Active Defense Can Give Pause to Threats

Enterprises can use the networking tools they already own to put up internal barriers that frustrate hackers into moving on to other targets.

SAN FRANCISCO – Disrupting hackers on your own network has become sort of a parlor trick for enterprises with enough resources and desire to dive into those waters.

Today at RSA Conference, one expert explained how most organizations can use networking tools they have already invested in both to automate their responses and to put up enough barriers that attackers give up and move on to other targets.

“We’re talking about small remediated responses that pause the threat,” said Jason Bird, head of CSG Invotas. “When we see an email come in with a suspicious URL path, put it in the proxy. A thousand users got the email, but can’t click on the link in it; you’ve immediately stopped how active that threat can be with one physical action.”

The point, Bird said, is to free internal networking and security analysts from response duties and let them be analysts. Automation in this case begins by blocking one malicious URL path; that temporary block can then feed a workflow that makes it permanent and pushes it out via Group Policy to every Windows firewall.

“It’s no longer required for the analyst to be part of the process,” Bird said.
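The pause-then-promote workflow described above, as an added example that is not Bird's or CSG Invotas' code: the flagged URL is extracted from a constructed email, blocked at the proxy with an expiry (rendered here in Squid ACL syntax, one proxy format among many), and then promoted to a permanent block rendered as netsh commands suitable for a Group Policy startup script. The email, the domain and the stand-in DNS resolver are constructed so it runs offline; Group Policy deployment itself is assumed and not shown. Two caveats a practitioner should keep in mind: Windows Firewall filters on addresses and ports, not URL paths, so promotion resolves the host to IPs; and for HTTPS a proxy only sees the path if it intercepts TLS, otherwise the block is effectively host-level.

```python
"""Pause one malicious URL at the proxy, then promote the pause to a permanent
host-firewall block. Added example with constructed data, not the vendor's code."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable
from urllib.parse import urlparse

# Constructed phishing message; .example is a reserved TLD, nothing here is real.
SAMPLE_EMAIL = (
    "From: accounts@invoice-review.example\n"
    "Subject: Action required: pending invoice\n\n"
    "Your payment is on hold. Confirm your details at\n"
    "http://invoice-review.example/login/reset?id=4471 within 24 hours.\n"
    "Questions? See https://intranet.example/finance/faq\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_urls(text: str) -> list[str]:
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


@dataclass(frozen=True)
class ProxyBlock:
    url: str
    host: str
    path: str
    created: datetime
    expires: datetime | None  # None means the block is permanent


def temporary_block(url: str, now: datetime, ttl: timedelta = timedelta(hours=24)) -> ProxyBlock:
    """Step 1, the pause: block exactly this URL with an expiry so recipients cannot
    reach it while an analyst decides what it is."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"not a blockable http(s) URL: {url!r}")
    return ProxyBlock(url=url, host=parsed.hostname.lower(), path=parsed.path or "/",
                      created=now, expires=now + ttl)


def squid_acl(block: ProxyBlock) -> list[str]:
    """Render the pause as Squid ACL lines (assumed proxy format); anchored on the full URL."""
    name = "paused_url_" + re.sub(r"[^a-z0-9]", "_", block.host)
    expiry = block.expires.isoformat() if block.expires else "never"
    return [f"# expires {expiry}",
            f"acl {name} url_regex -i ^{re.escape(block.url)}",
            f"http_access deny {name}"]


def promote(block: ProxyBlock, resolve: Callable[[str], list[str]]) -> tuple[ProxyBlock, list[str]]:
    """Step 2, the promotion: drop the expiry and render one outbound Windows Firewall
    rule per resolved address. Windows Firewall cannot match a URL path, so the host
    is resolved first; the resolver is injected so this runs offline."""
    permanent = ProxyBlock(block.url, block.host, block.path, block.created, None)
    rules = []
    for ip in sorted(set(resolve(block.host))):
        ipaddress.ip_address(ip)  # refuse anything the resolver returns that is not an IP
        rules.append(f'netsh advfirewall firewall add rule name="Block {block.host}" '
                     f"dir=out action=block remoteip={ip}")
    return permanent, rules


# Constructed stand-in for DNS (TEST-NET-3 addresses).
FAKE_DNS = {"invoice-review.example": ["203.0.113.18", "203.0.113.17"]}


def run_workflow(email_text: str, flagged_url: str, now: datetime | None = None) -> dict:
    """Run pause then promote for one URL that detection flagged in the message."""
    now = now or datetime.now(timezone.utc)
    if flagged_url not in extract_urls(email_text):
        raise ValueError("flagged URL is not present in the message")
    paused = temporary_block(flagged_url, now)
    permanent, fw_rules = promote(paused, lambda host: FAKE_DNS.get(host, []))
    return {"paused": paused, "proxy_acl": squid_acl(paused),
            "permanent": permanent, "firewall_rules": fw_rules}


if __name__ == "__main__":
    result = run_workflow(SAMPLE_EMAIL, "http://invoice-review.example/login/reset?id=4471")
    print("\n".join(result["proxy_acl"]))
    print("\n".join(result["firewall_rules"]))
```

The only human decision left in the loop is whether the pause becomes permanent; everything else is rendered from the one URL, which is the point Bird makes about taking the analyst out of the response path.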

The notion of active defense is not a new one. Experts have long talked about raising an attacker's costs, for example by setting up honeypots inside the firewall that mimic the real network infrastructure. Simple measures such as changing network conditions, creating false directories, and filling folders with phony data let enterprises run their own version of deception without crossing any line that could constitute hacking back. It might help too, Bird said, if you don't name your global MySQL credit card database just that.

“You don’t want to be an economically viable target,” Bird said. “We know the majority of cybercrime is driven by profit. The more troublesome you can be, the more expensive an attack you are and the less likely you are to be that economically viable target. Attacker groups use terms like ROI; they calculate the ROI for the three to four hours they spent attacking you.”

A defender should also learn how to glean intelligence about who is attacking the network, Bird said.

“The interesting thing that a lot of people don’t think about is there’s a huge amount of data the attacker transmits in what they’re actually sending every time they post a request,” Bird said, pointing to data that includes the IP frame, Web application header, language, geolocation. “There’s a wealth of data most people don’t have any time to do anything with. They all know what the trigger points are, and they all know what to look for, but there’s too much data and information in the SIEM, no one’s got any time to do this. We run around and we fight fires.”
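What that data looks like once it is actually mined, as an added example (not Bird's code): a handful of constructed raw HTTP requests, each paired with the peer address a reverse proxy would log, are parsed for source IP, request path, User-Agent and the highest-weighted Accept-Language tag, geolocated against a constructed prefix table (not a real GeoIP database), and rolled up into one profile per source. The X-Forwarded-For header is honoured only when the peer is one of your own load balancers, since anyone else can forge it; the trusted-proxy set and all sample traffic are assumptions for the demo.

```python
"""Turn the headers attackers send with every request into a per-source profile.
Added example with constructed requests and a constructed geolocation table."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed (peer_ip, raw_request) pairs using TEST-NET addresses and .example hosts.
SAMPLE_REQUESTS = [
    ("198.51.100.23",
     "GET /wp-login.php HTTP/1.1\r\nHost: shop.example\r\n"
     "User-Agent: python-requests/2.31\r\nAccept-Language: ru-RU,ru;q=0.9\r\n\r\n"),
    ("198.51.100.23",
     "POST /xmlrpc.php HTTP/1.1\r\nHost: shop.example\r\n"
     "User-Agent: python-requests/2.31\r\nAccept-Language: ru-RU,ru;q=0.9\r\n\r\n"
     "<methodCall></methodCall>"),
    ("192.0.2.10",  # our own load balancer; the real client is in X-Forwarded-For
     "GET /admin/?debug=1 HTTP/1.1\r\nHost: shop.example\r\n"
     "X-Forwarded-For: 203.0.113.77, 192.0.2.10\r\n"
     "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
     "Accept-Language: pt-BR,pt;q=0.8,en;q=0.5\r\n\r\n"),
    ("198.51.100.23",
     "GET /wp-login.php HTTP/1.1\r\nHost: shop.example\r\n"
     "User-Agent: python-requests/2.31\r\nAccept-Language: en;q=0.3,ru;q=0.9\r\n\r\n"),
]

# Constructed prefix-to-country table standing in for a GeoIP lookup.
GEO_TABLE = {"198.51.100.0/24": "RU", "203.0.113.0/24": "BR", "192.0.2.0/24": "US"}


def geolocate(ip: str) -> str:
    """Longest-prefix lookup in the constructed table; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(n) for n in GEO_TABLE if addr in ipaddress.ip_network(n)]
    return GEO_TABLE[str(max(matches, key=lambda n: n.prefixlen))] if matches else "??"


def primary_language(accept_language: str) -> str | None:
    """Return the highest-q tag from an Accept-Language header (None if absent)."""
    best, best_q = None, -1.0
    for part in accept_language.split(","):
        tag, _, params = part.strip().partition(";")
        q = 1.0
        params = params.strip()
        if params.startswith("q="):
            try:
                q = float(params[2:])
            except ValueError:
                q = 0.0
        if tag and q > best_q:
            best, best_q = tag, q
    return best


@dataclass(frozen=True)
class Fingerprint:
    client_ip: str
    country: str
    method: str
    path: str
    user_agent: str
    language: str | None


def parse_request(peer_ip: str, raw: str, trusted_proxies: frozenset = frozenset()) -> Fingerprint:
    """Extract what one request reveals about its sender."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _ = (lines[0].split(" ", 2) + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    client_ip = peer_ip
    xff = headers.get("x-forwarded-for")
    if xff and peer_ip in trusted_proxies:  # only our own proxies may tell us the real client
        client_ip = xff.split(",")[0].strip()
    return Fingerprint(client_ip, geolocate(client_ip), method, target.split("?", 1)[0],
                       headers.get("user-agent", ""), primary_language(headers.get("accept-language", "")))


@dataclass
class SourceProfile:
    country: str
    requests: int = 0
    paths: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    languages: set = field(default_factory=set)


def profile_sources(samples, trusted_proxies: frozenset = frozenset()) -> dict[str, SourceProfile]:
    """Roll individual fingerprints up into one profile per client address."""
    profiles: dict[str, SourceProfile] = {}
    for peer, raw in samples:
        fp = parse_request(peer, raw, trusted_proxies)
        p = profiles.setdefault(fp.client_ip, SourceProfile(fp.country))
        p.requests += 1
        p.paths.add(fp.path)
        p.user_agents.add(fp.user_agent)
        if fp.language:
            p.languages.add(fp.language)
    return profiles


if __name__ == "__main__":
    for ip, prof in profile_sources(SAMPLE_REQUESTS, frozenset({"192.0.2.10"})).items():
        print(ip, prof)
```

Run against real proxy logs, the same rollup answers the question Bird says nobody has time for: which sources hit which paths, with what tooling, speaking which language, from where.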
