Tactics for Cyber Escape and Evasion
It has become a common occurrence to hear about companies, governments and individuals being compromised by hackers.
Thanks to Anonymous, “the Chinese” and a bunch of kids from a country no one can pronounce, security has become a household word.
Seemingly overnight, information security has moved from a cottage industry to one that finds its sordid tales on the cover of every major periodical and leading every major newscast. It’s no secret that this condition exists because our adversaries have been and continue to be successful, to the tune of billions of dollars in intellectual property, bank accounts and defaced reputations.
Things have gotten sideways.
Many continue to ask why this situation persists, or from some perspectives, worsens. The answer is simply Newtonian: an object that is in motion will not change its velocity unless an unbalanced force acts upon it.
It’s time for an unbalanced force.
The US Military has developed tactics for when things get really sideways: those life-or-death situations when you’re injured, surrounded by enemies and cut off from your support network. These tactics are called Escape and Evasion, and their applications aren’t limited to military survival.
As you read this, your critical assets sit unprotected. Not because you haven’t deployed firewalls, access controls and network segmentation, but because when those security controls are compromised (and they will be) those critical assets will be unable to protect themselves. They are inherently vulnerable, which is why they need compensating controls.
Enter Cyber Escape and Evasion.
For decades security professionals have been hardening perimeters, blacklisting bad actors and “locking things down”. These practices emerged when cyberwarfare was symmetric, when adversaries were [better] known and when cyberassets were few[er]. Sadly, these practices remain the foundation for many organizations, despite dramatic changes in attacks and attackers.
There are, however, some new concepts emerging regarding the protection of critical assets.
Imagine that your confidential data was camouflaged such that an unauthorized intruder couldn’t tell the data from the container. Imagine that your sensitive information assets were stored so randomly that hackers couldn’t make sense of them, even if they were discovered. Imagine that you deployed information decoys in such a way that it was difficult or massively time-consuming to tell which was the real source. Imagine that your sensitive data, once removed from its authorized container, could poison itself, much like the ink canister that is thrown into a bag of stolen cash.
What if the next time you were attacked, you could flood your attacker with false positives and false negatives, effectively disabling their ability to penetrate your network?
These are just a few of the security tactics that are starting to get real attention. Each of these concepts moves security controls closer to the asset and emphasizes intelligence over building walls.
If you trust statistics, an intruder has already compromised the networks of 1 out of every 10 people reading this blog post. 6 more of those 10 will be hit sometime later this year. A recent study showed that most security professionals expected their security program to fail when it was truly tested.
I’ll save you the angst of asking the same question.
If there was ever a time to inventory your assets, pack a “go” bag and assess your capabilities, it’s now. Things have gotten sideways and your firewall can’t save you. Your critical assets are either going to keep calm, signal the rescue chopper and be exfiltrated by their Security Officer, or they’re going to apply a tourniquet and die quietly as they’re dragged off to a POW camp.
What are your orders, sir?