Written by: Carolyn Crandall, CMO & Chief Deception Officer

Most companies have invested heavily in perimeter defenses, but a gap in detection remains, and that gap leaves them exposed to attack. Monitoring the internal network is still a difficult task, and while there are many ways to tackle it, most involve resource-intensive solutions. Whether it is monitoring all internal network traffic for anomalies, deploying internal IDS sensors and hoping for signature alerts, or using analytics to identify bad actors, most solutions require significant time, effort, and resources to implement, tune, and maintain, with no guarantee of accurate alerting free of false positives. A different approach is needed, and this is where organizations are turning to deception technology.
Modern deception technologies can stand guard over internal networks with low noise, low effort, and low maintenance. While this is an emerging market, the technology rests on a principle that goes back hundreds of years: deceive the attacker to give yourself an advantage. By deploying decoys throughout the internal network, organizations can detect bad actors that have breached the perimeter and are moving around inside the environment. While attacks differ, all attackers follow an intrusion “kill chain” that runs from reconnaissance to actions on the objective. Because a decoy serves no production purpose, any interaction with it is suspicious by definition: decoys silently detect such actions and alert the organization’s security team to the attacker’s presence, all the while delaying or diverting the attacker from actual production assets. Attivo Networks has real-world customer examples of intrusions that were detected ONLY by Attivo Networks deception technology.
Recently, an Attivo Networks customer reached out to support regarding alerts on their BOTsink dashboards. Their small IT staff needed a way to efficiently detect threats on their internal network and had chosen the Attivo Networks BOTsink to give them that capability. Attivo engineers immediately identified four separate alerts that indicated multiple system compromises. The activities included network reconnaissance, attempts to access the Veritas Backup services, attempted SMB share access using a compromised network login, and attempted access to default Windows shares. The reconnaissance used system names internal to the organization, which suggests the attackers were leveraging information gathered during earlier activity.
These activities were missed by all of the customer’s other internal detection systems. Only the Attivo Networks BOTsink solution captured the activity and provided records of the malicious actions, PCAPs, and all other relevant information the organization needed to investigate. This is an example of how attackers can dwell inside a network for long periods without being discovered, and can use knowledge gained from previous attacks to target specific systems or services within the network. That level of inside knowledge highlights the difficulties of internal threat detection, from staffing and resources to proper configuration. Had the attackers gone undetected, the attack was headed for a full breach, with the potential for extensive impact to the organization.
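To make the decoy principle above concrete, here is an added example (my own code, not Attivo’s product or the BOTsink alert format) that triages constructed interaction records from a hypothetical decoy file server and labels them with the same four activity types seen in this case: port reconnaissance, a login with a credential the decoy never issued, default Windows share access, and other share access. The log layout, the scan threshold, and the host names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log from a hypothetical decoy host; the record layout
# (timestamp source port event detail) is an assumption, not a product format.
SAMPLE_LOG = """\
2019-03-01T02:11:05 10.0.5.23 445 connect -
2019-03-01T02:11:05 10.0.5.23 139 connect -
2019-03-01T02:11:06 10.0.5.23 135 connect -
2019-03-01T02:11:06 10.0.5.23 3389 connect -
2019-03-01T02:11:06 10.0.5.23 22 connect -
2019-03-01T02:14:40 10.0.5.23 445 smb_auth corp\\backupsvc
2019-03-01T02:14:41 10.0.5.23 445 smb_tree ADMIN$
2019-03-01T02:14:42 10.0.5.23 445 smb_tree C$
2019-03-01T03:02:10 10.0.7.9 445 smb_tree Finance
"""

DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$"}  # default Windows administrative shares
SCAN_PORTS = 5      # distinct decoy ports from one source within the window (assumed)
SCAN_WINDOW = 60    # seconds

def parse(log):
    """Turn raw lines into (time, src, port, event, detail) tuples."""
    out = []
    for line in log.splitlines():
        ts, src, port, event, detail = line.split(maxsplit=4)
        out.append((datetime.fromisoformat(ts), src, int(port), event, detail))
    return out

def triage(log):
    """Map each source host to the actions it performed against the decoy.

    A decoy has no legitimate users, so a source appears in the result as soon as
    it touches the decoy at all; the labels only add kill-chain context for the analyst."""
    alerts = defaultdict(list)
    recent = defaultdict(deque)   # src -> (time, port) connects inside the window
    for ts, src, port, event, detail in sorted(parse(log)):
        if event == "connect":
            w = recent[src]
            w.append((ts, port))
            while (ts - w[0][0]).total_seconds() > SCAN_WINDOW:
                w.popleft()
            if len({p for _, p in w}) >= SCAN_PORTS and "reconnaissance" not in alerts[src]:
                alerts[src].append("reconnaissance")
        elif event == "smb_auth":   # nobody is issued credentials for a decoy
            alerts[src].append(f"compromised credential: {detail}")
        elif event == "smb_tree":
            kind = "default share" if detail in DEFAULT_SHARES else "share"
            alerts[src].append(f"{kind} access: {detail}")
    return dict(alerts)
```

Running `triage(SAMPLE_LOG)` attributes reconnaissance, a stolen-credential login, and two default-share accesses to 10.0.5.23, and a single share access to 10.0.7.9, which is the kind of low-noise, per-host picture a decoy gives an analyst without inspecting production traffic.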
Although the attackers’ specific goal remains unknown, the fact that they conducted extensive reconnaissance and targeted specific services points to prior knowledge of the network. Despite what appears to be multiple penetrations of the security defenses, Attivo was the only system on the network that detected the reconnaissance activity and alerted the organization to the fact that attackers were inside.
Score one for the good guys.