Do I patch my system in the name of security, or do I leave it unpatched to enable critical operations and business functions?
Heeding CIO or CISO advice to patch systems and update information technology (IT) as soon as an update is available is a best practice that will help secure systems against most known threats and vulnerabilities before they can be exploited. However, there are times when you simply cannot avoid maintaining legacy IT. How does one choose between security and operations? Incident response will only get you so far. Adopting an adversary disruption strategy becomes a critical element of any security posture for heterogeneous IT systems. Getting in the adversary’s way means that you don’t always have to choose – you can have both.
The legacy dilemma
IT ecosystems change and evolve over time, but their functions usually remain constant. Critical functionality often centers on connectivity between IT and more expensive assets. Take the example of a weapons system built to communicate with an early version of Microsoft Windows. While the outdated operating system is vulnerable to exploitation, updating the IT would require an expensive interface retrofit or even replacement of the entire weapons system at a huge cost.
This legacy dilemma affects large-scale, expensive functionality most acutely. Machines in manufacturing operations or critical systems for municipalities tied to obsolete software can prove too costly to replace. Even more common is payroll software running on old operating systems or obsolete and unsupported software.
Other compatibility challenges
Many endpoint security products only operate on the most recent Windows operating systems and are not designed to protect systems that use other operating systems. Nor can they defend other IT infrastructure, like modems or routers. In these circumstances, the network’s firewall assumes even greater responsibility for blocking attackers before they can reach individually unprotected computers or devices. Unfortunately, firewall access control lists can wreak havoc on legitimate communications paths used by legacy systems. In addition, firewalls can be susceptible to control by the adversary, completely compromising unprotected endpoints.
Often, larger corporations inherit distinct IT infrastructures from each firm incorporated into the whole through mergers and acquisitions. This creates a patchwork system incompatible with a common endpoint defense. Those companies embracing Internet of Things (IoT) substantially increase the number of network endpoints and also introduce riskier technology. Current IoT devices simply lack the processing power to perform even basic security measures and rely entirely on extra-device measures.
Endpoint security and the use of firewalls are critical and should remain staples in any cybersecurity protocol. The problem, however, is that these measures treat the cyber threat like an inevitable force of nature against which victims are powerless. Incident response and recovery is as passive as preparing for and enduring a storm – yet the cyber threat bears no resemblance to weather. Instead, it is created by an adversary who has an objective, a set of tools, and a level of knowledge. If a malicious hacker has you in his sights, you can passively hunker down, or you can proactively get in his way.
Understanding the adversary’s playbook
Adversaries routinely capitalize on unevenly defended networks and known vulnerabilities of common applications and operating systems. A month after Microsoft released an unprecedented patch for Windows XP, The Shadow Brokers published a set of tools that exploited the weaknesses in how Windows XP uses the Server Message Block protocol. Shortly after, the WannaCry ransomware attack and devastating NotPetya attack affected hundreds of thousands of Windows XP systems that had not upgraded, at an estimated worldwide cost of between $14 billion and $18 billion.1 Some systems remain exposed to this threat today.
This is a classic example of why relying on patch management alone is a failing and costly strategy. Heterogeneous or legacy-bound systems require a strategy for actively disrupting cyberattacks when installing a patch will take time and could hinder important functionality. Likewise, homogeneous networks require the same strategy for defense before a patch can be installed.
One example of this adversary-focused approach is a strategy my team and I developed for protecting the Department of Defense networks against the Heartbleed vulnerability. After a researcher published a method of getting target systems to spew data from memory, teams across the cybersecurity space acted quickly to spread word of the vulnerability. By contrast, my team used the attempt at exploiting these vulnerable systems to identify those systems and neutralize the incoming threats to vulnerable devices until an upgrade could take place. In short, we interfered with the adversary’s attacks and used their methods to benefit us.
Exploiting adversary methodology offers a critical strategy for protecting uneven defenses and networks in need of an upgrade. Every adversary must complete a series of actions in sequence to attempt an attack. Rather than simply blocking an adversary based on simple indicators of compromise (IOCs) or even next generation firewall rules, why not disrupt the adversary’s methodology? And if you can, use the adversary’s methodology to your favor? Cybersecurity professionals can not only increase adversary work factor but can also decrease their operational expenses by reducing the number of incidents to respond to.
Cybersecurity strategy for incompatible networks
Any network, including heterogeneous networks and those running outdated software, can add a valuable layer of defense by operationalizing knowledge about the adversary and adopting a strategy of adversary disruption rather than passive response and recovery.