When it comes to information security defense, Mike Hamilton has a tough job.
As the chief information security officer for the city of Seattle, Hamilton's responsibilities extend to the networks of a variety of other groups, such as the city's police and fire departments. The complexity of securing those networks requires that Hamilton focus not just on defense, but also on causing pain to any attacker.
In 2007, Hamilton started working with the U.S. Department of Homeland Security and the University of Washington on creating a system to gather global threat data to find compromises on the networks of the city's hospitals, emergency services and other critical infrastructure as quickly as possible. By denying attackers time to fully exploit any beachheads into his organizations' networks, Hamilton aims to make each attack more likely to fail and the overall campaign more costly. And, because of the city's connections with state and federal law enforcement, shutting down the attackers' infrastructure was also a possibility. (Editor's note: Hamilton moved on from his CISO position for Seattle in late October after this article went to press.)
"If you mess with us, we're coming after you," he says. "And I believe that does make it more expensive for the attackers to go after us."
Like Hamilton, CISOs are taking the costs to the attacker into account when they come up with strategies to defend their networks. Many CISOs recognize that attackers have already found ways to get around the run-of-the-mill defenses that most organizations deploy, so they focus on making the black hat hackers' entire operation more costly, complex and likely to fail.
Recognizing that firewalls, antivirus software on the endpoint and intrusion detection systems can all be bypassed, defenders have to go further, says John Pirc, vice president of research for security consultancy NSS Labs. "The whole paradigm of defense-in-depth is all good, but companies have to go outside their comfort zone to make the attacker's job harder," he says.
Kill Chain gives firms 7 chances to defend
Aerospace firm Lockheed Martin adopted a military concept known as the kill chain in 2003 because the defense contractor was facing more sophisticated and advanced attacks. The concept was used by Lockheed Martin's Computer Incident Response Team to define a sequence of steps known as the Cyber Kill Chain, which an online attacker has to take to successfully compromise a company.
The seven steps, which must be completed in order, are:
- Reconnaissance of the targeted company,
- Weaponization, the creation of tools to gain access,
- Delivery of the payload to the target,
- Exploitation of weaknesses in the defenses,
- Installation of tools that allow the attacker to operate,
- Command and control, communicating with the compromised assets, and
- Actions, such as exfiltrating data.
CISOs can develop a strategy to "break the chain" by blocking attackers at any of its seven points, instead of thinking about the problem only in terms of keeping attackers out.
"Stopping an attacker before successful delivery will yield the same results as stopping an attack before successful command-and-control," a Lockheed Martin spokesperson says. "This lets the defender know that they stopped an attack, while not giving an attacker (any knowledge) of what they need to change in order to be successful."
CISOs that perform the Cyber Kill Chain analysis can better understand how to increase the cost to the attackers, and stop attacks before they get into the network or exfiltrate data. Mike Hamilton, CISO for the city of Seattle, for example, focuses on making reconnaissance difficult for the attacker.
"If someone is really serious about attacking, they are going to spend a whole lot of time doing reconnaissance and targeting, and that's when we want to catch them," he says.
Yet, the Cyber Kill Chain relies on CISOs getting good intelligence on the attacker's tools and motives.
"Over time, the more attacks observed, the stronger the corpus of intelligence a defender can gain to correlate and build profiles of the attacker," according to Lockheed Martin.
Attacker cost is mainly measured in time, so defensive strategies that increase the interval attackers need to accomplish their missions also raise the cost. Strategies that delay an attacker may also give the defender time to become aware of the attack and foil the attacker's plans, says Richard Bejtlich, chief security officer for incident-response firm Mandiant. Bejtlich coined the term "black hat budgeting" in 2009 when he imagined what a mythical attack group could do with $1 million.
"If you cannot get to the intruder faster than he accomplishes his mission, then he wins," says Bejtlich. "If he cannot accomplish what he was there for, then the defender wins."
Know your networks
Attackers spend the least amount of effort and time when they remain hidden. For that reason, Bejtlich recommends that every company start monitoring and gaining visibility into what is going on in its networks. Finding attackers quickly once they have compromised a system is better than trying to detect them only when they access the data:
"You would rather not have to catch them right as they are stealing your data every time," he says.
The infiltration of The New York Times by a group with links to China, for example, took a month before they exfiltrated the data, says Bejtlich, whose firm was hired to investigate some of the attacks. If the publishing company had detected the group before the attackers accomplished their mission, it could have mounted a successful defense, according to Bejtlich.
Once an attack is detected, companies need to put additional defenses in place, or change existing defenses, to force the attackers to adapt. By changing defenses to account for existing attacks, and shutting down known avenues, companies can force attackers to change their approach, which can be expensive for the perpetrators.
"Training their own people is hard," says Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike, a security consultancy and services firm focused on developing intelligence on the attackers. "If you force them to do something unique every time they attack you, then that raises their costs."
Stop using what doesn't work
Metrics are the best way to discover what works and what fails to affect the black hat hackers' bottom lines. One of the main ways that attackers get inside organizations is targeted phishing attacks. Data collected by security education firm ThreatSim shows that each additional email in a campaign generally fools a quarter of employees, resulting in them opening an attachment or clicking on a link. By adjusting the campaign's size, attackers can quickly make it more likely that they get a hit: four email messages deliver a two-thirds chance of compromise, while six messages result in a greater than 80% chance, according to the Verizon 2013 Data Breach Investigations Report.
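The ThreatSim and Verizon figures above follow from a simple model in which each message in a campaign is an independent trial with a fixed chance of fooling its recipient. The Python snippet below is an added example written for this page (not code from the article or from any firm it quotes); it reproduces those figures and generalizes them to the campaign size an attacker needs to reach a chosen success probability, which is the "dial up the campaign" effect Guido describes in the next paragraph. The independence assumption and the 25% per-email rate are inputs to the model, not facts the code establishes.

```python
import math

# Per-email chance that a recipient is fooled, taken from the ThreatSim figure
# quoted in the article (a quarter of employees per message).
PER_EMAIL_HIT_RATE = 0.25


def campaign_hit_probability(emails: int, hit_rate: float = PER_EMAIL_HIT_RATE) -> float:
    """Probability that a campaign of `emails` messages yields at least one hit.

    Modelling assumption (ours, not the article's): every message is an
    independent trial, so P(no hit at all) = (1 - p) ** n.
    """
    if emails < 0 or not 0.0 <= hit_rate <= 1.0:
        raise ValueError("emails must be >= 0 and hit_rate within [0, 1]")
    return 1.0 - (1.0 - hit_rate) ** emails


def emails_needed(target: float, hit_rate: float = PER_EMAIL_HIT_RATE) -> int:
    """Smallest campaign size whose hit probability reaches `target`.

    Solves (1 - p) ** n <= 1 - target for the smallest integer n. This is the
    extra cost the attacker pays when the per-email success rate drops.
    """
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be within [0, 1)")
    if target == 0.0:
        return 0
    if hit_rate >= 1.0:
        return 1
    if hit_rate <= 0.0:
        raise ValueError("a hit rate of 0 can never reach a positive target")
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - hit_rate))
    # Guard against floating-point rounding leaving n one message short.
    while campaign_hit_probability(n, hit_rate) < target:
        n += 1
    return n


def training_tradeoff(before: float, after: float, target: float = 0.80) -> dict:
    """Campaign sizes an attacker needs before and after user training lowers
    the per-email hit rate. The only added cost is the extra messages, which is
    why the text argues training alone does little to the attacker's budget."""
    return {
        "emails_before": emails_needed(target, before),
        "emails_after": emails_needed(target, after),
    }


if __name__ == "__main__":
    for n in (1, 4, 6):
        print(f"{n} emails -> {campaign_hit_probability(n):.1%} chance of at least one hit")
    # Constructed scenario: training cuts the per-email rate from 25% to 10%.
    print(training_tradeoff(0.25, 0.10))
```

With the article's 25% rate the model gives 68.4% for four messages and 82.2% for six, matching the "two-thirds" and "greater than 80%" figures in the text; cutting the per-email rate to 10% through training only pushes the attacker from six messages to sixteen for the same 80% target.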
Education can force the attacker to dial up their attack campaigns, but it doesn't really increase other costs, says Dan Guido, chief technology officer of Trail of Bits, a security consultancy that uses attack data to drive defensive strategies.
"If you want to fail at the black hat budgeting strategy, then training the user is the way to do it," Guido says. Instead, companies should focus on improving their anti-phishing technology and customize it in ways the attackers may not be able to anticipate. "It is better to train one device than your entire workforce," he says.
Companies that continue to rely on old versions of desktop software with out-of-date antivirus protection are failing to take attackers into account. In its latest Security Intelligence Report (Volume 14: July 2012 to December 2012), Microsoft found that computers running its Windows XP and Windows 7 RTM (Release to Manufacturing) operating systems with out-of-date antivirus protection had a 15.6% and a 20.4% chance, respectively, of being infected (Figure 1). That's compared to the latest version of Windows 7 (Service Pack 1) with updated antivirus software, which had less than a 1.5% chance. A protected Windows 8 system had only a 0.2% chance of being infected, according to Microsoft.
"People have to understand what the exploit development lifecycle looks like," says Guido. "There is a huge cost to attackers when a new platform comes out, because it takes time to learn how to exploit it."
Companies should adopt new platforms relatively quickly, he says. Instead, organizations tend to keep up-to-date on the minor patches and wait on the major platform updates.
Naming and shaming
While increasing the cost to the attacker is always a good strategy, some attackers -- such as nation-states -- will not be deterred. While many cyberespionage attacks linked to China have the hallmarks of opportunistic data collection, others -- such as the attacks linked to the Hidden Lynx group and the Stuxnet attack conducted by the U.S. and Israel -- effectively ignore cost.
"If you face the People's Liberation Army or the National Security Agency, the black hat budgeting is not going to have much of an impact," says CrowdStrike's Alperovitch.
Instead, other costs matter to nation-states. Shining light on covert activities can deter nation-states from continuing to attack. Former government contractor Edward Snowden's leaking of classified documents detailing the NSA's activities has put the agency in the spotlight and will likely limit some of its data collection in the future.
Mandiant's report detailing its research on the activities of a PLA intelligence group dubbed "APT-1" has not curtailed the group's activities long term despite a short lull. It has increased the political pressures on China, however.
"Every adversary has some level of risk that they are not willing to ignore," says Alperovitch. "For some, it may need to escalate to military action that results in loss of life."
Deceptively hard to do
As a last-ditch effort -- an acknowledgement of the ongoing problems with keeping attackers out -- researchers have begun looking into different ways to confuse attackers, or identify them, when they exfiltrate data. One method creates a large number of decoy files so that attackers without access to the correct index have more problems finding valuable data.
Other approaches place beacon files -- the equivalent of a canary in the proverbial coal mine -- in places that may look interesting to an attacker. Because these files are not legitimate, any attempt to access the beacon sets off an alert. Other beacons wait until they are opened by the attacker and attempt to phone home.
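As an added illustration of the beacon-file idea described above (example code written for this page, not a product of any of the firms quoted), the following Python snippet plants decoy files, records a metadata baseline for each one and reports any beacon that has since been touched or removed. The decoy names, the random filler content and the decision to compare only stat() metadata are assumptions of the example.

```python
import os
import secrets
from pathlib import Path

# Constructed decoy names for this example; the text only says beacons should
# sit where an attacker would find them interesting.
BEACON_NAMES = ("passwords_backup.xlsx", "payroll_2013.csv", "vpn_config_old.txt")


def _snapshot(path: Path) -> dict:
    """Metadata used to decide whether a beacon was touched.

    Only stat() is used: the checker never opens the decoy, so it cannot
    trigger its own alarm by updating the access time.
    """
    st = path.stat()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns}


def plant_beacons(root: Path, names=BEACON_NAMES) -> dict:
    """Create the decoy files and return the baseline {path: snapshot}.

    Each file is filled with random bytes so decoys are not trivially
    recognizable as identical placeholders.
    """
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in names:
        path = root / name
        path.write_bytes(secrets.token_bytes(512))
        baseline[str(path)] = _snapshot(path)
    return baseline


def check_beacons(baseline: dict) -> list:
    """Return (path, reason) alerts for every beacon that no longer matches
    its baseline. A read shows up as an atime change, a modification as an
    mtime or size change, and deletion as a missing file."""
    alerts = []
    for path_str, before in baseline.items():
        path = Path(path_str)
        if not path.exists():
            alerts.append((path_str, "missing"))
            continue
        now = _snapshot(path)
        changed = [key for key in before if before[key] != now[key]]
        if changed:
            alerts.append((path_str, "changed: " + ",".join(changed)))
    return alerts


if __name__ == "__main__":
    import tempfile

    root = Path(tempfile.mkdtemp(prefix="beacons_"))
    baseline = plant_beacons(root)
    print("clean check:", check_beacons(baseline))
    # Simulate someone reading one decoy by moving its access time forward.
    touched = root / BEACON_NAMES[1]
    st = touched.stat()
    os.utime(touched, ns=(st.st_atime_ns + 10**9, st.st_mtime_ns))
    print("after access:", check_beacons(baseline))
```

The access-time check depends on the filesystem recording reads: with noatime mounts, or relatime after the first read, a later open leaves no trace, so a production deployment pairs decoys with file-access auditing (auditd on Linux, object-access auditing on Windows) and feeds the alerts into the monitoring system Guido says must accompany the beacons. The "phone home" variant mentioned in the text is not shown here.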
While the techniques hold promise, companies have to be careful to not pollute their environments, says Trail of Bits' Guido.
"It can be valuable, but only in real special circumstances," he says. Companies cannot just populate databases with decoy data. They have to create a system that monitors the beacon files and analyzes events, Guido says.
In the end, black hat budgeting means focusing on attackers' costs and using defenses that increase them at every point on the Cyber Kill Chain (see "Kill Chain Gives Firms 7 Chances to Defend"). Rather than focusing only on keeping attackers out of the network, CISOs who make each step harder are more likely to win.
About the author:
Robert Lemos is an award-winning technology journalist, who has reported on computer security and cybercrime for 15 years. He currently writes for several publications focused on information security issues.