{"id":2033,"date":"2017-04-25T19:23:15","date_gmt":"2017-04-26T02:23:15","guid":{"rendered":"https:\/\/new.acalvio.com\/?p=2033"},"modified":"2017-04-25T19:23:15","modified_gmt":"2017-04-26T02:23:15","slug":"deception-in-depth-a-novel-effective-way-to-mitigate-attacks-from-the-inside","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2017\/04\/25\/deception-in-depth-a-novel-effective-way-to-mitigate-attacks-from-the-inside\/","title":{"rendered":"Deception in Depth: A Novel, Effective Way to Mitigate Attacks from the Inside"},"content":{"rendered":"<div class=\"section post-body\">\n<p>Recently, an interesting survey pointed out that malware attacks are going <a href=\"http:\/\/www.networkworld.com\/article\/3186497\/security\/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html\">fileless<\/a>. In some cases, this means even using an internal employee to help with the process. Consider the attack on the Bank of Bangladesh, and you quickly realize that advanced attackers continue their rapid evolution from amateur to professional. What can enterprises do?<br \/>\nToday, security teams deal with insiders in a number of disjointed ways:<\/p>\n<ul>\n<li><strong>Analytics \u2014 <\/strong>Many UBA vendors have attempted to identify insider threats using statistical analysis to flag anomalous behavior. However, this approach is prone to false positives (e.g., an admin applying patch updates is legitimate but looks aberrant). Analytics also often requires a period of data mapping and ingest, which proves time consuming and requires customization (i.e., professional services and a really, really long deployment).<\/li>\n<li><strong>Endpoint monitoring <\/strong>\u2014 The EDR market is growing. 
The promise of finding Indicators of Compromise, or other activities indicating malicious internal (or external) behavior, is attracting a lot of security spend and attention. However, SOC teams are finding that IOCs are nice, but time consuming to find. Indicators of attack, they\u2019re finding, are much more pertinent.<\/li>\n<li><strong>DLP <\/strong>\u2014 The issues with policy-driven security are well documented. DLP, arguably, is the king of false positives and is in need of constant tuning.<\/li>\n<\/ul>\n<p>In security, we have to follow a basic maxim: prepare for the worst and hope for the best. Most insider incidents are accidents: \u201cOops, I clicked on that\u201d or \u201cI didn\u2019t mean to send this.\u201d At its worst, security teams have to prepare for a complex attack: be ready for an attacker who takes time to understand the target and prepares a sophisticated attack, based on knowledge of your infrastructure, with clever plans to bypass your defenses. In the Bank of Bangladesh incident, where attackers allegedly worked with internal employees, the hackers came close to siphoning off nearly $1B.<br \/>\nThis is where deception comes in. To counter a sophisticated attacker, \u201cdeception in depth\u201d can be a real asset. But what if that attacker has moved to the inside? How does this work? Let\u2019s assume you have a malicious insider who knows your infrastructure and has sophisticated tools.<br \/>\nFor the sake of illustration, let\u2019s use the recent ATM attacks. In this case, attackers around the world attacked banks to take control of <a href=\"https:\/\/www.helpnetsecurity.com\/2016\/11\/22\/cobalt-hackers-synchronized-atm-heists\/\">ATM machines<\/a>:<br \/>\nTo perform a logical attack, hackers access a bank\u2019s local network,<br \/>\nwhich is further used to gain total control over ATMs in their system.<br \/>\nCash machines are then remotely triggered to dispense 
money,<br \/>\nallowing criminals to steal large amounts with relative ease.<br \/>\nHow would deception identify\u2014and stop\u2014the ATM attackers from moving laterally to take over the bank network? Deception would go through a multi-step process that gives the insider the option to access and download sensitive documents:<\/p>\n<ul>\n<li><strong>Step 1: Detect the malicious motivation<\/strong>. How can you know someone\u2019s intentions? This is where fake content comes in. It should mimic the enterprise\u2019s environment. Does the user want to access FTP or SharePoint for sensitive information? A legitimate internal user has no need to touch the deception sensors; for example, there is no reason for a legitimate user to access the fake SQL or FTP server.<\/li>\n<li><strong>Step 2: Engage<\/strong>: With deception, the attacker is supplied a decoy or virtualized network. How they behave in this test tube gives a clear indication of motivation. In the first step, they gained access to our fake and attractive information. What do they do with it? For example, in the case of the ATM hack, the attacker would have installed ATM malware on the fake engagement server. If the answer is yes to any of these, on to the next step.<\/li>\n<li><strong>Step 3: Response<\/strong>. 
Once a malicious action is identified during engagement, the infected endpoint can be isolated to prevent further spread of infection, and\/or the IOC generated by engaging the threat can be used to harden the internal weak links in an organization.<\/li>\n<\/ul>\n<p>What is the technical underpinning that allows this to work? Fundamentally, deception is attack agnostic. With more attacks taking place inside the perimeter, attackers constantly change their form: executables, JavaScript, as well as fileless techniques. Eventually, the volume of attack permutations breaks down detection capabilities. Attackers simply figure out how to outsmart the latest defense.<br \/>\nBecause deception is activated during the execution of the threat, it is independent of the file type and of the delivery vector. When the threat executes in the network\u2014whether from an internal or external source\u2014you know. By giving someone the option to misbehave, and watching them eagerly cross a Rubicon, there\u2019s no more guesswork.<br \/>\nJust under a year ago, Gartner <a href=\"http:\/\/www.gartner.com\/smarterwithgartner\/deception-wave\/\">praised<\/a> \u201cdeception in-depth as a new strategy for comprehensive threat defense against the onslaught of advanced attackers and attack techniques.\u201d At that time, the attack du jour was ransomware. With the CIA leak, today\u2019s threat du jour focuses on insiders. Tomorrow, who knows. Whatever the threat, a pliable, effective defense is needed.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Recently, an interesting survey pointed out that malware attacks are going fileless. In some cases, this means even using an internal employee to help with the process. Consider the attack on the Bank of Bangladesh, and you quickly realize that advanced attackers continue their rapid evolution from amateur to professional. What can enterprises do? 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[87,109,123,142],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2033"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=2033"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/2033\/revisions"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=2033"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=2033"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=2033"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}