Tuesday04 October 2022

Illusive Networks says that deception everywhere is the way to go Featured

Reading time is around minutes.

Black Hat 2017, Las Vegas, NV -
When an attacker gains a foothold in a network the first thing they need to do is learn the lay of the land. They have done some research on the target to gather information about possible systems they might encounter. In reality, they do not truly know what is going on. They are likely to have hit an exposed system with little true access into the good parts of the network. They are going to need to check shares, network connections and also scrape memory for and stored credentials. With these in had they begin the process of moving around the network and building their map of the target environment.

What if that same system contained real data and deceptive data? When the attacker scrapes memory for credentials he might find 2 real ones and 8 fake ones. This means that now that attacker has an 80% chance of choosing the wrong credentials and alerting someone to their presence. The same thing can be done with net connections, and network shares. Stacking the deck against the attacker so they are likely to tip their hand and get caught. This is the solution that Illusive Networks described to us during a conversation with Ofer Israeli, Founder and CEO of Illusive Networks on final day of Black Hat 2017.

Illusive gets their inspiration from having members that were formerly part of Israel’s offensive “cyber” warfare unit. They felt that they have a unique perspective on how attackers worked and wanted to turn that into a defensive product. They wanted to see if it really does take a thief to catch a thief. Well, it turns out that this is not always the case. Their initial project did not work out so well and they had to start over. What they came up with is something… we’ll call if different than your normal deception based product.

In the majority of the deception based products they reply on projected or actual systems that appear attractive to an attacker. This is the honey pot style of deception and while this has matured significantly since its introduction it still requires interaction with the deception system to capture an attacker’s movement. There are also issues with honey pots in that they can be fingerprinted and then avoided by an attacker. Yes, there are new methods to help prevent this, but even with dynamic systems and simulated traffic it is possible for an attacker to ID the deception systems and bypass them.

Instead of relying on these systems and fake connections, Illusive networks pushes out deception data (user credentials, net connections, shares etc) to all systems on the network. This is done by an executable that runs periodically and then cleans up after itself. This means that every production system in the environment becomes part of the deception. This effectively corrupts the data that an attacker needs to continue to operate in an environment. The deceptive data stack the odds towards failure on the part of the attacker. Once that failure happens (again on any machine) the system begins to capture forensic data on the attack and can show how the attacker is trying to move around an environment.

Illusive has also added in something they call the Attacker View. This shows you what your network looks like from an attacker’s perspective. This relatively unique view gives you a quick look into the potential attack vectors that exist in your environment. This view adds a level of risk analysis to the product that visually shows you the dangers and how far they are from an attack vector or an actual attacker if they are already in your system. The system can also ingest data from other security systems to add to your risk analysis.

When you put all of this together you get a system that has the potential to bring you better security and also a low risk of false positives. Which is what you want in a security system.

Last modified on Monday, 31 July 2017 21:03

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.