How can organizations use deception tactics to thwart


The Big Picture: It's naturally assumed that hackers have the upper hand when it comes to deception because they hide their tactics and methods. With the right tools, the organization can also leverage deception to their advantage. Taking cues from military strategic theory, deception can be used to bait and trick the hacker into misdirecting his efforts where you lead him to and away from your valuable assets.


Mike Matchett:                  Hi, I'm Mike Matchett with Small World Big Data. I'm here today with Carolyn Crandall, who's the chief deception officer, otherwise known as the chief marketing officer for Attivo Networks. We're going to talk about what it means to provide a deception solution in today's high threat, high risk computing environment. Welcome, Carolyn.

Carolyn Crandall:              Thank you. Great to be on the show today.

Mike Matchett:                  All right, so what is a Attivo Networks up to. And tell me the truth. You've got to tell me the truth at this point. What is deception.

Carolyn Crandall:              What is deception. It's great. Deception has been used for decades in military warfare, gambling to basically get the upper hand against the adversary. What Attivo Networks is doing is bringing that competitive advantage back to the defender. So we allow the organizations to take deception, decoys, lures, bait and basically use that to misdirect attackers and derail their attacks. So it's a very efficient and effective way, and an easy and fast way to get started in being able to detect the threats that are inside a company's network.

Mike Matchett:                  Now, we walked through a lot of very detailed and complex technologies you guys offer. It gets very sophisticated, but you've made it very easy to use and deploy so that someone without a lot of deep networking skills can get started in deception. And so just maybe just for the audience here, give me a little example of what it would mean to deceive a network attacker. What would you be putting up there? What does that look like?

Carolyn Crandall:              Sure, sure, great. There's different degrees of deception, so let's start with the most basic. Let's set out some traps for an attacker. Let's say if you have a attacker inside your network, they're going to start to look for recognizance, move around the network and try to find their target. So setting decoys that look like the actual production assets, but setting them up in an attractive way for the attacker will lead them into use scanning, engaging with that deception decoy so that the minute you know that somebody engages, that they're doing something that they shouldn't be doing.

                                                      So a lot of organizations will start with network deception as the first place they'll go to get started. So lay the traps and the landmines throughout the network. And then the second thing that they'll do is they'll add endpoint deceptions. The majority of the attacks are going to come in, and the attacker's going to want to steal credentials, and then escalate their attack by harvesting more credentials as they move around the network.

                                                      If we plant these fake credentials or fake SMB shares for ransomware attack there, that as they attacker looks to move and escalate their attack, again there are going to be breadcrumbs that lead them back to the engagement server where all their tools, techniques can be studied in a alert that's substantiated with the information on what they're doing can be provided to the security team. Then they can go take the correct incident response action, so they could maybe block or isolate the attack, and maybe do some threat hunting to make sure it's not somewhere else inside the network.

Mike Matchett:                  And we even looked at where, once you've identified very quickly that someone's using a deceptive credential, or an endpoint they're not supposed to be attaching, you actually shift them over into the side away from production. Now, they're in their own little virtual play space hacking away on a copy of nothing, basically, right? But it looks to them like they're really working hard at it.

                                                      Then it's like, "Whoa, man." It's almost not worth it being a hacker anymore, right?

Carolyn Crandall:              Yeah, using today's deception with real operating systems in a high interaction environment, the attacker cannot tell what's real and what's fake. We know this based upon reports from our customers. It's a lot of fun to watch pen testers and the red teams come in and think all the while that they're penetrating a network. But they're in this deception environment where we can pick up tools, techniques, the IOCs of the attacks and use that information to create forensic reports to be able to respond to that incident.

                                                      The key to it is, is if you create a highly authentic environment, the attackers will come. Then, they can engage in this environment that's safe. You can even up a port to command and control, see what type of communication activities are happening there, then have the strength to be able to deal with polymorphic and other types of attacks that you might not have been able to detect and respond to using other detection security controls.

Mike Matchett:                  We talked about how one of your strengths is making this really easy to deploy, and for especially for people that don't have a lot of big end security staff, what level of company really could benefit from this? I mean, at one level I'm thinking, "Deception, you must have to be a really big company with a lot of ... a SOC, and extra people to say, hey, you're my deception person. You full time and do that." What's really the entry point?

Carolyn Crandall:              Yeah, the entry point is, we have customers as small as 30 people organizations with nobody with security in their title. We have all the way up to Fortune 10 type of accounts. So the neat thing about the way the Attivo deception platform works is, it's very scalable. If you have a person coming in that says look, "I know I need detection in my network, but I don't have the scaled of the IT staff to do a sophisticated deployment." Well, the nice thing is, is that machine learning gets applied today. It'll learn the environment, the profiles, and the applications. It'll propose the deception campaigns to roll out, so you don't have to have that sophistication. It's already built into the solution itself. Where on the other end, we may have a very sophisticated organization that's really diving into the threat intelligence, the counter intelligence, matching it up with other security controls that may want to have very sophisticated deployments. That's possible for them to do too.

                                                      But the short story of it is [inaudible 00:06:02] it's very easy to deploy. Most people are up and going within a couple hours. It's very easy to maintain because the alerts that they get are all engagement based, which means that somebody's engaging with a decoy or using credentials that are deception credentials, and they have no production value to an employee. So you know somebody is doing something that they shouldn't.

                                                      It'll give you information down to where the infection is, the endpoint, and what you need to do to respond to that attack. So it makes it very easy to maintain and operate, and to respond to in the even that you do find you've got something in your network that you need to get rid of.

Mike Matchett:                  I mean that's awesome. I think we're sort of out of time already. I think we could go for a couple hours talking about this, because we haven't even gotten into a lot of the terminology that we were tossing around before, which is just all very interesting to me. But thank you, Carolyn, for coming on today.

Carolyn Crandall:              It was great to be here. Thank you very much.

Mike Matchett:                  By the way, where can someone find out more information? I assume on your website, but what is that?

Carolyn Crandall:              On our website, Attivo Networks, A-T-T-I-V-O

Mike Matchett:         Thank you very much. I'm Mike Matchett with Small World Big Data. Thank you for watching. And we'll be back, I'm sure, with some more about deception from Attivo Networks, at some point, nearby, in the future. Take care. Bye.

Carolyn Crandall:              Thanks.