Ready, FIRE!!!!, aim....: sometimes information security can feel like putting up flak during an air raid, hoping you take out the threat homing in on you from above and never quite knowing whether you have succeeded until after the event.
Whilst we have a veritable arsenal of technology to counter today's complex blended threats, more often than not it works by second-guessing the attacker's next move. Today's application firewalls, IPS and the like do a good job of keeping order in a chaotic environment, and combined with a good SIEM solution they also give you the analogue of the air-raid siren in the analogy above: signatures and correlation rules tell you an attack is probably under way, but only once it resembles something you already expected.
Unfortunately, with the best will in the world, threats can still go unnoticed; as every infosec book reminds us, the defender has to be right every time while the attacker only needs to succeed once. And even with the most refined tuning of our network security infrastructure, false positives remain, and every one of them pulls an analyst away from the day job.
Enter Mykonos Software, recently acquired by Juniper Networks. Watching a recent demo of the product, it was clear to me that this is genuinely game-changing technology: it puts us on the front foot against attackers rather than trying to second-guess their next move.
The concept of honeypots/honeynets has been around for many years and provides a wealth of insight into the threat landscape, but at what cost, and more importantly, what is the real benefit to the business? For many organisations the hassle of implementing such infrastructure is simply not worth the effort, or is seen as satisfying little more than academic curiosity.
Mykonos has done a great job of providing technology that surreptitiously plants the equivalent of mousetraps in your existing eCommerce site's code: decoy artefacts (a leaked-looking URL, a hidden form field, a cookie value) that a browser never acts on and that no legitimate workflow touches. That creates an attack surface exposed only to someone reading the site's source, fuzzing its parameters or tampering with what the server handed them; regular users are blissfully unaware of all these Machiavellian machinations behind the scenes as they go about their normal use of the site.
The net result is that only an attacker will trigger these traps, so a positive is a positive and, well..., there are no false positives!!! The one caveat a practitioner should keep in mind is that this holds only as long as the traps stay out of every path an honest client could follow; your own vulnerability scanners and pentesters will trip them just like an attacker would, so they need to be recognised and excluded before the alerts mean anything.
Of course, this is only half the story. What do you do once you have an attacker in the trap? There is no point wasting resources on script kiddies who will move on to other targets at the first hurdle, but you also want to keep the more advanced attacker from causing intentional or unwanted consequences for the operation of your site. Hence the need for the equivalent of a judo move: using their own efforts against them.
Again, Mykonos does a good job of profiling the attacker and can impose tarpits and the like, gaining the attacker's confidence so that they waste their time, keeping their actions away from revenue-generating transactions, and providing real-time, step-by-step surveillance of what they do (perhaps even offering service providers a way to monetise the honeynet concept, with the practical benefit of keeping their customers' sites up and running smoothly). Ultimately this could stop an attack altogether, but more likely the attacker will get fed up and move on to another target (and hopefully onto someone else's domain).
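To make the trap-and-response mechanics concrete, here is an added example of how a deception layer of this kind can sit in front of a web application. It is illustrative code written for this post, not Mykonos or Juniper code and not a description of their product internals. The decoy names (`/admin-legacy/`, `acct_ref`, `sess_role`), the tactic scoring weights and the dict-based request/response model are all assumptions made for the illustration. The two points it shows are that each trap fires only on behaviour no honest browser produces, and that the response escalates from serving a decoy page to tarpitting to blocking as a client's profile accumulates evidence.

```python
"""Added example: a toy web-application deception layer (not Mykonos/Juniper code).
Requests and responses are plain dicts so the whole thing runs offline; every
decoy name and threshold below is an assumption made for illustration."""
import re
from collections import defaultdict

# Decoys a browser never acts on, but that source reading, parameter tampering
# or cookie editing will expose. All values are invented for this example.
TRAP_PATH = "/admin-legacy/"        # advertised only inside an HTML comment
TRAP_FIELD = "acct_ref"             # hidden input; browsers echo it back unchanged
TRAP_FIELD_VALUE = "10427"
TRAP_COOKIE = "sess_role"           # decoy cookie; honest clients return it verbatim
TRAP_COOKIE_VALUE = "user"

# Editing a hidden field or cookie implies deliberate tooling, so it weighs
# more than merely following a leaked link.
TACTIC_SCORE = {"trap_path": 1, "hidden_field_tamper": 3, "cookie_tamper": 3}


def inject_traps(html: str) -> str:
    """Plant the decoys in an outgoing page. A normal user sees no difference."""
    comment = f"<!-- TODO: remove old console at {TRAP_PATH} before launch -->"
    hidden = f'<input type="hidden" name="{TRAP_FIELD}" value="{TRAP_FIELD_VALUE}">'
    html = html.replace("</head>", f"{comment}\n</head>", 1)
    # Drop the hidden field into the first form, right after its opening tag.
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + "\n" + hidden, html, count=1)


def detect(request: dict) -> list:
    """Return the trap tactics this request exhibits (empty for normal traffic)."""
    hits = []
    if request.get("path", "").startswith(TRAP_PATH):
        hits.append("trap_path")
    form = request.get("form", {})
    if TRAP_FIELD in form and form[TRAP_FIELD] != TRAP_FIELD_VALUE:
        hits.append("hidden_field_tamper")
    cookies = request.get("cookies", {})
    if TRAP_COOKIE in cookies and cookies[TRAP_COOKIE] != TRAP_COOKIE_VALUE:
        hits.append("cookie_tamper")
    return hits


class AttackerProfile:
    """Per-client record of which traps were triggered, how often, and a score."""
    def __init__(self):
        self.tactics = defaultdict(int)
        self.score = 0

    def record(self, hits):
        for h in hits:
            self.tactics[h] += 1
            self.score += TACTIC_SCORE[h]

    def action(self) -> str:
        # Escalation ladder (thresholds assumed): keep a curious visitor in the
        # decoy, slow down a tool-assisted one, cut off a persistent one.
        if self.score >= 8:
            return "block"
        if self.score >= 3:
            return "tarpit"
        return "decoy"


class DeceptionMiddleware:
    """Wraps an application callable that takes and returns dicts."""
    def __init__(self, app, tarpit_delay=10):
        self.app = app
        self.tarpit_delay = tarpit_delay   # seconds to stall a tarpitted client
        self.profiles = {}                 # keyed by client identifier

    def handle(self, request: dict) -> dict:
        hits = detect(request)
        if hits:
            profile = self.profiles.setdefault(request["client"], AttackerProfile())
            profile.record(hits)
            action = profile.action()
            if action == "block":
                return {"status": 403, "body": "", "delay": 0, "tactics": hits}
            if action == "tarpit":
                # A slow, plausible error wastes the attacker's time; the real
                # application never sees the request.
                return {"status": 500, "body": "Internal error",
                        "delay": self.tarpit_delay, "tactics": hits}
            return {"status": 200, "delay": 0, "tactics": hits,
                    "body": "<html><body><h1>Legacy console</h1><p>Loading...</p></body></html>"}
        response = self.app(request)
        if response.get("content_type") == "text/html":
            response["body"] = inject_traps(response["body"])
        response.setdefault("set_cookie", {})[TRAP_COOKIE] = TRAP_COOKIE_VALUE
        return response


def demo_app(request):
    """Stand-in for the real site: a page with one form."""
    return {"status": 200, "content_type": "text/html",
            "body": '<html><head><title>Shop</title></head><body>'
                    '<form method="post" action="/checkout"><input name="qty"></form>'
                    '</body></html>'}


def run_scenario():
    """Constructed traffic: one normal shopper, one attacker who escalates."""
    mw = DeceptionMiddleware(demo_app)
    normal = mw.handle({"client": "10.0.0.5", "path": "/", "form": {}, "cookies": {}})
    attacker = [
        mw.handle({"client": "203.0.113.9", "path": TRAP_PATH, "form": {}, "cookies": {}}),
        mw.handle({"client": "203.0.113.9", "path": "/checkout",
                   "form": {"qty": "1", TRAP_FIELD: "10428"}, "cookies": {}}),
        mw.handle({"client": "203.0.113.9", "path": "/checkout",
                   "form": {"qty": "1", TRAP_FIELD: "1 OR 1=1"},
                   "cookies": {TRAP_COOKIE: "admin"}}),
    ]
    return normal, attacker, mw.profiles["203.0.113.9"]
```

Running `run_scenario()` shows the shopper getting the normal page (with the decoys silently embedded) while the attacker's three requests are answered 200, 500 and 403 in turn: decoy, tarpit, block. In a real deployment you would key profiles on more than a source address, rotate the decoy values per session so that a replayed value stands out, exempt your own scanners before the alerts are wired into the SIEM, and record every `tactics` list so the step-by-step surveillance the post describes is actually available to the analyst.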
Whilst this represents a significant step forward as a countermeasure to today's threats, I can already see potential for this type of approach beyond web apps, so I highly encourage you to check out Mykonos Software for more info.
Now, ready, aim.... FIRE!!!