Written by: Tony Cole, Attivo Networks CTO – Over the years the tools, tactics, processes, and expertise has become readily available to organized crime through leaks, uncovered attack campaigns, moonlighting, and countless other routes. In other words, the lines have blurred between who is organized crime and who is a nation-state attacker, not to mention the false flag operations where one brand of attacker pretends to be another to redirect blame if uncovered. Most of these adversaries will only use tools they need to use to accomplish their objective, meaning that if they don’t need to use a secret new zero-day exploit to break into a systems and steal data, they’ll save it for a more difficult objective.
Most enterprises today have a pretty significant blind-spot in their cyber defenses. Once an adversary gets inside their wire and attempts to move laterally and escalate their privileges, the preventative tools that they have in place fail to provide them with the visibility and insight they need to adequately eradicate the threat actor and prevent further unwarranted compromises. While deceptive credentials throughout the network can be beneficial, this still can leave a significant lateral movement blind spot, the very thing Attivo Networks works to eliminate with a deceptive layer that blankets across the enterprise.
If you place Active Directory (AD) deceptive credentials in your system, you may catch an adversary inside the wire. Deploying deception only via credentials doesn’t give organizations a trap to catch the adversary. An authentic trap environment, which looks identical to your enterprise network, is key to eliminating holes in an organizations’ detection environment.
For example, an adversary breaks into your environment via a spear-phishing email. It’s something new and unique, and your preventative tools miss it. At this point, the attacker checks out the system they’re on and finds a deceptive Active Directory credential. They try to validate the credential in AD and find that it isn’t real. With basic deception technology, you may get an alert on this activity, but that’s all the information you are able to extract.
With a deceptive platform that uses deceptive credentials, lures, breadcrumbs, and network decoys, it’s a totally different scenario. That same attacker finds the AD deceptive credential, examines it and is led to a deceptive AD server. The adversary thinks they’re really in the AD and you’ve gotten not only an alarm, but the ability to gather adversary intelligence by being able to study their next moves as they look for new and interesting systems to compromise and plunder. In reality, they are in the decoys you planted that blend in seamlessly with your environment, and they can’t pivot back to your production systems. All the while, you’re collecting adversary intelligence, tracking their path through the deceptive systems, watching and understanding their use of tools, files, directories, exploits, and ultimately using this collected data to enhance your security posture.
What if that adversary intended to plant ransomware in enterprise servers? I would prefer they plant the ransomware in my decoys and not on the production assets, yet with credential only deception it WILL be on the production side and will quickly impact operations. To be effective, deception solutions need to provide alerts that are early and actionable. A comprehensive deception platform can provide deceptive credentials, mapped deceptive shares, lures, decoys, and decoy documents that will lead the adversary away from your production systems while alerting you of the threat. It also provides a deep integration with your existing cyber investments to allow for automated remediation through playbooks, orchestration, and many other types of tools, all while capturing the details of the attack and providing visibility into other attack paths.
Using deceptive credentials is good. However, when used alone, they can still leave you blind when someone is conducting a Man-In-The-Middle attack, a ransomware attack, or other network-based activity. The most critical component of a deception platform is its ability to look and feel like your real production environment. If you don’t have real decoys with real operating systems that allow you to import your own golden images, today’s sophisticated attacker will not be fooled. This is why Attivo Networks supports IoT, ICS, POS, medical devices, printers, and more out of the box. With the ThreatDefend™ platform, your deception environment will be indistinguishable from the real thing, giving your organization home field advantage against the wily, ever-evolving cyber-adversary, regardless of who they are or their intent.