Detection is Key When Prevention Fails

By Tony Cole, CTO, Attivo Networks

Last year Gartner estimated that global cybersecurity spending would grow to $124 billion and exceed $170 billion by 2021, yet we consistently hear about major compromise after major compromise. What’s going on? Why isn’t the massive amount of money being pumped into our security infrastructure paying dividends by stopping breaches?

It’s really a simple answer: we’re spending almost all of it on preventative technology, which doesn’t always stop attacks. Today, battle-hardened security experts understand that we cannot prevent every attack from getting into our enterprise and that we need to even the odds. We must allocate a portion of our resources to quickly detecting attacks that overcome or bypass our preventative security stack. They understand that a determined attacker, given enough time and resources, can almost always find a way through our defenses. Our job isn’t to prevent every attack, since that isn’t possible. It’s to stop what we reasonably can, quickly detect any breach, and promptly mitigate the impact of that compromise. In 2020, that’s a win.

So how do we do it? Deception is how. There’s a reason NIST has incorporated deception into multiple guidelines for industry and government such as 800-160, 800-53, and 800-171B. There’s a reason that Gartner recommends deception since they state “simple, inexpensive, and it works,” “we don’t know any other technology that has a better signal to noise ratio,” and “deception is the first starting point for detection.” Deception’s time is here so that we can detect threats inside our network quickly and accurately, allowing us to shrink breakout time, dwell time, and containment time.

So, what is deception? Modern deception platforms provide strong detection capabilities by minimizing lateral movement, detecting MITM attacks, protecting AD, providing analyst visibility, and much more. They put control firmly in the hands of the defender by locking down endpoints with deception and leading the attacker into an authentic decoy environment, built on real operating systems, where you can track and study their malicious activity. This is done by installing dynamic, authentic-looking deception credentials on endpoints or in cloud environments, all of which lead adversaries into the authentic-looking decoy environment. You can further enhance this deceptive environment with deceptive mapped shares which, when touched, generate high-fidelity alerts. If an adversary begins with AD queries, the deception module can hide the real credentials and return misleading AD information to the attacker, once again putting the defenders in complete control inside their own enterprise. When attackers attempt to move laterally, they are moving through the decoy environment, which tracks and monitors their activity, either for quick expulsion or to study their TTPs. Proper deception platforms can also work in almost any type of enterprise environment: cloud, ICS/SCADA, and IoT. Some of those environments can’t provide sufficient logging, which makes deception critically important in providing new visibility in an area previously blind to cyber defenders.
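As an added illustration, not code from Attivo Networks or from this article: the high-fidelity property of planted decoys is that no legitimate process ever uses them, so a detector only needs an inventory of what was planted and a match against authentication and share-access events. The decoy names, event fields and JSON log lines below are all constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical decoy inventory (constructed): accounts and share paths the
# defender planted. Any touch of these is a high-fidelity alert, even a
# failed logon, because nothing legitimate should know they exist.
DECOY_ACCOUNTS = {"svc-backup-adm", "it-helpdesk2"}
DECOY_SHARES = {r"\\fs01\finance_archive", r"\\fs01\hr_exports"}


@dataclass(frozen=True)
class Alert:
    kind: str        # "decoy_credential" or "decoy_share"
    indicator: str   # which planted decoy was touched
    src_host: str    # where the touch came from (lateral-movement tracking)


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if one event touches a planted decoy, else None."""
    src = event.get("src_host", "?")
    if event.get("type") == "logon":
        user = event.get("user", "").lower()
        if user in DECOY_ACCOUNTS:
            return Alert("decoy_credential", user, src)
    elif event.get("type") == "share_access":
        # normalise case and a trailing backslash before comparing paths
        share = event.get("share", "").lower().rstrip("\\")
        if share in DECOY_SHARES:
            return Alert("decoy_share", share, src)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run evaluate() over JSON-per-line events, skipping malformed lines."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a broken log line must not stall the pipeline
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: two benign events, two decoy touches, one bad line.
SAMPLE_LOG = [
    r'{"type":"logon","user":"alice","src_host":"WS-042","status":"success"}',
    r'{"type":"logon","user":"SVC-BACKUP-ADM","src_host":"WS-042","status":"failure"}',
    r'{"type":"share_access","user":"alice","share":"\\\\fs01\\public","src_host":"WS-017"}',
    r'{"type":"share_access","user":"alice","share":"\\\\FS01\\Finance_Archive\\","src_host":"WS-017"}',
    "not json at all",
]
```

Running `scan(SAMPLE_LOG)` yields exactly two alerts: the failed logon with the decoy service account from WS-042 and the touch of the decoy finance share from WS-017, while the benign logon and the real public share produce nothing.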

Deception platforms vary widely, and some are limited in capability. Ensure you select one that aligns with your goals and the campaigns you want to create, and that can look like your environment, whether that’s an on-premises enterprise, the cloud, a hybrid system, an IoT-heavy system, or a utility providing power. The type of environment shouldn’t matter; the deception must look like your system to be successful, since authenticity is vital.

Our job is to protect our enterprise and minimize risk. To be successful in that endeavor, we must recognize that we cannot stop all attacks and, therefore, must have the instrumentation inside our enterprise to detect the attacker once they have crossed the preventative security stack. EMA conducted a survey in 2019 in which deception users saw on average a 91% reduction in dwell time. It’s clear that deception is the answer to that essential requirement inside the enterprise; it is, after all, the solution for detection. Early detection of threats via deception means you can minimize breakout time and containment time as well, since the adversary has less time in your environment to move laterally and establish beachheads.

About the Author

Tony Cole, CTO, Attivo Networks. He is the Chief Technology Officer at Attivo Networks, responsible for strategy and vision. He’s a cybersecurity expert with more than 30 years’ experience, holds a bachelor’s degree in computer networking, and is a CISSP. Prior to joining Attivo Networks, Mr. Cole served in a number of executive roles at FireEye, McAfee, and Symantec. He’s retired from the U.S. Army and was an early advisor to Wall Street on the cybersecurity market. Mr. Cole serves on the NASA Advisory Council and the (ISC)² Board of Directors, and he’s also a former president of ISSA-DC. In 2014, he received the Government Computer News Industry IT Executive of the Year award, and in 2015 he was inducted into the Wash 100 by Executive Mosaic as one of the most influential executives impacting Government. In 2018 he was awarded the Reboot Leadership Influencer Award by SC Media. Mr. Cole is also a volunteer member of the WhiteHat USA Board, a charity benefiting Children’s National Medical Center.

Tony can be reached online at @nohackn and at our company website