The term "advanced persistent threat" is tossed around so frequently that some people might think that every cyberattack results from an APT. This is far from the case. In fact, APTs represent a very dangerous category of cyber threats that use sophisticated resources and techniques to evade detection and that are tenacious in their mission, whether it's to steal information or disrupt normal operations.
NIST defines advanced persistent threat by describing three characteristics. The APT:
1. Pursues its objectives repeatedly over an extended period of time
2. Adapts to defenders’ efforts to resist it
3. Is determined to maintain the level of interaction needed to execute its objectives.
An attacker who uses APTs is smart and knows what he is looking for. And he has many ways to penetrate a network. Once he does penetrate a network, he looks to get to the asset he wants.
The first time he lands on a machine on the network, he needs to orient himself. In order to move laterally to find the asset he is seeking, he needs to answer two questions: Where can I go from here, and how do I obtain the privileges to execute that move? This process is called orientation and propagation. Very often an attacker has to make hundreds or even thousands of small moves to reach the target asset.
If an attacker is proficient at this process, little can stop him. He knows how to be evasive, often by mimicking legitimate user activities so as not to stand out. Moreover, the attacker has one big advantage over defenders: asymmetry in what defines mission success. The attacker can fail 99 times out of 100, and if he only succeeds once, he is a winner. If defenders are successful 99 times out of 100, they have lost the battle.
Illusive Networks is a security company that specializes in the use of deception to address the scourge of APTs. The company believes you have to think like an attacker in order to catch and stop an attacker who is already inside your network. In fact, the company has a number of ex-attackers on staff who share their perspectives with their colleagues to help make a more useful solution.
Illusive Networks plants deceptions everywhere in your network so that no matter where an attacker first lands after penetration, he is presented with false answers to the questions he must answer to move around the network.
On the first question – "Where can I move from here?" – if he had three legitimate possibilities, Illusive Networks will present him with 20 choices. Only three of them are real and the other 17 are traps. If he needs credentials to make a move, and he finds two sets of legitimate credentials, Illusive Networks will provide him with an additional ten sets, so now he has 12 credentials he can work with.
Each time he uses the deceptive credentials or moves to a deceptive computer – which doesn't even exist – the attacker is detected, because there are sensors behind every deception. In doing so, Illusive Networks flips the asymmetric situation on its head: if the attacker makes even one mistake, he is detected right away.
In addition to increasing the chances of detecting the attacker's moves, Illusive Networks launches a forensic application that collects essential forensic data in real-time from two minutes before the attack, during the actual attack, and two minutes thereafter. This information gets sent to your SOC so security analysts know where the attacker is in the network, what he is doing, and how he got in. Illusive Networks also can automate a response, if desired, to shut down the attack.
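The detection principle in the two paragraphs above can be illustrated with a small honeytoken-style detector. This is an added example written for this column, not Illusive Networks' code: it assumes a registry of planted decoy credentials and decoy hosts (constructed names), scans constructed authentication/connection log lines, raises an alert on any use of a decoy, and gathers the surrounding two minutes of activity from the same source as forensic context.

```python
# Added example, not Illusive Networks' code. Decoy names, log format and log
# lines are all constructed for illustration.
from datetime import datetime, timedelta
import re

# Hypothetical registry of planted deceptions. The defender knows these exactly,
# because the defender planted them; legitimate users never see or use them, so
# a single match is attacker activity by construction.
DECOY_CREDENTIALS = {"svc_backup_adm", "fin-share-ro"}
DECOY_HOSTS = {"fs-archive-07", "sql-reporting-03"}

# Constructed log format: "<date> <time> auth|conn user=<u> src=<host> dst=<host>"
LOG_RE = re.compile(r"^(\S+ \S+) (?:auth|conn) user=(\S+) src=(\S+) dst=(\S+)")

def parse(line):
    """Parse one constructed log line into an event dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, src, dst = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "src": src, "dst": dst}

def is_deception_hit(ev):
    """True if the event touches a planted credential or a decoy host."""
    return ev["user"] in DECOY_CREDENTIALS or ev["dst"] in DECOY_HOSTS

def detect(lines, window=timedelta(minutes=2)):
    """Return one alert per deception hit: the triggering event plus every event
    from the same source host within +/- window (forensic context)."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for ev in events:
        if not is_deception_hit(ev):
            continue
        ctx = [o for o in events
               if o["src"] == ev["src"] and abs(o["ts"] - ev["ts"]) <= window]
        alerts.append({"trigger": ev, "context": ctx})
    return alerts

# Constructed sample: a workstation uses a decoy credential, then a decoy host.
SAMPLE_LOG = """\
2024-03-01 09:00:05 auth user=jsmith src=ws-114 dst=dc-01
2024-03-01 09:01:10 conn user=jsmith src=ws-114 dst=fs-01
2024-03-01 09:02:30 auth user=svc_backup_adm src=ws-114 dst=dc-01
2024-03-01 09:03:00 conn user=jsmith src=ws-114 dst=fs-archive-07
2024-03-01 09:10:00 auth user=asmith src=ws-200 dst=dc-01
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        t = a["trigger"]
        print(f"ALERT {t['ts']} src={t['src']} user={t['user']} "
              f"dst={t['dst']} context={len(a['context'])} events")
```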
Delivery of this solution uses on-premises software on two servers. A Deception Management Server is the management console where deceptions are created and deployed and the forensic tool is launched in real-time when an attack is detected. A Trap Server triggers alerts when a sensor detects that a deception has been tripped. No agent software is installed on any devices in your network.
A unique feature of the Deception Management System is that it continuously plants new and different deceptions to reflect the way your network changes over time. The deceptions also adapt to the attributes the attacker is already using. This makes the illusion appear all the more real to the attacker.
Illusive Networks claims to have no false positives. Neither legitimate end users nor the IT professionals can see the deceptions or know they are there. The deception sensors would only be triggered if an attacker – even someone from the inside – lands on them. What's more, Illusive Networks says it only takes a few moves, and sometimes only one, before an attacker is detected. With a typical advanced attack requiring hundreds or thousands of moves to get to the target asset, the person should be detected long before he is successful in his mission.
With ransomware being a pervasive problem today, Illusive Networks addresses this problem with special deceptions. First the company creates the illusion of backup data – essentially a mirage – with the hope the ransomware will target this data instead of your real backup data. If the malware attempts to delete this backup data mirage, it is detected and gets killed. Likewise, Illusive Networks plants the deception of critical data that ransomware typically targets for encryption. Again, if this mirage data is hit, the attack gets detected and is killed. The ransomware can never complete its mission to put a stranglehold on your real data.
This strategy sounds a bit like a chess game where the malicious opponent encounters a checkmate after only one or two moves. With the stakes of a cyberattack being so high, a quick end to the match is critical.