Deceive, Disrupt, and Deny: The 3 D’s of Preemptive Cybersecurity
Preemptive security attempts to minimize the cost and impact of cyberattacks by heading them off in the early stages. Rather than mitigating an attack in progress (responsive security) or trying to prevent one through enhanced defenses (proactive security), preemptive security identifies early signs of malicious intent and prevents attacks from even being executed.
Gartner defines the preemptive security model as consisting of “three D’s”: deceive, disrupt, and deny. Each of these techniques independently reduces the likelihood of a successful attack against the organization. In combination, these techniques reduce the risk that an attacker will execute an attack at all, let alone succeed in causing harm to the business.
An Overview of the 3 D’s
Gartner’s model of preemptive security includes five different technologies designed to help stop attacks before they happen. These are distributed across the “3 D’s,” each of which describes a method that an organization can use to prevent attacks.
Deceive: Redirecting the Attacker’s Focus
Deception is a critical component of an effective preemptive security strategy. If an attacker can’t identify the right targets, they won’t be able to mount an attack against them. Gartner’s model of preemptive security involves two forms of deception: automated moving target defense (AMTD) and advanced cyber deception.
Automated Moving Target Defense (AMTD)
AMTD is designed to dynamically change the attack surface to confuse an attacker. This might cause the attacker to give up or to launch an attack on the wrong system, revealing their presence to the organization.
For example, an organization may proactively change names, IP addresses, ports, and protocols away from their default values. An attacker who assumes that an organization’s network will use standard configurations – such as hosting web servers on port 443 – will likely make mistakes that reveal their presence and may be thwarted in their attack campaign.
Advanced Cyber Deception
The other main form of deception is advanced cyber deception, which is designed specifically to lure in attackers. For example, an organization may deploy a honeypot or honeynet that uses AI to create a realistic environment for the attacker to exploit, luring them away from real systems. Since any activity in this environment is unauthorized by default, the attacker reveals their presence by targeting these fake systems. Additionally, honeypots and honeynets provide a low-risk environment for an organization to observe an attacker and learn about their
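The property that makes decoys useful for detection is that no legitimate client has any reason to touch them, so a single connection is a high-confidence signal. The following is an added example (not code from the article, Gartner, or any vendor product) of the alerting logic a defender would run over connection logs. It assumes a hypothetical inventory of decoy address/port pairs and a constructed flow log in the form `timestamp src_ip dst_ip dst_port`; a source that touches several decoys in a row is escalated as a likely internal sweep.

```python
"""Decoy-service alerting over constructed connection logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical decoy inventory: (dst_ip, dst_port) pairs that exist only to be touched.
DECOYS = {
    ("10.0.5.23", 445): "decoy-fileserver",
    ("10.0.5.24", 3389): "decoy-rdp",
    ("10.0.5.25", 22): "decoy-ssh",
}

# Constructed sample log (space-separated: timestamp src_ip dst_ip dst_port).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.1.10 10.0.2.50 443
2024-05-01T09:00:05Z 10.0.1.44 10.0.5.23 445
2024-05-01T09:00:06Z 10.0.1.44 10.0.5.24 3389
2024-05-01T09:00:07Z 10.0.1.44 10.0.5.25 22
2024-05-01T09:01:00Z 10.0.1.10 10.0.2.51 443
2024-05-01T09:02:10Z 10.0.1.77 10.0.5.23 445
malformed line that should be skipped
"""


@dataclass
class Alert:
    src_ip: str
    decoys_touched: list
    first_seen: str
    severity: str


def parse_line(line):
    """Return (ts, src, dst, port) or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        return ts, src, dst, int(port)
    except ValueError:
        return None


def detect_decoy_hits(log_text, decoys=DECOYS, sweep_threshold=2):
    """One alert per source IP that contacted any decoy.

    Any decoy contact is at least 'high'; touching sweep_threshold or more
    distinct decoys is escalated to 'critical' because it looks like lateral
    reconnaissance rather than a one-off misconfiguration.
    """
    hits = defaultdict(list)  # src_ip -> [(ts, decoy_name), ...]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, src, dst, port = rec
        name = decoys.get((dst, port))
        if name:
            hits[src].append((ts, name))

    alerts = []
    for src, events in hits.items():
        names = sorted({n for _, n in events})
        severity = "critical" if len(names) >= sweep_threshold else "high"
        alerts.append(Alert(src, names, events[0][0], severity))
    return sorted(alerts, key=lambda a: a.first_seen)


if __name__ == "__main__":
    for a in detect_decoy_hits(SAMPLE_LOG):
        print(a)
```

In a real deployment the decoy inventory would be generated alongside the honeypots themselves, and the alert would carry enough context (the decoy's purpose, the source's asset record) for the responder to isolate the source host immediately rather than triage it.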
Disrupt: Breaking the Kill Chain Early
The Cyber Kill Chain describes the stages an attacker must complete to achieve their goals, beginning with reconnaissance, moving through exploitation, and ending with actions on objectives. Detecting an attack at an earlier stage reduces the risk to the business as well as the complexity and cost of restoring the organization’s environment to a clean and secure state.
Predictive Threat Intelligence
Preemptive security attempts to disrupt attacks early in the kill chain through the use of predictive threat intelligence and automated response. Feeding multi-source threat intelligence to AI for analysis increases the likelihood that early indications of malicious intent will be detected. Automated remediation enables the organization to quickly act on this information to prevent the attacker from successfully executing their intended attack.
Deny: Preventing Access to Data and Resources
The final pillar of preemptive security is focused on preventing the attacker from accessing the data and resources targeted in their attack. This can be accomplished via a combination of advanced obfuscation and preemptive exposure management.
Advanced Obfuscation
An intruder into an organization’s network usually has limited information about its layout and the locations of critical assets and information, forcing them to perform internal reconnaissance after they have gained initial access.
Advanced obfuscation applies the principles of the zero trust security model, which states that users, apps, and devices should only have the access required for their role. Since each access request is individually validated, users in a zero trust environment can only see assets that they can legitimately access.
The organization can go further to thwart unauthorized users by “concealing” code and configuration information. A simple example of this would be to configure wireless access points (APs) not to broadcast their SSIDs so that only users who know the network name and password are able to see and access it. Shared drives and other resources can be made similarly “invisible” by requiring users to specify their names and locations in order to access them.
Preemptive Exposure Management
Traditional vulnerability management (VM) takes a one-size-fits-all approach, relying heavily on manual processes and prioritizing findings without considering their potential business impact. This approach is resource-intensive and does not scale, leaving organizations exposed to attack.
Preemptive security programs modernize VM through preemptive exposure management. Exposure management uses continuous discovery to offer up-to-date visibility into an organization’s risk exposure rather than the snapshots of traditional VM. Each identified vulnerability is validated through simulated attacks to ensure that it poses a real risk to the business and is actually exploitable. Finally, automated processes expedite and streamline the process of remediating real threats, closing security gaps before they can be exploited by an attacker.
Exposure management reduces the window during which an attacker can exploit a newly discovered and disclosed vulnerability. Since many attackers scan for and exploit vulnerabilities weeks, months, or years after a patch is released, exposure management shuts down these attacks before they happen.
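To make the difference between scanner output and exposure management concrete, here is an added example (not the article's or IONIX's code) of a triage step that combines the three inputs the text describes: whether a simulated attack confirmed the finding is exploitable, the business criticality of the asset, and how long a fix has been available. All assets, findings and weights are constructed for illustration; the ordering rule is that a validated, internet-facing finding on a critical asset always outranks an unvalidated one, and the score grows with the exposure window because attackers keep exploiting old, patched vulnerabilities.

```python
"""Exposure-management triage over a constructed asset inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Exposure:
    asset: str
    finding: str
    validated_exploitable: bool   # confirmed by a simulated attack?
    criticality: int              # 1 (low) .. 5 (business-critical)
    internet_facing: bool
    fix_available: Optional[date]  # date a patch/config fix shipped, if any


def exposure_window_days(exp: Exposure, today: date) -> int:
    """Days an attacker has had a known fix to reverse-engineer and exploit."""
    if exp.fix_available is None:
        return 0
    return (today - exp.fix_available).days


def risk_score(exp: Exposure, today: date) -> int:
    # Unvalidated findings are still tracked, but a confirmed one on the same
    # asset is weighted ten times higher so it cannot be buried by scanner noise.
    score = exp.criticality * (10 if exp.validated_exploitable else 1)
    if exp.internet_facing:
        score *= 2
    # Every further 30 days of open window adds weight (illustrative constant).
    score += exposure_window_days(exp, today) // 30
    return score


def build_remediation_queue(exposures: List[Exposure], today: date) -> List[Exposure]:
    """Highest risk first; ties broken by asset name for a stable queue."""
    return sorted(exposures, key=lambda e: (-risk_score(e, today), e.asset))


# Constructed inventory; the CVE id is a placeholder, not a real identifier.
TODAY = date(2024, 6, 1)
SAMPLE_EXPOSURES = [
    Exposure("web-01", "CVE-XXXX-PLACEHOLDER in TLS library", True, 4, True, date(2024, 1, 15)),
    Exposure("hr-db", "SMB signing not required", True, 5, False, date(2023, 6, 1)),
    Exposure("kiosk-07", "outdated browser build", False, 1, False, date(2024, 5, 20)),
    Exposure("vpn-gw", "default administrator credential", True, 5, True, None),
]


if __name__ == "__main__":
    for e in build_remediation_queue(SAMPLE_EXPOSURES, TODAY):
        print(f"{risk_score(e, TODAY):4d}  {e.asset:10s} {e.finding}")
```

Continuous discovery feeds this queue with new `Exposure` records as assets appear, and the validation flag is flipped only by an actual simulated attack; an unvalidated scanner hit on a low-value host lands at the bottom no matter how old it gets.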
Putting the 3 D’s Together
Each of the “3 D’s” has the potential to block incipient attacks against an organization. Deception causes attackers to miss their target, disruption breaks attack chains before they complete, and denial increases the difficulty of carrying out a planned attack. However, these techniques are even more effective when combined with one another due to the potential synergies between them.
For example, the predictive threat intelligence used for disruption may reveal that an attacker plans to exploit a novel vulnerability. On its own, this information is enough to disrupt the attack in progress, protecting the organization from any potential damage.
However, with knowledge of the intended attack, an organization may also be able to develop and deploy a patch for the issue or virtually patch it through firewall rules. This blocks not only this attack campaign but also any others using the same vulnerability.
Additionally, knowledge of the new attack vector could be fed into the organization’s deception engine to inform the creation of new deceptive machines, services, and accounts. This may allow the organization to snare attackers using that vulnerability and observe their actions. This may reveal new variations on the attack or other techniques used by the attacker, which can be used as additional threat intelligence and to inform new defenses.
Implementing Preemptive Security Through the “3 D’s”
Implementing any of the security technologies that make up the three D’s improves an organization’s protection against advanced cyber threats. A mature preemptive security program that includes all three takes advantage of the compounding effects to continuously improve the organization’s ability to deter attackers before they can execute their attacks.
Preemptive security depends on the ability to predict future attacks and rapidly implement defenses against them. The IONIX platform continuously scans an organization’s attack surface for potential exposures and validates them with high accuracy via simulated attacks and threat intelligence. To learn more about enhancing your organization’s security posture with the IONIX platform, sign up for a demo.