Hitting Hackers Where it Hurts
“Hacking back” is all the rage right now in angst-fueled discussions. But, hacking back is a horrible idea (unless you are a nation state, and even then, maybe check with the Commander-in-Chief first). Hacking back will simply land you in jail and won’t do any good – do you even know how to appreciably affect the operations of the various hacking groups out there? Which one would you go after? How do you even know it was the one that got you?
But, that doesn’t mean giving up, nor does it mean buying yet another next-generation prevention or protection gizmo or service.
Instead, it is time to make the hacker's life difficult AFTER they get inside your network. Sure, it sounds counter-intuitive, but it's time to recognize that security solutions can't stop 100% of network intrusions. Someone will click on the wrong link, something won't get patched, someone will insert the wrong USB, and the list goes on.
So, instead of burying our heads in the sand and pretending this won’t happen, let’s prepare for it.
Today, once an attacker gets inside, they (and it is often a group with different specialties rather than just an individual) essentially have free rein. The statistics back this up: attackers typically enjoy months of unfettered access before they are detected, and more often than not it isn't the victim that detects the attack but some outside entity (a bank via fraud analysis, or law enforcement).
It doesn’t have to be this way. When the attacker arrives on the target network, they don’t know anything about the environment. They don’t know what services run where, what the network topology looks like, what users normally do, etc. And in order to achieve an objective (whether theft, destruction, or other), attackers need to go about a very active process of learning what is what (reconnaissance) and ultimately figure out how to gain access to what they want (lateral movement).
Despite the glamour attached to stories of autonomously propagating code perpetrating an attack without human supervision—like Stuxnet—99.9% of the time attacks are time-consuming, manual operations. And they are anomalous when compared to the normal (even if chaotic) day-to-day operations of your users and devices.
So, rather than trying to catch attackers by looking for malware and packet signatures or sandbox activity (i.e., the same techniques they have already evaded to get in), a defender would be wise to leverage their natural advantage: they own the environment, so they can monitor it and learn what normal looks like.
Learn your network, and detect the anomalies that an attack by necessity introduces during the course of recon and lateral movement. Or, more realistically, find a Behavioral Attack Detection product that can use machine learning to do that for you automatically. Also read my white paper on a new perspective on fighting targeted attacks, "Flip the Odds: Using Behavioral Attack Detection Against Advanced Attackers".
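To make the "learn your network, then flag the deviations" idea concrete, here is an added example that is not code from the original post or from any product it mentions. It builds a baseline from a constructed learning-period connection log (which destination/port pairs each workstation talks to, which hosts each user reaches), then runs a later observation window against that baseline and raises two kinds of alert: a recon-style fan-out to addresses the host has never touched, and an admin-port session from a user to a known asset that user has no history with. The log field layout, host names, port list and the fan-out threshold are all assumptions chosen for illustration.

```python
# Added example (not from the original post): baseline-and-deviation detection
# of the reconnaissance and lateral-movement patterns the post describes, run
# over constructed connection-log lines. Field layout, host names, ADMIN_PORTS
# and the fan-out threshold are assumptions for illustration.
from collections import defaultdict

# Ports an interactive or administrative session normally rides on (assumption).
ADMIN_PORTS = {22, 445, 3389, 5985}

# Constructed "learning period" log: timestamp src_host user dst_host dst_port
BASELINE_LOG = """\
2024-01-08T09:01:00 ws-alice alice fileserver 445
2024-01-08T09:02:00 ws-alice alice mail 443
2024-01-08T09:03:00 ws-alice alice intranet 80
2024-01-08T09:05:00 ws-bob bob fileserver 445
2024-01-08T09:06:00 ws-bob bob mail 443
2024-01-08T09:07:00 ws-bob bob db01 1433
2024-01-09T10:00:00 ws-alice alice fileserver 445
"""

# Constructed observation window: normal traffic plus one workstation that
# sweeps a range of never-contacted addresses and then opens RDP to db01.
OBSERVED_LOG = """\
2024-01-15T09:00:00 ws-alice alice fileserver 445
2024-01-15T09:01:00 ws-bob bob mail 443
2024-01-15T09:10:00 ws-alice alice 10.0.0.11 445
2024-01-15T09:10:01 ws-alice alice 10.0.0.12 445
2024-01-15T09:10:02 ws-alice alice 10.0.0.13 445
2024-01-15T09:10:03 ws-alice alice 10.0.0.14 445
2024-01-15T09:10:04 ws-alice alice 10.0.0.15 445
2024-01-15T09:10:05 ws-alice alice 10.0.0.16 22
2024-01-15T09:20:00 ws-alice alice db01 3389
"""


def parse(log):
    """Turn the whitespace-separated log text into a list of records."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, port = line.split()
        records.append({"ts": ts, "src": src, "user": user, "dst": dst, "port": int(port)})
    return records


def build_baseline(records):
    """Learn what is normal: which (dst, port) pairs each source host talks to,
    which hosts each user reaches, and the set of hosts anyone reached at all."""
    host_pairs = defaultdict(set)
    user_hosts = defaultdict(set)
    known_hosts = set()
    for r in records:
        host_pairs[r["src"]].add((r["dst"], r["port"]))
        user_hosts[r["user"]].add(r["dst"])
        known_hosts.add(r["dst"])
    return {"host_pairs": host_pairs, "user_hosts": user_hosts, "known_hosts": known_hosts}


def detect(baseline, records, fanout_threshold=5):
    """Flag two deviations from the baseline:
    - recon: a source host reaches at least `fanout_threshold` distinct
      (dst, port) pairs it never contacted during the learning period;
    - lateral_movement: a user opens an admin-port session to a known asset
      that user has no history with.
    Returns a sorted list of (kind, details) tuples."""
    new_pairs = defaultdict(set)
    alerts = []
    for r in records:
        pair = (r["dst"], r["port"])
        if pair not in baseline["host_pairs"].get(r["src"], set()):
            new_pairs[r["src"]].add(pair)
        if (r["port"] in ADMIN_PORTS
                and r["dst"] in baseline["known_hosts"]
                and r["dst"] not in baseline["user_hosts"].get(r["user"], set())):
            alerts.append(("lateral_movement", (r["user"], r["src"], r["dst"], r["port"])))
    for src, pairs in new_pairs.items():
        if len(pairs) >= fanout_threshold:
            alerts.append(("recon", (src, len(pairs))))
    return sorted(alerts)


def run():
    """Baseline on the learning log, then score the observation window."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(baseline, parse(OBSERVED_LOG))


if __name__ == "__main__":
    for kind, details in run():
        print(kind, details)
```

Two design points are worth noting. Neither rule looks at payload or malware signatures; both fire purely on a departure from learned behaviour, which is the advantage the post argues a defender has. And the lateral-movement rule deliberately requires the destination to be a known asset, so a sweep of never-seen addresses is counted once as recon fan-out rather than as dozens of lateral-movement alerts; in a real deployment the learning period would be longer and the thresholds tuned per environment.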