EXECUTIVE SUMMARY:

Kierk has served in the cyber security field for over 20 years and has extensive experience in enterprise security design, implementation and thought leadership. He is the head of engineering for the central US and is part of the office of the CTO team at Check Point. Kierk is also an active presence discussing cyber security risks with local and national media.

Preventing cyber attacks: a lost cause, or is it possible?

Breaches are on the rise, and some leading cyber security voices are saying to focus on detection and response. The argument is that attackers only need to succeed once to gain a foothold and compromise the network or endpoint. Other cyber security voices are saying we need a prevention-first mindset that focuses on blocking threats before they can infect a network or host.

Recently, Microsoft’s Digital Defense Report highlighted how hackers could shift from network exploitation to a full-scale ransomware attack in less than 45 minutes. The time adversaries need to execute their playbooks has decreased. In fact, it is not uncommon to see domains related to these attacks live for only minutes before attackers move on to new command-and-control (C&C) domains. Threat actors know that the longer they are on a network, the greater the chance of detection, so they need to move fast. With advanced automated ransomware attacks emerging, we need to be sure that we have the proper defenses in place.

Ask any cyber security professional if you should invest in prevention or detection methodologies and they will tell you that you need both. 

The real problem is the balance. How much of your cyber security budget should go to prevention and how much should go to detection and response? Every organization has a strategy and there are always tradeoffs.

Many organizations today are adopting, or should adopt, a zero trust strategy. Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. This is a prevention-first strategy, since it helps contain outbreaks within an organization and prevents lateral movement if there is a malware infection. Zero Trust Network Access (ZTNA) can also be applied to files that enter the network or are downloaded to an endpoint.

At RSA in 2014, the Department of Homeland Security (DHS) and the National Security Agency (NSA) conducted a panel discussion on the application of content disarm and reconstruction (CDR). This discussion focused on innovation around zero trust for files that enter an organization. The speakers highlighted the lack of effectiveness of hash clouds and sandbox systems at stopping advanced zero day attacks that were embedded into files. They needed to come up with a solution that would allow them to reduce the number of security incidents they were experiencing.

From 2006 to 2012, the DHS had seen a 900% increase in security incidents. At that time, they were focused on trying to detect things that were malicious at the perimeter or the endpoint. This approach, from their perspective, was just leading to more security incidents. 

What decisions did the DHS and NSA come to?

These governmental organizations decided something needed to change, and they wanted to flatten the security incident curve. That is when the discussion around passing known good as a strategy was brought forward. Passing known good means the original file has been altered enough to disable any embedded malware's ability to execute. They highlighted how they eliminated 99.5% of the zero day malware that was embedded in email attachments or arrived through file downloads. This strategy allowed them to clean the files and pass known good content immediately to the users, who received the files seamlessly. With this process, they could be certain that the files that were delivered contained no malicious code capable of executing on that machine.

Documents could be reconstructed and passed securely without unnecessary active content, and image files could have trace amounts of noise added (not visible to the human eye) that disrupted the malware's ability to execute. In essence, this approach rendered the embedded malware incapable of running, reduced the noise and allowed the DHS to focus on a much more modest number of security incidents.

This type of content disarm and reconstruction technology has been commercially available for a number of years and is gaining momentum as a prevention-first technique. If you can be sure that the content you pass on cannot contain malware capable of executing, you have reduced the noise and can now focus on the detection and response needs you still have. The technology also offers self-service capabilities for cases where a user needs the original file to do their job. The methodology is also very efficient: rather than looking for malicious content, it simply removes document ‘infrastructure’ that could be harmful.
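As an added illustration of passing known good, not code from the article or from any vendor's CDR product: rebuild a .docx from an allow-list of package parts instead of scanning for malicious ones, then rewrite the package metadata so it no longer references what was left out. The allow-list, the sample document and the shortened relationship Type values are constructed assumptions.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# Allow-list of OOXML parts the rebuilt file may carry (assumption: an illustrative subset).
ALLOWED = re.compile(r"^(\[Content_Types\]\.xml|_rels/\.rels|word/(document|styles|settings)\.xml"
                     r"|word/_rels/document\.xml\.rels|word/media/[^/]+\.(png|jpe?g|gif))$")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"

def _prune(xml_bytes: bytes, ns: str, attr: str, base: str, dropped: set) -> bytes:
    # Remove child elements whose Target/PartName points at a part we did not keep.
    ET.register_namespace("", ns)
    root = ET.fromstring(xml_bytes)
    for node in list(root):
        ref = node.get(attr, "")
        part = ref.lstrip("/") if ref.startswith("/") else base + ref
        if node.get("TargetMode") != "External" and part in dropped:
            root.remove(node)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def reconstruct_docx(data: bytes) -> tuple:
    """Rebuild a .docx from allow-listed parts only: (new bytes, kept parts, dropped names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    dropped = {n for n in src.namelist() if not ALLOWED.match(n)}
    kept = {n: src.read(n) for n in src.namelist() if n not in dropped}  # macros, OLE, ActiveX never copied
    # Rewrite package metadata so it no longer references the parts we left out.
    rels = "word/_rels/document.xml.rels"  # Targets here are relative to word/
    if rels in kept:
        kept[rels] = _prune(kept[rels], RELS_NS, "Target", "word/", dropped)
    kept["[Content_Types].xml"] = _prune(kept["[Content_Types].xml"], CT_NS, "PartName", "", dropped)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:  # fresh archive, no original zip metadata
        for name, body in kept.items():
            dst.writestr(name, body)
    return out.getvalue(), kept, sorted(dropped)

def build_sample_docx() -> bytes:
    """Constructed sample: a macro-enabled document with an OLE embedding and an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # relationship Type URIs shortened to placeholders
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"><Override PartName="/word/document.xml" '
                   'ContentType="application/xml"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/document.xml", "<w:document xmlns:w='x'><w:body><w:p><w:t>Hello</w:t></w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" Type="vba" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Type="ole" Target="embeddings/oleObject1.bin"/><Relationship Id="rId3" Type="img" Target="media/image1.png"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro blob")
        z.writestr("word/embeddings/oleObject1.bin", b"constructed OLE blob")
        z.writestr("word/media/image1.png", b"\x89PNG constructed image bytes")
    return buf.getvalue()
```

A real engine would also rebuild the kept XML itself (dropping DDE fields, external links and the like) and cover many more formats; the point here is that nothing reaches the user unless it is explicitly expected.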

In conclusion: 

We must change our approach as the landscape changes. If we understand that there are alternatives to always looking for bad things, and that passing known good content is possible, we can reduce the tremendous noise and distraction that many cyber security incidents cause. Let’s start by locking the car door before we enable LoJack to find it once it’s stolen.