Deception to Complement Endpoint Detection and Response
Tushar Kothari, Attivo Networks CEO – The threat landscape is ever changing, and defenses need to change with it. Case in point: the days of being able to rely exclusively on perimeter defenses are long gone. We have known for a while that sophisticated attackers were getting through the perimeter, and we subsequently learned to expect it. To defend against them we had to harden our environment, and we did that by adding additional defenses inside the perimeter. The evolution of Endpoint Detection and Response (EDR) tools was a direct response to the increasingly challenging threat landscape posed by the newest generation of sophisticated attackers. It became another important layer in a “Defense in Depth” strategy.
Like Advanced Threat Protection (ATP), which evolved largely to stop Zero-Day exploits and other advanced techniques, EDR is more than a single product or just a set of tools. The term covers a range of capabilities that combines monitoring, analysis, reporting, response, and forensic functions into a suite of defenses designed to thwart highly skilled attackers. By placing sensors and response capability on the endpoints, these systems are positioned to identify and stop an attacker while they are in play. The forensic capabilities in many EDR solutions also let you analyze an attack to identify weaknesses in your existing defenses.
However, a full Defense in Depth strategy requires more. You need to consider other solutions when reviewing your defenses and, fortunately, there are other solutions available to complete the picture.
Deception is the art and science of tricking people into believing something that isn’t true. Camouflage and decoys are all part of the art. Hunters have used decoys and deception for hundreds of years. Law enforcement and the military use it routinely. Seventy years ago, the military was building fake airfields, deploying inflatable tanks, and using other tricks to deceive their opponents to great effect.
People don’t often think of deception in the context of cybersecurity, but they should.
The relative ease with which sophisticated attackers have learned to bypass perimeter defenses is what led to more advanced defensive techniques, such as EDR, in the first place – shifting detection and defense away from just the perimeter and adding those capabilities to hosts inside the network. But EDR doesn’t become fully effective on its own until after an attacker has gained a foothold inside the environment.
Deception enhances your defenses in multiple ways. By artificially expanding the attack surface with skillfully crafted decoys, it becomes nearly impossible for an attacker to identify live assets, which diverts them away from legitimate targets and minimizes damage. Decoys waste their time and effort while giving an organization more time to react. By including extensive instrumentation on the decoys, security teams can do detailed forensic analysis on their attacker and improve the rest of their security stack – or simply shut the intruder down and block future attacks.
Placing breadcrumbs on the network, in the form of fake credentials, bogus file shares, dummy services and the like, can quickly lure attackers away from vulnerable assets and stop them from doing real damage. For example, decoy credentials can not only divert an attacker to another decoy, they can also raise immediate red flags when an attacker tries to use them on a live asset, because a decoy account has no legitimate use. By placing legitimate-looking false documents, it becomes easy to waste an attacker’s resources acquiring them and subsequently track their efforts to exfiltrate them. The decoys increase the intruder’s workload and magnify the chance of catching them with only a minimal investment in organizational resources.
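As an added illustration of the red-flag behaviour described above (example code written for this article, not Attivo's product logic): a small Python detector that scans constructed authentication log lines for logons that use planted decoy accounts. The decoy account names, the decoy host addresses and the log line format are all assumptions made for the example.

```python
"""Flag any authentication attempt that uses a planted decoy (honeytoken) account."""
import re
from dataclasses import dataclass

# Hypothetical decoy accounts planted as breadcrumbs (constructed names).
DECOY_ACCOUNTS = {"svc_backup_old", "adm_finance_tmp"}
# Hypothetical decoy hosts that are expected to receive diverted logons.
DECOY_HOSTS = {"10.0.9.50", "10.0.9.51"}

# Assumed log format: "<timestamp> auth user=<u> src=<ip> dst=<ip> result=<r>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    dst: str
    severity: str

def parse_line(line):
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_decoy_use(lines, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Every attempt with a decoy account is an alert, success or failure alike.
    An attempt against a live (non-decoy) asset is rated critical: the attacker
    is no longer contained on the decoys and is probing real systems."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in decoy_accounts:
            continue
        severity = "high" if ev["dst"] in decoy_hosts else "critical"
        alerts.append(Alert(ev["ts"], ev["user"], ev["src"], ev["dst"], severity))
    return alerts

def suspect_sources(alerts):
    """Hosts that presented decoy credentials; the ones to isolate and image first."""
    return {a.src for a in alerts}

# Constructed sample log: one normal logon, two decoy-account attempts, one junk line.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z auth user=jsmith src=10.0.1.20 dst=10.0.2.5 result=success",
    "2024-03-01T10:03:12Z auth user=svc_backup_old src=10.0.1.20 dst=10.0.9.50 result=failure",
    "2024-03-01T10:05:40Z auth user=svc_backup_old src=10.0.1.20 dst=10.0.2.5 result=failure",
    "this line is not an auth record",
]
```

Running `detect_decoy_use(SAMPLE_LOG)` yields one high alert for the attempt against the decoy host and one critical alert for the same credential tried against the live asset, with 10.0.1.20 as the single suspect source.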
In fact, deception technology alters the economics of an attack substantially. A small investment in deceptive systems can dramatically increase the effort an intruder must expend for a successful attack. This shifts the equation from favoring the attacker, who has time to work in an easily identified environment, to favoring the defender, who can quickly and efficiently deploy deception to increase the apparent attack surface.
It’s sleight of hand for your environment, complementing the other pieces of your cybersecurity stack. Coupled with conventional perimeter defenses and EDR on the endpoints, a deception suite will enhance your Defense in Depth strategy and make an attacker’s job radically more difficult. Before deception, defenders had to be right 100% of the time in order to prevent a breach. With deception, organizations are now able to flip this paradigm on attackers, making it so the adversary has to be right 100% of the time in order to avoid detection.