The value of impediments
How to be more trouble than you’re worth
Effective deterrents prevent unwanted activity by threatening negative consequences; the threat of being caught, arrested, and sentenced is generally the best deterrence against crime. Unfortunately, effective deterrents do not exist in the world of cyber security.
Organizations (and regulatory bodies and law enforcement agencies) have very few ways of punishing or otherwise harming cyber attackers. The likelihood of catching cyber criminals is very low, and it is also very difficult to prosecute them because they often operate globally.
Concepts like ‘hacking back’ (legalized intrusive action against cyber criminals by private organizations) are regularly discussed, but they have so far always been rejected due to concerns around transparency, the potential for misattribution, and the potential for collateral damage.
What can we do?
Where deterring attackers is impossible or impractical, organizations can turn to impediments.
You cannot expect to actively punish threat actors who target you. But you can design your defenses so that you are more trouble than you are worth, making yourself an unattractive cost/benefit equation in the eyes of an opportunistic threat actor.
Impediments are designed to waste attackers’ time and money. Effective impediments buy time so that defenders can detect and contain the attacker and may frustrate the attacker so that they abandon their activities.
Examples of types of impediments include simple layers of defense, which an attacker must spend resources to penetrate; withholding information that would make an attack easier; and collaborating with other organizations and individuals to share knowledge and reduce the effectiveness of known attack paths.
Imagine your organization is a castle surrounded by a tall stone wall. The wall is old and has many places where the stone has broken or the mortar has fallen away. Its surface is so uneven that an attacker could easily climb over and sneak into your castle.
In this scenario, a deterrent would be armed guards stationed on the top of the wall, ready to capture any attacker who reached the top.
But that attacker could also be impeded by improvements to the wall. If you filled in the cracks and holes, the wall would be much harder for the attacker to climb. It may even become so difficult that the attacker gives up and goes away
Get the basics right
Some of the most important impediments to a cyber attack are also some of the easiest and cheapest to implement - within the reach of every organization. Practical policies that follow current best practice around passwords, authentication, restrictions, education, and physical security are the foundation of cyber security, and although most people understand these basics, they are still often neglected.
The best way to defeat security controls is to simply step around them. Forcing the attacker to interact will make it harder for them to progress and make it easier for the defenders to detect and contain the attack.
The two main elements of increasing friction are:
- control access
- separate elements of the network.
Aside from designing your network to increase friction, it is important to manage your assets properly to impede attackers.
Patch known vulnerabilities
Make attackers’ jobs more difficult by patching known vulnerabilities in all your assets. Doing so will deny attackers of an easy foothold into your environment.
A vulnerability patching process is useless without a thorough understanding of the assets in your environment (both on and within the attack surface). At a minimum, you should have a complete list of assets. Ideally, these would also be prioritized in order of patching urgency, should a vulnerability become known.
Minimize attack surface
An 'attack surface' refers to an organization’s externally facing assets that could be targeted by an attacker aiming to gain unauthorized access to resources or to exfiltrate sensitive data. Common elements of a modern attack surface include externally facing websites and services, cloud hosting providers, third parties, and content delivery networks, as well as information assets such as source code, configurations, and databases stored in buckets or code repositories.
Threat actors targeting a specific organization will map the attack surface to determine the easiest routes into the environment. The larger the attack surface, the easier it is for the threat actor to find an entry point. Threat actors choosing which of two target organizations to attack will choose the one with the largest attack surface, all else being equal.
Minimizing your attack surface as far as possible is therefore an effective impediment against attackers, who may need to spend expend much more effort to breach a well-managed attack surface then they would for a larger, uncontrolled one.
It is vital that you remember to secure or protect any assets that remain in the attack surface, as minimizing the attack surface is ineffective if the resulting assets are easy targets for attackers. Attack surface management shouldn't be relied upon as a complete solution: much more should be considered when assessing perimeter risks, such as understanding how the organization might be targeted by particular threat actors, as well as which assets are considered critical and most at risk.
Read this for more information about attack surfaces and to learn about our external attack surface management service.
Control open-source intelligence
Every organization generates publicly accessible information, which is often uncontrolled. It comes from sources like the organization’s website, marketing campaigns, social media, independent news reports, job adverts, public reviews of the company from former employees, and so on. This type of information is known as open-source intelligence (OSINT)
Threat actors can learn a surprising amount about an organization and how it might be successfully attacked through OSINT. For example, the job adverts for the security team in a specific organization can give attackers huge insight into how security is managed there; if the advert specifies that a candidate must be proficient in a specific endpoint detection and response technology, the threat actor then knows that it is an element of that organization’s cyber security.
Controlling OSINT is therefore a valuable, if difficult, task. If you can limit or control how much OSINT is available, threat actors have to work harder to understand your environment and defenses and, if they do attack, will be more likely to get caught by defenses that they did not know to prepare for.
Unlike with attack surface management, you should not necessarily aim to reduce OSINT to a minimum. Effective OSINT control is about making conscious, informed choices about what information will be valuable to threat actors.
For example, an organization that has won a cloud security award may want to publicize that information, but they should consider that some threat actors will see it and want to test their skills against their top-tier security system.
It is worth defining policies around the types of information that should be shared publicly and educating employees about the dangers of uncontrolled OSINT.
Story from an incident responder
“I remember an attack by a state actor. We found that they were monitoring certain users’ email boxes. We googled these users and immediately found their profiles on the company webpage, with a little bio that explained what projects they were working on. That public information put a giant target on the back of those employees.
~ WithSecureTM incident responder
Gather and share information about attackers
Threat actors are innovative. New attack techniques are constantly emerging, which makes it difficult for defenders to prevent and mitigate damage.
However, sharing information about these techniques—whenever possible—is a significant nuisance to threat actors. When this happens, their techniques become much less effective as organizations work out how to defend against them. Threat actors must then spend time developing new techniques, which is time that cannot be spent in more lucrative adversarial activity.
You can share information about attackers and attacks online, such as on the VirusTotal site. Remember, though, that these sites are often monitored by attackers. Uploading information about a new technique as it is being used in your environment can alert attackers to the fact that they have been discovered. It is better to wait to share information until after the attacker has been contained or ejected.
Some organizations share details about attacks in private channels, which has the advantage of not alerting the attackers that they have been detected.
A honeypot is a trap designed to lure in attackers. It is essentially a decoy, and in cyber security often takes the form of an entire computer system, including realistic activity and data.
The honeypot will often be ‘baited’ so it becomes tempting target, either by loading it with fake but appealing assets (like billing information) or by worsening its security posture slightly (such as by securing it with weak passwords). You can also create honeypot accounts, which are cheaper and easier to deploy, maintain, and monitor.
Honeypots are useful for many reasons, not least because they can prevent attackers from acting on your legitimate systems. They can also enable the detection of attackers who are using legitimate credentials and masking their activity by using as little malware as possible, because any activity in a honeypot is suspicious.
Critically, though, when hackers attack the honeypot, the organization gets valuable information about how attacks may be conducted, what triggers to monitor, what cyber criminals are most interested in, and so on.
Build a reputation
You can build a reputation as an organization that regularly or consistently shares information about attackers and attack paths, which may make threat actors think twice about spending their resources on you.
Summary of recommendations
You can take many actions, even in smaller organizations, to impede attackers. These include, but are not limited to:
Remember that these techniques, although effective and useful, cannot replace a complete cyber security solution. You aways need to be prepared to mitigate attacks that penetrate the outer layers of your defense.
Visit our website to learn more about holistic cyber security.