Chris Dale, Principal Instructor at SANS Institute, on Cyber Deception, Cybersecurity, the threat landscape and more.
What’s your take on the threat-security landscape today?
For a long time, cybersecurity has been a bane to organisations. It seems like it is inevitable that we will never really protect ourselves fully. We see companies with large digital footprints and vast security budgets get hacked, but also smaller organisations with seemingly nothing to hide or steal. Attackers in the threat landscape today find value in targeting both. A large corporation is an interesting target because they often hold valuable data, can pay larger ransoms, and have more systems to provide value to attackers. Smaller organisations are also valuable to attackers as they can be targeted in larger quantities. While perhaps the value of the target is lower, by targeting small organisations in larger quantities, it can offset the value accordingly. Value in compromise come through data or processing capabilities. Smaller companies often think they can go under the radar, but with fewer security capabilities it often enables attackers to hack them more easily. On the contrary, larger organisations have more budgets to spend, but due to larger footprint may give attackers more avenues of finding vulnerabilities to exploit. Companies, large or small, still struggle with the most critical security controls: knowing themselves, which assets and which software they manage. To make things worse, unfortunately, people are most often targeted and used as an entry point into the inside of an organisation. Attackers are continuing to target our employees but are being deterred by more commonly used security controls such as Multi-Factor Authentication (MFA). This does not however prevent the attackers from abusing our people, as they are starting to utilise more clever techniques in bypassing said control. Attacks combined with social engineering attacks and other vectors which render MFA to be less effective are rapidly on the rise. It has been a long time since attackers were known for making mistakes that could easily be pierced by attentive employees. The modern-day attacker is educated, trained and well capable of not being restricted by today’s security controls. Vendors are known to quickly respond to the latest hacks with how their solutions could have prevented them but unfortunately, they are proven wrong by security professionals time after time.
You recently authored a new SANS Course; can you tell us about it?
Cyber Deception is quickly becoming a great security strategy to help flip the coin on attackers. It is often said that attackers must be successful once, but defenders must succeed every time. Cyber Deception aims to arm defenders with a flip of the coin. Using deceptive controls, we can attempt to force the attacker’s hand to reveal themselves. This makes the attackers have to be successful every time, otherwise they risk being detected by high fidelity alerts. The SEC550: Cyber Deception –Attack Detection, Disruption and Active Defence course seeks to arm cyber defenders with the skills necessary to create such detective controls and furthermore allow a strategic approach on how cyber deception can help produce actionable threat intelligence on attackers trapped in a web of lies and deception. What are attackers looking for? What is their mission, and what are their capabilities? Cyber deception allows us to seek and produce such answers. The class supports students in thoroughly understanding what cyber deception capabilities can give us. It shows us how it is a control that can easily be implemented to complement existing security controls, but also for advanced operations where deception can disarm attackers, giving defenders time and opportunity to respond accordingly.
Today, it is imperative for organisations to not only find the right cyber talent with specific skill sets, but also invest in continuing skill development. How does SANS help with this?
There are many ways through which SANS supports organisations to find the right talent and equally how we help cyber talent take the necessary steps to become an even better version of their current selves. Our cyber academies are a good example, but our cyber ranges also offer interactive and educational ways to hone ones’ skills. But mostly, SANS hosts a wide variety of free and accessible material for everyone to seek knowledge from. These resources are made by industry experts and are provided for free, as part of giving back to the community. Furthermore, SANS produces some of the highest standards of course materials and instructors in the industry today. We have a comprehensive roadmap for training new talent into security roles, ranging from introductory classes for security novices to the advanced classes only applicable to the most elite participants.
In your opinion, what’s the biggest challenge to effective security implementation, in organisations?
I see many organisations suffer from patch and alert fatigue. We have too many things to patch, but not enough information to know where to start. Additionally, sometimes patches break functionality, giving us extra concerns when rolling them out, often causing us to patch too late. Alert fatigue is a different aspect where we see security operations being overflooded with too many alerts, too little actionable information and with skill gaps preventing staff from thoroughly investigating and concluding alerts. The security workforce in many cases is not empowered or given enough time to properly understand alerts and improve security controls and alerts to be more applicable for the future. We must also take lessons from the offensive way of thinking. Think like attackers. Offensive must inform defence. If organisations focus on core aspects such as knowing themselves and knowing the attackers (and their skills and capabilities), the defence should not have to fear a “hundred battles,” to quote Sun Tzu. The information and training is available out there, but can we change ourselves to make changes fast enough?