Attivo Networks revealed industry validations that its deception effectively fools attackers. Validating deception’s ability to serve as a reliable security control for closing in-network detection gaps, the company has released results of a penetration test conducted by a top computer forensics company that specializes in penetration testing, announced the ThreatInject simulation tool for testing deception resiliency, and embedded deception into the ISSA International Conference Capture the Flag (CTF) event. By creating an authentic synthetic network based on deception, organizations change the asymmetry on attackers by placing high-interaction traps and lures that efficiently reveal an attacker’s presence.
Pen testing is used for compliance and to test the resiliency of an organization’s security controls. A mission is often defined by a Red Team’s ability to capture an embedded flag without being detected. Blue Teams, the “defenders,” are using deception to obfuscate the attack surface and trick the Red Team, much like an attacker, into making a mistake and revealing their presence. In this test scenario, an advanced pen tester gathered information and attempted to execute their attack over the period of a week in order to capture the flag. Immediately upon activating their attack, Attivo was alerted to the tester’s presence and captured and recorded all of his actions. This test scenario validated the authenticity of deception and the accuracy to provide early detection of a threat, and proved that even expert pen testers can be fooled by deception.
To validate the resiliency of deception and stolen credential detection, Attivo Networks released its ThreatInject simulation tool. Credential theft attacks are inherently difficult to detect because perimeter and anti-virus solutions are not designed to detect attacks based on credential use or lateral movement. Credential-based attacks start with attackers extracting user credentials from various places like Credential Manager and Registry and Memory using tools like Mimikatz and utilizing them to move laterally or compromise remote systems. Once an attacker steals credentials, they will either assume they are all real, as they are unable to validate them, or they will try to verify them against Active Directory. Deploying deception on the endpoints changes the credential landscape by adding deceptive credentials and deceptive hosts that appear valid and authentic.
The ThreatInject simulator provides the ability to discover managed and unmanaged credentials, and test their authenticity along with the computers that these credentials point to. The simulator will demonstrate an attack launch using the selected credentials, query Active Directory to calculate authenticity and understand credential access, and to simulate attacker behavior. Similar to a pen test, the ThreatInject simulator empowers an organization with a window into what an attacker would see for credentials and computer hosts, verifies that an attacker is unable to determine fake credentials, and demonstrates that their deception environment is working accurately and reliably.