ITWeb Security Summit 2020: Why the #@!%$ are so many South African companies still being breached on a regular basis?

By Murray Benadie, MD, Zenith Systems
Murray Benadie, MD, Zenith Systems.

“It seems that every week, we see reports of massive data breaches in South Africa. Some of the most recent include Experian, which says the personal information details of as many as 24 million South Africans and nearly 800 000 businesses were compromised. Others include Momentum Metropolitan, which warned that hackers had accessed data at one of its subsidiaries, and in June, Life Healthcare, which has 66 hospitals in South Africa, was hit by a ‘criminal attack’ on its IT systems,” says Murray Benadie, MD of Zenith Systems.

“We know that these types of serious breaches are well planned and managed, and that they typically take place over an extended period during which the hacker has access to the target IT systems. The dwell time is inexcusably long. Why do hackers have the luxury of reconnaissance, lateral movement, credential compromise and privilege escalation once they initiate the initial breach?” asks Benadie.

Benadie acknowledges: “These low and slow APTs are difficult to detect post initial compromise, as they use tools, credentials and techniques that are standard within the target organisation (living off the land). Defenders thus have to turn the tables on these hackers (and on malicious software such as ransomware) by denying them the cover of living off the land.

Defenders have to be right every time; hackers only need to be right once. This has to change. We need not only to detect the malicious activity, but also to create uncertainty and fear of discovery in the minds of malicious actors. This is not only a deterrent, but a mitigating control,” says Benadie.

So, how do we create this fear and uncertainty in the minds of malicious actors?


Modern, flexible and fluid cyber deception is a critical component of any cyber protection framework:

A hacker (or self-propagating malicious code such as ransomware or other malware) has to follow certain steps in the breach process. Post initial compromise (e.g. through a weaponised e-mail attachment, phishing or a malicious download), they look for credentials on the compromised endpoints, carry out reconnaissance of other connected devices, and engage in lateral movement and privilege escalation. This is the dwell time that hackers currently have the luxury of.

Using modern fluid cyber deception, we deploy hundreds of decoys (fake assets such as servers, laptops, workstations, domain controllers and database servers) and draw the attacker towards them with thousands of lures, breadcrumbs and baits: misconfigurations, weak permissions, fake credentials, mapped drives, files and folders, DNS entries, and so on. If a malicious actor or piece of malware makes a move, there is a very high likelihood that it will access one of the decoys, breadcrumbs, baits or lures, and its presence will immediately be detected.
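The rule this paragraph relies on, that no legitimate activity should ever reach a decoy or use a bait credential, is simple enough to show as code. The following Python is an added example written for this page, not code from Zenith Systems or from any product mentioned here. The decoy addresses, bait usernames, the allow-listed scanner address, the log line format and the six log lines are all constructed for the illustration.

```python
"""
Decoy-touch detection over a handful of constructed events.

Any connection to a decoy host, any use of a bait credential and any DNS
lookup of a decoy name raises an alert; authorised scanners are allow-listed.
All assets and log lines below are made up for this illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed deception inventory: decoy IPs -> short hostname, bait usernames
# seeded in breadcrumbs, and the one authorised scanner that may touch anything.
DECOY_HOSTS = {"10.20.5.77": "dc-02", "10.20.5.91": "fs-backup"}
DECOY_NAMES = set(DECOY_HOSTS.values())
BAIT_CREDENTIALS = {"svc_backup_old", "adm_legacy"}
ALLOWLIST_SOURCES = {"10.20.1.10"}  # vulnerability scanner (assumed address)

# Constructed sample log: timestamp, event type, then key=value fields.
SAMPLE_LOG = """\
2020-08-20T09:14:02Z conn src=10.20.7.33 dst=10.20.5.77 dport=445
2020-08-20T09:14:05Z logon src=10.20.7.33 user=svc_backup_old target=fs-backup result=failure
2020-08-20T09:14:06Z dns src=10.20.7.33 qname=fs-backup.corp.example
2020-08-20T09:15:00Z conn src=10.20.1.10 dst=10.20.5.77 dport=22
2020-08-20T09:16:10Z conn src=10.20.7.41 dst=10.20.5.12 dport=443
2020-08-20T09:17:00Z logon src=10.20.7.41 user=jsmith target=fs-01 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<type>\w+)\s+(?P<kv>.*)$")


@dataclass
class Alert:
    severity: str
    reason: str
    source: str          # host that touched the decoy
    decoy: str           # which decoy or bait was touched
    ts: str
    evidence: dict = field(default_factory=dict)


def parse_line(line):
    """Turn one 'ts type k=v k=v' line into a dict; return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "type": m["type"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def short(hostname):
    return hostname.split(".")[0]


def inspect(event):
    """Return an Alert if the event touches a decoy or bait, otherwise None."""
    src = event.get("src", "")
    if src in ALLOWLIST_SOURCES:          # authorised scanners never count
        return None
    kind, ts = event["type"], event.get("ts", "")
    if kind == "conn" and event.get("dst") in DECOY_HOSTS:
        return Alert("critical", "connection to decoy host", src,
                     DECOY_HOSTS[event["dst"]], ts, {"dport": event.get("dport")})
    if kind == "logon" and event.get("user") in BAIT_CREDENTIALS:
        return Alert("critical", "use of bait credential", src,
                     short(event.get("target", "")), ts,
                     {"user": event["user"], "result": event.get("result")})
    if kind == "dns" and short(event.get("qname", "")) in DECOY_NAMES:
        return Alert("high", "DNS lookup of decoy name", src,
                     short(event["qname"]), ts, {"qname": event["qname"]})
    return None


def triage(events):
    """Alerts plus a per-source map of touched decoys for the analyst."""
    alerts = [a for a in map(inspect, events) if a is not None]
    touched = {}
    for a in alerts:
        touched.setdefault(a.source, set()).add(a.decoy)
    return alerts, touched


if __name__ == "__main__":
    found, by_source = triage(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.ts} {a.severity.upper():8} {a.source} -> {a.decoy}: {a.reason} {a.evidence}")
    print("sources touching decoys:", by_source)
```

Two points a practitioner would watch in a real deployment. First, the allow-list: authorised vulnerability scanners and inventory tools sweep the whole address space and would otherwise trip every decoy, so their source addresses are excluded before any rule fires; anything else that reaches a decoy is, by construction, unauthorised. Second, the per-source map of what was touched (here 10.20.7.33 against both decoys, in one minute) is the forensic record of the attacker's targets and methods, not just a binary alarm.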

Cyber deception solutions are primarily designed to do three things:

  • Detect the presence of an attacker within the organisation’s environment;
  • Retard the attacker’s progress towards their objective; and
  • Gather forensic data related to the attacker’s motives, targets and methodologies.

Modern NextGen cyber deception:

“Modern cyber deception has evolved into solutions that are much more sophisticated than honeypots and Gen1 deception tools, and as such have significantly greater detection efficacy and an enhanced return on investment,” says Benadie. Such solutions have the following characteristics:

Efficient high-scale deployment:

Modern deception automates the process of creating both decoys (servers) and supporting artefacts (fake data, credentials, file shares, etc) and relies on virtualisation, resource conservation and automation to enable high scale deployments at reasonable cost.

Autonomous configuration and curation:

The solution analyses the surrounding (legitimate) environment and configures the deception assets to appear credible. It also updates the assets over time to maintain this credibility as the environment changes.
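What “configures the deception assets to appear credible” can mean in practice, as an added example written for this page and not taken from any product: decoys are derived from the real inventory so that they continue each host family’s naming convention, digit width, majority operating system and address range, and a refresh pass retires any decoy that a newly added real host has collided with and mints a replacement. The seven-host inventory is constructed; the /24 assumption and the “next number, next address” heuristic are choices made for the illustration.

```python
"""
Decoy blending: derive decoys from the real inventory so they continue the
naming convention, OS mix and address range of each host family, and refresh
them when the environment changes.  The inventory below is constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed inventory of real hosts: (hostname, ip, os).
REAL_HOSTS = [
    ("jhb-ws-001", "10.20.7.11", "Windows 10"),
    ("jhb-ws-002", "10.20.7.12", "Windows 10"),
    ("jhb-ws-003", "10.20.7.13", "Windows 10"),
    ("jhb-ws-004", "10.20.7.14", "Windows 7"),
    ("jhb-fs-01", "10.20.5.21", "Windows Server 2016"),
    ("jhb-fs-02", "10.20.5.22", "Windows Server 2016"),
    ("jhb-dc-01", "10.20.5.5", "Windows Server 2019"),
]

NAME_RE = re.compile(r"^(?P<prefix>.*?)(?P<num>\d+)$")


def prefix_of(name):
    m = NAME_RE.match(name)
    return m["prefix"] if m else None


def learn_families(hosts):
    """Group real hosts by naming prefix: digit width, used numbers, OS mix, addresses."""
    families = {}
    for name, ip, os_name in hosts:
        m = NAME_RE.match(name)
        if not m:
            continue
        fam = families.setdefault(m["prefix"], {
            "width": len(m["num"]), "numbers": set(), "os": Counter(), "ips": []})
        fam["numbers"].add(int(m["num"]))
        fam["os"][os_name] += 1
        fam["ips"].append(ipaddress.ip_address(ip))
    return families


def decoys_for_family(prefix, fam, count, used_names, used_ips):
    """Mint `count` decoys continuing the family's numbering, OS and address range."""
    os_name = fam["os"].most_common(1)[0][0]        # majority OS looks credible
    top = max(fam["ips"])
    subnet = ipaddress.ip_network(f"{top}/24", strict=False)  # /24 assumed
    n = max(fam["numbers"])
    candidate = top + 1                              # addresses just above the real ones
    out = []
    while len(out) < count:
        n += 1
        name = f"{prefix}{n:0{fam['width']}d}"
        if name in used_names:
            continue
        while candidate in used_ips:
            candidate += 1
        if candidate >= subnet.broadcast_address:
            raise RuntimeError(f"no free address in {subnet} for {prefix!r}")
        out.append((name, str(candidate), os_name))
        used_names.add(name)
        used_ips.add(candidate)
        candidate += 1
    return out


def generate_decoys(hosts, per_family=2):
    used_names = {n for n, _, _ in hosts}
    used_ips = {ipaddress.ip_address(ip) for _, ip, _ in hosts}
    decoys = []
    for prefix, fam in learn_families(hosts).items():
        decoys += decoys_for_family(prefix, fam, per_family, used_names, used_ips)
    return decoys


def refresh(decoys, hosts):
    """Curation pass: drop decoys that now collide with a real host or whose
    family has vanished, then mint replacements so coverage stays constant."""
    families = learn_families(hosts)
    real_names = {n for n, _, _ in hosts}
    real_ips = {ipaddress.ip_address(ip) for _, ip, _ in hosts}
    kept = [d for d in decoys
            if d[0] not in real_names and ipaddress.ip_address(d[1]) not in real_ips
            and prefix_of(d[0]) in families]
    used_names = real_names | {d[0] for d in kept}
    used_ips = real_ips | {ipaddress.ip_address(d[1]) for d in kept}
    for prefix, fam in families.items():
        want = sum(1 for d in decoys if prefix_of(d[0]) == prefix)
        have = sum(1 for d in kept if prefix_of(d[0]) == prefix)
        if have < want:
            kept += decoys_for_family(prefix, fam, want - have, used_names, used_ips)
    return kept


if __name__ == "__main__":
    for d in generate_decoys(REAL_HOSTS):
        print(*d)
```

Run stand-alone it prints six decoys, two per family: jhb-ws-005 and jhb-ws-006 as Windows 10 at 10.20.7.15 and .16, jhb-fs-03/04 as Windows Server 2016 at 10.20.5.23 and .24, and jhb-dc-02/03 as Windows Server 2019 at 10.20.5.6 and .7. If a real workstation later appears as jhb-ws-005 at 10.20.7.15, the refresh pass drops that decoy and mints jhb-ws-007 at 10.20.7.17, which is the kind of ongoing curation the paragraph describes.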

Automated adversary interaction:

The solution automatically detects and reacts to probing by adversaries. It can respond as the real environment would, changing its behaviour to slow an adversary’s attack, and gathers forensic data to present to security analysts.

Benadie contends: “Due to the inherent benefits of the characteristics detailed above, modern deception solutions have superior return on investment compared to honeypots, Gen1 deception and in fact alternative threat detection technologies.” The enhanced ROI is broadly achieved in the following three areas:

System investment:

Because the solutions are virtual and the best offerings pool resources and deploy on an as-needed basis, the initial investment is reduced substantially.

Operational investment:

Modern deception automates the most challenging tasks: environmental analysis, asset configuration and updating, and initial adversary engagement. This greatly reduces the amount of staff time required to operate the solution. It also keeps false positives extremely low, since there is no legitimate reason for anything to touch a decoy.

Security returns:

Autonomous deception solutions produce much greater security benefits, mainly because they are far more likely to actually detect, analyse and retard a skilled attacker. They also provide environmental visibility that Gen1 tools do not. Gen1 tools may detect an attacker if they are carefully deployed and curated, but the operational effort that curation requires means that most Gen1 deployments won’t achieve this level of credibility, certainly not consistently. Modern, autonomous deception, on the other hand, is more likely to deliver on all three benefits because it is properly configured, kept up to date, and deployed at the appropriate scale.

As an additional benefit beyond adversary detection and engagement, modern deception solutions provide visibility and situational awareness to the defender. They analyse the internal network environment and endpoints both to provide general visibility, and to identify vulnerabilities that should be remediated. Network, host and application level data help the defender ensure that the environment is both documented and secured consistent with security policies.

To summarise, detection by deception is not variable, conditional or probabilistic: it is binary. No legitimate user or process has any reason to touch a decoy, so any touch is, by construction, unauthorised, and typically represents the reconnaissance of an attacker moving through the network. The one thing a deployment must get right is to exclude its own authorised activity (vulnerability scanners, asset-inventory and monitoring tools) from that rule, so their routine sweeps of the address space are not reported as intrusions. Everything else that touches a decoy is caught.

“Cyber attackers will penetrate your networks at some point. Once inside, these cyber attackers will move to perform reconnaissance, and identify key resources for compromise and theft. At almost every move or turn they make, properly deployed (and at scale) deception will be in their path. Once they touch a deception decoy, deception will identify them with extreme certainty and then generate alerts of the highest importance for your SOC team,” says Benadie.

Editorial contacts
MD (+11) 513 3473 or (073) 2212171 sales@zenithsystems.co.za