Contributed by Carolyn Crandall, Chief Deception Officer, Attivo Networks
Many will advocate that the cybersecurity battle is fought at the endpoint. Completely secure these devices and the attacker will not be able to advance their attack. This belief has fueled a new interest and focus on moving from endpoint protection (EPP) to endpoint detection and response solutions (EDR) as well as managed detection and response (MDR) solutions.
The threat landscape is rapidly changing, and organizations’ defenses need to change with it. The latest generation of sophisticated attackers have proven that they can evade anti-virus solutions and bypass traditional perimeter defenses. Given their ability to routinely compromise networks, it has become more important than ever to layer in a “Defense in Depth” strategy that includes prevention, detection, and response. In many cases, predictive measures are also becoming a factor, increasing the need for collection of threat intelligence, which may have been discarded with prior prevention-only approaches.
Unlike endpoint protection solutions, EDR is more than a single product or simple set of tools. The term covers a range of capabilities that combines monitoring, analysis, reporting, response, and forensic functions into a suite of defenses designed to respond to highly skilled attackers. By placing sensors and response capability on the endpoints, these systems are positioned to identify and stop an attacker while the attack is in play. The forensic capabilities in many EDR solutions also facilitate the ability to capture threat intelligence and to analyze an attack for identifying weaknesses in their existing defenses.
Despite the many enrichments found in EDR, a full Defense-in-Depth strategy requires more. EDR solutions from major providers such as Carbon Black, Cisco, CrowdStrike, Cybereason, FireEye, Symantec, Tanium, and others still have gaps related to the detection of in-network threats, discovery and inventory of endpoint assets, information sharing amongst security controls, and processes to minimize response times. Complementary technologies can close many of these gaps.
The deployment of deception technology as a complimentary technology alongside an EDR platform can play a significant role in closing these exposures. Most people will identify with deception as an efficient means for early and accurate detection of threats and for its role in reducing attacker dwell time. However, with advanced distributed deception platforms (DDPs), organizations can also gain visibility, asset discovery, and information sharing automations.
The following are four areas in which deception technology adds significant value when deployed with EDR platforms for Defense-in-Depth, or what Gartner, Inc. refers to as an “Adaptive Defense.”
In-network Detection and Visibility
Deception Technology enhances EDR defenses by quickly detecting threats that are moving laterally within the network, credential theft, and other forms of sophisticated attacks like man-in-the-middle compromises. By creating a synthetic attack surface based on skillfully crafted decoys designed to mirror production assets, organizations create an environment where an attacker is unable to differentiate between deception and real devices. This not only redirects them away from legitimate targets, but also proactively lures and entices them into engaging with the deception environment that will raise a real-time alert of their presence.
Detection strategies include placing breadcrumbs on the endpoints in the form of fake credentials, file shares, mimicked services, and decoy data that can quickly lure attackers into the deception environment where their actions can be recorded and studied without their knowledge.
Discovery and Tracking of Endpoints
To prepare, deploy, and operate deceptions, modern-day DDPs use machine self-learning to understand new devices coming on and off the network, along with their profiles and attributes. Originally designed for creating authenticity, this information also provides security teams with powerful knowledge of adds and changes to the network. This has proven invaluable for detecting unauthorized personal devices, IoT, and other less-secure devices being placed on the network, or devices added with malicious intent. In addition to device visibility, platforms also come with the ability to alert on exposed credential attack paths. Exposed and orphaned credentials, along with system misconfigurations, are often the opening needed for an attacker to gain a foothold. The insight provided in topographical maps not only reduces risk but eliminates hours of manual processing work.
Information Sharing
By using high-interaction decoys, security teams can gather detailed forensic analysis on their attacker. Following the initial detection, deception technology safely collects and automatically correlates attacker TTPs, IOCs, and counterintelligence for insight into attacker capabilities, goals, and the information they are seeking to exfiltrate. With 3rd party integrations, IOC information can be shared automatically with EDR solutions and used to accelerate incident handling, threat hunting, and remediation.
Automated Incident Response
DDP solutions will also now facilitate the automation of incident response, which can be critical for high severity alerts. With native integrations, security teams can set the deception platform to automatically trigger endpoint isolation, blocking, and threat hunting, saving critical time in stopping the spread of an attack and the harm it can inflict. Some solutions will also integrate with EDR management tools, further simplifying the view and response to threats.
Coupled with conventional perimeter defenses and EDR on the endpoints, a deception platform complements and enhances ones Defense-in-Depth strategy, make an attacker’s job radically more difficult, and often serve as a deterrent that drives them to pursue an easier target.
The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
