For over 2,000 years, people have leveraged elevated terrain, or “high ground,” to gain a strategic advantage over enemies and protect their realm. The Chinese “Art of War” suggests high ground as a strategic position that provides a wide point of view with full visibility over the landscape. In medieval Europe, castles and fortresses included towers and walls designed to provide structural advantages for positions of troops and weaponry which could be thrown or fired from above.
One would expect that in our modern age, organizations would continue to leverage their strategic assets to gain an unfair advantage over their adversaries. Specifically, enterprises have full control over their infrastructure, such as servers and user devices, that could be used to win in cybersecurity. However, it seems that cyber adversaries have gained the upper hand over the defenders and that there’s a strong asymmetry between attackers and defenders, in the favor of attackers.
A Huge Attack Surface Gives Attackers The Upper Hand
Defenders have to protect a huge attack surface with multiple points of failure. The biggest gap relates to users and their devices. There are many different types of users, each with their own set of apps, operating systems, policies and different personalities/understanding of security. It’s almost impossible to successfully defend the operating system (OS) running on a user’s device. It’s like an old, huge castle built a thousand years ago. From the outside, it might look impressive, but the walls are crumbling, there are hundreds of different gates and windows through which one could enter, hidden back doors and tunnels built by the owners, and no one can really check the people coming in and out.
Windows was built 30 years ago and has ~40 million lines of code (estimate), not to mention the huge volume of software running on top of Windows: middleware like .NET/Java/ActiveX, custom enterprise applications, device drivers, secret features and configuration options that no one has heard of, and a need to be backward compatible.
The attackers only need to find one vulnerability to be able to get in. The defenders need to protect all of these entrances, a herculean/impossible task. On top of this, even without a vulnerability, the user might make a single mistake that will open the doors for or share critical sensitive information with the enemy. Users are not well-trained.
A typical enterprise security team is still very limited in its capacity. The attacker could be anyone with an Internet connection and enough motivation. From hacktivists to script kiddies to organized crime and nation-sponsored, well-funded hackers. Their techniques are constantly evolving, they are well-organized, trained, have a thriving community of information/tool sharing and can work behind a veil of anonymity.
If the attackers make a mistake, they might still get away with it. If an enterprise gets breached, it could face devastating losses to revenue and reputation. Attackers find new unexpected paths into the OS all the time and think out of the box. Defenders are typically using the same techniques with incremental changes over time.
Attackers leverage the OS on a user’s device as a “front base” inside the corporate network. It’s a strategic location for attackers with by-design access to both the enterprise crown jewels and a command-and-control server on the Internet. The OS also provides attackers with a persistent foothold, as malware can be stealthily resident in the OS, surviving reboots. Modern operating systems (typically Windows) are familiar ground for which attackers already have a variety of tools.
Reduce Your Attack Surface To Win
It’s time for defenders to step out of the conventional terrain and leverage their home court advantage. The defenders control the terrain of their enterprise. They should plant the right infrastructure in place to flip the asymmetry. Defenders could build an invisible defensive layer out of attacker reach, a strategic point that has a very narrow attack surface and can oversee the entire endpoint battle.
Hysolate enables enterprises to grab the higher ground on endpoints. It seamlessly splits endpoint devices into multiple, completely separate zones. Hysolate builds endpoints atop a bare metal hypervisor platform that sits below the device operating system. Everything an end-user does happens in isolated, local virtualized operating systems running side-by-side on the same device—for example, one that’s locked-down and limited to privileged resources and another for corporate day-to-day work, including email and Internet browsing, where users can access, install, and work with the websites, apps, external devices like USBs, and cloud services they need.
With Hysolate, the defenders can see their whole terrain–everything in all virtual OSes on their device– but attackers can only see the “unlocked” VM that they penetrated. They don’t even know anything else (e.g., the ‘spoils’ that they hoped to get by initiating the attack) exists on the endpoint.
This approach disrupts the entire attack lifecycle:
- Penetration: On a normal Windows machine, attackers use OS-specific attack vectors (e.g., Windows vulnerabilities) to get in. With Hysolate: the attacker only penetrates the Internet VM and never reaches the sensitive VM. The Internet VM could also actually be unfamiliar ground for attackers as it may run non-Windows OS (e.g. Linux).
- Installation: Normally, attackers hide within Windows and elevate privileges to gain admin rights. With Hysolate, attackers constantly lose their persistence due to VM revert to snapshot / non-persistence.
- Propagation: Typically, a user device is allowed access to multiple network segments (e.g., both Internet and enterprise crown jewels). With Hysolate, attackers are only able to propagate in the Internet VM network zone and never reach the corporate/sensitive zones.
- Action: A Windows device allows attackers to impersonate the user and act in his name, causing havoc. It’s extremely hard for the defenders to distinguish between legitimate user and attacker actions given the volume of activity. With Hysolate, attackers do not assume your privileged identity and cannot transport stolen data out of the sensitive zone.