Written by: Carolyn Crandall, Chief Deception Officer & CMO
It was great to attend the NH-ISAC 2018 Spring Summit last week in Ponte Vedra Beach, FL as a Grand Rounds Sponsor. This year’s conference focused on fostering and building relationships within the trusted healthcare and public health sector community through educational events aimed at advancing the global health sector’s cybersecurity approach. As a Grand Rounds Sponsor, Attivo had a tremendous opportunity to engage with the healthcare community and gather feedback on top security concerns and challenges.
Attivo took this opportunity to survey attendees about their top detection concerns, any apprehensions they had about threat deception as a technology solution, and the role they see threat deception playing in their incident response strategy. The results were compiled live and used to drive a lively and interactive discussion. It turned out to be an excellent forum for dispelling some of the myths surrounding deception technology and for exploring further the value threat deception can add to early detection and to an organization’s incident response.
Here are the results and findings from the survey and discussions.
IoT Medical Devices
The top detection concern reported by respondents at NH-ISAC was ensuring the security of IoT medical devices. Rightfully so: healthcare organizations are major targets for cybercrime because of their high-value data and the challenges of securing inherently vulnerable medical devices.
To address these challenges, mitigate the risk of a breach, and protect patient care, Attivo Networks offers threat deception technology that appears on the network identical to IoT medical devices and their supervisory control servers. The Attivo BOTsink® solution uses decoys and lures to misdirect potential attackers away from production assets and to raise high-fidelity alerts on attacker reconnaissance, lateral movement, or attempts to download malware to a decoy.
Additionally, Attivo has partnered with BD (Becton, Dickinson and Company) to deliver visibility and improve detection of potential cyber threats that can affect certain BD medical devices. As a result of this collaboration, BOTsink decoys now run the same software as the production assets, creating mirror-match decoy authenticity for certain BD products. This produces an environment in which a potential attacker truly cannot tell what is real and what is fake, ultimately revealing the attacker’s activities.
Credential Theft
Tied for second with ransomware, survey respondents at NH-ISAC reported substantial concerns about their ability to detect credential theft. Stolen-credential attacks occur when an attacker gains a foothold in the network, harvests cached credentials from an endpoint they have infected, and then uses those credentials to move laterally and persist.
As cybercriminals move deeper into a network, their tactics, techniques, and procedures become extremely difficult to detect. Once administrative privileges are gained, threat actors’ activity blends in with legitimate administration and often leaves no trace in standard logs. Enterprises need an advanced threat deception platform that can detect zero-day malware, malicious communications, and attacker behaviors that are invisible to standard security defenses.
In response to these challenges, Attivo has created a customizable and non-intrusive solution that identifies targeted attacks by detecting infected endpoints, infected servers/VMs, and the use of stolen credentials. Attivo plants deception credentials on endpoints; because these credentials lead only to decoy systems and are valid on no production asset, an infected device attempting to use them generates a substantiated alert. SIEM integrations make it easy to query failed login attempts, identify infected systems, and remediate threats quickly.
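The detection logic behind planted credentials is simple enough to show end to end. The following is an added example written for this page, not Attivo code: it runs over a handful of constructed Windows logon events (simplified key=value lines modelled on event IDs 4625 and 4624) and raises one alert per source host that tried a decoy account. The decoy account names, host names and addresses are invented for illustration.

```python
"""Decoy-credential detection over sample logon events.

Constructed example: the decoy account names, host names and log lines
below are invented for illustration; this is not Attivo data or code.
"""
from collections import defaultdict
import re

# Hypothetical decoy accounts planted in endpoint credential stores.
# They are valid nowhere in production, so any authentication attempt
# with them comes from an attacker or a misconfigured tool, never a user.
DECOY_ACCOUNTS = {"svc_backup_admin", "db_ro_legacy"}

# Constructed Windows Security events in a simplified key=value form.
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    "EventID=4625 Account=jsmith Workstation=WS-0142 SrcIP=10.20.1.42 Status=0xC000006A",
    "EventID=4625 Account=svc_backup_admin Workstation=WS-0177 SrcIP=10.20.1.77 Status=0xC000006A",
    "EventID=4625 Account=svc_backup_admin Workstation=WS-0177 SrcIP=10.20.1.77 Status=0xC000006A",
    "EventID=4624 Account=jsmith Workstation=WS-0142 SrcIP=10.20.1.42 LogonType=3",
    "EventID=4625 Account=db_ro_legacy Workstation=WS-0177 SrcIP=10.20.1.77 Status=0xC0000064",
    "EventID=4625 Account=helpdesk Workstation=WS-0201 SrcIP=10.20.2.1 Status=0xC000006A",
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(_FIELD.findall(line))


def decoy_logon_alerts(lines, decoy_accounts=DECOY_ACCOUNTS):
    """Return one alert per (workstation, source IP) that used a decoy account.

    Ordinary failed logons (users mistyping passwords) are ignored; only
    decoy account names matter, which is what keeps the alert volume low
    and the fidelity high.
    """
    by_source = defaultdict(lambda: {"accounts": set(), "attempts": 0, "ids": set()})
    for line in lines:
        ev = parse_event(line)
        acct = ev.get("Account", "").lower()
        if acct not in decoy_accounts:
            continue
        src = (ev.get("Workstation", "?"), ev.get("SrcIP", "?"))
        entry = by_source[src]
        entry["accounts"].add(acct)
        entry["attempts"] += 1
        entry["ids"].add(ev.get("EventID"))

    alerts = []
    for (host, ip), entry in sorted(by_source.items()):
        alerts.append({
            "host": host,
            "src_ip": ip,
            "decoy_accounts": sorted(entry["accounts"]),
            "attempts": entry["attempts"],
            # A *successful* logon with a decoy credential means the decoy
            # account is valid somewhere it should not be: treat as critical.
            "severity": "critical" if "4624" in entry["ids"] else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in decoy_logon_alerts(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same rule is expressed as a SIEM correlation search on the decoy account list; the host and source address in the alert are what the responder uses to isolate the infected endpoint.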
Ransomware
It’s no wonder that NH-ISAC survey respondents listed ransomware as one of their top security concerns: nearly one million new strains of malware are released each day, and they are extremely difficult to detect without a comprehensive detection solution. Detection technology based on signatures or pattern matching can miss new strains of ransomware, and its alerts are often buried in streams of log data. The Attivo threat deception solution closes these detection gaps. Our decoys do not depend on signatures, so they remain accurate and effective regardless of the ransomware variant or the attack surface it is trying to infect.
The Attivo Networks solution for ransomware begins with a “motion sensor” that alerts an organization when an attacker encrypts the decoy drive or exploits a Windows SMB vulnerability on a decoy. What makes the solution unique is its ability to slow down and block the ransomware by fooling the attacker into believing the attack is escalating, when in fact the attacker is being distracted by technology that engages and occupies their attention. This engagement also gives security teams the time advantage needed to isolate the attack before it spreads widely.
The next set of questions explored common concerns and myths that may affect an organization’s adoption of deception technology.
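The “motion sensor” idea can be reproduced in miniature: plant decoy documents in a share no legitimate user should touch, baseline their hashes, and alert when any of them is modified, renamed or deleted, or when unexpected files appear. The block below is an added example for this page, not Attivo code; the decoy file names and contents are constructed, and the ransomware behaviour is simulated by overwriting one decoy with random bytes, renaming another, and dropping a ransom note. A Shannon-entropy check on modified content separates encryption (near 8 bits per byte) from an ordinary edit.

```python
"""Decoy-share tamper detection: a file-level "motion sensor" for ransomware.

Added example, not Attivo code. Decoy names, contents and the simulated
attacker behaviour are all constructed for illustration.
"""
import hashlib
import math
import os
import tempfile

# Plaintext documents rarely exceed ~6 bits/byte; ciphertext sits near 8.
ENTROPY_ENCRYPTED = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def snapshot(decoy_dir):
    """Map file name -> SHA-256 of content for every file in the decoy share."""
    snap = {}
    for name in os.listdir(decoy_dir):
        path = os.path.join(decoy_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                snap[name] = hashlib.sha256(f.read()).hexdigest()
    return snap


def check_decoys(decoy_dir, baseline):
    """Compare the share against the baseline and return a list of findings.

    Any finding is an alert: nobody has a legitimate reason to touch a decoy.
    """
    current = snapshot(decoy_dir)
    findings = []
    for name, digest in baseline.items():
        if name not in current:
            findings.append({"file": name, "event": "deleted_or_renamed"})
        elif current[name] != digest:
            with open(os.path.join(decoy_dir, name), "rb") as f:
                ent = shannon_entropy(f.read())
            findings.append({"file": name, "event": "modified",
                             "entropy": round(ent, 2),
                             "likely_encrypted": ent >= ENTROPY_ENCRYPTED})
    for name in sorted(current.keys() - baseline.keys()):
        # Ransomware typically creates files: encrypted copies with a new
        # extension, and ransom notes.
        findings.append({"file": name, "event": "new_file"})
    return findings


def demo():
    """Plant decoys, baseline them, simulate ransomware, return the findings."""
    decoys = {  # constructed bait; the names are meant to look worth stealing
        "Q3_patient_billing.xlsx": b"Patient,Amount\nDoe,120.00\n" * 40,
        "passwords_OLD.txt": b"vpn: hunter2\nadmin: letmein\n" * 20,
        "board_minutes_2018.docx": b"Minutes of the meeting...\n" * 30,
    }
    with tempfile.TemporaryDirectory() as d:
        for name, content in decoys.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        baseline = snapshot(d)

        # Simulated ransomware (not real malware): encrypt one file in place,
        # rename another with a new extension, and drop a ransom note.
        with open(os.path.join(d, "Q3_patient_billing.xlsx"), "wb") as f:
            f.write(os.urandom(4096))
        os.rename(os.path.join(d, "passwords_OLD.txt"),
                  os.path.join(d, "passwords_OLD.txt.locked"))
        with open(os.path.join(d, "README_DECRYPT.txt"), "wb") as f:
            f.write(b"Your files have been encrypted. Pay to recover them.\n")

        return check_decoys(d, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The untouched decoy produces no finding, which is the property that makes this kind of sensor quiet in normal operation; on a real share the check runs on a file-change notification or a short polling interval rather than once.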
Fitting into the security stack
NH-ISAC respondents reported being most concerned about how deception technology would fit into their existing environment. A well-designed deception system fits non-disruptively and non-intrusively into an organization’s existing security ecosystem, closing detection gaps and raising only high-fidelity, actionable alerts. Attivo Networks works closely with top security infrastructure providers to offer a seamless integration with existing SOC and EDR tools, to share attack information, and to automate incident handling. The Attivo solution maintains native technical integrations and partnerships with security solutions for blocking, quarantining, remediation, and prevention of future attacks. Incident response can be fully customized, activated, and automated from the Attivo dashboard for operational ease.
The deepest conversations centered on early detection and reducing attacker dwell time. By detecting early reconnaissance, lateral movement, and credential theft, the Attivo deception solution closes the gap left by a perimeter-only defense, or by one in which other detection solutions are limited or produce such a volume of alerts that the real threats get lost in the noise.
Key threat deception benefits discussed included:
- Early attack detection
- Across all attack surfaces
- Through all attack methods
- For known and unknown attacks
- Scalability without network disruption
- High-fidelity actionable detection alerts
- Automation of incident response
Operations and Deployment
Many survey respondents at NH-ISAC listed operations and deployment as a top concern when thinking about adopting deception into their security stack. With the Attivo ThreatDefend Deception and Response platform, organizations benefit from ease of operation, simple set-up, and scalability, allowing security teams to centrally manage and customize deceptions for global deployment. Attivo Networks provides a number of flexible deployment options that preserve decoy authenticity. A common misconception is that customizing deception results in complexity and increased operational overhead. In reality, the out-of-the-box deployment, drawing on 50+ operating systems, applications, and protocols, can be set up in under an hour and is easily maintained with automated self-learning. Through machine-learning capabilities, the Attivo solution can designate the appropriate types and numbers of decoys to deploy to each VLAN based on what it learns of the network, and can automate the deployment of decoy and credential campaigns to keep the deceptions attractive and to address today’s evolving threat landscape.
Security teams can add, edit, or further customize the campaigns to their liking, changing any characteristic of the decoys, such as the naming convention, IP addresses, or account names. Golden-image customization takes more time, but it definitely ups the ante on decoy authenticity.
Attivo deception technology also removes the legacy operational overhead commonly experienced with honeypots or other open-source deception trapping or decoy deployments. Unlike other deception options, the Attivo solution is designed for easy scalability without the need to add staff to support even the largest global operations.
No False Positives
Attivo understands that no security administrator has the time or resources to waste chasing false positives or noisy alert storms. That is why the Attivo solution provides only accurate, actionable, and substantiated alerts based on attacker engagement. There is no legitimate reason for a company employee to engage with the Attivo BOTsink solution, so any scan of it, attempt to engage it, or attempt to use deception credentials represents an attacker trying to find and target high-value network assets or steal credentials, or at a minimum a policy violation. (The one expected exception is the organization’s own authorized scanners, such as vulnerability management and asset-discovery tools, which should be excluded or allowlisted during deployment so their traffic is not treated as an attack.) Because of its high-fidelity alerts and operational efficiency, the Attivo solution has become a trusted and essential tool for organizations of all sizes, from Fortune companies to mid-size organizations, and of all levels of security infrastructure maturity.
The Role of Deception in Incident Response:
Many organizations recognize the value of deception in early detection. This survey question explored other areas of value around improving attack analysis, forensic reporting, and incident response.
NH-ISAC respondents are correct that threat deception is an ideal tool for early detection. The Ponemon 2017 Cost of a Data Breach Study found that US companies took an average of 206 days to detect a data breach, a slight increase on the previous year (201 days). Reducing these timeframes is essential and should be on the “critical to do” list of every IT and security team. Inside-the-network detection puts time back on the defender’s side and takes it away from the attacker, with real-time detection of targeted attacks, reconnaissance, stolen-credential attacks, lateral movement, insiders, Man-in-the-Middle attacks, and ransomware.
Many NH-ISAC survey respondents listed visibility as a top role deception technology could play in their incident response. Often, security teams have limited visibility into network changes. The ThreatDefend platform is well suited to this, as it can provide visibility into when less secure or unauthorized devices are added to the network and raise the organization’s risk profile.
The BOTsink network visualization tools let teams quickly discover devices added to or changed on the network. Topographical maps allow users to watch how the network changes over time and provide a simple way of understanding where deception is operating and where there are opportunities to strengthen defenses. Attivo’s attack visualization tools let security teams quickly visualize attacks on the network and improve their understanding of cross-VLAN attacks. This can save hours of manual effort in understanding an attack and can be instrumental in reconstructing the steps of complex Man-in-the-Middle attacks.
Automated Attack Analysis and Forensics
NH-ISAC survey respondents highlighted automated attack analysis and forensics playing a key role in their incident response. Attivo knows the value of understanding an attacker’s methods and strategies, which is why we have created the most comprehensive deception solution that empowers organizations to defend their networks and data centers with the help of threat intelligence.
To help security analysts investigate incidents, gather forensic evidence, and analyze malware, the BOTsink solution provides the Attack Threat Analysis (ATA) engine and the Malware Analysis Sandbox (MAS). The BOTsink solution uses the information gathered by the ATA to initiate automated incident response via native integrations with other security tools, while the MAS analyzes submitted malicious binaries. With an intrusion contained, the BOTsink solution captures full forensics, including time, type, and other important attack information, in order to identify infected systems and complete analysis of the attack’s anatomy and objectives.
The latest version of the ThreatDefend platform augments its threat and adversary intelligence gathering with counterintelligence that identifies the types of data the attacker is attempting to steal and, through geolocation services, where the stolen documents are being opened. This information provides powerful insight that can be used to better understand the adversary and strengthen a company’s overall defenses.
Organizations can monitor these intrusions and use the information gathered to update the security of the production network. By using these features of the BOTsink solution, organizations gain full analysis capabilities while reducing the need for manual analysis, which can consume hours of every day.
Why Customers are Choosing Attivo for Early, Accurate, and Actionable Detection of In-Network Threats
It is essential to have both defensive and active strategies in place to turn the tables on an attacker. With Attivo’s active defense approach, organizations can proactively detect and derail attacks early and collect the threat intelligence necessary to understand an attacker’s tactics, techniques, and procedures in order to prevent recurrences. Learn more about why relying solely on prevention-based security solutions is not a reliable line of defense against today’s sophisticated attackers, and how the Attivo ThreatDefend™ Deception and Response Platform addresses your security needs, here. To continue the conversation and speak with an Attivo security specialist, contact us here.