Turn the tables on your attackers with deception technology

Chris Sienko: Hello and welcome to today's edition of Infosec Institute's weekly video series and podcast. Today our guest is Carolyn Crandall, Chief Deception Officer at Attivo Network, who will tell us about deception technology, incident response teams, and security awareness strategies and triage mechanisms after you've been breached.

Carolyn Crandall is Chief Deception Officer at Attivo Networks. She has over 25 years of experience in building immersion technology and markets in security, networking and storage industries, and is an active speaker on security innovation, CISO forums, and industry events.

In 2018, Carolyn was inducted into the Hall of Femme by DMN, recognized as a Businesswoman of the Year by CEO Today, and as a Power 100 Woman of the Channel by CRN.

In her role as Chief Deception Officer, Crandall focuses on helping organizations mitigate their breach risk by educating them on how to shift from a prevention-based security infrastructure to one of an active security defense, based on the adoption deception cyber warfare. Please welcome Carolyn Crandall, thank you for being here.

Carolyn Crandall: Thank you for having me!

Chris: So, let's start out with the concept of deception technology. It's not necessarily a concept that's common knowledge to all up and coming tech professionals. Can you describe what deception technology is and how it differs from, say, incident response or threat hunting?

Carolyn: Sure, absolutely. And it's really interesting because deception as a method for outsmarting or outwitting the adversary is not necessarily new. It's been used for millennia for military, sports, gambling, chess. It's very common.

But what Attivo has done is that it's brought deception technology into the world of cybersecurity. And it's different because most security mechanisms are all focused on keeping the bad guy out. And in today's world it is impossible, with all the different threat vectors, the attack surface, things are gonna get in. And so deception specifically is designed to lay traps and misdirections for the attacker.

How it would be different from the incident response side of things is that that's generally once you've detected an attack, and you're trying to respond to that attack to stop it, remediate it, and make sure it doesn't return again. And it's kind of a little blend with the deception that it's not only about the early detection, but what some people will deem as an active defense, which pulls in those accident response actions, that says, well, it's interesting to detect the attack, but it's more value to be able to detect and respond, and it's even more interesting if you could automate those things to simplify and speed up that response.

With today's distributive deception platforms, you get the detection plus you get that act of defense all the way through response.

Chris: Okay, sort of walk me through how would one, sort of, implement deception technology or deception response into their security plan? Do you have like an in-house team?

Carolyn: It's really interesting because there's a lot of myths that we come across with deception. And the first says, "Wow, this sounds really complicated. And I am going to need to have a fleet of highly trained personnel on board to be able to run this."

But it's really not true because with today's technology, there are things available like machine learning, which will self-learn the network, and it will basically generate the deceptions for you, and those deceptions could be in the form of network decoys. So, they could look like your servers, your end-points, your routers, your voice systems, industrial control, medical IT.

It really doesn't matter. So, the setup of making those decoys look identical is all automatically generated.

And the second piece people will do is catching the attacker at the endpoint. So, for them to be able to get to their assets, they're not only going to have to do a reconnaissance of the network, but they're going to need the credentials to where they want.

You get those deceptions that are planted out at the endpoint. And again, those are all automatically generated by learning the attributes, and even integrating with active directories. So, you get mirror match authentication plus you get the validation, so that becomes believable to the attacker.

What we found is it generally takes a quarter of a person to deploy and generally within one day, the deception environment, and typically less than a quarter or an eighth of a person to even operate a large global network given the ease of use with commercialized deception projects.

Chris: That's really interesting. And that was gonna be another question I had, so when you were first hired at Attivo, you were tasked with creating the deception technology market from scratch. What were some of the challenges involved with this?  And, as you say, I was going to ask how you might convince the C-Suite of the need such a department, but it sounds like it's a very efficient system that you could certainly sell them on from a financial standpoint. Eighth of a person and so forth.

Carolyn: The biggest challenge with deception is perception. Pretty sophisticated adversaries. Usually it’s “Does this work?”. Is an attacker going to find this believable and fall for it? It's very different than some of the early low interaction emulated type deception, which an attacker could find their way through very easily.

With today's deception it is extremely authentic. It even validates that an attacker is going to take a look, 'cause it's going to look attractive. All it takes is one mistake to reveal them. It is a very useful way of getting the in network, eyes in the network, visibility to threats before they become a problem, which you would think that most people would then go, "This is great. I've invested a lot of prevention. Layering prevention isn't getting me to where I need to be, let's look at detection."

If I can get over the believability hurdle, the next hurdle becomes, "Isn't this a luxury item only for the companies with the most sophisticated security infrastructure, and isn't this what we do last?" What I would say for that is we have quite the mix of customers from very sophisticated to, we had actually a new customer that came on board, they're the first new company. They first purchased a firewall. Their second purchase was deception.

The reason that they went “This is the second purchase” is that for them to get every security control that they would need to have reliable detection, they didn't have that budget. What they needed was very accurate detection when an adversary did get in the network. Or maybe it was an insider, or a supplier, or a contractor that they needed to know with high fidelity, that that attack was there.

A lot of it is taking the C-Suite through, "This is your security controls you have today. Here's the attack phases, here are the different types of attacks, here's the attack surfaces. How confident are you in the reliability of your tools to detect throughout this process?"

It really boils down to deception being the most accurate and efficient form of detection that is out on the market today. That's the hurdle is, breaking down the process that it's not a replacement, keep preventing as much as you can. But here is your eyes and ears visibility in the network with a lot of substantiation when it goes off, 'cause it's only based upon attack or engagement so that they can respond quickly and effectively.

That's a little bit of the top track that we go through. It is working because we are seeing a dramatic increase in sales. But I like to also joke around it's kind of like the first rule of fight club is you don't talk about fight club. The first rule of deception is you don't talk about deception. a lot of companies are out using it, but they're not talking about in big, broad public places.

Chris: When you're using deception in tracking potential attackers and so forth, how much data does that give you about what the attackers are doing, where they're making their way in? Is this the sort of thing where you can sort of see where your soft points are, where your potential breach points are and things like that?

Carolyn: Absolutely. There are different facets of deception, and so I would definitely encourage anybody looking at deception technology to really look at what's within each vendors’ products. Since I work for Attivo, I'll talk a little bit about what is included inside of that platform.

The first thing is it's important to be able to create an environment to detect the attacker, but it becomes more interesting when you can continue to let that attack play out in a sandboxed environment. So you can pick up the full threat intel, you can pick up adversary intelligence, and there are even some things that can be done today to plant deception documents so that you get counterintelligence such as what files are being stolen, geolocation of where they're being opened up.

The ability to be able to pull all of that full TTPs, the IOCs of the attack and be able to share that with other systems becomes extremely valuable in making that alert high fidelity and actionable. We also say actionable with confidence because you know that we're not going off unless something is happening that really shouldn't be.

I think that's where you can look at the detection through the incident response piece. If you go post-compromise, and we've been brought in in situations where we walk with a lot of the large incident response companies. Their concerns are, one, how do I know if this has been eradicated, and in situations where even active directory is compromised, they already know the full map of my network. How do I know if they return? Many will even shoot out a stat that says, "Over 50% of attackers return." How do you set the traps and the landmines when the attacker comes in and returns?

We do a lot of things after a company has been infected, whether it was a full breach or not. But to make sure that it's completely removed and that in places where it will stop the most effectively, those traps are put into place.

Other things that can be done is attack replays, so you can understand how the attacker moves during their attack. You can also get attack path visibility, which people would look at as, "Let's reduce the attack surface." So if I remove those exposed credentials from the network that would lead them to their target, their job just got a lot harder to be able to complete.

There's a lot of visibility tools that are built into the deception platform that will let them know "Here's how you stop them and slow them down and set up those little booby traps along the way to catch them as they're getting close to what they may be looking for."

Chris: Very interesting. It almost sounds like the equivalent would be a house security system where it sort of almost follows the thief after they've tried to break in unsuccessfully and follows them back to their lair or something like that. You can really see the whole path there.

Carolyn: The geolocation is really interesting. I won't say it's going to give you 100% accuracy.

Chris: Yeah, you're not going to break down their evil lair or anything like that I'm sure.

Carolyn: But it's interesting too because a lot of people will go, "Can I invite malware, or do other counter hacking?" And for the record, that is illegal.

Chris: Highly unrecommended.

Carolyn: - oppose that you do that. However, government and military could choose to if they wanted to. But for most organizations, we would say, it just gives you intelligence. Let's take a look at patent theft, IP theft, recent things that were stolen with the autonomous cars. That person wouldn't have been caught. How would they have known that that data even got exfiltrated before all of a sudden their designs showed up somewhere else and created a competitive disadvantage?

This way at least if they lift those documents, they'll get alerted when somebody opens them to say, "Aha, this was the kind of file they were going after or data they were going after, and this is the place that was opened." Again, just a little more counterintelligence to strengthen the defenses.

Chris: What you mean ... when I was talking to you before the interview you said a phrase that stuck out with me was that breaches are inevitable. How do you define that, and how should that concept be internalized by companies’ in-house security departments for an effective strategy?

Carolyn: It's an interesting piece. I was looking at that and some of the notes before, and I thought, "Aha." If I said breaches are inevitable, I probably should rephrase that and say infections are inevitable. I think that breaches could be avoidable with the right measures.

The reality is is that everybody has infections on their network today. It's just a matter of figuring out what's there and how likely is it to harm you. I think it is really important for companies to take an assumed compromised position to their network security. That is that things are in the network, and how accurately and efficiently can you find them?

If you do that you can set up those traps so that the attacker is going to make a mistake. Normally it's the security teams, we have to be perfect, right? We can't make any mistake or the attacker will exploit it. Well, let's make the attacker be perfect. All they have to do is this ping recon lift the wrong credentials and it'll get an alert.

Because of that I think you can stop an attacker early in the cycle before they get a chance to establish a foothold. Even if they don't go to a full breach, there's a mess they can often leave in the network of just things that are time triggered, they compromised your active directory. There are things that become a giant mess to clean up. But if they don't even get a chance to get past the foyer, then we can stop them before any real harm is done.

Chris: Knowing that breaches are inevitable is one thing, but how do you convey this to a staff? This is sort of moving it into the security awareness arena. But how can you convey this concept to your staff without making it seem like the threat isn't a big deal? Because some employees might hear "Breaches are inevitable," and use it as an excuse for risky behavior online. But how do you convey that there's no such thing as a breach proof security system while also making sure that they continue to follow the company's security strategy?

Carolyn: I think the reality is is that we're human, so we're prone with making mistakes and error. That, as a security team you just have to assume that human mistakes are going to happen, and you're never going to get that 100% done. It's really interesting looking at some of the phishing campaigns that are there. We study a lot of these things. You look at it and you go, "Even if you could get down to 10% of your employees are only the ones that make a mistake, make a wrong click, do the wrong thing," that is still a pretty gaping hole.

So as much as you might try to educate your employees, don't click, don't do this or that, the attacker's going to get in. Absolutely educate, "here are the behaviors and things, and don't assume that there is 100% security, and don't assume that there's a silver bullet." That then you start with the foundation that says that if we believe that, now let's do what we would do if we were in a game of chess. You put things around, you take offensive and defensive measures to outmaneuver and you secure it.

I think ultimately, a security team just has to assume that human error is going to happen and that, depending upon the industry you're going to have very aggressive, targeted attacks that are just going to get more and more sophisticated. And as a small company you're not immune either. There are things that you can buy off the dark web now. You can buy these kits to attack and you just slightly repackage them and you're going to get by a small company's security system.

Chris: Again, how do you know when those adversaries get through? Or maybe it's an insider. Make sure you catch it before it becomes a problem.

Assuming your company is breached, what is the next step? Is it possible to examine the end user data through deception to see whether security awareness training or more information for the staff might have prevented it?

Carolyn: In a lot of detection mechanisms, it's not possible because it just blocks or stops. Then all of that information is removed. The neat thing about deception is that we can study the attack. So you can look at the lateral movement. You can look at the targets. You can even do things to fight, figure out what the credentials are that are being stolen. There's a lot of intelligence that can be gathered to strengthen defenses.

We recently set up something where we set up some web servers that were deception to try to figure out whose legitimate credentials were being used to compromise the networks. There's lots of different tools and techniques that we can apply within the deception environment to get a better understanding of who's not patching, who's not using good hygiene. All those other things that may or may not come out with other tools.

There's even some things down to memory forensics which are often lost that we can pick up off the end point in our deception. Again, it helps get a better understanding of what the attacker's tools, methods they were using, and again use that to try to improve. Which is again very unique to deception because so often it's just lost when you just cut off the lifeline and then you just don't know.

Chris: Going back to the scale of things, do you generally recommend having in-house deception teams, or do most people use freelancers to come in? Do you set up a system and let it go? Do you keep someone on staff like that? What are the benefits versus freelancing similar experts on a case-by-case basis?

Carolyn: I think the interesting answer to that is that even in our largest of global networks, they have never added a dedicated person to staff the deception environment. As I mentioned early on, it's usually a quarter to an eighth of a person that will be responsible for managing even these large networks.

I don't think you need to outsource that. There's a lot of native integrations with existing security controls that even make the incident response simplified because we'll just feed that through their fire walls, their knacks, their EDR systems so that all of that is automated and simple.

That said, there are a large number of small organizations that are using managed services for managed prevention. I am a huge fan of managed services to include a managed detection service so that they get the help. Because even if I raise an alert for someone and give them all the information, they may not have the expertise to know how to remediate the situation and to prevent that attacker from coming back.

I think that's a great place for people to get help to make sure it's been eradicated, and it's been remediated and it doesn't have an opportunity to return. But the overall operations of a deception environment to start is actually really recognized for its ease of deployment, the machine learning to make the operations automatic on that; and then you really just get proposed campaigns that will say, "Here's a refresh of the credentials. Here's a refresh of your decoys. Do you like that, push the button." And you're going forward again.

Then we've also done things to create different levels of the user interface. So if you're a very small business, very small infrastructure. You might go, "I just want to operate on a basic menu." And if you're a Fortune 10 costumer, you're probably like, "I'm going to turn on the advanced ones because I want to do a lot more with what the platform has to offer." And there's a lot of things they can do with the platform.

Chris: Is it kind of a sliding scale in terms of buying different packages or different levels or different sizes of security? Or is it just what the organization feels they need and want to incorporate?

Carolyn: It's really all included. So it's really based upon the appetite. I'll say that the majority of people will buy deception for that early and accurate detection. But what they start to fall in love with is all of the other things that they can do for the attack analysis, the forensic program, the automations for incident response.

We kind of joke about it being the week to experience, that when people get comfortable that they've got things deployed, and now they want to start utilizing the tool, understanding how to better respond, how to better visualize the attacks, that's when they kick on the other features.

But there's no incremental charge for those things. They all become available. It's probably just a matter of going from that basic window over to that advanced one and deciding how much customization you want to apply or how many of the features you want to use.

Chris: Can we talk a little about the issue of remote workers and BYOD and so forth? What are some of the strategies used to reduce risks involved in any remote workers and having people offsite or off network and so forth? Is that connected in any way?

Carolyn: It's interesting. We have a lot of conversations around BYOD. It is just such a hard situation. Some of the more interesting ones come out of the university campuses. It is, as they call it, the wild west. They can't control what devices that are coming on the network. They can't control whether they're patched or not patched. They can't control even what they do as students.

I think the reality is that we tried to design a system that said it's going to happen, whether it's BYOD, whether it's an IOT device that has no real security standards or requirements today. There's always going to be something coming onto the network. Again, it just goes back to, in trying to stop it, don't take that approach, but just accept that it's going to happen. Then you put in the controls to trust but verify. Do it in a way that you're not going to get plagued by lots of false positives or other things. Because if that BYOD device sits on your network and nothing bad is happening with it, you might go, "Okay, that's just something I'm going to accept the risk on."

If all of a sudden you start to get reconnaissance coming from that system, or other bad behavior, then you get triggered to say, "I'm just going to isolate it. I'm going to cut it off the system, and then I'm going to go investigate." But now you're working on the needle in the haystack versus trying to remove all the needs before you know whether they're going to hurt you or not.

Chris: In the future, where do you see deception technology going? Everyone I've spoken to in the last couple of days about security awareness topics have described it as this arms race of, hackers go up on level, we go up one level, and so forth. Inevitably there's going to be, I imagine, a counter response by hackers, where they find a way to cover their footsteps. Where do you see all this going, and where do see the next big innovation for deception in the future?

Carolyn: I think that you're right, the games are always being upped. I think that that's where the reality is, is that innovation, even free of what an adversary is doing is going to outpace our ability to detect and add the security as quickly as we want, as an overall industry and society.

What you have to do is set up something that regardless of the type of attacks, regardless of the threat vector, regardless of the attack surface, you still have those traps in place to catch the activity before it comes through.

I'm not saying stop trying to innovate to stop and build the tall castles and deep moats. I think that's still an excellent idea. But have your contingency plan, and that says there's always going to be innovation, so let's just plan for it, and let's set the traps so that if the things do get in, we know right away and we can stop them.

From an innovation standpoint, will the attackers get more aggressive? I'm sure they will. Will they react different when they find deception in the environment versus if they don't find it? There's an argument of, will they then attack harder? I would say, you could argue that they won't because now the attack surface just got more harder for them.

They have budgets and time that they're trying to work off of as well. If you make it a harder organization to attack, they may choose a different place to go attack that's easier for them to be successful. At a minimum you're slowing them down so that you have more of a chance to strengthen your defenses against them.

As attack surfaces change, we need to see, and we have seen, deception keep up with things like IOT, SCADA environments, router and VoIP infrastructure, printer infrastructure. There's just so many things that deception has done to, say, regardless of what the attack surface is, we're going to keep covering, and we're going to add the applications and deceptions on top of it.

But we're also going to modify so that as things like serverless computing, containers, other things come in that change the way that you do security that we stay relevant as well. And we continue to be able to offer them the best detection across any attack surface and any form of threat.

Chris: That sounds great. I've been going back to this home defense thing. It seems like it's a really good point, that if a burglar sees a sign in front of the window, then too much time or too much threat or whatever. There's sort of that balance between if they know they're being watched, they're maybe less likely to stick with you. But at the same time you kind have to keep your deception department a secret so they don't necessarily know it on the way in.

Carolyn: Sometimes it does just act as a determent. If you think about it, even having security guards at the front door, there's only so many of them that you can watch people coming in and going that's going to be effective. But you start to plant things throughout the store and put video surveillance and other things, and things that would look like easy targets to steal that have the little buzzers included. That's what we're doing. We're giving that extra line of defense.

Instead of going to three, four, five, six security words at the front door, take a little bit of that investment and put the detection inside so that you can stop things from happening through ... like everything, you never win a chess game without a little mix of offense and defense. That's what we're proposing, and people are buying into today is is that it's a pretty cool and efficient way. And it works. We've got a long list of detections that we found that show that we can outsmart and trip up the adversaries. People are buying into this as the de facto security control for in-network detection.

Chris: That's great. Thank very much Carolyn for telling us about detection today. Thank you all for listening and watching. You can find more of these videos on our YouTube page. Just go to YouTube and type in Infosec Institute and you'll find lots more videos. Career track videos, tool videos, and also these security awareness topics.

If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search for Cyberspeak with Infosec Institute on Apple Podcasts, Stitcher or wherever you get your podcasts.

If you'd like to read more about security awareness topics, please visit resources.infesecinstitute.com where thousands of articles, labs and videos and more. And also check out securityiq.infosec.com. It's a new security awareness system we've built. You can send fake phishing emails to your friends. When they click on them you can find out just who is taking the bait right now.

Again, thank you to Carolyn Crandall from Attivo for her time. Thank you all for watching and listening, and we'll talk to you next week.