The Mean Time to Detect (MTTD) an adversary is embarrassingly high. The 2021 IBM Cost of a Data Breach Report (page 6) puts the average time to identify and contain a data breach at 287 days, and the longer a breach takes to identify and contain, the more it costs.
Traditional layers of cybersecurity are an indispensable part of a multi-layered defense-in-depth strategy, and they are highly effective at detecting and blocking known threats. However, we regularly find that adversaries still manage to bypass these traditional layers of defense undetected.
How can we detect the adversary early and reduce the MTTD? Is there value in reducing MTTD? Can we help customers learn about the tactics, techniques, and procedures (TTPs) the adversary is using against them? Can we burn down the return on investment of new zero-days? Can our solution drive up operational costs for the adversary?
Our capstone product, Kohana, attempts to address these challenges. Kohana is a distributed deception technology focused on protecting cloud assets through adversary engagement. We help customers operationalize their MITRE Engage™ playbooks. MITRE Engage is a new framework, released in February 2022, that will help standardize Adversary Engagement (AE) and create a strong market for solutions like Kohana. The premise of adversary engagement inverts the usual asymmetry between attacker and defender: the adversary only needs to be wrong once for us to detect and deny them.
Through adversary engagement, Kohana can meet the challenges we outlined above. With Kohana, customers can operationalize their AE playbooks to detect the presence of adversaries early, gather information about TTPs and potential zero-days to enrich threat intelligence, deny the adversary success, and ultimately drive up operational costs for the adversary.
- Cal Cybersecurity Research Fellowship from UC Berkeley’s Center for Long-Term Cybersecurity (CLTC)