By Carolyn Crandall, Chief Deception Officer and CMO at Attivo Networks
Every device that connects to a network creates a security risk. Many forms of defenses are designed to protect these endpoints, including anti-virus, firewalls, HIPS, endpoint detection and response (EDR), and other forms of access control. Most of these solutions require installed agents to manage authorization and authentication, track device activity, and detect and remove viruses and malware. Despite the effort applied to endpoint protection and EDR solutions, they are inherently insufficient. Even if you could find every endpoint, manage every agent, and keep every device consistently patched, there are fundamentally too many attack vectors to keep up with.
However, what if you were able to change the game and create an environment where every path an attacker takes to move off a system leads them away from their target and into a deception environment? What if every endpoint became a decoy? What if you could lock down the lateral movement of an attacker so that they could not conduct network discovery, Active Directory reconnaissance, credential theft, Man-in-the-Middle attacks, or service exploitation? Does this seem far-fetched? With modern cyber deception, it is not a vision but a capability that is available today.
The Attivo Networks ThreatDefend Cyber Deception Platform brings forward innovation that changes the game so that attackers can’t successfully break out from the endpoint. The solution works by not only interweaving deception throughout the network but also by making every endpoint a decoy designed to disrupt an attacker’s ability to break out. It also does this without requiring agents on the endpoint or disruption to network operations. The attack methods that the solution derails include, but are not limited to:
- Stealing local credentials
- Looking for file shares and connected systems
- Network reconnaissance to find production assets and the services available on those hosts
- Active Directory reconnaissance that queries AD for privileged domain accounts, systems, and other high-value objects
- Man-in-the-Middle attacks where attackers steal credentials in transit
The benefits are material in detecting threats early and accurately. In a recent EMA survey, deception customers cited 5-day dwell times and high confidence in detecting threats. These results reflected a more than 90 percent improvement over non-deception technology users. Survey respondents also cited deception as the top tool of choice for detecting insider threats compared to 12 other security controls. Insiders using legitimate credentials are often hard to detect. Deception reduces this risk by removing exposed attack paths and through the use of decoys, which are extremely effective in detecting policy violations and attempts at unauthorized access.
What you need to know
A modern cyber deception platform provides the ability to lock down lateral movement from the endpoint in an efficient and agentless manner. This capability results in early detection of threat activity and in the facilities to gather company-centric threat intelligence for stopping an attack, threat hunting, and faster remediation. One should not view cyber deception as a replacement for prevention controls, but instead as a force-multiplier in that it can detect threats from all vectors, do so non-disruptively, and through native integrations share attack data for automated system isolation and remediation.
Deception credentials are installed on endpoints and appear identical to those of the system user. They are crafted to mirror-match real credentials and are dynamic, so that their timestamps refresh. Notably, the solution can also plant cloud deceptions to improve identity and access management.
Endpoint deceptions can be deployed with such a high degree of authenticity that even advanced Red Teams and tools like HoneypotBuster can’t tell the difference. When an attacker attempts to use a deception bait, the deception platform raises a high-fidelity alert, and the credentials breadcrumb the attacker into the decoy environment, where defenders can study the forensics and attack activity.
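The reason a decoy-credential alert is high fidelity is that a planted credential has no legitimate user: any authentication attempt with it is, by construction, either an attacker or a misconfiguration. The following Python is an added example (not code from the article or from the Attivo platform) that runs a simple honeytoken detector over constructed logon events. The decoy account names, host names, and the key=value event format are assumptions made for the example; it also distinguishes use from the host where the bait was planted (credential read locally) from use elsewhere (credential stolen and replayed), which is the lateral-movement signal the article describes.

```python
"""Honeytoken (decoy credential) detection over sample logon events.

Added illustration, not the article's or the vendor's code. Decoy
accounts are never used legitimately, so any logon attempt that names
one is treated as an alert rather than as a candidate for correlation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical decoy registry: account -> endpoint where the bait was planted.
DECOY_ACCOUNTS: Dict[str, str] = {
    "svc_backup_adm": "WS-0142",
    "fileshare_ro": "WS-0142",
    "sql_maint": "WS-0077",
}

# Constructed sample events in a key=value format (not real log output).
SAMPLE_EVENTS: List[str] = [
    "ts=2021-03-04T09:12:01Z event=4624 user=alice src=WS-0142 dst=FS-01 status=success",
    "ts=2021-03-04T09:15:44Z event=4625 user=svc_backup_adm src=WS-0142 dst=DC-01 status=failure",
    "ts=2021-03-04T09:16:02Z event=4624 user=svc_backup_adm src=WS-0142 dst=DECOY-FS-03 status=success",
    "ts=2021-03-04T10:01:10Z event=4625 user=sql_maint src=WS-0099 dst=DC-01 status=failure",
    "ts=2021-03-04T10:02:33Z event=4624 user=bob src=WS-0099 dst=FS-01 status=success",
]


@dataclass
class Alert:
    ts: str
    account: str
    source_host: str
    target_host: str
    planted_on: str
    severity: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify(fields: Dict[str, str], decoys: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event uses a decoy account, otherwise None.

    Success or failure of the logon does not matter: the attempt itself
    is the signal, because nobody is supposed to know the decoy exists.
    """
    user = fields.get("user", "")
    if user not in decoys:
        return None
    planted_on = decoys[user]
    src = fields.get("src", "?")
    dst = fields.get("dst", "?")
    if src != planted_on:
        # The credential left the endpoint it was planted on: stolen and replayed.
        severity = "critical"
        reason = "decoy credential used from a host it was never planted on"
    else:
        severity = "high"
        reason = "decoy credential used from the planting host"
    return Alert(fields.get("ts", "?"), user, src, dst, planted_on, severity, reason)


def detect(lines: List[str], decoys: Dict[str, str] = DECOY_ACCOUNTS) -> List[Alert]:
    """Run the detector over event lines and return alerts in log order."""
    alerts: List[Alert] = []
    for line in lines:
        alert = classify(parse_event(line), decoys)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.ts} {a.account} {a.source_host}->{a.target_host}: {a.reason}")
```

Running the block yields three alerts for the five sample lines: two for `svc_backup_adm` from its planting host (one failed attempt against a domain controller, one successful logon to a decoy share) and one critical alert for `sql_maint`, which was planted on WS-0077 but appears from WS-0099. The two legitimate user logons produce nothing, which is the point: a decoy detector has no baseline to learn and no threshold to tune.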
Deceptive mapped shares attract an attacker into the decoy environment, generate an alert, and, through native integrations with existing endpoint solutions, can automatically quarantine the infected system from the network. The solution also proactively stalls the attack by feeding the attacker reams of data, so that they remain occupied and security teams gain valuable time to respond.
Network discovery gets derailed as the deception fabric interweaves decoy endpoints throughout the environment, with support for real Microsoft Windows, Linux, and Mac OS systems and a wide variety of applications. Running endpoint and network deceptions together provides the most comprehensive and in-depth detection, so for optimal protection organizations typically deploy both.
Active Directory queries get derailed as the deception solution hides real credentials and system data and returns deceptive content, creating an altered reality for the attacker. In this case deception ventures into prevention, as even the mere act of observation can trigger an alert. This method of prevention is also invaluable in that attackers can no longer trust what they see or the tools they typically rely on.
Lateral paths based on exposed or orphaned credentials can be identified and remediated quickly, shutting down attack paths before they are used. This knowledge helps reduce risk and the overall available attack surface.
In addition to early lateral movement detection, defenders also uniquely gain visibility into the attacker’s tools, the use of malicious software, and the ability to quickly quarantine infected systems. Additionally, because deception can direct activities into the deception environment, teams can also safely study the attack and gather indicators of compromise (IOCs), forensics, and Tactics, Techniques, and Procedures (TTPs), along with company-specific threat intelligence.
There is really no other security control quite like cyber deception for reducing the risk associated with endpoints. Detections are early and accurate, forensic evidence substantiates alerts, and as a result the technology is making a material impact on reducing the time an attack goes undetected after initial compromise. It is also straightforward to deploy and manage for organizations of all sizes.
Carolyn Crandall is the Chief Deception Officer and Chief Marketing Officer at Attivo Networks. A technology-marketing executive with over 25 years of experience in building emerging technology markets in the security, networking, and storage industries, Carolyn has a demonstrated track record of successfully taking companies from pre-IPO through to multibillion-dollar sales, and has previously held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate.
CISO MAG did not evaluate the advertised/mentioned product, service, or company, nor does it endorse any of the claims made by the advertisement/writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.