Last month I met with the security team at a major bank to discuss their detection capabilities. The head of the bank’s security operations center claimed that his organization’s security stack could detect certain threats, but he was worried about them missing other attack vectors. He asked his team to figure out how to close this security gap and, during our meeting, they were listing the pros and cons of buying a solution versus building their own system.
As the security team debated the merits and drawbacks of each method, I surprised them by saying their whole approach was wrong. For years, practicing security meant building a fence to keep adversaries out, plugging any holes that appeared and fortifying the fence as the attacks grew more advanced.
This approach has failed to keep companies safe: no matter how many fences a security team constructs or what defensive measures are implemented, they will still be the underdog compared to the sophisticated enemies they’re facing. Cyber attacks are constantly evolving and increasing in complexity. It is virtually impossible for the defenders to keep up with the pace of change. Stopping every threat is simply impossible and unrealistic.
To meet this security reality, I presented the bank’s security team with an alternative approach: the house of cards paradigm.
Successful defense doesn’t mean stopping every attack
Even the most sophisticated hacking operations can be compared to a house of cards. While likening the serious task of protecting a company from attackers to a card trick may seem frivolous, it’s actually very accurate. A house of cards is an elaborate construction comprised of many connected components. But when you remove a few cards, the entire house falls down.
Now, apply that thinking to detecting a cyber attack: find one or just a few components of the hack and, over time, the entire operation can collapse.
To reach their goal, hackers must complete a series of actions in a company’s environment that are linked together. Fortunately for the defenders, carrying out each of these steps makes the attackers vulnerable and provides the good guys with a great opportunity to intervene.
The house of cards theory in action: the Kohl’s Cash scam
Earlier this month, Brian Krebs reported on a scam in which criminals used hacked Kohl’s customer accounts to order hard-to-return items to rack up reward points called “Kohl’s Cash,” which they’d redeem for gift cards or cash before the items were returned.
A KrebsOnSecurity reader noted that she received an email from Kohl’s stating that the email address on her account had been changed. A common enough scenario, but a single action on her part caused the whole scam to unravel.
She logged in with the updated email address and her existing password, which the thieves didn’t change. After checking her order history, she discovered that two fraudulent orders totaling $700 had been placed in the 20 minutes since she received the notification email.
She then alerted Kohl’s, which resolved the issue and acknowledged that the retailer was aware of the scam.
While this is not an enterprise security example, the same theory applies to companies with security teams that are hunting for anomalies within their complex IT environments.
With the combination of the right data and advanced analytics, security teams just need to catch one of these activities to link it to other actions and discover the entire campaign. With that approach, defending against an attack is no longer a losing proposition. If a hacker gets through the perimeter defenses, the security game isn’t lost. In fact, it is just starting.
Moving away from the IT mindset to security
Finding the slightest trace of an attack can undo the whole campaign, and security teams should approach detection in this manner. They must proactively search for single parts of an attack and develop the ability to link these components to a larger operation. Following this trail of evidence will reveal the entire hacking campaign.
For example, catch one instance of lateral movement or a command-and-control communication attempt, and an analyst could start piecing together a complete attack picture.
The house of cards approach requires moving away from the IT mindset that encourages analysts to quickly close incidents. Instead, it calls for an investigative mentality with every incident considered a potential piece of a bigger puzzle.
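One way to put the pivot-from-a-single-detection idea into code, as an added illustration that is not part of the original article and not Cybereason's product logic: starting from the one event an analyst caught (here a remote logon that looks like lateral movement), walk transitively to every event that shares a user or a host within a time window, so the connected chain surfaces while unrelated activity stays out. The event types, hosts, users and timestamps are constructed sample telemetry.

```python
from collections import deque

# Constructed sample telemetry, not real data. Each event records the user
# and hosts it touched and a timestamp in minutes. e7 is unrelated admin
# work and e8 is the same user much later; neither belongs to the chain.
EVENTS = [
    {"id": "e1", "t": 10, "kind": "mail_attachment_opened", "user": "alice", "hosts": {"WS-01"}},
    {"id": "e2", "t": 11, "kind": "suspicious_child_process", "user": "alice", "hosts": {"WS-01"}},
    {"id": "e3", "t": 15, "kind": "beacon_to_rare_domain", "user": "alice", "hosts": {"WS-01"}},
    {"id": "e4", "t": 40, "kind": "remote_logon", "user": "alice", "hosts": {"WS-01", "FS-02"}},
    {"id": "e5", "t": 42, "kind": "lsass_access", "user": "alice", "hosts": {"FS-02"}},
    {"id": "e6", "t": 43, "kind": "remote_logon", "user": "svc_backup", "hosts": {"FS-02", "DC-01"}},
    {"id": "e7", "t": 12, "kind": "remote_logon", "user": "bob", "hosts": {"WS-07", "FS-09"}},
    {"id": "e8", "t": 500, "kind": "remote_logon", "user": "alice", "hosts": {"WS-01", "FS-03"}},
]


def linked(a, b, window):
    """Two events are linked if they share a user or a host and fall within the window."""
    if abs(a["t"] - b["t"]) > window:
        return False
    return a["user"] == b["user"] or bool(a["hosts"] & b["hosts"])


def expand_campaign(events, seed_id, window=60):
    """Breadth-first pivot from one detection to every event it links to, transitively.

    The window applies between neighbouring events, so a long chain can extend
    well beyond `window` minutes from the seed as long as each hop is close.
    Returns the linked events in time order.
    """
    by_id = {e["id"]: e for e in events}
    seen = {seed_id}
    queue = deque([seed_id])
    while queue:
        current = by_id[queue.popleft()]
        for candidate in events:
            if candidate["id"] not in seen and linked(current, candidate, window):
                seen.add(candidate["id"])
                queue.append(candidate["id"])
    return [e for e in sorted(events, key=lambda e: e["t"]) if e["id"] in seen]


if __name__ == "__main__":
    # The analyst caught only the lateral-movement logon (e4); print the chain it pulls in.
    for event in expand_campaign(EVENTS, "e4"):
        print(f'{event["t"]:>4}  {event["kind"]:<26} {event["user"]:<11} {sorted(event["hosts"])}')
```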
The house of cards approach brings a fresh take to security. And, perhaps most importantly, it shifts the odds in favor of the defenders. The attackers, on the other hand, now become the vulnerable ones. They have to evade every possible detection mechanism and be totally invisible to win. With the house of cards framework, the defender has to win once and the attacker has to win 100 percent of the time, returning power to the security teams.
Lior Div is the CEO and Co-Founder of Cybereason. This article previously appeared in Network World.