LIFARS recently interviewed Mike Fabrico, Sales Director for the US East Coast at TrapX Security. In this three-part interview, we discussed deception technology and why this approach to cybersecurity is growing in popularity amongst the largest companies in the world. TrapX Security currently leads the market, having pioneered the idea of deception technology back in 2010. In addition, TrapX frequently releases new reports, case studies and whitepapers documenting how it repeatedly stops attacks against the largest companies in the world.
LIFARS: “Why has deception-based cybersecurity become such a hot topic? What do organizations need to know about the approach?”
Mike: “Deception-based cybersecurity has gained traction as a result of high-profile cases where it was shown to be effective in stopping highly sophisticated attacks that bypassed other solutions.
The economy of cybercrime is rigged in favor of the attackers, who only need to succeed once, while the defenders must address every breach and vulnerability. Security professionals are leveraging deception to take a more proactive stance, forcing attackers to show their hand by giving up valuable information about their intentions, techniques and attack tools, significantly changing the economy of cybercrime. It’s no secret that cybercriminals are becoming more sophisticated and bolder in their attack methods. Consequently, security solutions must stay ahead of the attackers, not only anticipating their next move but their next series of moves. With this intelligence, security teams can make much more of their existing investment, putting it to use where it is needed and matters the most.”
LIFARS: “Can you give us more details about deception technology and why TrapX introduced this concept to the market to battle cyber-criminals?”
Mike: “Sure! Deception has been used for a long time on the battlefield. Sun Tzu’s Art of War, the millennia-old and highly regarded Chinese book on this topic, discusses the many ways deception can be used to prevail in military conflict. Today’s modern military has developed a full set of policies and supporting doctrine to leverage the strategic benefits of deception, and deception within corporate and government networks can be just as impactful as it is in war. Deception is also used in professional sports. In the NFL, for instance, the play-action pass deceives the defense by causing them to believe in a run play, and then the quarterback bombs the ball downfield after the defenders have moved closer to the line of scrimmage. Why should cybersecurity be any different? What we do by deploying deception technology is baiting, engaging, and ultimately trapping cyber-attackers that have penetrated your network. Deception enhances visibility and helps you identify attackers that have bypassed all your other cyber defenses. Deception fills your network with lures (Tokens) and decoys (Traps) to deceive and detect cyber-attackers within the network. Deception surrounds the attackers with tempting targets. Everywhere they turn, they face immediate identification.
Some more details:
Tokens are fake credentials and scripts that are placed within your real information technology assets. These tokens appear to be exactly what attackers seek – information about valuable resources, credentials, and authentication to escalate permissions – and can include cached credentials, database connections, network shares, and much more. Attackers find this bait attractive and then these fake credentials and fake information lead them directly into a trap.
Traps are fake information technology resources that are placed by automation within your network amongst and between your actual information technology resources. Trap placement is designed to blanket your network with protection. Everywhere an attacker turns they are faced with these traps. An attacker doing reconnaissance will find them almost impossible to avoid.”
LIFARS: “But how is deception different than legacy honeypots?”
Mike: “The simple answer is, legacy honeypots require manual administration and typically require the use of virtualization. This approach does not support the scale of a typical enterprise or government customer. Honeypots are deployed one at a time. Each honeypot requires the setup of a full operating system, with the attendant expense and manual set-up labor. Use of a real operating system in legacy honeypots also puts the defender at risk of the honeypot being compromised and used as a jumping-off point. Deception technology brings automation and large enterprise scale to the deployment of thousands of traps. Also important to note is the integration with ecosystem technologies such as network access control (NAC) that can take indicator of compromise (IOC) data to trigger immediate isolation of an attacker.”
LIFARS: “So how is deception different than other detection approaches?”
Mike: “Great question, let me teach you about detection methodology. It is simple and absolute: just one touch of a trap will set off a high-confidence alert. Alerts are high-accuracy and detect attacks unseen by other cyber defense mechanisms.
Alternate technologies spend a lot of CPU resources filtering traffic, trying to match signatures or guess at signatures, or worse yet, running complex black-box algorithms to try and cluster behavior against some model or another. In the final analysis, these black-box approaches are based on probability. Either the rules are so tight that a target may be missed, or the rules are so loose that so many alerts are produced that they become virtually useless.
That in itself is a major difference!”
LIFARS: “Now that we understand the difference between deception and other detection approaches, what can deception help us understand about cyber attacker activities?”
Mike: “Another great question. Deception technology can help you discover:
- a) Where attackers are hiding in your network;
- b) Which systems they’re interrogating;
- c) What tactics they’re using;
- d) Whether they’re attempting to steal data; and,
- e) Whether they’re attempting to deploy ransomware.
Deception can do all of this without exposing your actual systems and assets.
By deploying fake devices, systems, and assets among your real assets to bait attackers, deception technology shows you which systems attackers and malware are attempting to infiltrate, what lateral spread techniques are being used, and even what an attacker may already know about your network.
Deception also gives you the ability to see how attackers are moving in your network, their primary targets and how they are progressing, exactly, through your infrastructure.
This new information and the anatomy of the attack series provided by deception technology can help you establish or refine your security priorities, including endpoint security, user entity and behavior analytics, and OT/IoT security, and it’s also valuable in helping you justify your current security budget and spend allocations.”
During our interview, Mike mentioned two case studies that document the capture, by use of deception technology, of zero-day malware that had bypassed other security controls.
They are linked below:
LIFARS: “What about highly sophisticated nation state attackers using the most advanced tools and special vulnerabilities? Can deception detect them as well?”
Mike: “Yes indeed, deception technology enables detection of early-breach reconnaissance and lateral movement, regardless of the attacker tools used. Even if an attacker does have access to nation-state intelligence agency grade tools, techniques, and procedures, deception technology can still identify them quickly and effectively, minimizing time-to-breach-detection and reducing or eliminating your potential losses when the next attack on your network inevitably occurs. Several case studies document the capture of nation-state threat actors that had bypassed other security controls by use of deception technology.”
Case studies are linked below:
LIFARS: “Ok Mike, you sold us; now let’s talk strategy. How does deception fit into my organization’s overall threat management strategy?”
Mike: “Organizations have begun moving from a prevention-to-detection ratio of 9:1 to the 6:4 ratio advocated by many security thought leaders. A deception infrastructure is the best way to identify attackers’ positions and gain valuable information about their techniques, tactics, and procedures. Both governments and industries must continue to expand and grow their cyberspace security strategy. Deception technology provides expanded visibility into sophisticated cyber attackers once they are active inside of the targeted networks. This expanded visibility strengthens your consolidated threat management strategy and becomes an essential part of your overall cyber strategy.”
LIFARS: “Does deception work to protect my internet of things (IOT) devices?”
Mike: “Internet of things (IoT) devices are particularly vulnerable to attacker tools propagating through the network. Many IoT devices may have older, embedded operating systems which are closed and not accessible to your IT teams. These unpatched operating systems are highly vulnerable to an attacker’s malware tools and can be used as a foothold for the establishment of an attacker’s “backdoor.” Additionally, most endpoint security and other internal cyber defense tools do not install in, nor protect, IoT devices. The security operations center team has no visibility into an attacker’s presence within these devices. Deception greatly enhances visibility. Deception traps will find lateral attacker movement to or from IoT devices. Almost any way an attacker moves within the network, they will trigger a deception network trap. This makes deception a leading cyber defense technology to secure IoT and connected devices.”
LIFARS: “What is the architecture of deception technology today?”
Mike: “Wow, that’s a great question, I will answer you in detail.
In the past few years, the deception market has evolved from managed honeypots using virtualization towards a full-stack architecture: integrated platforms that include all of the available deception techniques and support the deployment best practices that make these techniques successful. A full-stack architecture would include:
- Tokens/lures that entice attackers to traps or fake IT resources. These lures would be scattered within your real IT resources and then lead the attackers to the deception traps in your network. Nothing is more tempting to an attacker than fake credentials and passwords.
- A disguise of fake network traffic between the traps to distract and confuse attackers in the earliest phase of their reconnaissance within your networks.
- Medium-interaction or emulated traps that enable a broad diversity of fake assets to be deployed easily, and at the lowest cost. Emulations exist for medical devices, automated teller machines, industrial control system components, switches, workstations and much more, by industry vertical, as a comprehensive packaged set.
- Full-interaction traps or full operating system traps (fullOS) enable the deepest attacker engagement and diversion. They are the most expensive to deploy, so it is ideal if the emulated traps can extend, perhaps by proxy, to these fullOS traps.
Most of the vendors within the industry offer one and sometimes two of these capabilities. I can confidently say that TrapX Security is the only vendor on the market that can offer all of these phases and that all three work effectively and seamlessly together.”
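As an added illustration of the token-and-trap mechanics described above (this is example code written for this page, not TrapX's product or anything from the interview), the following Python sketch plants unique fake credentials on real hosts, then treats any contact with the decoy as a high-confidence alert and, when the credential used is one we planted, attributes it to the host the attacker lifted it from. The decoy address, the scanner allowlist, the event format and the host names are all constructed assumptions; the allowlist is there because authorised vulnerability scanners are the one legitimate thing that will touch a trap, and without it they generate the false positives deception is supposed to avoid.

```python
"""Honeytoken planting plus decoy-touch alerting (illustrative, not vendor code)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

DECOY_HOST = "10.0.5.77"          # assumption: the trap's address on the network
SCANNER_ALLOWLIST = {"10.0.0.9"}  # assumption: the authorised vulnerability scanner


@dataclass
class Token:
    username: str
    password: str
    kind: str          # e.g. "cached_cred", "db_conn", "net_share"
    planted_on: str    # the real host where this bait was placed


@dataclass
class Deception:
    tokens: Dict[str, Token] = field(default_factory=dict)  # username -> Token

    def plant(self, real_host: str, kind: str) -> Token:
        """Create one unique fake credential for one real host.

        Uniqueness is what makes a later use attributable: if this username
        ever shows up at the decoy, we know which host it was read from.
        """
        tok = Token(
            username=f"svc_{kind}_{secrets.token_hex(3)}",
            password=secrets.token_urlsafe(12),
            kind=kind,
            planted_on=real_host,
        )
        self.tokens[tok.username] = tok
        return tok

    def evaluate(self, event: dict) -> Optional[dict]:
        """Turn one connection event into an alert, or None if it is expected.

        The decision is binary rather than probabilistic: no production system
        has any reason to talk to the decoy, so every contact is an alert. The
        single exception is the allowlisted scanner.
        """
        if event.get("dst") != DECOY_HOST:
            return None                    # traffic to a real host: not our concern here
        if event["src"] in SCANNER_ALLOWLIST:
            return None                    # known scanner touching the trap: suppressed
        alert = {
            "severity": "high",
            "src": event["src"],
            "service": event["service"],
            "reason": "decoy touched",
        }
        tok = self.tokens.get(event.get("user", ""))
        if tok is not None:
            alert["reason"] = "planted credential used"
            alert["token_kind"] = tok.kind
            alert["likely_foothold"] = tok.planted_on  # where the attacker read the bait
        return alert


def demo() -> list:
    """Run constructed sample events through the trap logic and return the alerts."""
    d = Deception()
    bait = d.plant("ws-finance-12", "cached_cred")
    events = [  # constructed sample decoy/network events
        {"src": "10.0.0.9", "dst": DECOY_HOST, "service": "smb", "user": "guest"},          # scanner
        {"src": "10.0.3.41", "dst": DECOY_HOST, "service": "mssql", "user": bait.username},  # bait used
        {"src": "10.0.3.41", "dst": "10.0.5.10", "service": "mssql", "user": "sa"},          # real host
        {"src": "10.0.7.2", "dst": DECOY_HOST, "service": "smb", "user": "Administrator"},   # blind touch
    ]
    return [a for a in (d.evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Two events reach the decoy from non-scanner hosts, so two alerts come out: the first is attributed to `ws-finance-12` because the credential it used was planted only there, which is the "where are they hiding" answer the interview refers to; the second is a plain "decoy touched" alert with no attribution, still high-confidence because nothing legitimate should have connected.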
LIFARS: “Last question for you Mike, what is the value and what are the expected benefits that enhance situational awareness and visibility for attackers that have already penetrated our network?”
Mike: “Alright, most existing security products do not detect advanced malware or malicious activity in the network. Attackers can work around most standard defense-in-depth products. Deception provides situational awareness into internal networks not provided by other cyber defenses and can save the customer potentially millions of dollars in losses.
Uniquely, we detect midpoint lateral movement by malware or human attacker in real-time which is unseen by other cyber defenses. TrapX monitors and protects these areas.
Reduce time to breach detection (dwell time): deception technology detects the movement of advanced adversaries almost immediately. We dramatically reduce the time to breach detection for the most sophisticated zero-day events, advanced persistent threats (APTs) and other attackers. The time to breach detection is often many months, during which significant damage will be done.
In fact, per the Ponemon Institute report in 2017, the average time to breach detection in 2017 was 191 days (6.5 months!) – this is completely unacceptable!
Uniquely, deception can detect the movement of sophisticated attackers much faster, often within the hour, and substantially reduces the time of breach detection.
This, in turn, reduces the potential for financial loss and impact to business operations.
Reduce false positives and help with SOC team operations: existing security products generate too many alerts. Either the filter is set too low and there are many extraneous alerts, or the filter is set too high and critical events are missed. We decisively identify attackers. Just one touch of our traps and they are caught. We generate almost no false positives – only highly accurate and actionable alerts. They are touching a trap and clearly they should not be doing so. This is recognized as an absolute violation – not probabilistic or subjective. This increases effectiveness and efficiency in the security operations center, saves both time and money, and reduces alert fatigue. Deception generates a small number of highly accurate and actionable alerts. Important events are not missed or ignored by your SOC team.”
In summary, we learned a lot of valuable lessons about deception technology and about how TrapX stops attacks for its many customers.