Honey Everything — The Way Forward for Security
As a security consultant, I spend my time devising efficient protective measures — options that have the lowest impact on business capabilities and development output.
Yet, I increasingly find myself questioning whether the current trend of fixing everything cheaper and faster is going to be sustainable.
Instead, I think it is time for us to address the question at the heart of security: asymmetry.
We are fighting an uphill battle and we have to start fixing this!
We have undoubtedly become much better in the last decade. A good portion of security tasks are now automated, frameworks and development methods have also evolved to rule out the usual suspects.
However, in the larger scheme of things, cyber attacks are as prevalent as before. Whilst we have managed to raise the bar and cost of attacks accordingly, returns for the attacker have also increased and expertise for both sides are becoming abundant.
We have got most of the low hanging fruits but this arms-race, the next steps will provide less returns but with much higher business costs. Anyone who has written or read a report urging the disabling of all macros in Word, or has seen a slow revolving door built in a high security site, would know this.
I believe this concerns the difficult question at the heart of security: defenders need to find all combinations of flaws that can lead to a compromise, while attackers need only find one viable combination.
We are at the point where we should start turning this around.
Let’s consider anti-doping agencies — what really changed the game was not any single test or new method. They had the same type of arms race. What changed the game was freezing the blood samples. All of a sudden that altered the playing field by forcing the complexity that once was on the inspectors on the dopers: to find a way that will not be detected in the next decade by any method.
We have to start directing more of our focus to making this shift.
Make no mistake — monitoring is not the solution. It does make the landscape a little less stacked against defenders, but we will still need to find all the right signals in the torrent of information coming in. We are still facing the same complexity, just that it got harder for the attackers.
A few months ago, I read a fantastic article on honey tokens in AWS. I think that is one of the most ingenious example of what we could do and what we should be talking about. No business impact, very little cost, very little maintenance and very precise signal. I believe that this is what security should be busy with:
Find a way to honey everything, by creating cheap booby-traps and trip-wires that are transparent to users and hence have no impact on businesses.
I guess the few of you who have tried to create honeypots or vulnerable apps know that creating a convincing trap is very complicated. To you, I say there is hope. Luckily we already have them: All the legacy applications on your intranet or the unpatchable appliances.
To start the discussion, I would like to make a case to all security people that the next time you start to think about fixing an old legacy app you find on the internal network, think about the alternatives:
1. Dig up a developer that still writes, Cobol, have him understand the code and write a patch, potentially break other applications (or require them to be patched), to fix something that most likely would have never been exploited; or
2. Name it a honeypot and start creating decent monitoring around it without any extra cost of fixing and adding one more thing in your network to make an attacker suspicious about their next move, detect lateral movement or catch a careless one.
I have had enough of being a paranoid defender. I want the attackers to feel the same from now on!