INTELLIGENT BRANDS // Enterprise Security
Pen testing is used for compliance and to test the resiliency of an organisation's security controls. A mission is often defined by a Red Team's ability to capture an embedded flag without being detected. Blue Teams, the 'defenders', are using deception to obfuscate the attack surface and trick the Red Team, much like an attacker, into making a mistake and revealing their presence.

In this test scenario, an advanced pen tester gathered information and attempted to execute their attack over the period of a week in order to capture the flag. Immediately upon activating their attack, Attivo was alerted to the tester's presence and captured and recorded all of his actions. This test scenario validated the authenticity of deception and its accuracy in providing early detection of a threat, and proved that even expert pen testers can be fooled by deception.

To validate the resiliency of deception and stolen credential detection, Attivo Networks has released its ThreatInject simulation tool. Credential theft attacks are inherently difficult to detect because perimeter and anti-virus solutions are not designed to detect attacks based on credential use or lateral movement. Credential-based attacks start with attackers extracting user credentials from various places, such as the credential manager, the registry and memory, using tools like Mimikatz, and utilising them to move laterally or compromise remote systems.

Once an attacker steals credentials, they will either assume they are all real, as they are unable to validate them, or they will try to verify them against Active Directory. Deploying deception on the endpoints changes the credential landscape by adding deceptive credentials and deceptive hosts that appear valid and authentic.

The ThreatInject simulator provides the ability to discover managed and unmanaged credentials, and to test their authenticity along with the computers that these credentials point to. The simulator will demonstrate an attack launch using the selected credentials, query Active Directory to calculate authenticity and understand credential access, and simulate attacker behaviour.

Similar to a pen test, the ThreatInject simulator empowers an organisation with a window into what an attacker would see for credentials and computer hosts, verifies that an attacker is unable to determine fake credentials, and demonstrates that their deception environment is working accurately and reliably.

Attivo Networks took the public challenge at last year's ISSA International Conference, where Attivo Networks sponsored the Capture the Flag event that challenges participants to hack into a network and steal information from certain assets, or 'flags', without getting caught.

For this event, Attivo Networks publicly announced that it had deployed deception across the entire network to deceive and detect attackers as they tried to move laterally in the network looking for the flags. By adding deception, the game was more challenging, and also answered the question: Is deception technology authentic enough to fool skilled attackers?

Collectively, this pen test validation, the ThreatInject simulation tool and taking the CTF challenge all provide substantial validation of the resiliency of deception and its ability to fool and misdirect attackers, putting offensive control back into the hands of the organisation and away from the attacker.
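The defender-side check that gives deceptive credentials their value, as an added example that is not Attivo's or ThreatInject's code: because no legitimate process ever authenticates as a planted decoy account or logs on to a decoy host, any logon event that touches one is a high-confidence alert, whether the attempt succeeded, failed, or was only a validation against Active Directory. The decoy inventory, the event field names and the sample events are all constructed for the illustration.

```python
"""Triage Windows logon telemetry for touches of planted deception artefacts.
Added illustration, not Attivo's or ThreatInject's code. It assumes the defender
keeps an inventory of the decoy accounts and decoy hosts it planted and receives
logon events as dicts shaped like Windows Security events. Names are constructed."""
from collections import defaultdict

# Constructed inventory of planted deception artefacts (hypothetical names).
DECOY_ACCOUNTS = {"svc_backup_adm", "helpdesk_legacy"}  # stored lower-case
DECOY_HOSTS = {"FILESRV-ARCHIVE"}                        # stored upper-case

# Constructed sample events: 4624 = logon success, 4625 = logon failure,
# 4768 = Kerberos TGT request, i.e. a stolen credential being validated
# against Active Directory without a full logon. Computer = host that logged it.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.10.1.5", "Computer": "WS01"},
    {"EventID": 4625, "TargetUserName": "SVC_BACKUP_ADM", "IpAddress": "10.10.1.77", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.10.1.77", "Computer": "WS14"},
    {"EventID": 4768, "TargetUserName": "helpdesk_legacy", "IpAddress": "10.10.1.77", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.10.1.5", "Computer": "filesrv-archive"},
]


def triage(events, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Return (alerts, ranked_sources). No legitimate process ever authenticates
    as a decoy account or logs on to a decoy host, so every match is an alert
    whatever the outcome: success, failure and bare AD validation alike.
    ranked_sources orders source IPs by distinct decoys touched (contain first)."""
    alerts = []
    touched = defaultdict(set)
    for ev in events:
        user = ev.get("TargetUserName", "").lower()
        host = ev.get("Computer", "").upper()
        src = ev.get("IpAddress", "unknown")
        reasons = []
        if user in decoy_accounts:
            reasons.append(f"decoy account {user}")
        if host in decoy_hosts:
            reasons.append(f"decoy host {host}")
        if reasons:
            alerts.append({"source": src, "event_id": ev["EventID"], "reason": "; ".join(reasons)})
            touched[src].update(reasons)
    ranked = sorted(touched, key=lambda s: (-len(touched[s]), s))
    return alerts, ranked


if __name__ == "__main__":
    found, order = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"ALERT src={a['source']} event={a['event_id']} {a['reason']}")
    print("contain first:", order)
```

Matching is case-insensitive on purpose, since attacker tooling and event sources disagree on account and host casing.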
www.intelligentcio.com