Thinking Forward Archives

by Dr. Irv Lachow
MITRE Principal Cyber Researcher

Cyber defense is generally viewed as consisting of three separate activities: prevention, detection, and response. Organizations and security vendors typically focus the bulk of their resources on identifying vulnerabilities and preventing intrusions via Internet-facing defenses such as anti-virus software, firewalls, identity and access management solutions, and white and black lists. These tools are important, but it is becoming increasingly evident that they are also insufficient. Sophisticated hackers, criminals, and nation states are breaching corporate defenses at alarming rates.

To put it bluntly: bad guys will breach your perimeter defenses sooner or later. And if you're doing anything interesting, they already have.

While trying to keep adversaries off your networks is ultimately a losing strategy, it's possible to change the rules of the game to your advantage. To gain value from an attack designed to steal information, criminals and spies must do more than simply get into your networks—they must take action. They may map the network, steal credentials, download additional malware, copy documents and exfiltrate them, or leverage your system as a jumping-off point for attacking others.

Each of these actions leaves a trace or gives off a signal, even if only momentarily. These signals give defenders an opportunity. If an enterprise understands its own networks and systems, then it can search for either anomalous behavior or actions associated with an active adversary.

Mixing Automated Tools with Human Analysis

To understand what's happening inside their own perimeters, organizations must be able to gather and analyze data from their own users. To do this, they need to deploy numerous sensors—some on hosts, others on networks, and perhaps others on mobile devices. An enterprise must then be able to analyze the data it gathers to detect cyber adversaries. This aspect of detection may require a mix of both automated tools, which can process huge amounts of data quickly to identify events of interest, and human analysts with the skills and mindset needed to "sniff out" suspicious activities.

The latter point requires special emphasis. Automated tools are incredibly useful, but detecting advanced cyber intruders also depends on skilled and experienced defenders. These defenders are like detectives at the scene of a crime—looking for clues, following leads, making connections, and using intuition as well as hard data to figure out who did what.

After the Click

If an organization can detect a network penetration quickly—before the intruder has a chance to hide, steal information, or take other actions—then it can gain the advantage and alter the entire dynamic of offense and defense. For example, if you know, soon after the fact, that intruders have made it into your system, then you have a wide range of response options, including engaging with them to gather intelligence, providing them with false information, removing them as quickly as possible, or ignoring them and continuing with your mission. You can now dictate what happens next—it's the adversary who's on the defensive. However, to take advantage of this opportunity, you must detect the attacker quickly. Detecting an attack days, weeks, or months after the fact does little good.

Another benefit of focusing on detection is that it enables organizations to both produce and consume threat intelligence. For instance, by detecting an intruder, an enterprise can share information about the intrusion with other organizations. These organizations can then fine-tune their defenses to better protect themselves against this threat.

Cyber threat intelligence gathered via detection methods is more easily shared than information from post-breach analyses, which is often either too sensitive to share or too generic to be useful (and rarely timely). Near-real-time sharing of actionable threat intelligence is most useful to everyone. The exchange of cyber threat indicators is already happening in threat sharing partnerships and commercial services, and we anticipate such efforts to spread widely in the coming years.

Turning the Tables

Detection of cyber intrusions is not a new idea. What is new is the growing realization that detection merits more attention and resources.

For example, a new class of start-up companies is providing products and services based on the assumption that an exploit has already occurred within an enterprise. These start-ups focus on rapid detection and mitigation. Many large companies are also adopting this approach, based on their hard-earned experience of how difficult it is to prevent advanced cyber intruders from getting past perimeter defenses.

These organizations are changing the paradigm of cyber defense by turning that weakness to their advantage. By taking the initiative, they are turning the tables on cyber attackers.

Want to learn more? We invite you to read "Cybersecurity Needs a More Powerful Approach," by Gary Gagnon, MITRE senior vice president and chief security officer.