A Better Mouse Trap

In 1894, William C. Hooker was awarded a patent for a spring-loaded mouse trap that killed the mouse on contact. Some argue it is more humane to trap and release a mouse than to make a literal mess of the rodent, but the goal is the same: keep the mouse out of the house. What differs is the action taken to reach that goal. It is a crude analogy for cybersecurity, but it works: you have to choose the appropriate action to keep a threat actor out of your environment. Should you terminate them, or practice catch and release? Both have merits, and both have serious drawbacks, which we cover in this article.

Let’s say a threat actor (the mouse) has entered your environment. The first goal, in every scenario, is to detect that they are there; that is the mouse touching the spring of your trap. The next goal is to make sure they are fully within reach of whatever response you choose, whether a gunshot, poison or a cage. A mouse that jumps away when it hears the trigger only leaves a bullet in the floorboards. A savvy threat actor can likewise notice they are being monitored and either move away from the monitored system or establish persistence that survives whatever response you are considering. The key is to respond quickly enough that they cannot evade the response, and quietly enough that they do not realize they have been detected until it lands.

Once a threat actor has been detected, a security solution typically has two courses of action: monitor and log, or terminate and recover. Both map onto our mousetrap analogy (minus the humane considerations). So, how do you choose your approach?

• Monitor And Log

Once a threat actor is detected, determining their motives, techniques and mission may be the primary concern for an organization. Live monitoring of an active intruder on production systems does introduce risk, which is why many organizations deploy honeypots or tarpits: they keep the threat actor engaged while keeping them away from real sensitive resources. The results of monitoring can be used to mitigate security risks and ultimately build better defenses. Unfortunately, monitoring and logging have no end game by themselves. At some point the threat actor’s access must be terminated or shunted off to an isolated segment; the only question is when. Is simply terminating the activity better than using the incident as an opportunity to collect forensic data? More on this in a moment.

• Terminate And Recover

This is the typical approach for almost all security solutions. If you find malware, an inappropriate process or a blacklisted application, the typical response is to terminate it immediately. The difference between that and terminating a threat actor’s access matters. Killing a process does not stop a threat actor; it only stops their current activity. The method they used to gain entry (or are currently using to probe your environment) could easily still be present and fully active, and the only way to find out is through monitoring and logging. While terminate and recover is a valid step for many security events, malware included, it is not a good immediate response for every kind of detected inappropriate activity. In that case you would be swapping the pistol in our mousetrap for a machine gun, and the results could be catastrophic.

Hopefully, by now you have concluded that these two actions should always be done together. Take a picture of your mouse before you dispose of it: knowing its color, weight and size will tell you whether it is a new mouse or the same one coming back. In cyber security terms, gather as much information as you can about the process or resource you are about to terminate and potentially re-instantiate as a “clean version” (the binary and its hash, the command line, parent process, user and network connections), recorded as security events for your SIEM or as logs for log management. If termination turns into a recurring action, those details are what will reveal how the threat actor maintains their persistent presence. Correlating the two, the terminations and the data collected around them, becomes the foundation of your better mousetrap.
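The following is an added example, not code from the original article, showing the two ideas above in working form: the “picture of the mouse” taken before a process is killed, and the correlation that turns a series of terminations into evidence of persistence (the point made under Terminate And Recover that killing a process does not remove the way back in). The process record shape, the field names and the hypothetical EDR-style data are all assumptions; the sample history is constructed, with hashes of dummy strings and an address from the 203.0.113.0/24 documentation range.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def snapshot_before_kill(proc, observed_at):
    """The "picture of the mouse": the record you send to the SIEM *before*
    the process is gone. `proc` is a hypothetical dict in the shape an EDR
    agent might report (constructed field names, not a real product schema).
    It keeps the attributes that survive a respawn (image hash, parent, user,
    remote addresses) rather than just the pid, which changes every time."""
    return {
        "event": "process_terminated",
        "observed_at": observed_at.isoformat(),
        "pid": proc["pid"],
        "image": proc["image"],
        "sha256": proc["sha256"],
        "cmdline": proc["cmdline"],
        "parent_image": proc["parent_image"],
        "user": proc["user"],
        "remote_addrs": sorted(proc.get("remote_addrs", [])),
    }


def persistence_key(event):
    # "Same mouse" test: identical binary, spawned by the same parent, as the same user.
    return (event["sha256"], event["parent_image"], event["user"])


def find_recurring(events, min_occurrences=3, tolerance=0.1):
    """Group termination events by persistence_key and report any key seen at
    least min_occurrences times. A near-constant gap between sightings (within
    `tolerance` of the largest gap) suggests a scheduled persistence mechanism
    (task, cron job, service restart) that is re-launching the implant."""
    groups = defaultdict(list)
    for ev in events:
        if ev["event"] != "process_terminated":
            continue
        groups[persistence_key(ev)].append(datetime.fromisoformat(ev["observed_at"]))

    findings = []
    for (sha, parent, user), times in groups.items():
        if len(times) < min_occurrences:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        spread = max(gaps) - min(gaps)
        findings.append({
            "sha256": sha,
            "parent_image": parent,
            "user": user,
            "count": len(times),
            "mean_gap_s": sum(gaps) / len(gaps),
            "regular_cadence": spread <= tolerance * max(gaps),
        })
    return findings


# Constructed hash of a dummy string; stands in for a real binary's hash.
SAMPLE_SHA = hashlib.sha256(b"constructed sample binary, not real malware").hexdigest()


def sample_events():
    """Constructed history: the same implant killed four times, an hour apart,
    always launched by the same parent under the same user (the assumption here
    is a scheduled task hosted by svchost.exe), plus one unrelated one-off."""
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    implant = {
        "image": r"C:\Users\bob\AppData\Roaming\Update\upd.exe",
        "sha256": SAMPLE_SHA,
        "cmdline": "upd.exe --silent",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "user": r"CORP\bob",
        "remote_addrs": ["203.0.113.45:443"],
    }
    events = [
        snapshot_before_kill({**implant, "pid": 4000 + i * 12}, t0 + timedelta(hours=i))
        for i in range(4)
    ]
    one_off = {
        "pid": 7120,
        "image": r"C:\Users\bob\Downloads\setup.exe",
        "sha256": hashlib.sha256(b"another constructed sample").hexdigest(),
        "cmdline": "setup.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "user": r"CORP\bob",
    }
    events.append(snapshot_before_kill(one_off, t0 + timedelta(minutes=30)))
    return events


if __name__ == "__main__":
    for finding in find_recurring(sample_events()):
        print(finding)
```

Run stand-alone, the script reports a single finding: the implant hash seen four times under the same parent and user with a regular one-hour cadence, while the one-off `setup.exe` termination never reaches the threshold. The design point is the key: correlating on pid or process name would make every respawn look like a new mouse, whereas hash, parent and user identify the persistence mechanism you actually need to remove.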
