Today’s defenders can have reams of information and log data available to them, with databases chronicling known threats and attack patterns. Unfortunately, the information available in these databases is most effective against documented threats or those with extremely well-established baselines. If an attacker does something different — especially when targeting a specific company, segment, or vertical—the information in these databases is often no longer sufficient or reliable.
By Carolyn Crandall, Chief Deception Officer and CMO at Attivo Networks
The sheer volume of available attack data can also be daunting, and while some may believe that more data is better, the truth is that concise and precise information is what is really needed. Swiftly gathering and correlating company-centric threat intelligence has become an increasingly important aspect of cybersecurity and can make the difference between a small, contained infection and a full outbreak or breach.
Putting Defenders in a Position to Gather Better Intelligence
When it comes to collecting highly specific adversary intelligence, deception technology has proven to be a pivotal asset to companies seeking to stop, eradicate, and prevent the successful return of attackers. Whereas most security tools are designed simply to deflect an attack, deception technology redirects attackers to decoys, where they believe they are still attacking a production system or advancing their attack with stolen credentials or other bait. Defenders can then observe the attacker's movement through the deception environment, gathering information on their tactics, tools, and strategies. Decoy documents used for counterintelligence can reveal what an attacker is actually after. This enhanced visibility gives security teams unique insight into the attacker's intent and approach, specific to the network they are attempting to infiltrate, accelerating investigations and analysis and ultimately decreasing the organization's risk of future compromise and data loss.
Look at it this way: if you simply deflect the attack, you will never learn anything about how it behaves or how to truly stop it. If attackers encounter security tools designed only to remove them from the network, they can (and likely will) simply come back, and with each subsequent attempt they will gain new intelligence on their target. Attackers can be very patient, gathering information over a long period as they acquire a fuller picture of the network and learn to circumvent its defenses. Tools like deception technology flip the script, alerting defenders to the presence of an attacker while enabling them to gather adversary intelligence, rather than the other way around.
Combining the General and the Specific to Visualize the Complete Threat Landscape
Gathering adversary intelligence is a central activity in everything from sports to law enforcement. Most companies seek to gain intelligence by subscribing to threat intelligence feeds, which pull data from threat intelligence vendors who share it with subscribers. By the time such information reaches subscribers, vendor signatures and software patches have often already incorporated it. It is often not specific enough, and attempts to pattern-match against it can produce a flood of threat information that is difficult to sift through. In contrast, the information provided by deception technology offers live insight into what is actually happening inside a company's network. With cyber deception, businesses receive up-to-date, relevant indicators of compromise (IoCs) as well as the adversary's tactics, techniques, and procedures (TTPs). With this information, they can defend against current and future attacks quickly and with a high degree of accuracy.
This level of specificity augments the more general public threat databases, to which the organization can append its self-generated adversary intelligence. Organizations capable of this level of intelligence gathering can create precise attack profiles unique to a given attacker, resulting in extensive information that provides insight into attack methods and prevention options. Concise, accurate, and highly specific information allows organizations to determine more quickly what actions they need to take. It can also be fed automatically into other systems, which saves both the time and the resources required for incident response and refined threat hunting.
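The two passages above describe the mechanism in the abstract: bait credentials that no legitimate user ever touches, observation of whoever uses them, and an indicator record precise enough to feed automatically into other systems. The following is an added illustration of that loop in code; it is not Attivo's product code or anything from the original article. The decoy account names, the syslog-style authentication lines and the field layout are all constructed for the example, and the exported record merely follows the STIX 2.1 indicator-pattern style rather than any particular vendor's schema.

```python
"""Honeytoken credential detection.

Any authentication attempt against a decoy account is attacker activity by
definition (nobody legitimate knows those credentials), so the alert is
high-fidelity and can be turned directly into an indicator for other tools.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Decoy accounts seeded into the environment (hypothetical names chosen for
# this example). They exist only to be found and used by an intruder.
DECOY_ACCOUNTS = {"svc_backup_admin", "da_legacy", "sql_replication"}

# Constructed authentication log lines for the example (not real data).
# The last decoy login "succeeds" because a deception environment lets the
# attacker in so that their next moves can be observed.
SAMPLE_LOG = """\
2024-03-04T02:11:07Z dc01 auth: user=jsmith src=10.20.4.15 result=success
2024-03-04T02:11:52Z dc01 auth: user=svc_backup_admin src=10.20.9.77 result=failure
2024-03-04T02:12:03Z dc01 auth: user=svc_backup_admin src=10.20.9.77 result=success
2024-03-04T02:12:40Z fs02 auth: user=da_legacy src=10.20.9.77 result=failure
2024-03-04T02:13:01Z dc01 auth: user=mlee src=10.20.4.21 result=success
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Indicator:
    """One record per source address that touched any decoy account."""
    src_ip: str
    first_seen: str
    last_seen: str
    decoy_accounts: tuple[str, ...]
    hosts: tuple[str, ...]
    attempts: int
    successes: int


def parse_line(line: str) -> dict[str, str] | None:
    """Parse one log line into fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(log_text: str) -> list[Indicator]:
    """Scan the log and aggregate decoy-account activity by source IP.

    Timestamps are ISO-8601 UTC strings of identical shape, so min()/max()
    on them give chronological order without parsing.
    """
    by_src: dict[str, dict] = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in DECOY_ACCOUNTS:
            continue
        agg = by_src.setdefault(
            ev["src"],
            {"ts": [], "accounts": set(), "hosts": set(), "attempts": 0, "successes": 0},
        )
        agg["ts"].append(ev["ts"])
        agg["accounts"].add(ev["user"])
        agg["hosts"].add(ev["host"])
        agg["attempts"] += 1
        if ev["result"] == "success":
            agg["successes"] += 1

    indicators = [
        Indicator(
            src_ip=src,
            first_seen=min(agg["ts"]),
            last_seen=max(agg["ts"]),
            decoy_accounts=tuple(sorted(agg["accounts"])),
            hosts=tuple(sorted(agg["hosts"])),
            attempts=agg["attempts"],
            successes=agg["successes"],
        )
        for src, agg in by_src.items()
    ]
    return sorted(indicators, key=lambda i: i.first_seen)


def to_stix_style(ind: Indicator) -> dict:
    """Export in a STIX 2.1-like indicator shape for a SIEM or blocklist feed.

    Only the `pattern` syntax follows STIX; the x_ fields are custom.
    """
    return {
        "type": "indicator",
        "pattern_type": "stix",
        "pattern": f"[ipv4-addr:value = '{ind.src_ip}']",
        "valid_from": ind.first_seen,
        "labels": ["honeytoken-use"],
        "x_decoy_accounts": list(ind.decoy_accounts),
        "x_hosts": list(ind.hosts),
        "x_attempts": ind.attempts,
        "x_successes": ind.successes,
    }


if __name__ == "__main__":
    for ind in detect_decoy_use(SAMPLE_LOG):
        print(to_stix_style(ind))
```

The aggregation deliberately keys on the source address rather than on each individual line: one record per intruder, with first and last sighting, which accounts and hosts were touched and how many attempts succeeded, is what an analyst wants to hand to a blocklist or a hunting query, whereas four raw alerts for the same actor are the kind of noise the article argues against.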
Valuable Adversary Intelligence Can Emerge Even in Simulations
Cyber deception can provide insights into security exposures during security risk assessments and in preparation for compliance audits. With Red Teams acting as proxies for attackers and Blue Teams using deception, the defenders can log the Red Team's movements as they would in a real attack, tracking its path through the network and identifying potential vulnerabilities. These exercises can also demonstrate the network's resiliency and confirm that controls are working as they should. Deception holds an impressive track record of cases where Red Teams believed they had fully compromised a network's Active Directory or other assets, only to learn after the exercise was over that they had been in a deception environment the entire time.
Armed with company-specific attack data, defenders can quickly assemble actionable response plans. Additionally, by using deception technology's unique ability to collect in-depth information about attack patterns and escalation, they can build a powerful active defense, fortify existing defenses, and identify and stop attacks early in the attack lifecycle.
Putting That Adversary Intelligence to Use
Gaining more specific insight into how an adversary attacks within their particular network arms defenders with the information they need to protect themselves more effectively and gain insights across a wide variety of attack vectors and surfaces. By placing added focus on internal visibility — which, by design, prevention controls lack — defenders can better identify the specific tactics that attackers are deploying against their network and gather valuable information on the attacker’s entry point, IoCs, and potential targets.
Although removing the attacker from the network is pivotal to security, savvy companies are adding depth to their security programs by gathering adversary intelligence. Such information provides not only a safety net for detecting in-network attackers, but also the critical insight needed to understand which controls attackers bypassed and how. No cybersecurity technology is a silver bullet; comprehensive security requires layers of defense with multiple solutions working together. Deception's ability to make life harder for attackers, however, makes it a unique and indispensable tool for defenders.
About the Author
Carolyn Crandall holds the roles of Chief Deception Officer and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate. Crandall has received many industry recognitions including Top 25 Women in Cybersecurity 2019 by Cyber Defense Magazine, Reboot Leadership Honoree (CIO/C-Suite) 2018 by SC Media, Marketing Hall of Femme Honoree 2018 by DMN, Business Woman of the Year 2018 by CEO Today Magazine, Cyber Security Marketer of the Year 2020 by CyberDojo (RSA), and for 9 years a Power Woman by Everything Channel (CRN).
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.