Rethinking Your Security Strategy to be more Effective in Responding to Cyber Attacks

“All warfare is based on deception.” (Sun Tzu, The Art of War)

It’s no surprise that large and SMB businesses are struggling to protect their digital assets from cyber criminals. Since the beginning of the Covid-19 lockdown, we are seeing a significant increase in cyber-related attacks and intrusions. According to a recent University of Maryland study, a hacker attack is attempted on average every 39 seconds, which equates to 2244 attack attempts each day. Damage due to cybercrime is estimated to exceed $6 trillion annually by 2021 (Cybersecurity Ventures). To address this, businesses are buying security technologies at a record pace, with the Information Security market expected to reach $170.4 billion by 2022.

The key question we need to ask is: Why are things not improving, and what should we be doing that we are not doing now?

To answer this question, we need to understand the various factors that are converging to create the situation businesses find themselves in today.

  • Technology advancements with mobile devices, cloud services, software as a service, remote computing and the increase of third-party service providers have forced businesses to rethink their IT and security strategies, from securing a central information technology infrastructure to a distributed, data-focused approach.
  • Many businesses still do not clearly understand their cyber risks and what the financial impact of each risk is to their organization. This prevents them from effectively prioritizing which risks need to be mitigated, which can be transferred to insurance or a third party, and what their risk tolerance really is.
  • Cyber criminals are significantly more advanced and utilize more advanced technologies than many of the businesses they attack. They are also better at communicating with their networks and other criminal groups.
  • Most organizations still only utilize a defensive-only security strategy.

Digital Transformation and Implementing Advanced Technology to Optimize the Business

Businesses, large and small, are looking to climb out of the COVID-19 lockdown, and many are looking to advanced technologies to improve productivity and potentially reduce their personnel costs through the elimination of redundant activities. Every change to a piece of hardware, software or network potentially adds vulnerabilities and risk to the organization. IT/Security management should ensure that a detailed risk assessment is performed and that the financial impact of any new risk is accurately identified. This needs to be balanced against the overall business justification for the changes.

Implementation of a Comprehensive Governance, Risk and Compliance Strategy

In a previous article I detailed how to build a comprehensive GRC strategy. This includes a Security Program based on an industry-accepted security framework such as ISO 27001 or NIST CSF. It also includes a Compliance Program to address and monitor the contractual and regulatory standards and controls. The final piece of the GRC framework is your Risk Management Program, which continually monitors and manages existing and new risks as well as measuring the financial impact of each risk to the business.

Train and Educate Employees, Management, Contractors and Third Parties

More than 80% of all breaches include human error. An educated and aware staff is the best way to protect your digital assets. Since most attacks begin with a phishing attack via email or by phone, it is essential that they understand how to recognize potential phishing attacks and not to click on a link or attachment from anyone they do not know. Phone phishing is a social engineering tactic that is being used to get additional personal information. Employees and end users should be suspicious of any callers asking for personal information or asking them to go to a specific website and enter the information. Whether you create your own training or purchase a Security Awareness software product, you will need to monitor and confirm that all users have taken the training. Don’t forget to include your customers and partners in your Security Awareness Program through newsletters or security tips on your customer-facing websites.

Who is Watching What is Coming In and Going Out of your Network?

No matter how good your Security Program and infrastructure are or how well you train your staff, human error (intentional or unintentional) can result in an intruder gaining access to your network and systems. Without continuous monitoring of your network for threats, it is almost impossible to determine that you have been breached. According to IBM, the average amount of time to detect a breach is 206 days. The damage a cyber criminal can do in that time can be devastating to a business.

Consider including Additional Strategies to your Security Defenses

Companies have typically utilized a defensive-only strategy as the foundation of their security program. This approach is destined to fail: eventually the attacker will find a vulnerability they can exploit. If you think in terms of military strategy, a defensive-only strategy will be overwhelmed by a frontal attack unless it is combined with other strategies such as Flanking, Fragment or Feign. Companies must combine multiple strategies if they are to mitigate or stop a threat. In the words of Sun Tzu, “You must know yourself, your enemy and know the battlefield.” Make sure you have a detailed understanding of the strengths and weaknesses of your Security Program and infrastructure. You must also understand how bad actors and cyber criminals think in order to defend against them.

As I mentioned above, the average time in 2019 to identify a breach was 206 days. Since many malicious attacks can move laterally in seconds, relying on manual efforts to respond to and mitigate the attack is a losing battle. Leveraging automation and reducing human interaction should be a priority. You can’t eliminate human interaction completely, as there are still too many false positives being created and some decisions regarding actions still need to be made by humans.

How to Slow Down the Bad Guy

There are many ways a breach or an intrusion can occur, but if it does occur, there are some common things to look for. Once an attacker finds a vulnerability to exploit and gets access to a node on your network, they will typically go into reconnaissance mode: looking for valuable data, watching which users are going in and out of that node, and scanning for other nodes connected to it. Once other nodes are detected, they can move very quickly through the network; this is called “Lateral Movement”. Many intruders will wait for weeks or months just watching and looking for something of value before they launch their attack. Identifying these intrusions as early as possible is critical.

Another Sun Tzu quote that is very applicable is, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”

Incorporating a Feign or deception strategy by utilizing deception technology as part of your technology infrastructure makes sense. This does not mean replacing your existing perimeter security infrastructure but enhancing it. Nor does it replace good security best practices like network segmentation and multi-factor authentication. The purpose of deception technology is to identify a potential threat inside the infrastructure before the actual attack occurs and damage is done. In addition, some of these technologies will slow down the attacker by making it more difficult to identify real targets within the network. In many situations this delay will give the Security Operations Center (SOC) team enough time to respond to the attack and potentially mitigate it. Malicious software moves laterally in seconds, which makes it impossible to defend against with human resources alone. Slowing down the attacker before they can deploy malicious content and identifying the intruder early are key to evening the playing field.

There are several promising deception technologies now on the market that can help. Unlike first-generation deception technologies such as honey pots, the new technologies do not try to attract attackers to a specific node or location but instead create the illusion of thousands of fake or phantom nodes around each real node in the network. Once the attacker touches a phantom node/sensor, your team is immediately alerted to the presence of the attacker. I encourage you to research technologies like these and how they can improve your ability to respond to threats.

First Generation Deception Products

“Honey Pots” were the first type of deception technology to be deployed. The premise was to add to the network a fake node that looks too good for the attacker to resist. Once the intruder touches the honey pot, the security team is alerted and can respond.

Evolution of Honey Pots

Some vendors have improved the honey pot approach by allowing security teams to easily deploy multiple decoys into the network, which improves the chance of attracting and identifying an intruder. One drawback of this approach is that once an intruder is caught or identified, the profile of the decoy is communicated to other cyber intruders so they can avoid it. The effectiveness is dependent on how many decoys are deployed, and increasing the number of decoys also increases the effort needed to configure and manage them.

Implementing an Active and Adaptive Asymmetrical Defense

The introduction of adaptive asymmetrical defensive technology has enabled businesses to identify an intrusion quickly and slow down the attack, giving the security operations team the ability to respond, mitigate and expel the threat.

Instead of attracting intruders to a specific location or locations, these newer technologies place an umbrella of deceptions, or phantom nodes, around the real nodes in your network that act like sensors when they are touched. Once the intruder touches one of these sensors, it alerts the SOC of a potential threat. Decisions can then be made to monitor, isolate or expel the threat; in some products these decisions can be automated. Authorized users do not see these nodes, since they are only visible to unauthorized intruders that are scanning and probing for connected server nodes. I have recently come across a relatively new technology from Ridgeback Network Defense that provides the increased network visibility and rapid alerting the security team needs when an intruder trips one of the sensors. Products like this do a very good job of eliminating false positives, reducing the Security Operations Team’s effort in investigating potential events and allowing them more time to focus on real events. Differences between the various products in this category are mostly around cost, how much effort is needed to set up the product, and ongoing management. There are also differences in the ability to automate mitigation capabilities such as isolating a compromised node or expelling an attacker.

Just to clarify, these types of technologies do not replace your firewalls, intrusion detection and prevention (IDS/IPS) or endpoint detection and response (EDR) solutions. Adding Adaptive Asymmetrical Defense technologies to your existing security infrastructure enhances your ability to identify threats faster and slow down the attacker, allowing your team to respond more effectively.
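To make the two signals described above concrete (an intruder’s reconnaissance fan-out, and contact with a phantom node that no authorized system would ever reach), here is a small detector added for illustration; it is not Ridgeback’s or any vendor’s code, and the addresses, flow log lines and thresholds are all constructed for the example.

```python
"""Toy deception-sensor detector, added example (not any vendor's code).
Addresses, log lines and thresholds below are constructed for illustration."""
from collections import defaultdict

# Constructed: decoy addresses that exist only as deception sensors. No
# authorized system is configured to talk to them, so any contact is suspicious.
PHANTOM_NODES = {"10.0.5.40", "10.0.5.41", "10.0.5.42", "10.0.5.43"}

# Constructed flow log: "timestamp src dst dport", one connection attempt per line.
FLOW_LOG = """\
1000 10.0.1.20 10.0.1.5 445
1001 10.0.1.20 10.0.1.6 445
1002 10.0.1.20 10.0.1.7 445
1003 10.0.1.20 10.0.5.40 445
1004 10.0.1.20 10.0.5.41 22
1005 10.0.1.20 10.0.1.8 3389
1010 10.0.2.15 10.0.1.5 443
1011 10.0.2.15 10.0.1.5 443
"""

def parse_flows(text):
    """Turn the log text into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows

def analyze(flows, phantom_nodes, fanout_threshold=5):
    """Score each source on two signals from the article: contact with a phantom
    node (high confidence) and fan-out to many distinct peers (reconnaissance)."""
    hits, peers = defaultdict(list), defaultdict(set)
    for ts, src, dst, dport in flows:
        peers[src].add(dst)
        if dst in phantom_nodes:
            hits[src].append((ts, dst, dport))
    report = {}
    for src, dsts in peers.items():
        if hits[src]:
            action = "isolate"   # decoy contact: near-zero false positives
        elif len(dsts) >= fanout_threshold:
            action = "monitor"   # scan-like behaviour, hand to an analyst
        else:
            action = "none"
        report[src] = {"phantom_hits": hits[src], "fanout": len(dsts), "action": action}
    return report

if __name__ == "__main__":
    for src, info in analyze(parse_flows(FLOW_LOG), PHANTOM_NODES).items():
        print(src, info)
```

In the constructed log, 10.0.1.20 sweeps several neighbours and trips two phantom sensors, so it is marked for isolation, while 10.0.2.15 talks repeatedly to one real server and raises nothing.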

Sun Tzu’s quote, “All war is based on deception”, applies to cyber war as well. Cyber intruders try to disguise their identity and activity to make you think they are legitimate users, and the SOC team must deceive the intruders into looking in the wrong places, which exposes them and makes them vulnerable.

Until we have advanced AI solutions that can distinguish real threats from false positives and shut them down without the need for human intervention, incorporating deception capabilities into our security strategy and infrastructure may be the best approach for the near future.

For questions or feedback regarding this article, please contact me at: Jeff Brown – [email protected]

Scott Fogarty

CEO, Ridgeback Network Defense

4 years ago

This is an excellent piece! Until there is a cost borne by the attacker, defenders will continue to make expensive investments in people, process and product for defense which just increase their burden, without impairing the attacker.
