Recently, an interesting survey pointed out that malware attacks are going fileless.  In some cases, this means even using an internal employee to help with the process. For example, the attack on the Bank of Bangladesh and you quickly realize that advanced attackers continue their rapid evolution from amateur to professional.  What can enterprises do?

Today, security teams deal with insiders in a number of disjointed ways:

  • Analytics — Many UBA vendors attempted to identify insider threats using statistical analysis to flag anomalous behavior. However, this approach is prone to false positives (e.g., flagging admins for conducting patch updates is legit but looks aberrant).    Also, analytics often requires a period of data mapping and ingest.  This often proves time consuming and requires customization (aka, professional services and a really, really long deployment).
  • Endpoint monitoring —The EDR market is growing. The promise of finding Indicators of Compromise or various activities indicating malicious internal (or external behavior) is attracting a lot of security spend and attention.  However, SOC teams are finding that finding IOCs is nice, but time consuming.  Indicators of attack, they’re finding, are much more pertinent.
  • DLP —The issues with policy-driven security is well documented. DLP, arguably, is the king of false positives and in need of constant tuning.

In security, we have to follow a basic maxim:  Prepare for the worst and hope for the best.  Most insider incidents are accidents, “Ooops, I clicked on that or didn’t mean to send this.” At its worst, security teams have to prepare for a complex attack:  be ready if the attacker takes time to understand the target, prepares sophisticated attack based on knowing your infrastructure with clever plans to bypass your defense.  In the Bank of Bangladesh incident, where attackers allegedly worked with internal employees, the hackers almost siphoned off nearly $1B.

This is where deception comes in.  To counter a sophisticated attacker, “deception in depth” can be a real asset.   But what if that attacker has moved into the inside?  How does this work?  Let’s assume you have a malicious insider who knows your infrastructure and has sophisticated tools.

For the sake of illustration, let’s use the recent ATM attacks.  In this case, attackers around the world attack banks to take control of ATM machines:

To perform a logical attack, hackers access a bank’s local network,
which is further used to gain total control over ATMs in their system.
Cash machines are then remotely triggered to dispense money,
allowing criminals to steal large amounts with relative ease.

How would deception identify—and stop—the ATM attackers from moving laterally to take over the bank network?  Deception would go through a multi-step process to give the insider an option to access and download sensitive documents:

  • Step 1: Detect  the malicious motivation.  How can you know someone’s intentions?  This is where the role of fake content comes in.  It should mimic the enterprise’s environment.  Does the user want to access FTP or SharePoint for sensitive information?  If an internal user is legitimate, there is no need for a legitimate user to touch the fake deception sensors. For example, there is no need for a use to access the fake SQL or FTP server.
  • Step 2: Engage:  With deception, the attacker is supplied a decoy or virtualized networked.  How they behave in this test tube gives a clear indication of motivation.  In the first step, they have access to our fake and attractive information.  What do they do with it?  For example, In case of ATM hack, the attacker would have installed, ATM malware in the fake engagement server.  If the answer is yes to any these, onto the next step.
  • Step 3: Response. From engagement, once a malicious action is identified, the infected endpoint can be isolated to prevent further spread of infection and/or the IOC which has been generated by engaging the threat can be used to harden the internal weak links in an organization.

What is the technical underpinning that allows this to work?  Fundamentally, deception is attack agnostic.  With more attacks taking place inside the perimeter, for example, attackers constantly change their form:  executables, Javascript as well as fileless.  Eventually, the volume of attack permutations breaks down detection capabilities.  Attackers simply figure out how to outsmart the latest defense.

Deception, since gets activated during the execution of threat, it is independent of the file type and of the delivery vector. When it executes in the network—whether from an internal or external source–you know.  By giving someone the option to misbehave and they eagerly cross a Rubicon, there’s no more guesswork.

Just under a year ago, Gartner recently praised “deception in-depth as a new strategy for comprehensive threat defense against the onslaught of advanced attackers and attack techniques.” At that time, the attack du jour was ransomware.  With the CIA leak, today’s threat du jour focuses on insiders.  Tomorrow, who knows.  Whatever the threat, a pliable, effective defense is needed.