Phone Number +1-202-802-9399 (US)

Thycotic is now Delinea!

The Lockdown

Thycotic’s Cyber Security Blog

The 6 D’s of Cyber Security Part 2

Written by Thycotic Team

April 14th, 2015

In last week’s article, we discussed the first three D’s of cyber security: Deter, Detect, and Defend. This week, we will discuss the remaining three security concepts that can help you reduce the risk of your organization facing potentially costly incidents due to external threats: Deflect, Document, and Delay.


Wouldn’t it be nice if an attacker went after a fake system instead of a system with your real data? It’s possible, all you have to do is set up a honeypot, which is with a fake system with fake sensitive data, specifically made to attract attackers and divert them from your real data. Honeypots are widely used today. By attracting attackers with desirable data and sub-par security, system administrators can monitor the attackers’ behavior on the honeypot while the rest of the network is isolated and protected by a firewall. Honeypots come in several variations, each ranging in cost to maintain and effectiveness in simulating a real machine. The cost will depend on how much insight and monitoring you will want for behaviors happening within the honeypot.


Always document incidents, whether they were successful attacks that did damage or not. A large number of data breaches in 2014 were revealed to the public months after the attackers gained access and stole the information already, proving that documenting incidents is important even if they seem small and insignificant.

If an incident occurs, you should record this type of information:

  1. IP address that was connecting to the machine (the attacker’s machine)
  2. IP address of the machine that was being connected to (which server was being attacked?)
  3. Type of attack
  4. Date and time the attack occurred
  5. Logs generated from the incident

Using this information, you can notice patterns in an attacker’s behavior, deduce his goals based on what type of attack he is attempting, predict his possible next moves, and filter logs in the future to search for repeated attacks of the same type.


Every wall an attacker hits on his way to your sensitive data slows him down – that is why it is a good idea to practice setting up layers of defense in case the first one fails. A firewall facing the outside world is a good start, but depending on your organization, many ports can be open that are necessary to provide services to customers and keep business moving every day. So when an attacker finds his way past this first layer of defense, what happens next? There should be more obstacles in his way before he gets to the sensitive data he wants.

Access control lists help restrict who can log on to systems and when, meaning an attacker may have trouble moving throughout a network without leaving a glaringly obvious trail of failed login records.

Long and complex passwords are a very basic delay tactic that are not used nearly often enough. They protect against password guessing, brute force attacks, and Pass the Hash attacks. Even if the attacker obtains password hashes and is attempting to obtain the plaintext passwords by using a cracking tool, it will take significantly longer for him to do this – meaning more time for you to change the password to something else.

While stopping an attack completely is desirable as opposed to merely slowing it down, buying your team time to react to the attack and follow your company’s incident response policy could very well allow for machines to be patched and passwords to be changed before the attacker has a chance to successfully extract any sensitive data.

While no company wants to take its systems offline, that may be necessary if you are under a serious attack, and you should have a plan for when you would do this and who makes the call. Doing so is the most effective way to stop many attacks and prevent an attacker from connecting to your system. Taking a system off of the network so attackers have no way to get into it is the best delay tactic there is, and buys you as much time as you need to patch the system and correct whatever vulnerabilities allowed the attacker to get in in the first place.

Want to talk security with our IAM experts? Next week we’ll be attending  RSA Conference in San Francisco. Stop by booth #2121 in the South Hall to discuss your 2015 security strategy and to meet our team.