We need to focus on the bad guys and their methods instead of playing whack-a-mole with indicators of compromise.
Three years ago, George Tenet — the former US Director of Central Intelligence — and I participated in a fireside chat discussing advances in technology and the fact that not much had changed in cybersecurity between the then-recent WannaCry and NotPetya attacks and the ILoveYou virus 17 years earlier. While the tech world was abuzz with innovation, from self-driving cars to artificial intelligence, devastating cyberattacks still regularly brought nations and corporations to their knees, and the best we could do was pick up the pieces and clean up the mess.
During the 17 years between those two attacks, I ran a team of security developers and operators who deployed and operated one of the most advanced cybersecurity capabilities in the world, defending the largest network on the planet. These were the active defense capabilities deployed to protect the Department of Defense (DoD), and this experience proved to me that a better solution existed. The time has come for the cybersecurity community to embrace this new approach.
A Scalable Solution
While the details of those active capabilities remain classified, the concept around them is not: Rather than chasing millions of indicators of compromise (IoCs — that is, IP addresses, domain names, file hashes, etc.), we identified and neutralized the techniques employed by attackers. Our realization was that since there are far fewer bad guys than systems we want to defend, stopping the bad guys, rather than defending each system, provides a scalable solution. My team, operating this active defense capability, won the DoD CIO award in 2014 for our ability to neutralize Heartbleed for the entire department within hours of the vulnerability’s disclosure.
Here’s how it works: The techniques attackers use differentiate one advanced persistent threat (APT) from another. The techniques are their DNA, if you will. The goal is to find the DNA, excise it from the network sessions, and do that as invisibly as possible. The attacks will fail, and the bad guys won’t even know it (or at least, they won’t know why). New techniques will eventually be developed, but it’s much harder for a bad guy to develop a new attack method than switch out an IoC, which is all that’s required to evade many security systems.
Coming Around Again
Today, many defenders are writing their hot wash reports on their response to the release of the Log4Shell vulnerability. It’s Heartbleed all over again. And ShellShock. And EternalBlue. And a host of others.
I am reminded of that chat with Mr. Tenet as I think about the significant technological advances since then, including quantum computing, digital assistants, and mRNA vaccines. And still, what’s changed in cybersecurity?
Many of you probably answered “zero trust.” However, zero trust isn’t new. It’s a framework to pull together the necessary cybersecurity investments that we’ve all been working on for years. And while I completely support zero-trust efforts, the calculus doesn’t fundamentally change: There are still bad guys out there, and there will always be vulnerabilities in systems for them to attack.
We need to incorporate a new approach to our zero-trust posture. We need to start focusing on the bad guys and the techniques the bad guys employ, instead of playing whack-a-mole with IoCs (even if that game of whack-a-mole is AI-enabled). The most efficient way to scale up and best use ever-scarce talent is to address adversary methods — the DNA.
This approach requires a handful of things that are simple to describe but difficult to execute. If you’re going to look for “adversary DNA,” your false-positive rate must be extremely low; otherwise, the cure will be worse than the disease. Moreover, to find adversary DNA, you’ve got to look deeper into network sessions than ever before, parsing the protocol itself rather than matching strings, and look for things that are often thought to be unobservable. This accurate and deep detection must also be extremely fast — faster than what’s typical on the market today. Detection must be automatically paired with the right response mechanisms such that the adversary DNA is removed, replaced, or transformed in such a way as to render it useless to the adversary and useful to the defender. And this entire process must occur inline — that is, between the adversary and whatever the adversary is going after, whether that’s data, systems, or people.
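To make the “technique, not IoC” idea concrete, here is an added illustration (not the author’s classified capability and not code from any vendor) using the Heartbleed example from earlier. The technique behind every Heartbleed exploit, whatever tool or IP it came from, is a TLS heartbeat request whose claimed payload_length exceeds what the record actually carries (RFC 6520 requires the payload plus at least 16 bytes of padding to fit inside the record). An inline filter that parses the session and checks that one invariant catches the method itself; an IoC blocklist catches only the sources it has already seen. The sample records, the IP addresses, the blocklist, and the rewrite-the-length response are all constructed for this example.

```python
import struct

# TLS record content type 24 is heartbeat (RFC 6520); heartbeat type 1 is a request.
# RFC 6520 requires at least 16 bytes of padding after the payload.
TLS_HEARTBEAT = 24
HB_REQUEST = 1
MIN_PADDING = 16


def parse_tls_record(record: bytes):
    """Split one TLS record into (content_type, version, body); raise on truncation."""
    if len(record) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("TLS record truncated")
    return ctype, version, body


def max_legitimate_payload(body: bytes) -> int:
    """Largest payload_length a heartbeat body of this size can honestly declare."""
    return max(0, len(body) - 3 - MIN_PADDING)


def heartbeat_overread(body: bytes) -> int:
    """Bytes the heartbeat claims beyond what the record carries (0 means consistent).

    This is the technique: the claimed length is the 'DNA' of the attack, independent
    of which IP, tool, or campaign sent it.
    """
    if len(body) < 3:
        return 0  # not even a full heartbeat header; a compliant server drops it
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    return max(0, claimed - max_legitimate_payload(body))


def ioc_only_verdict(src_ip: str, blocklist: set) -> str:
    """The whack-a-mole approach: only a source already on the list is stopped."""
    return "block" if src_ip in blocklist else "pass"


def inline_filter(record: bytes):
    """Technique-level inline check. Returns (verdict, record_to_forward).

    When the claimed length is inconsistent, the response is a transform rather than
    a drop: rewrite payload_length to what the record really carries, so the server
    can only echo bytes the client actually sent and the over-read yields nothing.
    """
    ctype, _version, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT or heartbeat_overread(body) == 0:
        return "pass", record
    safe_len = max_legitimate_payload(body)
    new_body = body[:1] + struct.pack("!H", safe_len) + body[3:]
    return "neutralized", record[:5] + new_body


def make_heartbeat_record(claimed_len: int, payload: bytes,
                          padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a TLS 1.1 heartbeat request record (helper for constructed samples)."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples, not captured traffic.
BENIGN_RECORD = make_heartbeat_record(4, b"ping")              # claims 4, carries 4
EVIL_RECORD = make_heartbeat_record(0x4000, b"", padding=b"")  # claims 16384, carries 0
KNOWN_BAD = {"198.51.100.7"}                                   # hypothetical IoC list


if __name__ == "__main__":
    for label, rec in (("benign", BENIGN_RECORD), ("exploit", EVIL_RECORD)):
        verdict, out = inline_filter(rec)
        print(f"{label:8} technique-check={verdict:12} forwarded={out.hex()}")
    # The same exploit from a fresh IP sails past the IoC list.
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(f"ioc-only {ip:14} -> {ioc_only_verdict(ip, KNOWN_BAD)}")
```

The check is a single length comparison, so its false-positive rate on well-formed traffic is zero by construction, and it runs in constant time per record, which is what makes it usable inline. Switching IPs, domains, or tooling does nothing against it; the attacker has to find a different technique.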
A Better Way Forward
What if there were a way to stop adversaries with extreme accuracy and speed before they enter or leave your network? This better way is possible — I’ve seen it in action. It requires a fundamentally new approach.
It’s time to stop playing this endless game of IoC whack-a-mole. The bad guys are winning because, while the cybersecurity industry continues to deliver better tools to understand and sometimes respond to threats, we have yet to see much that stops the threat before it’s too late.