Deception Technology Comes Of Age
By: Carolyn Crandall, CMO
Over the past two years, we have been working to build not only awareness of our deception-based technology solution, but awareness of the category itself. Although the concept of deception for detecting threats is not completely new, the original form of “decoydocs” was not commercially viable and was significantly limited in its functionality. Because of this, the concept of deception was understood, but dismissed as interesting yet not ready. Fast forward ten or so years from the introduction of decoydocs and a lot has changed in the technology. I have also seen a fundamental shift in interest and adoption of this generation of deception technologies. The times are changing, and with that has come a steady stream of awards, reports on the category, and standing-room-only attendance during speaking sessions at events.
With this blog, I want to take you through some of the events that may have gone unnoticed through the last year.
One of the first reports anointing the category appeared in a Gartner report earlier this year, “Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities”. The report noted that although deception technology is still in its early stages, its role as a defense technology against hackers has merit, and larger organizations that want advanced threat detection and defense will begin to consider adding it to their arsenal.
In early September we also saw the release of The 2017 TAG Cyber Security Annual by Dr. Edward G. Amoroso, former SVP and CSO of AT&T and current CEO of TAG Cyber, LLC, in which the technique known as deception is highlighted as an important tool in the cyber defender’s kit. Attivo Networks is recognized as a Distinguished Vendor in this report because we have made our products “Simple to install and operate via slick user interfaces, comprehensive reporting capabilities, and efficient automation. In the midst of such advances, one can only conclude that enterprise cyber security teams must begin accelerating the use of deception in their infrastructure.”
I am excited to share that Frost & Sullivan has also chimed in and is the latest analyst firm to produce a report on the category. Author Michael Suby was clear in his look at deception technology saying that it should be established as a security discipline within all organizations. In “Deception as a Security Discipline: Going on the Offensive in the Cybersecurity Battlefield”, he provides insight into how deception works, why it is such a compelling technology, and four attributes he believes organizations should consider when deciding whether deception is for them. These four attributes are: authenticity, vitality, automation, and ambition. Here is what he had to say about Attivo:
In creating a believable deception tailored to an organization’s unique system circumstances and assets to protect, the Attivo ThreatMatrix Platform supports deception-building capabilities across a wide range of virtual machine types; supervisory/process control devices, protocols and standards commonly used in supervisory control and data acquisition (SCADA), and Internet of Things (IoT) systems; and credentials. Credentials are particularly noteworthy, as they are: (1) highly attractive to attackers, as they are the access keys to valuable assets; (2) diverse in type and operating system; (3) numerous; and (4) unique to each organization. In addition to providing extensive support for credential type and operating system (Windows, Mac, and Linux), Attivo offers wizards, administrative tools, and directory integrations to help its customers in creating and updating deception credentials: based on the organization’s policies, geographic footprint, and even quantity.
Recurring reconnaissance is also employed by Attivo, not for exploitation purposes as with attackers, but to produce a heat map of the organization’s systems to determine where and what breadcrumbs to put in place, and the dimensions of the deception environment hosted in the ThreatMatrix BOTsink deception server.
With regard to adapting to the evolution in attacker methods, the ThreatMatrix platform has purpose-built mechanisms to mitigate email phishing attacks, and file encrypting ransomware. To identify and mitigate email phishing attacks, questionable emails with their file attachments are sent by users to the ThreatMatrix BOTsink deception server, where the email and its attachments are activated in this controlled environment (a replication of the organization’s production system), to assess intent. (Since the end-to-end process is occurring in real-time, and the user involvement is limited to pressing a “click to send” icon in the email client).
The mechanism for identifying the existence of file encrypting ransomware, so its propagation can be contained, differs slightly from the email phishing mechanism. Rather than triggered by users sending questionable emails, the ransomware—as it moves laterally to encrypt more local user files and the more coveted network drives—is lured into the BOTsink deception server, where analysis is conducted as the ransomware encrypts documents in the BOTsink network drives (fake documents in fake network drives). Supported with clear evidence on the existence of ransomware and its code, the organization can confidently initiate steps to contain the spread, such as quarantining the infected subnet; and remediate infected devices by first conducting a targeted scan for the ransomware.
In the previous two attributes, features of the ThreatMatrix Platform that cross over into this Automation attribute were noted. They include establishing and maintaining deception realism and automated mechanisms to fight phishing and ransomware attacks. Also, pertaining to automating deception realism, Attivo customers can upload golden images of their end-user devices and services into BOTsink. Of high importance for security analysts is the ability to seamlessly work across multi-vendor, multi-technology security infrastructure to support operations—namely, detection forensics and incident response. This, too, is an Attivo ThreatMatrix Platform feature, and a feature that crosses over into the next solution attribute: Ambition. Over the last year, Attivo has established technology integrations with multiple security vendors in detection forensics (SIEM) and incident response (perimeter defenses). Two partners were interviewed in preparing this insight: Blue Coat Systems and ForeScout Technologies. A common theme that bubbled up was assisting their customers’ ability to mitigate risk faster and with greater confidence, by incorporating ThreatMatrix high-fidelity alerts into automated and semi-automated incident response policies (e.g., block, quarantine, and remediate). On SIEM integrations, ThreatMatrix high-fidelity alerts and detailed IOCs are automatically fed into SIEM forensic engines. Combined with the SIEM’s other IOC sources, vulnerability knowledge, client-specific vulnerability assessments, and global threat intelligence, the SIEM’s forensics capabilities are further augmented.
Strongly fitting into this attribute is the upcoming Attivo ThreatPath feature. The noteworthy aspect of ThreatPath is threat prevention. With ThreatPath, threat prevention is accomplished by: (1) continuously and transparently gathering information about the customers’ production network, systems, and devices via dissolvable or persistent agents; (2) combining that information with knowledge of attacker behaviors accumulated by Attivo; (3) defining the pathways attackers would likely follow; and then (4) producing high-fidelity incident prevention recommendations back to the customer, which correspond to those likely pathways to vulnerable assets. The ambitious aspect of ThreatPath is in advancing the security value of Attivo from its initial core value of deception-improved incident response to proactive incident prevention.
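The two mechanisms the report describes above, catching ransomware as it encrypts fake documents on a fake network drive and feeding the resulting high-fidelity alerts to a SIEM, can be sketched from the defender's side in a few dozen lines. This is an added illustration and not Attivo's or Frost & Sullivan's code; the decoy file names and contents, the 7.0 bits-per-byte entropy cut-off used to tell encryption from an ordinary rewrite, and the JSON alert layout are all assumptions.

```python
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

# Constructed decoy documents; a real decoy share would hold realistic-looking files.
DECOY_FILES = {
    "Q3_budget.xlsx": b"Budget worksheet placeholder, quarter three\n" * 40,
    "salaries.docx": b"Confidential HR roster placeholder text\n" * 40,
}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits per byte; ciphertext approaches 8.0

def new_share() -> Path:
    """Temporary directory standing in for the decoy network drive."""
    return Path(tempfile.mkdtemp(prefix="decoy_share_"))

def plant_decoys(share: Path) -> dict:
    """Write the decoys and record their baseline SHA-256 digests."""
    baseline = {}
    for name, content in DECOY_FILES.items():
        (share / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a file; plain documents sit well below the threshold."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_decoys(share: Path, baseline: dict) -> list:
    """One alert per altered decoy; nothing legitimate touches a decoy, so every hit is high fidelity."""
    alerts = []
    for name, digest in baseline.items():
        path = share / name
        if not path.exists():
            alerts.append({"decoy": name, "event": "deleted_or_renamed"})
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            ent = round(shannon_entropy(data), 2)
            event = "encrypted" if ent > ENTROPY_THRESHOLD else "modified"
            alerts.append({"decoy": name, "event": event, "entropy": ent})
    return alerts

def to_siem_json(alerts: list, share: Path) -> str:
    """One JSON object per line, the shape a SIEM collector typically ingests."""
    return "\n".join(json.dumps({"source": "decoy-share", "share": str(share), **a}) for a in alerts)
```

In production the decoy check would run on a timer or on a file-system change notification rather than on demand, and the emitted lines would be shipped to the SIEM by the usual log forwarder.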
We are extremely pleased with the recognition we are receiving for our ThreatMatrix Deception and Response Platform. As industry leaders in the space, we know that cyber attacks move quickly and change even more quickly. We have been enhancing our platform constantly over the past two years, in many instances at the direct request of our customers. The result is a solution they say has unparalleled accuracy and effectiveness today. Our commitment is to evolve the application of deception well beyond its initial use and into additional areas of visibility, automation, and accelerated incident response for cyber defense. You can expect to read more about the new enhancements in the coming months.
Click here to read Mike Suby’s report in its entirety.
We welcome you to also join the webinar on October 12, 2016 where Mike Suby will share an overview and perspectives from his report.