Thomas Phillips drew on his unique background to develop an original approach to cybersecurity – interactive deception. Ridgeback Network Defense’s co-founder and CTO has not only spent 30 years developing software but also has extensive experience in both offensive and defensive hacking. He studied computer science and psychology in college and is a military veteran. As a consequence, Phillips sees the world from a number of different perspectives. He sees things in terms of what’s possible, what you can compute, what’s probable and what it costs to compute. He thinks in terms of what people are like and what they do. His military background allows him to frame cyber events in terms relating to armed conflict.
Over his more than thirty years in software development, Phillips witnessed the evolution of computers and networks. In the beginning, computers and IT systems were designed to be easy to use. Computing became ubiquitous in the workplace, while software tools became ever more complex and interconnected – but securing IT systems was always an afterthought. This has brought us to the serious cybersecurity dilemma we’re experiencing now.
Phillips said we will soon reach a point where, if we don’t do something dramatic about security, the losses from cybercrime could exceed the benefits we associate with information technology. For example, Equifax stock lost $6 billion in value almost overnight when its breach was made public, without taking into account the many aftereffects still to be counted. And it’s getting worse – the cost for hackers to develop their attack vectors and prosecute their attacks is going down while the cost to defend systems is ramping way up. Moreover, with well-understood compliance requirements and defensive solutions, we are training the bad guys. They are extremely capable of staying ahead of the good guys, using their knowledge to breach networks and commit cybercrime.
We all have our stories about a security incident. Here is Phillips’ story:
“I was responsible for a server and noticed it was going slow. I went on the server and found a lot of curious processes and realized someone had come in and compromised the server. I thought I’d start cleaning it out, but I was at a tremendous disadvantage because I’m sure they had a bunch of automated controls. Every time I thought I had something cleaned up, 60 seconds later they took it back. This wasn’t just an automated attack; someone was coming into the system through backdoors. I eventually lost control of the server.”
It was this lack of control over the system and the hackers that jumpstarted Phillips’ approach to cybersecurity.
Cybersecurity is all about control. Cybercriminals want to take control of our systems and data. We want to keep control of our systems and data. In IT, the bottom line is to not let an adversary gain any control over our systems.
It sounds simple; yet, organizations continue to fail at cybersecurity, resulting in the massive attacks we see today. That’s because, with increasing connectivity and endpoints, there are infinite ways for adversaries to get into our networks and access our data. As with military strategy, we need to consider all of the potential ways the bad guys can gain control of an area and protect that area. We define the approaches and set up our defenses.
Except, with all of the entry points in a complex network, we just don’t have a comprehensive understanding of the many avenues of approach. The fact that cybercriminals are able to use many of the security tools in place and reverse engineer them to their advantage makes cybersecurity even more challenging.
So – the traditional approach, protecting perimeters and attempting to detect breaches after the fact, is failing. It’s time to change the way we are looking at the problem and make the job of our adversaries difficult, extremely difficult. It’s time to take control over our networks.
With this in mind, Phillips decided to focus on deception rather than detection:
“I wanted to change what the adversary sees. I wanted a tool that would change the odds of this game of control. But I knew I could never know who was good or bad on the network. Instead, I had to change what the adversaries saw.”
However, the tools that were out there were difficult to install or maintain or integrate with other systems and tools. Phillips again turned to military and psychological strategy, this time drawing on Sun Tzu’s The Art of War:
“Reduce hostile chiefs by inflicting damage on them; and make trouble for them, and keep them constantly engaged; hold out specious allurements, and make them rush to any given point.”
To begin with, Ridgeback’s interactive deception approach tricks adversaries. Instead of a finite network environment, what they see are billions of fake assets, automatically generated by Ridgeback’s system. As they plan their movement through the target network, the adversary will come into contact with the spoofed resources. The probabilities guarantee it. Once a Ridgeback phantom is contacted, Ridgeback automatically isolates the compromised hosts that are trying to break into endpoints and expand their presence in a search for the treasure they seek – so the threat is effectively extinguished. Ridgeback gets its name from the Rhodesian Ridgeback, a dog breed originally bred to protect farmers’ flocks in southern Africa. Ridgebacks are capable of killing lions.
The tools developed by Ridgeback follow Phillips’ principles of defense:
• Be able to see in real time what’s in the network.
• Influence adversary behavior.
• Automatically trigger countermeasures.
• Extinguish threats in real time.
• Be easy to install, maintain, and integrate.
“When you are trying to take control back, it is your machine and you don’t want a fair fight,” said Phillips.
“If your life is on the line, you don’t want a fair fight. You want to make sure the adversary loses. And you should think the same way about your assets. You shouldn’t take a passive role. You should say this is mine and you won’t let anyone else take over your server.”