Defend forward, which we have written about in previous blog posts, could very well be the future of enterprise cybersecurity. A posture that seeks to gain early understanding and warnings of attacker activity instead of waiting for a breach to happen and then dealing with the consequences, it’s the clearest way to prevent huge data losses and catch experienced attackers off guard.
We think it summarizes the importance and effectiveness of active defense in cybersecurity. You can read more here.
In the original Cyber Strategy, the U.S. DoD associates defending forward with “shaping the day-to-day competition”. This phraseology directly correlates with the advanced deception technique of using deception environments to shape adversarial behavior mid-attack.
By nature, defending forward requires a new, shared battlefield space—the entire concept rests on the idea that the enemy has not yet invaded the home turf. Defending forward means catching the attackers before they infiltrate a network, which necessitates a new battleground.
Enter—the deception environment.
Deception and Defend Forward
Deception technology plays a key role in a defend forward stance. The deception environment should enable active cyber deception operations through campaigns designed to produce custom environments to redirect threats away from production networks and elicit actionable intelligence responses.
Deploying externally beyond your network perimeter allows you to detect attackers before they compromise your internal network. With the deception environment deployed in this configuration, you can collect real-time intelligence that will include both the indicators of compromise (IOC) and tactics, technique and procedures (TTP). This kind of targeted real-time intelligence can then be used immediately to initiate real-time threat hunting on the internal network and can also be used to identify potential weakness in your current security toolset deployment, real-time monitoring reveals threat actors strengths, weaknesses, dispositions, and intentions.
How to Build a Defend Forward Stance
So how does one operationalize Defend Forward? It is important to build a cohesive strategy in order to incorporate defend forward thinking into your current security program. Here we will outline the steps in the process:
1 - Define outcomes and deliverables.
It is important to decide how you are going to measure the outcome of defend forward. Often, engagement is a fantastic way to measure outcomes. The amount of engagement you make with the threat actor in an environment and the length of time they spend in that environment are key metrics when it comes to defending forward. Did the attacker modify their behavior after interacting with your deception environment? Catalogue these outcomes:
- – number of entry attempts
- – amt of time spent in the system
- – number or tools or techniques the adversary deployed (to gain intelligence)
2 - Build a team.
Ask yourself: do you have the right training to stand this up? Perhaps you can take easy steps without investing in technology. Invest in the team you need to carry out the strategy. If you don’t have a dedicated team, when choosing a vendor, look for a company that can provide deception as a service.
3 - Build capabilities within your organization.
Locate people with threat intel expertise in your organization and hone their skill set with deception-based training. SANS has just released a deception workshop. The UK National Cyber Deception Lab is another great resource. Artifice offers training on how to implement strategy.
4 - Buy the appropriate tooling.
There are many options when it comes to using deception. From simple honeypot management systems to free breadcrumbs, simple tools are often available at little to no cost. With a full system, however, you can build multiple campaigns focusing on many different use cases, using deception to focus on all security areas and issues in the company. Deception is especially apt for:
- – Insider threat
- – Post breach lateral detection
- – Pre breach recon
- – Ransomware
5 - Execute and monitor the strategy.
With these things in place, you can now see how much of an advantage your defend forward posture gives you. By investing in tooling you enable your very expensive assets, your people, to do their job with maximum efficiency.
The Importance of Adopting Defend Forward
Enterprise security and risk leaders must expand beyond traditional IT and network firewalls or risk becoming a victim of cyber attack consistently. Observing adversaries’ maneuvers, enterprise security teams can understand their capabilities and techniques. This will enable the security teams to tailor and adapt their security strategy.
We have seen deception to truly work when deployed with a defend forward paradigm. One client was being investigated by attackers, who encountered our deception environments and used appropriate tooling to further investigate our environments. They spent around three hours going through the environments, trying to figure out how large they were. We got them to deploy certain criminal tooling into the environments because they believe they’re in a real environment, giving our client valuable insight into how to protect themselves.
Deploying deception in your enterprise can help organizations detect, disrupt and contain sophisticated cyber adversaries. Deception is one of the best ways to defend forward, as it allows an enterprise to get access to an attacker’s blueprint, giving the enterprise’s security team the advantage.
- – Read the introduction to defend forward at part I in this series >
- – Learn more about the business case for defend forward, at part II in this series >
Luke Wilson is VP of Operations and Partnerships at CounterCraft, with extensive experience in cyber threat intelligence and cryptocurrency investigations, and is on LinkedIn.