Inching Toward Defend Forward

The increase in cyberattacks—and the increase in the cost of cyberattacks—sends a clear signal: Something about the cybersecurity industry needs to change. We live in a world where malicious cyberattack campaigns are persistent and relentless. Even as threat actors like ransomware groups face growing pressure from law enforcement, it is clear that the rule of law will not be enough to stop the scourge, as much as governments try to indict their way out of advanced persistent threats. Organizations must look for other, more proactive ways to fight and prevent this type of attack. The Cyberspace Solarium Commission recommends incorporating a ‘defend forward’ stance as a component of achieving a layered defense.

Defend forward is a security posture that seeks to gain early understanding about and warnings of cyberattacker activity instead of waiting for a breach to happen and then dealing with the consequences.

This posture aims to stop attacks before they reach production. It means monitoring adversaries outside your own network and collecting data on their targets and techniques; done well, it gives the security team the warning and detail it needs to defend against the next campaign. Defend forward also aims to impose costs on adversaries, disrupting their current campaigns and deterring future ones.

The threat landscape keeps changing, and defenders must change with it, starting by thinking like the adversary. Newer technologies let companies protect their most valuable assets proactively rather than after the fact. Reassess the threat intel feeds you rely on: are they providing generic intelligence, or intelligence that is tailored to your organization and actionable?

Defend Forward in Cybersecurity

Defend forward necessitates a shift from a defensive cybersecurity posture to a proactive one. Most organizations, however, are accustomed to merely reacting. And many of these organizations don’t even get the chance to react until the damage has already been done, as is the case with the ubiquitous ransomware attack.

The only real tool that exists to engage an adversary in your networks is deception technology. By using advanced deception technology (i.e., not just honeypots), you can create a deception environment that looks convincingly like the real thing. This immediately puts the attacker on your terms and gives you the upper hand.

Your goal should be to get them to doubt everything, question anything they see, and have their behavior fully shaped by your engagement with them in the deception environment.

This drives up the attacker’s cost in time and resources, creates a hostile environment for them and reduces the risk to your production systems.

Defend forward is the future of enterprise cybersecurity. This posture is the clearest way to prevent large data losses and to catch experienced attackers off guard.

What Enterprises Should be Doing

Enterprises should focus on the end state first: changing adversary behavior so that attacks are less effective. One way to do so is to alter the adversary’s calculation of the perceived benefits, costs and risks of conducting malicious activity.

From a defend forward perspective, organizations cannot rely solely on the passive collection of intel or on generic reports. They must observe adversary behavior in real time. To do so, enterprises need to become proactive and implement a strategy for engaging adversaries outside their networks.

An organization can do this by:

  • Developing a program that lets the enterprise proactively observe adversaries
  • Collecting actionable intelligence in real time
  • Countering an adversary’s persistent operations
  • Using that intel to raise the cost of the adversary’s actions and lower their perceived likelihood of success

By taking steps to proactively collect intelligence on threat actors and vulnerabilities, enterprises can improve the decision-making process in their organization. They will also have the tools in hand needed to decrease the effectiveness of the adversary’s operation.

Deception and Defend Forward

Deception technology plays a key role in a defend forward stance. The deception environment should support active deception operations: campaigns built from custom environments that redirect threats away from production networks and elicit actionable intelligence from the adversary’s responses.

Deploying externally, beyond your network perimeter, lets you detect attackers before they compromise your internal network. With the deception environment deployed in this configuration, you can collect real-time intelligence that includes both indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs). This targeted, real-time intelligence can be used immediately to start threat hunting on the internal network and to identify weaknesses in your current security tooling, and real-time monitoring of the environment reveals the threat actors’ strengths, weaknesses, dispositions and intentions.

How to Build a Defend Forward Stance

So how does one operationalize defend forward? It is important to build a cohesive strategy in order to incorporate defend forward thinking into your current security program. Here is a breakdown of how to implement and operationalize it:

1. Define outcomes and deliverables
Decide how you will measure the outcome of defend forward. Engagement is often the best yardstick: how much the threat actor interacts with the deception environment and how long they stay in it are the key metrics. Did the attacker modify their behavior after interacting with your deception environment? Catalog these outcomes:

  • Number of entry attempts
  • Amount of time spent in the system
  • Number of tools or techniques the adversary deployed (to gain intelligence)
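The collection loop described under "Deception and Deception and Defend Forward" above (IoCs and TTPs from an external decoy fed straight into internal hunting) and the engagement metrics in step 1 both come down to the same raw material: the decoy’s event stream. What follows is an added example written for this page, not CounterCraft’s code or the author’s. It assumes a JSON-lines event format from the decoy, a key=value format for internal VPN and proxy logs, a deliberately tiny command-to-ATT&CK lookup, and constructed sample data; none of those come from the article.

```python
# Added example (not CounterCraft code): decoy events -> engagement metrics and hunt leads.
import json
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: JSON-lines events from a hypothetical external decoy host.
# Field names are an assumption, not any vendor's schema.
DECEPTION_EVENTS = """\
{"ts":"2024-03-01T02:10:05Z","src":"203.0.113.7","session":"a1","type":"login_attempt","user":"admin","password":"Spring2024!","success":false}
{"ts":"2024-03-01T02:10:09Z","src":"203.0.113.7","session":"a1","type":"login_attempt","user":"svc_backup","password":"backup123","success":true}
{"ts":"2024-03-01T02:11:30Z","src":"203.0.113.7","session":"a1","type":"command","cmd":"whoami"}
{"ts":"2024-03-01T02:12:02Z","src":"203.0.113.7","session":"a1","type":"command","cmd":"net group \\"Domain Admins\\" /domain"}
{"ts":"2024-03-01T02:25:41Z","src":"203.0.113.7","session":"a1","type":"file_download","url":"http://198.51.100.9/x.ps1"}
{"ts":"2024-03-01T02:26:00Z","src":"203.0.113.7","session":"a1","type":"session_end"}
{"ts":"2024-03-01T04:00:00Z","src":"198.51.100.22","session":"b2","type":"login_attempt","user":"root","password":"toor","success":false}
{"ts":"2024-03-01T04:00:03Z","src":"198.51.100.22","session":"b2","type":"session_end"}
"""

# Constructed sample: internal VPN and proxy logs in a simple key=value format.
INTERNAL_LOGS = """\
2024-03-01T03:05:12Z vpn-gw auth user=svc_backup src=203.0.113.7 result=failure
2024-03-01T03:05:40Z vpn-gw auth user=jdoe src=192.0.2.14 result=success
2024-03-01T03:07:01Z proxy-01 http client=10.0.4.21 dst=198.51.100.9 uri=/x.ps1
"""

# Deliberately small, assumed lookup from command substrings to ATT&CK technique IDs.
COMMAND_TECHNIQUES = (
    ("whoami", "T1033"),         # System Owner/User Discovery
    ("net group", "T1069.002"),  # Permission Groups Discovery: Domain Groups
)

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(event):
    """Map one decoy event to an ATT&CK technique ID, or None if uninteresting."""
    kind = event["type"]
    if kind == "login_attempt":
        return "T1078" if event["success"] else "T1110"  # Valid Accounts / Brute Force
    if kind == "file_download":
        return "T1105"  # Ingress Tool Transfer
    if kind == "command":
        for needle, technique in COMMAND_TECHNIQUES:
            if needle in event["cmd"]:
                return technique
    return None

def engagement_metrics(events):
    """Step-1 metrics per attacker session: entry attempts, dwell time, techniques."""
    sessions = defaultdict(list)
    for event in events:
        sessions[event["session"]].append(event)
    metrics = {}
    for session_id, evs in sessions.items():
        # Timestamps carry a trailing Z; older Pythons need the explicit offset.
        times = [datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) for e in evs]
        logins = [e for e in evs if e["type"] == "login_attempt"]
        metrics[session_id] = {
            "entry_attempts": len(logins),
            "successful_entries": sum(e["success"] for e in logins),
            "dwell_seconds": int((max(times) - min(times)).total_seconds()),
            "techniques": {t for t in map(classify, evs) if t},
        }
    return metrics

def extract_iocs(events):
    """IoCs to pivot on: attacker IPs, decoy credentials the attacker now holds
    (successful logins) and the hosts they staged tooling from."""
    iocs = {"attacker_ips": set(), "decoy_creds": set(), "tool_hosts": set()}
    for event in events:
        iocs["attacker_ips"].add(event["src"])
        if event["type"] == "login_attempt" and event["success"]:
            iocs["decoy_creds"].add((event["user"], event["password"]))
        if event["type"] == "file_download":
            iocs["tool_hosts"].add(urlparse(event["url"]).hostname)
    return iocs

def hunt(iocs, internal_log_text):
    """Pivot decoy-derived IoCs into internal logs; returns (line, reasons) pairs."""
    decoy_users = {user for user, _ in iocs["decoy_creds"]}
    hits = []
    for line in internal_log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[3:] if "=" in tok)
        reasons = []
        if fields.get("src") in iocs["attacker_ips"]:
            reasons.append("attacker_ip:" + fields["src"])
        if fields.get("user") in decoy_users:  # no legitimate process uses a decoy account
            reasons.append("decoy_credential:" + fields["user"])
        if fields.get("dst") in iocs["tool_hosts"]:
            reasons.append("tool_host:" + fields["dst"])
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    events = load_events(DECEPTION_EVENTS)
    print(engagement_metrics(events))
    print(hunt(extract_iocs(events), INTERNAL_LOGS))
```

Two cautions worth building in from the start: an internet-facing decoy is hammered by automated scanners, so report entry attempts and dwell time per session or per source rather than as raw totals, or the scanner noise will swamp the human operator you actually care about; and a decoy credential turning up in internal logs is about as high-fidelity a signal as you will get, because nothing legitimate should ever use it.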

2. Build a team
Ask yourself: Do you have the right training to stand this up? Perhaps you can take easy steps without investing in technology. Invest in the team you need to carry out the strategy. If you don’t have a dedicated team, look to your cybersecurity vendors for help. When choosing a vendor, look for a company that can provide deception-as-a-service.

3. Build capabilities within your organization
Locate people with threat intelligence expertise in your organization and hone their skill set with deception-based training. SANS, for example, has just released a deception workshop. The UK National Cyber Deception Lab is another great resource. Artifice also offers training on how to implement a deception strategy. These are just a few examples.

4. Buy the appropriate tooling
There are many options when it comes to deception. Simple tools, from honeypot management systems to free breadcrumb generators, are often available at little or no cost. With a full platform, however, you can run multiple campaigns, each focused on a different use case across the company’s security program. Deception is especially apt for:

  • Insider threats
  • Post-breach lateral detection
  • Pre-breach reconnaissance
  • Ransomware

5. Execute and monitor the strategy
With these elements in place, you can now see the advantage your defend forward posture gives you. By investing in tooling, you enable your most expensive assets—your people—to do their job with maximum efficiency.

The Importance of Adopting Defend Forward

Enterprise security and risk leaders must expand beyond traditional IT and network firewalls or risk becoming a victim of cyberattacks. By observing adversaries’ maneuvers, enterprise security teams can understand their capabilities and techniques. This will enable the security teams to tailor and adapt their security strategy.

I have seen deception truly work when deployed with a defend forward paradigm. It can help organizations detect, disrupt and contain sophisticated cyberadversaries. Deception is one of the best ways to defend forward, as it allows an enterprise to get access to an attacker’s blueprint, giving the enterprise’s security team the advantage.


Luke Wilson

Luke Wilson, VP of Operations and Partnerships at CounterCraft, is a law enforcement and intelligence professional with over 17 years working within federal law enforcement, the Department of Defense, and the United States Intelligence Community. Luke began his career in the U.S. Air Force as a Special Agent for the Air Force Office of Special Investigations. He was considered an operations expert in the areas of Counterterrorism and CounterIntelligence. Luke received the commander's excellence award while deployed to Guantanamo Bay, Cuba for excellence in investigation and intelligence practices. Luke was employed by the Federal Bureau of Investigation in the Counterterrorism and Cyber Division for over nine years. While in the cyber division Luke constructed the first inter-agency task force to investigate the illicit uses of virtual currency in nation-state hacking activity. Luke has advised the U.S. government and regulators on nation-state cybersecurity threats. While employed at the Federal Bureau of Investigation, he integrated, coordinated, and shared investigative techniques, tactics, and procedures throughout the United States Intelligence Community. Luke has led business development at Elliptic, a cryptocurrency analytics firm, and has held the position of Vice President of Intelligence at cyber attribution company 4iQ. He is currently the Vice President of Operations at CounterCraft.
