The concept of the security perimeter is outdated. But how do you make life harder for hackers?

The need for teamwork in information security did not arise yesterday: modern realities oblige us to join forces, whether we are talking about partners or competitors in the market, because ultimately the goal of information security is to protect the client. That is why, at the dawn of the Internet, various alliances and coalitions began to appear.

But almost none of them has proven large, persistent or influential enough to drastically change what is happening in the security of products and data. Moreover, the very nature of such cooperation, whatever the market conditions, runs directly counter to the concept of free competition. And in general, a joint search for exploits and ways to counter hackers is a vicious circle, because it is built on the tools for hacking the product, which can easily turn into banal industrial espionage dressed up in the noble goals of collective security. And why not just watch your direct competitor fight off a hacker attack? The classic: “I am sitting by the river, and the corpse of my enemy floats by.”

But this “corpse” then poisons the whole “river”: in the minds of potential customers, including the people who sign off on budgets and on the rollout of new solutions, it is not the names of the hacked companies that stick, but the concept itself. As a result, we still hear “clouds are dangerous”, “data is stolen daily” and so on.

And so we have a world where information, including information about information security, is valuable, closed, and shared extremely reluctantly. And for this reason hackers are winning, and winning with confidence.

Why do hackers win?

First: the exchange of information. Unlike commercial companies huddled in their own corners, the hacker community is very sociable and quite open. Attackers actively share information among themselves. Not always the key details, of course, but the fact itself stands: data circulates among gray- and black-hat hackers far more actively than it does between companies. Hackers have entire forums, channels and communities. Companies, at best, gather at a couple of conferences a year, where speakers, self-importantly clicking through slides on the big screen, talk about something that has been out of date for at least six months. And now that the world is paralyzed, this has turned entirely into recorded 15-20 minute talks that you simply watch online without any interaction.

Second, we are always lagging behind. It is impossible to foresee every attack vector and hacking method. We are on the side of the shield, not the sword, so the only thing left to us is to patch up security holes and make sure that this particular exploit, mechanism, scenario, or whatever else was used, never works that way again. A hacker can prepare his attack for weeks, carry it out in a minute, and you will be cleaning up its consequences for months. Or, as in the case of speculative execution on processors, you will never be able to fix the problem completely. And you are lucky if the attacker is a white hat who hands you all the data on exactly how he carried out the attack, and your data goes nowhere. And if not?

The walls came down and we woke up in a new world

Only the lazy have not heard of the “security perimeter”, and we are sure that almost everyone who has worked in IT has come across it in one form or another. Or has built one themselves.
The thing about the perimeter is that it is a relic of the ancient 80s. At some point a concept of information security built on the principle of a perimeter landed on the desks of forty or so CTOs of the big technology companies of the time, and they signed off on it … Or they invented it themselves. Or they borrowed it from the military. Not the point. The bottom line is that the perimeter no longer exists: COVID-19 killed it off, together with the arrival of mass remote work.

How were employees moved to full or partial telecommuting before? It was a step-by-step, well-rehearsed process. Access, often through a VPN; encryption; separate workspaces for such employees; and, of course, their isolation from the juiciest and softest parts of the company or project. Well, most of the time. Either employees who were entirely unimportant in terms of access were moved remote, or specialists trained for that kind of work. What do we have now?

Tunnels are now being stood up for millions of displaced remote workers around the world, but how many of them maintain even the basics of information hygiene and security on their home computers? How many have checked their passwords, or at least made sure their machines are fit to be connected to the corporate network?

And if earlier we had a distributed infrastructure of virtual machines, cloud disks and SaaS environments, which already made the level of security from site to site, to put it mildly, uneven, and from which the very concept of the “perimeter” was bursting at the seams, now that concept can be thrown in the trash. With so many potential holes and human factors, no perimeter is possible in principle.

And paid solutions for device protection, DevOps, SecOps and so on are far from a panacea, because essentially all of them stand on the shoulders of open source projects, with all the consequences that follow. Have you ever wondered why companies that spend hundreds of millions of dollars on such software are still subjected to cyber attacks and successfully hacked by some lone hacker or group?

We live in a world where a 100% effective solution simply cannot be bought, because it does not exist. And we get a paradoxical situation where a lone hacker can terrorize a specific company or even an entire sector. Simply because he is smarter, more capable and more attentive than any single engineer hired by those companies. Or because he just got lucky and found something in the source code that even the code's authors did not notice.

Such a paradoxical situation, where the tail does not just wag but spins the dog around its axis, is possible only in our native IT sphere and its networks 🙂

We are all in the same boat

In our opinion, the most valuable asset for modern hackers is IP addresses. They are like masks that ensure anonymity, and the more of them freely available, the better.

But we have all been living for a long time with a shortage of free addresses in the IPv4 space, and so far there has been no mass transition to IPv6. So each attacker has a limited pool of addresses available to him. And the further he goes, the more expensive they become, both in money and in labor.

We created our product with a simple thought: if you raise the cost of the “game”, it simply will not be “played”. If every attack on a target requires obtaining more and more new IP addresses, or even hunting for “clean” ones that have not shown up in the hacker's other “projects”, then we can significantly raise the price of entering and starting the “game”.

The very concept of banning IP addresses and building block lists is imperfect, and it will not save you from the truly ingenious guys who can bring a corporation to its knees. But it can cut off the bulk of hackers who work on their own, do not have huge resources, and value their time and money. Such a practice, in our opinion, can somewhat rebalance the current “rules of the game”, which have tilted noticeably towards the hacker community since the start of the pandemic: after all, the perimeter as a concept has, in effect, fallen. And nobody knows whether it will ever be restored at all.

Moreover, in other industries and spheres, such collectivization, where everyone openly shares information, is already working. Just remember how Reddit, under the slogan “To the moon!”, decided to punish the Wall Street short sellers. The foul-smelling wave that rose after the massive pumping of GameStop stock is still rolling around the world today; check the news.

The concept of a collectively formed and collectively verified ban list brings us back to the very beginning of the text: to the thesis that critical information must be shared. For a hacker, the IP address is critical; it is his entry point. For the company, information about the address from which an attack was carried out has no value and does not threaten its secrets in any way. We get a win-win situation in which the wolves are fed and the sheep are safe: not a single paranoid within the company will reproach you for leaking strategic data into the public domain, and yet we gain the ability to hit painfully at points that matter to attackers.
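To make the two ideas above concrete (raising the attacker's cost per IP address, and a ban list that is collectively formed and collectively verified), here is an added toy implementation. It is example code written for this page, not CrowdSec's code and not from the original post: every site name, log line, address and threshold is constructed. Each site runs a sliding-window brute-force detector over its own sshd-style log and reports the flagged addresses to a shared list; the shared list bans an address only when at least two distinct sites have reported it within a time-to-live, and it refuses reports of LAN or loopback ranges, so a single malicious or misconfigured participant cannot get an arbitrary address, or its neighbour's internal network, banned for everyone.

```python
# Added example (not CrowdSec's code, not from the original post): a toy
# crowd-verified IP ban list. Every site, log line, address and threshold
# below is constructed for the demonstration.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines from three hypothetical sites.
SAMPLE_LOGS = {
    "site-a": [
        "2021-02-01T10:00:01 sshd: Failed password for root from 198.51.100.7",
        "2021-02-01T10:00:07 sshd: Failed password for admin from 198.51.100.7",
        "2021-02-01T10:00:12 sshd: Failed password for root from 198.51.100.7",
        "2021-02-01T10:01:00 sshd: Failed password for root from 203.0.113.9",
        "2021-02-01T10:01:30 sshd: Failed password for root from 203.0.113.9",
        "2021-02-01T10:02:00 sshd: Accepted password for alice from 192.0.2.44",
    ],
    "site-b": [
        "2021-02-01T10:05:00 sshd: Failed password for root from 198.51.100.7",
        "2021-02-01T10:05:03 sshd: Failed password for root from 198.51.100.7",
        "2021-02-01T10:05:09 sshd: Failed password for root from 198.51.100.7",
        "2021-02-01T10:06:00 sshd: Failed password for root from 10.0.0.5",
        "2021-02-01T10:06:02 sshd: Failed password for root from 10.0.0.5",
        "2021-02-01T10:06:04 sshd: Failed password for root from 10.0.0.5",
    ],
    "site-c": [
        "2021-02-01T10:00:00 sshd: Failed password for root from 192.0.2.200",
        "2021-02-01T10:10:00 sshd: Failed password for root from 203.0.113.9",
        "2021-02-01T10:10:00 sshd: Failed password for root from 192.0.2.200",
        "2021-02-01T10:10:20 sshd: Failed password for root from 203.0.113.9",
        "2021-02-01T10:10:40 sshd: Failed password for root from 203.0.113.9",
        "2021-02-01T10:20:00 sshd: Failed password for root from 192.0.2.200",
    ],
}

FAIL_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for \S+ from (?P<ip>[\d.]+)$")

# Ranges a home or office LAN could leak into a shared list. The sample data uses
# RFC 5737 documentation addresses, which ipaddress's is_global would also reject,
# so a real deployment would simply check addr.is_global instead of this list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def parse_failures(lines):
    """Return (timestamp, ip) for every failed-login line; other lines are ignored."""
    out = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["ip"]))
    return out


def local_detections(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window detector: flag an IP once it has `threshold` failures
    inside `window`. Returns {ip: time_of_detection}."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


class CommunityBanList:
    """Shared list fed by independent sites. An IP is banned only when at least
    `min_reporters` distinct sites reported it within `ttl`."""

    def __init__(self, min_reporters=2, ttl=timedelta(hours=24)):
        self.min_reporters, self.ttl = min_reporters, ttl
        self._reports = defaultdict(dict)   # ip -> {site: last report time}

    def report(self, site, ip, when):
        if any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE):
            return False                     # refuse LAN/loopback addresses
        self._reports[ip][site] = when       # one vote per site, latest wins
        return True

    def supporters(self, ip, now):
        return {s for s, t in self._reports.get(ip, {}).items() if now - t <= self.ttl}

    def is_banned(self, ip, now):
        return len(self.supporters(ip, now)) >= self.min_reporters

    def banned(self, now):
        return sorted(ip for ip in self._reports if self.is_banned(ip, now))


def build_demo(now_iso="2021-02-01T12:00:00"):
    """Run every site's detector, push its verdicts to the shared list and
    return (banned IPs as of `now_iso`, reports the list refused)."""
    now, shared, refused = datetime.fromisoformat(now_iso), CommunityBanList(), []
    for site, lines in SAMPLE_LOGS.items():
        for ip, when in local_detections(parse_failures(lines)).items():
            if not shared.report(site, ip, when):
                refused.append((site, ip))
    return shared.banned(now), refused


if __name__ == "__main__":
    print(build_demo())   # (['198.51.100.7'], [('site-b', '10.0.0.5')])
```

Running it shows the three properties the text argues for: 198.51.100.7 is banned because two independent sites saw it brute-forcing; 203.0.113.9 is reported by only one site and stays off the list; the report of 10.0.0.5 is refused outright; and 192.0.2.200, whose three failures are spread over twenty minutes, never crosses the local threshold. Because votes expire with the TTL, calling `build_demo("2021-02-03T00:00:00")` yields an empty ban list, which is what keeps a shared list from accumulating addresses that have long since been recycled to innocent users.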

This is exactly why we are working on CrowdSec, and we invite everyone else to join us in building ban lists. Simply in order to make the Internet, and our world in general, cleaner and safer with minimal effort.
