Why Traditional Cyber Tools and Strategies Fail to Address the Threat of Intrusion
08/21/2024
If your organization is solely using traditional security strategies to protect against cyberattacks, you’re missing out on an entire set of Active Defense tools aimed at improving incident response and using countermeasures to better protect your network. (For more information on what Active Defense tools are, check out the first post in this blog series.)
Traditional methods focus mostly on vulnerability risk scoring and signature-based tools that only recognize known threats. This is a major problem for two reasons: not only do these methods fail to stop attackers, but they are disproportionately expensive compared to the cost of carrying out an attack, which is close to nothing. These tools do not deter actors because they do not make attacks more costly or risky for them. Intruders build their operations on cheap, freely available offensive tooling, while organizations hesitate to adopt the same class of tools for defense out of a lack of understanding and a fear of legal exposure.
Most organizations are stuck defending the confidentiality, integrity, and availability of their data with static controls rather than using freely available tools and techniques that confuse, delay, and gather intelligence on an intruder. That is a missed opportunity. Here are some examples of why traditional tools just aren’t enough in today’s cybersecurity climate.
Three ways traditional cybersecurity tools fail to address the threat of intrusion
Traditional tools and strategies are failing to address the threat of intrusion in three primary areas:
- Deterrence: Traditional tools do not materially increase the cost, time, and effort an actor needs to complete their objectives. Actors can therefore operate anonymously with no realistic threat of attribution by the target organization or law enforcement. Adversary operations rely heavily on deception, while traditional tools neither raise the attacker's cost nor impose risk on them, which invites further attacks and contributes to further defeats.
- Detection: Once an intruder has gained a foothold on a network, signature-based tools fail to detect custom malware and the abuse of legitimate accounts, two techniques frequently used in high-profile data breaches. Lateral movement through the network and command-and-control (C2) traffic from adversary-controlled infrastructure present multiple complex problems for reputation- and signature-based tools. These problems extend across the entire incident response cycle, including scoping, containment, and eradication.
- Response: Automation is not fully utilized by organizations for fear of blocking legitimate traffic. Instead of automated, immediate responses, many organizations today rely on manual response processes which are not always as effective—and take much longer to accomplish. Traditional responses have proven to be passive, threat-generic, and unable to factor in the identity, tactics, and objectives of the intruder. They also fail to utilize trusted configurations and fail-safe techniques that can adequately protect the critical data and assets of organizations.
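The detection and response gaps above can be closed without a signature. The following is an added example, not code from the original post or from the authors' own tooling: it plants decoy (honeytoken) credentials that no legitimate process ever uses, so any authentication attempt with them, successful or not, is a high-fidelity indicator that credentials were harvested from inside the network. It then plans an automated response that is fail-safe by design: sources in a protected internal range are escalated for human review rather than blocked automatically. The account names, host names, addresses, and log lines are constructed for the example.

```python
"""Honeytoken (decoy credential) detection over constructed auth log lines,
with a fail-safe response plan.

A decoy account is never used by any legitimate process, so *any* appearance
of it in authentication logs is a high-fidelity indicator that someone has
harvested credentials and is trying them. Signature-based tools have nothing
to match here: the login attempt itself looks like normal account usage.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical decoy identities, planted where an intruder looks (config files,
# scripts, directory descriptions). No legitimate process ever uses them.
DECOY_ACCOUNTS = {"svc-backup-legacy", "sql_admin_ro"}

# Hypothetical range that automation must never block on its own (e.g. the
# management network); hits from here are escalated to a human instead.
NEVER_AUTOBLOCK = [ipaddress.ip_network("10.0.4.0/24")]

# Constructed sshd-style log lines for the example; not real logs.
SAMPLE_LOG = """\
Aug 21 10:02:11 web01 sshd[4121]: Accepted password for deploy from 10.0.4.15 port 51022 ssh2
Aug 21 10:05:43 web01 sshd[4190]: Failed password for svc-backup-legacy from 198.51.100.23 port 40112 ssh2
Aug 21 10:05:47 web01 sshd[4190]: Failed password for svc-backup-legacy from 198.51.100.23 port 40112 ssh2
Aug 21 10:06:02 db02 sshd[2201]: Accepted publickey for sql_admin_ro from 198.51.100.23 port 40120 ssh2
Aug 21 10:07:30 web01 sshd[4233]: Accepted password for alice from 10.0.4.22 port 51090 ssh2
Aug 21 10:08:12 db02 sshd[2240]: Failed password for sql_admin_ro from 10.0.4.22 port 51100 ssh2
"""

# Matches both successful and failed OpenSSH authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    src: str
    outcome: str  # "Accepted" or "Failed"; recorded, but never gates the alert


def parse_line(line):
    """Return the fields of one sshd auth line, or None for unrelated lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """One Alert per log line that touches a decoy account.

    A failed attempt against a decoy already proves the credential was
    harvested, so the outcome does not decide whether to alert.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in decoys:
            continue
        alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["src"], ev["result"]))
    return alerts


def attacker_sources(alerts):
    """Distinct source addresses seen using decoy credentials."""
    return sorted({a.src for a in alerts})


def plan_response(alerts, never_autoblock=NEVER_AUTOBLOCK):
    """Split decoy-using sources into (auto_block, manual_review).

    Sources inside a protected range are escalated instead of blocked, so the
    automation cannot lock out a compromised but critical internal host.
    """
    auto, review = set(), set()
    for src in attacker_sources(alerts):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in never_autoblock):
            review.add(src)
        else:
            auto.add(src)
    return sorted(auto), sorted(review)


if __name__ == "__main__":
    hits = find_decoy_use(SAMPLE_LOG)
    for a in hits:
        print(f"{a.timestamp} {a.host}: decoy {a.user} used from {a.src} ({a.outcome})")
    block, escalate = plan_response(hits)
    print("auto-block:", block)
    print("escalate for review:", escalate)
```

Running the block flags four lines: the two failed and one accepted attempt from 198.51.100.23, which goes to the auto-block list, and the attempt from 10.0.4.22, which sits in the protected range and is routed to manual review. The legitimate `deploy` and `alice` logins produce nothing, because the detection keys on a planted identity rather than on the shape of the traffic.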
Why most organizations haven’t adopted Active Defense tools
There are three main reasons why most organizations aren’t using Active Defense tools. First, like most people, organizations are more comfortable with tools and strategies they know won’t cause them legal trouble. Second, there is little official guidance on how to use these tools. Third, and as a consequence of the second, there is a fundamental lack of understanding of how Active Defense tools work and how to implement them.
Organizations are more comfortable taking advice from governing bodies
Most organizations prefer to rely on the advice of government agencies and information security industry leaders, who recommend traditional defenses such as antivirus, IDS/IPS, firewalls, and web gateways, because these tools have been used to guard against cyber threats for years.
As we’ve said, these tools are not enough to detect and thwart intruders because they are static, known to the attacker, easy to evade, and unnecessarily expensive. Still, many organizations associate increased cost with increased protection, while others want the perceived security of vendor support contracts and specialized equipment. That leads us to our second point: government agencies offer very little guidance on how to respond to an intruder who has already compromised your network.
There is a lack of guidance from industry leaders on how to deal with an intruder who has penetrated a network
One of the main reasons organizations are hesitant to adopt Active Defense tools is a fear of legal problems. First, the Computer Fraud and Abuse Act (CFAA) gives organizations no legal means to retaliate against attackers, which has made most organizations hesitant to implement these technologies. Because the CFAA is interpreted differently by different courts, offensive “hack back” strategies carry a significant risk of civil and criminal liability.
Second, the U.S. currently has no cyberdeterrence policy and no official legal guidance or doctrine on the countermeasures available to organizations. Third, the U.S. Department of Justice guidance that does exist is extremely passive in nature: it offers strictly defensive strategies for organizations dealing with an intrusion, including rerouting traffic, isolating segments of the network, and even abandoning the network. Finally, there is little emphasis on the benefits of intelligence gathering, denial and deception, counterdeception, and counterintelligence. In short, organizations are encouraged to deploy inadequate tools that alert only when a network is under direct attack, which is too late, and are then told to “duck and cover” to avoid further damage.
Organizations lack a fundamental understanding of Active Defense tools
Most of the industry is either uninformed about Active Defense tools, does not understand their true value to the organization, or does not know how to implement them in its network. Without knowledge of alternative tools, organizations have no choice but to spend more money on the latest “next generation” firewall, IDS, and antivirus solutions.
Unfortunately, the existence and advantages of Active Defense tools have not been successfully conveyed to organizations, which means they don’t understand why they should leverage these automated, inexpensive tools or how they can begin using them to counter the threat of an intruder with access to their network.
That’s where we come in. Contact us today to learn how Active Defense tools can work for your organization—and how to implement them now.