Written by: Carolyn Crandall, Attivo Networks CMO

The High Performance Computing community gathers once a year for the International SuperComputing Conference (SCinet). Started 30 years ago, it is the premier HPC event of the year, where the world’s leading researchers share results and applications, and debate the future of HPC, networking, storage, and analysis.
One of the hallmarks of the SC Conference is SCinet, the commodity network for attendees that, for the duration of the conference, is the fastest and most powerful network in the world. During the conference, the SCinet experimental network delivers greater bandwidth than any other facility in the world and more capacity than many cities and countries. Naturally, because SCinet is wide open to the internet and experiences numerous attacks while it is up and running during the event, it employs several security solutions to protect itself from being used for malicious purposes. One of those solutions is the Attivo Networks ThreatDefend™ Deception and Response platform.
Attivo’s participation in SCinet started last year at SC17, where we deployed a BOTsink® appliance on the network. Using dynamic deception techniques and a matrix of distributed decoy systems, the BOTsink turned the network into a trap designed to deceive attackers. The platform serves as an early warning system, efficiently detecting attacker reconnaissance and lateral movement and misdirecting attackers into targeting the decoys instead of production systems. By deploying decoys in specific network segments, the BOTsink not only detects attacker activity, but also captures critical attack details such as TTPs, IOCs, and adversary intelligence when the attackers engage with the decoys. Collectively, this can be used to accelerate incident response.
The solution proved its effectiveness last year when the decoys detected numerous attacks coming from around the world. Unsurprisingly, the decoys detected several ransomware attacks, but they also identified activity attributed to human attackers. In one such instance, an attacker compromised a Linux decoy via SSH and dropped a payload on it. The decoy captured all the network and disk activity, including the dropped file, and the SOC determined that the activity was malicious enough to put the IP on a watchlist. Two days later, the same IP address accessed the SCinet network again and successfully compromised a production system. The SOC immediately blacklisted it, preventing further exploitation and avoiding a large-scale attack. In total, the deception environment captured about forty unique dropped files on the decoys, many of them previously unseen samples with no recorded information, and over 7,000 unique attacker IP addresses, illustrating how widespread the activity targeting SCinet was.
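The watchlist workflow described above, as an added example that is not Attivo's code or SCinet's tooling: decoy engagements (any contact with a decoy is suspect, since no legitimate user has a reason to touch one) seed a watchlist, and production sshd log lines are then correlated against it so that a later login from a watchlisted source is escalated to a block. The alert format, the sshd lines, the IP addresses and the host names are all constructed sample data.

```python
import re
from datetime import datetime

# Constructed sample data (not real SCinet telemetry): decoy engagement alerts
# as a deception platform might emit them, and production sshd log lines.
DECOY_ALERTS = [
    {"ts": "2017-11-13T02:14:09", "src": "203.0.113.7", "decoy": "linux-decoy-3", "event": "ssh_login_success"},
    {"ts": "2017-11-13T02:15:41", "src": "203.0.113.7", "decoy": "linux-decoy-3", "event": "file_dropped"},
    {"ts": "2017-11-13T09:02:00", "src": "198.51.100.22", "decoy": "win-decoy-1", "event": "smb_scan"},
]
PROD_SSHD_LOG = """\
2017-11-15T11:20:03 prod-login-1 sshd[2210]: Accepted password for ops from 203.0.113.7 port 51544 ssh2
2017-11-15T11:20:05 prod-login-1 sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 40122 ssh2
2017-11-15T11:21:17 prod-login-1 sshd[2212]: Failed password for root from 198.51.100.22 port 33001 ssh2
"""
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
                     r"\S+ for (?P<user>\S+) from (?P<src>\S+)")

def build_watchlist(alerts):
    """Every source that engaged a decoy goes on the watchlist, keyed by IP,
    with its first-seen time and the behaviours observed on the decoy."""
    watch = {}
    for a in alerts:
        entry = watch.setdefault(a["src"], {"first_seen": a["ts"], "decoys": set(), "events": set()})
        entry["decoys"].add(a["decoy"])
        entry["events"].add(a["event"])
    return watch

def correlate(watchlist, sshd_log):
    """Scan production sshd lines for watchlisted sources. A successful login
    from a watchlisted IP after its decoy contact is the 'two days later' case
    from the post and is escalated to block; failed attempts raise an alert."""
    hits = []
    for line in sshd_log.splitlines():
        m = SSHD_RE.match(line)
        if not m or m["src"] not in watchlist:
            continue
        entry = watchlist[m["src"]]
        if datetime.fromisoformat(m["ts"]) < datetime.fromisoformat(entry["first_seen"]):
            continue  # predates the decoy contact, so this entry does not cover it
        action = "block" if m["result"] == "Accepted" else "alert"
        hits.append({"src": m["src"], "host": m["host"], "user": m["user"],
                     "action": action, "decoy_evidence": sorted(entry["events"])})
    return hits

if __name__ == "__main__":
    for hit in correlate(build_watchlist(DECOY_ALERTS), PROD_SSHD_LOG):
        print(hit)
```

The `decoy_evidence` field carries the decoy-side observations forward so the analyst handling the production alert sees why the source was watchlisted without opening a second console.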
This year, Attivo Networks deception technology will be used to protect SCinet. Every year, SCinet gets bigger and faster, pushing the envelope for high performance networking to support high performance computing, and Attivo Networks looks forward to detecting and derailing the varying types of attacks and files it will see during the event.