Written by: Carolyn Crandall, Chief Deception Officer and CMO – I recently read the Gartner guidance document on being resilient to prepare for cyber risk following COVID 19. I thought it would be interesting to look at their guidance and to see how using Attivo deception technology can help. Gartner has the original document at the below link, noting that the full report will require a subscriber log in.
The document suggests that security and risk management leaders take preemptive steps to ensure the resiliency and security of their organization’s operations and that they seek out proactive ways to stop attackers from exploiting human nature and nonstandard operating modes. There are many interesting things to dive into, but for this blog, I will focus on how cyber deception can help defenders combat these risks.
Activity: Tracking of Orphaned Credentials and Privileged Accounts
Audit and, where required, delete any orphaned privileged accounts. Where possible, suspend any privileged user accounts that are not directly related to mission-critical systems.
Attivo Security Tip
Traditional security tools do not show where orphaned credentials may still exist. This lack of visibility creates increased risk, which is compounded in a time where there may be increased employees and supplier transition and delayed communications on turning off access.
The Attivo Endpoint Detection Net (EDN) suite of products includes the ability to manage and reduce the attack surface risk by finding and remediating stored, exposed, or orphaned credentials at each endpoint. The solution displays these as connections on a visual diagram or table form that provides an easy interface to search and filter for specific credentials. Organizations can define critical paths to identify during their evaluation. These critical paths highlight high-value assets that attackers can move to laterally and provides the organization with the information needed to remediate the exposure automatically. The solution also presents a summary of misconfigurations, credential-based vulnerabilities, a risk score to evaluate the current status, and any exposed attack paths by severity.
Activity: Data Loss Tracking
Wherever possible, leverage data-loss-prevention capabilities, such as Microsoft InTune (for Microsoft Office 365-hosted information repositories), to prevent users from saving sensitive corporate information onto personal devices or printing to home printers.
Attivo Security Tip
Data loss prevention is a critical component of preventing data theft. However, it does not always provide the visibility into attacker intent or who has opened the document. For this reason, organizations should consider adding data loss tracking to their DLP programs.
The Attivo ThreatDefend® platform includes a function for data loss tracking called DecoyDocs. These decoy files contain a “phone home” function that sends out a signal whenever anyone opens them, whether inside the network or outside of it. If the endpoint is inside the network, the beacon contains all available host information, including hostname, IP address, logged in user, and much more. For an endpoint outside of the network, the DecoyDoc sends the external IP address and geolocation of each system that opens it. This function gives security teams not only notification of successful exfiltration but also information and insight into what types of data the attackers are targeting so they can adjust their security controls appropriately.
Activity: Remote Access / VPN Security
Confirm with I&O teams that all remote access infrastructure (such as VPNs) are tested and have the latest vendor and security patches in place. Also, ensure that these capabilities are load tested to ensure all those working remotely can connect and that their connections are stable. Enable split tunnel configurations to minimize backhaul traffic.
Attivo Security Tip
With many workers now remote and more traffic coming into and out of the VPN segments, organizations must consider that existing security controls may no longer suffice. As organizations change their remote access programs and increase their use of split-tunneling VPNs to keep business traffic separate from personal traffic, they will face new security challenges. The change in traffic patterns renders any network baselines obsolete, making identifying suspicious behavior such as network discovery and AD reconnaissance difficult. Since more traffic now comes into the organization from the VPN segment, existing communications patterns no longer apply. Beyond the VPN infrastructure, organizations must also consider cloud and SaaS accounts, since remote workers will be leveraging these as well.
The Attivo ThreatDefend® platform reduces remote worker risks related to VPN and AD reconnaissance, providing proactive threat detection with decoy VPN credential bait and cloud and SaaS credential monitoring. The solution gives rapid detection of attackers attempting network discovery within the VPN subnet. It can create VPN credential and concentrator decoys to detect attacks targeting the VPN infrastructure. These decoys engage the attacker while providing high-fidelity alerts and recordings of their activity for faster investigation and response. Given that all detections originate from direct engagement, each alert represents confirmed malicious activity, a policy violation, or a configuration issue (such as misconfigured cloud storage buckets).
With this solution, security teams can monitor for the use of disabled SAAS accounts and services, unauthorized attempts to access the VPN, as well as unauthorized queries to Active Directory that indicate attacker attempts to escalate privileges and identify critical targets. The platform can create detection campaigns that reference cloud administration activities and alerts if a remote worker or supplier’s endpoint attempts to gain administrative access to cloud resources, thus protecting the business’ VPN infrastructure.
Activity: Privileged Account Protection
Where possible, leverage privileged session management (PSM) capabilities to monitor (and manage, as necessary) any user activity involving escalations to access permissions. Pay particular attention to privileged account sessions to determine if there are any unaccounted-for deviations in usual privileged account sessions and privileged account user activity.
Attivo Security Tip
Active Directory is challenging to protect because it must communicate with all member systems to operate correctly. As such, any member system can query the AD controller, and it will respond with results. Most AD security practices revolve around proper policy enforcement, server hardening, limits to the number of privileged accounts, and other such actions. Still, there is very little that traditional security controls can do to prevent an attacker from pulling AD data. As part of the EDN suite, the ADSecure solution sits on the endpoint and identifies unauthorized queries to Active Directory, regardless of the tool the attacker uses. Not only does the ADSecure solution alert on the illicit queries, but it also misinforms and misdirects the attacker by returning fake AD results that lead the attacker to network decoys for engagement. Attackers often use tools like Bloodhound that create user and privilege maps that can get them administrator access. Even those get fooled such that they map user groups and privileges to bogus accounts that exist only within the decoy environment. ADSecure is unique in its ability to defend the AD environment without requiring any modifications to any AD controller operations or data.
Activity: Protecting High-Value Assets
For a security technology or application or service that is part of your organization’s primary detection or response strategy for crown jewels or business-critical assets:
- Identify potential replacement products and from where to acquire them.
- Work with your colleagues in procurement and I&O to develop a high-level acquisition and implementation plan for that product if your current provider falls over.
Attivo Security Tip
When adopting security controls to protect business-critical assets, one should consider overlapping controls that exist at multiple levels of the organization.
The Attivo ThreatDefend platform creates a deception fabric around an organization’s crown jewels that identifies lateral movement attempts before they reach critical assets and data. By creating and deploying network, endpoint, application, and data decoys and deceptions, the platform creates a digital minefield that challenges attackers to bypass while remaining undetected. An organization can deploy full OS virtual machine network decoys around critical servers and assets that look identical on the network but contain fake data.
Because these decoys have no production value, any interaction is immediately suspicious. By focusing on full OS decoys that an organization can customize to look precisely like other critical servers, the ThreatDefend platform deception hides the server “needle” in a “haystack” of fake systems. Attackers attempting to find the critical assets on the network won’t be able to discern the real systems from the decoys and must interact with them in some way to identify the systems they want. This very interaction alerts the security teams to their presence.
Additionally, the decoy systems help identify attacker network discovery activities such as ping sweeps and port scans, as well as Man-in-the-Middle credential theft, especially on VLANs that house critical assets. These activities are hard to identify since pings are part of typical network noise, and one must be on the same segment as a MitM attack to detect it. Cyber deception gives this level of visibility and awareness with accuracy and fidelity into network-based attacks that evade detection from other security controls.
Activity: Asset Management and Detection
Attackers are prepared to target organizations across all industry sectors in a bidirectional cyber-physical mode, including those that are in the front line in the fight against the coronavirus. Some of their recommendations include:
- Prioritizing asset discovery, inventory, and network topology mapping.
- Evaluating the risk of fixing a vulnerability against the risk, likelihood, and impact of an attack
- Focusing on endpoint hardening and open port restrictions.
- Understand and map out remote operations, connections, vulnerabilities, audit trails and password vaults, and valid credentials for unauthorized use
Attivo Security Tip
Organizations need to look closely at their current security stack to understand how well they can inventory and track assets and quickly detect intrusions. They should also use security frameworks (NIST, ISO, etc.) and the MITRE ATT&CK framework to assess where security gaps and holes are. Environments will be dynamic, and it is a best practice to have a detection safety net that can comprehensively detect attacks that have compromised across all attack surfaces or various attack vectors.
The Attivo ThreatDefend platform offers several features that assist in asset discovery as well as defend IT, OT, and IoT devices on the networks. The platform provides visibility into network activities on broadcast and multicast domains and logs all systems on all VLANs it can see. It then creates a visual map and table for every endpoint that communicates on the network to assist in asset inventory. The EDN suite identifies misconfigurations and credential exposures for organizations to proactively remediate to reduce the attack surface. The EDN suite’s deflect function alerts on port scans and can redirect scans that touch on closed ports to open ports on decoys for engagement, making every endpoint part of the deception fabric. These features not only harden endpoints from credential vulnerabilities but also from open port discovery attempts, disguising what they look like from the attacker’s probes.
The BOTsink deception server offers many different types of network decoys that can deploy anywhere within the enterprise network. The server can create decoys for virtually any system in the environment, whether endpoint, router, switch, VOIP device, IoT devices, medical IoT device, SCADA HMI, or many other IT and OT systems. Beyond these decoys, the BOTsink can import custom or golden images to use as decoys, making it the most flexible deception solution available.
During post COVID times, organizations will need to be prudent in their investments. However, they must still find ways to reduce gaps and risk by activating features on their existing solutions and by giving priority investment to new technologies that complement their current security stack. Ideally, their solutions of choice will integrate for improved efficiencies, automation, and faster response. Attivo Networks can help with the challenges of today as well as how to scale where the attack surface is continually evolving, and threats are getting progressively more aggressive and destructive.
We welcome you to schedule a briefing with one of our security experts so that we can help you address critical security challenges while reducing risk and operation costs.
I also encourage you to read the paper “9 NOTABLE 2020 CISO CHALLENGES – ARE THEY THE SAME AS YOURS?” for additional insights.