We all know what cybercriminals are after – data. It’s as good as gold. One cybersecurity firm decided to break all the rules and give attackers the very thing they were after: Data to encrypt. Why waste time, they decided. Keep these rogue actors happy, as quickly as possible.
Attivo Networks, an innovative defense for protection against identity compromise, privilege escalation, and lateral movement attacks, has noted the rise of identity-based attacks in the past year.
They found that organizations have not given enough focus to securing enterprise and personal identities. They convinced their clients that giving the data to attackers was the smartest thing to do to not only keep attackers busy but also to study their methods, and discourage them from coming back, over and over again. Their clients bought the idea. It was pretty ingenious.
Really? This piqued our curiosity, and AMEinfo decided to discuss it with Ray Kafity, Vice President at Attivo Networks, and find out what’s so clever about that plan.
More humans than scripts
Identity is becoming the new frontier in cyber security today.
Readers might be familiar with Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Network Detection and Response (NDR), and other detection solutions.
But Attivo is introducing a new security category and coined it IDR (Identity Detection and Response).
“Cyberattacks are becoming more human in nature, meaning they are less triggered by a malware script. There are humans behind it, big teams that work night and day to be able to breach and penetrate networks, encouraged in the last couple of years by dynamics in the market that expanded the attack surface,” Ray told AMEinfo.
“This is partly due to a massive move into digital transformation, and towards the cloud with Microsoft Azure, Amazon Web Services and others. Plus, expanding remote work environments gave attackers more ammunition and territory to go after in their cyberwar.”
“Before the pandemic, only 4-5% of employees were remote workers. After COVID-19 hit, that percentage rose to 95%, and cyber attackers saw an opportunity to go after individual users rather than the company directly,” Ray added.
With everyone more online than ever before, human targets became the new surface. These targets required live intervention by actual human attackers whose aim is to use deception to steal credentials.
Can I have your ID, please?
Attackers are becoming clever in their approach, impersonating the IDs of those with higher access privileges to access certain assets in the organization faster, in a more guaranteed way, instead of sending company-wide malware.
According to Ray, identity security is now paramount on every CIO’s mind, which sets it apart from EDR and NDR, both of which address whether one has a malware attack in his endpoint or whether suspicious activity is in the network.
“These services are important, but today it’s also about how to secure identities, to make sure their people have solid entitlement and security measures that allow access to resources whether on the LAN (network) or the cloud, but the attackers don’t. That’s where Attivo comes in,” Ray stated.
How does Attivo do it?
The first step for Attivo is to identify where identities lie in the network because they are usually associated with credentials providing access to corporate assets and resources.
“The majority are in the Active Directory, a Microsoft product for directory services used by 95% of organizations. Once the attacker lands in the network, credentials become the prime targets,” Ray explained.
“Attivo has very advanced solutions to slow down the attacker inside the network, and if they try to reach credentials, we have very smart solutions that will divert those efforts and prevent access.”
Here, Attivo will engage in what it calls intelligence and counter-intelligence tactics.
With ransomware attacks on company files, Attivo hides the real data that cyber thieves are trying to encrypt and instead present fake but believable data that the attackers can use. They chew on the fake data while Attivo observes and records their actions. At the same time, Attivo activates the quarantining of the threat, preventing the ransomware from propagating.
“If bad elements go to the Active Directory and try to harvest all the credentials, we interrupt that process and redirect them to our deceptive environment. They can feel they accomplished their mission, but on a fake environment that looks and feels real, not on the real Active Directory,” Ray revealed.
He said Attivo is unique in this approach because it uses three pillars of solution differentiation, i.e., protecting companies’ critical assets inside the network, preventing major ransomware attacks from propagating in the network, and generating real-time intel on the attackers.
“Using cyber deception tactics, we waste attackers’ efforts and gather threat intelligence about their tools tactics and procedures, essentially catching the thief with their hands in the cookie jar,” Ray described.
Attackers are discouraged by the time invested and wasted trying to break defenses while getting nowhere in the process. They also can no longer trust the accuracy of their tools. This causes them to operate at a much slower pace and opens up a higher risk of being detected as they have to change attack tactics.
“We don’t just catch them red-handed, but also gather real-time threat intel on motives and actions that feed into our incident response, preventing future attacks.”
Doing business with Attivo
While Attivo works mostly with enterprises, it also offers solutions in a managed service provider environment. For example, telcos can acquire the Attivo license and offer it as a service to SMBs.
“With every enterprise customer, we recommend regular penetration testing (pen test) exercise, breach exercises, and on-demand assessments where companies test their solutions and defense mechanisms, to see how Attivo reacts,” Ray said.
“So, they try to breach the network, and we catch it and show a report on how they penetrated it and how we quarantined the attack while recording all the activities in the decoy environment.”
Using modular active defense solution platforms, Attivo provides:
- Deception technology or decoys and fake networks to reduce dwell time in the network and gather HiFi threat intel and solutions from the HQ to decentralized environments
- The Attivo Endpoint Detection Net (EDN) Suite, also a deception-based protection, to defend against ransomware and other advanced attacks. The solution feeds the attackers with fake data and redirects malicious activities to decoy environments using cloaking techniques for data and credentials
- IDR and assessment tools to detect vulnerabilities and attacks targeting identities in endpoints, Active Directory, and the cloud to reduce ID risks and entitlement exposures