Written by Tony Cole, Attivo Networks CTO – There is a tremendous amount of history surrounding the world of espionage. Today most people think of movies like the James Bond series, which really ignites the imagination on espionage between nation-states. Even the old sitcom from the 60s’ called ‘Get Smart’ mocking the espionage movies had some spy items in the show that were pretty close to today’s reality of nation-state attacks. Although we often think most of the Hollywood gimmicks and tools used by 007 or Maxwell Smart are far-fetched, some really weren’t that far off the mark.
If you’re not aware, there is a museum in Washington, D.C. called the International Spy Museum that may definitely surprise you on what has been collected and now on exhibit from recent spy tradecraft and tools. Walking through that museum is a walk-through history and I learn something new each time I visit. There always seem to be new items that catch the eye.
Espionage has been around for many millennia. However, it was always in the physical realm prior to the Internet. During the past couple of decades, nations have watched each other’s work on building out connected infrastructure. It became apparent very quickly that many previous physical espionage efforts could now move online. The benefit? The cost and risks are much lower since the attacker doesn’t have to be in the country they are attacking. This means it’s also much cheaper to steal, manipulate, or destroy data online. They also have plausible deniability since it’s harder to prove who the culprit is online if, and only if, the victims can even detect they have been attacked.
How is this related to protecting your data from nation-state attacks?
If you go back to my opening comments and look at the Spy Museum in D.C. with real artifacts from spy cases, you’ll quickly note an ever-increasing sophistication in tradecraft and tools. Today, we see this same trend continue in the online world when nation-states attack nation-states. If you’ve built a system of static defenses, you’re likely already compromised and simply don’t know it. There are many studies, including the Ponemon Institute’s recent report that show the dwell time numbers of over 197 days and even then, 97 more days to contain the breach. This is a major problem since sophisticated adversaries can extract data in mere hours. This is often the result of CISOs having overconfidence in their existing security infrastructure. A good example is the new Endpoint Detection & Response (EDR) tool trends.
If you look at EDR, it’s a great concept. Secure the endpoint as much as possible, detect what you can’t stop, and build in response mechanisms. Are there gaps in existing solutions? Definitely. MITRE ATT&CK® recently ran their second set of tests on EDR tools, and although they didn’t report scores, anyone can compile them based on what they did and didn’t detect. It was clear there are significant gaps. We took the Attivo Endpoint Detection Net (EDN) tool and tested it with MITRE ATT&CK® DIY tool, taking a comprehensive look at what gaps we filled in the EDR tools. It was enlightening. There’s a great report from Dr. Ed Amoroso of Tag Cyber that gives more data on how EDN compliments EDR and why together they make your endpoints’ security much stronger.
So, what is EDN, and how does it protect you against nation-state attacks?
EDN strengthens endpoint defensive capabilities by detecting and alerting on attack tactics that attackers use once they manage to compromise a system to spread to other devices on the network.
Here are a few examples of what EDN can do to protect your organization against sophisticated nation-state attacks.
So, let’s say a system gets compromised, and EDR doesn’t report on it. The attacker queries Active Directory (A.D.) to get information on domain accounts and other high-value assets they are targeting. EDN protects you by providing fake A.D. query results to the attacker, thereby slowing his attack while reporting on the query to the SOC. As an optional component, you can also direct the attacker into a decoy environment.
Here’s another example. The attacker on that same compromised system steals a stored or in-memory credential to reuse on production assets. Those credentials (and other breadcrumbs) are deceptive and will trigger an alert and collect forensics on the attack.
One more example. That same compromised system has access to mapped shares on the endpoint. The attacker accesses them without knowing that EDN has placed decoy file shares for the attacker to find while hiding and denying access to sensitive files, folders, and cloud or network shares to prevent data compromise. Once again, this triggers an alert for the SOC while collecting forensics for later analysis.
One more way to counter adversaries is via EDN’s Deflect function. This feature detects and alerts on traffic that touches a protected endpoint and forwards any communications that hit closed ports to decoys with a corresponding open port and service. This is true denial and deceptive capabilities on your endpoints. It allows you to detect nation-state adversaries and move them into a decoy environment outside of production and under your security teams’ control where they can be analyzed and monitored.
So now you’re building a dynamic defensive structure that can be changed up frequently to counter sophisticated attacks from nation-states, all from EDN on the endpoint. Now you’re using real deceptive tradecraft to identify, deter, slow, and alert on attacks that otherwise would have evaded your existing security infrastructure, including EDR on the endpoint. It doesn’t matter if it’s organized criminals, nation-states, or malicious insiders, EDN will alert and help defend you. Denial and deception have been used in the physical world for a long time. Using it in your enterprise can help assure you that your high-value assets and data stays right where it belongs, inside your enterprise.