“It’s not a matter of whether an intruder will get in; it’s a matter of how far.”
-Vjay La Rosa, Senior Vice President, Security Architecture, ADP
If you ask any enterprise cybersecurity professional which tools are the most essential to an organizational protection profile, they will mention solutions such as two-factor authentication, anti-malware, server logs, firewall rules, intrusion detection systems, EDR, and encryption. These are certainly important factors to reduce cybersecurity risk—ones that every enterprise should include in their security architecture mix.
Do you want to be Patient Zero?
The challenge with these traditional solutions is that they operate on a known premise, where the company producing the tool and intel must know something about the particular attacker tradecraft in order to generate an alert on the same. Far too often, there are Patient Zero infections and data compromise because of this approach to threat identification. You might hear this referred to as “indicators of compromise” or some variant of this language. Do not let the variants fool you. They all operate on a known premise. Even companies using machine learning to enhance processing of new data or offering predictive modeling to block “previously unknown malware” are still using existing data sets of known or discovered tactics, which will skew the detection in favor of things that look like what has been seen prior, although not exactly the same.
Unfortunately, most cybersecurity technology built today is just an iteration of the same, highly imposing solution lacking an effective foundation. Hot names, big marketing claims, same wasted expense. However, a few next-generation security technologies are being built on completely different foundations that are exponentially more effective and seamless to the infrastructure, end user, and IT operator.
“Enterprise security teams and IT operations teams must agree to leapfrog existing security solutions and move immediately to world-class solutions that have the ability to stop elite hackers,” said Ed Amoroso, former Chief Security Officer, AT&T.
Traditional deception is insufficient
As reported in the latest Verizon 2017 Data Breach Investigations Report, the average number of days an attacker dwells inside an organization undetected is 149 days. This is unacceptable and proves that prevention technologies are not able to keep up with hackers. There are ten reasons why traditional deception technologies are inadequate:
1. Traditional deception is network centric.
Attackers are trying to get into the network. So why allow them to go there in the first place? Keep them contained to the point of compromise, like an endpoint or server.
2. Traditional deception is network specific.
Even a basic understanding of network architecture clearly shows that network specific approaches are:
- Segment limited – they only see IP traffic in the segment in which they reside.
- Not scalable – impossible to protect an entire organization, every computer, everywhere.
- Easily identifiable – hackers know the difference between real and fake network elements. They don’t walk in the path the IT person wants them to! They go where they want, subversively.
3. Traditional deception is NOT dynamic.
Organizations are constantly changing. Adding new employees, adding new resources, deleting resources, terminating employees, changing privileges, changing credentials, etc. To monitor and adjust false resources on an hourly or even daily basis across an entire organization is impractical and operationally inefficient.
4. Traditional deception is NOT real-time.
No matter what the marketing documents say, honeypots and network deception technologies all rely on one methodology: they must collect and aggregate data to make a decision. This is not viable detection or prevention when faced with advanced attackers. Hackers know that once they move, the time to detection will take days to weeks, or even months, even if the technology shows something odd.
5. Traditional deception requires lures.
APTs are persistent. They test the environment over and over again. Lures are a dead giveaway to today’s hackers, rendering the entire effort of detection and prevention useless, or at the very least, highly ineffective.
6. Traditional deception is expensive.
Implementing a honeypot approach requires skill, the addition of network elements, constant monitoring, constant updating (to keep pace with organizational change, if it is to look real), extensive integration, and adjustments to the architecture. This unnecessarily complicates and adds expense to an already confusing and expensive topology.
7. Traditional deception is invasive.
Why even have protection and detection if it is highly invasive to the IT operator and/or the business end user? The whole objective of cybersecurity is to reduce risk without adding additional burden. Too many cybersecurity technologies have failed because they are onerous to the business. Traditional deception and honeypot approaches are just this. That’s why a 25-year-old approach has never been a default protection approach.
8. Traditional deception is detectable.
Don’t believe the marketing. Deception is detectable. Hackers are smart. They don’t risk their identity, tradecraft, or other attribution. They know the organizations they penetrate have cyber detection tools in place. They also know how computer systems work—where there are hooks, traps, cameras, recorders, SIEMs, and people resources all focused on detecting an errant move. Thus, hackers know what to look for. Traditional honeypots have all kinds of presence indicators. Plus, attackers even sacrifice an identity here and there to expose the defensive tool so they can come back and surpass it the next time.
9. Traditional deception is only detection.
Just because a cyber defense tool is able to alert on an errant movement does not mean it provides the Incident Response team the proper information to make a forensically sound verification that it’s an attack. Additionally, any information it provides is basic and not enough for automating a response to stop the hacker from getting the information he wants, killing the attack chain, or mitigating the attack altogether.
10. Traditional deception is not a complete solution.
In the scheme of an entire security posture, adding a honeypot or deception strategy is no use if it’s not able to immediately and automatically initiate a shutdown on the attack. We see this with ransomware, as it might be detected by a technology, but the response actions are either manual, require integration coordination, or cannot close the cycle between detection and mitigation. It is not enough to just detect. A solution needs to mitigate, provide full forensics, and automate response to stop the attack before it can get into the network.
Obfuscation for deception is clever deception
The right approach for deception is to obfuscate Active Directory to deceive the hacker, thereby changing their perception of the path (instead of hoping that the attacker finds your breadcrumbs “in their path”). If you are going to invest the money, time, and resources to use deception as a strategy, make sure you use a next-generation approach that is both operationally efficient and highly effective.
Clever deception tackles the problems of attacker reconnaissance, credential theft, and lateral movement. The following are five attributes of clever deception:
1. Clever deception is focused.
Hackers want one thing: a computer connected to a Windows Domain. A Domain-connected computer is one connected to the Active Directory. It gives the hacker all the information he needs to understand the organization’s resources, steal credentials, escalate privileges, and move laterally off of the compromised endpoint, undetected. Clever deception should detect and block where the attacker gets his first foothold—the endpoint—and not draw them into the network.
2. Clever deception is non-intrusive.
Implementing security defenses should not add to the burden of IT operations or end user business. It should install and integrate seamlessly with the current topology. It should be agentless on the endpoint and activated via native protocols and services already a part of the architecture.
3. Clever deception is authentic.
Each organization is unique and constantly changing. Proper deception should be automatically dynamic and native to the organization’s naming convention and structure. IT operators should not have to make updates, validate configuration changes, or create new objects just to ensure authenticity.
4. Clever deception is automated.
The biggest problem with all of today’s security tools is that they are highly manual. They all require data collection, aggregation, analysis, and response. While much of this is automated, the crucial task of determining a threat from real activity is manual. Additionally, since all detection technology is naturally focused on collecting information, little of it is actually automated to deliver specific attack forensics without false positives.
5. Clever deception is infinitely scalable.
Through the native protocol of Active Directory authentication, Javelin injects an agentless deception element into the memory of each Domain-connected endpoint. This means each and every computer that a hacker could use to violate the organization can be protected, eliminating the need to deploy a plethora of appliances or software agents manually.
Javelin AD|PROTECT: Deception by Obfuscation
As most IT operations experts know, Active Directory provides the structure and support for a corporate Windows environment to properly function. Just about every IT service in a corporation, including virtual private network (VPN) remote access, single-sign-on (SSO), and SharePoint usage, is controlled and protected using Active Directory. Some like to think of it this way: no administrator in a complex environment can possibly sit down and define access control and protection settings for every computer and service. Instead, the more acceptable and scalable approach is to perform lockdown using Active Directory services.
Thus, if the corporate environment includes one hundred servers supporting a couple thousand users, then the Active Directory will include these user and computer accounts in the database schema. System administrators can query schemas for data about users and computers including names, identifiers, etc. This schema is extended to add information about applications, third-party software, or other services such as Exchange.
Attackers naturally gravitate to Active Directory to guide their lateral movement as part of an advanced persistent threat (APT) campaign. Javelin Networks mitigates this security risk by introducing a deceptive mask of the Active Directory from the endpoint perspective. The result is an obfuscation of the enterprise’s topology. The goal is for the good guys to see correct information from Active Directory but for the bad guys to see something very different.
As part of their APT initiative, attackers want to access this information to learn about the users and computers that have desirable information. If, however, they compromise an endpoint with a masked Active Directory protected by Javelin Networks, then they will be shown an intentionally and exponentially larger view of the corporate environment with many thousands of servers and users. The result is a confused attacker performing reconnaissance on assets that do not exist.
“Javelin Networks provides a unique and effective solution to deal with Active Directory weaknesses.”
-Ed Amoroso, former Chief Security Officer, AT&T.
Javelin AD Protect is moving the deception to Patient Zero with obfuscation of Active Directory on the endpoint. This approach creates the opportunity to generate alarms and alerts whenever activity occurs against a false user or computer entry. In this sense, the deception complements security information and event management (SIEM) tools and host or network intrusion detection and response systems by helping to identify errant access across the enterprise in real time. Very few existing security tools have this ability, and almost none include such embedded knowledge of activity inside Active Directory Services as Javelin Networks.
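To make the two ideas above concrete (decoys that follow the organization’s own naming convention, and alerting on any touch of a false entry), here is an added illustration written for this page; it is not Javelin’s code and does not implement the in-memory Active Directory masking the product performs. It assumes a constructed list of real computer names and a constructed set of endpoint telemetry events; decoy names are derived from the real prefix and number-width convention, and any reference to a decoy is raised as an alert with the source endpoint named.

```python
import re

# Constructed sample: the real computer objects a legitimate endpoint would see
REAL_COMPUTERS = ["FIN-WS-017", "FIN-WS-018", "FIN-WS-021", "HR-WS-004"]

# Constructed endpoint telemetry: (source_host, event_type, target_object)
SAMPLE_EVENTS = [
    ("FIN-WS-017", "ldap_query", "FIN-WS-018"),       # real neighbour, benign
    ("FIN-WS-017", "smb_connect", "FIN-WS-022"),      # decoy touched
    ("HR-WS-004", "kerberos_tgs", "cifs/HR-WS-006"),  # decoy touched via SPN
    ("FIN-WS-018", "ldap_query", "HR-WS-004"),        # real object, benign
]

NAME_PATTERN = re.compile(r"^(?P<prefix>[A-Z]+-[A-Z]+-)(?P<num>\d+)$")


def derive_decoy_computers(real_names, per_prefix=2):
    """Build decoy computer names that reuse each real prefix and its
    zero-padded number width, choosing numbers no real object uses."""
    by_prefix = {}
    for name in real_names:
        m = NAME_PATTERN.match(name)
        if m:
            by_prefix.setdefault(m["prefix"], []).append(m["num"])
    decoys = set()
    for prefix, nums in by_prefix.items():
        width = len(nums[0])
        used = {int(n) for n in nums}
        candidate, added = max(used), 0
        while added < per_prefix:
            candidate += 1
            if candidate in used:
                continue
            decoys.add(f"{prefix}{candidate:0{width}d}")
            added += 1
    return decoys


def detect_decoy_access(events, decoys):
    """A decoy exists only in the obfuscated view, so no legitimate process
    has a reason to reference it: every hit is a high-confidence alert that
    names the endpoint (the likely Patient Zero) it came from."""
    alerts = []
    for host, event, target in events:
        # normalise an SPN such as cifs/HR-WS-006 or an FQDN to the short name
        name = target.split("/")[-1].split(".")[0].upper()
        if name in decoys:
            alerts.append({"source": host, "event": event, "decoy": name})
    return alerts
```

Run as written, the decoys are FIN-WS-022, FIN-WS-023, HR-WS-005 and HR-WS-006, and two of the four sample events raise alerts.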