
Simon Marshall

Startup Attivo Advocates for 'Deceptive' Security Protection

When it comes to security, how deceptive should enterprises be to thwart cybercriminals? Attivo Networks and a number of other security startups are advocating a different approach.

Is it next-generation threat detection? Is it counter-hacking? One thing we know is that it's designed to lure hackers to a replica enterprise environment so that threats can be eliminated. It's deception.

Startups in this niche include TrapX Security, GuardiCore and Attivo Networks, which recently closed a Series C round for $21 million. (See Attivo Goes On the Attack Against Hackers.)

"Why does this company exist? It really boils down to that a perimeter-based defense is just not reliable anymore," Carolyn Crandall, chief deception officer and CMO at Attivo Networks, told Security Now. "People can and will get into the network, and over the last couple of years, people are accepting that."

Crandall is adding her voice to a growing number of experts who agree that the better strategy is to accept that penetration is inevitable, and that the focus should therefore be on protecting the data inside the network, not on erecting a fence around it.

One of the dangers, according to Crandall, is that hackers booted off the network can easily get straight back in. To counter this, a response at scale is required, and detection and response has become part of the security control stack. But detection is hard: with limited information, it is tough to get one's arms around the alert volume and decide which threats are the most virulent.

Threat detection is flawed
Standard threat detection technologies are flawed, in Crandall's view, because they basically only generate alerts. They rarely provide information about the type of threat, the techniques used or the attacker's tools, which makes it hard to respond by, say, automating quarantine blocking or hunting down the threat to eradicate the attack.

Attivo lays traps in the network: decoys that mirror the existing environment so that hackers believe they have successfully accessed production systems and are encouraged to interact with them. Crandall has seen a shift in the market from three years ago, when companies believed all they really needed was prevention.

"Now people are shifting their budgets, they're adopting detection," she said.

"Decoys can be set up to look like endpoints, servers, POS networks, industrial control fuel sensors, or maybe direct infusion pumps at a hospital," Crandall added. "We can take anything that runs an operating system and we can make the decoy look identical to production assets, by running on their software."

So, if the decoys are identical, how are the odds improved that a hacker will be snared?

Making decoys more pervasive than real network assets improves the chances that a hacker will engage one. The decoy environment is not an emulation; it runs the same software as the real network, sweetened with bogus assets such as honey docs.
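The density argument above can be made concrete. The following added example (not code from the article or from Attivo) models an attacker who touches a number of distinct hosts chosen uniformly at random and computes the probability that at least one of them is a decoy, plus the number of decoys needed to reach a target detection probability; the asset counts and probe counts are constructed assumptions.

```python
from math import comb


def decoy_engagement_probability(real_assets: int, decoys: int, probes: int) -> float:
    """Probability that an attacker who interacts with `probes` distinct hosts,
    chosen uniformly at random from the network, touches at least one decoy.

    Modelled as the complement of a hypergeometric draw: the attacker avoids
    every decoy only if all `probes` hosts come from the `real_assets` pool.
    """
    total = real_assets + decoys
    if probes <= 0 or total == 0 or decoys <= 0:
        return 0.0
    if probes > real_assets:
        # More hosts touched than real assets exist: a decoy is unavoidable.
        return 1.0
    p_all_real = comb(real_assets, probes) / comb(total, probes)
    return 1.0 - p_all_real


def decoys_needed(real_assets: int, probes: int, target: float, max_decoys: int = 100_000) -> int:
    """Smallest number of decoys such that an attacker touching `probes` hosts
    engages a decoy with probability >= `target`. Returns -1 if the search
    limit is exceeded."""
    for decoys in range(0, max_decoys + 1):
        if decoy_engagement_probability(real_assets, decoys, probes) >= target:
            return decoys
    return -1


def decoy_ratio_sweep(real_assets: int, probes: int) -> dict:
    """Engagement probability at decoy-to-asset ratios of 10%, 50%, 100% and 200%.
    Shows how quickly 'more decoys than real assets' pays off."""
    return {
        ratio: round(decoy_engagement_probability(real_assets, int(real_assets * ratio), probes), 3)
        for ratio in (0.1, 0.5, 1.0, 2.0)
    }


if __name__ == "__main__":
    # Constructed scenario: 100 real assets, attacker touches 5 hosts.
    for ratio, p in decoy_ratio_sweep(100, 5).items():
        print(f"decoy ratio {ratio:>4}: P(engage decoy) = {p}")
    print("decoys needed for 90% detection:", decoys_needed(100, 5, 0.9))
```

The sweep makes the article's point quantitative: once decoys outnumber real assets, even an attacker who touches only a handful of hosts is very likely to trip one.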

Enterprise misconceptions about deception
Enterprises can't be blamed for making assumptions about deception technology, because it's so new.

The first assumption is that a company that is less advanced in its security infrastructure should treat deception as the last thing it adopts. Typically, these are healthcare organizations that have to economize because of small budgets.

Secondly, there is a feeling that integrating deception technology is far from straightforward. Aflac, an Attivo customer, was motivated to try deception because it did not want to make headlines for security slips that reveal PI; by Crandall's account, it easily integrated deception into its security controls system to get a single view.

"If you had asked me two years ago if anybody would have had deception in their budget, it wouldn't have been [there], and not in their initiative list," Crandall said.

In 2018, the big difference will be that budgets are earmarked and put into action, with the extra incentive that, for some firms, deception helps with compliance or M&A strategy, or forms part of an insider threat or supplier management strategy.

Come get me
Is deception encouraging attackers?

The current Active Cyber Defense Certainty Act (ACDC) hacker bill, proposed by Rep. Tom Graves of Georgia, who sits on the House Defense Committee, fundamentally poses the question of whether "an eye for an eye" is OK when it comes to enterprises and consumers striking back.

It's unclear whether users have the stomach or the expertise to "hack back" at attackers and try to retrieve lost data. There are stumbling blocks. Often, enterprises don't have white-hat hackers on staff and would need to look elsewhere for help. Also, attribution is hard, so the chances of attacking the wrong party are extremely high.

"Will they come back at you with greater vengeance?" Crandall asked. The answer is maybe, but she recommends that companies keep their powder dry and use the counterintelligence they gather to fortify their own systems. If there is information useful to law enforcement, hand it over, but don't act on it yourself.

Deception is forecast to grow into a substantial market.

"By 2018, 10 percent of enterprises will use deception tools and tactics, and actively participate in deception operations against attackers," Gartner analyst Lawrence Pingree wrote in a recent report.

On a Fox5 TV appearance this summer, Crandall predicted that, "If we end up going at the pace we are, we're going to have 1,500 breaches this year (in the US), compared to the 1,100 we had last year. Last year there were 4 billion records stolen."

In Security Now's latest poll, the largest percentage of readers (about 45%) said they would go "on the attack" against hackers.

— Simon Marshall, Technology Journalist, special to Security Now
