Securing your network when the prevention gap is too wide to fill
Existing network security controls tend to be focused on the perimeter and rely on signatures and anomalies. Deception-based detection is an alternative approach that could help organisations keep pace with the increasing frequency and sophistication of attacks.
Organisations aren’t short of technologies they can deploy to protect their digital assets. From old-school firewalls to SIEM (security information and event management), endpoint detection and response (EDR), network analysis, and continuous vulnerability scanning, tools exist to cover virtually the whole potential attack surface of a company’s IT infrastructure. Yet attacks continue to happen and cyber crime is at an all-time high. In 2020, ransomware attacks increased by 62 per cent compared with the previous year, to a total of 304 million. This means either that cyber criminals are doing something right, or that organisations are doing something wrong.
Yes, attackers have upgraded their playbooks and technology arsenals, but we shouldn’t give cyber criminals more credit than they deserve. Their tools may be sophisticated, but so are the defensive technologies deployed by today’s enterprises. Attacks are often opportunistic and leverage known vulnerabilities, misconfigurations and the inevitable human error. Even highly targeted attacks, such as advanced persistent threats (APTs), enterprise ransomware and nation-state espionage campaigns, which tend to rely on months of reconnaissance work, succeed not solely thanks to the sophistication of the tools threat actors have access to, but because of a fundamental problem in the current approach to cyber security.
Part of the problem is the way solutions are being implemented. For the most part, everyone is adopting the same control-based approaches – which are more compliance and policy based – and the same technology approaches, which are vulnerability-based, indicator of compromise-based, and so on. But what if an attacker is able to evade detection at these stages? What if they can mimic normal user behaviour and avoid signature-based detection?
Taking the recent SolarWinds attack as a cautionary tale, threat actors were able to roam free in the network for 95 days before their presence was discovered. Once they were able to evade detection at the entry point and gain access to their targets’ internal networks, attackers managed to stealthily operate for months, despite their victims’ sophisticated security teams, tools and processes. This is a symptom of how our current security controls are too focused on the perimeter and rely excessively on signatures and anomalies for detection. When the attacker circumvents the perimeter, it’s far too easy for them to move laterally without detection.
This is not to say that the perimeter should be disregarded; endpoint threat detection and response remains an important security control that’s an essential part of an enterprise’s defensive arsenal. But these tools are sensitive to change and can only flag anything unusual happening on an endpoint. If an attacker leverages authentic credentials and normal connections and pathways, this technology is no longer sufficient to protect an organisation.
One solution is to use deception-based detection to target lateral movement. If attackers are able to evade EDR tools, it follows that more layers of detection are needed to stop a motivated attacker from reaching critical systems and sensitive data. Once attackers make their way inside their target’s network, their next step is to move laterally and establish a beachhead from which they can look for privileged credentials or exfiltrate data. And that’s where deception comes in.
Deception is a limited offensive action that counterattacks to prevent an adversary from taking digital territory and moving laterally within the network. With deception-based threat detection, organisations essentially acquire visibility beyond the endpoint, so that if something goes wrong at the perimeter level, threats can still be stopped before they can cause harm. This is done by creating a net of fake endpoint connections and by planting deceptive data that looks like what the attacker would need to move towards critical assets. Any time there is an attempt to use one of these artefacts, the attempt is flagged and the user kicked out.
Deception-based detection also has the advantage of being resilient, as it isn’t tied to specific behaviours or signatures. As cyber criminals’ tactics continue to evolve, having controls in place that aren’t sensitive to a particular baseline provides security teams with a tactical advantage. Essentially, any activity that involves a deceptive connection will trigger an alert and expel the intruder.
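A minimal detector in the spirit of the approach described in the two paragraphs above, added here as an illustration and not code from this article or from Illusive: planted decoy accounts and decoy hosts act as tripwires, any log line that touches one is flagged whether the attempt succeeded or not, and the sources to contain are listed. The decoy names, the log format and the sample lines are all constructed for the example.

```python
import re
from collections import namedtuple

# Constructed decoy inventory (an assumption, not Illusive's product data):
# accounts and hosts that exist only as bait, so no legitimate workflow
# touches them and any use at all is a high-fidelity signal.
DECOY_ACCOUNTS = {"svc_backup_adm", "sql_ro_legacy"}
DECOY_HOSTS = {"fs-finance-02.corp.example", "10.20.30.99"}

# Constructed auth-log format: <ts> auth user=<u> src=<ip> dst=<host> result=<r>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

Alert = namedtuple("Alert", "ts src user dst reason")

def check_line(line):
    """Return an Alert if the line touches a decoy artefact, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: not a deception hit, skip it
    f = m.groupdict()
    reasons = []
    if f["user"] in DECOY_ACCOUNTS:
        reasons.append("decoy credential used")
    if f["dst"] in DECOY_HOSTS:
        reasons.append("decoy host contacted")
    if not reasons:
        return None
    # Success or failure is irrelevant: the attempt itself is the signal.
    return Alert(f["ts"], f["src"], f["user"], f["dst"], "; ".join(reasons))

def scan(lines):
    """Run the detector over an iterable of log lines."""
    return [a for a in map(check_line, lines) if a is not None]

def sources_to_contain(alerts):
    """Source addresses whose sessions get terminated (the 'expel' step)."""
    return sorted({a.src for a in alerts})

# Constructed sample log: one benign login, then a decoy credential and a
# decoy host touched from the same source, plus one malformed line.
SAMPLE_LOG = [
    "2021-05-01T10:00:01Z auth user=alice src=10.1.1.5 dst=app01.corp.example result=ok",
    "2021-05-01T10:02:17Z auth user=svc_backup_adm src=10.1.1.77 dst=app01.corp.example result=fail",
    "2021-05-01T10:02:19Z auth user=alice src=10.1.1.77 dst=fs-finance-02.corp.example result=ok",
    "not a log line",
]
```

Because the decoys have no legitimate users, the detector needs no baseline and no signature, which is the resilience property the text describes.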
This type of approach requires a more deterministic view of security: rather than desperately trying to keep attackers out, today’s organisations should accept that compromises will inevitably happen, and prepare to stop them when they occur. Deception technology is the best protection, as it will continuously monitor the network, deterministically detect suspicious activity with high fidelity and stop any lateral movement before the hacker gets a chance to find and encrypt valuable company information.
Robert Golladay is EMEA and APAC director at Illusive.