The Mercury News

TRICKS of the CYBER TRADE

Deception technology chief explains how decoys and traps can be planted to catch hackers once they have breached a network

- By Ethan Baron » ebaron@bayareanewsgroup.com

These days it’s not enough to try to keep cyber thieves and online spies out of your company’s network — there’s a good chance they’re already in.

That’s the rationale behind “deception technology,” a sector of the cybersecurity business that grew out of the reality that no matter how good a firm’s “perimeter security” may be, a global army of extremely clever, morally compromised technologists is working diligently to break it. The trick, according to Carolyn Crandall, the “chief deception officer” of Attivo Networks in Fremont, is to catch them once they’re inside. In cybersecurity parlance, this is known as “detection.”

“The premise of security was originally built on having a perimeter. Build your castle or your fortress and nobody can get in,” Crandall said. “And we know that that’s not realistic, if you look at the simple number of breaches that happen. The innovation that attackers are able to use is outpacing that of typical cybersecurity.”

Online attackers can be very sophisticated, and the longer they’re poking around inside a network — the average is 100 days — the more time they have to locate what they want to steal, then trick employees, suppliers or affiliates into providing login credentials to access that data, or find vulnerabilities that let them pilfer it directly, Crandall says.

So Attivo sets what it calls decoys, traps and lures. These are faked elements in a firm’s computer network and its contents that an attacker would see, virtually represented, once inside the network — like a server, router, desktop computer, data file, or maybe some login credentials in a web-browsing history. The elements look real to a cyber intruder, but would never be accessed by anyone who is actually authorized to use the network. If a hidden malefactor exploring the system hits one of those elements, the attacker is exposed. The victim can then take appropriate security measures, and possibly contact law enforcement.

This news organization sat down with Crandall at Attivo’s headquarters to discuss the company’s work for customers, which include consumer-goods companies, tech firms, law offices and government agencies. Her comments have been edited for length and clarity.

Q

Why is it impossible to keep hackers out of business computer networks?

A

Humans. Humans are going to make mistakes, whether they click on a phishing email, whether they misconfigure something. There is this very advanced set of attackers that will use all sorts of social engineering to figure out how to get around the security systems.

Q

When did deception technology really take off? It’s pretty recent, right?

A

We started shipping product late 2014. … 2015 was a lot about, “What is this? Why is this?” 2018 was the first time that I started to hear people go, “I’m actually budgeting for the technology.” And rolling into 2019 now, in the last quarter we worked very, very actively with companies that have said, “It is in my budget for next year.”

Q

What are the main types of attackers that you’re dealing with?

A

It’s across the board. They’re collaborating with each other to leverage the best practices. They’ve got a marketplace with the dark web. They’ve got a whole orchestrated business on being able to attack organizations. We’ve seen lots of ransomware attacks on health care organizations. We’ve seen bitcoin mining attacks. Lots of insider-threat activity, too. The things that happen in the Middle East, out of our Dubai office and what they detect, they get a lot of nation-state activity.

Q

You identify an attack and an attacker, and then what happens?

A

Now I know, “How did they get in? How were they attacking?” Unlike say a firewall or another device that would simply stop the attack and would shut it down, we let it play out. When I’m done studying them, now I can go back and reinforce my defenses.

Q

What kind of lures do you create? Are you putting onto some server a file that says, “All our best intellectual property”?

A

It can be financial statements. Maybe I’m at a hospital and I have research, you know, latest cure for cancer. Maybe I’m a law firm and I’ve got a big case and somebody wants to get insight into my case files and know what kind of defense or offense I’m going to play. Maybe I’m a technology company coming out with the latest new cellphone. There’s all kinds of reasons that people would want to steal information.

Q

How do you deal with the fact that you have super-sophisticated adversaries such as nation-states that know about deception technology?

A

The way we’ve designed our technology is, it’s for the anticipating attacker, and so even if they are looking for deception, they can’t tell.

Q

Did you lie a lot as a child?

A

I won’t say I lied a lot. I might be cunning in getting what I wanted.

PHOTOS BY ANDA CHU — STAFF PHOTOGRAPHER Carolyn Crandall is “chief deception officer” at Attivo Networks in Fremont. The cybersecurity company offers clients “deception technology” to deceive and detect cyberattackers.

ANDA CHU — STAFF PHOTOGRAPHER Carolyn Crandall says Attivo Networks’ “deception technology” is designed for the “anticipating attacker, and so even if they are looking for deception, they can’t tell.”
