The classic spring-loaded mousetrap was first patented by William C. Hooker in 1894. Since then, many have argued over how humane the contraption is, feeling it would be kinder to trap and release the mouse. But no matter what type of trap you use, the goal is ultimately the same: get the mouse out of the house.
A mousetrap can also serve as an analogy for cybersecurity. As with catching a mouse, in cybersecurity you have to consider the appropriate action to keep a threat actor out of your environment. Should you catch and release, or should you terminate them? Both methods have their flaws and their benefits, which we’ll discuss in this article.
For the purposes of this analogy, the threat actor in a cybersecurity context can be viewed as the mouse entering a house. When a threat actor enters your environment, the first goal is to detect that they are there; this is the equivalent of the mouse touching the spring on your mousetrap and triggering your response. The next aim is to ensure that they are fully within the scope of your mitigation, whether that is the poison or the cage. Just as a mouse can sense the danger of a trap, a savvy threat actor can detect when they are being monitored and attempt to move away from the threat, or establish a persistent presence to evade whatever response is being considered. The key is to respond fast enough to avoid evasion and stealthily enough to avoid detection.
After a threat actor has been detected, a security solution typically has two courses of action: either detect and record, or terminate and recover. Both correspond to how the mouse would be dealt with in the mousetrap analogy. So, how do you know which approach to choose?
Detect and record
Once a threat actor is detected, determining their motives, techniques and mission may be the primary concern for an organisation. Live detection and monitoring of an active intruder on your systems carries its own risks, so many organisations use honeypots to snare a threat actor and keep them away from genuinely sensitive resources. The results of monitoring can be used to mitigate security risks and ultimately build better defences for the future. Unfortunately, neither the monitoring approach nor the logging approach has an end game by itself. At some point, a threat actor's access must be terminated or shunted; it is a matter of when. Is simply terminating the activity better than using the incident as an opportunity to collect forensic data? More on this in a moment.
Terminate and recover
This is the typical approach for most security solutions. If you find malware, an inappropriate process or a blacklisted application, the typical response is to terminate the resource immediately. The difference between this and a threat actor’s access is important: just terminating an application does not stop a threat actor, it only stops their current activity. The method they used to gain entry (or are currently using to probe your environment) could easily still be present and fully active, and the only way to determine this is through monitoring and logging. While terminating and recovering is a valid step for many security events such as malware, it is not a good immediate response to every detected inappropriate activity. In that case, you would potentially be swapping the pistol in our mousetrap for a machine gun, and the results could be catastrophic.
By now it should be clear that both of these actions should always be done in tandem. Acknowledge your mouse before you get rid of it. Knowing its specifications – for example, its weight and size – will help you determine whether it is a new mouse or a persistent threat actor that you’ve previously encountered and can’t seem to get rid of.
In the case of cybersecurity, collate as much information as you can about the process or resource you plan to terminate and potentially reinstate as a “clean version”. This could take the form of security events for your SIEM or logs for your log management system. If termination becomes a periodic action, the details from this data collection will help determine how the threat actor maintains their persistent presence. Correlating the two, the record you kept and the termination you carried out, will become the foundation for your better mousetrap.
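As an added illustration of the point above (not code from the original article), the following Python models both halves of the argument: a terminate action that refuses to proceed until a SIEM record has been built, and a check over the accumulated records that flags a binary reappearing at a regular interval on the same host as a persistence candidate. The events, hosts, paths and hashes are constructed placeholders, and the field names are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: the fields a "terminate" action should capture before
# the kill. Hosts, paths and hashes are placeholders, not real indicators.
TERMINATIONS = [
    {"ts": "2024-01-10T02:10:00", "host": "ws-17", "user": "bob",
     "path": "C:\\Users\\Public\\upd.exe", "sha256": "PLACEHOLDER_HASH_A",
     "parent": "schtasks.exe"},
    {"ts": "2024-01-11T02:10:05", "host": "ws-17", "user": "bob",
     "path": "C:\\Users\\Public\\upd.exe", "sha256": "PLACEHOLDER_HASH_A",
     "parent": "schtasks.exe"},
    {"ts": "2024-01-12T02:10:02", "host": "ws-17", "user": "bob",
     "path": "C:\\Users\\Public\\upd.exe", "sha256": "PLACEHOLDER_HASH_A",
     "parent": "schtasks.exe"},
    {"ts": "2024-01-11T14:00:00", "host": "ws-03", "user": "alice",
     "path": "C:\\Temp\\one-off.exe", "sha256": "PLACEHOLDER_HASH_B",
     "parent": "explorer.exe"},
]

REQUIRED = ("ts", "host", "user", "path", "sha256", "parent")

def siem_record(event):
    """Serialise the event for the SIEM *before* the process is killed; refuse to
    proceed if a field is missing, since a kill without a record teaches nothing."""
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError(f"refusing to terminate without recording: {missing}")
    return json.dumps({**event, "action": "terminate"}, sort_keys=True)

def find_persistence(events, min_count=3, max_jitter=timedelta(minutes=10)):
    """Group terminations by (host, sha256); a binary killed and returning at a
    near-constant interval looks like a scheduled task or service, i.e. persistence."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["sha256"])].append(e)
    findings = []
    for (host, sha), evs in groups.items():
        if len(evs) < min_count:
            continue
        times = sorted(datetime.fromisoformat(e["ts"]) for e in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:  # regular cadence, not random
            findings.append({"host": host, "sha256": sha, "count": len(evs),
                             "period_hours": round(gaps[0].total_seconds() / 3600, 1),
                             "parents": sorted({e["parent"] for e in evs})})
    return findings
```

On the sample data, `find_persistence(TERMINATIONS)` reports only the ws-17 binary (three kills, roughly 24 hours apart, spawned by schtasks.exe), which is the signal that the actor's foothold survives each termination.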