Deception Technology for Active Defense: Changing the Game on Attackers
By: Carolyn Crandall, Chief Deception Officer, Attivo Networks
We live in an increasingly interconnected world and have created an on-demand society that expects instant access to information, along with the ability to conduct business at any place and at any time. New technologies that provide faster services and improved economics are appearing in new cloud architectures, and the Internet of Things (IoT) is growing at an unprecedented pace: IoT devices already outnumber the human population and will likely be in the operations of over 50 percent of companies in 2019. It’s an exciting time from a consumer perspective, as well as from a tech industry perspective. But with innovation come new challenges, particularly when it comes to security.
The threat landscape is changing as innovation outpaces traditional cybersecurity solutions, and attackers are proving they can easily bypass perimeter defenses. The fight against intruders is growing more sophisticated and has moved inside the network. Organizations without proactive, in-network security will find themselves unprepared to deal with adversaries who use advanced attack methods or who exploit weaknesses in human behavior.
Perimeter Security Is Important—But It Isn’t Enough
Explosive growth in the number of internet-connected devices has broadened the threat landscape, providing attackers with countless new devices and architectures to exploit. While it’s tempting to try to address this problem with advanced endpoint protection (EPP) and next-gen firewalls, significant risk remains if they are not coupled with detection controls to identify threats that have bypassed perimeter defenses or result from an insider or supplier who gains privileged access.
Organizations must adjust their security controls to address today’s advanced attacker and the evolution of attack surfaces. Deception is an approach that has been used for millennia in military, sports, and gambling to outmaneuver the adversary. Organizations are now rapidly deploying deception technology within cybersecurity as a valuable, proven solution that allows them to quickly and accurately detect in-network threats. This doesn’t mean that traditional cybersecurity tools should be discarded, but rather that they should be augmented with tools that provide early detection, reduce dwell time, and provide intelligence to better understand one’s attacker. Adding deception-based detection to the security stack also provides visibility into whether security tools are working reliably, as well as high-fidelity alerting when an attacker succeeds in bypassing them. A comprehensive deception solution that includes network, endpoint, application, Active Directory, and data deceptions can be extremely powerful in derailing attacks accurately and efficiently.
The unfortunate truth is that many organizations are strictly reactive to attacks, unable to gather threat or adversary intelligence to understand the attacker and prevent them from successfully spreading or returning. Deception technology addresses these issues by implementing an active defense strategy with wide-ranging impact.
Deception arms defenders with improved adversary intelligence
Put simply, deception technology provides better detection against better attackers, as well as the adversary intelligence required to respond to an attack, shut it down, and make sure it is eradicated and cannot successfully return.
One of the most valuable things that deception does is reduce dwell time, or the amount of time that an intruder spends inside the network before detection. This prevents the threat actor from camping in the network and reduces exposure. Additionally, once an attacker enters the deception environment, the system will track their movements, identify tactics, techniques, and procedures (TTPs), and gather indicators of compromise (IOCs), providing valuable threat and adversary intelligence.
Deception also provides visibility into exposed credentials, misconfigurations, and network device changes that create increased security risk. This allows for ongoing assessment of risk related to mistakes, policy violations, and unauthorized device access.
Outmaneuvering attackers with an active defense strategy
Any game of strategy requires both offensive and defensive strategies. Applying an active defense approach to cybersecurity is critical for outwitting today’s advanced attackers. Prevention devices like firewalls, IPS/IDS, or antivirus are passive and reactive. By contrast, deception technology deploys authentic and attractive decoy documents, traps, and lures to proactively misdirect and engage attackers. By applying a matrix of decoys mimicking servers, endpoints, applications, credentials, mapped shares, data, and other items that appear as desirable targets, the attackers will be attracted into investigating or engaging, and in doing so will reveal themselves. In this way, deception turns the tables on attackers by forcing them to be right 100 percent of the time as they move through the network, leveling the playing field.
The addition of deception increases the odds of an attacker making a mistake as they cannot tell real from fake—a strategy that will also increase their costs as they are forced to start over or seek easier targets. Increasing the complexity and cost of attack is a significant deterrent for attackers.
An Active Defense won’t stop at detection. Stopping an adversary is critical, but doing so without knowing where they started, how they are attacking, or what they are after will leave an organization ill-equipped to ensure the attack is eradicated and can’t successfully return. To achieve the value of an Active Defense, one must also be able to analyze attacks, run forensics, and be able to share information so that all security controls can work together in derailing any attack.
Deception-based Active Defense for Actionable and Confident Incident Response
An alert is not helpful when overlooked. Alert fatigue is a genuine problem for cybersecurity professionals who constantly find themselves frustrated from chasing down a barrage of false positives. Given that deception technology is engagement based, alerts are substantiated and actionable. These high-fidelity alerts are augmented with root cause information that includes forensics, threat intelligence, and correlation of relevant data.
In advanced platforms, native integrations facilitate information sharing and streamline incident response for automated blocking, isolation, and threat hunting, allowing security professionals to focus their efforts on only credible, verified threats or policy violations. The accuracy of these alerts, combined with automation, eliminates the need for incremental manpower or skills training. Organizations will now achieve not only confidence in their alerts but also more efficient and effective use of their existing cybersecurity personnel.
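The engagement-based alerting described above, as an added illustration that is not code from the article or from Attivo Networks: a small correlator that treats any use of a decoy account or any connection to a decoy host as a substantiated alert, groups alerts per source so responders get one case with first-seen time and observed tactics, and raises nothing for ordinary traffic. The decoy names, addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed decoy inventory; hypothetical names and addresses, not the article's.
DECOY_HOSTS = {"10.0.9.21": "decoy-fileshare", "10.0.9.22": "decoy-sql"}
DECOY_ACCOUNTS = {"svc_backup_legacy", "finance_admin_old"}

# Constructed key=value events standing in for authentication and network logs.
SAMPLE_LOGS = [
    "ts=1 type=auth src=10.0.1.5 user=alice dst=10.0.3.10 result=success",
    "ts=2 type=auth src=10.0.1.77 user=svc_backup_legacy dst=10.0.3.10 result=failure",
    "ts=3 type=conn src=10.0.1.77 dst=10.0.9.21 port=445",
    "ts=4 type=conn src=10.0.1.5 dst=10.0.3.10 port=443",
    "ts=5 type=auth src=10.0.1.77 user=svc_backup_legacy dst=10.0.9.22 result=success",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(FIELD.findall(line))

def classify(rec):
    """Return an alert if the event touches a decoy asset, else None.
    A decoy has no legitimate use, so every engagement, even a failed
    logon, is evidence of compromise rather than a false positive."""
    if rec.get("user") in DECOY_ACCOUNTS:
        tactic, decoy = "credential-access", rec["user"]
    elif rec.get("dst") in DECOY_HOSTS:
        tactic, decoy = "lateral-movement", DECOY_HOSTS[rec["dst"]]
    else:
        return None
    return {"ts": int(rec["ts"]), "src": rec["src"], "tactic": tactic,
            "decoy": decoy, "event": rec}

def correlate(lines):
    """Group decoy engagements by source host so responders get one case
    per attacker, with first-seen time (start of dwell) and observed tactics."""
    cases = defaultdict(lambda: {"first_seen": None, "tactics": set(), "alerts": []})
    for line in lines:
        alert = classify(parse(line))
        if alert is None:
            continue  # ordinary traffic never raises an alert
        case = cases[alert["src"]]
        if case["first_seen"] is None or alert["ts"] < case["first_seen"]:
            case["first_seen"] = alert["ts"]
        case["tactics"].add(alert["tactic"])
        case["alerts"].append(alert)
    return dict(cases)
```

Each case carries the raw events that triggered it, which is the root-cause context a responder needs before blocking or isolating the source.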
The Weakest Link May Be Within Your Supply Chain…