TRICKS of the CYBER TRADE
Deception technology chief explains how decoys and traps can be planted to catch hackers once they have breached a network
These days it’s not enough to try to keep cyber thieves and online spies out of your company’s network — there’s a good chance they’re already in.
That’s the rationale behind “deception technology,” a sector of the cybersecurity business that grew out of the reality that no matter how good a firm’s “perimeter security” may be, a global army of extremely clever, morally compromised technologists is working diligently to break it. The trick, according to Carolyn Crandall, the “chief deception officer” of Attivo Networks in Fremont, is to catch them once they’re inside. In cybersecurity parlance, this is known as “detection.”
“The premise of security was originally built on having a perimeter. Build your castle or your fortress and nobody can get in,” Crandall said. “And we know that that’s not realistic, if you look at the simple number of breaches that happen. The innovation that attackers are able to use is outpacing that of typical cybersecurity.”
Online attackers can be very sophisticated, and the longer they’re poking around inside a network — the average is 100 days — the more time they have to locate what they want to steal, then trick employees, suppliers or affiliates into providing login credentials to access that data, or find vulnerabilities that let them pilfer it directly, Crandall says.
So Attivo sets what it calls decoys, traps and lures. These are faked elements in a firm’s computer network and its contents that an attacker would see, virtually represented, once inside the network — like a server, router, desktop computer, data file, or maybe some login credentials in a web-browsing history. The elements look real to a cyber intruder, but would never be accessed by anyone who is actually authorized to use the network. If a hidden malefactor exploring the system hits one of those elements, the attacker is exposed. The victim can then take appropriate security measures, and possibly contact law enforcement.
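As an added illustration (this is example code, not part of the article or of Attivo’s product), here is a small detector in the spirit of those decoys: a decoy inventory with hypothetical names and constructed log lines, where any touch of a decoy account, host or file raises an alert naming the source host, and a count per source shows who is exploring.

```python
import re
from collections import Counter, namedtuple

# Constructed decoy inventory (hypothetical names): planted assets that no
# authorized user or process has a reason to touch, so any use is suspect.
DECOY_ACCOUNTS = {"svc_backup_legacy", "finance_admin"}        # seeded credentials
DECOY_HOSTS = {"10.0.9.250"}                                   # decoy server
DECOY_FILES = {"/shares/finance/Q4_financial_statements.xlsx"}  # bait document

# Constructed log format: "<timestamp> <kind> key=value ...", kind in auth/net/smb.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|net|smb) (?P<rest>.*)$")

Alert = namedtuple("Alert", "ts src decoy_type target")  # src: host to investigate

def detect_decoy_hits(lines):
    """One Alert per event that touches a decoy. A failed login with a decoy
    account still alerts: the credential exists only to be stolen and replayed."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:                      # unrelated or malformed line: skip it
            continue
        f = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        ts, kind, src = m["ts"], m["kind"], f.get("src", "?")
        if kind == "auth" and f.get("user") in DECOY_ACCOUNTS:
            alerts.append(Alert(ts, src, "decoy-credential", f["user"]))
        elif kind == "net" and f.get("dst") in DECOY_HOSTS:
            alerts.append(Alert(ts, src, "decoy-host", f["dst"]))
        elif kind == "smb" and f.get("path") in DECOY_FILES:
            alerts.append(Alert(ts, src, "decoy-file", f["path"]))
    return alerts

def hits_per_source(alerts):
    """Decoy touches per source host: several distinct decoys from one host is
    the signature of someone exploring the network rather than a stray typo."""
    return Counter(a.src for a in alerts)

SAMPLE_LOG = [  # constructed sample events, not real data
    "2024-03-02T10:01:12Z auth src=10.0.4.21 user=jdoe result=success",
    "2024-03-02T10:03:40Z net src=10.0.4.77 dst=10.0.9.250 port=445",
    "2024-03-02T10:03:41Z auth src=10.0.4.77 user=svc_backup_legacy result=failure",
    "2024-03-02T10:05:09Z smb src=10.0.4.77 path=/shares/finance/Q4_financial_statements.xlsx op=read",
    "2024-03-02T10:06:00Z smb src=10.0.4.21 path=/shares/finance/budget.xlsx op=read",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for alert in detect_decoy_hits(SAMPLE_LOG):
        print(alert)
    print(hits_per_source(detect_decoy_hits(SAMPLE_LOG)))
```

Because legitimate users never touch the decoys, every alert is high-fidelity; the normal activity from 10.0.4.21 produces nothing.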
This news organization sat down with Crandall at Attivo’s headquarters to discuss the company’s work for customers, which include consumer-goods companies, tech firms, law offices and government agencies. Her comments have been edited for length and clarity.
Q
Why is it impossible to keep hackers out of business computer networks?
A
Humans. Humans are going to make mistakes, whether they click on a phishing email, whether they misconfigure something. There is this very advanced set of attackers that will use all sorts of social engineering to figure out how to get around the security systems.
Q
When did deception technology really take off? It’s pretty recent, right?
A
We started shipping product late 2014. … 2015 was a lot about, “What is this? Why is this?” 2018 was the first time that I started to hear people go, “I’m actually budgeting for the technology.” And rolling into 2019 now, in the last quarter we worked very, very actively with companies that have said, “It is in my budget for next year.”
Q
What are the main types of attackers that you’re dealing with?
A
It’s across the board. They’re collaborating with each other to leverage the best practices. They’ve got a marketplace with the dark web. They’ve got a whole orchestrated business on being able to attack organizations. We’ve seen lots of ransomware attacks on health care organizations. We’ve seen bitcoin mining attacks. Lots of insider-threat activity, too. The things that happen in the Middle East, out of our Dubai office and what they detect, they get a lot of nation-state activity.
Q
You identify an attack and an attacker, and then what happens?
A
Now I know, “How did they get in? How were they attacking?” Unlike say a firewall or another device that would simply stop the attack and would shut it down, we let it play out. When I’m done studying them, now I can go back and reinforce my defenses.
Q
What kind of lures do you create? Are you putting onto some server a file that says, “All our best intellectual property”?
A
It can be financial statements. Maybe I’m at a hospital and I have research, you know, latest cure for cancer. Maybe I’m a law firm and I’ve got a big case and somebody wants to get insight into my case files and know what kind of defense or offense I’m going to play. Maybe I’m a technology company coming out with the latest new cellphone. There’s all kinds of reasons that people would want to steal information.
Q
How do you deal with the fact that you have super-sophisticated adversaries such as nation-states that know about deception technology?
A
The way we’ve designed our technology is, it’s for the anticipating attacker, and so even if they are looking for deception, they can’t tell.
Q
Did you lie a lot as a child?
A
I won’t say I lied a lot. I might be cunning in getting what I wanted.