Dark Reading is part of the Informa Tech Division of Informa PLC


12/8/2017
10:05 AM
Simon Marshall

Startup Attivo Advocates for 'Deceptive' Security Protection

When it comes to security, how deceptive should enterprises be to thwart cybercriminals? Attivo Networks and a number of other security startups are advocating a different approach.

Is it next-generation threat detection? Is it counter-hacking? What we do know is that it is designed to lure attackers into a replica of the enterprise environment so that threats can be detected and eliminated. It's deception.

Startups in this niche include TrapX Security, GuardiCore and Attivo Networks, which recently closed a Series C round for $21 million. (See Attivo Goes On the Attack Against Hackers.)

"Why does this company exist? It really boils down to that a perimeter-based defense is just not reliable anymore," Carolyn Crandall, chief deception officer and CMO at Attivo Networks, told Security Now. "People can and will get into the network, and over the last couple of years, people are accepting that."

Crandall is adding her voice to a growing number of experts who agree that the better strategy is to accept that penetration is inevitable, and therefore to focus on protecting the data inside the network rather than on erecting a fence around it.

One danger, according to Crandall, is that attackers booted off the network can easily get straight back in. Countering this requires a response at scale, and detection and response has become part of the security control stack. But detection is hard: with limited information, it is tough to get your arms around the problem and decide which threats are the most virulent.

Threat detection is flawed
In Crandall's telling, standard threat detection technologies fall short because they mostly just generate alerts. They rarely say what type of threat it is, which techniques were used, or which tools, so it is hard to respond by, say, automatically quarantining the affected host or launching a threat hunt to eradicate the attack.

Attivo lays traps across the network: decoys that mirror the existing environment so that an attacker who touches one believes they have reached a real asset. Crandall has seen a shift in the market from three years ago, when companies believed all they really needed was prevention.

"Now people are shifting their budgets, they're adopting detection," she said.

"Decoys can be set up to look like endpoints, servers, POS networks, industrial control fuel sensors, or maybe direct infusion pumps at a hospital," Crandall added. "We can take anything that runs an operating system and we can make the decoy look identical to production assets, by running on their software."

So, if the decoys are identical to production assets, what improves the odds that an attacker will be snared?

Deploying more decoys than real network assets raises the chance that an attacker scanning or moving laterally will engage one. And because no legitimate user or process has a reason to touch a decoy, any interaction with one is a high-fidelity alert rather than noise. The decoy environment is not an emulation; it runs the same software as the real network, sweetened with bogus assets such as honey documents.
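The decoy described above, as an added example written for this article and not Attivo's code: a minimal TCP decoy that serves nothing real, so any connection is an alert, and that records what the visitor sent so the alert carries the technique and tool context the previous section says bare alerts lack. The SSH banner, the classification heuristics and the three constructed visitors in demo() are assumptions of this example; a real decoy would run the same software as production, as Crandall describes.

```python
import re
import socket
import threading
import time

# Assumption: the decoy poses as an SSH host. A production decoy would run the
# real daemon; a fixed banner is used here so the example runs anywhere.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def classify_probe(payload: bytes) -> dict:
    """Derive technique/tool hints from what the client sent after our banner.
    Heuristics only (an assumption of this example), covering common cases."""
    text = payload.decode("latin-1")
    if not payload:
        # Connected, maybe read our banner, then left: port scan or banner grab.
        return {"technique": "connect-only", "tool": "unknown"}
    m = re.match(r"SSH-\d\.\d-([^\r\n]+)", text)
    if m:  # the client identification string names the SSH implementation
        return {"technique": "ssh-client-handshake", "tool": m.group(1)}
    if re.match(r"(GET|POST|HEAD|OPTIONS) \S+ HTTP/", text):
        ua = re.search(r"^User-Agent:\s*([^\r\n]+)", text, re.I | re.M)
        return {"technique": "http-on-non-http-port",
                "tool": ua.group(1) if ua else "unknown"}
    return {"technique": "unrecognised-payload", "tool": "unknown"}


class DecoyService:
    """TCP listener that serves nothing real; it only observes and records.
    No legitimate client has business with it, so every connection is an alert."""

    def __init__(self, host="127.0.0.1", port=0, read_timeout=1.0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))
        self._sock.listen(16)
        self._sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._read_timeout = read_timeout
        self.alerts, self._lock = [], threading.Lock()
        self._stopping = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stopping.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stopping.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        payload = b""
        try:
            conn.settimeout(self._read_timeout)
            conn.sendall(BANNER)
            payload = conn.recv(1024)       # what did they send us, if anything?
        except OSError:                     # timeout, reset or early close: still an alert
            pass
        finally:
            conn.close()
        alert = dict(source_ip=addr[0], source_port=addr[1], ts=time.time(),
                     first_bytes=repr(payload[:64]), **classify_probe(payload))
        with self._lock:
            self.alerts.append(alert)

    def wait_for_alerts(self, count, timeout=5.0):
        """Return a copy of the alerts once at least `count` exist (or on timeout)."""
        deadline = time.monotonic() + timeout
        while True:
            with self._lock:
                if len(self.alerts) >= count or time.monotonic() >= deadline:
                    return list(self.alerts)
            time.sleep(0.05)


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed 'attacker' for the demo: connect, read the banner, send, leave."""
    with socket.create_connection((host, port), timeout=2) as c:
        try:
            c.recv(256)
        except socket.timeout:
            pass
        if payload:
            c.sendall(payload)


def demo():
    """Three constructed visitors: silent scanner, scripted SSH client, HTTP probe."""
    svc = DecoyService()
    try:
        probe(svc.port)
        probe(svc.port, b"SSH-2.0-paramiko_2.4.2\r\n")
        probe(svc.port, b"GET / HTTP/1.1\r\nHost: x\r\nUser-Agent: Nmap Scripting Engine\r\n\r\n")
        return svc.wait_for_alerts(3)
    finally:
        svc.stop()


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running demo() yields three alerts, each naming the source, what was sent, and a guessed tool: the silent scanner is recorded as connect-only, the scripted client identifies itself as paramiko, and the HTTP probe is attributed to its User-Agent. A generic alert from a sensor would carry only the first of these facts.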

Enterprise misconceptions about deception
Enterprises can't be blamed for making assumptions about deception technology, because it's so new.

The first assumption is that a company with a less mature security infrastructure should adopt deception last, if at all. Typically, these are healthcare organizations that have to economize because of small budgets.

Secondly, there's a feeling that integrating deception technology is far from straightforward. Aflac, an Attivo customer, was motivated to try deception because it did not want to make headlines over a security slip that exposed personal information; it reportedly integrated deception into its existing security controls without difficulty, giving it a single view.

"If you had asked me two years ago if anybody would have had deception in their budget, it wouldn't have been [there], and not in their initiative list," Crandall said.

In 2018, the big difference will be that budgets are earmarked and put into action, with the extra incentive that, for some firms, deception helps with compliance or M&A strategy, or forms part of an insider threat or supplier management strategy.

Come get me
Is deception encouraging attackers?

The Active Cyber Defense Certainty Act (ACDC), the "hack back" bill currently proposed by Rep. Tom Graves of Georgia, who sits on the House Defense Committee, fundamentally poses the question: is "an eye for an eye" OK when it comes to enterprises and consumers striking back?

It's unclear whether users have the stomach or the expertise to "hack back" at attackers and try to retrieve stolen data. There are stumbling blocks. Enterprises often don't have white-hat hackers on staff and would need to look elsewhere for help. Attribution is also hard, so the chance of attacking the wrong party is extremely high.

"Will they come back at you with greater vengeance?" Crandall asked. The answer is maybe, but she recommends that companies keep their powder dry and use the counterintelligence they gather to fortify their own systems. If there is information for law enforcement, hand it over, but don't act on it.

Deception is forecast to grow into a substantial market.

"By 2018, 10 percent of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers," Gartner analyst Lawrence Pingree wrote in a recent report.

On a Fox5 TV appearance this summer, Crandall predicted that, "If we end up going at the pace we are, we're going to have 1,500 breaches this year (in the US), compared to the 1,100 we had last year. Last year there were 4 billion records stolen."

In Security Now's latest poll, the largest percentage of readers (about 45%) said they would go "on the attack" against hackers.

— Simon Marshall, Technology Journalist, special to Security Now
