The severity of any infection will get multiplied when it employs spreading technique. Ransomware which has been one of the critical threat for quite some time have been able to increase its effect by spreading to the mapped and unmapped drive. In the recent past threat actors have made use of remote code execution (such as WannCry), harvesting credentials from memory (such as Petya ,Shamoon), harvesting email addresses from the address book to spread inside the network.
Traditional defenses are aimed to detect and stop an attack. Deception-centric architecture differs from the traditional architecture; it is not only used to identify an ongoing threat, but also to divert the threat to an engagement platform to gather every malicious indicator of a multistage of attack. Once every malicious indicator of attack is captured then it can be used for many purposes such as to attribute a multi-stage attack to a threat actor, quarantine the infected computers, protect against the variation of an attack.
In the technical white paper, we first dive deep at the source code level to share the details of the spreading techniques which has actively been used by the worms. The paper then discusses the static breadcrumbs or lures which is used to detect and divert these multi-stage attack to the deception platform. The technical paper also introduces dynamic breadcrumbs. Dynamic breadcrumbs are the values which get projected in real time when a process is declared to be malicious. It is a definite manner of diverting a multistage threat to a deception platform.
In future, we expect to see more and more threats which will be multistage and will make of spreading techniques. Deception centric architecture is a powerful architecture to not only detect an attack but also gather every malicious indicator of an attack. Identification of every malicious indicator of attack will then aid to identify the threat actors, and the IoC’s can be used to quarantine the infected machines.
Download technical white paper here: Spreading Techniques and Deception-based Detection – Acalvio Technical White Paper.
 Shamoon, https://securelist.com/from-shamoon-to-stonedrill/77725/
 WannaCry, https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-ransomware-2017-en.pdf
 Recent Resurgence in Shamoon,https://community.rsa.com/community/products/netwitness/blog/2017/02/08/recent-resurgence-in-shamoon
 New ransomware, old techniques: Petya adds worm capabilities,
 Google says the fake Google Doc worm that went viral affected fewer than 0.1% of Gmail users,