Deception and Sandboxing

Leveraging Deception Technologies to Outsmart Hackers

Hackers live and breathe deception. In fact, deception is the cornerstone of most of their attack strategies. Lately, enterprises have become increasingly interested in using deception themselves as a way to get into the minds of cybercriminals and thwart them. In other words, they are using deception to improve detection.

Honeypots and Sandboxing

Honeypots, which are decoy computer systems designed to trap hackers and uncover malicious activities, have been in use for quite some time. They are built to lure hackers and to be attacked, so any network traffic going to them is bound to be malicious. Their chief purpose and benefit is to collect and store accurate attack data that may be missed by network intrusion detection tools, thereby reducing false alerts and “noise.” As a honeypot is being attacked, it collects logs of the IP addresses, ports, files, and hosts that are being accessed. This data provides valuable threat intelligence for security teams, especially when it comes to zero-day attack techniques. Some of the disadvantages of honeypots are that they only attract threats aimed at the type of systems they are simulating, and they do little in terms of prevention.
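To make the honeypot mechanics concrete, here is a small decoy TCP listener, added for this article and not code from Attivo, TrapX or McAfee. It accepts any connection on a decoy port, records the source IP, source port, decoy port and the first bytes sent, and aggregates the sessions per source so an analyst can see who touched the decoy and which ports they probed. The port number, the 512-byte capture limit and the replayed request in `replay_session` are constructed choices for the illustration.

```python
"""Minimal TCP honeypot: a decoy listener that accepts any connection,
records who connected and what they sent, and serves nothing real.
Added illustration for this article, not code from Attivo, TrapX or McAfee.
"""
import json
import socket
import time

MAX_BYTES = 512        # keep only the first bytes of each session
READ_TIMEOUT = 2.0     # seconds to wait for the client to send something


def handle_connection(conn, peer, listen_port, log, now=None):
    """Record one session on the decoy, then close it.

    peer is the remote (ip, port); listen_port is the decoy port that was
    hit; log is a list owned by the caller. Everything that reaches a decoy
    is suspect, so every session is recorded, whether or not data arrived.
    """
    conn.settimeout(READ_TIMEOUT)
    try:
        data = conn.recv(MAX_BYTES)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    event = {
        "ts": time.time() if now is None else now,
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": listen_port,
        "bytes": len(data),
        # printable preview for analysts; hex keeps non-text payloads intact
        "preview": data.decode("ascii", "replace")[:80],
        "hex": data[:64].hex(),
    }
    log.append(event)
    return event


def replay_session(payload, peer, listen_port, log, now=None):
    """Feed a captured or constructed payload through handle_connection over
    an in-process socket pair: useful for tests and for replaying stored
    sessions without a live attacker."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(payload)
        client_side.shutdown(socket.SHUT_WR)
    except OSError:
        pass
    event = handle_connection(server_side, peer, listen_port, log, now)
    client_side.close()
    return event


def summarize(log):
    """Aggregate sessions per source IP: how many, which decoy ports were
    touched, and the first/last time seen. Any entry here merits an alert,
    because no legitimate client has a reason to talk to the decoy."""
    per_src = {}
    for ev in log:
        s = per_src.setdefault(ev["src_ip"], {
            "sessions": 0, "ports": set(), "first": ev["ts"], "last": ev["ts"]})
        s["sessions"] += 1
        s["ports"].add(ev["dst_port"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return per_src


def serve(bind_addr, port, log, max_sessions=None):
    """Listen on the decoy port and log every connection; stops after
    max_sessions sessions (None means run until interrupted)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)
    handled = 0
    try:
        while max_sessions is None or handled < max_sessions:
            conn, peer = srv.accept()
            handle_connection(conn, peer, port, log)
            handled += 1
    finally:
        srv.close()


if __name__ == "__main__":
    # Decoy on an unused high port; e.g. `nc 127.0.0.1 2222` and type a line.
    sessions = []
    serve("127.0.0.1", 2222, sessions, max_sessions=1)
    print(json.dumps(summarize(sessions), default=sorted, indent=2))
```

Because the listener serves nothing, every session it records is signal rather than noise. A real deployment would ship the events to a SIEM instead of a list, and would run decoys that resemble the systems the organization actually owns, since, as noted above, a honeypot only attracts threats aimed at what it imitates.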

Sandboxes work in a similar way, but focus on applications. These automated detection and analysis systems allow malware programs to execute in a controlled environment. The sandboxes perform analysis, capturing as many details as possible. Some can even scale up to allow for analysis of multiple malware samples. Sandboxes are good at spotting zero-day malware and stealthy attacks. Unfortunately, we’re seeing more malware cropping up that can evade sandboxes.

Next-Generation Deception Tools

Today, deception technologies are becoming more automated and sophisticated. Gartner notes that “A new class of products with distributed endpoint decoys is emerging with threat deception capabilities that can enhance our defenses,” and that “In this new class of security products, distributed decoy systems are used to portray deception across multiple layers of interaction by attackers.”1

This is precisely what enterprises need to detect multistage targeted attacks and keep them from coming back. Two Intel Security Innovation Alliance partners that are at the forefront of deception technology are Attivo Networks and TrapX. Let’s take a look at the capabilities of each one.

Attivo ThreatMatrix Platform: BOTsink deception servers

Integrated with McAfee Network Security Platform, the ThreatMatrix solution uses real operating systems and a variety of enterprise application, endpoint, and server-level deception techniques, deployed across the network to lure attackers to the Attivo deception server and away from production assets. The ThreatMatrix platform includes ThreatStrike endpoint deceptions that plant credential and ransomware bait to attract attacker engagement. When the attacker strikes, the BOTsink analysis engine identifies the attacker’s IP address, identifies methods of lateral movement, and can generate signatures for zero-day and polymorphic attacks. The full TTPs of the attack, attack-cycle information, and forensic reports simplify and accelerate incident response, remediation, and reporting.

The Attivo ThreatMatrix platform can be configured to forward events to McAfee ESM and users can view events within the ESM Dashboard.

Here’s how it works with McAfee Network Security Platform. Let’s say a user clicks on a malicious link in a phishing email that drops malware on the endpoint and directs it to connect with a command-and-control (C&C) server. Instead of allowing the endpoint to go through with that operation, McAfee Network Security Platform intervenes and sends the connection request to the BOTsink virtual engagement server, which acts like the targeted machine, launching the URL and engaging with the C&C server. Once the BOTsink deception server is infected and the connection with the C&C server is made, the threat carries out its attack behaviors in the BOTsink sandbox, where it’s isolated and safely observed. The BOTsink advanced analytical engine then analyzes the botnet traffic. And, beyond just analyzing the threat, it reports attack data to endpoint and network security applications, so they can check for the presence of the infected file or for communications with malicious domains across the entire enterprise infrastructure.
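The two steps just described, forwarding the engagement event to the SIEM and handing the attack data to other controls so they can search the rest of the estate, can be illustrated with a short script. It is an added example for this article, not Attivo’s BOTsink export or McAfee ESM code: the event dictionary is a constructed, hypothetical layout, the vendor/product strings and CEF field choices are ours, and the proxy log lines and the file hash are placeholders. It encodes the event as an ArcSight CEF line (a widely supported SIEM ingest format carried over syslog), extracts the indicators from the event, and matches them against proxy logs to find other hosts that contacted the same C&C domain.

```python
"""Turn a deception-server engagement event into a CEF line for the SIEM
and into a list of indicators the rest of the estate can be searched for.
Added example for this article: the event layout is a constructed,
hypothetical one (not Attivo's BOTsink export format), and the CEF vendor
and field choices are ours.
"""

SEVERITY = {"low": 3, "medium": 6, "high": 8, "critical": 10}  # CEF uses 0-10

# Constructed sample engagement event; the hash is a placeholder, not a real IoC.
SAMPLE_EVENT = {
    "event_type": "C2_CONTACT",
    "name": "Decoy engaged after phishing redirect",
    "severity": "high",
    "time_ms": 1478016000000,
    "victim_ip": "10.20.30.40",
    "decoy_ip": "10.99.0.7",
    "c2_host": "updates.example.net",
    "c2_ip": "198.51.100.23",
    "c2_port": 443,
    "url": "https://updates.example.net/dl/a.php?id=7",
    "dropped_sha256": "PLACEHOLDER_SHA256",
}


def _esc_header(value):
    # CEF header fields: backslash and pipe must be escaped
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # CEF extension values: backslash, equals sign and newlines must be escaped
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def to_cef(event, vendor="Example Deception", product="EngagementServer",
           version="1.0"):
    """Encode the event as one ArcSight CEF line (the syslog payload)."""
    header = "|".join(_esc_header(v) for v in (
        "CEF:0", vendor, product, version, event["event_type"], event["name"],
        SEVERITY[event["severity"].lower()]))
    ext = {
        "rt": event["time_ms"],        # receipt time, ms since epoch
        "src": event["victim_ip"],     # endpoint that was redirected to the decoy
        "dst": event["c2_ip"],
        "dpt": event["c2_port"],
        "dhost": event["c2_host"],
        "request": event["url"],
        "fileHash": event["dropped_sha256"],
        "cs1Label": "decoyIp",
        "cs1": event["decoy_ip"],
    }
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


def extract_iocs(event):
    """Indicators to search for elsewhere: C&C domain and IP, the URL, and
    the dropped file's hash. Order is stable and duplicates are removed."""
    candidates = [
        ("domain", event.get("c2_host")),
        ("ip", event.get("c2_ip")),
        ("url", event.get("url")),
        ("sha256", event.get("dropped_sha256")),
    ]
    seen, iocs = set(), []
    for kind, value in candidates:
        if value and (kind, value) not in seen:
            seen.add((kind, value))
            iocs.append((kind, value))
    return iocs


# Constructed proxy log lines: timestamp, client IP, method, target, status
PROXY_LOG = [
    "2016-11-01T10:00:01Z 10.20.30.40 CONNECT updates.example.net:443 200",
    "2016-11-01T10:00:05Z 10.20.30.55 GET http://intranet.corp/index.html 200",
    "2016-11-01T10:02:10Z 10.20.30.61 CONNECT updates.example.net:443 200",
]


def find_ioc_hits(iocs, lines):
    """Return (kind, value, line) for each log line mentioning an IOC, i.e.
    other hosts that talked to the same C&C infrastructure."""
    hits = []
    for line in lines:
        for kind, value in iocs:
            if value in line:
                hits.append((kind, value, line))
    return hits


def hosts_to_investigate(hits):
    """Distinct client IPs from the matching proxy lines."""
    return sorted({line.split()[1] for _, _, line in hits})


if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT))
    matched = find_ioc_hits(extract_iocs(SAMPLE_EVENT), PROXY_LOG)
    print("hosts to check:", hosts_to_investigate(matched))
```

The proxy sweep turns one decoy engagement into a list of additional hosts to triage, which is the enterprise-wide check the paragraph describes; in practice the same indicator list would also be pushed to endpoint tooling to look for the dropped file by hash.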

TrapX DeceptionGrid

TrapX DeceptionGrid, which complements McAfee Advanced Threat Defense, provides a multitier deception platform that uses both DeceptionTokens (lures) on endpoints and emulations (fake assets). It deploys a rich set of fake assets that look and act like your high-value real assets and are intermingled, at scale, with actual information technology resources in an enterprise network. These assets can take the form of traditional workstations, servers with enterprise applications and storage, or IoT devices such as ATMs, PoS terminals, SWIFT systems, medical devices, VoIP, SCADA, ICS, or routers/switches. The moment attackers come into contact with an emulation, an alert is triggered and any injected malware is sent to McAfee Advanced Threat Defense, which swiftly and accurately analyzes the threat and then, working with McAfee Threat Intelligence Exchange, incorporates the resulting threat intelligence into enforcement processes across other Intel Security solutions. DeceptionGrid also monitors egress traffic for known and previously unknown C&C traffic. When the ATD sandbox detonates malware that has bypassed traditional defenses, actionable intelligence is transmitted back into TrapX DeceptionGrid to hunt for additional attacker activity. This type of advanced deception technology enables IT security to find advanced threats that may bypass other security solutions and significantly reduces the time it takes to detect a breach.
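The credential lures mentioned for both ThreatStrike and DeceptionGrid work because a decoy account has no legitimate user, so its mere appearance in an authentication log is a near-certain sign that an attacker harvested the bait. The following added example, not TrapX or Attivo code, shows the detection side: it scans authentication log lines for the planted account names and pivots by source address to see which host tried them. The log format, the decoy account names and the sample lines are all constructed for the illustration.

```python
"""Flag any authentication attempt that uses a planted decoy credential.
Decoy accounts exist only as bait left on endpoints (credential lures of the
ThreatStrike / DeceptionGrid kind); nothing legitimate ever logs in with
them, so a single use is a high-fidelity sign that an attacker harvested the
bait. Added example for this article; the log format and the decoy account
names are constructed and hypothetical.
"""
import re

# Hypothetical decoy account names, stored lower-case for matching
DECOY_ACCOUNTS = {"svc_backup_old", "adm-fileshare", "sqlsvc_legacy"}

# Constructed log format: <ts> <host> auth <OK|FAIL> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_AUTH_LOG = [  # constructed sample lines, including one corrupted entry
    "2016-11-02T08:15:01Z fs01 auth OK user=alice src=10.20.30.12",
    "2016-11-02T08:16:44Z fs01 auth FAIL user=svc_backup_old src=10.20.30.77",
    "2016-11-02T08:16:45Z dc01 auth FAIL user=ADM-fileshare src=10.20.30.77",
    "corrupted entry ###",
    "2016-11-02T08:17:02Z web02 auth OK user=bob src=10.20.30.19",
    "2016-11-02T08:20:10Z sql03 auth OK user=sqlsvc_legacy src=10.20.30.77",
]


def parse_line(line):
    """Parse one line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Return one alert per line whose user is a decoy account. Success or
    failure is irrelevant: the name should never appear at all. A successful
    logon with a decoy means the bait carried a valid password, so the
    account must have no access to anything real."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # malformed lines are skipped, never treated as decoy use
        if rec["user"].lower() in decoys:   # case-insensitive account match
            alerts.append(rec)
    return alerts


def pivot_sources(alerts):
    """Group alerts by source IP: which decoy names each source tried. One
    source touching several decoys is a host spraying harvested bait."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], set()).add(a["user"].lower())
    return by_src


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_AUTH_LOG)
    for a in found:
        print(f"{a['ts']} DECOY-CREDENTIAL-USE host={a['host']} "
              f"user={a['user']} src={a['src']} result={a['result']}")
    print("pivot:", pivot_sources(found))
```

On the constructed sample, the three decoy logons all originate from one source address, which is the pivot an analyst wants: the alert names not just the bait that was taken but the host it was taken from, and that host becomes the starting point for the hunt for further attacker activity described above.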

Visit Attivo Networks and TrapX during the Intel Security FOCUS 16 Conference at the Aria Hotel, Las Vegas, Nov 2-4, 2016.