Towards Practical Recipes for Active Defense
I’ve strongly advised clients to develop comprehensive security architectures and plans that include a strong element of security data sharing to coordinate all aspects of their security posture, that is, their capabilities to deter, detect, prevent, respond to and adapt to cyber-threats and attacks. Enterprises that don’t obtain continuous and actionable information on adversaries’ motivations, capabilities, intents and tradecraft won’t be able to keep up, and that is a real problem given the 2013 Verizon Data Breach Investigations Report’s finding that 66% of breaches go undetected for months or longer.
To an extent, the industry has recognized the value of security data sharing. Endpoint, network and web security vendors all incorporate real-time cloud-based threat or reputation telemetry across their product lines. More threat intelligence offerings are on the market; some, such as Crowdstrike, focus on attribution of the human or organizational threat actors. But attribution is hard to prove. Enterprises must work in communities to gather a preponderance of the evidence and bring political and economic pressure to bear against cyber-attackers and any who harbor or tolerate them. Although this notion of community-based defense is, I believe, crucial in providing protection over the long term, it offers little in the way of short term results.
The concept of “active defense” – actually doing something with threat intelligence – faces challenges similar to those of attribution. “Hacking back” is generally not recommended. But we’re starting to see cases where active defense can work, at least within the borders of an enterprise network. As one can see from the cyber threat taxonomy figure above, as adversaries and attacks get more sophisticated, so too must defenses.
Solutions from vendors such as Hexis and RSA are starting to combine the ability to gather, analyze and share security data across multiple layers of the security architecture. Both incorporate security information and event management (SIEM) and security analytics to detect cyber-attacks or other indicators of compromise. The Achilles heel of SIEM systems like these is the volume of false positives: far more alerts than human operators can process efficiently.
However, both Hexis and RSA are notable in their ability to leverage endpoint-level forensic analysis of potentially compromised systems to reduce those false positives. For example, a rule might require both suspicious network activity and signs of compromise on the source or destination endpoint before it raises a high-priority alert; network activity alone would only raise a lower-priority one.
Hexis adds the “active defense” component by enabling customers to use its Hawkeye G appliance to automatically thwart internal bots, rogue network devices, excessive resource consumption and other abuse cases within an enterprise network. Based on rules that take operator preference, the type of suspicious activity and the “cybercon” (or criticality) level of the affected resources into account, Hawkeye G can deploy automated or semi-automated counter-measures.
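To make the two ideas concrete, here is an added example (my own illustration, not Hexis, RSA or Hawkeye G code) of the correlation and response logic the last two paragraphs describe. It runs over a few constructed network events and endpoint findings, raises a high-priority alert only when a host has both network and endpoint evidence, and then picks a counter-measure whose mode (automated versus held for operator approval) depends on an asset criticality tier standing in for the “cybercon” level. The signal names, scores, thresholds, criticality tiers and action names are all assumptions chosen for the illustration.

```python
"""Correlate network and endpoint telemetry, then choose a tiered response.

Added illustration of the correlation-plus-active-defense pattern described
in the text; it is not vendor code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry. A real deployment would read these from
# the SIEM and endpoint forensics feeds.
NETWORK_EVENTS = [
    {"host": "ws-101", "signal": "beacon_to_known_c2", "score": 70},
    {"host": "ws-102", "signal": "port_scan", "score": 40},
    {"host": "db-01", "signal": "beacon_to_known_c2", "score": 70},
    {"host": "ws-103", "signal": "dns_tunnel_suspect", "score": 65},
]

ENDPOINT_FINDINGS = [
    {"host": "ws-101", "finding": "unsigned_autorun_binary"},
    {"host": "db-01", "finding": "unexpected_outbound_process"},
    # ws-102 and ws-103 have no endpoint corroboration.
]

# Hypothetical asset criticality tiers (1 = workstation, 4 = crown jewel),
# standing in for the product's "cybercon" level.
ASSET_CRITICALITY = {"ws-101": 1, "ws-102": 1, "ws-103": 2, "db-01": 4}

# Operator preference (assumed): fully automated action is allowed only on
# assets up to this criticality; above it the action waits for approval.
AUTO_ACTION_MAX_CRITICALITY = 2

# Network-only evidence must reach this score to be worth a medium alert.
MEDIUM_SCORE_THRESHOLD = 60

# Priority -> counter-measure (assumed action names).
ACTIONS = {
    "high": "quarantine_host",
    "medium": "block_destination",
    "low": "log_only",
}


@dataclass
class Alert:
    host: str
    network_signal: str
    endpoint_finding: Optional[str]
    priority: str
    action: str
    mode: str  # "automated", "pending_operator_approval" or "none"


def prioritize(score: int, endpoint_finding: Optional[str]) -> str:
    """High priority requires corroborating endpoint evidence; network
    evidence alone is capped at medium, and weak network evidence is low."""
    if endpoint_finding is not None:
        return "high"
    if score >= MEDIUM_SCORE_THRESHOLD:
        return "medium"
    return "low"


def choose_mode(priority: str, criticality: int) -> str:
    """Decide whether the counter-measure fires on its own or is held for a
    human, based on priority and the asset's criticality tier."""
    if priority == "low":
        return "none"
    if criticality <= AUTO_ACTION_MAX_CRITICALITY:
        return "automated"
    return "pending_operator_approval"


def correlate(network_events, endpoint_findings):
    """Join network events to endpoint findings by host and emit one alert
    per network event with its priority, action and execution mode."""
    findings_by_host = {f["host"]: f["finding"] for f in endpoint_findings}
    alerts = []
    for ev in network_events:
        host = ev["host"]
        finding = findings_by_host.get(host)
        priority = prioritize(ev["score"], finding)
        criticality = ASSET_CRITICALITY.get(host, 4)  # unknown assets treated as critical
        alerts.append(Alert(
            host=host,
            network_signal=ev["signal"],
            endpoint_finding=finding,
            priority=priority,
            action=ACTIONS[priority],
            mode=choose_mode(priority, criticality),
        ))
    return alerts


def count_by_mode(alerts):
    """How many actions would fire automatically versus wait for a human."""
    counts = {"automated": 0, "pending_operator_approval": 0, "none": 0}
    for a in alerts:
        counts[a.mode] += 1
    return counts


if __name__ == "__main__":
    for a in correlate(NETWORK_EVENTS, ENDPOINT_FINDINGS):
        print(f"{a.host:7} {a.priority:6} {a.action:18} {a.mode}")
    print(count_by_mode(correlate(NETWORK_EVENTS, ENDPOINT_FINDINGS)))
```

Note what the two knobs buy you: the endpoint join is what keeps the C2 beacon from `db-01` and the one from `ws-101` at high priority while the lone port scan from `ws-102` stays at log-only, and the criticality gate is what stops the appliance from automatically quarantining a production database even when the evidence is strong.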
Obviously, there are many challenges with taking any kind of automated action involving production resources, and this kind of “active defense” is by no means for everyone or every situation. But I had a briefing with Hexis a few months ago and like the way they’re thinking.