Defense strategy: paradigm change
In my previous post (So…you want to be a threat actor?), I mentioned a discussion about a defense strategy I believe in, and in this post I will explain its concept.
I want to start with a very (in)famous saying in cybersecurity: “Attackers only need to win once, defenders need to win always.” That’s not true. Or is it?
I think it is both true and not true. How can that be? Because it depends on the point in time we are discussing. If we are looking at the start of an operation, where the adversaries are collecting information, preparing a target list, discussing various vectors of entry, sharpening and customizing their tools, and also at the actual initial attacks where they are trying to get the initial foothold, then it’s true: they only need to succeed once to get in. And in order to prevent it, the defenders need to succeed all the time. A bit unbalanced, right?
BUT! What happens once they are inside? A lot changes. Actually, I claim that the paradigm changes completely, and is turned 180 degrees. Looks like balance is back in the picture. Now the adversaries need 100% success, while the defenders need to succeed only once. Why?
Once the adversary is inside the network and/or organization, they are operating in unknown territory. The defenders know the environment much better than their adversaries, they control it (especially at the initial stages of the attack), and once they get the initial alert (the adversaries’ “mistake”) they have a loose thread to start pulling: they know someone is inside, and they can start hunting and eliminate the operation.
I’ve said that the earlier the stage, the more advantage there is for the defenders, so what can they do to extend that period and improve their chances of winning?
First, there is the need to acknowledge and understand that we won’t be able to prevent all attacks. Eventually, someone will get in. Yes, that makes us uncomfortable, but it is inevitable. Once we understand and embrace that concept, we can move forward and deploy additional, different defenses that are meant to increase the defenders’ chances. Those defenses are divided by the effect they have on the adversaries:
- “Dragging” - the things that will slow the adversaries down. It might slow down their tools, it might slow down their decision making, it might slow down their entire operation, and it might even send them back to the drawing board more often than they planned. It doesn’t only buy the defenders time; it also hurts the adversaries’ operational confidence.
- “Friction” - those defenses are meant to increase the adversaries’ friction. Friction with what? Everything possible. Do they need to use more tools? More techniques? Touch more files? Systems? Users? The more actions they carry out (that interact with anything inside the organization), the more their friction increases, and that increases the likelihood of them making a mistake and/or being discovered, and of course leaves more crumbs in the trail, ending up increasing the defenders’ chances of identifying the attack and stopping it early. It is important to remember that friction causes heat, and enough friction will burn something, and we want their operation to burn as soon as possible.
What are some things we can introduce to have those defenses? At first (and probably not surprisingly) I believe we should consult with our offensive experts, to hear from them what makes them stop and think, what they hate having in an operation from an operational view, what confuses them and what makes them reconsider their initial plans. Have them red team themselves. Some examples I’ve come up with so far are:
Deception - I’m a big believer in deception strategies, and they can be deployed in multiple ways:
- Fake users
- Fake computers
- Fake documents
- Fake networks
You get the concept. The quality of deception is in how it’s planned and implemented - and I think you should have everything: exaggerated deception (FakeAdmin as a username, for example) and also not-so-easy-to-detect names, and sprinkle that everywhere. Remember, we are not depending only on the adversary touching it; even if they just stop to think “huh?” or “HAHA”, we got what we wanted, even if it’s less than what we want (and that’s where we should improve). Even leave “boobytrapped” tools - think about leaving a not-really-working copy of PsExec on an IT person’s machine, or a fake copy of Mimikatz in a folder named “Pentest” - the options are endless. This serves both types of defenses: it makes the adversaries drag because they need to stop and think (is it deception? should I touch it?), and it also increases friction, because if they touch it they are burned.
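The “if they touch it they are burned” part only works if something is actually watching the decoys. As an added example (not code from the original post), here is a small honeytoken detector: it keeps an inventory of decoy identities, runs over a constructed set of simplified logon and file-access events, raises an alert for every decoy that is touched, and then pivots the alerts by source host, which is the “loose thread” the defender starts pulling. The decoy names other than FakeAdmin, the hostnames, the paths and the log lines are all constructed for this example; the event IDs loosely follow Windows Security logon/file-access events but the records are simplified, not real exports.

```python
"""Honeytoken detection over constructed log lines (added example).

Decoy inventory, hostnames and log records are constructed for this
illustration. Event shapes loosely follow Windows Security events
(4624 logon success, 4625 logon failure, 4663 object access) but are
simplified JSON, not real log exports.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed decoy inventory. "FakeAdmin" is the exaggerated decoy from the
# post; the other names are hypothetical "not so easy to detect" decoys.
DECOY_USERS = {"fakeadmin", "svc_backup02", "j.harrington"}
DECOY_HOSTS = {"fs-legacy-01", "db-archive"}
DECOY_FILES = {
    r"c:\pentest\mimikatz.exe",          # the fake Mimikatz in a "Pentest" folder
    r"c:\tools\psexec.exe",              # the not-really-working PsExec copy
    r"\\fs-legacy-01\finance\passwords.xlsx",
}


@dataclass
class Alert:
    kind: str     # which kind of decoy was touched
    decoy: str    # the decoy identifier that was touched
    source: str   # host the activity came from (the pivot key)
    raw: dict     # the original event, kept for the analyst


def check_event(ev):
    """Return an Alert if this event touches a decoy, else None."""
    user = ev.get("user", "").lower()
    target_host = ev.get("target_host", "").lower()
    path = ev.get("path", "").lower()
    src = ev.get("src_host", "?")
    # Decoy accounts never log on legitimately, so any attempt, successful
    # or failed, is a hit.
    if ev.get("event_id") in (4624, 4625) and user in DECOY_USERS:
        return Alert("decoy_account_logon", user, src, ev)
    # Nobody has business logging on to a decoy host.
    if ev.get("event_id") == 4624 and target_host in DECOY_HOSTS:
        return Alert("decoy_host_logon", target_host, src, ev)
    # Any access to a boobytrapped file or document.
    if ev.get("event_id") == 4663 and path in DECOY_FILES:
        return Alert("decoy_file_access", path, src, ev)
    return None


def hunt(lines):
    """Parse each log line and collect alerts; malformed lines are skipped."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line must not take the detector down
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


def pivot_by_source(alerts):
    """Group touched decoys by source host: one host hitting several
    decoys is the thread to start pulling."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.source].append(a.decoy)
    return dict(by_src)


# Constructed sample log: one legitimate logon, then a single workstation
# (ws-042) touching three different decoys, plus one malformed line.
SAMPLE_LOG = r"""
{"event_id": 4624, "user": "alice", "src_host": "ws-017", "target_host": "fs-prod-03"}
{"event_id": 4625, "user": "FakeAdmin", "src_host": "ws-042", "target_host": "dc-01"}
{"event_id": 4663, "user": "bob", "src_host": "ws-042", "path": "C:\\Pentest\\mimikatz.exe"}
{"event_id": 4624, "user": "svc_backup02", "src_host": "ws-042", "target_host": "fs-legacy-01"}
this line is not json and is skipped
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a.kind}] {a.decoy} from {a.source}")
    print("pivot:", pivot_by_source(found))
```

Running it lists three alerts, all from ws-042, and the pivot shows that single host touching a decoy account, a decoy file and a second decoy account in a row. In a real deployment the decoy inventory would live in a file or a ticketing/SIEM lookup rather than in the script, and the alert would page someone; the logic of the check stays the same.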
Not how many, but where.