Every CISO knows it’s not enough to just use prevention tools to try to keep attackers out of the network. CISOs must have the mindset of “they will get in” and plan accordingly with detection tools.
According to Gartner, the average time before a breach is detected is more than 200 days, and too often the breach is detected by an outside organization such as a credit card processor or a law enforcement agency. These facts are simply indefensible when a CISO is called before the Board of Directors to discuss preparedness for cyber incidents.
Assuming that an attack will happen eventually, the important thing is how quickly the attack can be detected and stopped. The ideal scenario is to catch the attack in action before any data can be exfiltrated, or in the case of ransomware, encrypted.
When an attacker first comes into a network, usually via malware planted through a phishing attack or a drive-by download, he is basically blind. To remove the figurative blindfold, he has to probe around to figure out where he is and where he wants to go next. His goal is to get to the valuable assets in as few moves as possible, and without being detected.
Deception technology can be used to give the attacker the illusion that he has discovered a coveted asset or a beneficial next move; for example, allowing him to see a system administrator account within Active Directory that (theoretically) should have elevated access privileges. However, if that account is just a fake decoy and the attacker still goes for it, he can be lured into a trap that sets off a silent alarm. Once the attacker’s presence is known, security professionals can decide what to do, such as terminate the attack or perhaps play a game of cat and mouse to gather more information about the attacker and follow his path.
TopSpin Security has a deception-based platform called DECOYnet that provides the complementary layers of deception and detection right out of the box. The company says DECOYnet covers all stages of the attack chain—it detects the infected assets, hunts and traps the attacker, and deflects the attack from the real assets.
DECOYnet connects to a TAP or SPAN port and looks at all traffic in a certain network or subnet through its network traffic analysis engine. This allows DECOYnet to map the organization’s network to do asset profiling to know what kind of endpoints and servers exist, where they are, what the operating systems are, what services they are running, and so on. This discovery process determines where to place the decoys – i.e., fake assets such as endpoints, servers, data repositories, IoT devices, etc. – as well as what types of decoys to use so they look like a legitimate part of the network.
DECOYnet maintains this connection to see how the network evolves, which helps create realistic deceptions, and to tune them to match the current network configuration. TopSpin calls this feature adaptive deception.
DECOYnet’s decoys are like any other asset; they will appear to have the same operating systems, the same applications running on the same ports, the same protocols and even similar data in some cases. However, legitimate users of the network have no reason to access them, so any access to a decoy should be an indication that an intruder is at work. Decoys are not physical devices, just emulated services. This enables deployment of more than a thousand decoys using a single rack-unit.
Mini-traps, also known in the industry as breadcrumbs or lures, are fake data items planted on real assets to direct an attacker to a decoy. DECOYnet’s mini-traps are diverse. They can be files, documents, user credentials, email messages, system resources—anything on a system or on the network that an attacker might look at. TopSpin puts a lot of emphasis on the realistic appearance of its decoys and mini-traps so an attacker doesn’t realize what’s going on.
DECOYnet provides for both automatic and manual deployment of decoys and mini-traps. What gets deployed is not an agent, but rather files, credentials in memory or registry keys. DECOYnet does the placement based on network “soft spots” that are identified during the discovery phase and the ongoing network analysis. The solution can essentially build an attack route to direct an attacker right into a trap.
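The mini-trap idea above, as an added example that is not DECOYnet's code: a small inventory of planted lures (a decoy credential and a decoy UNC path; the account name, host names and paths are constructed) is matched against constructed Windows-style logon events (4624 success, 4625 failure) and file-audit lines. Any appearance of a planted item is an alert, whether or not the logon succeeded, and the alert carries where the lure was planted and which decoy it points to, which is what lets the security team trace the route the intruder is being steered along.

```python
"""
Breadcrumb (mini-trap) inventory and matcher.
Added example with an assumed design; not DECOYnet code.
"""
import re

# Constructed inventory of planted lures. Names, hosts and paths are invented.
BREADCRUMBS = [
    {"kind": "credential", "value": "svc_backup_ro",
     "planted_on": "ws-042", "points_to": "decoy-fileserver-01"},
    {"kind": "file", "value": r"\\fs-decoy-01\finance\Q3_report.xlsx",
     "planted_on": "ws-042", "points_to": "decoy-fileserver-01"},
]

# Two constructed log shapes are understood: a logon event and a file-audit line.
LOGON_RE = re.compile(r"EventID=(?P<eid>4624|4625)\s+Account=(?P<acct>\S+)\s+Src=(?P<src>\S+)")
FILEAUDIT_RE = re.compile(r"FileAccess\s+Host=(?P<host>\S+)\s+Path=(?P<path>\S+)")

# Constructed sample events: one failed logon with the decoy account and one
# read of the decoy path, both from the same workstation.
SAMPLE_LOGS = [
    "EventID=4624 Account=jsmith Src=10.1.1.20",
    "EventID=4625 Account=svc_backup_ro Src=10.1.1.33",
    r"FileAccess Host=10.1.1.33 Path=\\fs-decoy-01\finance\Q3_report.xlsx",
    "EventID=4624 Account=jdoe Src=10.1.1.21",
]


def match_breadcrumbs(lines, breadcrumbs=BREADCRUMBS):
    """Return one alert per log line that touches a planted lure."""
    by_value = {(b["kind"], b["value"]): b for b in breadcrumbs}
    alerts = []
    for line in lines:
        m = LOGON_RE.search(line)
        if m:
            lure = by_value.get(("credential", m.group("acct")))
            if lure:
                alerts.append({
                    "source": m.group("src"), "kind": "credential",
                    "value": lure["value"], "planted_on": lure["planted_on"],
                    "points_to": lure["points_to"],
                    # A failed logon with a decoy account is as telling as a success:
                    # nobody legitimate knows the account exists.
                    "outcome": "success" if m.group("eid") == "4624" else "failure",
                })
            continue
        m = FILEAUDIT_RE.search(line)
        if m:
            lure = by_value.get(("file", m.group("path")))
            if lure:
                alerts.append({
                    "source": m.group("host"), "kind": "file",
                    "value": lure["value"], "planted_on": lure["planted_on"],
                    "points_to": lure["points_to"], "outcome": "access",
                })
    return alerts


def route_by_source(alerts):
    """Group alerts per source host, in log order: the path the intruder is taking."""
    routes = {}
    for a in alerts:
        routes.setdefault(a["source"], []).append((a["kind"], a["value"], a["outcome"]))
    return routes


if __name__ == "__main__":
    for src, steps in route_by_source(match_breadcrumbs(SAMPLE_LOGS)).items():
        print(src, "->", steps)
```

The matcher keys on the exact lure value, so the inventory must be kept in sync with what was actually planted; a lure that is rotated on the endpoint but not in the inventory is silent.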
Decoys can interact with an attacker. For example, the intruder might see a 500 KB file that appears to be a financial report in an Excel document. When he goes to download it, DECOYnet feeds him a fake file that is 1 gigabyte in size. The lengthy download slows the attacker while it also alerts the network security team of the intrusion.
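The two decoy behaviours described above (any access is an alarm; a small advertised file turns into a large, slow download) as an added example with an assumed design, not DECOYnet's code: an emulated HTTP file share that lists a constructed "financial report" at 500 KB, writes a structured alert record for every request it receives, and on download streams 1 GB of filler in throttled chunks. The file name, port and chunk timing are assumptions.

```python
"""
Minimal decoy file server. Added example with an assumed design; not DECOYnet code.
No legitimate user has a reason to reach this host, so every request is an alert.
"""
import json
import sys
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

ADVERTISED_NAME = "Q3_financial_report.xlsx"  # constructed lure name
ADVERTISED_SIZE = 500 * 1024                  # what the listing claims: 500 KB
SERVED_SIZE = 1024 ** 3                       # what is actually streamed: 1 GB
CHUNK_SIZE = 64 * 1024
CHUNK_DELAY_S = 0.05                          # throttle so the download drags on


def build_alert(client_ip, method, path, user_agent):
    """Structured alert for the SIEM; every field is taken from the request."""
    return {
        "event": "decoy_access",
        "severity": "high",
        "client_ip": client_ip,
        "method": method,
        "path": path,
        "user_agent": user_agent or "",
        "decoy": ADVERTISED_NAME,
        "ts": time.time(),
    }


def fake_payload_chunks(total_bytes=SERVED_SIZE, chunk_size=CHUNK_SIZE):
    """Yield total_bytes of filler in chunk_size pieces (the last may be short)."""
    sent = 0
    while sent < total_bytes:
        n = min(chunk_size, total_bytes - sent)
        yield b"\x00" * n
        sent += n


def listing_html():
    """Directory-style page showing the lure at its advertised (small) size."""
    return (
        "<html><body><h1>Finance share</h1><ul>"
        f'<li><a href="/{ADVERTISED_NAME}">{ADVERTISED_NAME}</a> '
        f"({ADVERTISED_SIZE // 1024} KB)</li></ul></body></html>"
    )


class DecoyHandler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        pass  # suppress the stdlib access log; the alert record replaces it

    def do_GET(self):
        alert = build_alert(self.client_address[0], "GET", self.path,
                            self.headers.get("User-Agent"))
        print(json.dumps(alert), file=sys.stderr, flush=True)  # forward to SIEM
        if self.path == f"/{ADVERTISED_NAME}":
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(SERVED_SIZE))  # 1 GB, not 500 KB
            self.end_headers()
            try:
                for chunk in fake_payload_chunks():
                    self.wfile.write(chunk)
                    time.sleep(CHUNK_DELAY_S)
            except (BrokenPipeError, ConnectionResetError):
                pass  # client gave up; the alert was already raised
            return
        body = listing_html().encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()  # assumed port
```

Run it and fetch `/` or the advertised file from another shell; the alert line on stderr is the signal, the slow 1 GB body is the stall. A real deployment would bind the listener on an address that looks like a peer of the surrounding servers, which is the placement decision the discovery phase informs.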
The security team gets very rich forensic information that helps in the attack investigation; for example, whether it is a human or machine type of attack, whether it has had C&C communication, if it has been uploading or downloading files, which assets in the organization it was trying to probe, what kind of application it’s running, the communication channel it’s using, and other good stuff. This can all be fed to a SIEM or viewed via the DECOYnet console. TopSpin says it works with customers to determine what to do with the forensic data according to each customer’s best practices.
Another feature of DECOYnet is that its traffic analysis engine looks at all communication that leaves the organization. DECOYnet isn’t looking at the actual data packets; rather, it’s reading the patterns of the communication as a means to detect unusual activity. For example, encoded or encrypted traffic where plain HTML is expected would sound an alarm. Why would someone use that? Why is it encrypted? Maybe somebody is doing something they shouldn’t.
If an application that identifies itself as a browser talks only to a single outside IP address or domain and never accesses different websites, that looks suspicious. If the use of TOR is detected, the CISO would probably want to know. DECOYnet looks at a variety of activity and builds a forensics rap sheet for each machine. The organization can set policies and thresholds and be notified when things are outside the norm. This is a simple way to augment the deception capabilities.
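The pattern-based egress checks described in the two paragraphs above, as an added example with an assumed design, not DECOYnet's engine: a per-machine rap sheet is built from constructed proxy records (source, user agent, destination, port, bytes out) without touching any payload, and a policy with thresholds is evaluated over it. The rules flag a browser-like user agent that only ever reaches one outside destination, connections to the default Tor relay ports (9001 and 9030, a deliberately crude heuristic), and a per-machine egress byte ceiling. The record format, thresholds and addresses are assumptions.

```python
"""
Egress pattern checks over a per-machine rap sheet.
Added example with an assumed record format; not DECOYnet code.
Only metadata is used: who talks to whom, how often, on which ports, how much.
"""
from collections import defaultdict

# Constructed sample: (src_ip, user_agent, dst_host, dst_port, bytes_out)
RECORDS = [
    ("10.1.1.20", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "news.example", 443, 2100),
    ("10.1.1.20", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "mail.example", 443, 3300),
    ("10.1.1.20", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "cdn.example", 443, 8800),
    # 10.1.1.33 claims to be a browser but only ever reaches one outside host.
    ("10.1.1.33", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "203.0.113.7", 443, 512),
    ("10.1.1.33", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "203.0.113.7", 443, 498),
    ("10.1.1.33", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "203.0.113.7", 443, 530),
    ("10.1.1.33", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "203.0.113.7", 443, 505),
    ("10.1.1.33", "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "203.0.113.7", 443, 515),
    # 10.1.1.41 connects to a default Tor relay port.
    ("10.1.1.41", "", "198.51.100.9", 9001, 4096),
]

# Assumed policy; each value is a knob the organization would tune.
POLICY = {
    "min_browser_requests": 5,        # judge a "static browser" only after this many requests
    "max_bytes_out": 1_000_000,       # per-machine egress ceiling for the window
    "tor_relay_ports": {9001, 9030},  # default Tor ORPort/DirPort; crude heuristic only
}


def looks_like_browser(user_agent):
    """Crude user-agent test: real browsers send a Mozilla/ prefix."""
    return user_agent.startswith("Mozilla/")


def build_rap_sheets(records):
    """Aggregate per-source counters; no payload is examined."""
    sheets = defaultdict(lambda: {"requests": 0, "browser_requests": 0,
                                  "bytes_out": 0, "dests": set(), "ports": set()})
    for src, ua, dst, port, nbytes in records:
        s = sheets[src]
        s["requests"] += 1
        s["bytes_out"] += nbytes
        s["dests"].add(dst)
        s["ports"].add(port)
        if looks_like_browser(ua):
            s["browser_requests"] += 1
    return dict(sheets)


def evaluate(sheets, policy=POLICY):
    """Apply the policy to each rap sheet; returns (src, rule, detail) findings."""
    findings = []
    for src, s in sorted(sheets.items()):
        # A "browser" that is pinned to a single destination is not browsing.
        if (s["browser_requests"] >= policy["min_browser_requests"]
                and s["browser_requests"] == s["requests"]
                and len(s["dests"]) == 1):
            findings.append((src, "static_browser", next(iter(s["dests"]))))
        tor_hits = s["ports"] & policy["tor_relay_ports"]
        if tor_hits:
            findings.append((src, "tor_relay_port", sorted(tor_hits)))
        if s["bytes_out"] > policy["max_bytes_out"]:
            findings.append((src, "egress_threshold", s["bytes_out"]))
    return findings


def run(records=RECORDS, policy=POLICY):
    return evaluate(build_rap_sheets(records), policy)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The single-destination rule is deliberately gated on a minimum request count so a machine seen once is not judged; the port heuristic will miss Tor bridges and relays on other ports, which is why it augments rather than replaces the decoy layer.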
As a technology, deception has evolved tremendously since the days of static honeypots. It’s now an important layer in the enterprise security stack. Done right, deception can detect and trap an attacker within just a few moves on the network.