Stealth Attacks Require Stealth Responses
It's time to turn the tables on invisible invaders.
Global, asymmetrical threats now dominate attacks on nations and businesses alike, and the enemy is not always immediately knowable, identifiable or even seen. These realities are forcing leaders to invest more in analytics, intelligence, surveillance, reconnaissance and other modern responses to today's cyber attacks.
Military leaders also are discovering that their battle against foes in the cyber realm is constantly evolving. With the cloud, mobility and other technological advancements, the traditional perimeter has given way to a complex, worldwide cyber ecosystem with an overwhelming number of endpoints. At the same time, adversaries hide themselves while gaining entry into network systems by deploying an ever-shifting blueprint of attack and deception methods.
According to research from Nuix, 54 percent of surveyed hackers said they can complete an entire breach, including penetrating the perimeter, identifying critical and valued data, and exfiltrating data, in no more than 15 hours. Once they had compromised a target, 77 percent of the hackers said the target’s security team rarely or never identified their presence. Nearly nine in 10 said they could cover their tracks in less than 30 minutes after a breach.
With this level of sophisticated aggression, government and military agencies are finding that current solutions and strategies based primarily on passive antivirus and firewall solutions are falling short. The Office of Management and Budget’s Federal Cybersecurity Risk Determination Report and Action Plan estimates that of the 31,000 cyber incidents that impacted federal organizations in fiscal year 2016, the affected agencies could not identify the method of attack or attack vector for more than 11,800 of them.
To adapt, agencies must turn to next-generation cybersecurity approaches and solutions that proactively disrupt attackers’ activity by confronting them with deeper visibility and control than they expect to find. Organizations must acquire new levels of deflection, deception and incident monitoring to thwart threats that would otherwise bypass security controls. Most of all, they need stealth cybersecurity capabilities: defensive applications that remain invisible to adversaries while those adversaries attempt to infiltrate government networks.
This stealth approach is especially important now. For decades, the United States has applied a cybersecurity posture of fighting hackers that’s similar to missile defense. Defenders are pressured to shoot down every incoming attack in the nick of time. But even with the fastest, most agile interceptors, such as threat signatures, attacker dossiers and nimble security teams, the attacker lobbing kinetic or digital missiles always has the advantage against known, visible assets staked out on a conventional or cyber battlefield. Because interception does not easily scale online, a strategy is required that effectively cloaks defense sensors and their applications while developing a cyber environment of deception and countermeasures.
The technique calls for military security professionals to layer their network environments with better camouflage. They must improve visibility while automating threat response at the edge of the network with in-line applications that are virtually invisible to adversaries: deployed transparently in the traffic path, they carry no Internet protocol or media access control addresses of their own, so an attacker probing the network has nothing to scan, fingerprint or target, yet they still inspect network traffic in real time and in depth. (Any out-of-band management interface such a device does have must be kept on an isolated network.) When network defenders identify malicious traffic, they can redirect, block or otherwise deactivate it. This defense methodology makes the process more frustrating and riskier for hackers because they must spend more time on a network, increasing their chance of being caught.
Stealth defenses also confound the enemy by creating an assortment of bogus doors that appear to lead to data jewels but are actually part of a setup. As hackers attempt to open one fake door after another, they end up confused and exasperated and can no longer wrap up the job in a matter of hours. This delay gives security teams ample opportunity to observe the attackers’ activities and techniques as they fumble and stumble throughout the network.
The approach resembles the use of inflatable tanks, mock troop sounds on wire recorders and other Ghost Army deceptive tactics on the physical battlefield in wartime. By using phony targets, the enemy’s search for real ones is less precise, while giving a cybersecurity team a front-row seat to observe an enemy’s tactics.
As an added advantage, this approach results in minimal or zero disruption to network operations. Designers of next-generation solutions realize that a constant “yin versus yang” conflict exists within an organization that pits the need to protect against the potential for defensive tools to hinder productivity. Because stealth methods work with a minimal footprint, this struggle is avoided, and organizations achieve integrated network security operations. In this optimal state, security is built into every cycle of network operations, and real-time, intelligence-based analytics expose hackers at the earliest possible moment with the least amount of disruption.
For all of this to come together as a whole, military information technology teams should develop a stealth cybersecurity strategy that incorporates certain essential components. First, to sufficiently safeguard the enterprise, the indicator-management platform must in most cases be able to ingest, maintain and match against more than 750,000 threat indicators. The resulting threat analytics then feed intrusion detection and intrusion prevention systems so that teams can act dynamically instead of passively and protect systems at the speed of the incident.
Second, stealth tools must see all of the traffic to and from every endpoint and be able to act on it, blocking or redirecting it as required. The tools also must offload log data to a separate system so agency security teams can audit it in a meaningful way. Without offloading, an intruder who gains control of a host can simply delete its local logs to cover their tracks.
Third, threat intelligence feeds must be integrated into the tools. It is key to be able to analyze data from multiple sources and locations at the speed of activity and to act swiftly on the results by launching defensive or offensive countermeasures.
Finally, Internet protocol address filtering is required so organizations can shrink their attack surface and gain granular control over it. This capability lets cybersecurity teams keep suspicious activity away from their critical network infrastructure.
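To make these components concrete, the following is an added example (not code from the article, its author or LookingGlass) of the decision logic an in-line sensor would apply to each connection: it loads a large indicator feed into sets so matching stays O(1) regardless of feed size, filters untrusted sources away from a protected address range, steers known-bad sources to a decoy host instead of simply dropping them (the "bogus doors" described earlier), blocks traffic to indicator domains, and ships an audit copy of every decision to a separate sink. The feed format, the addresses (drawn from documentation ranges), the connection records and the `AuditSink` class that stands in for a remote log destination are all constructed for this illustration.

```python
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Constructed indicator feed in a hypothetical "type,value" line format.
# A production feed would hold hundreds of thousands of entries; a set gives
# O(1) membership tests, so matching cost does not grow with feed size.
FEED = """\
# type,value
ip,203.0.113.7
ip,198.51.100.23
domain,update-check.example
domain,cdn-mirror.example
"""

# Constructed connection records as an in-line sensor would see them.
RECORDS = [
    {"src": "192.0.2.10", "dst": "10.20.1.15", "dport": 443, "name": "intranet.example"},
    {"src": "203.0.113.7", "dst": "10.20.1.15", "dport": 443, "name": ""},
    {"src": "192.0.2.44", "dst": "10.20.1.9", "dport": 443, "name": "update-check.example"},
    {"src": "10.20.5.5", "dst": "10.30.7.2", "dport": 22, "name": ""},
    {"src": "192.0.2.10", "dst": "10.30.7.2", "dport": 22, "name": ""},
]


@dataclass
class Decision:
    action: str                   # "allow", "block" or "redirect"
    reason: str
    target: Optional[str] = None  # decoy address when action == "redirect"


class AuditSink:
    """Stand-in for an off-box log destination such as remote syslog over TLS.

    Every decision is shipped here as it is made, so the sensor never holds the
    only copy and an intruder with root on a host cannot erase the trail by
    deleting a local file.
    """

    def __init__(self) -> None:
        self.lines: list[str] = []

    def send(self, record: dict, decision: Decision) -> None:
        entry = {**record, "action": decision.action,
                 "reason": decision.reason, "target": decision.target}
        self.lines.append(json.dumps(entry, sort_keys=True))


def load_indicators(feed: str) -> tuple[set[str], set[str]]:
    """Parse the feed into normalised IP and domain indicator sets."""
    ips: set[str] = set()
    domains: set[str] = set()
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        if kind == "ip":
            ips.add(str(ipaddress.ip_address(value.strip())))
        elif kind == "domain":
            domains.add(value.strip().lower().rstrip("."))
    return ips, domains


def match_domain(name: str, bad_domains: set[str]) -> bool:
    """True if name or any parent domain (excluding the bare TLD) is an indicator."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels) - 1))


@dataclass
class Policy:
    bad_ips: set[str]
    bad_domains: set[str]
    protected: list[ipaddress.IPv4Network]  # critical infrastructure ranges
    trusted: list[ipaddress.IPv4Network]    # only these may reach protected ranges
    decoy: str                              # where known-bad sources are steered

    def decide(self, rec: dict) -> Decision:
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        # 1. Address filtering in front of critical infrastructure.
        if any(dst in net for net in self.protected) and not any(src in net for net in self.trusted):
            return Decision("block", "untrusted source to protected range")
        # 2. Known-bad source: steer it to a decoy rather than dropping it, so the
        #    team can observe its tradecraft while it wastes time on a fake target.
        if str(src) in self.bad_ips:
            return Decision("redirect", "source matches ip indicator", self.decoy)
        # 3. Known-bad destination name (DNS query or TLS SNI): block.
        if rec.get("name") and match_domain(rec["name"], self.bad_domains):
            return Decision("block", "name matches domain indicator")
        return Decision("allow", "no match")


def build_policy() -> Policy:
    ips, domains = load_indicators(FEED)
    return Policy(bad_ips=ips, bad_domains=domains,
                  protected=[ipaddress.ip_network("10.30.0.0/16")],
                  trusted=[ipaddress.ip_network("10.20.0.0/16")],
                  decoy="10.99.0.5")  # constructed decoy host


def run(records: list[dict], policy: Policy, sink: AuditSink) -> list[Decision]:
    """Decide every record in order and ship an audit entry for each one."""
    decisions = []
    for rec in records:
        d = policy.decide(rec)
        sink.send(rec, d)
        decisions.append(d)
    return decisions


if __name__ == "__main__":
    audit = AuditSink()
    for rec, d in zip(RECORDS, run(RECORDS, build_policy(), audit)):
        print(f"{rec['src']:>15} -> {rec['dst']:<12} {d.action:<8} {d.reason}")
```

The ordering of the checks is the point: address filtering for the protected range runs first so that nothing untrusted reaches critical infrastructure even if the indicator feed is stale, and a matched source is redirected rather than blocked so the defenders keep their front-row seat. In a real deployment the policy would be applied by the transparent in-line device and `AuditSink.send` would write to a remote collector, never only to the sensor's own disk.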
The Ghost Army is credited with saving tens of thousands of soldiers’ lives and supporting several Allied victories during World War II. This slice of history offers lessons for cybersecurity in the current era: Stealth operations and illusions can make a network defense portfolio stronger than its individual parts. They also turn the tables on the adversaries who prefer to be hidden as inside watchers but are now the ones being watched. Stealth technologies that can also take action present even more options for those who must defend nations and preserve the body politic.
The inability to find what they seek combined with the constant blocking or redirecting of their intended traffic movements will cause the adversaries to give up in hopes of finding an easier victim because this particular battle or line of effort is no longer worth the time or effort.
Kyle Aldrich holds a master’s degree in information security from Georgetown University and is the director of Defense Programs at LookingGlass Cyber Solutions.