By Michael Fabrico
The last couple of months have taught us that there is no insurance policy that will keep you safe from a data breach that could harm, if not destroy, your business. Week after week the stories rack up, and big name follows big name admitting that they failed to keep their business and customers’ data secure.
When we analyze the correlation between data loss and dwell time, the pattern is very clear: the longer the adversary is in your network, the more data you’re going to lose. The last five years have seen the majority of the security spend go on prevention rather than detection. This followed an agenda focused on stopping threats, but ignored the fact that once the attacker bypasses the prevention mechanisms, the company is laid bare to massively injurious data breaches.
Early breach detection becomes a key factor in threat management and adversary identification to prevent and minimize losses from data exfiltration.
Let’s try to understand what is required from an early breach detection layer in your environment:
- Supporting large networks and hybrid on-premise / cloud environments. You never know where the attacker will hit.
- Dynamic technology that is impossible to fingerprint. Don’t let the attacker understand what tools you have.
- Quick and easy deployment and maintenance. The over-worked security teams don’t need MORE to do!
- Ecosystem support. Feed the existing tools with high confidence outputs from the system.
Now let’s imagine a technology that adds several deceptive layers (fake assets, fake data, fake applications) on top of the real network to confuse the adversary when they start to move laterally. The idea is that this fake layer makes no changes to your existing topology and adds no active software to your infrastructure, yet is attractive enough that the attacker will waste cycles interacting with the fake assets and trying to compromise them.
Using this ‘fake approach’ rests on one simple fact: no legitimate system or user should ever interact with a fake asset. Following this strategy gives you early breach detection from high fidelity alerts, because every touch of a decoy is suspicious by definition. Remember – no one should be touching something fake!
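To make that principle concrete, here is an added example (not TrapX code, and not part of the original post) that scans constructed NetFlow-style connection records against a hypothetical inventory of decoy addresses. Any source that reaches a decoy becomes an alert, a source that reaches several decoys is escalated, and an allow-list handles the one legitimate case, an authorized vulnerability scanner that sweeps every address; the decoy addresses, scanner address and log lines are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed decoy inventory (hypothetical addresses). These hosts run no
# real service, so any connection to them is a high-fidelity signal.
DECOY_ASSETS = {"10.20.5.77": "fake-fileserver",
                "10.20.5.91": "fake-db",
                "10.20.7.13": "fake-erp-web"}
# Authorized vulnerability scanners sweep every address, decoys included;
# suppress them explicitly rather than tune the decoys (constructed).
KNOWN_SCANNERS = {"10.20.0.5"}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Constructed connection records in a NetFlow-like key=value layout.
SAMPLE_LOGS = """\
2024-03-04T09:12:01Z src=10.20.3.15 dst=10.20.5.10 dport=445 proto=tcp
2024-03-04T09:12:04Z src=10.20.3.15 dst=10.20.5.77 dport=445 proto=tcp
2024-03-04T09:12:05Z src=10.20.3.15 dst=10.20.5.91 dport=1433 proto=tcp
2024-03-04T09:12:09Z src=10.20.9.40 dst=10.20.7.13 dport=80 proto=tcp
2024-03-04T09:12:30Z src=10.20.0.5 dst=10.20.5.77 dport=445 proto=tcp
2024-03-04T09:13:00Z src=10.20.9.40 dst=10.20.1.1 dport=53 proto=udp
"""

def decoy_alerts(log_text, decoys=DECOY_ASSETS, scanners=KNOWN_SCANNERS):
    """Map each offending source to the decoys it touched and a severity."""
    touched = defaultdict(dict)  # src -> {decoy name: first timestamp}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of failing the batch
        rec = m.groupdict()
        name = decoys.get(rec["dst"])
        if name is None or rec["src"] in scanners:
            continue  # real asset, or an allow-listed scanner
        touched[rec["src"]].setdefault(name, rec["ts"])
    alerts = {}
    for src, hits in touched.items():
        # Several decoys from one source looks like segment enumeration
        # (lateral movement), so it is escalated above a single touch.
        severity = "critical" if len(hits) > 1 else "high"
        alerts[src] = {"decoys": sorted(hits),
                       "first_seen": min(hits.values()),
                       "severity": severity}
    return alerts

if __name__ == "__main__":
    for src, a in decoy_alerts(SAMPLE_LOGS).items():
        print(f"{a['severity']:8} {src} -> {', '.join(a['decoys'])}")
```

The returned dictionary is the kind of high-confidence output the ecosystem point above refers to: it carries no noise from real traffic, so it can be forwarded to a SIEM or ticketing tool without further tuning.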
Deception is the next generation of the honeypot, a tool historically used to find new threats. From AV companies to security researchers, the honeypot was designed to find ‘unknowns’ by letting someone interact with an asset for detection and investigation. Applying this approach to a corporate network in search of ‘unknowns’ surfaces the lateral movement and attacker actions that today’s tools miss. Quick deployment and no topology changes mean powerful capabilities for early breach detection.
TrapX Security meets customers every day who are looking for that extra layer within their security stack to detect lateral movement. Deception is more and more commonly adopted by Fortune 500 companies in support of this.
One of the coolest ways to see immediate ROI from a Deception Solution is to ask your Red Team to run a penetration test without letting them know that you’ve got Deception on the network. You’ll be amazed at how fast you get that first, gold alert informing you that your network is under attack and a breach might be in progress.