A short time ago, in exploring the area of information security defense, I took a step back and wondered: what is the science of defense? How do military strategists think? I’m reminded of one of my favorite Star Trek episodes (TOS), titled “Balance of Terror.” This is the one where the Enterprise first encounters the Romulans, and where Captain Kirk and the Romulan commander engage in an intelligent, chess-like series of moves as the Enterprise strives to make it back from the neutral zone while being followed silently by a cloaked Romulan Bird of Prey. But I digress.
In exploring this, we note that theoretical military strategy teaches that the defender has the advantage. Among other reasons, the defender knows their own territory and typically holds a stronghold, such as a castle or a fort, which the attacker must overcome. Because of this advantage, the attacker typically requires more resources (soldiers, technology, weapons) to attack than the defender needs to defend, all else being equal. However, this does not seem to be the case in the cyber world, where it is generally accepted that the attacker has the upper hand. I found several other cool blogs which cover this, including a recent post by Dr. Anton Chuvakin, as well as a recent article published in SecurityWeek by Tal Be'ery. Tal’s article covers the theoretical concepts which explain why the attacker typically has the advantage in cyberspace, as well as the theoretical concept of how we can regain it. I won’t cover these theoretical warfare concepts here. Instead, noting that the defender controls the territory, I offer two tactical defense ideas for Information Generals to consider.
One way the defender can use their territorial advantage is by misleading the attacker through the placement of decoy IT systems within their operations. These systems appear to contain highly valuable information but in actuality do not. For example, to employ this strategy, an organization could set up various honeypots within its network architecture. When the attacker arrives at one of the front doors, they are drawn to the decoys and spend their valuable time in the wrong areas (wrong from the attacker’s point of view). This has the effect of buying time for the defender, and with this “bought” time, the detection technologies and processes allow the defender to take action and kill the attack chain.
A second tactical method that uses a similar deceptive technique is described in an article published in the MIT Technology Review. In addition to many other information protection mechanisms, valuable data is often protected by encrypting it. In a case where an attacker succeeds in compromising a system and gains access to valuable encrypted data, such as a database containing user credentials, the attacker will often exfiltrate the data and then proceed to guess the passwords using a software tool. With existing conventional cryptographic systems, a bad guess results in the tool returning garbled data, which immediately tells the tool that the guess was wrong. With this technique, referred to as Honey Encryption, every password guess, right or wrong, returns a result which resembles true data, but for the wrong guesses that result is in fact fake data. The result is that the attacker holds nuggets of valuable data buried within a large haystack of fake data, with nothing in the output to tell them apart. The time required to find the value is so vast that by the time the true value is located, users have already changed their passwords.
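A toy illustration of the honey-encryption idea, added here as an example and not taken from the MIT Technology Review article or from any published implementation. It assumes a deliberately small message space (a 4-digit PIN), a SHA-256-derived pad standing in for a real key derivation function, and hypothetical function names (dte_encode, honey_encrypt, guess_results) chosen for this example:

```python
import hashlib
import secrets

# Message space: a 4-digit PIN, 0000..9999 (constructed toy example).
PIN_SPACE = 10_000
SEED_BYTES = 16          # 128-bit seed, far larger than the message space


def _keystream(password: str, salt: bytes) -> bytes:
    """Derive a 16-byte pad from the password. Illustrative only: a real
    deployment would use a slow, memory-hard KDF such as scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode()).digest()[:SEED_BYTES]


def dte_encode(pin: int) -> bytes:
    """Distribution-transforming encoder: map a PIN to a seed chosen
    uniformly among all seeds that decode back to that PIN."""
    if not 0 <= pin < PIN_SPACE:
        raise ValueError("pin out of range")
    k_max = (2 ** (8 * SEED_BYTES) - 1 - pin) // PIN_SPACE
    seed = pin + PIN_SPACE * secrets.randbelow(k_max + 1)
    return seed.to_bytes(SEED_BYTES, "big")


def dte_decode(seed: bytes) -> int:
    """Inverse of dte_encode: every possible seed decodes to some valid PIN,
    so a wrong key can never produce 'garbled' output."""
    return int.from_bytes(seed, "big") % PIN_SPACE


def honey_encrypt(pin: int, password: str, salt: bytes) -> bytes:
    seed = dte_encode(pin)
    pad = _keystream(password, salt)
    return bytes(a ^ b for a, b in zip(seed, pad))


def honey_decrypt(ciphertext: bytes, password: str, salt: bytes) -> int:
    pad = _keystream(password, salt)
    seed = bytes(a ^ b for a, b in zip(ciphertext, pad))
    return dte_decode(seed)


def guess_results(ciphertext: bytes, salt: bytes, guesses):
    """What an offline guessing tool sees: each guess yields a plausible PIN,
    so nothing in the output distinguishes the right guess from the wrong ones."""
    return {g: honey_decrypt(ciphertext, g, salt) for g in guesses}


if __name__ == "__main__":
    salt = b"constructed-salt"        # constructed sample value
    ct = honey_encrypt(4321, "correct horse", salt)
    print(guess_results(ct, salt, ["password", "letmein", "correct horse"]))
```

Run it a few times and note that only the correct password reproduces 4321, while every other guess still returns a well-formed PIN rather than an error.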
To conclude, though the attacker appears to have the advantage in cyberspace by hiding and using guerrilla war tactics, we defenders control our territory and can use this to our advantage. With that, I invite you to explore and share similar devious tactics here in this forum.