Today’s breaches are overwhelmingly carried out as a series of sophisticated, multi-stage attacks. The stages of such attacks can best be described by a “Cyber Kill Chain,” which, as per the MITRE ATT&CK Adversary Tactic Model [1], breaks down cyber intrusions into the steps shown in Figure 1.0.
Figure 1.0 MITRE ATT&CK Adversary Tactic Model
In Table 1.0, I have discussed six critical multi-stage attacks. For each, I have listed precisely the breadcrumbs and lures required at the endpoint and the deceptions required on the network to detect and divert the threat. The table further lists the conditions which, when triggered, raise the alarm for a breach, and the stage at which the threat is discovered; this stage is given as per the ATT&CK Matrix for Enterprise [1]. Based on the nature of the threat, once an alert for a breach is raised it can trigger appropriate automated responses, for example isolation of the infected endpoint or a SOC alert for remediation.
The six threat families considered in this blog are:
- Ransomware[5]
- Crypto Miner[2]
- Breaches leveraging Web Servers for entry [4]
- Destructive malware (such as Shamoon[3] and Petya[6])
- Information stealers
- Password stealers
In the blogs listed in the references, we have discussed the exploitation steps of these threats; they have also been covered extensively within the research community.
By using a distributed deception platform, two of these threat families (ransomware and password stealers) are detected in the execution phase. The other four are identified during the lateral movement phase, when the attacker is attempting to spread to other machines.
Based on the analysis shown in the table, the takeaways are:
- A deception-centric architecture detects the second or a subsequent stage of the payload, so detection by distributed deception is independent of the vulnerability exploited at the first stage. Whether the first stage uses a 0-day, a known vulnerability, or social engineering of humans into granting access via phishing or socially-engineered malware, a deception-centric architecture raises an alert as soon as the second or a subsequent phase touches the deceptions.
- In many of the cases presented in the table above, such as breaches involving a web server and the detection of information stealers, crypto miners and destructive malware, a distributed deception architecture can detect the threat actor or worm after it has breached an organization but before its final intent is carried out. The deception-based technique used to identify the threat is generic, i.e., it is independent of the purpose of the worm or the threat actor.
The capability of detecting a worm or an adversary independently of the first stage, and of detecting a breach in a generic manner independent of the final intent, makes deception a recommended architecture for preventing sophisticated breaches.
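As an added illustration (not code from the original post or from any product it describes), the following Python sketch models the trigger conditions and automated responses discussed above: planted breadcrumbs, lures and network decoys form an inventory, and any event that touches one raises an alert tagged with the ATT&CK tactic at which the threat is discovered and the response to fire. All file paths, addresses and host names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of deceptions (hypothetical names and addresses):
# breadcrumbs and lures planted on endpoints, decoys placed on the network.
DECOY_FILES = {r"C:\Users\Public\Finance\payroll_2018.xlsx"}          # canary document
DECOY_CRED_STORES = {r"C:\Users\alice\AppData\Local\vault_decoy.db"}  # lure credential store
DECOY_HOSTS = {"10.0.5.77", "10.0.5.78"}                              # network decoys, no real workload

@dataclass(frozen=True)
class Alert:
    host: str            # endpoint that touched the deception
    threat_family: str   # as far as the triggered condition reveals it
    attck_tactic: str    # ATT&CK tactic at which the threat is discovered
    response: str        # automated response to trigger

def evaluate(event: dict) -> Optional[Alert]:
    """Apply the trigger conditions to one event. Legitimate users never touch a
    deception, so any interaction is a breach indicator, whatever the first stage was."""
    kind, host = event["kind"], event["host"]
    if kind == "file_write" and event["path"] in DECOY_FILES:
        # Modification of a canary document: ransomware encrypting files.
        return Alert(host, "ransomware", "Execution", "isolate_endpoint")
    if kind == "file_read" and event["path"] in DECOY_CRED_STORES:
        # Harvesting the planted credential store on the endpoint.
        return Alert(host, "password_stealer", "Execution", "isolate_endpoint")
    if kind == "net_connect" and event["dst"] in DECOY_HOSTS:
        # Contact with a network decoy: the payload is spreading. The rule is
        # generic; the final intent (miner, wiper, info theft) is not needed.
        return Alert(host, "lateral_movement", "Lateral Movement",
                     "isolate_endpoint_and_soc_alert")
    return None  # activity on real assets is not a deception trigger

def detect(events: list) -> list:
    """Run the trigger conditions over a stream of endpoint/network events."""
    return [a for a in (evaluate(e) for e in events) if a is not None]

# Constructed sample telemetry: one benign event, then three deception touches.
SAMPLE_EVENTS = [
    {"kind": "file_write", "host": "ws-12", "path": r"C:\Users\alice\report.docx"},
    {"kind": "file_write", "host": "ws-12", "path": r"C:\Users\Public\Finance\payroll_2018.xlsx"},
    {"kind": "file_read", "host": "ws-07", "path": r"C:\Users\alice\AppData\Local\vault_decoy.db"},
    {"kind": "net_connect", "host": "web-01", "dst": "10.0.5.77", "dport": 445},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```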
References
[1] ATT&CK Matrix for Enterprise, https://attack.mitre.org/wiki/Main_Page
[2] WannMine Lateral Movement Techniques,
/resources/blog/wannmine-lateral-movement-techniques/
[3] How to outfox Shamoon, put deception to work,
/resources/blog/how-to-outfox-shamoon-put-deception-to-work/
[4] Deception Centric Architecture to prevent breaches involving Web Server,
/resources/blog/deception-centric-architecture-to-prevent-breaches-involving-webserver/
[5] Deception centric defense against the Ransomware,
/resources/blog/deception-centric-defense-against-ransomware/