By Moshe Ben Simon
From the mid-5th century to the early 13th century, Constantinople was the largest and wealthiest city in Europe and represented the Roman Empire as the most secure and powerful city in the world. Its security architecture was one of the most modern the world had seen to that point, with multiple defensive layers of walls, water canals, and more. Twenty-three attempts made to penetrate the city over hundreds of years all failed. Even the Ottoman army struggled to breach its active defenses. But in the end, all it took was thinking outside of the box to finding a single hole to exploit.
Their boats were unable to break through the great chains and Greek fire boats protecting the city’s Golden Horn harbor. So, instead, they cut and greased hundreds of logs from the nearby forest. Then, while they distracted the city’s defenders with a relentless barrage of cannon fire, they rolled their war boats across the logs, creating a pathway behind Galata—located directly across the harbor from Constantinople—and out of sight of the city. Then, having successfully bypassed the city’s primary water defenses, the Ottomans then relaunched their boats directly into the seaport. Constantinople fell, and all it took was finding and exploiting one tiny chink in the city’s famed defenses.
The point is, attackers have always had a distinct advantage over defenders. In a modern comparison, cyber attackers also seem to have some advantages. They choose the time, place, and manner of engagement. And while defenders must successfully cover every inch of the potential attack surface and repel every attack, attackers can search and search until they find a single weak link in the security chain to exploit.
One way to level the playing field is through a concept known as Active Defense. The U.S. Department of Defense defines active defense as "the employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." From a cybersecurity perspective, this can include a number of strategies, from dynamic data movement and distribution to make it harder to steal, to deception techniques that flood the network with false traffic and servers that lure attackers into tripping alarms and alerting defenders to their presence, to active adversary engagement operations. The strategic combination of these and similar defenses allows an organization to not only counter current attacks but to also learn more about an adversary and better prepare for future attacks.
To help with this strategic approach to security, the MITRE Corporation—a not-for-profit research and development center focused on addressing the cybersecurity challenges directed at the safety, stability, and well-being of the nation—recently released a new active defense knowledge base called MITRE Shield. MITRE Shield is an active defense knowledge base gathered from over 10 years of active defense and adversary engagement experience. It is designed to provide clear guidance to organizations looking to adopt an active defense strategy. Its information spans a wide range of cybersecurity professionals, from high level, CISO/IT Director-ready considerations of opportunities and objectives, to practitioner-friendly discussions of the TTP's available to defenders.
Within the MITRE Shield knowledge base, information about active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations. MITRE Shield is a significant milestone in cyber defense strategies, and provides well-deserved recognition of the value of deception technology. It also documents the rapid adoption of deception technology by organizations around the world—from Enterprises to SMBs—to improve threat detection by identifying the TTP's used by adversaries.
I highly recommend taking a quick look at the MITRE Shield matrix. You will find that many of the tactics defined in Shield can be achieved using deception technology, such as decoy systems, decoy credentials, decoy networks, decoy content, decoy processes, network manipulation, and more. There are a number of deception technologies on the market today. FortiDeceptor, for example, has the ability to create a fabricated network of decoys and lures across both IT and OT segments, enabling the detection of external and internal threat actors across a broad surface, allowing to cover a big part of the MITRE Shield Tactics & Techniques.
Besides the direct coverage of the MITRE Shield Tactics and Techniques provided by FortiDeceptor, the integration between FortiDeceptor and the Fortinet Fabric allows it to be seamlessly integrated into a comprehensive security platform designed to provide consistent prevention, detection, and response across the distributed network. This broad integration allows it to not only detect a threat, but also automatically trigger a policy action with in-line security controls so containment of the threat is undertaken as part of the threat hunting and response sequence, thereby ensuring complete MITRE Shield Tactics and Techniques coverage.
The benefits of using high-end, full-spectrum deception in the context of today's threat detection challenges include:
For more information on how you can reinforce your defenses with proactive Firewall Security, check out Fortinet's FortiGate technology and utilize purpose-built security processors and threat intelligence security services.