Hackers heading into an enterprise have another reason to be cautious: they could become the hunted, not the hunter. In a kind of cyber bait-and-switch, the valuable data turns out to be fake, and the trap is sprung. More and more enterprises are becoming interested in so-called deception technology, designed to turn the tables on attackers.
Attivo, a deception developer, just raised a series C venture capital round of $21 million, led by Trident Capital Cybersecurity with participation from existing investors Bain Capital Ventures and Omidyar Technology Ventures. In May, it secured a series B round of $15 million, bringing the total raised in the last five months to $36 million. Tushar Kothari, CEO of Attivo, attributes the pace to a mushrooming interest in fooling the thieves.
An image of an enterprise customer's network is stored on Attivo's ThreatDefend platform, which then "projects" data decoys that nestle among genuine data nuggets. If an attacker touches a decoy, they are sealed in a sandbox environment that mimics the real one. The hacker believes they have been successful and continues about their business. Meanwhile, this buys the enterprise time either to disarm the attack or to observe the attacker's behavior and learn about the malware's approach. One outcome is that hackers become frustrated and turn their attention to easier targets.
Attivo uses what it calls "high interaction deception," with authentic operating systems and image customization. Apparently, attackers cannot tell the difference between decoys and production assets: decoy users act like real users, and decoy data and systems look like real data and systems, right up until there is an attempt to harvest information. This methodology deals another blow to perimeter security, possibly one of the most direct blows it could receive, by being unconcerned when bad actors breach the perimeter.*
It also raises the possibility of a strike back by the target organization, with the hacker unaware and placed on the defensive. "It all depends on what our customer wants," Attivo's Kothari told SecurityNow, "we have the ability for offensive or pre-emptive (retaliation)."
According to Rik Turner, principal analyst, infrastructure solutions at Ovum, the platform extends beyond network- and endpoint-based deception technology out into vulnerability assessment and response automation, and into threat hunting.
Can the platform be fooled, made to look the other way while hackers drive past the decoys? Maybe overwhelm the platform?
"This type of attack would not distract (the platform), since all attacks would be coming from one IP, which we would use to ID the attacker and alert the attack," Carolyn Crandall, CMO of Attivo, told Security Now. "Unlike an external DDoS attack, launching multiple attacks just allows us to identify the attack more quickly based on more data points."
Typical attacks which can be foiled include reconnaissance attacks, credential raids, man-in-the-middle attacks or active directory attacks. Kothari said the platform can be integrated with other security systems, avoiding a situation where one system treads on the toes of another.
In theory, this also reduces false positives. "If the mouse bites the cheese, we know he exists because the cheese is missing," said Kothari.
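As an added illustration of the principle behind Kothari's cheese analogy (not Attivo's code or anything the platform is documented to do), the detector below alerts only when a decoy is touched and, as Crandall describes, treats repeated touches from one source as extra data points rather than noise. The decoy names, addresses and log lines are all constructed for this example.

```python
"""Decoy-touch detection: production access never alerts, any access to a
decoy does, and repeated touches from one source only add evidence.
Every asset name, address and log line here is constructed (hypothetical)."""
import re
from collections import defaultdict

# Constructed inventory of decoys "projected" among real assets.
DECOYS = {
    "//fileserv01/finance/Q3_forecast_FINAL.xlsx",  # decoy document
    "svc_backup_admin",                             # decoy credential
    "10.0.20.57",                                   # decoy host
}

# Constructed log format: "<ts> src=<ip> action=<verb> target=<asset>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$")


def parse(line):
    """Return the event fields for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_touches(lines):
    """Map each source that touched a decoy to what it touched.

    Legitimate users have no reason to reach a decoy, so only decoy targets
    are reported; access to real assets is ignored, which is why this alert
    class carries few false positives ("the cheese is missing")."""
    hits = defaultdict(lambda: {"touches": 0, "decoys": set(), "actions": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["target"] not in DECOYS:
            continue  # malformed line or a real asset: no alert
        h = hits[ev["src"]]
        h["touches"] += 1                # each touch is another data point
        h["decoys"].add(ev["target"])
        h["actions"].add(ev["action"])
    return {src: {"touches": h["touches"],
                  "decoys": sorted(h["decoys"]),
                  "actions": sorted(h["actions"])} for src, h in hits.items()}


# Constructed sample: one real user and one source probing several decoys.
SAMPLE_LOG = [
    "2017-10-03T09:01:12Z src=10.0.5.14 action=open target=//fileserv01/finance/Q3_budget.xlsx",
    "2017-10-03T09:02:40Z src=10.0.9.201 action=logon target=svc_backup_admin",
    "2017-10-03T09:03:05Z src=10.0.9.201 action=scan target=10.0.20.57",
    "2017-10-03T09:03:44Z src=10.0.5.14 action=open target=//fileserv01/finance/Q3_actuals.xlsx",
    "2017-10-03T09:04:19Z src=10.0.9.201 action=open target=//fileserv01/finance/Q3_forecast_FINAL.xlsx",
]

if __name__ == "__main__":
    for src, info in detect_decoy_touches(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['touches']} decoy touches, decoys={info['decoys']}, actions={info['actions']}")
```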
Although deception technology is still maturing, Kothari plans to keep moving the cheese, leaving companies one step ahead. The timeline of staying ahead, of course, is always subject to hackers learning patterns and eventually spotting deception.
"Every security technology goes through its lifecycle, hackers learn and deception technology is no exception," said Kothari. He projects three phases. First, during the initial two to three years, the deception is totally unexpected and a surprise. Next, attackers begin to learn and to differentiate between what is a decoy and what is not.
In five to ten years, target organizations will need to up their game and launch what Kothari terms "deception campaigns," where snares are placed at multiple layers. Data is attacked and eventually extracted, but ultimately the hacker can't differentiate between a valuable data haul or an empty swag bag.
Attivo claims Aflac as a public reference, and customers across a wide spread of verticals, concentrated in financial services, utilities, law firms and the energy sector. It claims evaluation trials with about 350 companies.
* The stance of Attivo toward bad actors and their breaches of the perimeter has been clarified from the original sentence.
— Simon Marshall, Technology Journalist, special to Security Now