Intelligent CIO Middle East Issue 34 | Page 67

CASE STUDY

companies and organisations across the Middle East, Turkey and Africa can use it, so it spans financial services, ministries, governments, oil and gas, all across the board. The solution we offer is basically an inside-of-the-network threat detection and response, so for those various verticals it lays out a deception network to lure the attacker. If there is somebody lurking inside the network who shouldn't be there, then the deception will automatically alert and lure the activity to a safe haven, not the actual network itself.

Can you explain how deception fools the cybercriminal?

The way we have done it is we've taken human behaviour: we have understood what the attacker usually does and what the purpose is of compromising and penetrating networks all across the world. We understood the motives of why hackers do it and we also understood what they do in a typical network to reach their objective. We can plant many different decoy servers or decoy assets to mimic the customer's environment, providing what appears to be authentic assets to the attacker. The beauty of those decoy assets is that the attacker does not distinguish them from the real server, because we use their gold images if they wish, which is why it is so authentic and hence effective. A properly designed deceptive environment will quickly shrink adversary dwell time and potentially help mitigate the impact of a breach. We use machine learning to learn the topology of the network and the types of operating systems, and then we build decoy servers that are almost identical to the one next to it (the real one), so the attacker does not think that he has fallen into a trap. We plant our servers in unpublished IP addresses; as soon as the attacker does lateral movement to an unpublished IP they are guilty by association, because there is no need for anybody to come and touch it.

Therefore, once they do this they are actually captured, because this IP address is mapped all the way up to the Attivo appliance which sits inside the network. That is how we capture the attacker inside our network, and we now take over dealing with him, but he doesn't know that. We are watching all his moves and recording them in a forensic file.

What are the main benefits the ministry can get from the ThreatDefend Platform?

Dynamic, real-time threat detection and accelerated and orchestrated incident response. The emphasis is on early detection and also on accelerated and orchestrated response with the whole ecosystem that the company or organisation has.

"We in the Ministry of Energy, Industry and Mineral Resources are one of the highest targeted agencies in the Kingdom."
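The "guilty by association" rule described above is, at its core, a very simple detection: decoy addresses have no legitimate users, so any flow whose destination is a decoy is an alert, and from that moment every move of the offending source host is recorded. The following Python script is an added illustration of that logic over constructed flow records; it is not Attivo's code, and the decoy addresses, the log format ("timestamp source destination port") and the sample flows are all assumptions made up for the example.

```python
"""Decoy-touch detector (added illustration, not the vendor's code).

Rule: any flow to an unpublished decoy address is suspicious by association.
Once a source host touches a decoy, all of its subsequent flows are kept in
a per-host case record, mirroring the "forensic file" idea in the interview.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed decoy set: two individual decoy hosts plus a whole unpublished
# subnet. Nothing legitimate is published at these addresses.
DECOY_HOSTS = {ip_address("10.20.30.200"), ip_address("10.20.30.201")}
DECOY_SUBNET = ip_network("10.20.31.0/24")

# Constructed flow log: "timestamp src dst dport" (assumed format).
SAMPLE_LOGS = [
    "09:00:01 10.20.30.15 10.20.30.10 445",   # workstation -> real file server
    "09:00:05 10.20.30.15 10.20.30.11 3389",  # workstation -> real RDP host
    "09:01:10 10.20.30.77 10.20.30.10 445",   # second host -> real server (no alert yet)
    "09:01:12 10.20.30.77 10.20.30.200 445",  # second host -> decoy host: alert
    "09:01:15 10.20.30.77 10.20.31.5 22",     # second host -> decoy subnet: recorded
    "09:02:00 10.20.30.77 10.20.30.12 445",   # even its real targets are now recorded
    "09:03:00 10.20.30.15 10.20.30.12 80",    # benign host never touches a decoy
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated constructed flow record."""
    ts, src, dst, dport = line.split()
    return Flow(ts, src, dst, int(dport))


def is_decoy(dst: str) -> bool:
    """True if the destination is a decoy host or inside the decoy subnet."""
    addr = ip_address(dst)
    return addr in DECOY_HOSTS or addr in DECOY_SUBNET


def detect_decoy_touches(lines: Iterable[str]) -> Dict[str, dict]:
    """Return one case record per source host that touched a decoy.

    Each record holds the time of the first decoy contact and every flow
    from that host from that point on (the decoy hit itself included).
    """
    cases: Dict[str, dict] = {}
    for line in lines:
        flow = parse_flow(line)
        if flow.src in cases:
            # Host already under watch: keep recording all of its moves.
            cases[flow.src]["moves"].append(flow)
        elif is_decoy(flow.dst):
            # First contact with a decoy opens a case for this source.
            cases[flow.src] = {"first_seen": flow.ts, "moves": [flow]}
    return cases


def summarise(cases: Dict[str, dict]) -> List[str]:
    """Human-readable one-liners, one per flagged source host."""
    return [
        f"ALERT {src}: first decoy contact at {rec['first_seen']}, "
        f"{len(rec['moves'])} flows recorded since"
        for src, rec in cases.items()
    ]


if __name__ == "__main__":
    for line in summarise(detect_decoy_touches(SAMPLE_LOGS)):
        print(line)
```

On the sample data only 10.20.30.77 is flagged: its earlier flow to a real server is not recorded, the decoy hit at 09:01:12 opens the case, and the two flows after it (one to the decoy subnet, one to a real server) are appended to the record. Real deployments add the pieces the interview mentions and this example omits, such as fingerprint-matching decoys to neighbouring hosts and forwarding the case to the incident-response tooling.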