It’s been some time since the first honeypots were developed and the concept of deception contemplated as a potential mechanism to detect, slow down and counter-attack the opponent. We are looking at 15 to 20 years of attempts to embrace cyber deception, almost in parallel in the same amount of time the threat has evolved very fast to reach today’s complexity.
Honeypots were envisioned in a time of history in which the attacker and attacks were not that sophisticated as they are today. This technology never got the traction needed it to be considered as part of the cyber defensive operations architecture but this is changing.
As a result of the complexity of cyber threats today and the potential nefarious effects of attacks against critical infrastructure such as financial systems, energy, water, aviation etc, etc. cyber deception theory and solutions are getting traction and subtly gaining its place in a modern enterprise defensive operations. In order to understand fully the concept and the need for cyber deception, we need to understand the challenges posed by the current cyber threat scenario.
Some of these challenges are the following:
- Agility of the adversary, adversaries change very rapidly their TTP’s
- Our current defensive controls are mostly static
- While many technologies can inform of an ongoing attack (IPS – IDS- FW) very few can provide information on the modus operandi
- Adversary gets hold of our network information to make inform decisions and progress the attack
- Lack of knowledge about your adversaries
- There are limited opportunities to engage the adversary during their operations
- The adversary is dynamic and follows a modus operandi and a decision loop we do not understand, have access to or can influence
- We only get post-incident forensic intelligence which has a limited life shelf
- Detection often happens in the best case after initial compromise
- There are not options today to take the fight back to the attacker, and legally the term hack-back is taboo
Many of these challenges we are facing today were also inherited by technologies and security operation practices thus reaching a “stagnation” point in terms of improvement for threat detection and response.
To overcome these limitations, new disciplines have been incorporated into the cyber defensive operations such as intelligence and threat hunting and all of them are part of the concept called “Active Cyber Defence”.
According to the following white paper published by SANS “The sliding scale of Cyber security” active cyber defence is a maturity stage in which an organization is considered to be adaptable and dynamic against the threats that it faces, from left to right each stage leverages and builds on previous investments and successes.
Chart extracted from “The Sliding scale of cybersecurity “by Rob M Lee.
What is the definition of Active Cyber Defence?
“Active cyber defences are direct actions taken against specific threats”
“ACD is direct defensive action taken to destroy, nullify, or reduce the effectiveness of cyber threats against friendly forces and assets.”
“Synchronised, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities…”
“The concept of active defence is to wear down the attacker by confronting him successively and continuously with strong combined arms teams and task forces fighting from mutually supported battle positions in depth throughout the battle area.”
There are multiple definitions for the term Active Defence, however, all of them have a common themed which is to actively engage the threat but to define ACD from a cyber angle we need to consider threat engagement without hacking back as that violates international laws and in most cases is technically challenging. So if we are not going to hack back the threat, what sort of actions can we take against the threat?
On a high level we have the following example actions against an adversary:
- Target their infrastructure and capabilities (blocking their c2 or malware)
- Deceive the attacker (cyber deception, lure the attacker to act or to not act)
- Threat hunt (detect and disrupt an ongoing attack)
- Feed them with counterintelligence ( induce them to act or to believe something)
- Pre-emptively neutralized and disable their capability or infrastructure ( threat infrastructure tracking and denial)
- Collect intelligence about the threat’s modus operandi, motivation, and intent (threat research and operational intelligence)
- Manipulate the environment to our advantage (patching, control improvement and or update)
These are just some ways to apply active cyber defence and all of them rely heavily on external and internal intelligence creation and consumption.
To get to this level of sophistication in which an organization takes an active approach and engages the threat in a process led by intelligence, the organization needs to consider the following elements:
- Adoption of the Kill Chain model
- Right maturity and investment in your internal network security controls and endpoint
- Understand what are the threats that have capability, motivation, and intent to target your organization
- Adopt a model such as ATT & CK
- Defenders must use intelligence to drive defensive actions in the environment
- Integrate security operations and Intelligence (example, F3EAD model)
The most critical piece about implementing ACD in the organization is the piece of work related to integration – orchestration between the different technologies and teams such as security operations and intelligence, however, there are some models such as F3EAD that can support this objective.
This post focused on recent developments, origins and need for an active defence approach. In the next post, I will go through the cyber deception concept, its benefits within the ACD model, and its place in modern security architecture.