Blog.

In the rapidly evolving world of cybersecurity, traditional Identity Threat Detection and Response (ITDR) systems are foundational in safeguarding organizational assets. Yet, these systems frequently display critical gaps, especially when faced with sophisticated, identity-based threats and the exploitation of system vulnerabilities. These traditional systems rely heavily on signature-based detection, anomaly behavior analysis, and logs, which may not effectively distinguish between legitimate activities and sophisticated malicious tactics. As attackers continue to evolve their techniques, especially in exploiting third-party components and using stolen credentials, the limitations of traditional ITDR become apparent. Why attacks succeed: despite the deployment of traditional monitoring approaches on Active Directory (AD) and cloud identity stores, identity-based attacks are continuing to escalate at an alarming rate. Attackers have evolved with stealthy techniques that exploit gaps in traditional ITDR for credential misuse and privilege escalation, such as: Cached credentials: are copies of user authentication data stored locally to speed up re-authentication processes, including passwords, session tokens, and Kerberos tickets. While they enhance system performance and user convenience, they also provide attackers with a potential goldmine. Cybercriminals leverage tools like Mimikatz, LaZagne, Seatbelt, and other credential dumping utilities to extract these credentials from various caches (like Windows Security Accounts Manager (SAM), Local Security Authority Subsystem Service (LSASS) cache, and browser caches), enabling them to persist within networks, move laterally across systems, and escalate privileges. The subtlety of these attacks often allows them to bypass traditional security measures, which struggle to differentiate between legitimate and malicious use of these credentials. Third-party sync agents and identity stores beyond AD: organizations are increasingly adopting a hybrid identity architecture with cloud identity providers (IdP) for identity federation. To keep AD in sync with the cloud IdP, synchronization agents are deployed. Additionally, organizations have servers such as Active Directory Federation Services (ADFS) and Active Directory Certificate Services (ADCS) that have trusted access to AD. Attackers target the third-party sync agents to gain access to domain credentials, leveraging the lack of monitoring on these agents to obtain access to privileged credentials. Stealthy attacks that evade traditional detection mechanisms: attackers have evolved, with stealthy attacks such as offline attacks, client-side attacks that evade traditional detection approaches based on monitoring AD network traffic and logs. Offline attacks such as Kerberoasting, client-side attacks such as Silver Ticket attacks are being used with increasing frequency by attackers. These attack techniques do not result in anomalous network traffic or event log traces, resulting in detection gaps through traditional ITDR approaches. Adversary in the middle (AITM) attacks: attackers gain access to domain credentials through AITM techniques such as LLMNR poisoning and use these credentials for lateral movement. Traditional ITDR is unable to detect malicious use of the valid credentials. Cyber deception emerges as a critical solution to these challenges. It introduces deceptive elements, such as honey accounts and honeytokens, strategically placed within the identity stores and endpoints to lure and detect attackers by triggering undeniable indicators of an incursion. This proactive defense mechanism not only enhances detection capabilities but also provides actionable intelligence, enabling more effective and rapid response. By addressing the inherent weaknesses of conventional detection methods, especially in the context of cached credentials and stealthy identity attack techniques, cyber deception creates a more resilient and adaptive security posture against the increasingly complex threat landscape.

A critical aspect that is often overlooked is the nature of asymmetric warfare between the attackers and the defense teams. Any glitch in cyber security defense theories/practices is a winning amplifiable opportunity for the attackers, while there is no extra penalty or risk associated with attacker side missteps/errors. Attackers can continue “trial and error” until succeeding. This cyber security asymmetric warfare is due to the fact that the Internet was originally built on the top of a “trusted” model in which all the participants were considered to be collaborative with good intent, and all the digital assets, whether owned by individuals, enterprises, or governments, should be genuine and real. Attackers exploit the “trusted” model to the extreme.

Earlier this month, we witnessed ( Reuters, TechCrunch, Washington Post, CNN etc. ) the US Department of Energy, several other government agencies, banks and other commercial organizations were hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software called MOVEit by Progress Software.

The CrowdStrike Global Threat Report for 2024 highlights a rapidly evolving cyber threat landscape. The sophistication and speed of cyberattacks are skyrocketing, with adversaries leveraging identity-based tactics, exploiting unmanaged device vulnerabilities, and even capitalizing on trusted relationships for initial access. Several key takeaways warrant attention in response to the disturbing trends highlighted in the report: 1. The increase in identity-based attacks signals a need for more sophisticated identity and access management solutions. 2. The susceptibility of unmanaged devices underscores the importance of comprehensive asset management and endpoint protection strategies. 3. The exploitation of trusted relationships stresses the importance of zero-trust architectures. 4. Adversaries continue to gain in stealth and speed, increasing their ability to complete their mission before becoming discovered

The ever-shifting landscape of cyber threats demands constant adaptation and expertise from security professionals. This is where Large Language Models (LLMs) are making a transformative impact. By enabling the development of specialized AI assistants, LLMs empower professionals to work smarter and faster. Here at Acalvio Technologies, we have harnessed the power of LLMs to create an AI Assistant that transforms the way security professionals leverage standardized cybersecurity frameworks. Imagine an assistant that sifts through data to identify threats, and even helps develop effective response strategies – all powered by the vast knowledge and contextual understanding of LLMs. Of course, challenges remain. The computational power required and the need for specialized training present hurdles. However, the potential benefits are undeniable. Leveraging the wealth of cybersecurity defensive knowledge sources, the Acalvio AI Assistant provides comprehensive, real-time, up-to-date answers, thereby enhancing user efficiency and effectiveness. This blog post delves into the process of building a LLM based AI assistant. We’ll discuss the key components involved, including LLMs, datasets, RAG technology, vector databases, and how we evaluate the final product.

GigaOm’s recently published Radar chart on cyber deception platforms for 2024 provides detailed comparison of leading deception vendors. The research involved a set of key business criteria for deception solutions and considers the requirements of different market segments.

One hundred and forty pages strong, the Health Industry Cybersecurity Practices (HICP) Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations document is a technical volume that provides an overview of cybersecurity practices that have been outlined by the U.S. Department of Health & Human Services (HHS) as highly effective at mitigating risks in the healthcare industry. There are many great insights in the document, and one that we were super excited to see was the inclusion of deception technology as a critical component of a comprehensive security posture. Cyber deception is a technique that many organizations have used to create decoys, traps, and other mechanisms that mislead attackers and divert their attention away from actual targets. The document suggests that deception technology is useful for detecting and responding effectively to attacks, and for gaining insights into an attacker’s tactics, techniques, and procedures (TTPs). We applauded their recognition of the compelling reasons to add deception to an organization’s security posture. Some of these highlights include: Reduction of dwell time, which is achieved with early detection and by diverting an attacker’s attention, so they reveal their presence. Therefore, reducing the time they have to spend time in the network. Improvement in threat intelligence that is gained through insights into the TTPs of attackers. Increased situational awareness can be achieved by using decoys and other mechanisms, while providing early warnings of potential attacks. The report (Section 8.l.F) includes how Healthcare Delivery Organizations (HDOs) can implement cyber deception techniques, such as deploying honeypots, honeytokens, and other decoys, to create a layered defense and make it more difficult for attackers to gain access to sensitive data. Benefits such as disrupting attacks, early warning of intrusions, and reduction to the impact of a successful attack were also noted. The document goes on to suggest that using cyber deception as an additional layer of defense will improve an organization’s ability to detect and respond, gather threat intelligence, and reduce the impact of a cyber incursion. The cyber deception landscape has undergone many changes since inception, ranging from technology enhancements to integration into other vendor technologies through partnership and acquisition. The Acalvio Defense platform is designed for AI- driven autonomous deception and carries the most patents, 25 in total, that protect complex environments across all industries, both on-premises, and in the cloud. Acalvio also has Federal Risk and Authorization Management Program (FedRamp) certification, further validating Acalvio cloud service offerings (CSOs) on their efficacy related to security assessment, authorization, and continuous monitoring. The use cases for deception in healthcare organizations can be quite extensive. However, Acalvio has found Advanced Persistent Threat (APT) attacks, ransomware, insider threats, and identity threats to be amongst the most popular and consistently deployed. APT attacks are particularly concerning to healthcare organizations because they are sophisticated, stealthy, and can go undetected for long periods of time. APTs are designed to infiltrate a network and remain undetected for extended periods, stealing sensitive data or causing damage. Acalvio deception detects APTs by creating false environments that appears to be legitimate but are actually lures and traps designed to detect and analyze malicious activity. Insider threats occur when someone with employee, contractor, or third-party access to a network or system misuses that access to cause harm or the theft of data. Acalvio deception efficiently identifies insider threats by embedding deceptions into the data, deploying deceptive identities and creating false environments that are designed to accurately detect unauthorized access. Because deception does not have a production role, any attempt to use the deceptions creates a high-level alert that carries detailed evidence substantiation that can dramatically reduce investigation time. Ransomware attacks have continually attacked healthcare organizations due to their complex environments, fluid workforce, and a range of challenges that can prevent the best cybersecurity operating environments. Ransomware groups generate new variants through Ransomware-as-a-Service (RaaS) affiliates, evading traditional security. Acalvio deception creates a variety of snares for attackers that will detect credential misuse, privilege escalation, deletion of backups and propagation attempts. Ransomware can move very quickly and since deception does not rely on baselines or trends, it is proven to be an imperative alerting mechanism for early ransomware detection, including evolving variants. Identity Threat Detection and Response (ITDR) is another key deception use case. The misuse of credentials is not new, and as most know, is a staple in almost every attack. Gartner, Inc. coined the term ITDR in 2022 based on the need to educate organizations on Zero Trust architectures and why network-based security is not sufficient for detecting and deterring attacks using credentials and privilege escalation. Endpoint Detection and Response (EDR) vendors have taken note with SentinelOne acquiring Attivo Networks and CrowdStrike partnering with Acalvio. You can read more about the CrowdStrike and Acalvio partnership at our web page. The highlight of this partnership is that it enables deceptions to be deployed at scale without requiring an additional agent. Now, CrowdStrike customers can deploy Acalvio deception and identity solutions across the organization and manage the detections in CrowdStrike’s incident response dashboard. Acalvio uses AI to refresh the deception environment for authenticity and scale. Another recent document of worth noting is the technical report called the HHS Cybersecurity Program: Cybersecurity Framework Profile for Healthcare Delivery Organizations. This also discusses the importance of cyber deception as a key strategy for protecting healthcare organizations from a variety of cyber threats. In this report they included additional use cases for deception, which included social engineering and attacks against network connected medical devices. Medical devices based on IoT can be challenging to protect against threats due to their inability to upgrade, inability to deploy EDR agents and limited downtime windows. Acalvio deception plays an important role in IoT because it can use decoy elements such as false credentials, simulated data, and decoys to detect malicious network activities without having to load software on the devices. It is another use case for deception for creating layers of defense in specialized networks. Many healthcare organizations have successfully deployed cyber deception and have realized its benefits towards patient safety and well-being. It is exciting to see deception receive an important recommendation in this new journal. Deception technology serves to efficiently address a wide range of cyber threats, including APTs, insider threats, ransomware, identity, IoT, and social engineering attacks. By creating false environments that appear legitimate, cyber deception non-disruptively lures, detects, and diverts attacks making it faster and easier for security teams to eradicate the threat before it can cause harm. Click here to request a consultation or for insights into what’s new in cyber deception in 2024.

In cybersecurity, unmanaged endpoints represent a significant vulnerability within even the most meticulously planned defense strategies. These unprotected access points are attractive targets for identity-driven attacks. Organizations are unable to gain coverage for all the endpoints with endpoint security and detection tools; even those maintaining the highest levels of vigilance might only achieve around 80% endpoint security coverage. This leaves a consequential proportion of endpoints – about 20% – unmanaged and susceptible. In addition, there are a large number of peripherals and IoT devices, such as printers, cameras that are not compatible with endpoint security solutions and add to the pool of the unmanaged endpoints. These exposed endpoints, linked with the network and Active Directory (AD), offer an easy entry point for attackers to compromise the system, gain access to privileged credentials, and cause substantial damage. Recent research indicates over 25% of modern attacks originate from an unmanaged endpoint.

In the world of digital defenses and ever-changing threat landscapes, October holds a special significance – it is Cybersecurity Awareness Month! While we observe this Awareness Month with great enthusiasm, at Acalvio we believe cybersecurity is about more than a single month; it should be a year-round commitment to strengthening our digital defenses. Cybersecurity Awareness Month, initially known as National Cyber Security Awareness Month (NCSAM), was established in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security. This month was created with the goal to elevate cybersecurity education and awareness across the United States. Fast forward to today, where it has become a vibrant, widely observed global initiative. With this rich history in mind, let’s look at a history of our own: how Cyber Deception and Active Defense have evolved over the years, and how they help organizations and defenders stay ahead of emerging and evolving threat landscapes as well as the increasingly vital role deception is playing in our defense strategies. Cyber deception differs markedly from traditional cybersecurity methods, offering a proactive strategy that confuses and diverts attackers away from critical assets. This approach not only detects and distracts adversaries, but also provides security teams with time to analyze their tactics and respond effectively. Deception’s adaptability and continuous evolution make it a powerful capability in the battle to secure key assets, identities, applications, and data across multiple environments – on-premises, cloud, ICS/OT, and IIoT networks. Though deception was once a niche concept in cybersecurity, it has evolved dramatically over the years, transforming into an advanced and indispensable early threat detection and response system. In its nascent stages, deception primarily relied on honey pots, which were decoy systems designed to lure attackers away from assets. While effective in some cases, these techniques were relatively simplistic, often struggling to keep pace with the increasing complexity of enterprise networks, expanding access boundaries, and the rapidly evolving sophistication employed by threat actors. As adversaries became more adept at evading traditional security measures, deception underwent a profound transformation. Modern deception systems leverage artificial intelligence, machine learning, and advanced predictive analytics to create highly realistic and attractive deceptions and traps within an organization’s network. The assortment of the deception palette has also grown remarkably to suit the purpose and different use cases for deception deployment. Deception types are no longer just decoy systems and honeypots. At Acalvio, we design precision-engineered endpoint deceptions, tripwires, lures, and honeytokens that all enable early and high-fidelity threat detection. Deception technologies not only mislead and divert attackers from key assets; they also actively detect and analyze their activities. Active Cyber Defense effectively changes a defense team’s position from postmortem analysis of what the attacker did to predicting what an attacker might do, enabling them to take appropriate measures to strengthen their defenses before the threat strikes. Cyber deception has become a cornerstone of modern proactive cybersecurity and Active Defense, offering organizations a dynamic and agile approach to high-fidelity threat detection and response. With Acalvio’s world-class deception platform, organizations have the ability to turn the tables on the attackers: by empowering the defenders with the attacker’s view of the network, predicting attack trajectories, detecting the threats early, and impacting the attacker’s speed, attack paths, and cost – all with precision and speed. The evolution of Cyber Deception reflects the industry’s recognition of the need for sophisticated, and adaptive measures to counter an ever-evolving cyber threat landscape. With deception systems continually innovating to outsmart attackers, deception plays a vital role in bolstering the resilience of modern digital infrastructures. Deception technology is irrefutably a new layer on the existing security solutions to provide compelling defense-in-depth capability to enterprises. We wish you a safe and vigilant Cyber Security Awareness month! Are you looking to learn more about Deception Technology or considering adopting the solution? Reach out to us at info@acalvio.com!

MGM Resorts was compromised by a threat actor, Scattered Spider (UNC3944). The threat actor gained control over the super administrator account of Okta, gained Azure administrative rights, and gained Domain Admin privileges over the Active Directory. The threat actor deployed the ALPHV ransomware on over 100 ESXi servers on premise. This caused an entire system shutdown, with MGM resorts losing millions of dollars, having to fall back to paper-based hotel admission and suffering tremendous damage to their reputation. The impact of this attack was severe. As the hospitality services experienced outages, customer service and experience took a nosedive, payment systems were down and the slot machines at their casino were completely inoperable.

The increasing adoption of cloud and mobile technologies, coupled with the rapid shift to remote work, is blurring the conventional boundaries of network security, making Zero Trust the focal point of cybersecurity. Simultaneously, destructive breaches and ransomware attacks have underscored the insufficiency of conventional perimeter-based cybersecurity strategies. As technology ecosystems and adversaries evolve, we need to rethink how we deploy security and technology capabilities, and Zero Trust provides the model we need. Zero Trust is a data-centric security strategy that follows the principle of least privilege access. A Zero Trust network is one in which no person, device, or network enjoys inherent trust. All trust, which allows access to information, depends on providing a valid identity.

Apache Log4j is used in thousands of enterprise applications across the stack and appliances with a web interface. Log4j is also an embedded component of many Java-based OT/ICS hardware and software components. Billions of IoT devices built on Java may also be susceptible to the Log4Shell vulnerability, as are many networking appliances. Multiple Apache Log4j versions are affected by Log4Shell. Log4Shell also affects many systems that are internal to enterprise networks. APTs/attackers that are already inside the network may leverage the Log4Shell vulnerability of the internal systems. The vulnerability is severe enough for CISA, FBI, and NSA to release a joint Advisory stating “Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks.” Successful exploitation of Log4Shell on a system can enable the threat actor to take full control of the system. Mass scanning attempts by threat actors to identify vulnerable systems are ongoing. In addition, botnets like Mirai, remote access toolkits, and reverse shells such as Meterpreter have expanded to leverage the Log4Shell vulnerability. Threat actors are also finding new ways to exploit this vulnerability by, for example, exploiting internal systems in the enterprise and leveraging these systems to conduct post exploitation activity. Patching Log4Shell vulnerable versions of various systems and applications will take a long time. Patching may not even be possible for certain embedded systems. Existing detection methods rely on signatures and threat actors have started circumventing such simple detection methods by using payload obfuscation.