Illusive Blog October 1, 2020

Better Together: Deterministic Lateral Threat Management and EDR

By Paul Kivikink
Active Defense, EDR, Endpoint Security, Lateral Movement

I am often asked how a lateral threat management solution, leveraging deterministic deception methods from endpoint to network and cloud, can be effective at stopping attacks in environments with an extensive threat detection stack already deployed.

In a nutshell, using attack surface management and deception methods for lateral threat detection and response provides a broad understanding of the risk posed by existing pathways between endpoints and critical assets, the pathways an adversary would leverage as they move laterally within an organization. One of the primary benefits of using deceptive methods for detection on the endpoint is that they do not depend on the presence of malicious behavior (processes, PowerShell commands, malware, attack tools, exploits, etc.), and they are often deployed as a powerful complement to EDR to detect adversaries or malicious insiders who use existing legitimate network connections and privileged credentials to move laterally within an organization.

Illusive’s philosophy is to employ deterministic endpoint detection to alert on attack movement (aka lateral movement) from compromised hosts to critical assets. These deceptive capabilities are agentless and quick to deploy, low-cost and low-effort to maintain, and work across IT, OT (e.g. medical and industrial) and IoT environments, from on-prem to cloud. Illusive provides a view of all attack pathways within the entire organization and continuously assesses attack surface risk, while preventing and detecting potential lateral movement.

Why organizations need Illusive and EDR – 6 use cases

1.   Identify and stop malicious insider activity without needing a baseline

Malicious insiders are already within the perimeter, with legitimate credentials and reasons to connect to high-value assets to carry out their jobs. Consider an employee who has stolen administrator credentials and uses them to access endpoints within the network. EDR solutions may not identify that a legitimate administrator account is being used by an insider with malicious intent. In contrast, Illusive can place deceptive versions of network connections, privileged credentials, and beacon files that entice the insider into interacting with them and revealing themselves to the organization. This synergistic functionality has been proven many times over in environments where deception and EDR are deployed in a complementary manner.

2.   Immediately see how close a security incident is from critical assets

Illusive + EDR is a powerful combination for efficiently identifying and mitigating security incidents. Illusive provides crucial information to analysts responding to an EDR alert by immediately answering the questions “How many hops is this incident from a critical asset?” and “What pathways does an attacker need to reach a critical asset?”. Illusive’s insights into attack pathways inform the analyst where the attacker’s next move will be: Illusive provides unique intelligence about where an attacker needs to move to reach a critical asset even if the attacker has not yet moved laterally. This “attacker view” of the organization provides invaluable context about risk level and increases the speed of response by helping the SOC prioritize which endpoints need the most immediate attention.

3.   Risk scoring to expose routes to critical assets and remove high-risk attack pathways

Illusive continuously analyzes and risk-scores an organization’s environment to visualize high-risk pathways and show how an attacker or malicious insider could reach critical assets. Illusive empowers the SOC by revealing which connection pathways and privileged credentials pose the highest risk, and provides the capability to automatically remediate high-risk attack pathways as they are created. This provides a powerful tool to rapidly improve cyber hygiene, reduce attack surface risk within an organization, and prevent the conditions that cause attackers to set off incident alerts in the first place.
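To make the two ideas in use cases 2 and 3 concrete (the hop count from an incident host to a critical asset, and ranking which cached credential exposures create the riskiest pathways), here is an added illustrative example written for this post; it is not Illusive’s code and makes no claim about how the product computes its scores. It assumes a hypothetical, constructed inventory of which accounts have cached credentials on which hosts and which hosts each account administers, builds the resulting lateral-movement graph, and scores each credential exposure by how many hosts lose their shortest route to a critical asset when that exposure is removed.

```python
from collections import deque

# Constructed sample environment (hypothetical, not taken from the post):
# accounts with cached credentials on each host ...
CACHED_CREDS = {
    "ws-finance-01": {"alice", "svc-backup"},
    "ws-hr-02": {"bob"},
    "jump-01": {"svc-backup", "domadmin"},
    "file-01": {"svc-backup"},
}
# ... and the hosts each account has admin rights on.
ADMIN_RIGHTS = {
    "alice": {"jump-01"},
    "bob": {"ws-finance-01"},
    "svc-backup": {"file-01", "jump-01"},
    "domadmin": {"dc-01", "file-01", "jump-01"},
}
CRITICAL_ASSETS = {"dc-01"}


def build_edges(cached, rights):
    """Lateral-movement graph: {host: {(target_host, account), ...}}.

    From a host, an attacker can reuse any credential cached there to reach
    every host that account administers (self-loops are dropped)."""
    edges = {h: set() for h in cached}
    for host, accounts in cached.items():
        for acct in accounts:
            for target in rights.get(acct, ()):
                if target != host:
                    edges[host].add((target, acct))
                    edges.setdefault(target, set())
    return edges


def hops_to_critical(edges, start, critical):
    """BFS: minimal number of lateral moves from start to any critical asset
    (0 if start itself is critical, None if no pathway exists)."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host in critical:
            return dist[host]
        for nxt, _acct in edges.get(host, ()):
            if nxt not in dist:
                dist[nxt] = dist[host] + 1
                queue.append(nxt)
    return None


def _worsened(before, after):
    # A host is affected if it previously had a route and now has none or a longer one.
    return before is not None and (after is None or after > before)


def pathway_risk(edges, critical):
    """Score every (src, dst, account) exposure by the number of hosts whose
    shortest route to a critical asset gets longer or disappears without it."""
    hosts = list(edges)
    base = {h: hops_to_critical(edges, h, critical) for h in hosts}
    scores = {}
    for src, outs in edges.items():
        for dst, acct in outs:
            pruned = {h: set(o) for h, o in edges.items()}
            pruned[src].discard((dst, acct))
            after = {h: hops_to_critical(pruned, h, critical) for h in hosts}
            scores[(src, dst, acct)] = sum(_worsened(base[h], after[h]) for h in hosts)
    return scores


def riskiest_exposure(edges, critical):
    """The single credential exposure whose removal cuts off the most hosts."""
    scores = pathway_risk(edges, critical)
    return max(scores, key=lambda e: (scores[e], e))


def remove_cached_credential(cached, host, account):
    """Remediation step: purge one cached credential and return the new inventory."""
    new = {h: set(a) for h, a in cached.items()}
    new[host].discard(account)
    return new


if __name__ == "__main__":
    edges = build_edges(CACHED_CREDS, ADMIN_RIGHTS)
    for h in sorted(edges):
        print(f"{h:14s} hops to critical: {hops_to_critical(edges, h, CRITICAL_ASSETS)}")
    src, dst, acct = riskiest_exposure(edges, CRITICAL_ASSETS)
    print(f"riskiest exposure: '{acct}' cached on {src} reaching {dst}")
    cleaned = build_edges(remove_cached_credential(CACHED_CREDS, src, acct), ADMIN_RIGHTS)
    print(f"after remediation, hops from {src}: {hops_to_critical(cleaned, src, CRITICAL_ASSETS)}")
```

In the constructed data the domain admin credential cached on the jump host is the only route into the critical asset, so it scores highest, and purging it leaves every workstation without a pathway; a real deployment would run the same scoring continuously against a live inventory of cached credentials and connection history rather than a static dictionary.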

4.   Protection and visibility for environments where placing an agent is impossible

Adversaries are increasing their focus on non-traditional IT attack surfaces, in environments such as health care (medical devices) and industrial (operational technology). In these critical scenarios, where placing an agent is technically not feasible, agentless emulations of IT and OT devices can be used to detect malicious activity in areas such as an MRI machine or an industrial programmable logic controller.

5.   Alignment with MITRE ATT&CK and MITRE SHIELD

For organizations aligning their detection capabilities with the MITRE ATT&CK and MITRE Shield frameworks, Illusive and EDR are perfect complements. Although EDR and deception are both forms of detection, they work at different stages of the attack process and are fundamentally different, though complementary, security technologies.

Illusive provides the privileged credential and lateral movement context regarding which credentials and connections the attacker will use to reach high-value or critical assets. Illusive’s detection capabilities provide acute visibility into which identities and pathways an attacker will use to blend in with normal network behavior, which is essential for detecting insider threats where an adversary or insider is using authorized connectivity and legitimate credentials (aka “living off the land”) to move laterally towards critical assets.

MITRE Shield Active Defense organizes a framework of active defense tactics and techniques (think of it as the defender’s version of MITRE ATT&CK). MITRE Shield is structured similarly to the ATT&CK framework, and MITRE has even provided a complete mapping from all ATT&CK tactics to Active Defense. Illusive’s “active defense” capabilities are a key advantage in protecting organizations against advanced adversaries; in fact, Illusive deception provides coverage for 27 of the 33 active defense techniques suggested by the MITRE Shield framework, including application diversity, burn-in, decoy account, decoy content, network diversity, pocket litter, and many more.

6.   Deterministically detect attackers in the network who are leveraging stolen credentials or stealing sensitive data

Illusive provides robust and unobtrusive deception capabilities that protect critical assets by automatically planting targets of value to attackers inside the network, detecting threats that may not use any malware or known attack tools. EDR is effective at detecting malicious attack tools and techniques but can have difficulty distinguishing malicious from normal system and user behavior, whereas deception is designed to discover exactly that. Since Illusive is agentless and customizes the deceptive story to each endpoint to blend in with what appears to be normal activity, the attacker is left with no reliable way to ensure that their tools and techniques will succeed without triggering Illusive.
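Use cases 1 and 6 both rest on the same detection principle: a decoy credential or beacon file has no legitimate user, so any touch of it is a deterministic alert with no behavioral baseline required, and it fires whether the logon succeeded or failed. The following added example illustrates that principle over constructed log lines; it is not Illusive’s code, and the log format (timestamp followed by key=value fields), the decoy inventory and the host names are all assumptions made for the illustration.

```python
import re

# Constructed decoy inventory (hypothetical): which decoy was planted where.
DECOY_ACCOUNTS = {"svc-deploy-adm": "ws-finance-01"}          # decoy credential -> host it was planted on
DECOY_BEACON_FILES = {r"\\file-01\finance\Q3-payroll.xlsx": "file-01"}  # beacon file -> host it sits on

# Constructed sample telemetry in an assumed "timestamp key=value ..." format.
SAMPLE_LOG = """\
2020-10-01T09:11:58Z event=logon_attempt src=ws-hr-02 dst=ws-finance-01 user=bob result=success
2020-10-01T09:12:03Z event=logon_attempt src=ws-finance-01 dst=file-01 user=svc-deploy-adm result=failure
2020-10-01T09:12:10Z event=file_open src=ws-hr-02 path=\\\\file-01\\finance\\Q3-payroll.xlsx user=bob
2020-10-01T09:13:00Z event=logon_attempt src=ws-hr-02 dst=jump-01 user=bob result=success
"""

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(_FIELD.findall(rest))
    fields["ts"] = ts
    return fields


def classify(event):
    """Return an alert dict if the event touches a decoy, else None.

    A decoy account has no legitimate use, so success/failure is irrelevant;
    a beacon file is never opened in the normal course of business."""
    if event.get("event") == "logon_attempt" and event.get("user") in DECOY_ACCOUNTS:
        return {
            "kind": "decoy_credential",
            "ts": event["ts"],
            "src": event.get("src"),
            "dst": event.get("dst"),
            "account": event["user"],
            "planted_on": DECOY_ACCOUNTS[event["user"]],
            "result": event.get("result"),
        }
    if event.get("event") == "file_open" and event.get("path") in DECOY_BEACON_FILES:
        return {
            "kind": "beacon_file",
            "ts": event["ts"],
            "src": event.get("src"),
            "user": event.get("user"),
            "path": event["path"],
            "hosted_on": DECOY_BEACON_FILES[event["path"]],
        }
    return None


def detect(log_text):
    """Run every line through the decoy matcher and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = classify(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Two of the four constructed lines produce alerts: the failed logon with the decoy account (the attempt alone is the signal, and the planting host tells the responder which endpoint to treat as compromised) and the open of the beacon file by an otherwise normal-looking user session. The legitimate logons by the same user never match, which is why this kind of detection needs no baseline of "normal" behavior.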

Illusive + EDR – Better together

Illusive has several integrations with EDR vendors, and we believe these ‘better-together’ integrations provide customers with more efficient detection and automated response. Illusive’s EDR integrations pair Illusive’s deterministic alerting with EDR’s ability to respond and contain a compromised host until the threat is removed. Many customers, especially those that lack extensive security resources, appreciate the option for full detection-response automation that combining Illusive and EDR allows.

The value of Illusive alongside EDR in a customer’s security stack is Illusive’s ability to preempt attacks by removing high-risk pathways containing privileged credentials and risky connections to high-value assets, a cyber hygiene capability not found in most endpoint solutions. In an environment cleansed of the residue attackers need (and expect to find) to live off the land in their campaign, Illusive’s active defense capabilities force attacker engagement, resulting in instant delivery of detail-rich lateral movement context and forensics that save valuable hours of manual investigation effort.

Want to learn more? Speak with one of our cybersecurity experts about how Illusive can help you protect critical business assets. Request a demo today.