Authored by: Carolyn Crandall, Chief Deception Officer, Attivo Networks – One of the first games babies learn to play is peekaboo: the parent hides their face, and the baby is left wondering where they have gone. Not long afterward, children graduate to playing hide-and-seek, where finding a good place to hide can earn bragging rights for days. And of course, hiding Christmas presents from the sight and access of children is a time-honored tradition experienced every December. From almost the moment we are born, we have been taught the value of effective concealment.
With modern concealment technology, security teams throughout the world can do the same to attackers, sending them aimlessly looking under bushes and hunting through “empty” closets. Attackers are always working to infiltrate the network and poke around for valuables, and defenders are responsible for making sure they leave empty-handed. For cybersecurity professionals battling for data security and for the ultimate in hide-and-seek supremacy (aka data protection), one thing is clear: a good hiding place is essential, and effective concealment is critical.
The Need for Layered Defenses
There is no silver bullet in cybersecurity, and the cybersecurity industry widely accepts the need for a layered defense. Combining tools like endpoint protection platforms (EPPs), endpoint detection and response (EDR) technology, and deception technology produces compounding value, creating a much more vigorous defense than a single tool. A recent study demonstrated that merely adding deception technology to an EDR system can increase detection rates by an average of 42%, highlighting the combined value of these two essential pieces of technology.
EPP and EDR are both designed to detect threats early, with EPP identifying known threats and EDR detecting suspicious endpoint processes that might indicate the presence of an attacker. Both EPP and EDR identify specific types of threats, and they are great at it. Still, neither has the in-network detection capabilities of deception technology—because that’s not part of their design.
Given the evolution of advanced persistent threat (APT) tactics that today’s attackers are using, closing the detection gaps left by perimeter defenses is critical. Attackers are no longer content to steal or encrypt whatever data they quickly find. Ransomware 2.0, as it is now known, involves attackers conducting reconnaissance, moving laterally within the network to identify the most valuable (and vulnerable) assets before striking. Networks that lack in-network protections capable of detecting lateral movement are particularly vulnerable to this type of advanced attack, contributing heavily to its rise.
Concealment to the Rescue
So, what can defenders do? Like a parent hiding Christmas gifts, the answer is concealment. After all, an attacker can’t steal, encrypt, or destroy data they can’t find in the first place. The innovative DataCloak function of the Attivo Networks Endpoint Detection Net (EDN) prevents attackers from finding or accessing files, folders, mapped network and cloud shares, removable drives, and privileged Active Directory objects, effectively cutting intruders off from their most prized targets. By concealing the most high-value targets and peppering the network with fake data designed to alert defenders of the intruder’s presence and guide them into an isolated decoy environment, the solution prevents the intruder from escalating their attack.
Since the attacker is unaware that they have interacted with a decoy asset, they will continue attempting to carry out their attack within the deception environment. This activity provides defenders with the unique opportunity to capture the attacker’s indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs), producing valuable adversary intelligence that they can use to strengthen defenses in the future.
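The detection side of this idea, as an added illustration that is not Attivo’s code or format: a defender plants decoy files, records their paths, and treats any access to one of them by an account other than the agent that planted it as a high-fidelity alert, tagging the action with the objective it reveals and aggregating the resulting host/user pairs as IoCs. The audit-log format, decoy paths, account names, and action-to-TTP mapping are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory: planted paths keyed to the asset class they imitate.
DECOYS = {
    r"\\FS01\finance\payroll_2023.xlsx": "mapped share",
    r"\\FS01\backup\vault_keys.kdbx": "mapped share",
    r"C:\Users\admin\Documents\passwords.txt": "local file",
}
# Accounts expected to touch decoys legitimately (e.g. the agent that planted them).
ALLOWED_ACCOUNTS = {"svc_backup"}
# Constructed audit-line layout: "<ts> host=<h> user=<u> action=<a> path=<p>".
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"action=(?P<action>\S+) path=(?P<path>.+)$")
# Assumed mapping from file action to the attacker objective it most often reveals.
ACTION_TO_TTP = {"read": "discovery", "copy": "collection",
                 "write": "impact", "rename": "impact", "delete": "impact"}

@dataclass(frozen=True)
class Alert:
    ts: str; host: str; user: str; path: str; decoy_type: str; ttp: str

def parse_line(line):
    """Return the audit fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_decoy_access(lines):
    """One Alert per access to a planted decoy by a non-allowed account."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        decoy_type = DECOYS.get(ev["path"])
        if decoy_type is None or ev["user"] in ALLOWED_ACCOUNTS:
            continue  # real file, or the planting agent doing its job
        alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["path"],
                            decoy_type, ACTION_TO_TTP.get(ev["action"], "unknown")))
    return alerts

def summarize_iocs(alerts):
    """Aggregate alerts into {(host, user): {observed TTPs}} for the responder."""
    iocs = {}
    for a in alerts:
        iocs.setdefault((a.host, a.user), set()).add(a.ttp)
    return iocs

SAMPLE_LOG = [  # constructed events; the first touches a real file, the fourth is allowed
    r"2024-03-01T10:02:11Z host=WS-14 user=jdoe action=read path=\\FS01\finance\Q4_report.docx",
    r"2024-03-01T10:02:40Z host=WS-14 user=jdoe action=read path=\\FS01\finance\payroll_2023.xlsx",
    r"2024-03-01T10:03:05Z host=WS-14 user=jdoe action=copy path=\\FS01\backup\vault_keys.kdbx",
    r"2024-03-01T02:00:00Z host=FS01 user=svc_backup action=read path=\\FS01\backup\vault_keys.kdbx",
    r"2024-03-01T10:05:00Z host=WS-14 user=jdoe action=rename path=C:\Users\admin\Documents\passwords.txt",
]
```

Running `summarize_iocs(detect_decoy_access(SAMPLE_LOG))` yields a single host/user pair (WS-14, jdoe) with discovery, collection, and impact observed, which is exactly the IoC and TTP picture the decoy environment is meant to hand the defender.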
Lateral movement is the ransomware attacker’s bread and butter, and based on the sharp increase in ransomware attacks this year, it’s safe to say they have been eating well. EDN, with its DataCloak function, provides defenders the unique combination of increased in-network detection abilities capable of identifying lateral movement and hiding the information that attackers value the most. This technology represents a significant step forward for in-network defenses.
Stopping APTs with Effective Concealment
Ransomware attacks—particularly Ransomware 2.0 attacks—are notoriously difficult to stop. But the solution can be as simple as turning back the clock to simpler days when climbing the right tree could make you the hide-and-seek champion of the schoolyard. If attackers won’t stop searching for information to steal, encrypt, or destroy, then the course of action for defenders is clear: keep that information hidden and deny any attempts for access.
Data concealment can dramatically reduce the attacker’s ability to move throughout the network, escalate their privileges, and identify high-value targets. By hiding the very thing they are after and instead offering an attractive selection of authentic-looking decoys, data concealment technology represents one of the most valuable weapons yet in the ongoing fight against APTs.