GUEST ESSAY: Here’s why castle-wall defenses utterly fail at stopping deceptive adversaries

By Ofer Israeli

When it comes to cyber attacks, most businesses think: “It could never happen to us,” but some plots are just hitting a little too close to home.


For instance, if you’ve ever played Grand Theft Auto, you know the goal is quite simply mass destruction: Use whatever resources you have at your disposal to cause as much damage as you possibly can and just keep going.

Not familiar with Grand Theft Auto? Let’s try Super Mario Bros. then. As Mario makes his way through eight increasingly difficult worlds, each of them is protected by a castle. As Mario reaches the end of each castle, he can defeat Bowser.

This is not unlike the mindset of modern cyber attackers – they’re wreaking havoc and becoming pros at finding ways to get away with it. Living-off-the-land (LotL) attacks give adversaries a way to stay under cover. Attackers use tools and features that are already present on the systems they target, so their activity looks like that of legitimate users — until they steal your crown jewels.

But you can fight back. There are several methods of active defense that companies can use to safeguard their networks, and it’s time for CISOs to start picking. To date, the main goal has been to prevent attackers from breaching your defenses and making their way into the castle, but the reality is that this approach is flawed.


Attackers will get in; it’s only a matter of time. Traditional network security solutions, such as firewalls, are not effective at detecting and stopping lateral movement – and that’s where the real damage is done. Many forms of access control and endpoint protection, such as EDR, are nothing more than a checkpoint that provides unfettered access once defeated – like Mario raising a flag after beating a level.

To take the analogy further, only after defeating Bowser does Mario learn that it wasn’t the real Bowser after all and that “our princess is in another castle.” Rather than just keeping Mario out of the castle entirely – i.e. deploying traditional perimeter defenses – in this scenario Bowser deployed a form of advanced threat protection by sending Mario on a wild goose chase.

Much like modern day deception technology, Bowser successfully led Mario to accept an incorrect version of reality, forcing him to expend effort and energy time and again, all without reaching the princess.

The simplest way to stop a “Bowser” is adopting proper cyber hygiene. Building a routine around cyber hygiene keeps systems healthy through practices that continually make it harder for cybercriminals to cause security breaches, install malware or steal personal information.

In addition, cyber hygiene improves incident response if an attack does succeed. Organizations can invest in automated cyber hygiene that preempts and deters malicious lateral movement by discovering and eliminating network policy violations, rogue credentials and connections, and attack pathways to the crown jewels.
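To make the idea of an “attack pathway to the crown jewels” concrete, here is an added example (not part of the essay, and not Illusive’s code): it models cached credentials and admin rights on a handful of hosts as a graph, finds the shortest lateral-movement chain from a workstation to a database server, and shows that purging one rogue cached credential removes the path. All host names, account names and the inventory are constructed sample data.

```python
from collections import deque

# Constructed sample inventory (not real data): credentials cached on each host.
CACHED_CREDS = {
    "workstation-1": {"alice", "svc-backup"},  # svc-backup should not be cached here
    "workstation-2": {"bob"},
    "file-server": {"svc-backup", "dbadmin"},
    "db-server": {"dbadmin"},
}
# Constructed: hosts on which each credential holds admin (logon) rights.
ADMIN_ON = {
    "alice": {"workstation-1"},
    "bob": {"workstation-2"},
    "svc-backup": {"workstation-1", "file-server"},
    "dbadmin": {"file-server", "db-server"},
}

def find_path(start, crown_jewel, cached, admin_on):
    """Breadth-first search over the credential graph.

    A hop host -> next_host exists when a credential cached on `host` has admin
    rights on `next_host`. Returns the shortest path as a list of
    (host, credential_used_to_reach_it) tuples, or None if no path exists.
    """
    parent = {start: None}  # host -> (previous host, credential used)
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host == crown_jewel:
            path = []
            while host is not None:
                prev = parent[host]
                path.append((host, prev[1] if prev else None))
                host = prev[0] if prev else None
            return path[::-1]
        for cred in sorted(cached.get(host, ())):
            for nxt in sorted(admin_on.get(cred, ())):
                if nxt not in parent:
                    parent[nxt] = (host, cred)
                    queue.append(nxt)
    return None

def remove_cached_credential(cached, host, cred):
    """Hygiene action: purge one cached credential; returns a new inventory."""
    pruned = {h: set(c) for h, c in cached.items()}
    pruned.get(host, set()).discard(cred)
    return pruned

if __name__ == "__main__":
    print("before:", find_path("workstation-1", "db-server", CACHED_CREDS, ADMIN_ON))
    cleaned = remove_cached_credential(CACHED_CREDS, "workstation-1", "svc-backup")
    print("after: ", find_path("workstation-1", "db-server", cleaned, ADMIN_ON))
```

Run as a script, it prints the three-hop chain through the file server first and `None` after the rogue cached credential is purged.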

As you can see, when it comes to ransomware and other sophisticated threats, stopping lateral movement is the name of the game. When organizations begin to think like an attacker by blocking this lateral movement, it’s “game over” for these cyber criminals – your princesses are counting on it!

About the essayist: Ofer Israeli is Founder and CEO of Illusive, a supplier of advanced network security systems. He previously managed development teams at Check Point Software Technologies and was a research assistant in the Atom Chip Lab focusing on theoretical Quantum Mechanics.
