When you examine the sanitized forensic analyses, threat briefings, and aggregated annual reports, there are a two basic facts that emerge:
- There are a lot of different attacker groups with access to the same Internet as baby boomers and short-term contractors.
- Most of them are proficient at user impersonation once on the network to remain undetected for months.
In this reality, our organizations need to do more than just build defenses and sit in waiting until known signatures are identified on our systems.
If we are outnumbered, we should embrace it
While we will never know exactly how many attackers there are, it is fair to assume there are more people, both sophisticated and not, trying to steal from your organization than are currently employed to defend its data. This view gives some security professionals a feeling of misery, but others are embracing it. Recognizing you are defending against a larger force can change the way you think and operate. It gives you the opportunity to align your team mentality to the wolverines from Red Dawn (I only acknowledge the Swayze original), and we should all be looking for more chances to do that. What did the wolverines do? They made life so difficult for the invaders they were forced to go elsewhere.
In this scenario, you need to change the rules
Since attackers are not following any rule book, we should evaluate the process to defend our organizations. Unlike them, we do have rules (and laws) we need to follow, such as ensuring our organizations can effectively meet their own goals, but making our users' lives easier doesn't require us to make intruders' lives easy. If intruders are going to use legitimate tools and systems in a malicious manner, you cannot simply block the tools because that would hinder your organization's ability to conduct important business.
Nowhere in the rules (or laws) does it state that your team has to serve your systems and credentials to all who ask in a pristine condition. Your user population should not know every asset on the network, just the systems they need to accomplish their goals. You can be truthful with your employees and contractors, while also omitting some truths and blatantly lying to outsiders.
When you cannot change legitimate user behavior, find ways to lure the illegitimate
There are some manners in which employees in our companies regularly behave that introduce unwanted risk. Actions like installing unsigned applications or clicking email links without thinking are behaviors we all want to stop in our legitimate users. We can block some of it, but intruders use this unintentional risky behavior to hide their intentional malicious behavior with stolen credentials and compromised systems. Detecting behavioral changes and unnecessary risk are core to what we do, but we can never get overconfident that we can spot 100% of it. We can also trick intruders into exposing themselves.
Since they are deceptively using legitimate accounts and administrative tools to evade detection while exploring our networks, we can use their goals and needs against them. Their goal is to obtain valuable data from your network and sell it to others. To reach this goal undetected, they need to access more credentials and systems to gradually move to the important systems, so you can give them systems and credentials to steal. If only your security team knows of these decoys, only intruders and your unnecessarily curious insiders are going to interact with them.
Traps need to be a tool in your effort to see more
You need to set traps in your organization for both intruders and malicious insiders to trip. You can set all kinds of them, just like the laser beams, pressure plates, and heat sensors the characters in your favorite heist movies have to navigate to reach the valuables without triggering the alarms. Unless you're making the layout of your traps public knowledge, attackers will have to trip them before they can distinguish the decoys from the legitimate, just as spraying aerosol on laser beams would likely trigger them in the real world.
Every InsightIDR customer has the option to deploy an unlimited number of honeypots, honey users, and honey credentials. These traps require so little maintenance that our customers often forget they have them deployed until a legitimate user starts poking around on the network where they shouldn't or a system is improperly configured and starts broadcasting to every system in the company. We plan to continually add more in this area because in combination with the identification of changes in user behavior analytics, these make it extremely difficult to hide on your network, so the intruders will go elsewhere.
Learn more about honeypots, honey users, and honey credentials in our InsightIDR product.
To learn more about these traps and other Rapid7 Incident Detection and Response solutions, check out our new solutions page which includes our Incident Response Services.