A guest post by Anoop Kartha, Sr. Technical Marketing Engineer at Illumio
What would it take to gain an upper hand in our efforts to thwart attackers and limit the damage they can cause?
While preventive techniques are necessary, they are not sufficient. Additionally, with cyber attacks, time is of the essence. In this article, I discuss a strategy that uses “honeypots” – which are designed to purposely engage and deceive hackers while identifying malicious activities – to combine effective deterrence, timely detection, and dynamic deflection to help mitigate and analyse today’s advanced threats.
Cyber criminals look for the easiest available path when determining where their exploits will succeed. This means organisations that limit their exposure to vulnerabilities are less likely to qualify as targets for these attackers.
The dating industry is host to particularly valuable information which, with the right credentials, could be easily accessed and subsequently stolen. As numerous people are able to gain access to the network infrastructure of such a service — for example IT support staff, admin clerks, security officers and various contractors and developers who need to tweak parts of the online assets held in a company — there needs to be company-wide emphasis on minimising the options available to hackers who can use the information for their lucrative, yet illegal, ends.
Reducing the attack surface begins with an adaptive security model where granular policies tied to individual workloads ensure that those workloads are only allowed to access resources necessary for the application’s legitimate purpose. The underlying principle here is to move from a blacklist model of “blocking the bad and implicitly allowing everything else” to a whitelist model that “explicitly permits the good and denies everything else.”
This containment approach, applied at a fine-grained level, effectively reduces the attack surface from the entire network behind the perimeter down to a specific workload.
If we take the United States Office of Personnel Management (OPM) breach as an example, inquiries have revealed that the malicious actors had lain within the network for four to six months and were only discovered after an upgrade of security detection and monitoring tools. Over this period of time, it would have been possible to spot the activity earlier and direct it to a honeypot. Had this strategy been deployed, the OPM security team could have had a closer look, to understand whether the activity was legitimate or if it was something to be concerned about. As leaked data continued to be uncovered months after the first announcements, the OPM staff missed the opportunity to gather the right intelligence when the first breach came about.
Timely Detection and Dynamic Deflection
It takes organisations far too long to detect cyberattacks. In fact, most companies take more than six months to detect a data breach. Companies need methods to stop malicious actors from hiding in the network, stealthily plundering data. A granular, whitelist approach to enforcing policies on individual workloads means potential attacks are immediately detected since there is a precise sense of what a valid transaction is. Any deviations from prescribed behaviour can immediately trigger a series of mitigating actions, including dynamically rerouting the connections to strategically placed honeypots. This can buy an organisation the time it needs to analyse attacks within a closely monitored environment.
Honeypots can be used to trap hackers and gather intelligence on their methods. By letting a hacker inside a controlled environment — a small part of the network that can be compromised, where no useful or valuable data is stored — an organisation is able to study and analyse the methods they used to poke around, giving them a head start on what the attackers will try next time. The honeypot has become a “honeytrap”, coaxing hackers into deploying their sophisticated tools for security teams to document and dissect. A great source of knowledge — so long as the hacker is unaware they’re being watched.
Making Honeypots More Effective with Adaptive Security
One reason why honeypots aren’t deployed more extensively is that there is no opportunity for analysis if they are not in the path of an attack. At the same time, placing them in the open can generate excessive “noise” from hackers probing anything with connectivity. Rather than passively waiting for the honeypots to be attacked, an adaptive security strategy can redirect attacks to the honeypots.
Another major concern for honeypot designers is that once a honeypot is compromised, it can be used as a platform to attack and infiltrate other systems or organisations. Adaptive security, which takes security down to an individual workload level, can isolate and safeguard these honeypots.
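The whitelist model, the deviation-triggered deflection and the honeypot isolation described in the three sections above, as an added example that is not part of the original post: a toy per-workload allow-list is evaluated over constructed flow records, a deviation from a production workload is deflected to the honeypot, and an unexpected outbound attempt from the honeypot itself is dropped. Workload names, ports and flow records are constructed assumptions, not any vendor's policy format.

```python
"""Per-workload allow-list policy with honeypot deflection (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: each workload may only open the (destination, port)
# pairs its application legitimately needs; everything else is a deviation.
ALLOW: Dict[str, Set[Tuple[str, int]]] = {
    "web-01": {("app-01", 8443)},
    "app-01": {("db-01", 5432)},
    "honeypot-01": {("collector-01", 514)},  # honeypot may only talk to the log collector
}
HONEYPOT = "honeypot-01"

@dataclass
class Decision:
    action: str        # "allow", "redirect" or "deny"
    target: str = ""   # where the connection is sent (empty when denied)

def evaluate(src: str, dst: str, port: int) -> Decision:
    """Whitelist model: explicitly permitted pairs pass; all else is a deviation."""
    if (dst, port) in ALLOW.get(src, set()):
        return Decision("allow", dst)
    if src == HONEYPOT:
        # The honeypot is isolated: an unexpected outbound attempt is dropped,
        # so a compromised honeypot cannot be used to reach other systems.
        return Decision("deny")
    # Deviation from a production (or unknown) workload: deflect it to the
    # honeypot so the security team can observe it in a controlled environment.
    return Decision("redirect", HONEYPOT)

# Constructed flow records (src, dst, port), as a segmentation agent might report them.
FLOWS: List[Tuple[str, str, int]] = [
    ("web-01", "app-01", 8443),
    ("web-01", "db-01", 5432),         # web tier reaching past the app tier
    ("app-01", "db-01", 5432),
    ("app-01", "fileserver-01", 445),  # app tier touching an unrelated share
    ("honeypot-01", "collector-01", 514),
    ("honeypot-01", "db-01", 5432),    # honeypot trying to reach production
]

def process(flows):
    """Return one decision per flow plus the list of deviations for the SOC."""
    decisions = [(f, evaluate(*f)) for f in flows]
    alerts = [f for f, d in decisions if d.action != "allow"]
    return decisions, alerts

if __name__ == "__main__":
    for f, d in process(FLOWS)[0]:
        print(f"{f[0]} -> {f[1]}:{f[2]}  {d.action} {d.target}")
```

In a real deployment the redirect would be realised by the enforcement point (host firewall or segmentation agent) rewriting the destination, and the alerts list is what feeds the monitoring pipeline.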
So, What’s the Takeaway?
Risk can never be 100% removed. While prevention is ideal, timely detection and mitigation is an absolute must. Developing effective mitigation controls to minimize the impact while gaining deep insight is an important step we should consider as an industry to better prepare us for the sophistication of future attacks.
By Anoop Kartha
Kartha is Senior Technical Marketing Engineer at Illumio