Can anyone keep hackers out? Nope, and that’s not a problem
As cyber investigators continue to examine the SolarWinds attack, a more complicated picture of what actually happened has begun to emerge. The Acting Director of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Brandon Wales, said that federal investigators had found Russian intelligence agents alleged to have been behind the SolarWinds hack actually used a variety of techniques well beyond the eponymous compromised software. Wales added that Russian agents creatively used multiple hacking methods, so many in fact that the incidents “should not be thought of as the SolarWinds campaign.”
The myriad ways Russian hackers pursued their victims also reveals a larger truth about cybersecurity in the 21st century, namely this: While thoughtful cyber defenses remain a necessity, no system is impenetrable.
If the U.S. government, which dedicates more time, energy, and funds to cyber defenses than any other regime on the planet, can be so thoroughly penetrated by a determined cyber foe, then American businesses should disabuse themselves of any notion that they can keep motivated hackers out of their systems.
Accepting that, if they want to, hackers will inevitably find their way into IT systems regardless of the level of defensive resources applied — whether public or private — is, however, very different from conceding that entities will inevitably suffer damage in a cyberattack. Far from it, actually.
The ill-named SolarWinds hack actually serves as an excellent reminder that successful cyber defenses involve techniques and protocols well beyond firewalls and other systems designed to prevent bad actors from getting into protected networks. Multiple types of defenses are needed so that when the unavoidable hacker penetration occurs, governments and companies alike are quickly able to spot the intrusion and limit its damage.
Cyber experts regularly speak of the need to maintain “layered defenses” as part of any reasonably successful cybersecurity program. By that they mean not just thick digital castle walls designed to keep out bad software, but also systems designed to quickly detect successful hacks so infiltrators can be expelled as fast as possible.
Quick detection of hackers typically relies on identifying suspicious internal network traffic, euphemistically referred to as “lateral movement” by information security professionals. Just like it sounds, newer, well-designed cybersecurity systems are engineered to include tools that can quickly and precisely detect activities and traffic that signal an intruder has illicitly gained access to a system and is hunting for its intended target.
As the research giant MITRE puts it, hackers must first explore the network they have hacked into before finding their target (e.g. classified information, critical control systems, etc.) and subsequently gaining access to it. Most hackers will be forced to spend significant time and effort surreptitiously moving through internal systems to access their eventual virtual prize.
Numerous tools and techniques have been created to help catch hackers as they creep around internal systems. Examples include “real-time monitoring,” which involves collecting, normalizing, and correlating data across an environment to deliver immediate alerts that highlight suspicious activity. Real-time monitoring can be even more effective when paired with NIST-recommended decoy systems.
This is a newer variation of lateral movement detection which works by turning the tables on hackers, luring them instead into a faux network. Deception or “adversary management” tools work by creating facsimile network environments. These serve the specific purpose of fooling hackers into believing that they have penetrated outer cyber defenses rendering their searches for high-value data and access moot.
Deception environments are about more than being mere cyber-Potemkin villages — they lure hackers into a controlled environment where security specialists can observe their actions. By squirrelling the hackers into a dummy network where they can cause no actual harm to their intended victims, cybersecurity pros are able to catalogue the malicious tools and techniques used by the attackers.
What makes the use of deception environments particularly attractive in the wake of the latest spate of hacks is their proven history of effectiveness. Several years ago, for instance, French President Emmanuel Macron’s campaign was targeted for data theft by, you guessed it, Russian hackers.
During the 2017 presidential campaign, Macron’s staffers received intelligence that they might be subject to a Russian attack. Instead of trying to fend off the hackers, they decided to act first by using deception techniques: in this case, fake campaign accounts populated with phony memos and data.
The deception efforts worked like a charm for Team Macron, and when the Russians leaked the “stolen data,” it landed with gigantic thud. French cybersecurity experts were not only able to quickly show that the stolen data was in fact bogus, but also demonstrate with great certainty the leak was part of a foreign influence effort. Reassured, French voters quickly moved on and Macron rolled to victory.
U.S. government officials have taken this and other lessons to heart. The Commerce Department’s National Institute of Standards and Technology has for instance issued final guidance suggesting the use of deception techniques, and more recently the Defense Department’s cutting edge Defense Innovation Unit announced it had made a significant investment in deception systems in order to better trap and observe hackers. MITRE also wrote a compelling whitepaper for the DOD titled ‘The Cyberspace Advantage: Inviting Them In’ recommending the consideration of deception across the department and its defense industrial base.
Regardless of the specific tools used, the principle remains clear — cyber defense strategies that rely solely on keeping hackers out of a system are bound to fail under enough pressure. Instead, governments and companies alike need to invest in a variety of cyber fortifications, including ones designed to quickly spot intruders, and perhaps even let them roam around for a bit in a controlled environment. Smart investments like that will almost assuredly cut back on successful cyberattacks like SolarWinds (or whatever you want to call it).
Brian Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP in Washington D.C.. Follow him on Twitter @BrianEFinch
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.