Every device that connects to a network creates a security risk. Many forms of defense are designed to protect these endpoints, including anti-virus, firewalls, HIPS, endpoint detection and response (EDR), and other forms of access control. Most of these solutions require installed agents to manage authorization and authentication, track device activity, and detect and remove viruses and malware. Despite the effort applied to endpoint protection and EDR solutions, these defenses are inherently insufficient. Even if you could find every endpoint, manage every agent, and keep every device consistently patched, there are fundamentally too many attack vectors to keep up with.
However, what if you could change the game and create an environment where every path an attacker takes to move off a system leads them away from their target and into a deception environment? What if every endpoint became a decoy? What if you could lock down an attacker's lateral movement so that they could not conduct network discovery, Active Directory reconnaissance, credential theft, Man-in-the-Middle attacks, or service exploitation? Does this seem far-fetched? Fortunately, with modern cyber deception, it is not a vision but a capability that is available today.
The Attivo Networks ThreatDefend Cyber Deception Platform brings forward innovation that changes the game so that attackers cannot successfully break out from the endpoint. The solution works not only by interweaving deception throughout the network but also by making every endpoint a decoy designed to disrupt an attacker's ability to break out. It does this without requiring agents on the endpoint or disrupting network operations. The attack methods that the solution derails include, but are not limited to:
- Stealing local credentials
- Looking for file shares and connected systems
- Network reconnaissance to find production assets and the services available on those hosts
- Active Directory reconnaissance to query AD for privileged domain accounts, systems, and other high-value objects
- Man-in-the-Middle attacks where attackers steal credentials in transit
The benefits in detecting threats early and accurately are material. In a recent EMA survey, deception customers cited 5-day dwell times and high confidence in detecting threats. These results reflected a more than 90 percent improvement over users of non-deception technology. Survey respondents also cited deception as the top tool of choice for detecting insider threats, compared to 12 other security controls. Insiders using legitimate credentials are often hard to detect. Deception reduces this risk by removing exposed attack paths and through the use of decoys, which are extremely effective in detecting policy violations and attempts at unauthorized access.