12/8/2017 10:05 AM
Simon Marshall
Startup Attivo Advocates for 'Deceptive' Security Protection

When it comes to security, how deceptive should enterprises be to thwart cybercriminals? Attivo Networks and a number of other security startups are advocating a different approach.

Is it next-generation threat detection? Is it counter-hacking? One thing we know is that it's designed to lure hackers to a replica enterprise environment so that threats can be eliminated. It's deception.

Startups in this niche include TrapX Security, GuardiCore and Attivo Networks, which recently closed a Series C round for $21 million. (See Attivo Goes On the Attack Against Hackers.)

"Why does this company exist? It really boils down to that a perimeter-based defense is just not reliable anymore," Carolyn Crandall, chief deception officer and CMO at Attivo Networks, told Security Now. "People can and will get into the network, and over the last couple of years, people are accepting that."

Crandall is adding her voice to a growing number of experts who agree that the better strategy is to accept that penetration is inevitable, and therefore to focus on protecting the data inside the network rather than on erecting a fence around it.

One danger, according to Crandall, is that hackers booted off the network can easily get straight back in. Countering that requires a response at scale, and detection and response has become part of the security control stack. But detection is hampered because it is hard to get one's arms around the problem and, with limited information, decide which threats are the most virulent.

Threat detection is flawed
In this view, standard threat detection technologies are flawed because they basically only generate alerts. They seldom say what type of threat is involved, what techniques it uses, or what tools it relies on, which makes it hard to respond by, say, automating quarantine or blocking, or by threat hunting to eradicate the attack.

Attivo lays traps in the network: decoys that mirror the existing environment closely enough that hackers believe they have successfully accessed production, which encourages them to disturb the decoys. Crandall has seen a shift in the market from three years ago, when companies believed all they really needed was prevention.

"Now people are shifting their budgets, they're adopting detection," she said.

"Decoys can be set up to look like endpoints, servers, POS networks, industrial control fuel sensors, or maybe direct infusion pumps at a hospital," Crandall added. "We can take anything that runs an operating system and we can make the decoy look identical to production assets, by running on their software."

So, if the decoys are identical, how are the odds improved that a hacker will be snared?

Making decoys more pervasive than real network assets improves the chances that a hacker will engage one. The decoy environment is not an emulation; it runs the same software as the real network, sweetened, for example, with bogus assets such as honey docs.
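The two ideas above, decoy density raising the odds of engagement and a decoy hit producing an alert that carries context (who, which decoy, what they did) rather than a bare ping, can be made concrete. The following is an added illustration written for this page; it is not Attivo's code or anything from the article. The hostnames, honey-document paths, log format and technique labels are all constructed for the example.

```python
from dataclasses import dataclass
from math import comb
import re

# Constructed inventory for this example (hostnames are made up; none are
# real Attivo or customer assets).
REAL_ASSETS = {"fileserver01", "db-prod-02", "hr-app-01", "erp-01"}
DECOY_ASSETS = {"fileserver02", "db-prod-03", "backup-sql-01",
                "hr-app-02", "erp-02", "pos-term-07"}
# Honey documents planted on REAL hosts: no legitimate workflow opens them,
# so any open is a high-confidence signal on its own.
HONEY_DOCS = {r"\\fileserver01\finance\passwords.xlsx",
              r"\\fileserver01\hr\payroll_2017.docx"}


def p_decoy_hit(n_real: int, n_decoy: int, probes: int) -> float:
    """Probability that an intruder who touches `probes` distinct hosts,
    chosen uniformly at random, lands on at least one decoy.
    Shows why a higher decoy-to-real ratio raises the odds of engagement."""
    if n_decoy == 0:
        return 0.0
    total = n_real + n_decoy
    probes = min(probes, total)
    if probes > n_real:          # more probes than real hosts: a decoy is unavoidable
        return 1.0
    return 1.0 - comb(n_real, probes) / comb(total, probes)


@dataclass(frozen=True)
class Alert:
    source: str      # who touched the decoy
    decoy: str       # which decoy host or honey document
    technique: str   # what they did, so responders get context, not just a ping


# Constructed log format: "<event> src=<ip> dst=<host> [detail=<text>]".
LOG_RE = re.compile(r"^(?P<kind>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
                    r"(?: detail=(?P<detail>.*))?$")

# Human-readable technique labels for each event kind (assumed mapping).
TECHNIQUE_BY_KIND = {
    "smb_connect": "lateral movement over SMB",
    "rdp_connect": "lateral movement over RDP",
    "ssh_login":   "credential use over SSH",
    "file_open":   "data access: honey document opened",
}


def detect(lines):
    """Return one Alert per decoy interaction found in the log lines.
    Malformed lines are skipped rather than raising."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        kind, src, dst, detail = m.group("kind", "src", "dst", "detail")
        if dst in DECOY_ASSETS:
            alerts.append(Alert(src, dst, TECHNIQUE_BY_KIND.get(kind, kind)))
        elif kind == "file_open" and detail in HONEY_DOCS:
            alerts.append(Alert(src, detail, TECHNIQUE_BY_KIND["file_open"]))
    return alerts


def suspicious_sources(alerts):
    """Distinct source addresses that interacted with any decoy."""
    return {a.source for a in alerts}


# Constructed sample log: one host (10.0.5.23) explores the network and
# trips two traps; a second host only touches real assets.
SAMPLE_LOG = [
    "smb_connect src=10.0.5.23 dst=fileserver01",
    "smb_connect src=10.0.5.23 dst=fileserver02",
    r"file_open src=10.0.5.23 dst=fileserver01 detail=\\fileserver01\finance\passwords.xlsx",
    "ssh_login src=10.0.5.23 dst=db-prod-02",
    "rdp_connect src=10.0.7.9 dst=hr-app-01",
    "this line is not parseable",
]

if __name__ == "__main__":
    n_real, n_decoy = len(REAL_ASSETS), len(DECOY_ASSETS)
    for k in (1, 3, 5):
        print(f"{k} random probe(s): P(hit a decoy) = {p_decoy_hit(n_real, n_decoy, k):.3f}")
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a.source} -> {a.decoy} ({a.technique})")
```

With four real hosts and six decoys, a single random probe has a 60% chance of landing on a decoy, three probes push that above 96%, and five make it certain. The detection side only fires on assets nobody legitimate should touch, which is why decoy alerts are low-noise, and each alert names the source, the decoy and the technique observed, the context the article says plain alerts lack.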

Enterprise misconceptions about deception
Enterprises can't be blamed for making assumptions about deception technology, because it's so new.

The first assumption is that a company that is less advanced in its security infrastructure should adopt deception last. Typically, these are healthcare organizations that have to economize because of small budgets.

Secondly, there's a feeling that integrating deception technology is far from straightforward. Aflac, an Attivo customer motivated to try deception because it did not want to make headlines over security slips that reveal PI, apparently integrated deception into its security controls easily, gaining a single view.

"If you had asked me two years ago if anybody would have had deception in their budget, it wouldn't have been [there], and not in their initiative list," Crandall said.

In 2018, the big difference will be that budgets will be earmarked and put into action, with extra incentive that for some firms, it helps with compliance, M&A strategy, is part of an insider threat strategy and/or is part of a supplier management strategy.

Come get me
Is deception encouraging attackers?

The current Active Cyber Defense Certainty Act (ACDC), a hacker bill proposed by Rep. Tom Graves of Georgia, who sits on the House Defense Committee, fundamentally poses the question: is "an eye for an eye" OK when it comes to enterprises and consumers striking back?

It's unclear if there's the stomach or the expertise for users to "hack back" at attackers and try to retrieve lost data. There are stumbling blocks. Often, enterprises don't have white-hat hackers on staff and would need to look elsewhere for help. Also, attribution is hard, so the chances of attacking the wrong person are extremely high.

"Will they come back at you with greater vengeance?" Crandall asked. The answer is maybe, but she recommends that companies keep their powder dry and use the counter intelligence they gather to fortify their own systems. If there's information for law enforcement, hand it over but don't act on it.

Deception is forecast to grow into a substantial market.

"By 2018, 10 percent of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers," Gartner analyst Lawrence Pingree wrote in a recent report.

On a Fox5 TV appearance this summer, Crandall predicted that, "If we end up going at the pace we are, we're going to have 1,500 breaches this year (in the US), compared to the 1,100 we had last year. Last year there were 4 billion records stolen."

In Security Now's latest poll, the largest percentage of readers (about 45%) said they would go "on the attack" against hackers.

— Simon Marshall, Technology Journalist, special to Security Now
