sb-as logo
Story image

Improving network security by ‘deflecting’ cybercriminals

10 Aug 2020

Article by Attivo Networks solutions engineer Vlado Vajdic.

Keeping corporate IT networks secure from external attack is a constant task for security teams. However, spotting threats that have already breached defences can be an even bigger challenge.

Sophisticated phishing attacks can trick users into downloading infected files or visiting compromised web pages. A simple mistake can mean that, even with the best perimeter defences in place, malicious actors can still gain access to a network and resources connected to it.

Once inside a network, cybercriminals can lurk for long periods, quietly moving around and assessing what data is available and what it might be worth. This activity can often continue without triggering alarms or providing warnings to the security team.

Overcoming this situation means using a new technique that makes it significantly easier to spot cybercriminals who have successfully entered a network. It allows security teams to identify the threat and then take steps to remove it and minimise any damage or loss.

Security deflection in action

The strategy works by monitoring east/west traffic to unused ports and services on any system within a network. There is no reason why legitimate users would be accessing these closed ports or services, so any activity is almost certainly the work of a cybercriminal.

For example, a personal computer on the network may have become infected with malware when a user plugged in a USB drive. Attackers can then use this infected PC to scan the network and seek out data that is of value. 

As the attackers look around for systems to jump to, they will fingerprint hosts by probing for open ports and services they can compromise. With a deflection capability, any port they probe can potentially respond to their connection requests, giving them a false fingerprint of the device.  

Furthermore, if they attempt to connect to one of these ports, the deflect function will redirect the malicious traffic to a decoy service somewhere else on the network containing data of no notional value. 

It will take the attacker time to figure out that the resources they have accessed are of no use, and this delay gives the security team a chance to understand what the attacker is doing and remove them from the network.

This deflection capability can be added to all endpoints on the network, affording each better protection from attack and providing the security team with a comprehensive view of any malicious activity that is taking place.

Improved security

A deflection strategy provides an extra level of protection against a wide range of cyberattacks against a corporate network. These could be anything from ransomware attacks and others designed to cause disruptions to criminals seeking sensitive corporate data for commercial gain.

The strategy ensures that cyber-attackers are no longer able to lurk on a network and seek out potential targets without revealing themselves. As soon as they access an unused port or service, they announce their presence.

The addition of decoys adds further to overall security. By delaying the attacker and giving the security team sufficient time to respond, it improves overall infrastructure security.

Generally, using a strategy of deflection makes networks much more defensible by increasing resistance and friction for unwanted visitors. It essentially allows security teams to use a ‘home advantage’ to detect and neutralise threats that have managed to breach the secure perimeter.

It complements other network defences that are likely to already be in place while also making it easier to collect forensics and intelligence data that the organisation can use to strengthen security for the future.

Deflection is also particularly important when networks incorporate cloud platforms and other resources that sit outside the conventional corporate firewall. Continually monitoring for unusual traffic to unused ports and services will allow the organisation to detect attackers regardless of the location of the compromised endpoint.

The strategy is yet another tool at the disposal of security teams, and one that will help them to stay well ahead of cybercriminals at all times.