How small security teams can benefit from simple attack detection and response
Article by Attivo Networks A/NZ regional director Jim Cook.
Many Australian organisations rely on a small security team to protect a comparatively large number of employees. A recent report by McAfee suggests employing an average of 9.7 cybersecurity personnel in organisations of up to 500 employees in Australia. Extrapolating from this ratio, that’s 0.3 FTE in a small company of up to 20 staff, up to a team of 3-4 security professionals looking after a mid-sized Australian organisation (which, by official definition, has 20-199 staff).
That seems about right. From experience, most organisations get by with low levels of internal security resourcing, due in no small part to how expensive it is to assemble and maintain a proper security team. Unemployment among cybersecurity professionals is zero per cent and anticipated to stay that way through at least 2021, providing some indication of the demand for skills and cost to have them in-house.
One thing the McAfee report nails is that an average cybersecurity team in a small or medium-sized business is “expected to multitask more and be able to manage a broader range of cybersecurity activities” than they would in a larger environment.
For better or worse, and out of necessity, they become a team of ‘cyber generalists’.
When you have a small, expensive, generalist security team, it is an inefficient use of their time to be chasing down ghosts and false positives. In the past, this has often meant calling in third-party resources for additional support. Deloitte estimates that third-parties pick up work in almost all cybersecurity operations. In 14 per cent of cases, organisations outsource over half of cybersecurity workloads, while up to 65 per cent of security chiefs outsource up to one-third of all work.
The emergence of new, more efficient ways to augment internal capacity and capability has security teams re-evaluating outsourced arrangements once more. Deception technology, in particular, is helping ease the defensive burden on small security teams.
Tipping the balance back in favour of defenders
Deception technology is already widely adopted around the world, though is not as well understood in Australia. It uses in network traps and decoys - mirroring genuine files, systems and even credentials, as well as “sleight-of-hand” misdirections - to fool attackers into thinking they are progressing their attack, whereas in reality they are expending their time and resources in the security team’s decoy environment. With machine learning techniques, a deception solution efficiently manages the environment, keeping it attractive to derail attackers with very low administrative overhead.
The majority of organisations adopt deception technology because it delivers alerts that matter. This ability can be critical for small security teams that either don’t have the capacity or skills to sift through massive amounts of data or alerts to find the critical one. Notably, even the slightest engagement with these decoys triggers an alert that enables security teams to begin monitoring and recording the attackers’ behaviour, safely within a deception sandbox. That intelligence might show what attackers are looking for and how they’re going about it, helping inform the organisation’s security strategy and guide the strengthening of defences.
Keeping attackers occupied investigating the traps and lures one has laid gives them less time to spend attempting to infiltrate the real assets those instruments of deception are protecting. Bait and misdirections can also disrupt attackers by providing altered data that nulls the value of their automated tools.
It’s also possible that attackers will abandon their attack and look for a softer target, once they realise that decoys and deceptions have made their activity increasingly complex. They can no longer trust in what they see or the tools that they use.
In that way, Deception Technology is the augmentation and assistance that many one-person and otherwise small security teams need to tip the scales back in their favour. It allows small teams to prioritise their efforts by removing false positives and nuisance alerts, and by providing easy-to-understand early detection with actionable results, reducing the time spent on analysis and response.
Dealing with ransomware
With ransomware rising year after year, organisations face another threat – data destruction. Ransomware differs from other types of attacks in that the object is immediate notification of infection to extract monetary payment. Attackers are not interested in remaining hidden for extended periods but with infecting a large number of systems and backups to obtain the highest possible ransom payments. The organisation must decide between paying the ransom or risking permanent data loss.
Deception technology provides a way to detect the spread of Ransomware early and gives security teams a means of fighting back which reduces the effectiveness and reach of a ransomware attack. One of the functions of decoys is to act as file servers. The deception platform can map hidden shares from production systems to these fake file servers. Regular users would not see these network shares, but ransomware and automated scans that attackers use will reveal them. As the ransomware spreads to the fake share, it encrypts useless decoy files while the security team receives an alert of the activity.
As the ransomware encrypts the fake share, the deception platform can slow its activity by limiting its connection speed and by feeding it additional fake files to stall the attack. This delay gives small security teams time to isolate the infection, identify the infected endpoint, and eradicate the malware before it damages something valuable.
Why this matters
Successful attacks often have devastating consequences for victims. High profile attacks on Australian organisations recently have taken months to recover from properly.
Attackers are often after credentials. Getting them allows attackers to escalate privilege and move laterally within a computer network, gain administrative access to systems, or perform account takeovers and identity theft. Recent breach numbers from the Office of the Australian Information Commissioner (OAIC) link the majority of reportable cyber incidents in the latter half of 2019 (121 of 230) to the compromise of credentials.
“In many of these incidents, the malicious actor gained access to personal information
stored in email accounts. However, in a significant number of cyber incidents (74) the entity experiencing the breach was unable to identify how the malicious actor obtained the compromised credentials,” the OAIC found.
Organisations using deception technology are better-prepared to avoid this situation because they have a front-row seat to all the attacker’s activities, feeding fake credentials to them while keeping the real ones secure. Early detection also means small teams can act quickly and limit any potential fallout.
The average time to identify and contain a breach is 279 days, according to IBM. There is some variation in this number across studies, but it’s almost uniformly at least six months. With deception technology, detection is up to 12X faster. Organisations can detect and repudiate attacks in days.
Every second counts in incident detection and response, so it is critical to make the most efficient use of the teams, technologies, and knowledge available.