Noted military deception author Barton Whaley, Ph.D., stated in his book Practice to Deceive: Learning Curves of Military Deception Planners, “In combat, deception strengthens the weaker side. When all other factors are equal, the more deceptive player or team will always win.” Make no mistake, the world of information security is combat. It is a combat featuring bits and bytes instead of bombs and bullets, but it is a form of combat nonetheless. Script kiddies sitting in their basement drinking Red Bull and nation-state-sponsored threat groups share a common battlefield that should, theoretically, be weighted heavily on the side of defense. Defenders have advantages in terms of numbers, budget, and technology. There are far more defenders than attackers in the world. Defenders have budget to buy security technology, train users, and hire or contract with defensive security experts. Why, then, does it feel like the attackers are winning?
According to the 2021 Ponemon Institute Cost of a Data Breach study, it takes organizations an average of 287 days, or over 9 months, to identify and contain a data breach. Of that, it takes organizations 212 days to identify the breach and another 75 days to contain it. As bad as these numbers are, the situation is worse when looking at previous Cost of a Data Breach studies. Both the average time to identify and the average time to contain are the highest recorded, with both increasing steadily since 2017. Making things even worse, the same Cost of a Data Breach study has found, year after year, a direct correlation between the amount of time it takes to identify and contain a breach and the cost of that breach. Not only are attackers living unidentified on our networks for months, but our inability to detect and respond effectively also increases the cost of the breach by nearly 35%.
Having identified a problem, the reasonable response is to ask a simple question: why?
The answer, at least in part, goes back to the Barton Whaley quote mentioned previously. Noted computer security consultant, author, and convicted hacker Kevin Mitnick was perhaps most skilled in social engineering. Social engineering is defined by the Oxford dictionary as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” Kevin’s most high-profile arrest came nearly three decades ago, in 1995, and he was not the first to make use of this tactic. While defenders have significant advantages, attackers use deception against us and have done so for decades. Today, social engineering, phishing, spear phishing, watering hole attacks, techniques to evade endpoint security, and techniques to evade intrusion detection can all be considered “offensive deception,” and they work remarkably well.
Instead of attempting to detect “evil,” the focus can be shifted to attempting to detect the abnormal. Typical computing environments are predictable. Users perform the same actions, they interact with the same servers, and they use the same applications day after day. Attackers, on the other hand, do not behave like typical users, and these differences in behavior can be used to detect adversarial action in our networks. For the most part, users know how to interact with their work environment. They don’t need to explore or investigate. They use a fixed set of applications and interact with a fixed set of servers and devices. When an attacker gains access to the network, the situation is quite different. They do not understand the environment and are thus forced to explore and investigate. This leads to behavior that is abnormal for the environment, and it is this abnormality that can be detected.
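As an added illustration of the point above (not code from the original post), this Python sketch learns each user's fixed set of hosts and applications from a constructed sample log, then flags an account whose observed activity is mostly first-time host or application use, the "exploring" behavior described here. The log lines, names and the 50% threshold are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample access log (not real data): (user, host, application).
# The first window is the learning period; the second is the period being checked.
BASELINE_EVENTS = [
    ("alice", "fileserver01", "excel"),
    ("alice", "mail01", "outlook"),
    ("alice", "crm01", "chrome"),
    ("bob", "erp01", "sap"),
    ("bob", "mail01", "outlook"),
]

OBSERVED_EVENTS = [
    # alice repeats her usual pattern
    ("alice", "fileserver01", "excel"),
    ("alice", "mail01", "outlook"),
    # bob's account touches hosts and tools it has never used before
    ("bob", "fileserver01", "cmd"),
    ("bob", "dc01", "remote-desktop"),
    ("bob", "backup01", "powershell"),
    ("bob", "mail01", "outlook"),
]


def build_baseline(events):
    """Per-user sets of hosts and applications seen during the learning window."""
    hosts, apps = defaultdict(set), defaultdict(set)
    for user, host, app in events:
        hosts[user].add(host)
        apps[user].add(app)
    return hosts, apps


def novelty_scores(baseline, events):
    """Fraction of each user's observed events that touch a host or app
    absent from that user's baseline. A user with no baseline at all scores 1.0."""
    hosts, apps = baseline
    total, novel = defaultdict(int), defaultdict(int)
    for user, host, app in events:
        total[user] += 1
        if host not in hosts[user] or app not in apps[user]:
            novel[user] += 1
    return {user: novel[user] / total[user] for user in total}


def flag_exploring_users(baseline, events, threshold=0.5):
    """Users whose activity is at least `threshold` first-time host/app use."""
    scores = novelty_scores(baseline, events)
    return sorted(user for user, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print(novelty_scores(base, OBSERVED_EVENTS))   # alice 0.0, bob 0.75
    print(flag_exploring_users(base, OBSERVED_EVENTS))  # ['bob']
```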
Detecting the abnormal is nothing new. According to FireEye, UEBA, or user and entity behavioral analysis, “uses large datasets to model typical and atypical behavior of humans and machines within a network.” The problem with UEBA centers around complexity. Network environments are extremely complex when taking into consideration the full set of user and machine activity. Attempting to normalize the entire network is both challenging and subject to significant change as a result of business, mission, or technological changes. UEBA technologies can be focused on one aspect of network activity, logins for example, which is much simpler but would leave the organization with significant “blind spots.” Fortunately, there is another solution: redefining normal.
Over the next weeks we will discuss other benefits including distraction, attack disruption, delay, deterrence, intelligence collection, threat hunting, and active attacker engagement.