New Services to Deceive the Deceivers

An increasing number of companies are looking at an innovative approach to dealing with hackers who attempt to break into their computer networks.  Note to hackers who may be reading this article: "There is nothing here of interest to you."

Companies are adding a new tool to their cybersecurity defenses called deception technology, which seeks to trick hackers into thinking they are getting close to critical data.  It lures cybercriminals toward what looks like the good stuff and then traps them.  The idea is to convince attackers they have been successful, so that they reveal their methods.

This is what Land O'Lakes, the suburban Minneapolis agricultural giant, is doing today.  "Manufacturing-plant technology is difficult to protect, because those mills, generators, and turbines were built 20 years ago with little consideration for security," says the Land O'Lakes Chief Information Security Officer.  If a hacker shuts down a dairy plant, "we lose hundreds of gallons of milk that we've already paid for.  And we can't make any butter."

The company now uses a tool called DeceptionGrid, from Boston-based cybersecurity vendor TrapX.  It deploys an array of decoys and booby traps throughout the Land O'Lakes network that mimic crucial information, to convince hackers that they have reached the company's crown jewels.  "Once any of the [decoys] are accessed or probed in any way, one centralized console alerts us, so we know to start investigating the source of that activity," says the Land O'Lakes CISO.  The team can then contain the intruder.

This method is known as deception technology, and it is gaining momentum as cyberattacks become more sophisticated and as the world moves to less-secure work-from-home models and cloud computing.  Unlike a firewall, it does not try to bar intruders from getting in.  Instead, it scatters fake information throughout a company's network, such as false credentials that appear to unlock vital systems, to lure attackers into revealing themselves.

When an attacker picks up the false information and tries to use it, the company is alerted and can either eject the intruder or isolate them from the rest of the network to study their methods and recognize them more readily in the future.  Land O'Lakes says the technology has helped shield it from attack.  In one case, a contractor's laptop was infected with malware that began scanning the network.  The malware hit many of the decoys, and the security team was able to locate the source and disable it quickly.  Land O'Lakes reports that it has not had an attack from an unauthorized outsider since it implemented deception technology.  "We still have the older defenses like firewalls in place," the CISO says, "but we layer deception tech on top of it."
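A concrete way to see how the "false credentials" approach works, as an added example that is not the Land O'Lakes deployment or any vendor's code: a small Python script that generates decoy accounts and then scans authentication logs for any use of them.  The account names, hostnames, addresses and log lines are constructed for the illustration, and the sshd and Windows log formats are simplified.  Because no legitimate user or process ever references a decoy account, a single hit is an alert, which is why detection of this kind produces so few false positives.

```python
# Added example: honeytoken ("canary") credential detection. Not code from the WSJ
# article, Land O'Lakes, TrapX or any other vendor named on the page. All account
# names, hosts, addresses and log lines below are constructed for illustration.
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass


def generate_decoy_credential(prefix: str = "svc") -> tuple[str, str]:
    """Return a plausible-looking (username, password) pair that no real account uses.

    The random suffix keeps the decoy from colliding with a genuine account; that
    uniqueness is what makes any later use of it a high-confidence signal.
    """
    alphabet = string.ascii_lowercase + string.digits
    suffix = "".join(secrets.choice(alphabet) for _ in range(4))
    return f"{prefix}_{suffix}", secrets.token_urlsafe(16)


# Decoy accounts planted for this example, mapped to where each was seeded so the
# alert tells the responder which host the attacker has already compromised.
DECOYS = {
    "svc_backup_ro": "browser password store on finance laptops",
    "ansible_deploy": "commented-out entry in ~/.ssh/config on jump01",
}

# OpenSSH auth.log wording (simplified).
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Simplified key=value export of Windows Security events 4624 (logon) / 4625 (failure).
WIN_RE = re.compile(
    r"EventID=(?P<eid>4624|4625) .*?TargetUserName=(?P<user>\S+) .*?IpAddress=(?P<src>\S+)"
)


@dataclass(frozen=True)
class Alert:
    user: str        # decoy account that was used
    source: str      # where the attempt came from
    outcome: str     # "success" or "failure"; both matter, a failure is still a probe
    planted_at: str  # where the decoy was seeded, i.e. what the attacker has reached


def parse_auth_event(line: str) -> tuple[str, str, str] | None:
    """Return (user, source, outcome) for a recognised auth line, else None."""
    m = SSHD_RE.search(line)
    if m:
        return m["user"], m["src"], "success" if m["result"] == "Accepted" else "failure"
    m = WIN_RE.search(line)
    if m:
        return m["user"], m["src"], "success" if m["eid"] == "4624" else "failure"
    return None


def detect_decoy_use(lines, decoys: dict[str, str] = DECOYS) -> list[Alert]:
    """Flag every authentication attempt, successful or not, that names a decoy account.

    Real users and services never reference a decoy, so there is no baseline to
    learn and no threshold to tune: one hit is one alert.
    """
    alerts = []
    for line in lines:
        event = parse_auth_event(line)
        if event is None:
            continue
        user, src, outcome = event
        if user in decoys:
            alerts.append(Alert(user, src, outcome, decoys[user]))
    return alerts


# Constructed sample log: two legitimate logins mixed with three decoy touches
# from the same internal address, the pattern a scanning laptop would produce.
SAMPLE_LOG = [
    "Dec  8 09:14:02 jump01 sshd[2231]: Accepted publickey for alice from 10.20.1.15 port 50112 ssh2",
    "Dec  8 09:16:40 jump01 sshd[2298]: Failed password for invalid user ansible_deploy from 10.20.9.77 port 41002 ssh2",
    "Dec  8 09:16:41 jump01 sshd[2298]: Failed password for invalid user ansible_deploy from 10.20.9.77 port 41002 ssh2",
    "EventID=4624 LogonType=3 TargetUserName=bob IpAddress=10.20.1.30",
    "EventID=4625 LogonType=3 TargetUserName=svc_backup_ro IpAddress=10.20.9.77",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"ALERT decoy {a.user} used from {a.source} ({a.outcome}); seeded in {a.planted_at}")
```

Run it directly to print the alerts for the sample log.  In a deployment the same check would run against the SIEM's authentication feed, and the decoy credentials would be seeded where an attacker looks first: browser password stores, SSH configs, scripts and file shares.  The three alerts here all point at 10.20.9.77, which is exactly the "locate the source" step described above.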

Deception technology is an evolution of an older idea, the "honey pot": a fake server that mimics one of the company's real servers, sits passively, and waits for an attacker to climb in.  The limitation of these baits, which have been in use for over 20 years, is that they let security teams only monitor and learn the behavior of bad actors as they move toward high-value targets.  Studying patterns is useful, especially if that intelligence can be fed into a machine-learning system to adapt to hackers' tricks, but by itself it does not capture the attackers.

Honey pots can be linked together into a larger network called a honeynet to make them more effective, but that was not and still is not cheap, says the CISO at Voya Financial, who built such a network for the financial-services company last year.  A large bank, for instance, could pay up to $1 million in subscription fees alone for such a setup, he says, "plus you have to hire human monitors," which raises the price substantially.

Enter deception technology.  Unlike honey pots, it is designed not only to study attackers but to stop them outright.  As soon as a malicious actor interacts with a decoy, an alarm is raised, and the security team can go into active-defense mode, isolating or ejecting the attacker before anything valuable leaves the network.  Because deception technology operates within the main network and requires very little hardware or infrastructure, it can be far more cost-effective.  That placement also carries a risk: since the decoys live inside the main network, there is always the chance that an attacker who has gotten in reaches real assets instead of decoys.  Users therefore couple deception systems with traditional defenses such as firewalls, anti-malware, encryption, and authentication systems, which aim to keep attacks out of the network in the first place.  In other words, defense in depth.
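The decoy side of the same idea, as an added example that is not the TrapX product or any code from the article: a minimal TCP decoy that presents a fake FTP banner and records every connection as an alert.  Anything that touches it is hostile by definition, since no real client is ever pointed at it, which is what lets the alarm fire on first contact rather than after a pattern emerges.  The service name, banner and probe payload are constructed for the illustration, and the loopback self-test stands in for an attacker's scanner.

```python
# Added example: a single-port network decoy. Not TrapX DeceptionGrid or any code from
# the WSJ article; the hostname in the banner, the decoy name and the probe payload
# are constructed for illustration.
from __future__ import annotations

import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class DecoyAlert:
    decoy: str          # which decoy was touched
    peer: str           # source address of the probe
    first_bytes: bytes  # what the visitor sent, kept short for triage


def handle_probe(decoy: str, peer: str, data: bytes) -> DecoyAlert:
    """Turn one interaction into an alert.

    No legitimate client has any reason to connect to a decoy, so every
    connection is reported: there is no allowlist and no threshold.
    """
    return DecoyAlert(decoy, peer, data[:64])


class DecoyService:
    """A TCP decoy that answers with a fake banner and records every visitor."""

    def __init__(self, name: str, banner: bytes, host: str = "127.0.0.1", port: int = 0):
        self.name, self.banner = name, banner
        self.alerts: list[DecoyAlert] = []
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)     # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        if self._thread.is_alive():
            self._thread.join()
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (peer, _) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)          # look like a real service
                try:
                    data = conn.recv(1024)         # capture the first command sent
                except socket.timeout:
                    data = b""
                self.alerts.append(handle_probe(self.name, peer, data))


def simulate_probe(port: int, payload: bytes) -> bytes:
    """Play the attacker's scanner: connect, read the banner, send one command."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def demo() -> tuple[bytes, list[DecoyAlert]]:
    """Stand up the decoy on loopback, probe it once, and return what each side saw."""
    decoy = DecoyService("decoy-ftp-01", b"220 fileserver01.corp.example FTP server ready\r\n")
    decoy.start()
    try:
        banner = simulate_probe(decoy.port, b"USER sa\r\n")
    finally:
        decoy.stop()
    return banner, decoy.alerts


if __name__ == "__main__":
    banner, alerts = demo()
    print("scanner saw:", banner.decode().strip())
    for a in alerts:
        print(f"ALERT {a.decoy} touched by {a.peer}, sent {a.first_bytes!r}")
```

In a real deployment the alert would go to the central console rather than a list, and many such decoys would be spread across subnets with banners chosen to match the environment, so that a scanning host (like the contractor laptop described earlier) trips several of them within seconds of starting.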

"I'm adamant about [defenses like deception technology] being only one component of the security strategy," says the principal security researcher at deception-technology maker Rapid7 in Arlington, Va.  For instance, he says, he builds defenses into his systems to look for suspicious credential use, such as employees logging in from new locations.

The chief executive of deception-technology firm Illusive Networks says the technology is more widespread than many assume, especially in highly regulated industries such as banking, insurance, and government.  Illusive's view is that to stop an attack, you have to think like a cybercriminal.  "If I'm an attacker, I'm going to dig into your browser history and find your saved login credentials. And I'll go unnoticed because I'm using the same pathway that you use to log into the cloud as part of your daily routine," he says.

Illusive's technology plants dozens of fake but believable data points on every company-issued laptop or cellphone.  If an attacker exploits an administrator's credentials, the system disorients them with deceptive data and alerts defenders to an unauthorized presence on the network.  Setting up the system takes less than a second, Illusive says, "and we have a 95% true-positive rate, meaning almost no false alarms."

One of Illusive's competitors is Attivo Networks, of Fremont, Calif., which in 2018 helped supplemental-insurance giant Aflac install deception technology.  Aflac's global CISO is now rolling the system out to subsidiary networks.  "Fortunately, we have not caught a criminal, but that means we have a high belief that so far we have had no theft," they reported.

TrapX's vice president of growth and strategy says people would be surprised to see exactly how and where companies are hacked.  "A lot of times it's a third party that comes in with a USB to service a machine, and it has [ransomware] on it," he says.  He knows of a petrochemical plant in Europe that was not connected to the internet but was infected with ransomware through a coffee pot in a break room that was online.  "Attackers are agile and fast.  They are adapting to the new-normal chaos, taking advantage of remote workers and new security gaps," says TrapX.  "When security analysts can focus on real threats detected through deception technology, they waste less time chasing false alarms, and a quicker response means reduced loss."  And beware of those complicit kitchen appliances.[1]

Red Sky Alliance has been tracking cybercriminals for years.  Throughout our research, we have learned through our clients that installing, updating, and monitoring firewalls, employing sound cybersecurity practices, and providing proper employee training are keys to success, yet unfortunately at times not enough.  Our current CTAC and RedXray tools provide a valuable look into the underground, where malware and all its different variants are bought and sold.  This includes forum conversations about vishing techniques.  Our information can help support current protections with proactive underground indicators of compromise.  Please feel free to contact our analyst team for research assistance and cyber threat analysis for your organization.

Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.  

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949

[1] https://www.wsj.com/articles/in-battle-against-hackers-companies-try-to-deceive-the-deceivers-11607371200