High-interaction Decoys and Deception Techniques Misdirect and Automate Quarantine of Attackers
Jeddah: Attivo Networks®, the award-winning leader in deception for cybersecurity defense, challenged not only healthcare but all industries to take immediate steps in the wake of Friday’s global ransomware attacks. “The recent massive cyberattack manifested a significant change in the cyber realm. It was indicative of cybercriminals crossing the lines of ethical boundaries at the expense of public safety,” says Ray Kafity, Vice President, Middle East, Turkey & Africa at Attivo Networks.
The WannaCry ransomware hit globally and has been referred to as a weapon of mass destruction because of its ability to spread like wildfire once it has gained access to unpatched computers. The impact has been significant, affecting financial, energy, transportation, and government organizations as well as hospitals. In Britain, attacks not only blocked doctors’ access to patient files but also forced emergency rooms to divert people seeking urgent care.
The malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was supposedly identified by the National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.
“There are solutions in the marketplace today that can isolate ransomware immediately upon an attacker’s attempted access to networked drives or their in-network lateral movement,” added Kafity. “It is noted that Attivo’s high-interaction deception techniques have been Attivo Labs tested to slow down the encryption process by 25x. This slows down the WannaCry ransomware and provides incident response teams valuable time to respond and isolate the attacks either manually or automatically through third-party integrations.”
The Attivo Networks solution for ransomware starts by providing a “motion sensor” that alerts the organization when an attacker tries to encrypt the decoy drive or exploit a Windows SMB vulnerability. The decoy drives are set up as networked drives and designed with high-interaction technology and lures to attract the attacker to engage with the deception asset instead of production drives. What makes this solution unique is its ability to slow down and block the ransomware by tricking the attacker into believing it is succeeding, while in reality the attacker’s attention is occupied by the engagement technology. Capturing the attention of the ransomware gives security organizations the much-needed time-to-respond advantage to quarantine the infected system from the network and prevent further infections. Third-party integrations with current security infrastructure can also be set up for automated quarantine and isolation of an infected system. This time-to-respond advantage can make the critical difference between the loss of a single system and a widespread outage.
Another important differentiator of this technology is that the solution does not depend upon signatures, so the decoys remain accurate and effective regardless of the ransomware variant (WannaCry, WannaCrypt0r, WannaCrypt, WCry, Wana Decrypt0r, or other ransomware strains). Technology based on signatures or pattern matching can often miss new strains of ransomware, and its alerts are often lost as apparently benign entries buried in streams of log data.
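To make the decoy-drive “motion sensor” and the signature-independence point above concrete, here is an added example (illustrative code written for this page, not Attivo’s product or code): lure files are seeded on a share, a content baseline is recorded, and any lure that is rewritten with high-entropy (encrypted-looking) content, otherwise modified, deleted, or joined by an unexpected new file raises an alert that a responder or a quarantine integration could act on. The lure names and contents, the simulated damage, and the 7.0-bit entropy threshold are constructed assumptions.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Constructed lure files for the decoy share (hypothetical names and contents).
LURES = {
    "Q3_budget.xlsx": b"Department,Q3 spend\nFinance,120000\nOps,98000\n",
    "passwords_old.docx": b"Old shared-account list (retired 2016)\n",
}
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted content approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def seed_decoy_share(root: Path, lures: dict) -> dict:
    """Write the lure files and return a baseline {name: sha256}."""
    baseline = {}
    for name, content in lures.items():
        (root / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline

def check_decoy_share(root: Path, baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Alert on lures that are missing, rewritten with high-entropy (encrypted-looking)
    content, or otherwise modified, and on unexpected new files such as a ransom note."""
    alerts = []
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name, digest in baseline.items():
        if name not in present:
            alerts.append(f"missing:{name}")
            continue
        data = (root / name).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            kind = "encrypted" if shannon_entropy(data) >= entropy_threshold else "modified"
            alerts.append(f"{kind}:{name}")
    alerts.extend(f"unexpected:{name}" for name in sorted(present - baseline.keys()))
    return alerts

def demo() -> list:
    """Seed a temporary decoy share, simulate ransomware damage, return the alerts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = seed_decoy_share(root, LURES)
        clean = check_decoy_share(root, baseline)  # untouched share: no alerts
        # Constructed stand-in for ciphertext: each byte value equally often (8.0 bits).
        (root / "Q3_budget.xlsx").write_bytes(bytes(range(256)) * 16)
        (root / "README_DECRYPT.txt").write_bytes(b"your files are encrypted\n")
        return clean + check_decoy_share(root, baseline)
```

Because the check compares the decoy’s own state against its baseline rather than matching a known pattern, it reports the same events for any strain that touches the share.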
“Ransomware attacks can be highly damaging, but this can be avoided if the right early detection tools are deployed,” Kafity concludes. “Regardless of the threat vector of an attack, organizations using deception technology are efficiently alerted to in-network breaches and are provided the tools for accelerated cyber incident response. Moreover, upon breach, deception technology automates the containment of the infected system.”
The Attivo advanced ransomware detection solution, which added high-interaction engagement techniques, was announced as part of its 4.0 release and was made generally available in April 2017. For more information, please see our blog and solutions.
About Attivo Networks:
Attivo Networks® is the leader in deception technology for real-time detection, analysis, and accelerated response to advanced, credential, insider, and ransomware cyber-attacks. The Attivo Deception and Response Platform accurately detects advanced in-network threats and provides scalable continuous threat management for user networks, data centers, cloud, IoT, ICS-SCADA, and POS environments. Attivo Camouflage dynamic deception techniques and decoys set high-interaction traps to efficiently lure attackers into revealing themselves. Advanced attack analysis and lateral movement tracking are auto-correlated for evidence-based alerts, forensic reporting, and automatic blocking and quarantine of attacks.