Written by: Kevin Hiltpold, CISSP, Federal Sr. Solutions Engineer

Trust is an integral component of expected outcomes. Employers trust employees to be productive when working from home, countries trust other countries to honor treaties, and people in a relationship work to regain trust after a betrayal. Companies spend significant resources training users on which e-mails to trust because cyber attackers instill doubt with their phishing tactics. But the ones who seem to have no trust issues are the cyber attackers themselves, especially when it comes to their tool sets.
Why should attackers have any reason to doubt their tools? When an attacker compromises an endpoint, every piece of information they gather during the reconnaissance phase is 100 percent true.
Should it be this way? No. Can this be changed? ABSOLUTELY!
I recently helped a Department of Defense blue team detect, deter, and redirect their red team adversaries. For those of us who have been on the blue team side of red team exercises, the out-briefs are rarely fun. Red teams, and the cyber attackers they emulate, expect to win, since they are taking a test with the answer sheet in hand. On this occasion, however, they failed the test because they had the wrong answers. In the out-brief the red team proudly and confidently declared that they owned the domain, that the domain controllers were Alpha and Beta, and that they had achieved persistent domain dominance.
But in response, the blue team informed the red team that they were wrong. The true domain controllers in the environment were Charlie and Delta. In effect, the red team had just spent hours attacking a deceptive domain that their tools saw as real, revealing their tactics, techniques, and procedures (TTPs) in the process.
The red team leader insisted this was not possible. They always work with the truth, especially with Active Directory. The blue team then explained the capabilities provided by the Attivo Networks Endpoint Detection Net (EDN) Suite. The red team leader’s response?
“Well now I feel lied to.” The trust in their own tools was now in question.
When a company applies the unofficial Marine Corps motto “Improvise, Adapt, Overcome” to methods for detecting and protecting against lateral movement, the result is innovative and revolutionary technology.
Attivo has announced revolutionary credential protection technology in the fight against cyber attackers. The EDN ThreatStrike solution’s new capability hides saved credentials from unauthorized applications and denies them access, allowing only the legitimate application to read its own saved credentials. At launch, 75 of the most critical applications are supported, with planned additions in the near future. Protected applications can be managed individually or by group, such as VPN clients, messaging, Windows credentials, cloud applications, and memory-dump tools.
Now with the solution’s credential protection, the attacker’s tools are denied real credential access and only collect misinformation that channels the attackers to threat intelligence-gathering network decoys.
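The two ideas in the paragraphs above, an allow-list that decides which process may read an application’s saved credentials and decoy credentials handed to everything else so that any later use of a decoy is a high-fidelity alert, can be sketched in a few lines. The following is an added illustration written for this article, not Attivo’s code or the EDN ThreatStrike implementation; the allow-list, the credential values, and the log format are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholder secrets; no real credentials appear here.
REAL_CREDENTIALS = {
    "vpn": ("svc_vpn", "REAL-SECRET-PLACEHOLDER"),
    "messaging": ("svc_chat", "REAL-SECRET-PLACEHOLDER-2"),
}
# Decoy credentials: valid-looking, but they only work on the decoy network.
DECOY_CREDENTIALS = {
    "vpn": ("svc_vpn_backup", "DECOY-SECRET-PLACEHOLDER"),
    "messaging": ("svc_chat_admin", "DECOY-SECRET-PLACEHOLDER-2"),
}
# Hypothetical allow-list: credential category -> processes permitted to read it.
ALLOWED_READERS = {
    "vpn": {"vpnclient.exe"},
    "messaging": {"chatclient.exe"},
}


@dataclass
class CredentialBroker:
    """Mediates every read of a saved credential.

    The legitimate application gets the real secret; any other reader
    (a dump tool, a renamed copy of a known tool, a script) gets a decoy
    and the attempt is recorded as a detection event.
    """
    events: list = field(default_factory=list)

    def request(self, category: str, requesting_process: str):
        allowed = requesting_process in ALLOWED_READERS.get(category, set())
        if allowed:
            self.events.append(("allow", category, requesting_process))
            return REAL_CREDENTIALS[category]
        # Deny the real secret but do not fail loudly: feed misinformation.
        self.events.append(("deceive", category, requesting_process))
        return DECOY_CREDENTIALS[category]

    def suspicious_readers(self):
        """Processes that tried to read credentials they are not allowed to."""
        return sorted({proc for kind, _, proc in self.events if kind == "deceive"})


# Constructed authentication log format: user=<name> src=<ip> result=<ok|fail>
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)")
DECOY_USERS = {user for user, _ in DECOY_CREDENTIALS.values()}


def find_decoy_use(log_lines):
    """Return (user, src) for every authentication attempt with a decoy account.

    No legitimate process ever holds a decoy credential, so any attempt,
    successful or not, is an attacker replaying what the broker fed them.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("user") in DECOY_USERS:
            hits.append((m.group("user"), m.group("src")))
    return hits


# Constructed sample auth log lines for the detection step.
SAMPLE_AUTH_LOG = [
    "2021-03-01T10:00:01Z user=svc_vpn src=10.0.0.5 result=ok",
    "2021-03-01T10:02:17Z user=svc_vpn_backup src=10.0.0.77 result=fail",
    "2021-03-01T10:02:19Z user=svc_chat_admin src=10.0.0.77 result=ok",
]

if __name__ == "__main__":
    broker = CredentialBroker()
    print(broker.request("vpn", "vpnclient.exe"))   # real credential
    print(broker.request("vpn", "dumptool.exe"))    # decoy credential
    print(broker.suspicious_readers())
    print(find_decoy_use(SAMPLE_AUTH_LOG))
```

The detection side is the part worth copying: because a decoy account is never issued to a legitimate reader, a single authentication attempt with it, on the decoy network or anywhere else, is enough to open an investigation on the source host, which is how the misinformation reduces dwell time rather than merely wasting the attacker’s effort.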
Attackers are fully aware that Endpoint Detection and Response (EDR) solutions detect the default compilation of well-known attack tools, and that recompiling or customizing those tools evades signature-based static defenses. Luckily, cyber defenders are starting to understand that active defense is necessary for cyber resiliency, since static defenses are consistently bypassed.
The Maginot Line of World War II was probably the last time a military relied on a static defense to keep an attacking force out. This did not work out well for France, and the German Army used deception as part of its attack strategy. Fast forward to 2017: France had learned the value of deception and applied it in cyber defense to protect its elections from Russian interference.
Introducing doubt into a cyber attacker’s process does two very important things. It enables defenders to reduce dwell time, and it forces the attacker to pay the cost of wasted time. Attackers do not want to work hard; time is money for them too.