Deception: A part of security ecosystem

When it comes to IT security, experience tells us there is no system to protect us completely.

You can invest tens or hundreds of thousands in different security solutions, but you still won’t get a 100% guarantee. This means IT security is all about reducing the risk: by investing in it, you essentially lower the possibility of a security breach or data loss.

Did you know?
18% of organizations reported a ransomware attack in 2020.

However, things are not as dreadful as they might seem. Deception technology has lately become a key strategic tool in many organizations, and experienced professionals are already well aware of MITRE. Famous for its MITRE ATT&CK methodology, MITRE helps develop threat models and defensive methodologies for the private and public cybersecurity community alike. Recently, MITRE Shield has been introduced – an active knowledge base that records and organizes defensive techniques in line with the MITRE ATT&CK tactics.

Did you know?
A cyber-attack is happening every 39 seconds.

The MITRE Shield methodology focuses on active defense and engagement of the attacker, stepping away from the passivity of traditional network defense. This is the first time Deception has been referenced within a MITRE methodology, which is of great importance.

Cyber criminals are continuously developing their tactics, which makes traditional solutions insufficient against today’s sophisticated attacks. Companies must not rely on the sheer hope that firewalls will be enough to protect business-critical systems and information: instead, they should consider the “active defense” described in MITRE Shield, to make this fight a more equal one.

Did you know?
Ransomware attacks have increased by 148% in March 2020 due to Covid-19 crisis.

Why Deception?

The key to Deception technology and its importance is that it goes beyond simple detection: it identifies and prevents lateral movement, one of the hardest aspects of network defense. The last couple of months have been especially challenging for security teams: the global pandemic and the sudden shift to remote working have made organizations much more vulnerable. Cyber criminals are well aware of this, and they exploit it.

In 2020, the number of data breaches nearly doubled compared to the previous year, with more than 3,950 incidents by August. What’s more, breaches that have not yet been discovered are not counted here: attackers who gain access to a company network can plan their moves for weeks or months before acting.

Did you know?
The average ransomware payment has increased by 33%, up to $111,605, compared to Q4 2019.

Deception is essentially a shadow network. Its “traps” do not affect the real infrastructure, which makes it valuable for a variety of environments, including IT, OT and Internet of Things (IoT) devices.


How does Deception work?

By placing assets that act as “baits” and creating false data, Deception adds a fake layer to your infrastructure. It helps defend against threats because legitimate users have no reason to touch that layer: only someone actively probing the network (or a misconfigured system) will ever come into contact with it, so every interaction is a high-fidelity signal.

Additionally, if an intruder interacts with the fake layer, it means they have already found a way through all of your other security layers and the real assets are at risk. This is why the forensic data Deception provides is a critical part of your threat awareness. It allows you to discover the breach early on: from the moment you receive the first Deception alert, you can decide whether additional forensics are needed, how to organize your security experts to neutralize the threat, and so on.

Apart from “feeding” the existing tools with information, Deception is also quite useful when making security-related decisions. What is to be done with the attacker: contain them, keep them under surveillance, limit their access, or eradicate them entirely? How can you use the forensic data? Can you take the identified IoC (Indicator of Compromise) and find other devices with the same infection? Can you stop the processes involved to remove the risk?

Finally, using the forensic data, you can strengthen your firewall and block the malicious IP addresses connected to the campaign. If the attacker has injected malicious code into your system to secure outside access, that code can be analyzed and its indicators stored in the security ecosystem to prevent any C&C (Command and Control) activity before the next attack begins. Likewise, you can change the credentials of a compromised account on the first warning.
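To make the workflow of the last few paragraphs concrete (a decoy is touched, the touch becomes an alert, the alert yields an IoC, and the IoC is used to find other affected hosts and to feed the firewall), here is an added example of a minimal deception monitor. It is not code from the original post or from any deception product; the decoy inventory, the log format and every log line are constructed for illustration, and the firewall rule syntax is a generic placeholder rather than any vendor's.

```python
"""
Added example (not from the original post): a minimal deception monitor.

Assumptions (all constructed for illustration):
  * DECOYS lists fake assets that no legitimate process should ever touch:
    a decoy host, a decoy share path and a honeytoken credential.
  * LOG_LINES are constructed connection/auth events of the form
    "<ts> src=<ip> dst=<ip> user=<name> action=<verb> target=<path>".
Any event that touches a decoy is a high-fidelity alert; its source IP
becomes an Indicator of Compromise (IoC) used to pivot over the rest of
the log and to produce a block list for the firewall.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed decoy inventory. Nothing legitimate points at these.
DECOYS = {
    "hosts": {"10.0.9.250"},                 # decoy server with no business role
    "shares": {"\\\\fs01\\finance_backup"},  # fake share seeded with fake data
    "users": {"svc_backup_ro"},              # honeytoken account, never used
}

# Constructed sample log: mostly benign traffic plus one intruder probing decoys.
LOG_LINES = [
    "2020-09-01T08:00:01 src=10.0.1.15 dst=10.0.2.10 user=alice action=smb target=\\\\fs01\\finance",
    "2020-09-01T08:00:05 src=10.0.1.22 dst=10.0.2.10 user=bob action=smb target=\\\\fs01\\hr",
    "2020-09-01T08:01:10 src=10.0.3.77 dst=10.0.9.250 user=admin action=ssh target=-",
    "2020-09-01T08:01:12 src=10.0.3.77 dst=10.0.2.10 user=svc_backup_ro action=smb target=\\\\fs01\\finance_backup",
    "2020-09-01T08:02:00 src=10.0.3.77 dst=10.0.2.44 user=admin action=rdp target=-",
    "2020-09-01T08:03:00 src=10.0.1.15 dst=10.0.2.10 user=alice action=smb target=\\\\fs01\\finance",
]


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    user: str
    action: str
    target: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, *fields = line.split(" ")
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, kv["src"], kv["dst"], kv["user"], kv["action"], kv["target"])


def decoy_hits(event: Event) -> List[str]:
    """Return which decoy elements the event touched (empty list = benign)."""
    hits = []
    if event.dst in DECOYS["hosts"]:
        hits.append(f"host:{event.dst}")
    if event.target in DECOYS["shares"]:
        hits.append(f"share:{event.target}")
    if event.user in DECOYS["users"]:
        hits.append(f"user:{event.user}")
    return hits


@dataclass
class Investigation:
    alerts: List[dict] = field(default_factory=list)             # decoy interactions
    iocs: Set[str] = field(default_factory=set)                  # attacker source IPs
    exposure: Dict[str, Set[str]] = field(default_factory=dict)  # IoC -> real hosts it reached


def investigate(lines: List[str]) -> Investigation:
    """Pass 1: every decoy touch is an alert and yields a source-IP IoC.
    Pass 2: pivot on those IoCs to list the real (non-decoy) hosts they reached,
    i.e. where the attacker may already have moved laterally."""
    events = [parse_event(ln) for ln in lines]
    inv = Investigation()
    for ev in events:
        hits = decoy_hits(ev)
        if hits:
            inv.alerts.append({"ts": ev.ts, "src": ev.src, "hits": hits})
            inv.iocs.add(ev.src)
    for ev in events:
        if ev.src in inv.iocs and ev.dst not in DECOYS["hosts"]:
            inv.exposure.setdefault(ev.src, set()).add(ev.dst)
    return inv


def firewall_block_rules(inv: Investigation) -> List[str]:
    """Render the IoCs as deny rules (generic placeholder syntax, not a vendor's)."""
    return [f"deny ip from {ioc} to any" for ioc in sorted(inv.iocs)]


if __name__ == "__main__":
    result = investigate(LOG_LINES)
    for alert in result.alerts:
        print("ALERT", alert)
    print("IoCs:", sorted(result.iocs))
    print("Real hosts reached by IoCs:", {k: sorted(v) for k, v in result.exposure.items()})
    print("\n".join(firewall_block_rules(result)))
```

Run as a script, the monitor raises two alerts for 10.0.3.77 (the SSH probe of the decoy host, then the honeytoken account opening the decoy share), and the pivot shows that the same source also reached two real hosts, which is exactly the lateral-movement picture the forensic data is meant to expose. Deduplicating IoCs per source and pivoting before blocking is a deliberate choice: blocking first would stop the connections, but the exposure list is what tells the responders which real systems need to be examined.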

As you can see, Deception technology builds on traditional, well-known tools from your security arsenal. Fed with Deception's forensic data, these tools can strengthen the whole security ecosystem, making it ready to defend itself even against attacks you would otherwise have missed.
