I read a really good article today summarizing remarks that Paul Kurtz made at the Cloud Security Alliance Congress in Orlando last week. I couldn't agree more. I am really against the idea of "hack backs," or otherwise taking aggressive action against hackers. First and foremost, I think you lose that fight every time, unless you are a security company filled with elite hacker types who actively monitor and defend your own network. If you are a responsible business enterprise, you have better things to do than get into a war with hackers. This is classic asymmetrical warfare: they only have to be right one time for you to suffer the consequences. Look at the APT threat, or even Anonymous, to get an idea of what a determined attacker can do with enough time. More importantly, if you have a General Counsel worth their salt, they will crack down on any attempt by the security team to conduct activities that might land you, or anyone from the senior or executive management of the company, in a prison in Ukraine.
Paul's point is well taken. We'd be much better served by creating an environment that contains decoy network segments, servers, and even administrator accounts, and booby-trapping those. Previously, these types of operations were prohibitively resource-intensive. The advent of virtualization has made it feasible to build these decoy environments without too much of a financial burden. Of course, it will still take some time to thoughtfully "prepare the battleground," as we used to say in the Marines. However, I could envision a scenario where you take images of all of your "true" assets, remove the valuable IP, and replace it with information that is modified enough to remain realistic but strips out your company's "special sauce." You could then use those images to populate your decoy environment.
You can see the advantages of this approach from an incident detection standpoint. The "booby-trapping" I referred to above is a robust monitoring solution that logs everything going on in those decoy segments. The nice bit is that your correlation logic requirements almost disappear: no legitimate user has any business in the decoy segment, so there is no baseline of normal activity to filter out. If anyone touches the bogus "Special Plans" file or "SECRET_strategicfile.docx," it is an immediate escalation and investigation by the CSIRT. Good, good stuff. The one operational caveat is that the logging has to be shipped out of band, so an attacker who has just compromised the decoy cannot see it or tamper with it. At that point, your monitoring becomes a matter of watching the attacker and documenting their activities. This has incredible value when it comes to attribution, as the Tactics, Techniques and Procedures (TTPs) can be very revealing if enough data is collected over a long enough period.
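To make the "no correlation logic needed" point concrete, here is an added example (my own code, not from the original post or from Paul Kurtz's remarks) of the escalation rule run over a few constructed Linux auditd records. It assumes the decoy host carries an audit watch such as `-w /srv/plans -p rwa -k decoy`, and the decoy file paths, the decoy account name `svc_backup_admin`, and the sample log lines are all made up for the illustration. The only decision the detector makes is a set lookup against the decoy inventory; the rest is joining the records of one audit event by serial number so the alert carries who, what and from where.

```python
"""Decoy-asset escalation over raw auditd records (illustrative example).

Every audit event that names a decoy file or a decoy account becomes an
alert. There is no threshold and no baseline, because nothing legitimate
ever happens in the decoy segment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy inventory: these paths and the account are assumptions.
DECOY_FILES = {
    "/srv/plans/SECRET_strategicfile.docx",
    "/srv/plans/Special_Plans.xlsx",
}
DECOY_ACCOUNTS = {"svc_backup_admin"}

# Raw auditd record shape: type=<T> msg=audit(<epoch>:<serial>): key=value ...
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# key=value pairs; values may be double-quoted (paths, comm, exe)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log, as an audit watch "-w /srv/plans -p rwa -k decoy"
# would emit it: a harmless read, a copy of the decoy file, a decoy login.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1353421200.101:4101): arch=c000003e syscall=2 success=yes exit=3 ppid=2200 pid=2210 auid=1001 uid=1001 comm="cat" exe="/bin/cat" key="decoy"
type=PATH msg=audit(1353421200.101:4101): item=0 name="/srv/plans" inode=100 nametype=PARENT
type=PATH msg=audit(1353421200.101:4101): item=1 name="/srv/plans/README.txt" inode=101 nametype=NORMAL
type=SYSCALL msg=audit(1353421260.555:4102): arch=c000003e syscall=2 success=yes exit=4 ppid=2200 pid=2211 auid=1001 uid=1001 comm="cp" exe="/bin/cp" key="decoy"
type=PATH msg=audit(1353421260.555:4102): item=0 name="/srv/plans" inode=100 nametype=PARENT
type=PATH msg=audit(1353421260.555:4102): item=1 name="/srv/plans/SECRET_strategicfile.docx" inode=102 nametype=NORMAL
type=USER_LOGIN msg=audit(1353421300.007:4103): pid=2300 uid=0 auid=4294967295 msg='op=login acct="svc_backup_admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=success'
"""


def parse_record(line: str):
    """Split one raw auditd line into (type, epoch, serial, fields) or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(body)}
    return rtype, float(ts), int(serial), fields


def group_events(lines):
    """Join SYSCALL/PATH/USER_LOGIN records that share an audit serial."""
    events = defaultdict(lambda: {"ts": None, "records": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        events[serial]["ts"] = ts
        events[serial]["records"].append((rtype, fields))
    return dict(events)


@dataclass(frozen=True)
class Alert:
    serial: int
    ts: float
    kind: str    # "decoy_file" or "decoy_account"
    asset: str   # the decoy that was touched
    actor: str   # audit uid of the session, or the login account
    source: str  # executable used, or remote address for a login


def escalate(lines):
    """Return one Alert per audit event that touches a decoy asset."""
    alerts = []
    for serial, ev in sorted(group_events(lines).items()):
        syscall = next((f for t, f in ev["records"] if t == "SYSCALL"), {})
        for rtype, f in ev["records"]:
            if rtype == "PATH" and f.get("name") in DECOY_FILES:
                alerts.append(Alert(serial, ev["ts"], "decoy_file", f["name"],
                                    f"auid={syscall.get('auid', '?')}",
                                    syscall.get("exe", "?")))
            elif rtype == "USER_LOGIN" and f.get("acct") in DECOY_ACCOUNTS:
                alerts.append(Alert(serial, ev["ts"], "decoy_account",
                                    f["acct"], f["acct"], f.get("addr", "?")))
    return alerts


if __name__ == "__main__":
    for alert in escalate(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ESCALATE {alert.kind}: {alert.asset} by {alert.actor} "
              f"via {alert.source} (audit serial {alert.serial})")
```

Run on the sample, the `cat` of README.txt produces nothing, while the copy of the decoy document and the SSH login as the decoy account each raise one alert. In a real deployment the same lookup would run on the out-of-band log collector rather than on the decoy host itself.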
Tuesday, November 20, 2012
Monday, November 5, 2012
Why Logos?
The ancient Greek term "Logos" has a number of meanings, depending on the context in which it is used. Significantly, it was the term chosen by the Greeks when they were describing the creation event in the Bible, and even used to describe God.
Now, I am of a decidedly scientific bent, and a Zen Buddhist to boot - so to me, it has always had a more gnostic connotation. The creation of Something from the Void. The Greek philosophers also thought of Logos as the underlying rationality from which the order of the Universe sprung.
What does this have to do with the field of Information Security? I feel that Information Security Professionals are currently embarked on the same journey - perched on the edge of trying to bring some order out of the chaos. This blog is my attempt to add to the discussion.