By Gary S. Miliefsky
As I said in my recent presentation on Time-based Security, a model first described by Winn Schwartau in his book of the same title, either we find a way to make breaches go slower or we detect and respond to them much faster. On one side of the coin, we have honeypots and encryption; on the other, we have real-time threat intelligence through A.I., machine learning and human intelligence.
I've looked into honeypots for many years. I love http://www.honeynet.org because it is the first open source concept in deception technology that made it mainstream. However, many of us want to buy a commercial solution: it's fun to deploy iptables, but none of us really wants to build our own firewall from scratch.
Then I heard about Attivo. As one of the four CDM judges on our 2017 Infosec Awards, where they were one of our winners with an overwhelmingly positive vote from the judges, I wanted to dig a little further into what they are up to and look at them within the purview of the Time-based Security model: could a solution like the Attivo ThreatDefend™ Deception and Response Platform actually deliver a way to slow down the breaches, because, frankly, we're not yet going fast enough to stop them?
With over 1500 breaches reported throughout the USA in 2017 alone, one has to wonder how attackers are able to bypass and remain undetected by security solutions that are available from over 3000 security technology providers. One could point to sophisticated automated and human attacks that are leveraging an evolving attack surface to penetrate perimeter defenses. However, most security professionals have come to accept that attackers can and will get into the network based on targeted attacks, human error, insiders, contractors or suppliers.
If you are willing to accept this, then the center of focus shifts to detection, or the concept of time-based security. Time-based security is built on what we will call exposure time (Et), which is the sum of detection time (Dt) and response time (Rt). Typically, security teams have been unable to react fast enough to stop the attack.
The exposure time is too great, meaning attackers are afforded the dwell time they need to complete their attack. Early identification and response times need to improve to a tipping point above the exposure time (Et). When executed effectively, the attack is halted before data exfiltration or other damage can occur.
Deception technology plays a critical role in changing the asymmetry of the attack and is designed to provide the threat intelligence, counterintelligence, and adversary intelligence required to decrease exposure time. The Mandiant M-Trends 2017 report states that time to detection averages 99 days. Typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months. Attivo Networks has developed an innovative deception-based solution to tackle the issue of exposure time head on. The Attivo ThreatDefend™ Deception and Response Platform provides a globally scalable security control for early threat detection and accelerated incident response against attackers.
Detection Time (Dt)
Dynamic traps and lures essentially turn the network attack surface into a "hall of mirrors", altering an attacker's reality and increasing their costs as they are forced to decipher what is real versus fake. The solution operates differently than an IDS or other database-lookup or pattern-matching solutions. It isn't reliant on known signatures, nor does it require time to learn or "get good" before it adds value. Endpoint deceptions also serve to close the gap on credential-based detection and ransomware attacks by planting deception drives that misdirect the attacker to a deception server and keep them distracted while security teams are afforded the time to respond.
Key to early detection is the authenticity and attractiveness of the deception to the attacker. The Attivo deception decoys are built for the highest authenticity with real operating systems, a wide variety of application and data deceptions, along with the ability to run the same “golden image” software as production assets. The Attivo solution is designed for the evolving attack landscape, as you never know which point of entry an attacker will take.
The ThreatDefend™ platform has been proven at scale in global installations that include deployments in user networks, data centers, cloud, remote offices, and in specialized environments such as POS, ICS-SCADA, IoT, SWIFT, telecommunications, and network infrastructure devices. Deception is notably designed to work throughout the phases of the Kill Chain and to detect regardless of attack vector. In-network traps and endpoint lures work to attract and detect the attacker during reconnaissance and lateral movement: when harvesting credentials for reuse, when conducting man-in-the-middle attacks, or when attempting to compromise an Active Directory server. The combination of network and endpoint deceptions detects attacks early and efficiently throughout the entire network.
Deception files that contain fake sensitive data already provide value by misleading attackers. New technologies like HoneyDocs (real or decoy files) with beaconing technology that provides call back when accessed by attackers are also being adopted for adversary- and counter-intelligence. Knowing what types of files are being targeted, by whom, and having insight into where the data ends up can be crucial in knowing where to focus additional security.
Maintaining attractiveness is critical to luring and detecting attackers. In addition to authenticity, deception must constantly refresh and reset the attack surface, so attackers cannot fingerprint and avoid deception. The Attivo deception campaigns use machine-learning to collect data on user information and network behavior. This information is then used to build new deception campaigns that can be easily and quickly deployed. Going one step further, Adaptive Deception campaigns automate the process and empower organizations to reset the attack surface on-demand as part of security hygiene or during an attack. The use of deception campaigns is highly effective to further delay and deter attackers as they become confused and are forced to start over or else reveal themselves.
Gartner has openly recognized the efficiency of deception for APT detection, recommended it as a 2018 initiative, and acknowledged Attivo Networks for having the most comprehensive deception platform.
Response Time (Rt)
A recent SANS survey indicates that only around 50% of companies can respond to a discovered compromise in 24 hours or less, while remediation can take months. High-interaction deception technology plays a key role not only in detecting threats quickly but also in identifying potentially exposed attack paths. It can also accelerate incident response by analyzing attacker tactics, techniques, and procedures (TTPs), identifying indicators of compromise (IOCs), and automating incident response through third-party integrations.
The Attivo ThreatDefend platforms provide in-depth threat intelligence, which saves time by automating the gathering of TTP, attack analysis, and correlation of IOCs that can then be used to accelerate incident response. Threat intelligence and forensic evidence capture and catalog attack activity to support understanding the attacker’s objectives, which can be used to strengthen overall security defenses. Integrations with firewalls, security and event management systems, network access control products, and endpoint detection solutions empower the sharing of attack information to automate blocking and isolation of infected endpoints, as well as threat hunting. The ThreatOps™ solution can create repeatable playbooks, simplifying incident response and negating the need for additional resources to mitigate an attack.
Protection Time (Pt) and Exposure Time (Et)
As you now know, either we must go faster in our Detection Time and Response Time or we must make breaches go slower. So think about this: the protection you have on your network to keep prying eyes and cybercriminals from stealing the data is your best chance of not being robbed, just like a strong vault at the bank. However, a strong vault is not enough. If someone steals the keys to the vault (keyloggers, malicious insiders, spear phishing that drops remote access trojans, or RATs), where does that leave you? Extremely vulnerable from the inside out. So we need to increase our Protection time (how long it takes an attacker to reach us), and it must be greater than our Detection time plus Response time, or we lose and the cybercriminals win.
Pt must always be greater than Dt plus Rt, or:
Pt > Dt + Rt
and if we can't find ways to speed up our detection and response to be faster than the cybercriminals, we're completely exposed. That's why I'm so excited about honeypots and the commercialization of deception technology by Attivo. Expect this to be an explosive market in the coming years, and I'm telling you about the first vendor on the block to get it right.
Exposure Time (Et) = Detection Time (Dt) + Response Time (Rt)
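As an added example (not Attivo's code nor the author's), here is how the two halves of the model fit together in code: a decoy-credential detector of the kind described under Detection Time, whose first alert fixes Dt, feeding the Et = Dt + Rt and Pt > Dt + Rt checks above. The decoy account names, the log format and the Protection time value are assumptions constructed for this example.

```python
from datetime import datetime
# Hypothetical lure accounts planted on endpoints (constructed for this example).
# No legitimate workflow ever uses them, so any auth event naming one is an alert.
DECOY_ACCOUNTS = {"svc_backup_old", "fileshare_admin"}

# Constructed auth log lines: "<ISO time> <event> user=<name> src=<host>".
SAMPLE_LOG = """\
2017-12-01T09:00:00 LOGON_FAILED user=jsmith src=ws-114
2017-12-01T09:02:10 LOGON_OK user=jsmith src=ws-114
2017-12-01T09:45:33 LOGON_FAILED user=svc_backup_old src=ws-114
2017-12-01T09:45:35 LOGON_OK user=fileshare_admin src=ws-114
"""

def parse_line(line):
    """Split one constructed log line into (iso_time, event, user, src)."""
    ts, event, user_kv, src_kv = line.split()
    return ts, event, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]

def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Alert on every auth event naming a decoy account: no signature,
    no baseline, the account itself is the tell."""
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        if user in decoys:
            alerts.append({"time": ts, "event": event, "user": user, "src": src})
    return alerts

def seconds_between(start_iso, end_iso):
    """Whole seconds from start_iso to end_iso."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return int(delta.total_seconds())

def exposure(compromise_iso, detected_iso, contained_iso):
    """Dt, Rt and Et = Dt + Rt in seconds, using the page's definitions."""
    dt = seconds_between(compromise_iso, detected_iso)
    rt = seconds_between(detected_iso, contained_iso)
    return {"Dt": dt, "Rt": rt, "Et": dt + rt}

def incident_report(log_text, compromise_iso, contained_iso, pt_seconds):
    """Dt runs from compromise to the first decoy alert; the incident is
    contained in time only if Pt (assumed attacker time-to-asset) > Et."""
    alerts = detect_decoy_use(log_text)
    if not alerts:
        return {"alerts": 0, "protected": False}
    report = exposure(compromise_iso, alerts[0]["time"], contained_iso)
    report["alerts"] = len(alerts)
    report["protected"] = pt_seconds > report["Et"]
    return report
```

With the constructed log, a compromise at 09:02:10 and containment at 10:15:00 give Dt = 2603 s, Rt = 1767 s and Et = 4370 s, so a Protection time of two hours passes the check while one hour does not.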
Deploying the Attivo deception platform will play a critical role as both a detection and incident response security control, ultimately tipping the scale on the exposure time and putting the balance of power back into the security team’s hands.
Many organizations have deployed it and are realizing the benefits of the platform, such as early detection of advanced threat actors, delaying and disrupting their activities, and accelerating incident response to mitigate their activities. Attacks will continue to happen at ever-increasing rates, and organizations seeking to avoid being the next breach headline would do well to implement deception technologies.
In summary, this is a solution to check out. We've made this the opening article in the December edition of our eMagazine because we want it to be top of mind for 2018: it is so promising as a way to slow down the breaches. While our next article is about speeding up Dt, detection rates, using A.I., you'll need to do both if you wish to manage your InfoSec risk dilemma by thinking about Time-based Security as a forward-thinking model. Increasing your Pt (Protection time) or reducing Et (your Exposure time) is something you simply must look into if you consider yourself a forward-thinking, proactive, offensive infosec professional who is tired of the breaches and tired of being victimized. Get deception technology into your 2018 budget cycle and you'll be pleased with the results.
About the Author
Gary S. Miliefsky is the Publisher of Cyber Defense Magazine, a globally recognized cybersecurity expert, an inventor with issued e-commerce and cyber security patents, and founder of numerous cybersecurity companies. He is a frequently invited guest on national and international media commenting on mobile privacy, cybersecurity, cybercrime, and cyber terrorism, and has been covered in both Forbes and Fortune Magazines. He has been extremely active in the infosec arena and is an active member of Phi Beta Cyber Society (http://cybersecurityventures.com/phi-beta-cyber/), an organization dedicated to helping high school students become cybersecurity professionals and ethical hackers. He is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE, responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in its development of The National Strategy to Secure Cyberspace, as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Gary is a member of ISC2.org and is a CISSP®. Reach him at http://www.cyberdefensemagazinebackup.com/about-our-founder/