Written by: Carolyn Crandall, CMO and Chief Deception Officer – In part 1 of my Black Hat recap, I published a post highlighting some of the key themes and noteworthy topics that drove conversations at Black Hat 2018. One development that was abundantly clear, was how far deception technology adoption has progressed during the past year. I still recall at the CS50 in 2017, the first time that a company walked up to the Attivo booth and shared that they were planning to budget for deception in 2018. What struck me most at Black Hat this year was the sheer number of attendees that dropped in to share that they are actively evaluating deception technology, are ready for a POC, or are planning budget in 2019. Some, even indicating available budget in the second half of 2018. Isolated or trend? These discussions point to trend, as our team at ILTACON in DC came back with similar stories of interest. It would seem that we are hitting the “crossing the chasm” point for deception technology.
So, what has changed? The concept of deception has been intriguing to IT leaders in the past, however there were a lot of preconceived perceptions about the technology that were holding them back from adopting deception technology- it was unproven, too complicated to deploy, and operate, and it was a luxury item that should only be adopted by those with mature security infrastructure or as something you would do last.
Possible catalysts to change could be:
- Organizations realizing that there are limitations to a prevention-only strategy.
- Dwell times remain extremely high, and all too often, notifications received from external sources.
- Other forms of detection come with heavy overhead or false positives.
- Attack surfaces are everchanging as well as the attacks on non-traditional devices including IoT, ICS, network, and telecom infrastructure.
- Detecting lateral movement is hard and is compounded with the adoption of cloud, container, and serverless environments.
- EDR has been adopted, EDR hasn’t been adopted… if only one knew where all the endpoints are on the network…
- Challenges related to DIY honeypots are removed with commercialized deception platforms.
- No longer the first to deploy. Attivo deception technology has been shipping since 2014, is globally deployed, has millions of endpoint deceptions installed, and is a proven stable and mature detection platform across all major verticals. Happy customers, happy references.
Decision makers are now realizing that previous perceptions and misunderstandings about deception are not a good reflection of reality, and as such, are no longer real barriers to adoption.
Many customers are also realizing the benefits of deception in creating an Active (Security) Defense. Through the ThreatDefend™ platform, customers gain not only early and accurate in-network visibility and threat detection, but also automated attack analysis, rich forensics, and native integrations which simplify and automate incident response actions. Security analysts often tell us that Attivo high-fidelity alerts are the most trusted and accurate way to quickly understand the threat and what needs to be done to quickly remediate.
A quote that I love from one of our customers is:
“The most important thing you do is provide me alerts based on confirmed activity… you are my eyes and ears on the inside of my network… the nerve center” – Senior Director Info Sec at top 50 retail organization
A question that comes up with sceptics and was also exploited in the Black Hat 2018 Black Hat Session: Real Eyes, Realize, Real Lies: Beating Deception Technologies, was whether deception actually works. It was an interesting session and did highlight risks that immature deception technology may fall prey to.
The session outline included:
- Define How Deception Works
- Fundamental Argument Is That Confrontation + Believability = Success
- Insight into How to Attackers Can Discover and Avoid Deception
Deception fundamentals covered:
- Companies must move from a reactive to proactive defense
- Deception is extremely effective, if:
- It covers effectively covers legacy to current tech
- If it is believable
He started with a warning about overconfidence in believing that an endpoint-driven defense alone is enough:
- Not realistic to isolate them
- Not even realistic to be able to know where they all are and keep them patched
- How well does AV really work anyway?
He then went on to speak about the need to have deception coverage at a decoy and credential level. He also noted that the more attack surface coverage, the better the odds of attracting and derailing the adversary.
I love this message, as Attivo has the broadest attack surface coverage and offers endpoint, network, application, and data deceptions. Decoy coverage extends to cloud, data center, user networks, and specialized attack surfaces such as IoT, ICS-SCADA, POS, network, and telecommunications infrastructure.
In this part of the session, he reviewed weaknesses that can be leveraged by an attacker to discover deceptions if they didn’t have proper validations and authentication. Ultimately, if not done right, lack of thorough validation will compromise attractiveness and believability of the deception environment. Areas he drilled into included:
- ARP, DNS, DHCP, AD entries, OSINT information
- High interaction services
- Tip offs if files are hidden
- Fake user account privileges
- Use of login credentials
Fortunately, for Attivo Networks, these considerations were factored into the ThreatDefend portfolio products and Attivo deception will not fall prey to these issues.
In general, I liked the way he presented deception and the value. Unfortunately, this session may generate confusion and has created more FUD for deception providers to navigate. Attivo has thoroughly reviewed the session and is open to discussing in detail if you would like to get into the specifics. Simply send a note to email@example.com to schedule.
Other things worth checking out to learn more on deception:
- 20 Hot Cybersecurity Products Announced at Black Hat 2018
- SC Media Review: Attivo Networks ThreatDefend Detection and Response Platform
Black Hat was a great event for Attivo Networks and I look forward to following up with everyone that I met and hearing more about how deception fits into everyone’s security plans at one of the various fall events or at RSA in the spring.