How deception can provide an edge in fighting cyberattacks [Q&A]
Businesses are starting to recognize that it may be impossible to keep attackers completely out of their networks, so they are starting to look for ways of fighting them more efficiently.
One of the ways of doing this is to use decoys to lure attackers and allow the threat to be dealt with before it affects live systems. We spoke to Carolyn Crandall, chief deception officer at Attivo Networks to find out more about how this deception technology works and what it can do.
BN: How common is the use of deception technology?
CC: Like Fight Club, the first rule of deception is that you don't talk about deception, so it's out there in a lot more places than people realise. We've seen a huge growth in the market in recent years.
BN: How does deception work?
CC: No game of strategy can be won without some form of deception and defensive measures. Many people today are waiting for an incident to happen and then reacting to it. Deception changes the game because it means we can be proactive and get a better understanding of the attack cycle. This lets us reel in an attack before it has the opportunity to really begin, and in a way that isn't reliant on signatures, pattern matching and so on. There's also no risk of false positives. If anybody touches the deception environment there's no employee value to it, so you know it's malicious.
The other problem with deterring adversaries is that it's one thing to spot them, but if you don't know anything about them it can be hard to ensure that any malware is properly removed from the network and that they can't come back in. Deception provides adversary intelligence: we can determine where the attack starts and do a full attack analysis in sandbox environments, so we can study the attacker and understand their tools, techniques and methods. We can also deliver decisive actions through integration with other systems to prevent an attack on live networks. Even if the attacker does compromise an Active Directory, we can reset the attack surface to prevent re-entry.
BN: Is this something just for large enterprises or does it work for smaller companies too?
CC: About 35 percent of our business is with high-end enterprises; the rest is mid-market companies. Many businesses are now realizing that traditional approaches involving firewalls and anti-virus systems are not enough. The attackers are getting through: you can buy a cheap attack kit on the dark web and find a way to get into a small company, exploiting a mistake in configuration, for example.
Deception is an easy and efficient way for even smaller organizations to operate. It is designed so that everything is easy and intuitive, and it can help with reporting and compliance tracking. It can also be delivered as a managed deception and prevention service, reducing the need for in-house expertise and without needing a physical appliance on site at remote locations.
BN: Is artificial intelligence part of the process?
CC: Some deception players talk about using AI to detect the attacker. We at Attivo don't think that's the most efficient way to handle deception, because by that point it's too late. We want to use the trap to attract and lure the attacker. There's no machine learning applied in the decoy or the lure; however, it is used in the way you prepare the deception, to learn the environment. We use the same operating systems and environments that are used in production on the decoy system for complete authenticity. Machine learning can understand the environment and recommend what deception is needed, cutting the time spent analyzing the system and building the decoy. In the early days of honeypot deception it was too hard to manage, too hard to build and not easily scalable.
BN: How effective is deception against insider threats?
CC: Between insiders, contractors and suppliers, it's being used regularly. Even an insider doesn't necessarily know where things are inside the network, so they are going to have to go and look. If an employee is doing reconnaissance on a part of the network they are not authorized to be in, you are going to get an alert. If they use stolen credentials and try to get into a server, you are also going to get an alert. If they are trying to harvest credentials to access the target, they will be caught there too. The tracking and logging means that any attempts are substantiated, and this can be passed on to HR and legal teams to allow them to take action. Showing that you have a detection mechanism in place can also help with things like obtaining cyber insurance.
BN: How complementary is deception to other security technology?
CC: We currently have over 30 native integrations. Everybody wants to layer more prevention mechanisms. Our belief is that, fundamentally, attackers can and will get into the network. Almost every network on the planet has some form of detection so it becomes a matter of being able to detect early.
If an attacker has bypassed firewalls or other preventative tools, we can detect that activity and pass the attack analysis back to those systems, or to security dashboards, or create a service ticket, and we can do that in an automated way. One of the byproducts is that the machine learning can pick up things like old credentials or misconfigurations and flag them up for action.
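The detection property the interview keeps coming back to (planted credentials and decoy hosts have no legitimate use, so any touch is an alert with no signature matching involved, and the earliest hit tells you where the attack started) can be shown with a small honeytoken monitor. This is an added example, not Attivo's code or product logic; the decoy account names, decoy hosts, the sshd and firewall log formats, and the log lines themselves are constructed for illustration.

```python
"""Honeytoken / decoy-host detection over auth and firewall logs (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical decoy inventory. Nothing legitimate ever uses these, so any
# touch is an alert by construction: no signature, no baseline, no false positive.
DECOY_ACCOUNTS = {"svc_backup_legacy", "sqladmin_ro"}
DECOY_HOSTS = {"fs-legacy01": "10.10.5.23", "db-legacy02": "10.10.5.24"}
DECOY_IPS = set(DECOY_HOSTS.values())

# Constructed log formats: OpenSSH-style auth lines and a simple firewall connect line.
SSH_AUTH = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
FW_CONNECT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: CONNECT src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<port>\d+)"
)

# Constructed sample log: alice and bob are real users, 10.0.1.77 is the intruder.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z app01 sshd[4101]: Accepted publickey for alice from 10.0.1.40 port 50212 ssh2
2024-03-04T09:12:44Z fw01 fw: CONNECT src=10.0.1.40 dst=10.0.1.10 dport=443
2024-03-04T09:13:02Z fw01 fw: CONNECT src=10.0.1.77 dst=10.10.5.23 dport=445
2024-03-04T09:13:09Z fs-legacy01 sshd[233]: Failed password for svc_backup_legacy from 10.0.1.77 port 40122 ssh2
2024-03-04T09:14:30Z app01 sshd[4109]: Accepted password for svc_backup_legacy from 10.0.1.77 port 40131 ssh2
2024-03-04T09:15:00Z fs-legacy01 sshd[240]: Failed password for invalid user admin from 10.0.1.77 port 40140 ssh2
2024-03-04T09:16:00Z app01 sshd[4120]: Failed password for bob from 10.0.1.41 port 50300 ssh2
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str
    src: str
    detail: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line touches the deception layer, else None."""
    m = SSH_AUTH.match(line)
    if m:
        ts, host, result, user, src = (m.group(k) for k in ("ts", "host", "result", "user", "src"))
        if user in DECOY_ACCOUNTS:
            # A planted credential used anywhere, success or failure: it was stolen or harvested.
            return Alert(ts, "decoy-credential-use", src, f"{result} login as {user} on {host}")
        if host in DECOY_HOSTS:
            # Any auth attempt against a decoy host, even with a real-looking account name.
            return Alert(ts, "decoy-host-auth", src, f"{result} login as {user} on decoy {host}")
        return None  # ordinary success or failure on a production host: not our concern here
    m = FW_CONNECT.match(line)
    if m and m.group("dst") in DECOY_IPS:
        # Network reconnaissance reaching a decoy address.
        return Alert(m.group("ts"), "decoy-host-recon", m.group("src"),
                     f"connect to {m.group('dst')}:{m.group('port')}")
    return None


def scan(log_text: str) -> List[Alert]:
    """Classify every line; keep only deception hits, in log order."""
    return [a for a in map(classify, log_text.splitlines()) if a is not None]


def first_seen_by_source(alerts: List[Alert]) -> Dict[str, str]:
    """Earliest deception hit per source address: where the attack started."""
    first: Dict[str, str] = {}
    for a in alerts:  # log order; the ISO-8601 timestamps also sort lexically
        first.setdefault(a.src, a.ts)
    return first


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(f"{a.ts} {a.kind:22} src={a.src} {a.detail}")
    print("attack origin:", first_seen_by_source(hits))
```

Note that bob's failed password on a production host produces nothing: the monitor never has to decide whether a real user's failure is suspicious, because it only ever looks at the decoy surface. The decoy credential hit on app01 is the interesting one; it shows a planted credential being replayed against a live system, which is the signal you would forward to the firewall, EDR or ticketing integrations the interview mentions.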