ORLANDO, Fla. -- Large enterprises frustrated by repeated attempts by cybercriminals to penetrate their networks don't have the authority to go on the offensive, but they can make matters much more difficult for attackers by establishing proactive defenses, according to a noted cybersecurity expert.
I'm not advocating punching back, but there are a lot of large enterprises that are tired of taking it on the chin.
managing director, CyberPoint International
Counter adversary techniques, including deception, can have a tremendous impact on cybercriminals, said Paul Kurtz, managing director of the international practice at security engineering company CyberPoint International. Kurtz spoke recently at the 2012 Cloud Security Alliance Congress on a panel about how to better protect intellectual property and critical infrastructure. SearchSecurity.com spoke to him about the feasibility of deploying deceptive techniques, and what such an environment would look like.
"This is not a panacea, but it is adjusting our posture to being up on our toes, having a good sense of self-awareness, but also being willing to engage in deceptive practice to throw off the adversary," Kurtz said. "I'm not advocating punching back, but there are a lot of large enterprises that are tired of taking it on the chin."
Kurtz, an advocate of proactive defense tactics, has a long history in national defense and intelligence gathering. He served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush. He was a special assistant to the president and senior director for critical infrastructure protection on the White House's Homeland Security Council (HSC), where he was responsible for both physical and cybersecurity.
He served on the White House’s National Security Council (NSC) as senior director for national security of the Office of Cyberspace Security, and was a member of the president's Critical Infrastructure Protection Board. He was also responsible for developing the international component of the National Strategy to Secure Cyberspace. Previously, he was a director for counterterrorism in the NSC’s Office of Transnational Threats.
Some experts are calling for new technologies that create deceptive environments to trick the adversary and make it difficult to break into sensitive systems and steal data. Is it a practical solution?
Paul Kurtz: It's a very interesting space that technologists in enterprises need to think about. The way I like to talk about it is operations-based defense. The premise is that every enterprise is a living, breathing thing. It has new users and old users that need to come on and off the system. It has new technologies, BYOD [bring your own device], cloud. It's not static, it's always changing. Likewise, the threat is always evolving and always changing. As we integrate our technology inside the enterprise, we need to do so in a secure way. We need to create better insight tools and capabilities to have a situational awareness of what is happening in our environment. The third area is counter adversary techniques, including deception. When you have lots of people out there that know how to break into systems, we also need to think that if we are securely integrated and have better insight, we still need to accept that there is a level of pain management here that we need to go through. Creating an environment where the adversary is uncertain as to whether or not they really have gotten the goods or own the network can be exceptionally interesting, and drives up the cost for the adversary. Naturally, this is better done by large businesses and government than small- and medium-sized businesses. What I like about the idea is that it creates some pause in the system. It makes the adversary think, 'Am I really there? Have I really got it?' This will really help with the protection of the infrastructure and protection of intellectual property. This is not a panacea, but it is adjusting our posture to being up on our toes, having a good sense of self-awareness, but also being willing to engage in deceptive practice to throw off the adversary. I'm not advocating throwing the punch. If the punch is to be thrown, it ought to be done by the government, but even then, there are some large questions there.
Can you give an example of what a deceptive environment would look like?
Kurtz: It's beyond setting up a honeypot. A honeypot is kind of like watching. I think it's more about setting up bogus data and letting them think they have something, and then pulling on it. I think it can help with attribution. Right now, chances are pretty high that if I get into a network, I'm in a network. Let's make people pause and actually ask the question: Is this a false flag? Do I really have something or have I been set up here? I think there is a way of operating networks so you can run operations inside your own network to detect the bad guys. I think there can be a really interesting relationship with the government to address these sorts of issues, but right now I'm not advocating to do this and share all the information with the government. I'm saying to think creatively as a large enterprise. There are lots of interesting people out there with interesting experience, who can think like the bad guys. So think about what is going to throw the bad guys off. I'm not advocating punching back, but there are a lot of large enterprises that are tired of taking it on the chin. They want to shoot back and I don't want to advocate for shooting back, but there is a lot of space before you actually pull the trigger and shoot back.
This sounds a bit like moving target defense.
Kurtz: There was a lot of discussion a few years ago about moving target defense. This is a step beyond that. I like to come down to the idea of operationalizing things. My philosophy is that the threats to enterprises, government and vendors themselves are all greater than they can currently manage. We need to create the tools, insight and techniques together to better manage the threats. When I think of moving target defense, it's about adjusting my posture, but part of it also about creating an environment where the bad guy thinks he is in, but is really not there. I think it's worthy of exploring and creating some capabilities in that area.
How big of a problem is attribution?
Kurtz: Title 50 authority, or the ability of NSA to see what is going on outside networks outside the United States, enable them to witness a lot. But then the question becomes, what are they witnessing? Are they witnessing content or malware? We know through antivirus and all the engines that are out there that there are ways to pick up malware. The federal government, and specifically the national security entities, have a better capability to understand what is happening on the global networks. The civil government agencies are more challenged. I think that by being creative about techniques, insights, procedures and tactics, we can make this environment more complex for the adversary and we don't necessarily need to wait for government to do that.
Will federal legislation have a major impact on cybersecurity in the near-term?
Kurtz: I'm not down on government, but I don't think we can count on government doing anything in the near future. I also am concerned that if government acts in a macro way and tries to solve lots of problems at once, it won't go well. An omnibus bill [that tries] to solve every big problem out there is probably not the way to go. We need to dissect the problem. While that is worked out, we need to think about defense in a different way.
Will the issue of critical infrastructure protection and securing critical networks ever be truly solved?
Kurtz: Cybersecurity poses the greatest intellectual challenge of our time that we've ever seen because it's just so complicated and so multilayered. I think we keep on searching for the ultimate panacea, but really this is going to come down to pain management. It's going to come down to creating an environment to manage the pain. Let's stop talking about stopping attacks and preventing attacks as a black/white discussion. I have to accept that there are going to be issues on my network and I need to collect as much intelligence as possible to help me manage these issues very quickly. It's not as in the old FISMA environment where I get certified once a year and I am secure. Those days are long gone.