Stolen Credential, Ransomware, and Phishing Detection
Typical intrusion detection systems are built around detecting malware, historically the dominant method of attack. The threat landscape has changed dramatically: more than two out of three attacks are cited as starting with the use of stolen credentials, and recent studies report that 60% of organizations feel ill equipped to detect this type of attack. Compounded by ransomware that can quickly erase or encrypt networked drives, this leaves organizations needing a new approach to protect their data and critical infrastructure. Attempts to use behavioral analytics have proven challenging because of the alert storms they generate, with the result that real incidents go unattended until it is too late.
Stolen credential attacks used to be carried out in sweeps that tried thousands of credentials at a time, and these were fairly easy to detect. Attackers have become more sophisticated and now come in “low and slow”, with only one or two attempts per hour, which makes them challenging to detect: a failed-login rate threshold tuned for sweeps is never reached.
Deception takes a different approach to detecting attackers who try to steal and use credentials. Deception credentials, together with application and other data that appear to belong to employees, are planted on endpoints and servers. This bait lays “breadcrumbs” that lead an attacker to an engagement server, where the attack can be analyzed and a substantiated alert raised. Unlike behavioral analytics, these alerts are based on actual engagement with the decoys, so they carry the detail required to immediately block and quarantine the attack.
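The two previous paragraphs describe the detection gap (low-and-slow credential attempts) and the deception answer to it (a planted credential that no legitimate process ever uses). The following is an added example, not code from the original page or from any deception product, showing both over a handful of constructed authentication log lines: a short-window threshold of the kind tuned for sweeps misses the slow attacker, a long-window count catches it at the cost of possible noise, and any use of a decoy account is a high-confidence alert on its own. The log format, the account names, the source addresses and the thresholds are all assumptions made for the demo.

```python
"""Low-and-slow vs. decoy-credential detection over constructed auth events.

Assumptions (not from the original page): the log format below is invented,
the decoy usernames are hypothetical, and the thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: a "low and slow" attacker at 10.0.0.7 tries
# one or two passwords an hour against real accounts, then finally uses a
# planted decoy credential (svc_backup_old) that no legitimate process uses.
# 10.0.0.42 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2024-03-01T08:05:00 src=10.0.0.7 user=jsmith result=fail
2024-03-01T09:12:00 src=10.0.0.7 user=akumar result=fail
2024-03-01T09:40:00 src=10.0.0.7 user=jsmith result=fail
2024-03-01T10:33:00 src=10.0.0.7 user=mlee result=fail
2024-03-01T11:48:00 src=10.0.0.7 user=akumar result=fail
2024-03-01T12:20:00 src=10.0.0.7 user=mlee result=fail
2024-03-01T13:02:00 src=10.0.0.7 user=svc_backup_old result=success
2024-03-01T08:06:00 src=10.0.0.42 user=jsmith result=fail
2024-03-01T08:06:30 src=10.0.0.42 user=jsmith result=success
"""

# Decoy accounts planted on endpoints as breadcrumbs (hypothetical names).
DECOY_USERS = {"svc_backup_old", "admin_dr"}


def parse_events(text):
    """Parse the constructed 'ts key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "src": kv["src"],
                       "user": kv["user"], "result": kv["result"]})
    return events


def decoy_credential_alerts(events, decoys=DECOY_USERS):
    """Any use of a decoy credential is a substantiated alert: the account has
    no legitimate user, so a failed attempt counts as much as a success."""
    return [(e["src"], e["user"], e["result"]) for e in events if e["user"] in decoys]


def _failures_over_threshold(events, window, min_failures):
    """Sliding-window count of failed logins per source address."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "fail":
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= min_failures:
                flagged.add(src)
                break
    return flagged


def burst_sources(events, window=timedelta(minutes=5), min_failures=10):
    """Classic sweep detection: many failures from one source in a short window."""
    return _failures_over_threshold(events, window, min_failures)


def low_and_slow_sources(events, window=timedelta(hours=8), min_failures=5):
    """Same counting with a long window and a low bar, so 1-2 attempts per
    hour accumulate; the price is that ordinary typo-prone users can trip it."""
    return _failures_over_threshold(events, window, min_failures)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("burst threshold flagged:", burst_sources(ev))            # set()
    print("long-window flagged:   ", low_and_slow_sources(ev))     # {'10.0.0.7'}
    print("decoy credential used: ", decoy_credential_alerts(ev))  # 1 alert
```

The contrast is the point the paragraphs make: the burst threshold sees nothing, the long-window count does catch 10.0.0.7 but would equally catch a user who forgets a password five times in a working day, while the decoy alert needs no threshold at all and already carries the source address and the account used. For that to hold, the decoy accounts must genuinely never be used by anything legitimate; the same logic applied to a real service account would just be another noisy rule.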
A similar approach can deceive and misdirect ransomware. Decoy network drives are placed so that when the ransomware looks for the next networked drive to encrypt, it is instead led to the engagement server, where the activity is detected.
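As an added example of the detection side of such a decoy drive (not code from the original page or from any deception product), the block below plants canary files in a directory standing in for the decoy share, records their hashes, and then rescans after a toy stand-in for ransomware has encrypted them into renamed copies and dropped a note. Any deletion, modification or unexpected new file on a share that nobody legitimately uses is, by construction, an alert. The file names, the XOR "encryption" and the ransom note are all constructed for the demo; a real deployment would host the share on the engagement server and react to file-system events rather than rescanning.

```python
"""Decoy-share monitor: canary files baselined by hash at planting time; any
change, rename, deletion or new file on the share is an alert.

Added example, not the page's product. The directory layout, file names and
the toy 'ransomware' simulation are constructed for the demo.
"""
import hashlib
import os
import tempfile


def plant_decoys(root, names=("Q3_budget.xlsx", "passwords.txt", "backup_keys.zip")):
    """Create decoy files with enticing names and return {name: sha256}."""
    baseline = {}
    for name in names:
        data = f"decoy content for {name}\n".encode() * 64  # plausible size
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
        baseline[name] = hashlib.sha256(data).hexdigest()
    return baseline


def scan_decoys(root, baseline):
    """Compare the share against the baseline; return sorted (name, reason)."""
    alerts = []
    present = set(os.listdir(root))
    for name, digest in baseline.items():
        if name not in present:
            alerts.append((name, "missing"))  # deleted or renamed
            continue
        with open(os.path.join(root, name), "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                alerts.append((name, "modified"))  # encrypted in place
    for name in present - baseline.keys():
        alerts.append((name, "unexpected"))  # e.g. a .locked copy or a note
    return sorted(alerts)


def simulate_ransomware(root, key=0x5A):
    """Toy stand-in for ransomware (constructed): XOR-'encrypt' every file into
    NAME.locked, delete the original and drop a ransom note."""
    for name in list(os.listdir(root)):
        path = os.path.join(root, name)
        with open(path, "rb") as f:
            data = bytes(b ^ key for b in f.read())
        with open(path + ".locked", "wb") as f:
            f.write(data)
        os.remove(path)
    with open(os.path.join(root, "README_RESTORE.txt"), "w") as f:
        f.write("constructed ransom note\n")


def demo():
    """Plant decoys, confirm a clean scan, run the simulation, rescan.
    Returns (alerts_before, alerts_after)."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_decoys(root)
        before = scan_decoys(root, baseline)
        simulate_ransomware(root)
        after = scan_decoys(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before)  # []
    for alert in after:
        print("ALERT", *alert)       # 3 missing originals, 4 unexpected files
```

Because the share is a decoy, the monitor needs no tuning: there is no legitimate write to distinguish from a malicious one, which is what makes the alert substantiated in the sense the text uses. The one operational caveat is making sure the decoy is reachable by the same enumeration (mapped drives, SMB browsing) ransomware uses to find its next target, while being hidden from people, so that the first thing touching it really is the attack.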