shopper’s credit card number ready to send back to the thieves.
The lack of effective policy governing the network meant they could lie undetected as they stole 40 million people's credit card data and 70 million addresses, phone numbers, and other pieces of personal information.
There are clear ways to stop people employing this tactic.
Reducing the attack surface begins with an adaptive security model. To do this requires understanding of the contextual information for endpoints, workloads, servers or virtual machines within the infrastructure.
Having captured this information, you can build a picture of everything that is going on: the applications running, the complete network of machines, even the entire data centre. Because you can see everything they are doing, an administrator can then apply security policies that dictate what each is allowed to do.
For example, a policy could stipulate that the web tier, and only the web tier, of machines or servers can speak to the application processing tier, and that only the application processing tier should ever speak to the database tier. Achieving that level of policy control is what then makes enforcement possible.
This allows the organization to express the necessary rules so that they adapt down to the individual workload, and even to enforcement at the level of the individual processes running on that workload, providing granular segmentation.
How would this have worked at Target? Ultimately, the HVAC systems that were compromised had no business talking to the POS systems. Their ‘behavior’ should only have allowed them to talk to the air conditioning systems to turn them on or off, to take humidity readings, and control the pumps that were cooling the area. As soon as they started to talk to the POS system it should have been detected and the communication cut off.
Granular policies, tied to individual workloads, ensure that those workloads are only allowed to access resources necessary for the application’s legitimate purpose. The underlying principle here is to move from a blacklist model of “blocking the bad and implicitly allowing everything else” to a whitelist model that “explicitly permits the good and denies everything else.”
This containment approach applied at a fine-grained level effectively reduces the attack surface from the entire network behind the perimeter down to a specific workload.
Detect and deflect to a sticky trap
At the moment, it's fair to say that it takes organizations far too long to detect cyberattacks. In fact, most companies take more than six months to detect a data breach.
A granular, whitelist approach to enforcing policies on individual workloads means potential attacks are immediately detected since there is a precise sense of what a valid transaction is. Any deviations from prescribed behavior can immediately trigger a series of mitigating actions, including dynamically rerouting the connections to strategically placed honey traps – a honeypot if you like.
Honeypots can be used to attract and then trap hackers, allowing the organization time to gather intelligence on their methods. By deflecting a hacker to a controlled environment – a small part of the network that can be compromised, where no useful or valuable data is stored – an organization is able to study and analyze the methods they use to poke around, giving the organization a head start on what the attackers will try next time. A great source of knowledge – so long as the hacker is unaware they’re being watched.
Making Honeypots More Effective with Adaptive Security
One reason why honeypots aren’t deployed more extensively is that there is no opportunity for analysis if they are not in the path of an attack. At the same time, placing them in the open can generate excessive “noise” from hackers probing anything with connectivity.
Instead, rather than passively waiting for the honeypots to be attacked, an adaptive security strategy can redirect attacks to the honeypots.
However, one major concern for honeypot designers is that once a honeypot is compromised, it can be used as a platform to attack and infiltrate other systems or organizations.
Adaptive security, which takes security down to the individual workload level as described above, can isolate and safeguard these honeypots.
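To make the three ideas above concrete (the tier-to-tier allowlist, detecting a deviation and deflecting it to a honeypot, and keeping the honeypot itself from initiating anything), here is a small added example in Python. It is not code from the article or from Illumio; the tier labels, workload addresses, ports, the honeypot address and the flow records are all constructed for illustration, and `evaluate`/`triage` are hypothetical names.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed inventory: workload address -> tier label.
WORKLOAD_TIERS = {
    "10.0.1.10": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.90": "hvac",
    "10.0.4.40": "pos",
}

# Constructed honeypot address. It gets its own tier so the allowlist can
# pin it down: it may receive deflected traffic but never initiate a flow.
HONEYPOT = "10.0.250.250"
WORKLOAD_TIERS[HONEYPOT] = "honeypot"

# Explicit allow rules as (source tier, destination tier, destination port).
# Anything not listed is a deviation from prescribed behaviour (allowlist model).
ALLOW_RULES: Set[Tuple[str, str, int]] = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("hvac", "hvac", 502),  # controller-to-controller traffic, constructed
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str                    # "allow", "deny" or "deflect"
    reason: str
    redirect_to: Optional[str] = None


def evaluate(flow: Flow, deflect: bool = True) -> Verdict:
    """Apply the allowlist to one flow; deviations are denied or deflected."""
    src_tier = WORKLOAD_TIERS.get(flow.src)
    dst_tier = WORKLOAD_TIERS.get(flow.dst)
    if src_tier is None or dst_tier is None:
        return Verdict("deny", "unlabelled workload, no policy applies")
    if src_tier == "honeypot":
        # Containment for the honeypot itself: it must never pivot outward.
        return Verdict("deny", "honeypot attempted an outbound connection")
    if (src_tier, dst_tier, flow.dport) in ALLOW_RULES:
        return Verdict("allow", f"{src_tier}->{dst_tier}:{flow.dport} permitted")
    reason = f"{src_tier}->{dst_tier}:{flow.dport} is not a prescribed flow"
    if deflect and dst_tier != "honeypot":
        # Deviation detected: steer the connection into the sticky trap.
        return Verdict("deflect", reason, redirect_to=HONEYPOT)
    return Verdict("deny", reason)


def triage(flows: List[Flow]) -> List[str]:
    """Evaluate a batch of flows and return one alert line per deviation."""
    alerts = []
    for flow in flows:
        verdict = evaluate(flow)
        if verdict.action != "allow":
            target = f" -> {verdict.redirect_to}" if verdict.redirect_to else ""
            alerts.append(
                f"{verdict.action.upper()} {flow.src}->{flow.dst}:{flow.dport} "
                f"({verdict.reason}){target}"
            )
    return alerts


if __name__ == "__main__":
    # Constructed flow records: normal tier traffic, an HVAC-to-POS attempt
    # and a direct web-to-db attempt; the last two are not prescribed.
    sample = [
        Flow("10.0.1.10", "10.0.2.20", 8080),
        Flow("10.0.2.20", "10.0.3.30", 5432),
        Flow("10.0.9.90", "10.0.4.40", 445),
        Flow("10.0.1.10", "10.0.3.30", 5432),
    ]
    for line in triage(sample):
        print(line)
```

The design point is that the rule set names only the good flows, so the HVAC-to-POS connection needs no signature to be caught: it is simply absent from the allowlist. Deflection is a policy choice (`deflect=False` turns it into a plain deny), and the honeypot tier is denied as a source unconditionally, which is the workload-level containment the text relies on to keep a compromised honeypot from becoming a launch point.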
Risk can never be 100 percent removed. While prevention is ideal, timely detection and mitigation is an absolute must. Developing effective mitigation controls to minimize the impact while gaining deep insight is an important step we should consider as an industry to better prepare us for the sophistication of future attacks.