Tanmoy S | April 6, 2023
Using Generative AI to create deceptions for Identity Protection
Generative AI has taken the world by storm. It has become an exciting and rapidly developing field that involves the creation of images, videos, music, text, and other data using generative AI models. According to a Gartner article, AI-powered chatbots are just the beginning; enterprise uses for generative AI are far more sophisticated. The Gartner article summarizes several applications of generative AI in healthcare, marketing, and other industries. Here, we discuss how Generative AI can be leveraged for cybersecurity, specifically for identity protection.

Most data breaches involve attacks on identities. The SolarWinds/APT29 attack, the Twitter breach, and ransomware attacks by LockBit and REvil are examples of high-profile attacks that involved identity compromises. Attackers can launch identity attacks by using openly available tools such as Mimikatz and LaZagne to access cached credentials on endpoints. Attackers might also use brute-force techniques like password spraying and credential stuffing to attack identity artifacts such as NTLM hashes, Kerberos tickets, and SAML tokens. They can exploit user/service account misconfigurations that provide credential access through identity-specific offensive techniques, such as Kerberoasting and AS-REP Roasting. They are attacking identity stores such as Active Directory (AD), Azure AD, Azure AD Connect, Active Directory Federation Services (ADFS), and Active Directory Certificate Services (ADCS). By using DCSync/DCShadow attacks against AD, attackers can gain access to the credentials of any account and disable MFA policies.

Identity threats are a serious problem, and enterprises need to prioritize identity defense and make it an integral part of the overall cybersecurity strategy. Acalvio's Active Directory Protection solution discovers identities from various enterprise identity stores such as AD, ADCS, Azure AD and M365, and identifies attack surfaces that an attacker can exploit.

The solution also identifies key assets that are at high risk of being attacked. Typically, attackers target key assets and the privileged user/service accounts associated with them. For example, network shares may have cached credentials of domain admins/privileged accounts. An attacker would attempt lateral movement to a network share to gain access to these credentials. Similarly, an enterprise may have several Kerberoastable service accounts whose credentials may be cached on various endpoints. The Acalvio solution discovers all such attack surface elements that can be exploited by an attacker.

Figure 1: Combining Generative AI with Systems Engineering Creates Disparate Deceptions

In recent years, the use of Generative AI has shown great potential for enhancing cybersecurity. The Acalvio solution employs Generative AI to recommend decoy identities to be added to AD and decoy tokens to be placed on real endpoints. The deception types and their placements are determined by AI algorithms so that the deceptions can lure, deceive, and divert advanced threats lurking inside the enterprise network. These AI algorithms can recommend thousands of decoy identities and decoy tokens that can be added to identity stores like AD and to endpoints, respectively. As shown in the figure above, by combining systems engineering with Generative AI, the Acalvio solution creates deceptions for all types of assets, such as decoy identities for Active Directory, decoy tokens for endpoints, decoy computers for networks, decoy IoT devices, and so on. The AI algorithm computes the number of deceptions (the deception density), the deception types, and the deception placements, and also makes the deceptions attractive so that attackers interact with them. By combining Generative AI with other AI algorithms, the Acalvio solution can ensure that the deceptions blend well with enterprise identities and network assets.

Deceptions deployed by the Acalvio solution raise alerts when an attacker interacts with them. These alerts are high-fidelity alerts because enterprise users would not interact with the deceptions. AI algorithms in Acalvio's solution can also identify thousands of attack paths to key assets and the attack surface that an attacker can exploit to take over key assets. These attack paths are identified by combining data from multiple data sources (AD, Azure AD, endpoints, applications). Information about these attack paths is leveraged to determine the best placement locations for deceptions. The Acalvio approach is free of the false-positive challenges associated with traditional, anomaly-based detection mechanisms. Also, deception-based identity threat defense does not leverage signatures or rules, so it does not need to be updated for new identity threats. Acalvio's Identity Theft and Detection Response provides a solution to protect identities using a novel set of AI algorithms, Generative AI, and systems engineering.
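A worked example of the alerting logic that decoy identities make possible, added here as illustration and not Acalvio's code: it assumes the planted decoys are tracked in a simple set and that events arrive as parsed Windows Security audit records (event IDs 4768, 4769, 4624 and 4625 are the standard Kerberos and logon audit events; the account names, SPNs and IP addresses are constructed). Any touch of a decoy is raised, because no legitimate user has a reason to request a ticket for, or log on as, an identity that does not really exist.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed decoy inventory (hypothetical names): identities the defender planted in AD.
DECOY_IDENTITIES = {"svc-backup-legacy", "adm-jsmith2"}
RC4_HMAC = "0x17"  # Kerberos etype 0x17 = RC4-HMAC, the ticket type Kerberoasting tooling asks for

@dataclass(frozen=True)
class Alert:
    event_id: int
    technique: str
    decoy: str
    source_ip: str

def decoy_touched(event: dict) -> Optional[str]:
    """Return the decoy an event names, or None. 4769 names the service; the others name the account."""
    field = "ServiceName" if event["EventID"] == 4769 else "TargetUserName"
    name = event.get(field, "").lower().split("@")[0].rstrip("$")
    return name if name in DECOY_IDENTITIES else None

def classify(event: dict) -> Optional[Alert]:
    """Map one parsed Windows Security event to a high-fidelity alert, or None."""
    decoy = decoy_touched(event)
    if decoy is None:
        return None  # legitimate users have no reason to touch a decoy, so nothing to raise
    eid, ip = event["EventID"], event.get("IpAddress", "unknown")
    if eid == 4769:  # service ticket requested for a decoy SPN
        rc4 = event.get("TicketEncryptionType") == RC4_HMAC
        technique = "Kerberoasting (RC4 TGS for decoy SPN)" if rc4 else "TGS request for decoy service"
    elif eid == 4768:  # TGT requested as the decoy account (AS-REP roasting or credential use)
        technique = "TGT request for decoy account"
    elif eid == 4625:  # failed logon: spraying/stuffing against a decoy account
        technique = "failed logon with decoy account"
    elif eid == 4624:  # successful logon: a stolen decoy credential was actually used
        technique = "successful logon with decoy credentials"
    else:
        return None
    return Alert(eid, technique, decoy, ip)

def scan(events: Iterable[dict]) -> List[Alert]:
    """Run the classifier over a stream of events; every hit is actionable."""
    return [a for a in map(classify, events) if a is not None]

# Constructed sample events in the shape of parsed Windows Security audit records (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc-backup-legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.23"},
    {"EventID": 4625, "TargetUserName": "ADM-JSMITH2", "IpAddress": "10.0.9.40"},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.5.23"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts (the RC4 ticket request for the decoy SPN and the failed logon as the decoy admin) and nothing for the two legitimate events, which is the property that lets such alerts be routed straight to response rather than triage.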
Team Acalvio | November 10, 2022
Detection of Prevalent Threats by Distributed Deception
Today's breaches are overwhelmingly carried out in a series of sophisticated, multi-stage attacks. The stages of such attacks can best be described by a "Cyber Kill Chain," which, as per the MITRE ATT&CK Adversary Tactic Model [1], breaks down cyber intrusions into the steps shown in Figure 1.0.

Figure 1.0: MITRE ATT&CK Adversary Tactic Model

In Table 1.0, I have discussed six critical multi-stage attacks. I have precisely listed the breadcrumbs and lures that are required at the endpoint and the deceptions on the network to detect and divert these threats. The table further lists the conditions which, when triggered, will raise the alarm for a breach and the stage at which the threat will be discovered. This stage is as per the ATT&CK Matrix for Enterprise [1]. Based on the nature of the threat, once an alert for a breach is raised it can trigger appropriate automated responses. Examples of responses include isolation of the infected endpoint, a SOC alert for remediation, etc.

The six threat families considered in this blog are:
- Ransomware [5]
- Crypto miners [2]
- Breaches leveraging web servers for entry [4]
- Destructive malware (such as Shamoon [3] and Petya [6])
- Information stealers
- Password stealers

In our blogs listed in the references, we have discussed the exploitation steps of these threats. These threats have also been covered extensively within the research community. By using a distributed deception platform, two of these threat families (ransomware and password stealers) are detected in the execution phase. The other four are identified during the lateral movement phase, when the attacker is attempting to spread to other machines.

Based on the analysis shown in the table, the takeaway is the following: a deception-centric architecture detects the second or subsequent stage of the payload, and hence detection by distributed deception becomes independent of the vulnerability that is exploited at the first stage. Whether the first stage makes use of 0-days, a known vulnerability, or even socially engineers humans into giving access via phishing or socially engineered malware, a deception-centric architecture will raise an alert if the second or subsequent phase touches the deceptions. In many of the cases presented in the table above, such as breaches involving a web server, detection of information stealers, detection of crypto miners, and detection of destructive malware, a distributed deception architecture is capable of detecting the threat actor or worm after it has breached an organization but before the final intent is completed. The algorithm or technique leveraging deception that is used to identify the threat is generic, i.e., it is independent of the purpose of the worm or the threat actor. The capability of detecting a worm or an adversary independent of the first stage, and of detecting a breach in a generic manner independent of the final intent, makes it a recommended architecture to prevent sophisticated breaches.

References
[1] ATT&CK Matrix for Enterprise, https://attack.mitre.org/wiki/Main_Page
[2] WannMine lateral movement techniques, /resources/blog/wannmine-lateral-movement-techniques/
[3] How to outfox Shamoon, put deception to work, /resources/blog/how-to-outfox-shamoon-put-deception-to-work/
[4] Deception Centric Architecture to prevent breaches involving Web Server, /resources/blog/deception-centric-architecture-to-prevent-breaches-involving-webserver/
[5] Deception centric defense against the Ransomware, /resources/blog/deception-centric-defense-against-ransomware/
Team Acalvio | November 6, 2022
Hiding in Plain Sight: Streamlining Deception for Security
Honeypots. Just those three syllables are enough to cause instant nausea in a cyber security professional. Why? Honeypots are hard to operationalize into an effective, easy-to-use and consistent defense. But times are changing with the proliferation of deception technologies (Gartner tracked 16 vendors in a September 2016 report). Can deception be easily rolled into a cyber security defense?

The problem so far has been properly operationalizing deception. Implementing it is a lot of work. Today's deception approaches, like camouflage in the physical world, rely on consistent surroundings for concealment. When soldiers wear camouflage for snow, the desert or a forest and the surroundings remain constant, you're fine. But ascend from the forest to a snowy mountaintop and, unless you can rapidly change, you're exposed. Every IT environment constantly changes. If deception can't adapt like a chameleon, it's useless. That's Deception 1.0.

Enterprises need something that morphs. Modern deception must update dynamically with the environment being protected. For example, can your deception technology detect and recognize that you just updated a Linux installation? That's the defense philosophy behind Deception 2.0. But the question is: how do security teams make deception deployable and effective? It has to be easy. And we mean dirt effing simple. A no-brainer, easy as pie, or any other appropriate idiom. A recent report found that enterprises average 17,000 malware alerts per week, so it's a safe bet that alert number 17,001 won't be investigated. In such an environment, deception must be operationalized quickly, easily and with tremendous impact.

How would that look? It should meet several key business, technical and usability criteria. Technically, one should learn from the mistakes of many of today's security vendors who have built products with long deployments and complex configurations. Deception tools must be able to:

- Hide in plain sight. For a deception solution, this tops the list. How does this work? A deception technology needs to have some machine learning to understand and conform to your ever-evolving organization. By implication, this also means deception should be autonomous: the tool runs on its own, no tuning required.
- Deploy within minutes. The tool is deployed easily and left to understand your environment. Once installed, the deception tool provides a list of recommendations within just a few hours. The UI says, here's what you should do.
- Integrate with other security tools. Most security teams have their favorite tools of choice. At a minimum, a deception tool quickly integrates into your ecosystem.

From a usability perspective, security tools should:

- Fit into your current workflow. Rather than doing health checks every morning in a separate UI, an alert from a deception system should go into whatever event monitoring tool you've got deployed.
- Enhance productivity. Deception, with its attack visibility, can help tune, for example, Splunk logs and reduce alerts. At the end of the day, you have a secondary, more reliable tool to understand if something is true or false, reducing alert fatigue. This also means accelerated investigations with improved breach response and visibility, as well as augmenting the ROI from other security tools.

Lastly, and most importantly, does the deception tool help the business? It should have a clear, quantifiable impact that allows the security team to stand in front of the CEO and say, "here's how we reduced risk." It should:

- Stop data/IP loss. The name of the game; enough said.
- Reduce time to discovery. We all know the stats: dwell times are long, often starting around the Mesozoic Era. As security professionals, compressing this time is critical for many reasons. For example, you have a better idea of who did it. What were they after? What did an employee click on?
- Improve executive awareness and understanding. With security in the headlines almost daily, C-levels often ask, "Are we safe from [insert name of whatever spooky attack group a vendor's marketing geek came up with]?" You want to respond, "Yes, and here's how we kept them out. Also, we are aware of their attack methods and what they're hoping to do." In other words, the tool should help show that your team has its act together.

Deception, if done properly, can be a transformational shift in security strategy. By duping attackers and decreasing the attack surface, more of the burden of effort shifts back to the attacker. To succeed, deception efforts need to be inexpensive and usable by any enterprise, large or small, well staffed or understaffed. Today, many Deception 1.0 technologies are on premise and focus on large, well-established companies. But deception should become foundational, a cornerstone of everyone's security strategy. If anyone tells you that an expensive, professional-services-heavy deployment is required, don't be deceived.