Traditional cyberdefences still have their part to play in the battle against cybercriminals but as their techniques become ever more sophisticated an increasing number of organisations are putting their trust into Deception Technology. The Ministry of Energy, Industry and Mineral Resources in Saudi Arabia is leveraging Attivo’s ThreatDefend Deception and Response Platform to ensure early detection of threats and flush out the bad actors.
With breaches continuing to hit organisations at unprecedented levels new approaches to uphold cybersecurity are heavily in demand. Traditional prevention-based security solutions are no longer seen as the only weapons enterprises can arm themselves with.
For instance, more organisations are putting their faith in Deception Technology which set a series of traps that force the attacker to reveal their identity, stopping them dead in their tracks. One such deception technique solution is Attivo’s ThreatDefend Deception and Response Platform which is being leveraged by the Ministry of Energy, Industry and Mineral Resources in Saudi Arabia.
The sector has been heavily hit by cybercriminals intent on exploiting its wealth by any means possible but platforms such as ThreatDefend are being utilised to up the game against the bad actors.
The platform is recognised for its comprehensive network and endpoint-based deception, which turns user networks, data centres, cloud, remote offices and even specialty environments such as IOT, ICS-SCADA, point-of-sale, telecom and network infrastructure systems into traps and a ‘hall of mirrors’ environment that will confuse, misdirect and lead the attackers to reveal their identity.
The solution is designed for continuous threat management, which starts with deception-based detection of in-network threats and adds in automated attack analysis, forensic reporting and third-party integrations (Firewall, NAC, end-point, SIEM) to accelerate incident response (block, quarantine, threat hunt).
Visibility tools empower organisations to proactively strengthen overall security defences by showing exposed attack paths and attacker movement in a time-lapsed replay.
The platform comprises Attivo BOTsink engagement servers, decoys, deceptions, the Multi-Correlation Detection Engine (MCDE), the ThreatStrike end-point deception suite, the Attivo Central Manager (ACM), ThreatPath and ThreatOps.
Together, the product suite creates a comprehensive early detection and continuous threat management defence against advanced threat actors. Intelligent CIO spoke to both the vendor and end-user to find out exactly how the platform is being leveraged.
Here we speak to Ray Kafity, Vice President, META, Attivo Networks, to find out more about his company’s solution.
What verticals are able to use the platform?
The solution is the Attivo ThreatDefend Detection and Response Platform. All companies and organisations across the Middle East, Turkey and Africa can use it so it spans financial services, ministries, governments, oil and gas, all across the board.
The solution we offer is basically an inside-of-the-network threat detection and response so for those various verticals it lays out a deception network to lure the attacker. If there is somebody lurking inside the network who shouldn’t be there then the deception will automatically alert and lure the activity to a safe haven, not the actual network itself.
Can you explain how deception fools the cybercriminal?
The way we have done it is we’ve taken human behaviour, we have understood what the attacker does usually and what is the purpose of compromising and penetrating networks all across the world. We understood the motives of why hackers do it and we also understood what they do in a typical network to reach their objective.
We can plant many different decoy servers or decoy assets to mimic the customers environment providing what appears to be authentic assets to the attacker. The beauty of those decoy assets, is that the attacker does not distinguish it from the real server because we use their gold images if they wish, which is why it is so authentic and hence effective. A properly designed deceptive environment will quickly shrink adversary dwell time and potentially help mitigate the impact of a breach.
We can plant many different decoy servers or decoy assets to mimic the customers environment providing what appears to be authentic assets to the attacker. The beauty of those decoy assets, is that the attacker does not distinguish it from the real server because we use their gold images if they wish, which is why it is so authentic and hence effective. A properly designed deceptive environment will quickly shrink adversary dwell time and potentially help mitigate the impact of a breach.
We use machine learning to learn the topology of the network and the types of operating systems and then we build decoy servers that are almost identical to the one next to it (the real one), so the attacker does not think that he has fallen into a trap.
We plant our servers in unpublished IP addresses – as soon as the attacker does lateral movement in an unpublished IP they are guilty by association because there is no need for anybody to come and touch it.
Therefore, once they do this they are actually captured because this IP address is mapped all the way up to the Attivo appliance which sits inside the network. That is how we capture the attacker inside our network and we now take over dealing with him but he doesn’t know that. We are watching all his moves and recording it in a forensic file.
What are the main benefits the ministry can get from the ThreatDefend Platform?
Dynamic, real-time threat detection and accelerated and orchestrated incident response. The emphasis is on early detection and also accelerated and orchestrated response with the whole eco-system that the company or organisation has.
Here we speak to Wahid S. Hammami, Information Technology Consultant and CIO at Ministry of Energy, Industry and Mineral Resources.
What are the main security considerations in the region right now?
The biggest threat posed by cybercriminals in the region today is their ability to remain undetected in the network for months, once they have bypassed perimeter defences. Closing this detection gap is critical for defending against an attack. The reality is that any organisation can be a target of information theft and ransomware attacks.
In Saudi Arabia, financial institutions, governments and the energy sector are especially targeted due to their wealth of official information and personal data. Often, the attacks are extremely sophisticated and specifically targeted to increase the chances of success.
Organisations in these industries need to invest in solutions that efficiently detect and respond to advanced attackers that breach their traditional security controls. Moreover, we in the Ministry of Energy, Industry and Mineral Resources are one of the highest targeted agencies in the kingdom, due to multiple factors such as government data, energy, and minerals etc.
How are you aiming to overcome these cybersecurity arrangements?
Our aim is to detect attacks at an early stage to break the cycle and implement an effective actionable response. New technologies like deception-based threat detection are one of the techniques and investments we adopted to close the security gap and strengthen our overall defences.
We chose the Attivo Networks ThreatDefend solution because it easily aligns with our business processes and other security controls to equip the ministry with post-breach early threat detection, accelerated cyber incident response and vulnerability visibility for attack prevention, thereby providing an additional and essential line of defence.
Is there one security threat you are particularly concerned about?
We are particularly concerned about targeted attacks, which are growing more sophisticated and numerous with every passing day. The energy sector is among the top five most targeted industries globally, and many organisations in this sector fear disruptive attacks regardless of whether they originate internally or externally.
Deception Technology has been critical for mitigating the risks associated with these targeted attacks and has provided early and accurate detection so that we can promptly remediate in-network threats.
Click below to share this article