Despite investments in security modernization and layered security controls, cyberattacks are consistently occurring – particularly during the COVID-19 crisis, as businesses operate with highly distributed workforces and security limitations related to remote working. Attackers continue to successfully infiltrate corporate networks, gaining access to valuable data that they can then steal or subject to ransom demands, which businesses are unfortunately paying more than 50% of the time. One primary reason for the success of these tactics is that there are detection gaps in the security controls ostensibly designed to stop them. Attackers simply know them too well, meaning defenders require new tools and tactics to derail their attacks successfully.
By Carolyn Crandall, Chief Deception Officer, Attivo Networks
Layered Defenses Have Helped, but Not Enough
One of the most encouraging things about today’s cybersecurity landscape is that more businesses and organizations have begun to recognize that it is essential to have layered defenses, rather than relying on a single security solution or strategy to fight attackers. The combination of tools like EPP, EDR, and deception technology, each designed to perform a specific function at a particular level of the network, has dramatically increased the defender’s ability to detect potential threats. One recent study has shown that merely combining deception technology with EDR technology can increase detection rates by an average of 42%.
A standard security setup today might look something like this: EPP effectively functions as an antivirus, weeding out known threats before they can enter the network. The next layer of defense, EDR, is there to catch more unusual threats that might slip past EPP, observing things like suspicious endpoint processes. Finally, there are tools like deception, which provide the in-network detection capabilities necessary to identify lateral movement, privilege escalation, and other signs that an intruder is already within the network. Deception — as its name implies — can also help confuse attackers by concealing valuable data, which has become an increasingly useful tool in the fight against attackers using advanced persistent threat (APT) tactics.
APTs and Ransomware 2.0
One of the reasons this type of layered defense has become more important is that the threat landscape has changed dramatically. In the past, ransomware attacks were often “smash and grab” operations, where attackers would begin encrypting whatever information they could get their hands on as quickly as possible and hope for the best. Today’s ransomware threats are more insidious: attackers will attempt to enter the network undetected and spend time conducting reconnaissance to identify the most valuable data. They will try to acquire credentials, often by targeting Active Directory, which they can then use to move throughout the network and escalate their attack.
The longer these attackers can remain undetected, the better the odds they will be able to identify, encrypt, and steal valuable data — and the more damaging the attack will be. Ransomware enters the network by circumventing perimeter defenses, targeting human beings with spear-phishing emails and other social engineering attacks designed to trick users into giving them a foothold on a network endpoint. For this reason, effective in-network defenses are more critical than ever when it comes to stopping ransomware. Attackers will conduct reconnaissance as part of their discovery tactics, and defenders can fight them by improving their ability to detect lateral movement—and by hiding and denying access to their data.
Concealing Your Data Is Easier Than You Think
There is a wide range of things that attackers may target, such as files, folders, removable storage, cloud or network shares, AD information, and more. Data concealment works by preventing attackers from finding these assets. After all, attackers can’t encrypt or steal what they cannot see. While having useful detection tools in place is a critical component of a layered defense, actively concealing the data from attackers takes the strategy one step further by preventing them from advancing or escalating their attack. InfoSec teams can automatically receive an alert to the presence of an attacker and isolate infected endpoints.
Better still, the ability to actively feed attackers fake data can not only derail their efforts but make them believe that their attacks are succeeding. If they are unaware that they have fallen for a trick, they will still attempt to carry out their attack, allowing defenders to gain additional information on their TTPs and IOCs, and enabling them to better prepare for future attacks. And while this sort of trickery is a great way to keep attackers off balance, it is important to note that it does not disrupt employee operations. Despite the fact that attackers will not be able to identify the data they are seeking, employees will be able to access it without complexity or any disruption to how they operate.
Concealing Your Data Makes the Attacker’s Life Harder
After infecting an endpoint system, ransomware will try to encrypt files and local, network, or cloud folders while attempting to steal credentials to further its attack. By hiding and denying unauthorized access to these assets, defenders can prevent lateral ransomware propagation and data encryption, dramatically decreasing the attack’s effectiveness. By improving detection capabilities to identify recon and lateral movement, defenders significantly reduce the time attackers have to gather intelligence on the network as well. Additionally, by steering the attacker into a deception environment, the defender can turn the attack on its head, stop it, and gather adversary intelligence on the intruder for remediating infected systems and fortifying defenses.
Combining this type of data concealment with effective perimeter defenses can put the finishing touches on a truly comprehensive approach to cybersecurity. Ransomware attacks have proven notoriously difficult to stop over the years, but by concealing the very targets that attackers are after, defenders can gain the power to give themselves a major advantage.
About the Author
Carolyn Crandall holds the roles of Chief Deception Officer and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Crandall has received many industry recognitions including Top 25 Women in Cybersecurity 2019 by Cyber Defense Magazine, Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), and for 9 years a Power Woman by Everything Channel (CRN).
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
