Insight

Offensive security

Carolyn Crandall, CMO, Attivo Networks, discusses how security teams can gain the upper hand by going on the offense and creating an environment that provides continuous real-time detection against an ever-changing landscape of cyber threats.

Deception as a strategy has been used for years in war and, notably, by cyber attackers. However, using deception to address threats that have bypassed traditional prevention security measures is an emerging and additional line of defence. Today’s deception-based technology abandons the reliance on known attack patterns and monitoring and instead uses advanced luring techniques and engagement servers to entice an attacker away from valuable company servers.

According to the Ponemon Institute, it takes 46 days, on average, before an attack by hackers can be fully resolved. Deception, on the other hand, detects hackers throughout the phases of the kill chain cycle, preventing them from completing the attacks.

To understand deception and decoy technologies, it’s important to understand the terms that security teams, security solution providers, industry analysts, editors and others use, and sometimes misuse. Key terms include:

Kill chain cycle – a definition of the steps taken within a cyber-attack, which includes: 1) reconnaissance, 2) initial compromise, 3) establishing a foothold, 4) escalating privileges, 5) internal reconnaissance, 6) moving laterally, 7) maintaining presence, and 8) continuing to escalate privileges until the attacker completes their mission.

Honeypot – a server, computer or network that appears to be an integral part of an organisation’s network or network of networks, but is, in reality, bait for hackers. The IT or security team installs honeypot software on these devices and connects them to the network. Hackers will scan the network for weaknesses and attempt to break in. When they break in, they won’t find anything, and will then attempt to run their malware. Because the malware has no impact, the hacker will attempt to install additional malware or simply move on.

Honeynet – a honeynet is simply two or more honeypots on a network. IT and security teams deploy honeynets to protect larger networks or networks containing diverse types of information. Honeypots and honeynets were among the first deception-based technologies used by IT and security teams. These solutions are generally based on emulating an environment and, without regular updates, may be recognised and detected by an attacker over time. The lack of a central management UI adds to the operational cost and complexity of managing these solutions.

Deception engagement servers – deception techniques are similar to a honeynet in their use of engagement servers to lure an attacker into a trap. However, with deception, endpoint lures and distributed engagement servers are used together to actively attract an attacker. In addition to real-time detection, advanced solutions will provide the ability to communicate with a command and control centre, along with the forensics required to update prevention systems and shut down attacks. Advancements in technology have also made deception solutions non-disruptive to deploy and non-resource-intensive to manage. A comprehensive deception platform will be scalable and take a deception-everywhere approach, supporting user networks and data centres across private, public and hybrid cloud environments. Some may refer to a deception engagement server as a honeynet on steroids.

Deception credentials – these are the lures placed on endpoint devices that work dynamically with deception engagement servers to actively draw attackers away from the enterprise’s servers and get them to engage with the deception engagement server instead.

Engagement or deception servers – deception providers use high-interaction engagement servers that will lure, trap, and analyse an attack. Engagement or deception servers run real or emulated OS and services, support virtualisation, and can be customised for layer two to layer seven deceptions. They can be located in a private data centre as well as in private, hybrid and public clouds. In addition, they have a self-healing environment which, after containing and analysing an infection, can safely destroy the infected VM and rebuild itself for the next attack. Mature platforms will also have the ability to engage with C&C servers so that additional data about the attacker’s methods and intent can be understood.

Emulation – this uses best efforts to copy an environment to deceive an attacker into engaging. Since emulation is a thin copy, it can’t exactly match the OS and services the organisation is running. Given their static nature, emulated environments can be easier for an attacker to detect.

Real operating systems – real operating systems and services provide significantly better authenticity over emulation solutions because they use active licenced software that is loaded on the engagement server. These solutions can be customised by turning on or off operating systems and services to match a company’s environment. Solutions that allow the loading of a company ‘golden image’ provide an environment that is virtually indistinguishable from company servers. Maintenance of these operating systems and services is provided by the deception manufacturer under a standard support agreement. There should not be additional costs or resources required to maintain this software.

Friction-less (non-disruptive deployment and management) – deception solutions should integrate seamlessly with existing security infrastructure and should play an active role in an organisation’s continuous defence strategy by enabling real-time threat detection. By design, they should not require signature or database look-ups, network topology or traffic changes, or heavy computation to detect an attack.

Threat intelligence – when a BOT or APT is engaged, the solution should run full forensics to capture the methods and intent of the hacker. It should include a threat intelligence dashboard and a full range of indicators of compromise (IOC) reports to enable prevention systems to shut down current attacks and prevent future ones.

False positives – many monitoring systems will trigger an alert based on what may be BOT or APT activity. These solutions tend to generate a high volume of alerts that often are not an attack and are false positives. Deception solutions will not deliver a false positive, since they only raise an alert based on actual engagement with their platform. Advanced systems will provide the option to set alerts at low, medium or high for additional customisation.
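As an added illustration of the deception-credential and false-positive points above (example code, not from the article or from Attivo Networks), the following Python turns authentication log lines into alerts only when a planted decoy account is used; the log format, decoy account names, host addresses and the severity policy are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed lure inventory: decoy account -> endpoint it was planted on.
# No legitimate user or process ever authenticates with these names, so any
# use of one is engagement with the lure rather than a guess about intent.
DECOY_CREDENTIALS = {
    "svc_backup_ro": "ws-finance-07",
    "adm_legacy": "ws-hr-12",
}
# Assumed address of the deception engagement server the lures point at.
ENGAGEMENT_SERVERS = {"10.10.9.50"}

# Constructed log format: "<ts> auth user=<name> src=<ip> dst=<ip> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

@dataclass
class Alert:
    ts: str
    user: str
    src: str        # host the attempt came from (the compromised endpoint)
    dst: str        # host the decoy credential was tried against
    severity: str   # low / medium / high, matching the article's alert levels
    planted_on: str # endpoint where this lure was originally dropped

def severity_for(dst: str) -> str:
    # Assumed policy: a decoy credential used against the engagement server is
    # the lure working as designed; used against any other host it means the
    # attacker is carrying the credential toward production, so rank it higher.
    return "medium" if dst in ENGAGEMENT_SERVERS else "high"

def detect_decoy_use(lines):
    """Return one Alert per authentication attempt that used a decoy account."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: ignored, never an alert
        user = m["user"]
        if user not in DECOY_CREDENTIALS:
            continue  # real account: deception makes no judgement about it
        # Success or failure does not matter; the attempt itself is engagement.
        alerts.append(Alert(m["ts"], user, m["src"], m["dst"],
                            severity_for(m["dst"]), DECOY_CREDENTIALS[user]))
    return alerts

# Constructed sample log: one legitimate login, two decoy uses, one junk line.
SAMPLE_LOG = [
    "2015-04-02T09:14:03Z auth user=jsmith src=10.1.4.22 dst=10.1.0.5 result=ok",
    "2015-04-02T09:20:11Z auth user=svc_backup_ro src=10.1.4.22 dst=10.10.9.50 result=fail",
    "2015-04-02T09:21:40Z auth user=adm_legacy src=10.1.4.22 dst=10.1.0.5 result=ok",
    "not a log line at all",
]
```

Running `detect_decoy_use(SAMPLE_LOG)` yields two alerts, both pointing at 10.1.4.22 as the endpoint to investigate, with the attempt against the production host ranked high.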

The shift to continuous detection

New deception technologies bring a heightened level of aggressiveness in addressing cyber-attacks. Dynamic deception steps in when prevention systems fail and provides organisations with an efficient way to continuously detect intrusions with high-interaction traps, engagement servers, and luring techniques to engage attackers – all without requiring additional IT staff to manage the solution.

Statistics pointing to the increasing number of threats and the growing sophistication of these threats are in the news every day. Symantec noted in an April 2015 Internet Security Report that attacks on large companies are up 40 percent over last year, and Dave DeWalt, FireEye’s CEO, stated recently on 60 Minutes, “Literally, 97 percent of all companies have been breached.”

According to a recent Ponemon Institute report, the average cost of a breach has risen to $15 million. With that in mind, corporate management has a responsibility to customers, shareholders, employees and partners to do everything they can to protect critical data and IP assets.

Dynamic deception solutions are a new, powerful weapon in the IT and security team’s arsenal for protecting an organisation’s most critical assets. Prevention systems have demonstrated that they have gaps and will continue to be unreliable given the gaps in the network’s perimeters, the sophistication of modern-day cyber-attacks, the adoption of new technologies and human error.

Deception can play a critical role as the next line of defence for detecting intrusions that have made their way inside the network before an attack can be completed and damage is done. Breaches can be a costly and time-consuming challenge to deal with. It’s time to turn the tables and use deception to outsmart the hackers and to protect your company’s assets and brand.
