Page 74 - Cyber Defense eMagazine April 2021 Edition
EDR is an important endpoint security control for monitoring and protecting endpoints, but the technology struggles to identify an attacker who behaves no differently from the legitimate user of the breached system, moving laterally with authentic credentials over normal connections and pathways. Furthermore, EDR itself is increasingly targeted by attacker techniques that disable or circumvent it as part of beachhead establishment and persistence.
How to change from reactive defense to active defense
MITRE, the 62-year-old nonprofit dedicated to creating engineering and technical guidance for the U.S. government, recently created an active defense-focused knowledge base it calls Shield.
MITRE Shield is a set of best-practice recommendations for organizations, from practitioners to executives. Shield includes structured elements such as data tables connected by links, as well as less structured - but no less important - concepts and explanations, such as those found in blog posts. It includes recommendations for basic cybersecurity hygiene, as well as advanced defensive techniques covering deception and adversary engagement.
The goal, wrote MITRE in its introductory blog post about Shield, is to allow “an organization to not only counter current attacks but also to learn more about that adversary and better prepare for new attacks in the future.” At its core, active defense seeks to create a hostile environment for the attacker, raising the cost of hacking to a level where it becomes unattractive to the threat actor.
Raising the cost of lateral movement with an environment hostile to attackers creates a situation where even sophisticated adversaries are unable to move laterally without detection. With a deterministic detection approach, an organization can gather valuable real-time telemetry to understand what the adversary is targeting, remediate, and adjust its security strategy and tactics to safeguard against similar attacks in the future.
The SolarWinds attack indicates that there are shortcomings in existing security controls to ensure adequate credential and connection hygiene and prevent undetected lateral movement.
Organizations need to adopt an active defense strategy to make it more difficult for attackers that have established a beachhead to move laterally without detection and achieve their objectives.
About the Author
For more than 25 years, Jeff has been leading teams to pioneer disruptive network, data, and security solutions to improve the performance and security of infrastructure and organizations. Now, as VP of Product Marketing for Illusive, Jeff is focused on helping organizations understand how adopting an offensive security strategy with Active Defense can change the game on the attackers, giving the defenders a long overdue advantage.
Learn more about him at https://illusive.com/
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.