High-interaction Decoys and Deception Techniques Misdirect and Automate Quarantine of Attackers
FREMONT, CA – May 15, 2017 – Attivo Networks®, the award-winning leader in deception for cybersecurity defense, challenged not only healthcare, but all industries to take immediate steps in the wake of Friday’s global ransomware attacks. “It’s not only the sheer magnitude of the attacks, but also that hackers are now crossing ethical boundaries,” says Tushar Kothari, CEO of Attivo Networks. “Friday’s attacks signify a change in ransomware attacks from holding files hostage to creating situations that impact human safety.”
WannaCry ransomware hit globally and has been referred to as a weapon of mass destruction based on its ability to spread like wildfire once it has gained access to unpatched computers. The impact has been significant, with targets spanning the financial, energy, transportation, and government sectors as well as hospitals. In Britain, attacks not only blocked doctors’ access to patient files, but also forced emergency rooms to divert people seeking urgent care.
The malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was supposedly identified by the National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet. Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries with Russia, Ukraine and Taiwan the top targets.
“There are solutions in the marketplace today that can isolate ransomware immediately upon an attacker’s attempted access to networked drives or their in-network lateral movement,” Kothari adds. “Deception technology, for example, sets up a system of lures and decoys that draws attackers to an engagement server that raises an alert on the attack and automates the containment of the infected system.”
The Attivo Networks solution for ransomware starts by providing a “motion sensor” that alerts the organization to an attacker that tries to encrypt the decoy drive or exploit a Windows SMB vulnerability. The decoy drives are set up as networked drives and designed with high-interaction technology and lures to attract the attacker to engage with the deception asset instead of production drives. What makes this solution unique is its ability to slow down and block the ransomware by tricking the attacker into believing it is succeeding when, in reality, its attention is being occupied by the deception technology. Capturing the attention of the ransomware gives security organizations the much-needed time-to-respond advantage to quarantine the infected system from the network and prevent further infections. Third-party integrations with current security infrastructure can also be set up for automated quarantine and isolation of an infected system. This time-to-respond advantage can make the critical difference between the loss of a single system and a widespread outage.
Another important differentiator of this technology is that the solution does not depend upon signatures, so the decoys are accurate and effective regardless of the variant of ransomware (WannaCry, WannaCrypt0r, WannaCrypt, WCry, Wana Decrypt0r, or other ransomware strains). Technology that is based on signatures or pattern matching can often miss new strains of ransomware, and its alerts are often lost because they look benign and are buried in streams of log data.
“We have many customers that have seen the benefit of using deception as an in-network detection security control,” Kothari concludes. “Regardless of the threat vector of the attack, organizations using deception technology are efficiently and accurately alerted to infections in their networks and are given the tools to quickly respond. Ransomware attacks can be exceptionally destructive, but they don’t have to be, when the right early detection tools are deployed.”
The Attivo advanced ransomware detection solution that added high-interaction engagement techniques was announced as part of its 4.0 release and was made generally available in April of 2017. For more information please see our blog and solutions.
About Attivo Networks
Attivo Networks® is the leader in deception technology for real-time detection, analysis, and accelerated response to advanced, credential, insider, and ransomware cyber-attacks. The Attivo Deception and Response Platform accurately detects advanced in-network threats and provides scalable continuous threat management for user networks, data centers, cloud, IoT, ICS-SCADA, and POS environments. Attivo Camouflage dynamic deception techniques and decoys set high-interaction traps to efficiently lure attackers into revealing themselves. Advanced attack analysis and lateral movement tracking are auto-correlated for evidence-based alerts, forensic reporting, and automatic blocking and quarantine of attacks. For more information visit www.attivonetworks.com