Not having the means to detect and stop advanced persistent threats (APTs) from nation-state attackers and sophisticated cyber criminals has been one of the most serious issues facing business leaders and the cyber community. I spent many years working at Check Point. A few years ago, I was tapped by Team8 to address this issue. After months of brainstorming and research, we came to the conclusion that an entirely new methodology was needed. If you’re reacting to the attacker, who constantly updates his mechanisms and attack tools, you’ll always be a few steps behind. Furthermore, using legitimate credentials, these attackers often evade detection through traditional means. So we asked ourselves, is there a paradigm where we could put the attacker in a reactive position? That is the premise on which our deception technology is based.
Put simply, what exactly is deception technology?
The power of the illusive product is really activated only after the attacker has penetrated the network. Once they are in and moving laterally, that’s when we come into play. To answer your question, one must first understand the nature of a targeted attack. Let’s say a bank is being attacked via a phishing campaign. An employee has downloaded a malicious PDF and the attacker is now inside the network. The attacker has a well-defined objective to get to a specific set of data or systems. He’s situated on an endpoint, but he’s not sure where his target is, or how to get to it. Imagine trying to find your way in a dark house you’ve never been in before, with only a small flashlight, looking around to see what you can exploit, assessing where the valuables are and how to reach them. This is very complex and can take an attacker several months to figure out. Naturally, this process involves a significant amount of trial and error. Our deceptions magnify this challenge for the attacker. We infuse the environment with fake information alongside the real information to alter the attacker’s view of reality. For instance, if an attacker lands on an endpoint that provides access to see three real corporate shares, the attacker might see 10. Once an attacker acts upon a deception, an alert is triggered, and illusive starts collecting granular source-based forensic data.
How do you set out a deception that is both easy to deploy and relevant to the attacker, with a completely agentless solution?
At the heart of our solution is our artificial intelligence-driven Deception Management System (DMS). It analyzes the environment and suggests the deceptions that are needed, which are installed without an agent, and with very little human management effort. Once operational, the DMS continuously monitors the network and auto-adjusts to changes in the corporate environment, and to attacker behavior. It’s critical that deceptions appear authentic to the attacker so they can’t distinguish between what’s real and what’s fake. With the Attacker View and forensic features of our product, the analyst can see the attacker’s moves in real-time. Each decision the attacker makes gives us more information about their intent and tactics, which is further used to mislead and trap them. As our customers include leading global organizations. Because our solution is agentless, it does not put an extra burden on the IT organization, and we’ve been careful in our design to build a product that is transparent to the end-user.
Who is your typical client?
We have dozens of leading companies around the world as our clients. Our technology is deployed across multiple sectors, from healthcare and insurance providers to telecommunications companies, though we have a primary focus on financial institutions. We’ve had a lot of success with big banks, and invest in creating unique solutions, such as Wire Transfer Guard, to help with their specific challenges.
How do you handle false positives?
One of the major benefits of our technology is that you can always trust our alerts. Our system never generates a false positive, only real alerts, which are sent straight to the incident response team. This was one of the most important features when we designed our system because false positives waste resources and can cause significant damage. You might miss real alerts if you have so many false positives, or spend hours analyzing something that looks significant but probably isn’t. This was an issue in some of the most recent publicly exposed security breaches; in the flood of false positives, the real, important alerts never got the attention they deserved.
How do you catch attackers in real-time?
The first stage is to set up deceptions to enable detection. Once operational, illusive can tell if there’s an attacker inside the network. Once caught, we don’t just say ‘you have an attacker’. We grab forensic data from the systems to tell you which processes are running, what network connections their using, and a lot of other detail. We give analysts the ability to then monitor their movement and tactics. Illusive knows how far the attacker is from critical assets. With all of this information, responders can determine the most advantageous time to act—before the attacker gets to the crown jewels. There is an art of deception. By understanding attacker behavior we can create relevant deceptions to lure the attackers – and codify it into an automated solution that puts control back in the hands of our customers.
