Written by: Marc Feghali, Attivo Networks Co-founder and VP of Product Management – Following my last blog on the deployment of deception technology, I received some questions/comments that fell into the following 2 categories:
- Deception technology is targeted at large companies, but not mid-size organizations
- Resource constraints – smaller companies have a one-person shop, so how can they possibly deal with deception on top of everything else?
These comments highlight a common misconception that deception technology is only for large organizations and made it clear to me that I need to illustrate the benefits that deception brings to any size company.
Deception can be a foundational tool in any security strategy. Deception technology provides organizations with early detection and accelerated incident response, regardless of attack type. Additionally, businesses on the smaller side don’t have the time or resources to sift through hundreds of alerts each day. Instead, deception technology only alerts based upon attacker engagement so there are no false positives. In fact, about 2/3 Attivo customers are mid-market companies.
For example, one Attivo customer is a mid-size company with a one-person security department. A few years ago, before deploying deception, the company was attacked. In the attack, most of the company’s servers were compromised and the intruders erased all the data. The company was offline for over two weeks trying to recover from the attack, greatly impacting their ability to conduct business.
Network: handful of subnets, locally hosted and managed servers
Security Department: One-person show
Once they recovered their systems, a looming question was why were they targeted? They are a local business focused on sales and distribution of specialty goods! The sad truth is that anyone can be a target regardless of organization size. Smaller companies are generally more relaxed about their network security and are therefore relatively easy targets. Privileged data has value on the dark web regardless of its origin and some attackers tend to be destructive to cover their tracks.
- Attackers successfully infiltrated the network
- They remained in the network undetected for a long time, moving laterally and infecting every server
- Key C-suite members were targeted and their credentials were compromised (possible social engineering)
- Lack of visibility on lateral movement and stolen credential attack
- No ability to detect attacks early in the cycle to minimize the attacker impact
In conjunction with recovering the servers and getting the business up and running again, the company became more disciplined about their security posture. They limited access to systems to employees who needed it, kept the perimeter solution rules up to date, reviewed accounts and privileges on a periodic basis, AND added deception to give them internal visibility to quickly detect and remediate attacks.
Their reason for implementing deception was very straightforward:
- Give the attacker deceptive targets to engage with and better understand what they are changing on the servers to enable faster remediation.
- Deploy deceptive credentials, especially around the C-suite and IT admin department to detect stolen credential/targeted attacks.
- No false positives due to high-fidelity alerts that only go off when something is wrong.
- Easy, automated deployment and management with machine learning capabilities.
To implement deception, they deployed a single Attivo BOTsink 3200 to cover their entire network, from which they generated deceptive credentials. The system does not require any additional overhead and it notifies them when it detects any attack activity. The system can easily project up to 2,000 deceptive targets natively across the whole network and can distribute the deceptive credentials to selected machines autonomously. Additionally, to make deployment and operation simple, the system uses machine learning to propose authentic deception campaigns in as little as an hour. However, if customers do not want to manage the system directly, they also have the option to have it managed by an MSSP that can cover the installation (on premise or cloud-based), operation of the system, and response to the attack.
Overall, the ThreatDefend™ platform is not only a great option for large enterprises but is also ideal for smaller businesses who need a simple way to quickly detect and remediate threats from the network.
To learn more about the Attivo Networks solution and to continue the conversation with a Deception Expert, contact us here.