It takes a while for any technology to figure itself out, specifically, what value it brings to the table. You define, you refine, you combine, and sometimes you even whine (I did). But once a technology works, it’s inevitable. In cyber deception, ActiveSOC™ (a new module of MazeRunner) is it, and we have our customers to thank for helping us figure it out.
Cymmetria’s platform has reached a level of adoption and maturity, that we looked to automate the process of adding and subtracting breadcrumbs and decoys in a dynamic way. Not AI and not random, but instead turning the network cacophony and noise into a clear signal of life-like cyber deception.
Cyber deception is an amazing concept: it shifts the economics of security around, so now the attackers have to handle our burden of anomaly detection. What’s real? What’s not? It’s no longer about them having to succeed only once while we need to protect everything all the time. They need to make one mistake, anywhere, and they’re done.
This is due to the attackers relying on our information when they gather intelligence (credentials, shares, cookies, network traffic, etc.). And if we can control the information they use to make their decisions, we can direct where they go, generating new paths that lead them into environments we control.
ActiveSOC allows you to deterministically treat your network as if it was a clean lab environment.
In a greenfield environment, any one login attempt out of place is a critical event. In a brownfield environment, such as a production network, you are inundated with endless events of this type. ActiveSOC lets you check each and every one of them to a deterministic result – without installing any agent or disturbing IT.
ActiveSOC is about KPIs you can follow regularly.
It’s an intelligence generator. It automatically takes events that otherwise wouldn’t reach the analyst, and returns true positives.
It reduces analyst workload. It automatically validates that many of the alerts currently reaching your analysts are real.
It reduces user friction. On demand, an analyst can activate MazeRunner’s API to validate an incident before reimaging (or taking another action), which may disturb the user or IT.
An ActiveSOC rule that will deploy credentials to the machine shown when this event occurs in Splunk. If there is an attacker, they will use the credentials and MazeRunner will close the loop by feeding an alert back to Splunk.
How ActiveSOC works with your workflow
The trigger: Take any automatically discarded event from a log file, a SIEM, threat intelligence system or even an EDR solution.
The intervention: Deploy a deception element (such as a credential) so that if the original event was generated by an attacker, the attacker will be discovered.
Example: Someone logged in from a different machine.
Intervention: Deploy a credential to the machine’s memory before the attacker performs privilege escalation (secures admin privileges) and runs mimikatz (dumps credentials from memory).
An example of a popular Windows audit event (some people even turn off Windows auditing events in their Splunk because they receive too many of these events)
We are proud of our technology: Responder.py network breadcrumbs, five nation state APT attacks caught (see: Patchwork), our ability to quickly deploy and scale on huge networks… Now with ActiveSOC, it’s a whole new ball game.
We are once again first to market with this new technology, which reiterates our accrued experience in live deployments.
Ask us for a demo, we’d love to tell you more. Also, feel free to come see us at RSA, either at booth #343 or at the W hotel lobby.
You can also always email me directly: g a d i [at] cymmetria [dot] com.
Founder and CEO, Cymmetria
Gadi is the Founder and CEO of Cymmetria. Prior to founding Cymmetria, he was VP of Cybersecurity Strategy for Kaspersky Lab, led PwC’s Cyber Security Center of Excellence (located in Israel), and was CISO of the Israeli government’s Internet operations. Gadi is widely recognized for his work in Internet security operation and global incident response, and is considered the first botnet expert. He is currently Chairman of the Israeli CERT.