Post on 27-Dec-2019


WHITEPAPER

DECEPTION TECHNOLOGY FOR FINANCIAL INSTITUTIONS


www.attivonetworks.com Whitepaper ANWP072619 © 2019 Attivo Networks. All rights reserved.

ABSTRACT

Cyberattacks continue to build in volume, severity, and complexity, with many of the most advanced attacks targeted at financial institutions. Despite highly advanced security infrastructure, financial institutions still fall victim to threat actors and malicious insiders that have evolved to bypass even the most competent prevention systems. Additionally, new technology to handle, transfer, and store critical financial information will expand the threat surface and increase the risk of a breach. As security teams work to detect and respond to an unrelenting volume of suspicious incidents, alert fatigue will become overwhelming, as will the corresponding workload to address them.

This paper explores the information security challenges faced by financial organizations and how deception technology is used for the high-fidelity detection of advanced threats across all attack surfaces and lateral movement attack methods.

OVERVIEW

Despite regulations that require financial organizations to adhere to strict cybersecurity measures and stringent compliance and security rules, many reputable financial institutions suffered significant breaches in 2018. Even now, many still struggle to pass required penetration tests and security audits consistently.

Advanced threat actors have demonstrated that they can regularly bypass traditional perimeter security solutions, meaning that financial organizations must continuously improve their strategies against sophisticated attackers. While many organizations have embraced a modern defense-in-depth approach that includes prevention, detection, response, and attack prediction, these measures are still proving fallible. Threat actors have become more sophisticated and have developed advanced techniques to avoid discovery and complete their attacks, resulting in unprecedented levels of financial data theft.

CHALLENGES

One of the most significant challenges computer security professionals face is the inability to detect credential theft and lateral movement early within their computer systems or networks. This gap in detection is why attackers can remain hidden for extended periods, concealed by the deluge of alerts practitioners must process. Highlighting this crucial issue, the Ponemon Institute found that financial services organizations on average took more than 163 days to identify a breach and about 54 days to contain it.

The average amount of time required to identify a data breach in the financial services industry is 163 days, and the average amount of time financial services organizations take to contain a data breach once identified is 54 days.

- Ponemon Institute

Deception technology adds critical functionality for detecting attacker activities early and accurately in the attack cycle. Taking a page out of military operations, Attivo applies deception-based decoys and lures within the network to deceive and misdirect attackers, tricking them into revealing themselves. It presents a unique opportunity to change the asymmetry of war against cyber attackers, altering their reality and imposing increased cost as they are forced to decipher what is real and what is fake. It is also a valuable resource for gathering company-specific threat intelligence on an attacker's tools, techniques, and motivations.

INFORMATION SECURITY THREAT CHALLENGES

Financial institutions have access to and implement some of the most advanced security infrastructures. However, despite substantial investments, subtle gaps in security controls – and simple human error – can impede consistent, reliable, and early breach detection. A financial organization’s sophisticated security also comes with substantial operational overhead. There are considerable operational and staffing costs required to keep up with the volume of alerts, logs, and threat information, all at a time when there is an unprecedented lack of skilled workers (and pressure to pay premiums to secure the best talent). Accurate and early threat detection is needed more than ever, along with the ability to remediate incidents quickly and efficiently.

DECEPTION FOR ADDRESSING INFORMATION SECURITY THREAT CHALLENGES

Common use cases include:

The early and accurate detection of:

• Advanced Persistent Threats

• Lateral movement and credential theft

• Attacks on SWIFT networks

• Diligence, policy violation alerting, and attacks related to M&A

• Insider threats policy violations

• Cloud services attacks

• Application security threats

• FinTech API attacks


DECEPTION INNOVATION BRINGS ANSWERS

There are many approaches organizations may choose to take in addressing these challenges. Where some may select to add layers of threat prevention technologies, others may use behavior monitoring and traffic analysis to look for abnormal behavior, while other groups will actively threat hunt for attackers within the network. Each approach has its own merit; however, none is 100% foolproof. Deception technology is becoming widely adopted for its ability to set landmines, lures, and traps for detecting unauthorized activities. It has also gained broad appeal based on its high-fidelity alerts that allow a responder to act quickly and decisively.

DECEPTION TECHNOLOGY FOR EARLY DETECTION

Financial organizations are actively turning to deception technology as the preferred security control for early and accurate detection of threats that have bypassed other security solutions. Some are first-time deception technology adopters, drawn to the accuracy and efficiency of the solution, while others are migrating from homegrown honeypot technology to gain additional accuracy and operational efficiency.

Deception technology works by turning the network into a web of sensors with a maze of misdirection that tricks an attacker into engaging and revealing their presence. In a deception network, any contact with a deception asset is suspicious. Attackers will reveal themselves by merely touching one of these assets. By being present at the network and endpoint layers, deception technology blankets the environment with lures and traps designed to attract and engage an attacker during reconnaissance, lateral movement, while harvesting credentials, or when seeking to compromise Active Directory (AD). Deception also addresses alert and log fatigue by only generating an engagement-based alert that it substantiates with threat and adversary intelligence.

Advanced distributed deception platforms will also save time and energy by providing automated analysis of each attack, identifying the attacker’s Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), and by providing actionable intelligence about the attack to improve incident response and better fortify the network. This also gives the defender company-specific threat intelligence, which can be invaluable for fortifying defenses.

Reducing Risk and Improving Business Operations:

• Protection of high profile executives

• Addressing regulatory pressures related to breach disclosure

• GDPR compliance

• Supplier management

• Shortages of skilled workers and resources


DECEPTION FOR DISRUPTING THE ATTACK LIFECYCLE

ESTABLISHING A FOOTHOLD AND PRIVILEGE ESCALATION

After initially compromising a system, attackers will attempt to create a foothold in the network. They will seek to establish reliable communications with Command and Control (C2) servers outside of the environment and will often utilize custom malware to install back doors and remote access tools to maintain a presence, as well as steal credentials stored on the system to use later in their attack. These types of activities are hard to detect, as attackers can hide their C2 communications in multiple ways and it is challenging to identify credential theft and reuse, especially if the attacker does nothing out of the ordinary with those credentials.

Some conventional techniques used to steal credentials are:

• Using tools to harvest a user’s passwords, hashes, or Kerberos tickets from memory, or from applications like Outlook, database clients, browsers, FTP clients, etc.

• Performing Man-in-the-Middle (MitM) attacks to intercept credentials in transit.

• Extracting information from AD to obtain credentials and organizational data.

After harvesting legitimate credentials from an endpoint, the attacker can move from system to system, gathering and using more credentials until they gain administrative or privileged access and rights. Because the intruder uses real credentials, it is tough for most traditional security devices to detect them.

Deception systems play an essential role in disrupting credential theft and detecting privilege escalation by providing misinformation to the attacker as they seek to steal credentials. Endpoint-based deception places authentic-looking deceptive credentials and shared network drives on an endpoint or server to entice attackers into using them. The moment they attempt to use the deceptive credential, they are led to a deception server where the platform raises an alert, reveals the presence of the attacker, and analyzes attack activity. The platform can also open network connections with C2 systems to gain additional insight into the attacker’s tools, methods, and communications.

Network decoys can detect MitM attacks that try to capture credentials in transit. Since MitM activity is passive by nature, it is challenging for traditional security solutions to identify it because they must be on the same subnet as the MitM attacker to see it. Because organizations can deploy network decoys to any subnet, they can passively listen to unusual traffic that can indicate MitM activity and alert the security team when finding it.
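The engagement-based alerting described above, sketched as an added example that is not from the whitepaper or the Attivo platform: it assumes a hypothetical inventory of decoy accounts and decoy address space and a constructed, generic event format, and alerts on any event that touches either, whatever the logon outcome.

```python
"""Engagement-based alerting on decoy credentials and decoy hosts (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical deception inventory (assumption, not from the whitepaper):
# accounts that exist only as planted lures, and unused address space where
# decoys are projected. No legitimate user or system should touch either.
DECOY_ACCOUNTS = {"svc-swift-bkp", "adm-jlee"}
DECOY_NETWORKS = [ipaddress.ip_network("10.20.99.0/28")]

# Constructed sample events: "timestamp src_ip dst_ip account outcome"
SAMPLE_EVENTS = """\
2019-07-26T09:00:01Z 10.20.1.15 10.20.5.10 CORP\\alice success
2019-07-26T09:02:44Z 10.20.1.77 10.20.5.10 CORP\\SVC-SWIFT-BKP failure
2019-07-26T09:02:51Z 10.20.1.77 10.20.99.4 bob success
2019-07-26T09:03:10Z 10.20.1.77 10.20.99.4 adm-jlee@corp.example success
2019-07-26T09:05:00Z 10.20.1.15 10.20.5.11 alice failure
malformed line
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str
    target: str
    account: str
    reasons: tuple


def normalize_account(raw: str) -> str:
    """Reduce DOMAIN\\user and user@domain forms to a lower-case bare name,
    so a lure is matched however the attacker's tool formats it."""
    name = raw.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def detect(log_text: str):
    """Return (alerts, skipped_line_count) for the given event text."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            skipped += 1          # count unparsable input instead of hiding it
            continue
        timestamp, source, target, account, _outcome = fields
        try:
            target_ip = ipaddress.ip_address(target)
        except ValueError:
            skipped += 1
            continue
        reasons = []
        # The outcome is deliberately ignored: even a failed logon with a lure
        # shows that the credential was harvested from an endpoint.
        if normalize_account(account) in DECOY_ACCOUNTS:
            reasons.append("decoy-credential")
        # Any contact with decoy address space is suspicious by definition.
        if any(target_ip in net for net in DECOY_NETWORKS):
            reasons.append("decoy-host")
        if reasons:
            alerts.append(Alert(timestamp, source, target, account, tuple(reasons)))
    return alerts, skipped


def summarize_by_source(alerts):
    """Group alerts by originating host, the unit a responder would quarantine."""
    summary = defaultdict(lambda: {"first_seen": None, "reasons": set(), "count": 0})
    for alert in alerts:
        entry = summary[alert.source]
        if entry["first_seen"] is None or alert.timestamp < entry["first_seen"]:
            entry["first_seen"] = alert.timestamp
        entry["reasons"].update(alert.reasons)
        entry["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    found, skipped_lines = detect(SAMPLE_EVENTS)
    for source, info in summarize_by_source(found).items():
        print(source, info["first_seen"], sorted(info["reasons"]), info["count"])
    print("skipped lines:", skipped_lines)
```

The two production logons by `alice` produce no alert at all, while every event from `10.20.1.77` does, which is the source of the high-fidelity property the paper attributes to deception alerts.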

INTERNAL RECONNAISSANCE

Attackers conduct internal network reconnaissance to identify high-value targets, or to locate assets closer to their final objective. An attacker’s in-network reconnaissance actions are often performed over weeks or months, blending in with the “normal” traffic on the network, letting them go undetected. Some reconnaissance activity, such as directly querying AD from any member system to reveal system and user accounts or trusted domains, can yield vast amounts of information without alerting anyone.


Organizations can strategically place decoys to appear as production assets and plant lures to attract attackers into engaging. They can also incorporate deception into AD. Any scan of a deceptive network asset will trigger an alert. Querying AD returns decoy user and system accounts along with the production results, which also helps validate the stolen credentials, as they will have matching records in the AD database. Additionally, deception platforms can alter AD query results to insert deceptive data or hide production data to further misinform and misdirect the attacker.

LATERAL MOVEMENT

Without deception, detecting lateral movements inside the network (east-west traffic) can be extremely challenging. An active deception platform can accurately detect lateral movement, even with sleeper and time-triggered agents. These include lateral movements originating on an endpoint. Deception platforms can identify attackers scanning for available systems and services across the network and redirect them from live production assets to a decoy environment.

In the event of a ransomware attack, high-interaction deception will feed decoy files to the malicious process to keep it continually encrypting, dramatically slowing its progress. Such delaying tactics provide the security team time to stop the attack, isolating it from the network before it can cause extensive damage.

MISSION COMPLETION

It is critical for an organization to prevent an attacker from exfiltrating sensitive financial information or company data from the environment. Deception platforms provide valuable intelligence that tools which only block or detect an attack cannot gather. With the ability to capture information about the attack’s payload, its activities, and communications with C2, deception platforms can not only detect, but also collect, analyze, and report on attacks to identify exfiltration. Within the platform, the attack plays out in a controlled and monitored “synthetic” environment that collects attack information. By collecting data from C2 servers the attacker communicates with, the organization can preemptively block those addresses with existing perimeter security tools, preventing data exfiltration while limiting the attacker’s ability to continue their efforts. The solution can also be instrumental during polymorphic attacks since it will continue to update signatures generated over time based upon time-triggered C2 communications.

ATTIVO NETWORKS THREATDEFEND DECEPTION AND RESPONSE PLATFORM

Security industry professionals consistently recognize Attivo Networks as a leader for its innovation and leadership in deception-based information security defense. The company’s heritage and leadership reside in not only detecting but also in responding to both human and automated attackers. The company’s ThreatDefend Deception and Response Platform provides coverage for an evolving threat landscape and dynamic attack surface of user networks, data centers, cloud computing, and specialized environments like IoT, SCADA, and POS.


Offering the most flexible and comprehensive solution with support for network, device, credential-based, and Active Directory threat detection, Attivo Networks has become the detection technology provider of choice for many financial institutions based on the ThreatDefend Deception and Response Platform’s ability to address the following:

FLEXIBLE DEPLOYMENT

• Bolster endpoint defense with agentless deceptions designed to plant credential and ransomware lures

• Scale and provide operationally efficient deployments for large global networks

• Flexible deployment as an appliance, VM, or in cloud configurations, with a modular design that facilitates the seamless expansion of new functions

ACCURATE DETECTION AND SUBSTANTIATED ALERTS

• Set highly authentic and interactive traps and lures to detect threats from human (APT, insiders, 3rd-party) or automated (malware, scripts, bots) attackers

• Detect a wide variety of threat vectors, including phishing, zero-day exploits, unpatched systems, stolen credentials, end-point/BYOD, and website downloads

• Efficiently detect lateral movement, network and Active Directory reconnaissance, credential harvesting, ransomware, and Man-in-the-Middle attacks

• Detect zero-day and advanced threats with no dependency on signatures, known attack patterns, or database queries

• Deliver only high-fidelity, real-time alerts triggered by attacker detection and engagement

• Provide captured activity details to substantiate each alert, including files and network captures.

ANALYSIS AND FORENSICS


• Attack Threat Analysis engine for automating attack correlation and generating forensic reports

• Captures network, memory, and disk activity at decoy engagement, and memory forensics at the attacking endpoint for a comprehensive view of the attack

• Provides Threat Intelligence (IoCs) and helps develop adversarial intelligence (TTPs)

• Provides robust analysis tools to quickly investigate event data

• Provides a visual representation of the network and replayable attack activity for analysis

• Correlate and collate all attacker activity to a single page that provides attack source information, attack activity, all available forensic content, and vulnerable systems the attacker can move to.

INCIDENT RESPONSE

• Provide a threat intelligence dashboard for a centralized view of all alerts and actionable drill-downs for simplified incident response

• Create repeatable incident response playbooks using the ThreatOps module

• Accelerate incident response (block, quarantine, threat hunt) through 3rd-party native integrations with firewall, NAC, end-point, and SIEM vendors

NETWORK VISIBILITY AND ATTACK PATH REDUCTION

• Provide visibility into insider, contractor, supplier, and partner 3rd-party threats as they conduct scans and move laterally through networks

• Show attack time-lapsed replay for understanding attacks and strengthening defenses

• Identify and graphically show misconfigured, misused, or orphaned credentials to shut down attack path vulnerabilities

• Automated remediation

COUNTERINTELLIGENCE

• Provides the ability to plant deception files that allow the organization to track exfiltrated documents via a beaconing function. The beacon provides the externally facing IP address and geolocation of every system that opens the file thereby supplying data that can provide additional context for proactive security measures


WHAT MAKES ATTIVO DECEPTION UNIQUE?

AUTHENTICITY

Deception technology no longer relies solely on the element of surprise or assumes an attacker will accept everything they encounter as real. Against sophisticated, anticipating attackers, authenticity plays a pivotal role in attracting their attention and in avoiding their detection. The Attivo Deception and Response Platform lures attackers by projecting decoys that run real operating systems and golden images used in production. These capabilities fool attackers with customized decoy engagement servers that are indistinguishable from real systems, enticing attackers away from production assets.

Additionally, the ThreatDefend platform uses machine learning to create Adaptive Deception Campaigns. These proposed deception campaigns enable automatic credential and decoy creation and refresh based on a schedule or in response to an attack that may be underway. Additionally, decoys can be automatically set to not only rebuild but redeploy after attacker engagement to avoid fingerprinting.

AUTOMATED ATTACK ANALYSIS AND RESPONSE

Attivo Networks recognizes that detection is only the first step in incident handling and provides the tools required to respond and address the situation promptly. All alerts are evidence-based with the substantiated, actionable detail necessary to identify the infected device and understand the attacker’s actions, including gathering external IP addresses, tools, and methods when the attacker establishes C2 communications. With these actionable attack details, security analysts can now quickly and confidently quarantine a device and remediate an attack.

The ThreatDefend Platform includes an attack threat analysis (ATA) engine that provides automated attack correlation and forensic-based threat reporting for all activity that occurs in the deception environment. The ATA collects full attacker TTPs, including payload drops, registry changes, identified malware propagation methods, and SHA-1 signatures. The ATA engine tracks and records the attacker’s actions for forensic evidence reporting. The Malware Analysis Sandbox (MAS) is a dedicated binary analysis VM that examines any suspicious executables from phishing emails, potential malware, and other threats to capture lateral movement methods, observe malware behavior, and identify attacker IP addresses such as Command and Control IP addresses on the Internet. The MAS provides automated, in-depth malware analysis, removing hours that the security team would traditionally dedicate to testing suspicious binary files.

The MAS can be especially useful for security teams seeking to protect high-profile executives from targeted phishing attacks through its automated mail analysis function. Security teams can configure the MAS to accept email submissions and provide users with a simple mechanism for submitting samples for review. When incorporated as part of an annual phishing awareness training campaign, recognizing and submitting suspicious emails becomes a matter of simply clicking a button on the email client.

The element of surprise is no longer the foundation of deception.

Analysts can use the threat intelligence dashboard to drill down into specific threat detail and click-to-activate blocking and quarantine actions driven by integrated 3rd-party solutions. The platform can easily create and share attack information and details through IOC, PCAP, STIX, CSV, and other reporting formats. The platform also provides 3rd-party integration with SIEM solutions like Splunk, ArcSight, and QRadar along with integrations for popular firewalls, NAC, and endpoint software to automatically block, quarantine, and remediate infected devices. Additional integrations with solutions from CarbonBlack, ForeScout, and McAfee support threat hunting and information sharing.

COUNTERINTELLIGENCE

In addition to understanding what and how attackers conduct operations, it has become increasingly valuable to understand what information they are looking for, how they collect it, and where they take it. Attivo Networks data deceptions include a tracking mechanism to identify where a file ends up, enabling the organization to learn the geographic location of the IP address of every system that opens it. The deception platform can identify and record how attackers are stealing these documents if they attack a decoy network server that stores them. The organization can also plant specially crafted fake documents that can create doubt and seed misinformation, slowing an attacker, and increasing their costs as they now must validate the integrity of the stolen information before acting on it.

The value of this deception mechanism lies not only in tracking what attackers took but in identifying when an insider gains unauthorized access to sensitive data. The tracking mechanism works both inside and outside of the network. Organizations can dupe insiders seeking to take advantage of illicitly acquired sensitive data into accessing a tracked document, unknowingly alerting the security team who can act to prevent further unauthorized access.


SCALABILITY

The ThreatDefend platform provides highly scalable implementations for both on-premises and cloud deployments. The BOTsink engagement server connects to a trunk port, rather than in-line, for a non-disruptive installation and utilizes unused IP addresses to project decoys into the environment easily. Since the platform is also self-healing, it can automatically rebuild engagement servers after completing forensic analysis or when the attack concludes, providing easy implementation and eliminating the need for manual rebuilds or maintenance. The ThreatDefend platform has been globally deployed and is in active use amongst many Fortune 500 customers who have validated its effectiveness and ability to scale in large deployments.

STRENGTHENING ENDPOINT DEFENSE

Organizations can install ThreatStrike™ Suite’s deceptive credentials throughout the network on endpoint and server devices for credential theft detection. These deceive the attacker into believing that they are harvesting valuable user credentials, where instead the stolen credentials lead them into a deception trap within the BOTsink engagement server. ThreatStrike deceptive credential deployment and operational management are simple, as the agentless solution does not require endpoint software updates or device-level software, and is easily scalable and customizable, even for large global deployments. Deception credentials include remote access credentials (RDP/SSH/TELNET/VPN), file-server credentials (FTP/SMB/CIFS), mapped shares, application credentials (Browser-stored/Cookies/Email/SVN), and selective user data as rich and attractive targets.

Financial institutions can also use deceptive credentials to guard against attacks on SWIFT financial messaging software by creating credentials that map to decoy SWIFT servers. The financial organization can install SWIFT software onto the deception platform’s engagement servers, import an image with SWIFT software into the platform’s BOTsink solution, load the SWIFT web page front-end onto the deception engagement server’s web service, or use the included default SWIFT front-end web page template. The security team can attract attackers to the engagement servers by naming them in ways that suggest they are true SWIFT servers, not decoys. The platform monitors the decoys, providing timely alerts for any attempt to load SWIFT malware or send fraudulent SWIFT messages. The deception platform also captures message contents to identify the destination accounts used for fraud.

Endpoint-focused deception provides a way to guard against APT groups by detecting an attacker’s lateral movement early in the attack cycle. Attivo blankets the environment with deceptive credentials to engage attackers as they progress. Using any deceptive credential triggers an alert and activates forensic collection at the source, providing incident responders the situational awareness they need to prevent an incident from escalating into a business crisis.


EXTENDING THE PERIMETER

The ThreatDirect™ solution extends deception-based monitoring and detection from the BOTsink appliance for small remote offices or branch offices that require internal threat detection capabilities but lack the infrastructure or necessary security controls. The solution removes the need for local hardware or devices that local IT staff would have to maintain.

Support for cloud detection extends to AWS, Azure, VMware, and OpenStack environments, allowing organizations to deploy deception within their private, public, and hybrid data centers.

ATTACK VULNERABILITY ASSESSMENT

Financial organizations can also strengthen their predictive defense by understanding the likely attack paths an attacker would take to traverse the network. The Attivo ThreatPath solution identifies misconfigurations and exposed or orphaned credentials that an attacker can leverage to spread laterally from one system to another. Financial institutions can use this visibility into their network environment to preemptively remediate these exposed paths before an attacker can take advantage of them.

Additionally, such visibility helps to identify routes an attacker would take to target SWIFT systems. Security teams can then remediate these open paths by removing the stored SWIFT credentials or by deploying additional deception assets. The security team can then periodically re-run the assessment to identify new exposures needing remediation.

STREAMLINE INCIDENT RESPONSE

To streamline incident response, financial institutions can deploy the Attivo ThreatOps™ solution to build automated response playbooks. The ThreatDefend platform integrates with a broad range of 3rd-party security solutions, allowing automated and repeatable incident handling processes.

With integrated solutions that enable network quarantine, network access control, endpoint isolation, or threat hunting, the playbooks can automate an incident response action from start to finish. Additionally, because the ThreatDefend Platform includes a comprehensive API, security teams can access functions from their existing tools so they can react more rapidly to critical incidents. This capability also makes it easier for less skilled staff to leverage a playbook to respond to an incident quickly, helping bridge gaps in manning and experience.

COMPLIANCE AND RED TEAM TESTING

Regulations require financial institutions to prove that they meet compliance standards and that their security controls are working reliably. Deception can play a vital role in this process by validating network resiliency with early attack detection and by tracking a Red Team’s movement during their testing. Attivo Networks has an exceptional track record of catching testers, with examples of teams unknowingly being monitored by the deception environment for periods ranging from hours to weeks. In addition to slowing the “attacker,” the platform acquired and recorded detailed intelligence on their attack. Similar to what would occur in a real attack, the attacker’s progression would have stalled, increasing their time commitment and costs as they were forced to start over or move on to a less secure target.

CONCLUSION

Today’s financial institutions require an advanced, adaptive defense with real-time visibility and in-network threat detection to protect critical data proactively from exfiltration or unauthorized access. The ThreatDefend™ Deception and Response Platform provides financial organizations a comprehensive, flexible, and scalable solution to promptly detect and respond to threats that have bypassed other security controls and infiltrated the network. Deception plays a critical role in enabling an active defense with early threat detection, high-fidelity alerts, automated attack and vulnerability assessments, attack forensic analysis, and other capabilities that significantly accelerate incident response.

With the Attivo Networks ThreatDefend solution, organizations can equip their security teams with powerful detection tools designed for the volatile and evolving nature of cybersecurity threats. Moreover, the detailed attack forensics and automated integrations included in the platform not only simplify incident response but also provide on-demand, in-depth attack reporting for compliance, pen testing, or other investigative reporting requirements.

For more information about Attivo Networks deception solutions, visit https://attivonetworks.com/solutions/financial/

ABOUT ATTIVO NETWORKS®

Attivo Networks®, the leader in deception technology, provides an active defense for early detection, forensics, and automated incident response to in-network attacks. The Attivo ThreatDefend Deception Platform offers comprehensive and accurate threat detection for user networks, data centers, clouds, and a wide variety of specialized attack surfaces. A deception fabric of network, endpoint, application, and data deceptions efficiently misdirects and reveals attacks from all threat vectors. Advanced machine-learning simplifies deployment and operations for organizations of all sizes. Automated attack analysis, forensics, actionable alerts, and native integrations accelerate and streamline incident response. The company has won over 85 awards for its technology innovation and leadership. www.attivonetworks.com