This column is available in a weekly newsletter called IT Best Practices.
The number of U.S. data breaches tracked in 2014 hit a record high of 783, according to the Identity Theft Resource Center (ITRC), a whopping 28% increase over the number reported in 2013, and an 18% jump over the previous high of 662 in 2010. And the news gets worse. The ITRC reports that data breaches in 2015 are on pace to break records both in the number of breaches and the number of records exposed.
A review of the ITRC 2015 Breach List (pdf) indicates that many of the breach types are listed as "electronic." In other words, it wasn't simply a case of an employee losing a laptop, but an intentional intrusion of a network or system.
It's probably safe to say that many if not most of the organizations that suffered a breach have some sort of network security in place designed to prevent or detect breaches. Maybe an IDS or IPS, or a SIEM, or a layered combination of technical safeguards. Whatever technology was in place, it wasn't effective enough to prevent the breach.
With the massive changes in IT infrastructure, the disappearance of the network perimeter, and the failure of existing technologies to prevent malware, there's a dire need for solutions that can quickly detect attacks before real damage is done. The founders and engineers of Attivo Networks looked at this problem and developed a last line of defense they call "dynamic deception." It's designed to attract, engage and trap any malicious actor – human, bot or APT – that gets inside your network with the intention of doing harm.
Once installed on your network and endpoint devices, Attivo creates a deception that makes an attacker think that the Attivo environment is the real target. Inside the Attivo product are multiple real operating systems, servers and services—the kind of things that hackers, bots and APTs are designed to look for. Attivo's solution inserts itself in multiple places across the network and uses advanced dynamic luring to purposely attract the attack. Once it is attacked, Attivo knows which devices are impacted and where the attack is coming from. Attivo lets the attack play out within its system – where it is totally isolated from your real network – in order to provide the threat intelligence you need to neutralize the attack and the full forensics to capture method and intent.
According to Attivo, its solution is easy to set up. The company typically plugs into a VLAN trunk port and acquires unused IP addresses in every subnet it is trying to monitor. Those IP addresses are sent to Attivo's engagement servers and assigned to the vendor's operating systems and servers. Attivo also inserts breadcrumbs in every endpoint device, so if someone attempts to steal credentials from an endpoint, Attivo provides false credentials that will lead the attacker right to the trap.
The deception is designed to mimic your real network environment. Attivo's systems include three versions of Linux, three versions of Windows, and a variety of common services. These are real OSes and services, so an attacker wouldn't see them as fake. Attivo's servers take on the naming conventions and nomenclature of your real servers to extend the deception. If you like, you can add your own golden image to Attivo's systems to make them indistinguishable from yours.
The solution is preconfigured for a certain level of deception but you can increase what the system does by selecting additional features through a console. For example, there are more advanced techniques aimed at trapping human attackers which are typically deployed by companies like banks and government agencies with high value targets.
Attivo monitors its systems and the moment that anybody touches the deception environment, Attivo knows this person or thing has bad intentions. Alerts go off, typically to a SIEM or your in-house SOC, to let you know there is an active attack underway. Attivo doesn't stop the attack; that's up to you. However, Attivo records all the actions and details for your forensic analysis and potentially for evidence if you want to pursue legal action against the perpetrator. Some organizations want to actively engage the attacker—to let him steal fake data or information in order to bolster a legal case and possibly prosecution.
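The detection principle behind the setup and alerting described above is simple: no legitimate system has a reason to contact an address that was unused before it was handed to a decoy, or to present a credential that only exists as a planted breadcrumb. The following Python monitor is an added illustration of that logic, not Attivo's code; the decoy addresses, breadcrumb user names and syslog-style flow and authentication lines are constructed for the example.

```python
import re

# Constructed sample inventory (hypothetical values, not vendor configuration):
# unused addresses claimed from each monitored subnet and given to decoys,
# plus the fake account names planted on endpoints as breadcrumbs.
DECOY_IPS = {"10.10.1.250", "10.10.1.251", "10.20.5.240"}
BREADCRUMB_USERS = {"svc_backup_ro", "db_admin2"}

# Constructed sample log lines: one real file-server flow, two flows to decoys,
# one logon attempt with a breadcrumb credential, one ordinary logon.
SAMPLE_LOGS = [
    "2015-06-01T10:02:11 flow src=10.10.1.23 dst=10.10.1.5 dport=445 action=allow",
    "2015-06-01T10:02:15 flow src=10.10.1.23 dst=10.10.1.250 dport=445 action=allow",
    "2015-06-01T10:02:16 flow src=10.10.1.23 dst=10.10.1.251 dport=22 action=allow",
    "2015-06-01T10:03:40 auth host=10.20.5.240 user=svc_backup_ro src=10.10.1.23 result=failure",
    "2015-06-01T10:05:02 auth host=10.20.5.7 user=alice src=10.20.5.31 result=success",
]

FLOW_RE = re.compile(r"^(\S+) flow src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) auth host=(\S+) user=(\S+) src=(\S+) result=(\w+)")


def scan_logs(lines, decoy_ips=DECOY_IPS, breadcrumb_users=BREADCRUMB_USERS):
    """Return one alert dict per line that touches the deception environment.

    Any contact with a decoy address, and any logon using a planted account
    (or aimed at a decoy host), is reported with the attacking source, the
    decoy reached and the raw evidence line for later forensic review.
    """
    alerts = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            if dst in decoy_ips:
                alerts.append({"time": ts, "kind": "decoy_contact", "src": src,
                               "decoy": dst, "detail": f"tcp/{dport}", "raw": line})
            continue
        m = AUTH_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            if user in breadcrumb_users or host in decoy_ips:
                alerts.append({"time": ts, "kind": "breadcrumb_use", "src": src,
                               "decoy": host, "detail": f"user={user} {result}", "raw": line})
    return alerts


def impacted_sources(alerts):
    """Summarise which internal devices touched decoys: source IP -> hit count."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for a in found:
        print(f"{a['time']} ALERT {a['kind']} src={a['src']} decoy={a['decoy']} {a['detail']}")
    print("impacted sources:", impacted_sources(found))
```

In a real deployment the alert dicts would be forwarded to the SIEM or SOC, and the impacted-source summary is what tells responders which internal host to isolate first.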
The company recently announced two significant enhancements. First, it now supports the AWS cloud environment, so the dynamic deception can take place in the cloud or in your own datacenter. Second, there is now a central management system for enterprises that deploy the Attivo solution in multiple geographic locations. All of the threats can be aggregated and monitored through a single pane of glass.
According to Attivo executives, there hasn't been a case yet when a customer was attacked and Attivo's system didn't detect it. The company calls this a last line of defense. There have been occasions when this solution was installed and no attack was ever detected, but knowing that your network is free of malware can be as important as knowing that you've been compromised. Imagine being able to tell your CEO that you are completely confident that your network is operating properly and everything is secure.