Site navigation

Should you Adopt Deception-based Tools to Protect Against Cyber-threats?

Graham Turner


Deception-based tools
DIGIT speaks to Robert Golladay, EMEA and APAC Director at Illusive, about the cybersecurity landscape and how deception-based tools are beating pen testers.

1.5bn attacks on IoT devices, 14.6 million ransomware attacks in the UK this year and a 45% increase in phishing email attacks.

These stark statistics are the reality – cybersecurity protocols are failing; businesses are under constant threat and the current approach just isn’t cutting it.

Robert Golladay, EMEA and APAC Director at Illusive, is cognisant to the fact that there are plenty of options out there when it comes to cybersecurity. But many of them are approaching the problem reactively as opposed to proactively.

Golladay’s take is that to be effective in cybersecurity, more companies need to adopt deception-based technology. An approach that essentially uses techniques inspired by the hackers themselves.

“In a lot of cases with a large corporation – whether it’s via shadow IT, or it’s simply cloud apps that have been licensed that you didn’t know about, you end up with data and information all over the place that you didn’t know you need to protect.

“The signature move of cyberattackers is lateral movement in a network. For example, an attacker infiltrates via the cloud, or they come in through an enterprise email attack, they land on a workstation, or they end up on a print server or somewhere in the network.

“They’re going to have to move from that point to get to their end goal. That’s where deception-based technology can come in. You can stop them there. You can track, in real time, where an attacker lands and where they move from that point.”

Understanding these attack surfaces is of paramount importance. Second, what techniques and tools do you put in place to now become offensive yourself?

The crown jewels

One of the biggest issues many companies have is that they struggle to identify the critical assets of their business. And, if you don’t know where the value is in your business, it’s difficult to protect it.

That’s why, for Golladay, it’s vital that you determine what it is in your business that’s vital to protect. Or, its “crown jewels”.

“The first thing you have to understand is what’s at stake and where does that data and information live.

“There are the obvious things like a customer database. If I’m a pharmaceutical company, it’s my drug discovery data, and my clinical trial data. If I’m an online retailer, it’s my customer databases, or it may be the contracts I’ve got with my supply chain.

“We must understand value at risk, we have to understand where your crown jewels are. And then you can start to put controls in place that are going to protect that value at risk.”


The cybersecurity quandary

Golladay identifies three critical problems in many businesses’ security environments. The first is the means in which they can gain access to your network – credentials and poorly protected networks.

“[Errant credentials and connections] are what the attacker is going to use to move laterally in the network. If you can do reconnaissance and remediation of the attack surface, we can build an attacker’s view of the network, find the errant credentials and connections, and then remediate, or remove those.”

This of course begs the question, how do these discrepancies end up there in the first place?

“It could be as simple as a help desk,” says Golladay.

“You work from home, Help Desk calls, gives you advice on a problem. Right there, what they’ve done is they’ve connected into your laptop through something called RDP. Through this, they leave their credentials in memory when they think they’ve disconnected properly.

“It’s as simple as that. There are many other ways – software being installed, shadow admin accounts, local admin accounts, domain admin accounts. The bottom line is, can we find where those credentials are? Can we eliminate them and thereby reduce the attack surface?

“The second problem clients have is around the problem of lateral movement. How do you implement early detection, and that’s where deception technology comes into play.

“The other problem is that there’s a lot of data and information coming off the network. So if I detect someone, how do I get the right data to the right person, at the right time?

“What you don’t want to do is detect an attack, then find out it happened two days ago, and you just never presented it to the right person. So, this idea of being able to do real time forensics, in early detection are, are essential.”

Deception-based tools

How deception-based tools addresses this

Slowing an attacker down can be the difference between a minor and major attack. If you can send a hacker down a rabbit hole that essentially identifies the tools they’re using and informs how they exploited your system, you can react and stop the problem before it becomes serious.

“If I can use machine learning and other advanced techniques, to understand your specific attack surface – the systems that you use, the operating systems, the browsers, the networks, flavours of cloud that you use, then I can create lures or breadcrumbs.

“Think of it as like a honey glaze, spread completely across the network. In doing this, if an attacker lands somewhere in the network, they are presented with a hall of mirrors. We create credentials that look valid, but are in fact traps for attackers.

“It’s reflective of a hacker’s mindset, based on obfuscation.

“If an attacker attempts to use one of those lures, we slow them down, put them into a tar pit, effectively. We then collect data off what they’re doing and infer intent.

“We can also find out what tools they’re using. In many of the attacks that we’re seeing, they’re never before seen tools. Which means you can do a screen capture off the endpoint that they’re on and get that information immediately to a security analyst or an incident response team.”

Why the approach to cybersecurity needs to change

A huge issue in the approach to cybersecurity right now is rooted in something akin to apathy. The idea of ‘assumed breach’ – a self-defeating terminology where you approach cybersecurity from the standpoint that you’ve already been compromised. This is a big problem.

“Almost all big companies run red team exercises, penetration tests, etc. Oftentimes, they are judged on whether they did better than the last attack, which is just not the way to go.

“It should be pass or fail. Because if you can’t beat a red team, or a pen tester or an ethical hacker, then how can you beat a real attack? That’s why deception-based technology is a requirement in any modern security attack security stack.

“That doesn’t mean that it’s going to replace something like endpoint detection and response solution. It’s there to augment some of the existing security controls.

“Fundamentally, that red team, penetration tester or white hat hacker needs to be defeated and it needs to be defeated consistently.”

All this ties into Golladay and Illusive’s stance that the mindset has to change from defence to offence.

“If you take the stance that the attacker is already in your network, then your approach to life becomes quite different. You move away from a defensive mindset to an offensive mindset.

“You move away from just simply counting on your EDR control on the endpoint, to having a true active defence for offensive stature in the network. And that, of course, is where this whole this whole point of deception technology comes in.”

To round off, Golladay gives an eyebrow raising case study that sums up the need for a change in security architecture, approach and implementation.

“This particular organisation was quite concerned about nation state attacks, because 40% of their goods were being sold in China, and they were extending their supply chain in China. They were very concerned about enterprise ransomware.

“Their Risk and Audit Committee said, ‘let’s bring the best ethical hacking company that we can and see what damage they can do in our network’. They had invested a huge amount of money in cybersecurity and thought their system was impenetrable.

“They brought in this ethical hacking organisation gave them an entry point into the network. And within 24 hours, these guys were on a domain server and able to harvest the domain admin credentials and declared themselves king of the hill.

“Nine months later, they brought in deception technology, deployed it throughout the network, and brought in the ethical hacker to redo the exercise. They attempted to use the credentials to do damage in the network and were busted through that approach.”

Get the latest news and features from DIGIT direct to your inbox

Our newsletter covers the latest technology and IT news from Scotland and beyond, as well as in-depth features and exclusive interviews with leading figures and rising stars.

We will keep you up to date on the pivotal issues impacting the sector and let you know about key upcoming events to ensure that you don’t miss out on what’s going on across the Scottish tech community.

Click here to subscribe.

Graham Turner

Sub Editor

Latest News

%d bloggers like this: