IT Briefcase Exclusive Interview: Using Deception Technologies to Turn the Tables on Attackers
August 30, 2017
Despite a greater awareness of advanced cyber threats and a renewed focus on IT security, the number and scale of successful cyber-attacks continue to grow at a frightening rate. The Ponemon Institute’s 2016 Cost of Data Breach Study: Global Analysis estimated that the average total cost of a data breach in 2016 was $4 million, and Juniper Research predicts that cybercrime will cost $2.1 trillion globally by 2019, averaging $150 million per breach by 2020. This demonstrates the immediate need for organizations to have a detailed understanding of the tactics, techniques and procedures (TTPs) of today’s emerging threats.
Since the dawn of time, deception has been used in nature in various forms as a successful survival strategy and has played an important role in the physical and behavioral adaptations of all organisms. This certainly holds true for businesses of all sizes today. However, despite some innovative approaches in recent years, deception solutions have not addressed the key aspects of what a modern distributed enterprise needs: to deploy deception at scale, automatically and cost-effectively, from the cloud or on-premises, and to deploy it to on-premises or cloud workloads.
So what do businesses need to know in order to detect, engage and respond quickly to malicious activity on their networks?
Raj Gopalakrishna, Co-Founder and Chief Product Architect at Acalvio, explains:
- Q: Tell me about Acalvio. What makes ShadowPlex stand out from the competition?
A: Acalvio ShadowPlex incorporates many breakthrough technologies. There are 30+ patents already filed. Acalvio Deception 2.0 technology leapfrogs the competition by combining deception technology, automation, AI and SIEM data.
ShadowPlex provides a comprehensive deception fabric that includes decoys, applications, breadcrumbs, lures, data, low-interaction deceptions and high-interaction deceptions.
Acalvio provides both scale and authenticity of deceptions due to patent-pending Fluid Deception and Reflections technologies.
Acalvio deceptions are projected onto the network due to the patent-pending Deception Farms Architecture. This unique architecture is the basis for truly dynamic deceptions, including deceptions being morphable in real time. This unique architecture also enables just-in-time deceptions, wherein deceptions are born in real time in response to changing threats or environment.
ShadowPlex enables centralized administration while deploying distributed deceptions across the entire Enterprise Network.
Acalvio tightly weaves AI into the fabric for automated deployment and management of deceptions. ShadowPlex also relies on AI for detecting and engaging with attackers in real time.
- Q: Let’s talk about deception. How can deception technologies be used by an organization to turn the tables on attackers?
A: In the natural world, deception is arguably the most common and powerful technique to protect oneself. As Sun Tzu observed, “All warfare is based on deception”. Acalvio believes this observation applies to modern Cyber War too.
The attackers have come to the same realization and hence leverage the combined power of deception and automation in their campaigns. WannaCry ransomware infected 230,000 computers within a day in May 2017, and 1.38M unique phishing emails were sent in 2016 (per APWG), due to the power of automation.
Deception technologies, especially when combined with automation and AI, are a game-changer for defenders. At Acalvio, we have already demonstrated the combined power of deception & AI to detect advanced threats such as unknown variants of ransomware with speed and precision.
Deception can be used to actively respond to threats. Deception can be used to frustrate, slow down or confuse the attacker or malware. This gives the IR team a chance to respond or divert the attack.
Finally, deception changes the economics for the attacker. The attacker needs to be very careful not to cause an alert by accidentally interacting with deceptions. Deceptions increase the duration of each attacker campaign.
- Q: How can deception as a strategy help businesses protect against the upsurge in threats targeting connected devices and the Internet of Things (IoT)?
A: Deceptions are already proven in the natural world and in wars. Similarly, deception technologies can be applied to protect all sorts of assets, including ICS and IoT. Deceptions can be used to detect compromised devices, compromised accounts, man-in-the-middle attacks and network intrusions.
- Q: How do you see deception technologies evolving over the next 12 months?
A: Deception technologies are poised to change the way we defend our Enterprise networks and hosts.
For example, the Acalvio Deception Technologies platform will be used to create “applications” to solve very hard problems like malware threats, APTs, triaging of incidents and protection of Enterprise assets like AD, besides protection of home networks, connected devices and even trains.
Real-world benefits of deception technologies will enable wider adoption of this powerful technology. Meanwhile, deception technologies will combine with even more advanced AI to turn the tables on the attackers.
- Q: Ransomware is all over the news these days. Why has ransomware continued to be such a major threat?
A: There are many reasons for the ongoing ransomware threat:
1. Ransomware is very lucrative to the attackers. Estimates are that around $1B was paid by victims in 2016.
2. There is heavy R&D investment by the ransomware attackers to take advantage of their market opportunity. They are bringing tools and techniques from other campaigns to ransomware campaigns.
3. Ransomware campaigns require very little infrastructure to launch. There is no big C&C to run or hide, and no big data to exfiltrate.
4. The advent of Ransomware-as-a-Service (RaaS) has lowered the bar for technical skills to launch a ransomware campaign.
5. Each Enterprise’s private data is valuable to them. The attacker does not need to find buyers for the data. Hence most verticals are vulnerable to the ransomware threat.
6. Enterprises have an egg-like security architecture: strong on the perimeter but weak on the inside. So once an endpoint is compromised via a phishing email or otherwise, it is easy to propagate through the Enterprise network and encrypt most devices very rapidly.
7. The existing security solutions (AV, IDS, Sandbox, UEBA) on the market are unable to keep up with the deluge of ransomware variants. In 2016, there were more than 1000 new variants of ransomware released per day, making it very hard to create signatures quickly.
- Q: How does a solution, like Acalvio’s ShadowPlex, protect against ransomware attacks?
A: Acalvio uses the ShadowPlex platform along with the Ransomware Kill Chain to mitigate this growing threat. Acalvio ShadowPlex-R detects and automatically responds to ransomware in real time.
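The simplest form of the deception-based ransomware detection discussed in this interview is a set of decoy ("canary") files: nothing legitimate ever touches them, so any change is a high-fidelity alert. The following Python sketch is an added example, not Acalvio's code and not part of the original interview; the decoy names, contents and the tampering routine are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names, chosen to look attractive to ransomware and intruders.
DECOY_NAMES = ["Q4_payroll_backup.xlsx", "passwords_old.txt", "client_list.csv"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root: Path) -> dict:
    """Write decoy files into `root` and record a baseline hash for each."""
    baseline = {}
    for name in DECOY_NAMES:
        p = root / name
        p.write_bytes(f"constructed decoy content for {name}\n".encode())
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return (kind, path) alerts for decoys that were altered since baseline."""
    alerts = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append(("missing", path))   # deleted or renamed (e.g. ".locked")
        elif sha256_of(p) != expected:
            alerts.append(("modified", path))  # contents overwritten/encrypted
    return alerts


def simulate_tampering(root: Path) -> None:
    """Constructed stand-in for what ransomware does to files: overwrite and rename."""
    (root / DECOY_NAMES[0]).write_bytes(os.urandom(64))
    (root / DECOY_NAMES[1]).rename(root / (DECOY_NAMES[1] + ".locked"))


def demo() -> list:
    """Plant decoys in a temp dir, verify silence, tamper, and return the alerts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_decoys(root)
        assert check_decoys(baseline) == []  # untouched decoys raise no alert
        simulate_tampering(root)
        return check_decoys(baseline)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT decoy {kind}: {path}")
```

In a real deployment the check would run from a file-system watcher rather than a one-shot scan, and an alert would feed the IR workflow (isolate the host, kill the process) instead of printing.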
Raj Gopalakrishna is Co-Founder and Chief Product Architect at Acalvio. Prior to Acalvio, Gopalakrishna was a distinguished engineer and Senior Vice President at CA Technologies. He received his degree in Computer Science from Bangalore University.