Carolyn Crandall, Attivo Networks: "it only takes one stolen identity or set of credentials to compromise an entire enterprise"
The current remote work trend has opened up new opportunities for cybercriminals to attack enterprises of all sizes. And stealing a single credential can open doors to the entire business network.
Even though professional antivirus solutions can catch malicious programs, it’s much harder to identify an attacker who’s logged into the system with stolen credentials.
We’ve talked with Carolyn Crandall, the Chief Security Advocate at Attivo Networks, to learn more about identity detection and response solutions that can help companies improve their cybersecurity posture.
How did Attivo Networks go from an idea to a business?
Attivo Networks was founded on the premise that even the best cybersecurity solutions and strategies cannot prevent all attackers from entering an enterprise’s network. The company’s mission is to help organizations proactively identify vulnerabilities that attackers will use to break out from an initially compromised system and move laterally through a network to conduct their attack.
The company was also determined to address the alert fatigue that defenders faced as they tried to respond to a growing variety of threats. To achieve its mission, the company designed cyber deception technology that worked by setting high-interaction traps and lures for attackers. Although honeypots had been around before Attivo, the company’s design removed the scalability and operational challenges, which allowed it to be effective for enterprise-class deployments.
As Attivo became an expert in detecting lateral movement activities, the portfolio was enhanced to include protection against identity-based attacks. This expanded the company’s focus to include the protection of credentials, privileges, and infrastructure systems (Active Directory) that manage them. The continued velocity and destructiveness of ransomware have fuelled the company’s growth, and the need for its identity threat detection and response (ITDR) solutions, which are consistently deployed alongside endpoint protection solutions. The explosion of remote and hybrid workforces has also driven cloud adoption and expanded the attack surface for cybercriminals.
This has created an additional opportunity for Attivo to add end-to-end identity visibility tools that prevent privilege escalation by identifying exposures at the endpoint, within Active Directory, and for cloud: Cloud Infrastructure Entitlement Management (CIEM) and Cloud Security Posture Management (CSPM).
You take great pride in your Cyber Deception Technology. What are its advantages over other security solutions?
We’ve been the global leader in the cybersecurity deception space, and in the past decade, it’s taken off enormously. A strong cybersecurity posture requires the ability to detect privilege escalation and lateral movement. Driven by the efficacy of decoys and concealment technology, cyber deception has rapidly become an integral part of any strong security posture and a foundational element of Zero Trust architectures.
Today’s cyber deception technologies offer in-network defenses and lateral movement visibility often missing from other security solutions. They focus on:
- In-network detection
- Closing visibility gaps
- Concealing sensitive and critical information
- Denying access
- Misdirecting attackers away from production assets
Innovations in concealment technologies hide and deny access to credentials, sensitive or critical information files, folders, and data locally and on Active Directory, while deflection technologies efficiently derail attacker discovery, lateral movement, privilege escalation, and collection activities early in the attack cycle.
Additionally, lures and decoy environments enable defenders to gather unprecedented levels of adversary intelligence. This is because adversaries who do not realize they are in a deceptive environment will attempt to continue their attacks and reveal their attack paths and tactics.
With this capability, cyber deception technologies provide defenders with critical insights that they can use to improve their security posture against current and future attacks.
Cyber deception has proven to be an elegant and accurate way to detect lateral movement activities. Unlike traditional systems that rely on known attack data, Attivo’s solutions build a defense based on attacker techniques and use various forms of trickery to stop them.
What are your thoughts on identity-first security being named one of the top security trends of 2021? Do you think it’s going to stay this way throughout the upcoming years?
Its place as a top trend is well-earned, and it shows no signs of diminishing. This year, a significant number of the most impactful cyberattacks resulted from credential theft, Active Directory (AD) vulnerabilities, cloud misconfigurations, and other identity-based weaknesses. Attackers have found success with identity-based ransomware attacks and will continue until enterprises adopt stronger defenses that monitor, mitigate, and derail them.
With today’s distributed workforce and the explosion of unmanaged devices, enterprises need to step back and assess their identity security capabilities, including any gaps in coverage that attackers could potentially exploit. These gaps may include a lack of visibility into credentials stored on endpoints, AD misconfigurations, and cloud entitlement creep.
Identity security will continue to be an area of focus as attackers find new and innovative ways to exploit these vulnerabilities. In fact, it will likely become even more critical as human and non-human identities proliferate beyond users and into the data of devices, applications, servers, and other identities.
What’s the worst that can happen when someone’s identity is stolen?
It only takes one stolen identity or set of credentials to compromise an entire enterprise. Once attackers have a single foothold, they can use that entry point to elevate their privileges and move laterally throughout the enterprise network.
In short, someone’s identity or credentials getting compromised is one of the worst things that can happen to a company. It is harder to detect an attacker using stolen credentials because the system sees it as an authorized user if those credentials are valid.
This is part of what makes deception so critical – it allows defenders to identify suspicious behavior, even if that behavior comes from a seemingly valid user identity.
It’s stated on your website that 60% of today’s attacks involve lateral movement. What are the risks associated with it?
Attackers are consistently getting past traditional perimeter defenses and entering the network, escalating their privileges, and moving laterally within the network to get the information they need. Firewalls and other perimeter defenses just aren’t enough to stop them anymore. Identity has become the new perimeter to defend. Unfortunately, traditional defenses are not designed to detect identity-based attacks.
Once an attacker has a beachhead on an internal system, they’ll conduct discovery and reconnaissance, looking to steal and reuse credentials to escalate their privileges. Typically, once an attacker is inside the network, they’ll move laterally and go straight for AD because compromising it can grant them the keys to the kingdom.
Implementing lateral movement defenses will impede their ability to traverse the network undetected. It will quickly alert on any credential theft and privilege escalation activities so that the organization can react early in the attack cycle.
You often stress the importance of Active Directory protection. Could you briefly explain what it is and how companies can keep it in check?
Part of what makes credential-based attacks so insidious is that they bypass traditional perimeter protections by entering the network directly with valid credentials. A vast majority of enterprises use AD to manage and protect identities, credentials, and privileges in the network.
Active Directory is an essential element of an enterprise’s network infrastructure, but it is intrinsically insecure and notoriously difficult to protect. Attackers are well aware of its weaknesses and diligently target AD to increase their privileges and escalate their attacks, such as mass data encryption for ransom.
Analysts cite Active Directory exposures as the top reason ransomware attacks continue to be successful. Business leaders and IT decision-makers cannot afford to let visibility and organizational divides leave exposures unaddressed and open for attack.
Have you noticed any new cyber threats arise as a result of the pandemic?
The most prominent cyber threats resulting from the pandemic are those related to the ongoing remote and hybrid work environment. During the pandemic, attackers took advantage of remote workers and the use of unmanaged computer systems. Many are still waiting for these devices to reconnect to corporate networks as individuals return to the office.
To reduce risk, defenders should properly patch systems and do the following to make sure they are only running authorized software:
- Get continuous visibility to exposed credentials on endpoints. Look for exposed admin accounts, duplicate credentials, and dangerous delegations such as shadow admin accounts. These credentials can create attack paths for attackers to advance their attacks.
- Protect Active Directory by adding data concealment technology. It prevents an attacker from seeing production AD objects during discovery activities. Security teams can also gather attack details by returning fake information to unauthorized queries. This misinforms the attacker and steers their path to an engagement server for observation.
- Obfuscate real credentials by adding deceptive lures among employee credentials. Attempted use will breadcrumb the attacker to an engagement server and raise an immediate alert.
- Deny access to attackers by binding applications to credential stores. This can be a powerful way of preventing attackers from misusing credentials.
- Protect real data from attacker view and access. Hide files, folders, and mapped network or cloud shares from attackers, so that it would be impossible to see, encrypt, or delete the data.
More enterprises have recently moved their workload to the cloud as a way to upgrade security. However, it’s still not a bulletproof solution. In your opinion, what are the most concerning vulnerabilities of the cloud?
The public cloud provides access to applications, databases, data stores, and other identities, and as such, it requires a more robust approach to security. In fact, a recent report from Gartner found that 75% of cloud security failures would result from inadequate management of identities, access, and privileges. The most concerning vulnerabilities of the cloud include:
- The Volume of Identities. Organizations used to dealing with hundreds of identities are now dealing with thousands or more. This makes it challenging to track access and accountability.
- Privileged Access. The static and longstanding access that traditional IAM tools and techniques grant increases the overall risk.
- Excessive Access. Some organizations sync AD identities with the cloud. This means an endpoint exposure can quickly become a cloud breach. There is also vast overprovisioning of entitlements in both AWS and Azure environments. In these environments, over 90% of users use less than 5% of the entitlements they are given.
- Limited Visibility. Multi-cloud environments, each with its own user interface, can exacerbate visibility into the entire cloud environment, making it difficult to assess risk.
Share with us, what’s next for Attivo Networks?
On March 15, 2022, SentinelOne announced its intent to acquire Attivo Networks for its identity security and deception technology. The company plans to integrate Attivo solutions into its Singularity XDR platform, becoming the first XDR provider to natively include identity security for endpoints, identity infrastructure (Active Directory), and cloud environments. We are excited to join SentinelOne and believe that this creates a tremendous opportunity for our companies, customers, and partners.