Blog.

Healthcare institutions are heavily targeted by cyber attackers. The critical services these institutions provide, the volume of sensitive data they handle, the mix of IT and OT infrastructure, and unpreparedness make healthcare institutions very attractive and vulnerable to cyberattacks. While several strategies exist to mitigate risk, deception technology in healthcare is a proven and effective method to detect and respond to cyber attacks.

The previous post in the Identity Security blog series covered identity-based attacks and why there has been an increase in the number and types of such attacks. This blog describes the identity security ecosystem. The blog covers the components of an identity security ecosystem, what each component does in an enterprise, and describes some limitations. In any enterprise, there is an existing ecosystem for identities and their management. Starting with the identity repositories, authentication, and access policies, and covering the trust relationship definitions at macro and micro levels. Organizations have multiple solutions in place for managing this ecosystem.

Over 80% of cyber attacks involve identity compromise. This includes malware threats, Ransomware, and advanced persistent threat (APT) actors. Attackers leverage identities for Lateral Movement and to escalate privileges as part of an offensive campaign. Cyberattacks have become a persistent threat to organizations across sectors. As the cyber threat landscape grows more complex, attacks are becoming larger and more scalable. Attackers are making use of superior digital and economic resources, allowing them to develop attacks that are increasingly sophisticated stemming from a large variety of attack vectors. In this blog series, we look at identity-based attacks, the identity ecosystem, and the importance of identity security.

Acalvio Technologies and CrowdStrike Falcon® Identity Protection help customers combat increasingly sophisticated identity-based attacks. Acalvio has introduced the industry’s first and only enterprise-scale implementation of Honey Accounts and HoneyTokens with automated life cycle management.   Available on the CrowdStrike Store, the integration empowers CrowdStrike customers to use Acalvio’s Honeytokens and Honey Accounts seamlessly to detect identity threats.

A Chinese hacking group breached email accounts of several US and Western European government agencies. What was their modus operandi and primary motive? On July 11 2023, Microsoft released information indicating that the email accounts of multiple US federal agencies and Western European government agencies were accessed by threat actors, and sensitive data was exfiltrated. This attack had been underway for several weeks but went undetected. Threat actors gained unauthorized access to Outlook Web Access (OWA) in Exchange Online and Outlook.com to obtain access to sensitive emails.

Identity based attacks are rising dramatically. According to Verizon’s 2022 Data Breach Investigation Report, credential-based attacks have become the top path for threat actors to reach enterprise information assets. Microsoft estimated that they blocked almost 26 billion identity attack attempts in 2021. Similarly, Akamai estimates 193 billion credential attacks were blocked in 2020. As more organizations transition to the cloud and a work-from-anywhere model, securing the enterprise network against identity threats is vital. A comprehensive Identity Threat Detection and Response (ITDR) solution is the best defense against identity attacks.

As discussed in this whitepaper, the MITRE ATT&CK framework is a critical technology resource that can help you systematically evaluate your security measures against the potential threats you may encounter. Understanding the weaknesses in your current cybersecurity posture is a crucial step in protecting your digital assets.

In May 2017, the WannaCry ransomware attack made front-page news around the world, with at least 150 countries and over 200,000 customers affected by the attack. The WannaCry ransomware made use of an exploit that targeted the SMB protocol of Microsoft Windows. The ransomware attack was able to propagate quickly in the space of a few hours. The rapid spread of this ransomware attack and the dramatic way in which the attack was finally stopped have made this attack an important case study for Security teams around the world. This blog details the lateral movement techniques used in the WannaCry ransomware attack, the impact of the attack, and other aspects of the attack. For details about other types of lateral movement techniques that have been employed by malware, refer to the published paper in Virus Bulletin.

Generative AI has taken the world by storm. It has become an exciting and rapidly developing field that involves the creation of images, videos, music, text, and other data using generative AI models. According to a Gartner article, AI-powered chatbots are just the beginning; enterprise uses for generative AI are far more sophisticated. The Gartner article summarizes several applications of generative AI in healthcare, marketing, and other industries. Here, we discuss how Generative AI can be leveraged for cybersecurity, specifically for identity protection. Most data breaches involve attacks on identities. The SolarWinds/APT 29 attack, Twitter breach, and ransomware attacks by LockBit and REvil are examples of high-profile attacks that involved identity compromises. Attackers can launch identity attacks by using openly available tools such as Mimikatz and LaZagne to access cached credentials on endpoints. Attackers might also use brute force techniques like password spraying and credential stuffing to attack identity artifacts such as NTLM hashes, Kerberos tickets, and SAML tokens. They can exploit user/service account misconfigurations that provide credential access through identity-specific offensive techniques, such as Kerberoasting and AS-REP Roasting. They are attacking identity stores such as Active Directory (AD), AzureAD, Azure AD Connect, Active Directory Federation Services (ADFS), and Active Directory Certification Services (ADCS). By using DCSync/DCShadow attacks against AD, attackers can gain access to the credentials of any account and disable MFA policies. Identity threats are a serious problem, and enterprises need to prioritize and make identity defense an integral part of the overall cybersecurity strategy. Acalvio’s Active Directory Protection solution discovers identities from various enterprise identity stores such as AD, ADCS, AzureAD & M365, and identifies attack surfaces that an attacker can exploit. The solution also identifies key assets that are at high risk of being attacked. Typically, attackers target key assets and privileged user/service accounts associated with them. For example, network shares may have cached credentials of domain admins/privileged accounts. An attacker would attempt lateral movement to a network share to gain access to these credentials. Similarly, an enterprise may have several Kerberoastable service accounts and their credentials may be cached on various endpoints. The Acalvio solution discovers all such attack surface elements that can be exploited by an attacker.   Figure 1: Combining Generative AI with Systems Engineering Creates Disparate Deceptions In recent years, the use of Generative AI has shown great potential for enhancing cybersecurity. The Acalvio solution employs Generative AI to recommend decoy identities to be added to AD and decoy tokens to be placed on real endpoints. The deception types and their placements are determined by AI algorithms so that the deceptions can lure, deceive, and divert advanced threats lurking inside the enterprise network. These AI algorithms can recommend thousands of decoy identities and decoy tokens that can be added to identity stores like AD and endpoints, respectively. As shown in the above figure, by combining systems engineering with Generative AI, the Acalvio solution creates deceptions for all types of assets, such as decoy identities for Active Directory, decoy tokens for endpoints, decoy computers for networks, decoy IOT devices, and so on. The Al algorithm computes the number of deceptions (or deception density), deception types, and deception placements, and also makes the deceptions attractive so that attackers interact with them. By combining Generative AI with other AI algorithms, the Acalvio solution can ensure that the deceptions blend well with enterprise identities and network assets. Deceptions deployed by the Acalvio solution raise alerts when an attacker interacts with them. These alerts are high-fidelity alerts because enterprise users would not interact with the deceptions. AI algorithms in Acalvio’s solution can also identify thousands of attack paths to key assets and the attack surface that an attacker can exploit to take over key assets. These attack paths are identified by combining data from multiple data sources (AD, Azure AD, endpoints, applications). Information about these attack paths is leveraged to determine the best placement locations for deceptions. The Acalvio approach is free of false positive challenges associated with traditional, anomaly-based detection mechanisms. Also, deception-based identity threat defense does not leverage signatures or rules and so it does not need to be updated for new identity threats. Acalvio’s Identity Theft and Detection Response provides a solution to protect identities using a novel set of AI algorithms, Generative AI, and systems engineering.

For most enterprise security staff, the answer is “Hmmm, not sure if that’s for me”. It’s true that threat hunting is a bit daunting: What goals am I going to achieve? What will I do if I actually find an adversary? Do I have the skills needed? Isn’t this just going to generate more work and “issues” to track down? A recommended approach is to start with limited, clear objectives – ones that you really can’t ignore. Our first example: Post-compromise. Here’s the scenario: you identify the endpoints that have malware on them and you remediate them. But you have no idea if the adversary has established additional footholds within your network. Since “Hope is not a strategy”, you should initiate an active response to try and find him.   Now it’s time for a bit of threat hunting. Hunting boils down to two steps: Defining a hypothesis Testing that hypothesis (as effectively and cheaply as possible)

Today’s breaches are overwhelmingly carried out in a series of sophisticated, multi-stage attacks. The stages of such attacks can best be described by a “Cyber Kill Chain,” which as per MITRE ATT&CK Adversary Tactic Model [1] breaks down cyber intrusions into the steps shown in figure 1.0. Figure 1.0 MITRE ATT&CK Adversary Tactic Model In the table 1.0, I have discussed six critical multi-stage attacks. I have precisely listed the breadcrumbs and lures that are required at the endpoint and deceptions on the network to detect and divert these threats. The table further lists the conditions which when triggered will raise the alarm for breach and the stage where the threat will get discovered. This stage is as per the ATT&CK Matrix for Enterprise[1]. Based on the nature of the threat, once an alert for a breach is raised it can trigger appropriate automated responses. Examples of responses include: isolation of the infected endpoint, SOC Alert for remediation, etc. The six threat families considered in this blog are: Ransomware[5] Crypto Miner[2] Breaches leveraging Web Servers for entry [4] Destructive malware (such as Shamoon[3] and Petya[6]) Information stealers Password stealers In our blogs listed in references, we have discussed the exploitation steps of these threats. These threats also have been covered extensively within the research community. By using a distributed deception platform, two of these threat families (ransomware and password stealers) is detected in the execution phase. The other four are identified during the lateral movement phase when the attacker is attempting to spread to other machines. Based on the analysis shown in the table following is the takeaway: Deception centric architecture detects the second or subsequent stage of payload, and hence the detection of distributed detection becomes independent of the vulnerability which is exploited at the first stage. The first stage can make use of 0-days, or it can make use of the known vulnerability or even socially engineer humans into giving them access via phishing or socially-engineered malware, a deception-centric architecture will raise an alert if the second or subsequent phase touches the deceptions. In many of the cases such as breaches involving web server, detection of information stealer, detection of crypto miners, detection of destructive malware presented in the table above, distributed deception architecture is capable of detecting threat actor or worm after it has breached an organization before the final intent is completed. The algorithm or the techniques leveraging deception which is used to identify the threat is generic, i.e., it is independent of the purpose of the worm or the threat actor. The capability of detecting worm or an adversary independent of the first stage and detecting a breach in a generic manner independent of the final intent makes it a recommended architecture to prevent sophisticated breaches. References [1] ATT&CK Matrix for Enterprise, https://attack.mitre.org/wiki/Main_Page [2] WannMine lateral Movement techniques, /resources/blog/wannmine-lateral-movement-techniques/ [3] How to outfox Shamoon, put deception to work, /resources/blog/how-to-outfox-shamoon-put-deception-to-work/ [4] Deception Centric Architecture to prevent breaches involving Web Server, /resources/blog/deception-centric-architecture-to-prevent-breaches-involving-webserver/ [5] Deception centric defense against the Ransomware /resources/blog/deception-centric-defense-against-ransomware/

Honeypots. Just those three syllables are enough to cause instant nausea with a cyber security professional. Why? Honeypots are hard to operationalize into an effective, easy to use and consistent defense. But times are changing with the proliferation of deception technologies (Gartner tracked 16 vendors in a September 2016 report). Can deception be easily rolled into a cyber security defense? The problem so far has been properly operationalizing deception. Implementing is a lot of work. Today’s deception approaches, like camouflage in the physical world, rely on consistent surroundings for concealment. When soldiers wear camouflage for snow, the desert or a forest and surroundings remain constant, you’re fine. But ascend from the forest to a snowy mountaintop and, unless you can rapidly change, you’re exposed. Every IT environment constantly changes. If deception can’t adapt like a chameleon, it’s useless. That’s Deception 1.0. Enterprises need something that morphs. Modern deception must update dynamically with the environment being protected. For example, can your deception technology detect and recognize that you just updated a Linux installation? That’s Deception 2.0. That’s the defense philosophy behind Deception 2.0. But the question is: how do security teams make deception deployable and effective? It has to be easy. And we mean dirt effing simple. A no brainer, easy as pie or any of other appropriate idiom. A recent report found that enterprises average 17,000 malware alerts per week so it’s a safe bet that alert number 17,001 won’t be investigated. In such an environment, deception must be operationalized quickly, easily and with tremendous impact. How would that look? It should meet several key business, technical and usability criteria. Technically, one should learn from the mistakes of many of today’s security vendors who have built products with long deployments and complex configurations. Deception tools must able to: Hide in plain sight. For a Deception Solution, this tops the list. How does this work? A deception technology needs to have some machine learning to understand and conform to your ever-evolving organization. By implication, this also means deception should be autonomous—the tool runs on its own, no tuning required. Deploy within minutes: Tool is deployed easily and let it understand your environment. Once installed, the deception tool provides a list of recommendations within just a few hours. The UI says here’s what you should do. Integrate with other security tools: Most security teams have their favorite tools of choice. At a minimum, a deception tool quickly integrates into your ecosystem. From a usability perspective, security tools should: Fit into your current workflow. Rather than do health checks every morning in a separate UI, an alert from a deception system should go into whatever event monitoring tool you’ve got deployed. Enhance productivity. Deception, with its attack visibility, can help tune, for example, Splunk logs and reduce alerts. At the end of the day, you have a secondary, more reliable tool to understand if something is true or false, reducing alert fatigue. This also means accelerated investigations with improved breach response and visibility as well as augmenting the ROI from other security tools. Lastly, and most importantly, does the deception tool help the business? It should have clear, quantifiable impact that allows the security team to stand in front of the CEO and say, “here’s how we reduced risk.” Stops data/IP loss. The name of the game—enough said. Reduce time to discovery. We all know that stats that dwell times are long, often starting around the Mesozoic Era. As security professionals, compressing this time is critical for many reasons. For example, you have a better idea of who did it. What were they after? What did an employee click on? Improves executive awareness and understanding. With security in headlines almost daily, C-level’s often ask, “Are we safe from [insert name of whatever spooky attack group a vendor’s marketing geek came up with]?” You want to respond, “Yes, and here’s how we kept them out. Also, we aware of their attack methods and what they’re hoping to do.” In other words, the tool should help show that your team has its act together. Deception, if done properly, can be a transformational shift in security strategy. By duping attackers and decreasing the attack surface, more of a burden of effort shifts back to the attacker. To succeed, deception efforts need to be inexpensive and usable by any enterprise, large or small, well staffed or under staffed. Today, many Deception 1.0 technologies are on premise and focus on large, well-established companies. But deception should become foundational, a cornerstone of everyone’s security strategy. If anyone tells you that an expensive, professional services heavy deployment is required—don’t be deceived. Get notified of the next blog post