Moran Zavdi
Today, all businesses are trying to achieve cyber resilience, or in layman’s terms, an organization’s ability to prepare for, respond to and recover from cyber attacks. Cyber resilience emerged as a practice over the last few years when traditional cyber security measures stopped being enough to protect organizations from threats.
In order for organizations to handle unknown cyber events, they need to be able to quickly detect and categorize threats before they hit the network. This article will focus on how organizations can utilize deception-based cyber intelligence in order to block adversaries and cyber attacks before that.
Using Deception To Defend Against Adversaries
When trying to build a resilient network, it’s critical to have relevant, specific cyber intelligence ahead of time that is actionable and trustworthy in order to identify cyber attacks in a timely manner and be able to deal properly. If the organization is impacted by a cyber attack, deception-based cyber intelligence products can even automate the process and make the organization defense system work autonomously.
Adversaries and threats can vary from home hackers to highly organized hacker groups sponsored by states to commercial entities with vast amounts of resources. Deception has been used for thousands of years in ancient warfare, and it is still being used today in modern warfare as well as in cyber virtual warfare fields.
The Art of War, a book written by the famous Chinese military general and strategist Sun Tzu many years ago (roughly 5th century B.C.), explains the principles needed in order to win a battle. The book’s teachings are still valid today and can be used to defend against cyber attacks. For example, Tzu explains the strategic importance of deception: “All warfare is based on deception. Therefore, when capable, feign incapacity; when active, inactivity. When near, make it appear that you are far away; when far away, that you are near.”
Tzu’s strategies are still being studied and implemented today. U.S. officials claim that Chinese warfare has been based on deception since ancient times — and still is. In addition, the KGB in Russia and other armies around the world are known to have been using different tactics that are discussed in the The Art Of War.
These days, every computer getting connected to the internet is joining a virtual cyber field being targeted by different malicious actors, and The Art Of War is as relevant as ever.
When considering integrating deception technologies, follow one of the book’s principles: “Know what you are capable of – and what you are not capable of. Know the same of those around you. Strategy is the result of this knowledge. Tactics are your ability to act in coordination to make use of this knowledge.”
This quote shows the benefits of using deception in order to gain intelligence about adversaries and threats in the cyber world. Knowing who is aiming at you allows you to plan a strategy to defend against cyber attacks better. You’ll also be able to defend better against those that aren't known and attacks that haven't happened yet.
By using deception, organizations can cause adversaries to waste time and resources while exposing themselves and their tactics, techniques and procedures (TTPs.) It enables organizations to focus on defending the most critical threats instead of wasting time and money processing and dealing with internet noise and other low stakes hackers.
Implementing a successful cyber security strategy doesn’t happen overnight. To identify the most important threats, you should be reaching these important milestones.
1. Map the critical assets of the organization. Identify the most important assets in the organization that are potentially exposed to unauthorized users who might try to exploit weaknesses and vulnerabilities. This enables the organization to gain and maintain control and knowledge about its cyber assets that might be under attack and understand the different vectors cyber attacks might use.
2. Design a deception strategy based on understanding and prioritizing the exposed assets to draw a network map that indicates which are the assets that need to be protected and what is the goal of using the deception at each point.
3. Implement a deception plan based on the strategy that will enable the organization to deploy and maintain a deception based cyber intelligence program that will work autonomously and help the network to defend against new and unknown cyber threats.
What Does Good Deception Look Like?
When deception is implemented successfully, the organization’s digital assets will be “surrounded” by several other strategically-placed deception sensors to lead unauthorized users to remote places, which are not the core servers of the organization.
Once an attacker starts to interact with the decoy sensors, actionable intelligence will be immediately sent to corresponding cyber security tools, and the necessary personnel will be alerted. A good deception-based cyber intelligence implementation will be connected to security tools like security orchestration, automation, and response (SOAR) or security information and event management (SIEM) in the organization's security operations center.
What happens when an attacker targets a network protected by deception technology? While the hacker spends time trying to figure out why the network isn’t acting correctly and whether or not the network is real, information about how the hacker is working and the tools he is using are being monitored and analyzed. This data is then sent along with useful other intelligence of actionable indicators to the different systems in the organization to block and also provide mapping to other popular frameworks such as the MITRE ATT&CK.
In this post, we saw that just as deception has been (and still is) used in real world warfare, it also exists in the cyber security world. By using deception, organizations can free up their network analysts to deal with critical work while also keeping an eye on relevant, real threats.
The Art of War teaches us to rely, “not on the likelihood of the enemy not coming, but on our readiness to receive him.” That's the same with using deception-based cyber intelligence. By analyzing the local threats in real time and extracting specific and unique indicators, organizations can have an autonomous cyber defending system that proactively alerts and mitigates new threats.
No comments:
Post a Comment