I read a really good article today, summarizing remarks that Paul Kurtz made at the Cloud Security Alliance Congress in Orlando last week. I couldn't agree more. I am really against the idea of "hack backs" or otherwise taking aggressive actions against hackers. First and foremost, I think you lose that fight every time, unless you are a security company filled with elite hacker types who actively monitor and defend your own network. If you are a responsible business enterprise, you have better things to do than get into a war with hackers. This is classic asymmetrical warfare, and they only have to be right one time for you to suffer the consequences. Look at the APT threat or even Anonymous to give yourself an idea of what a determined attacker can do with enough time. More importantly, if you have a General Counsel worth their salt, they will crack down on any attempts by the security team to conduct activities that might land you, or anyone from the senior or executive management of the company, in a prison in the Ukraine.
Paul's point is well taken. We'd be much better served by creating an environment that contains decoy network segments, servers, and even administrator accounts, and booby-trapping those. Previously, these types of operations were prohibitively resource intensive. The advent of virtualization has made it more feasible to create these types of decoy environments without too much of a financial burden. Of course, it will still take some time to thoughtfully "prepare the battleground," as we used to say in the Marines. However, I could envision a scenario where you take images of all of your "true" assets, remove the valuable IP, and replace it with information that is modified enough to remain realistic but that strips out your company's "special sauce." You could then use that to populate your decoy environment.
You can see the advantages of this approach from an incident detection standpoint. The "booby-trapping" I referred to above is the creation of a robust monitoring solution that logs everything going on in those decoy segments. The nice bit is that your correlation logic requirements almost disappear: nobody has a legitimate reason to be in the decoy segment, so a single event is enough. If anyone touches the bogus "Special Plans" file or the "SECRET_strategicfile.docx", it is an immediate escalation and investigation by the CSIRT. Good, good stuff. At that point, monitoring becomes a matter of watching the attacker and documenting their activities. This has incredible value when it comes to attribution, as the Tactics, Techniques and Procedures (TTPs) can be very revealing if enough data is collected over a long enough time period.
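As an added illustration of the "booby-trapping" described above (this is example code written for this post, not something from the original article or from Paul Kurtz), here is a small canary-file detector. It assumes the decoy segment's file-access audit events arrive as one JSON object per line with `ts`, `host`, `user`, `path` and `action` fields; the directory layout, account names and sample log lines are all constructed for the example. The two file names come from the post. The point it demonstrates is the collapse of the correlation logic: any touch of a canary path is a critical alert on its own, and the per-user trail is the raw material for the "watch and document" phase.

```python
"""Canary-file access detector for a decoy network segment.

Added example, not from the original post. Assumptions (all constructed):
  - Audit events are one JSON object per line with the fields
    "ts", "host", "user", "path" and "action".
  - Canary paths under /decoy/ are planted ahead of time and are known.
Because no legitimate user has business in the decoy segment, a single
match is a confirmed incident: no thresholds, no cross-source correlation.
"""
import json
from fnmatch import fnmatch

# Canary paths planted in the decoy segment. The two file names are the
# ones mentioned in the post; the directory layout is an assumption.
CANARY_PATTERNS = [
    "/decoy/finance/Special Plans*",
    "/decoy/strategy/SECRET_strategicfile.docx",
    "/decoy/hr/*.xlsx",
]

# Constructed sample audit lines (hosts, users and timestamps are invented).
SAMPLE_LOG = """\
{"ts": "2000-01-01T02:14:03Z", "host": "decoy-fs01", "user": "svc_backup", "path": "/decoy/etc/motd", "action": "read"}
{"ts": "2000-01-01T02:15:41Z", "host": "decoy-fs01", "user": "jdoe", "path": "/decoy/strategy/SECRET_strategicfile.docx", "action": "read"}
{"ts": "2000-01-01T02:15:44Z", "host": "decoy-fs01", "user": "jdoe", "path": "/decoy/strategy/SECRET_strategicfile.docx", "action": "copy"}
{"ts": "2000-01-01T02:16:02Z", "host": "decoy-fs02", "user": "jdoe", "path": "/decoy/finance/Special Plans - FY13.pptx", "action": "read"}
{"ts": "2000-01-01T02:16:30Z", "host": "decoy-fs02", "user": "rsmith", "path": "/decoy/public/readme.txt", "action": "read"}
this line is deliberately malformed and must not break the detector
"""


def is_canary(path):
    """True if the path matches any planted canary pattern."""
    return any(fnmatch(path, pattern) for pattern in CANARY_PATTERNS)


def parse_event(line):
    """Parse one audit line; return None for blank or malformed lines so a
    bad record never silences the rest of the feed."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    required = ("ts", "host", "user", "path", "action")
    if not isinstance(event, dict) or not all(k in event for k in required):
        return None
    return event


def detect_canary_access(log_text):
    """Return one CRITICAL alert per canary touch, ready for CSIRT escalation.

    Every match is an alert in its own right; there is no count threshold
    and no correlation with other sources, which is the whole point of a decoy.
    """
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None or not is_canary(event["path"]):
            continue
        alerts.append({
            "severity": "CRITICAL",
            "ts": event["ts"],
            "host": event["host"],
            "user": event["user"],
            "path": event["path"],
            "action": event["action"],
        })
    return alerts


def summarize_by_user(alerts):
    """Group alerts by account so the CSIRT can follow one actor's trail
    across decoy hosts while documenting their TTPs."""
    trail = {}
    for alert in alerts:
        trail.setdefault(alert["user"], []).append(
            (alert["ts"], alert["host"], alert["action"], alert["path"])
        )
    return trail


if __name__ == "__main__":
    found = detect_canary_access(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['ts']} {a['user']}@{a['host']} {a['action']} {a['path']}")
    for user, steps in summarize_by_user(found).items():
        print(f"\nTrail for {user}: {len(steps)} decoy touches")
```

Run against the constructed sample, the backup account's read of `/decoy/etc/motd` and the read of `readme.txt` produce nothing, while the three touches of the two canary files become three critical alerts, all attributable to one account. In a real deployment the `SAMPLE_LOG` string would be replaced by the decoy segment's audit feed and the alert list handed to the ticketing or SIEM pipeline.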