Deception technology turns the tables on attackers by altering their cyber terrain – so 1000 endpoints become 10,000 endpoints – slowing down attackers and increasing the cost of doing business. At Fidelis, we liken this to the art of deceiving enemies on the cyber battlefield. To defeat increasingly sophisticated and aggressive threat actors, we use Deception technology to enable our warfighters to take advantage of their adversaries.
- Why should we be arming ourselves with Deception technology?
- The unique capabilities of Fidelis Deception
- Fidelis Deception’s detection vs. containment strategies
Introduction: Welcome to the Fidelis Cybersecurity Threat Geek podcast. My name is Dave Ayoub, Army Account Manager at Fidelis and a U.S. Army Combat Veteran. I’ve spent my career arming warfighters with the solutions needed to fight our most advanced cyber attackers. I’m joined by our VP of R&D for Deception, Rami Mizrahi. Welcome, Rami.
Rami: Hi Dave, thank you.
Dave: Today we’ll be discussing the importance of Deception technology to best prepare and tool the army, and any other enterprise for that matter, for the next-gen cyber battlefield.
Dave: At Fidelis, we liken our Deception technology to an art. Specifically, the art of deception and deceiving enemies on the cyber battlefield. I’d like to start by asking if you can quickly go over the goal of Deception technology – what is its purpose and why should we be arming ourselves with it?
Rami: The main goal for Deception is to proactively detect attackers that are inside the organization before damage is done. These are advanced attackers that have already bypassed existing prevention mechanisms and have infected assets inside the organization.
A good deception solution should first learn the organization and then deploy the matching deception elements in different layers, all with very little overhead to the admin user. We should deploy deception based on how the real network behaves and we should quickly adapt to any changes.
The ROI for a Deception solution is very high because, first, the deployment is easy and almost automatic, and next, there are almost no false positives for such a solution. Since the deception elements are not part of the real network, no one should be accessing them, so any alert triggered is an actionable alert that should be handled.
Dave: Can you go over our capabilities of Fidelis Deception? And what makes our capabilities unique?
Rami: Fidelis Deception focuses on full automation of the deception deployment and maintenance.
- Continuously learning the organization’s terrain, including in-depth knowledge of networks, OSs, applications, communication habits and more
- Next, deploying the different deception elements based on the terrain. We’ll deploy:
  - Emulated and RealOS decoys – these act as different resources inside your networks
  - Breadcrumbs on assets and on the network that point attackers from the real assets to the decoys
  - Active Directory deception – which adds a layer of deception to your real AD server
All elements are tailored for your environment based on how your terrain looks. The Deception coverage shows how well the elements deployed cover the organization resources.
As a final sentence, I’ll mention that Fidelis Deception is part of the Fidelis XDR solution. This gives us many enterprise features, including Terrain risk analysis & assessment based on traffic. It also makes it easy to upgrade from Fidelis Deception to the full XDR solution, by just updating the license.
Dave: We excel at providing visibility, in-depth understanding of the terrain for deploying deception, risk analysis, as well as a couple other things. Can you explain more about each of these points and why they are key in detecting and containing attackers?
Rami: Well, let’s start with the terrain.
Fidelis terrain is based on sniffing the traffic and continuously analyzing it to have a complete understanding of the environment. The idea behind it is that in order to deploy the right deception you need to understand the various components of your environment. This gives you the most accurate data on your terrain – it will reveal your managed assets, your un-managed assets and in most cases, assets that you are not even aware of.
Then the terrain is used to automatically build the deception layer, now that we know exactly what type of decoys and breadcrumbs should be deployed.
The terrain controls the types of decoys we create – Windows, Linux, databases, IoT devices and more. And it controls the breadcrumbs that are deployed – which application on your assets will lead to which service on the fake decoys.
Next, based on the terrain and the assets’ behavior the platform can evaluate the risk associated with subnets and assets and recommend where to deploy decoys and which assets should get which breadcrumbs.
All this data together is visualized, so we can easily see how the environment looks and the admin can act accordingly. This covers the subnets, assets, interactions between them, protocols being used, internal and external servers in use and more.
Dave: What is unique about Fidelis protection for Active Directory? How is it different from other deception solutions?
Rami: The Active Directory server is one of the most targeted resources during an attack campaign.
Since all assets send queries and collect data from the AD, attackers can also do it without raising suspicion. Attackers will enumerate the environment, identify high privilege accounts, and use those credentials to access other resources. Many tools, like Bloodhound, can even do this automatically.
Our deception solution for Active Directory includes placing fake information on the real AD server, on the real assets you have and also around the network. The goal is to deceive attackers and to direct them to the decoys.
This is achieved by planting lucrative fake accounts in the AD and binding these accounts to the decoys. These decoys operate like other resources in the organization – communicating with the AD server, logging in to it, publishing SPNs and more. We also place breadcrumbs on the assets and generate traffic in the network that includes information about the fake accounts and computers.
The usage of those accounts is then monitored on the AD server and on the Decoys, revealing the attackers’ activities and presence on the infected assets.
Dave: Can Fidelis Deception serve for detection as well as containment and learning adversaries’ TTPs? Is this unique to Fidelis?
Rami: With regards to deception, detection is very different from containment.
For containment, the goal is to keep the attacker inside the deceptive environment for as long as possible and gather information on his methods and his goals. High interaction decoys, such as the Fidelis RealOS decoys, are perfect for those purposes. They allow the attacker to operate within a real machine that has real applications, valuable data and is part of the corporate network. Anything happening on the machine is logged and analyzed for forensic purposes. This will include network activity, file system, memory and registry usage.
For detection, on the other hand, the security team’s focus is on quickly identifying the infected assets and resolving open security holes. Our Emulated decoys, which are medium-interaction, are the best match for this goal. Using emulation, Fidelis can create multiple decoys that mimic the corporate assets – desktops, servers and IoT devices.
Fidelis deception provides the ability to deploy RealOS decoys and emulated decoys, both on the same appliance. This allows the security team to decide based on their goals and available resources which method of deployment they choose. Typically, it will be a combination of both.
Dave: This has been very insightful, thank you for coming on here today to talk about why there’s no better trap than Fidelis Deception. And to our audience, thanks for tuning in! If you’d like to know more about our cybersecurity solutions, visit www.fidelissecurity.com or our dedicated page for Army Warfighters.
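The monitoring Rami describes for the fake AD accounts, sketched as an added example that is not Fidelis code: a small detector over constructed Windows Security events (4768 TGT request, 4769 service ticket, 4624 logon) that alerts when a honey account is used or a ticket is requested for a decoy host, while ignoring the decoys' own keep-alive logons. The account names, host names, addresses and the event-field subset are assumptions for illustration.

```python
"""Honey-account usage detector over constructed Windows Security events.

Assumed model (not Fidelis code): fake AD accounts are bound to decoys, and the
decoys themselves log in with those accounts to keep them looking alive, so
activity from a decoy's own address is expected; anything else is an alert that
names the source asset to investigate.
"""
from dataclasses import dataclass

# Constructed inventory: every name and address here is a placeholder.
HONEY_ACCOUNTS = {"svc_backup_admin", "sqladmin_legacy"}
DECOY_HOSTS = {"FS-BACKUP02", "SQL-LEGACY01"}
DECOY_ADDRESSES = {"10.0.5.20", "10.0.5.21"}  # the decoys' own addresses

# 4768: Kerberos TGT request, 4769: service ticket request, 4624: logon.
WATCHED_EVENTS = {4768, 4769, 4624}


@dataclass(frozen=True)
class Alert:
    event_id: int
    account: str
    source: str   # IpAddress field: the asset that made the request
    reason: str


def detect(events):
    """Return alerts for honey-account use or ticket requests for decoy hosts."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in WATCHED_EVENTS:
            continue
        src = ev.get("IpAddress", "")
        if src in DECOY_ADDRESSES:
            continue  # a decoy maintaining its bound account: expected traffic
        acct = ev.get("TargetUserName", "").lower()
        service = ev.get("ServiceName", "").upper().rstrip("$")  # 4769 only
        if acct in HONEY_ACCOUNTS:
            alerts.append(Alert(eid, acct, src, "honey account used"))
        elif eid == 4769 and service in DECOY_HOSTS:
            alerts.append(Alert(eid, acct, src, "ticket requested for decoy host"))
    return alerts


def infected_sources(events):
    """Group alerts by source address: the assets the security team should triage."""
    counts = {}
    for a in detect(events):
        counts[a.source] = counts.get(a.source, 0) + 1
    return counts


# Constructed sample: one decoy keep-alive, one benign user, two suspicious events.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.5.20"},
    {"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "10.0.7.33"},
    {"EventID": 4769, "TargetUserName": "jsmith", "ServiceName": "FS-BACKUP02$", "IpAddress": "10.0.7.33"},
    {"EventID": 4624, "TargetUserName": "SVC_BACKUP_ADMIN", "IpAddress": "10.0.7.33"},
]
```

The decoy-address exclusion is the edge case to get right: without it, the deception layer's own maintenance logons would generate the false positives the interview says a deception solution should not have.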