Writing for Defence Online, Carolyn Crandall, Chief Deception Officer at Attivo Networks, looks at the importance of intelligence gathering in combating the threat of cyber attackers.

Throughout military history, armies have used deception as a tactic for defending against a hostile force. It wrong-foots the enemy into wasting time and resources on a false prize that has no value, and at the same time forces them to reveal their hand. Observing how the enemy responds when exposed to decoys gives defenders a clear understanding of the assailant’s tactics, techniques, and procedures (TTPs). The lessons learned better prepare them to repel future attacks.


Many enterprises are now applying modern deception tactics not only to solve their cyber security detection challenges but also to gather company-centric threat intelligence. Accurate information about how a threat actor infiltrated a network helps identify gaps in security prevention and shows how to stop a similar attack from recurring.


The need for company-specific intelligence

The attack surfaces of modern, connected businesses are expanding and are more complex than they have ever been. Further, attacks are growing in number and sophistication, and with the adoption of AI and automated attack tools, threat actors are getting into networks more easily and remaining undetected for increasing lengths of time. Research by the insurer Hiscox found that the proportion of UK companies experiencing cyberattacks rose from 40 percent in 2018 to 55 percent in 2019.


Many organisations use intelligence gathered about recent attacks on similar businesses in an attempt to understand how best to deploy their cyber defences. Although understanding how attackers are targeting companies in the same industry is useful, it is not sufficient to prevent an attack on one’s own organisation, as every security infrastructure and policy set is unique.


Traditional prevention and detection systems are designed to stop and deflect an attack. They have no means of learning from the attack automatically; instead they leave many questions unanswered, or force a manual process in which the security team must try to recreate the incident in order to learn from what happened.


Deception for Rich Intelligence

By deploying a cyber deception platform, businesses can gain a greater insight into the TTPs threat actors uniquely use against them as well as what they are after. Unlike other technologies, deception misdirects attackers away from real assets and into decoy environments where the solution can safely study their actions. Breadcrumbs placed on endpoints can also deliver powerful insight into indicators of compromise and the often hard-to-determine origin of the attack.


Security professionals recognise cyber deception for its ability to improve detection times. A report by Enterprise Management Associates highlights that once inside a network protected by conventional means, a threat actor can dwell for an average of 60 days before detection. In a deception environment, the research indicated an average of 5.5 days. This finding is a 90% improvement, which has material implications for reducing the time spent in triage and in remediating infected systems.


Pre-emptively, deception can provide intelligence that helps identify the lateral movement paths attackers can leverage to move from system to system. This gives security teams visibility into exposed credentials and misconfigurations so they can be remediated before attackers exploit them.


Early detection and the ability to gather threat intelligence are possible through implementing a deception environment that looks and feels like an organisation’s real network. Machine learning is applied to create appealing decoy data and applications that lure the attacker away from valuable assets and into the deception servers. Once the attacker interacts with anything in the deception environment, accurate and actionable alerts notify the security team that an intruder is inside the network. The information in these alerts can include IP addresses, details of the credentials the attackers used, and the activities they have carried out.


The deception solution backs these alerts with forensic evidence to aid analysis and triage. It can also replay the attack activity in visual form, giving security teams a timeline view of how the attacker engaged with the decoys, and it correlates these activities to simplify and accelerate investigation. Using these data points, security professionals can gain a clear understanding of how an attacker moves through the network and what they are targeting.
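The alerting and correlation described in the two paragraphs above, reduced to its core, as an added example that is not Attivo's code: decoy accounts and decoy hosts have no legitimate use, so any log line touching them is a high-fidelity alert, and grouping those lines by source address gives the per-attacker timeline. The log format, decoy names and addresses are all constructed for the example.

```python
# Added example (not Attivo's code): decoy-credential ("breadcrumb") alerting
# and correlation into a per-source timeline, over constructed sample log lines.
from dataclasses import dataclass
from collections import defaultdict

# Constructed decoy accounts planted on endpoints; no legitimate process uses them.
DECOY_ACCOUNTS = {"svc_backup_legacy", "fin-share-admin"}
# Constructed decoy hosts: any connection to them is by definition unauthorised.
DECOY_HOSTS = {"10.20.30.44", "10.20.30.45"}

@dataclass
class Event:
    ts: str
    src_ip: str
    user: str
    dst_host: str
    action: str

def parse_line(line: str) -> Event:
    """Parse a constructed 'ts src_ip user dst_host action' auth log line."""
    ts, src, user, dst, action = line.split(maxsplit=4)
    return Event(ts, src, user, dst, action)

def is_decoy_interaction(ev: Event) -> bool:
    # Decoy credentials and hosts have no legitimate use, so any touch is a
    # high-fidelity signal rather than an anomaly score that needs tuning.
    return ev.user in DECOY_ACCOUNTS or ev.dst_host in DECOY_HOSTS

def build_alerts(lines: list[str]) -> dict[str, list[dict]]:
    """Return decoy interactions correlated by attacker source IP, in log order."""
    timeline: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if is_decoy_interaction(ev):
            timeline[ev.src_ip].append({"ts": ev.ts, "user": ev.user,
                                        "host": ev.dst_host, "action": ev.action})
    return dict(timeline)

# Constructed sample log: one legitimate user and one source touching decoys.
SAMPLE_LOG = [
    "2024-04-01T09:00:01Z 10.1.1.15 jsmith 10.20.30.10 logon_success",
    "2024-04-01T09:02:14Z 10.1.1.77 svc_backup_legacy 10.20.30.44 logon_success",
    "2024-04-01T09:02:20Z 10.1.1.77 svc_backup_legacy 10.20.30.44 smb_read payroll.xlsx",
    "2024-04-01T09:03:05Z 10.1.1.77 fin-share-admin 10.20.30.45 logon_failure",
    "2024-04-01T09:05:00Z 10.1.1.15 jsmith 10.20.30.10 logoff",
]
```

Calling `build_alerts(SAMPLE_LOG)` yields a single entry for 10.1.1.77 with three ordered events, while the legitimate jsmith activity produces no alert at all.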


Engagement within a deception sandbox produces an extremely accurate picture of the threat actor’s TTPs and eliminates the false positive fatigue that is the bane of cyber professionals’ lives. This saves a security team a great deal of investigation time and lets them focus on more critical alerts: they no longer need to wade through system logs to identify anomalies or chase time-wasting false alarms. A recent survey found that many IT security teams spend more than half of their time looking into false positives.


Previously, finding evidence of a cyberattack was like looking for a needle in a haystack. Deception technology effectively hands the needle to the IT security team. While attackers carry out what they believe to be valuable reconnaissance to discover a network’s secrets, it is in fact the attackers who are being spied upon and figured out. Deception turns the tables on cyber attackers, using their own techniques of trickery against them.

To learn more about cyber security and how your business can stay protected from threats, visit the Cyber Essentials Online website.


Post written by: Matt Brown
