May 21, 2022
Operationalize the MITRE Engage framework with Zscaler Deception and make your network a hostile environment for attackers.
The best defense is a good offense (almost)
As cyberattacks become more sophisticated, IT security has responded in parallel. And today, one could make an excellent case that the best defenses aren’t “defensive” at all — they’re proactive. Modern defenses can protect an organization’s infrastructure and assets and learn more about attackers, thus generating actionable intel to make the comprehensive security strategy more and more effective over time.
Deception technology, such as a honeypot, serves as a good example.
By luring attackers into a prepared trap, the honeypot gives away nothing of real value — no data, credentials, network information, or anything else — while simultaneously empowering organizations to track what attackers are doing in real time. This information can subsequently inform the security strategy by notifying security professionals precisely what attackers are trying to access, copy, compromise, or encrypt in the case of a ransomware attack.
Conventional honeypots and other legacy deception technology fall short in many respects. Most are deployed and configured manually, use reactive, static techniques, fall out of date, and can't keep up with changing attacker tactics. They also often lack integration to the rest of the infrastructure; even if a company has advanced analytics to assess an attacker’s strategy, it doesn’t mean they’re automatically tied to the honeypot. Moreover, legacy honeypots were not designed to integrate with zero trust network access (ZTNA) architectures. This nets into suboptimal insight into attacker behavior and undiscovered vulnerabilities and reduced protection in a holistic sense.
For these reasons, organizations today need a more powerful, automated, and intelligent approach to deception tech: capable of detecting, disrupting, and defeating even the most advanced human attackers, while also taking full advantage of the information attackers provide while exploring the deception.
Zscaler Deception: One-click deployment of intelligent, zero-trust-aware deception technology
Thanks to advanced lures and decoys, all instantly deployed via simple mouse clicks, Zscaler Deception can stop hidden attackers cold while fooling them into thinking they’ve made progress. You can use it to protect your organization from attackers. With its automatic integration with the larger Zscaler Zero Trust Exchange platform, you can get the most value from the attack information the attackers unwittingly donate. Plus it delivers 99% of the capabilities covered in MITRE Engage, a framework for defenders to operationalize deception defense programs.
Get instant deployment and better threat detection while restricting lateral movement
How does the solution deliver these capabilities?
Begin by understanding that Zscaler Deception gives security managers one-click power to deploy false resources, including but not limited to domains, databases, active directories, servers, applications, files, credentials, and many more. These are deployed as needed across the infrastructure, such as on servers, in the cloud, and the active directory, and appear for all intents and purposes to external parties to be valuable (though they have no value).
Because these false resources are never used in the ordinary course of business operations, any activity involving them almost certainly means there is an attacker who has managed to obtain initial access to the infrastructure. A silent alarm alerts the security to the adversary’s presence and the telemetry captured allows the SOC team to study behavior, hunt for threats across the network, or cut off access.
Because Zscaler Deception integrates with the Zscaler Zero Trust Exchange platform, user-to-app segmentation reduces the total opportunity for attackers. Thanks to logical policies that map users and their job duties to authorized apps via microtunnels, users only ever have access to the specific apps they need — not the entire suite. False resources offered to attackers are appropriate given the credentials used to obtain access. What the attacker sees will be quite legitimate in appearance and thus more likely to fool and engage the attacker, but it’s also as logically confined as any other microtunnel would naturally be — trapping the attacker in a box.
Once attackers are engaged in the false environment and detected, security managers can also take direct action based on their goals and context. For instance, they can add new, seemingly appealing assets and drive attacker conduct by creating false errors or alerts. The attacker’s response to such changes helps inform security managers what attackers are trying to achieve, how they mean to achieve it, and how best to detect and block such activity if, in the future, it’s not in a false environment.
This design, in other words, directly addresses the classic problems of (1) lateral movement within a compromised infrastructure and (2) false positives in security analysis. Actual lateral movement is impossible; it can only occur in the false environment created by Zscaler Deception (but the attacker has no way to know that). And since any activity involving that false environment is nearly certain to be a true positive, Zscaler Deception calls attention to precisely the kind of situation that demands a rapid response from the cybersecurity team. They can use these high-confidence alerts to correlate threat activity in other parts of the network and automate containment.
Track and analyze attacker activity to glean insights and drive improvement in the security strategy
Analysis of attacker activity is similarly intelligent in design. Instead of relying on old-school methods such as basic heuristics (rules of thumb) and signatures (as commonly leveraged to detect particular strains of malware), Zscaler Deception leverages advanced analytics to understand and specify what attackers are doing in real time.
The more attackers try to do, the more the analytics learn. In turn, security teams get more insight concerning the ultimate target of the attackers, the specific attack vectors involved, and other factors. This insight can then directly guide the team in improving the actual operating environment and related processes while simultaneously exposing nothing of any use to the attackers.
To sum up, in the words of Jay Chaudhry, CEO, Chairman, and Founder of Zscaler: “The appeal of deception is how it turns the tables on would-be attackers. Security teams don’t have to hunt for network threats, rather the bad actors are lured to decoys, dramatically slowing their progression in order for security teams to quarantine the threats.”
What to read next
6 Ways Deception Technology Levels Up Your SOC
You need deception and it's not what you think
The CISO's Gambit podcast: Let’s get Active about Defense
Recommended