Defending against insider threats is one of the biggest challenges an organization can face, and the COVID-19 pandemic has only made detection more challenging as remote employees continue to use virtual private networks (VPNs) to access sensitive company files and information.
Regardless of whether an attacker is a disgruntled or financially-motivated employee, contractor, or supplier, or an external actor using compromised credentials, security teams can use deception technology to detect unauthorized network scans, credential theft and reuse, or attempts to access and steal data. They do this by expertly planting deceptions – like deception servers, file shares, credentials, documents with beaconing capabilities, files, databases, and other decoy elements – to quickly detect policy violations or malicious activity from insider threats.
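The credential-lure and breadcrumb use case described above can be reduced to a small piece of detection logic: plant accounts that have no production purpose, leave them where an attacker doing discovery would find them, and treat any authentication attempt against them as a confirmed alert. The script below is an added example, not code from the article or from Attivo Networks; the decoy account names, host names, IP addresses and the sshd-style log lines are all constructed for illustration, and the assumption that no legitimate process ever uses these accounts is what makes every hit a true positive.

```python
"""Honeytoken credential detection: plant decoy accounts, alert on any use.

Added example (not code from the article or from Attivo Networks). Account
names, host names, addresses and the log format are constructed; the log
lines mirror OpenSSH syslog output but are not captured from a real system.
"""
import re
from dataclasses import dataclass

# Decoy accounts planted as breadcrumbs. Assumption: nothing in production
# ever authenticates with these names, so any attempt is unauthorized.
DECOY_ACCOUNTS = {
    "svc_backup_ro": "B4ckup!2021",
    "sqladmin_dr": "Dr-S1te-Adm1n",
    "jenkins_deploy": "d3pl0y#Key",
}

# sshd-style auth lines (constructed format). OpenSSH prefixes failed logins
# for non-existent accounts with "invalid user", so both forms are accepted.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    outcome: str
    severity: str


def breadcrumb_config(decoys=DECOY_ACCOUNTS) -> str:
    """Render the decoys as a plausible config fragment to drop on an endpoint.
    This is the breadcrumb an attacker harvesting local files would pick up."""
    lines = ["[backup]", "host = fs01.corp.example", "# legacy credentials, do not remove"]
    for user, pw in decoys.items():
        lines.append(f"user = {user}")
        lines.append(f"pass = {pw}")
    return "\n".join(lines) + "\n"


def detect_decoy_use(log_lines, decoys=DECOY_ACCOUNTS):
    """Return one Alert per authentication attempt against a decoy account.

    A failed attempt already proves the account name was read from the
    breadcrumb; a successful one proves the planted password was lifted too,
    so it is rated higher. Attempts against real accounts are ignored here
    because they need a behavioural baseline that decoys do not."""
    alerts = []
    for line in log_lines:
        m = AUTH_RE.match(line)
        if not m or m["user"] not in decoys:
            continue
        severity = "high" if m["outcome"] == "Accepted" else "medium"
        alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], m["outcome"], severity))
    return alerts


def suspicious_sources(alerts):
    """Group decoy hits by source address so responders know which host to isolate."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.user)
    return by_src


# Constructed sample log: one workstation (10.0.5.23) tries a breadcrumbed
# account on a real file server, then logs into a decoy database host.
SAMPLE_LOG = [
    "Jan 12 03:14:07 fs01 sshd[2211]: Accepted password for alice from 10.0.5.10 port 50122 ssh2",
    "Jan 12 03:14:09 fs01 sshd[2215]: Failed password for invalid user svc_backup_ro from 10.0.5.23 port 51422 ssh2",
    "Jan 12 03:14:12 decoy-db1 sshd[411]: Accepted password for sqladmin_dr from 10.0.5.23 port 51430 ssh2",
    "Jan 12 03:15:00 fs01 sshd[2230]: Failed password for bob from 10.0.5.11 port 50200 ssh2",
    "Jan 12 03:15:02 fs01 cron[1000]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in detect_decoy_use(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.ts} {alert.host}: {alert.outcome} login "
              f"as decoy {alert.user} from {alert.src}")
    print("isolate:", suspicious_sources(detect_decoy_use(SAMPLE_LOG)))
```

The point worth noting is that the detector needs no baseline and no user-behaviour model: the failed login from 10.0.5.23 is alerted on with the same confidence as the successful one, because the only way to know the account name is to have read the breadcrumb. In a real deployment the same logic would be fed from the SIEM or the decoy host's own auth log rather than an inline list.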
Here, Carolyn Crandall, Chief Deception Officer at Attivo Networks, discusses how security teams can use deception technology to detect and prevent insider threat attacks.
Security magazine: What is your title and background? What are your responsibilities as Chief Deception Officer?
Crandall: I am the Chief Deception Officer and CMO for Attivo Networks. I have been in the high-tech industry for over 30 years. I entered the technology world straight out of college and have stayed in it since. By nature, I am curious and love to evangelize disruptive technologies. The rate of new innovation that comes out of Silicon Valley has afforded me the opportunity to work for some exceptional companies that have delivered groundbreaking technology that has shaped the world we live in.
Chief Deception Officer is a unique title and serves as an excellent icebreaker and conversation starter. Attivo, the company I work for, delivers deception and denial technologies that are founded on the premise of manipulating one’s actions and steering their path in the direction you want them to go. In the realm of cybersecurity, it works to hide production systems either amongst decoys or altogether from the view of an attacker. Under this title, I am able to educate and evangelize the merits of cyber deception by speaking at events, authoring books, writing articles, and contributing to videos, podcasts, and webinars. Under my CMO title, I manage the typical functions associated with managing a marketing and product marketing team. These include product and brand positioning, awareness, demand generation, and partner programs.
Security magazine: How has the COVID-19 pandemic added to these challenges in detecting and preventing insider threat attacks?
Crandall: The lack of visibility and limitations of detection controls are two of the biggest challenges related to insider threat detection. The insider threat challenge, including island hopping where the attacks come in through suppliers, creates material risks for an organization. The situation is compounded with COVID-19 in that any sense of a perimeter has been virtually obliterated, and permissions have been extended in ways that they were not allowed before. The risks have also increased with the lack of visibility into devices being connected, the security related to home networks, and the visibility into system hygiene. Security teams are also challenged to detect VPN-based attacks as well as misused cloud or SaaS credentials early and accurately. Combined, these create opportunistic inroads for attackers to enter corporate networks or gain access to critical data.
Security magazine: What are some recent examples of insider threat incidents?
Crandall: Insider threat incidents will typically fall into three main categories and two classes. There are insiders, contractors, and suppliers and there are intentional and accidental threat classes.
Employees, contractors, and suppliers will all have access to data with varying levels of privileges. Some attackers will target contractors with lower security standards as a way to gain access, others may try to bribe employees, and some – those that are employees – may act out for personal financial gains or vengeance. Detecting these threats early can be challenging as many policy violations are hard to see or may go undetected as baselines have changed with the pandemic, given the dramatic shifts related to remote working. Detecting the loss of data can be quite challenging as many data loss prevention tracking systems will only activate later in the attack cycle. By then, it may be too late with the data already being exfiltrated.
Accidental insider exposure can also be a significant issue. Employee misconfigurations, the use of unauthorized devices or software, or accidentally orphaned admin credentials can also create unintentional consequences. Employees may also be downloading confidential data onto their home systems, which may lack adequate security, creating opportunities for attackers to access valuable information. As organizations push more data to the cloud to make it accessible to remote workers, improperly configuring access permissions can also result in accidental leaks.
Security magazine: How can security teams use deception technology to detect unauthorized network scans, credential theft and reuse, or attempts to access and steal data?
Crandall: Understanding the tactics and techniques of an attacker provides an excellent framework for where deception and denial technologies add value. The general assumption is that the initial system has been compromised and that security teams need visibility and early detection of discovery, lateral movement, privilege escalation, and data collection activities. Here is how deception comes into play based upon some primary use cases.
Attacks on Active Directory (AD) and privilege escalation: AD is a prime target for attackers because it is the system that companies use to authenticate and authorize all users and computers in a Windows network. If taken over, an attacker has visibility into the structure and privileges within the network and can gain control to assign and revise security policies. Deception plays a role in detecting attackers by creating decoy AD environments that will alert on engagement. More advanced concealment and denial technologies can go so far as to hide real AD objects from an attacker’s view, intercept unauthorized queries, and return fake data designed to divert an attacker into decoys. The alert is at the point of observation, providing defenders valuable time to respond to the infected systems, gain the upper hand and control the path of the attacker, unbeknownst to them.
Attacks for Ransomware: Likely the deadliest threat to most organizations, ransomware attacks are getting more sophisticated and costly. Organizations can leverage deception to set up fake drives to trick an attacker into engaging and revealing their presence. Some will actively engage the attacker by feeding them fake data to occupy them and stall their efforts. The latest innovations in concealment and denial will completely stump attackers as real files, folders, shares, mapped network and cloud shares, as well as removable drives get hidden from the attacker’s ability to see them. The technology will also deny access to data by not allowing an attacker to delete, steal, or encrypt the information. This new form of attack prevention may be one of the single most powerful tools for stopping attackers dead in their tracks.
Lateral movement: Infecting one system is unlikely to result in a major compromise. Being able to move laterally and escalate privileges is where the larger damages and payouts will occur. To break out from an endpoint, attackers need to find more files to infect, credentials to steal, or vulnerabilities to exploit. Deception technology is very powerful for disrupting an attacker’s reconnaissance efforts with decoys and misdirections. Credential lures and artifact bait can also be placed as a way to lure the attacker into stealing fake information by giving them breadcrumbs that lead into a decoy for alerting and observation. Notably, these types of attacks will evade EDR systems, and it has been proven that, by adding deception to EDR environments, detection performance will boost by an average of 42%. Modern deception will also detect port scans that touch a closed port, forward it to a decoy, present what appears to be vulnerable access, and return a substantiated alert. Defenders can also redirect outbound traffic to decoys and automatically isolate the infected system for prompt remediation.
Cloud-based attacks: Traditional security controls are not as effective or comprehensive in cloud environments. Deception is designed to extend comprehensive detection controls to the cloud with a twist. Deception can provide additional coverage for cloud-centric security, including containers, serverless functions, and databases, as well as cloud and SaaS credentials.
Security magazine: What are some other tools that may aid security teams in preventing malicious activity from insider threats?
Crandall: Security teams can also track employee behavior to detect unauthorized activity. This can be complicated as it can result in a high number of false positives, especially when major work patterns have shifted. The significant shift in remote workers is one example where baselines were essentially obliterated, and behavior trends needed to be revised or rebuilt. There has also been some debate about infringement on personal rights regarding how closely an employer can and should track every aspect of employee behavior. Deception wins in this case as it will only alert on unauthorized access, which is every access attempt since deception doesn’t have any production value to employees. It also can capture policy violations that could easily be missed by other solutions. Deception has also provided substantiated proof that it reduces investigation time by many hours.
Decoy documents can be another useful tool for capturing the intent of an attacker. This provides an alert when the document is opened inside the company and sends a geolocation notice if opened outside the office.
Security magazine: Should security teams be involved in the continuous monitoring of employee stress?
Crandall: I would think continuous monitoring would invoke stress. It also brings up controversy related to privacy. My belief is that it is better to simply tell people there is a zero-tolerance policy for misconduct, and if they get caught with their hand in the cookie (deception) jar, it is grounds for termination or other predetermined consequence.
Security magazine: What does an effective and comprehensive insider threat plan look like?
Crandall: In addition to detection security, an organization must also factor in human resource and legal implications. Having a policy in place that openly shares the consequences for misconduct as well as a system that can provide irrefutable proof will help with HR requirements. Legal will need to be involved if the data they have stolen or altered has any legal or management disclosure requirements. One question that we often see with deception is whether to tell or not to tell employees. Some prefer to make the use of deception known as part of their policy. Others prefer to operate in stealth mode so that they can get more information on intent and to what number and extent employees are involved.
For assessing supplier risks, an organization could require formal on-site evaluations and secure written reports from a third-party risk assessor or security rating service. They should evaluate a service provider’s risk and security documentation and program materials, or ask them to complete a security assessment questionnaire that helps define the supplier’s risk and security program. Visibility and detection tools should also always be added to ensure that policy violations or unauthorized access are quickly uncovered.
Security magazine: As remote work may be a reality for the months (and possibly years) to come, what advice do you have for security teams, and/or those in charge of putting policies in place to deter these types of incidents?
Crandall: Data loss tracking and prevention programs are quite useful to have within an insider threat program. The challenge is that the alerting at this point may occur too late or be hidden amongst changed behavioral patterns. I would strongly advise organizations to have decoys amongst their assets that alert on unauthorized scans or deceptive credential use. I would add data concealment to the mix so that employees are not able to see, access, steal, or tamper with data they are not supposed to access. Any policy violation or nefarious act will then get promptly picked up and substantiated based on their interaction with the deception environment.