When experts first looked at cybersecurity, prevention was the main focus. After prevention was ultimately found to be ineffective, the field turned to other ideas such as encryption, two-factor authentication, strong password practices, and the cyber kill chain. These ideas have improved on the original prevention-only approach, but cybercriminals are becoming increasingly effective through social engineering: they attack the person first, not the system.
Carl Wright, GM of TrapX, believes an offensive capability is the next evolution in cybersecurity.
“The idea is if the adversary is going to achieve a data breach – they typically do this through spearphishing – they are usually compromising an endpoint machine or an IoT device. Once they compromise that device – depending on the technique that they use – they really don’t know where they are at. Chances are the machine they are on doesn’t have the data or resources required to perpetuate what they are trying to do, so they want to escalate their privileges. In order to do that, they have to move laterally, and this is really where we come into play.”
We had the opportunity to speak with Wright about TrapX, what their deception-based security is, how it is deployed, and how small and medium businesses can implement it.
Our edited conversation follows.
So when we are talking about deception-based security, what does that actually mean?
So defense in depth is a layered defense that has always had the same layers. The two major focus areas have always been perimeter defense and endpoint, with a lot of other things that have been added into the mix to help an enterprise ensure they have situational awareness and visibility. Psychologically, our focus as security folks for many years was actually trying to prevent the adversary from getting in, with the expectation that we could create this boundary in layered defense and stop the adversary from being able to get in. Clearly – as the last two years have shown – regardless of how much you spend, if a nation state or a crime syndicate targets you, they are going to be able to achieve a breach. That is kind of where we come into play.
We’re what we would call a plan B technology. Leveraging deception technology – which by the way, firewalls and intrusion detection have been around for about 17 years, deception has been around for 4000 years – we have taken an age-old doctrine in modern-day speak and are using it in a defensive way, which the adversaries find very offensive.
Unlike traditional technologies, our deception grid monitors lateral and egress traffic – we don’t monitor inbound, north/south traffic. So, we really take the view of the attacker and not the view of the net defender. What we do is at the network level. We commingle fake assets with real assets. So, if you had a network with 70 endpoint machines we would create – for the sake of this discussion – 10 fake machines, and we would commingle those with the real ones, and the attacker wouldn’t be able to tell the difference between real and fake. So, when they move laterally and they come off that real machine that they compromised, they always touch one of our deception grid assets, giving us, basically, a very high-fidelity alert that someone is doing something they shouldn’t do. When somebody touches something fake in the enterprise it is either something misconfigured or someone is doing something bad – there are no false positives associated with this detection methodology.
So you want hackers to initially break into an enterprise’s system with this technology.
The ultimate objective is to create a vulnerable emulation of a target that that hacker wants to own. We actually allow them to inject the binary, compromise our fake asset, and once they do that it is like plugging into the matrix. We are not just creating fake endpoints and servers. We are creating services like databases, we emulate SCADA, we create a fake voice over IP and fake storage environments. In all of the fake assets, we are able to put in fake data. So once an adversary compromises the fake host we can actually have a very nice counterintelligence function in recording exactly what they are doing without fear that they are going to turn that asset back around against the enterprise or steal data that really matters.
Are you in any way baiting cybercriminals to attack these enterprises that utilize your services?
That is the endgame. Typically that type of technology has been known as honeypots. It has been used in research or has been deployed out in the perimeter from a research perspective. Think of this as the next generation of honeypot technology. Previous honeypots were difficult because they were manual, it took a level three engineer to build it and monitor it, and you rarely had it in the right place at the right time.
In our solution it literally is fully automated. It’s virtualized, so we can deploy in a matter of minutes and do a real-time asset discovery of everything they have, then come back and present the operator with their best options. What is interesting is once an attacker either touches or compromises one of our deception grid assets, an entire automated workflow kicks in. We parse that binary, we have integrated threat intelligence, and in real time we can tell you if it is a zero-day or polymorphic. We can use that data to automatically tune their defenses, to block that command and control network, and get firewalls to isolate their host-level machines that may be really compromised.
I think you hit the nail right on the head in the beginning of our discussion when you were talking about prevention. I have heard many experts start to talk about the cyber kill chain. How does your technology fit in with this concept?
That is absolutely a great question. The way I like to think about it is that we are actually breaking the cyber kill chain. Instead of a chain, we are creating a loop. It is called an OODA loop. An OODA Loop is Observe, Orientate, Decide and Act. Whoever spins the loop fastest wins.
As you know, we are in a cyberwar today, and the bad guys are winning. For every dollar that they are spending we are spending $100 to defend ourselves, and we are losing. We are losing economically, and we are losing our data. The question you have to ask is how do you flip this around? How do we break the kill chain?
What we want to do is break that cyber kill chain, and create this OODA loop where our service-level agreement is time to breach detection. The second that an endpoint machine gets compromised and that adversary tries to take advantage of the access they gained to move left or right, we want to be able to catch them. We want to do it without having to deploy host-level protections – which as you probably know don’t scale very well. We are able to get this level of situational awareness and visibility by deploying this through the network, and we think we are actually breaking the cyber kill chain.
Your product sounds like it has great potential; however, it also sounds like it takes a lot of effort and resources to pull off – at least in my opinion. Concerning small and medium companies, will they be able to afford this new approach to cybersecurity if they choose to implement this into their cybersecurity strategy?
Yeah, 100 percent. We really understand small and medium business challenges. The good news is when our company was first founded the first products that came out were cloud-based solutions for managed security service providers to provide for the small and medium business market. We actually have a lot of service providers that offer this as a subscription service that small and medium businesses can pay for on a monthly basis.
Our technology is very easy to deploy. It’s software, you can download it off of our website. It automatically connects to a multi-tenant cloud management structure where each customer’s data is cryptographically separated. Each of them has role-based authentication so they can just log in and see what is happening with their enterprise.
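As an added illustration of the detection logic Wright describes above (a lateral touch on a commingled decoy is the alert, inbound north/south traffic is ignored, and the touching host's later egress is the candidate command-and-control traffic to block), here is a small decoy-touch analyzer. This is example code written for this page, not TrapX's product; the network range, decoy addresses and flow records are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: one internal /24 with real hosts and commingled
# decoys standing in for the "deception grid" assets from the interview.
INTERNAL = ip_network("10.0.0.0/24")
DECOYS = {"10.0.0.7", "10.0.0.23", "10.0.0.41"}   # constructed decoy addresses

# Constructed flow records: (source, destination, destination port), in time order.
FLOWS = [
    ("203.0.113.5", "10.0.0.12", 443),    # inbound north/south: not monitored
    ("10.0.0.12", "10.0.0.15", 445),      # real host to real host: no signal
    ("10.0.0.12", "10.0.0.7", 445),       # real host touches a decoy file server
    ("10.0.0.12", "10.0.0.23", 3306),     # same host probes a decoy database
    ("10.0.0.12", "198.51.100.9", 8443),  # egress from that host afterwards
    ("10.0.0.30", "10.0.0.41", 22),       # a second host touches a decoy
]

def classify(flow):
    """Label a flow as inbound, egress, lateral or external by address scope."""
    src, dst, _ = flow
    s_in = ip_address(src) in INTERNAL
    d_in = ip_address(dst) in INTERNAL
    if not s_in and d_in:
        return "inbound"
    if s_in and not d_in:
        return "egress"
    return "lateral" if s_in and d_in else "external"

def analyze(flows):
    """Return {suspect_host: {"decoys": [...], "egress": [...]}}.

    A lateral flow whose destination is a decoy is the high-fidelity alert:
    no legitimate workload should ever address a fake asset. Egress seen from
    a host after its first decoy touch is kept as candidate C2 traffic so the
    operator can block the destination and isolate the source.
    """
    suspects = {}
    for src, dst, port in flows:
        kind = classify((src, dst, port))
        if kind == "lateral" and dst in DECOYS:
            entry = suspects.setdefault(src, {"decoys": [], "egress": []})
            entry["decoys"].append((dst, port))
        elif kind == "egress" and src in suspects:
            suspects[src]["egress"].append((dst, port))
    return suspects

if __name__ == "__main__":
    for host, evidence in analyze(FLOWS).items():
        print(f"ALERT {host}: decoys {evidence['decoys']} egress {evidence['egress']}")
```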