Illusive Blog

How to Detect a Breach & Get Alerted - An APT Solution

By Nir Greenberg

Cybersecurity is in the headlines as never before, commanding greater executive attention. As the need for cybersecurity solutions has grown, record numbers of new technologies have emerged to fill the demand. But despite growing cyber spending, budgets for most organizations are finite—and so are the human resources to support and maintain the vast range of security tools they already own. It’s therefore essential to carefully scrutinize vendor offerings before signing on the dotted line.

In particular, a number of new products promise to help protect from Advanced Persistent Threats (APTs). Because APTs occur with less frequency than other kinds of attacks, investing in an APT solution is a bit like investing in insurance: the expense can be hard to swallow, but you certainly don’t want to be without it when something bad happens. After all, a targeted attack can be far more damaging than an opportunistic one. But if you’re going to invest, you certainly need assurance that the product you’re buying is effective. Short of seeing how they perform in the face of a real attack, how can you put these products to the test?

Capture-the-flag exercises simulate the conditions of an APT, allowing you to test whether a product can detect breaches early in the attack lifecycle, provide reliable alerts, and support responders with actionable, context-sensitive forensic information. In a capture-the-flag exercise, a file containing a secret message (the “flag”, representing the organization’s “crown jewels”) is hidden somewhere in the network, along with clues about its location. The Red Team (the attackers, who are unfamiliar with the target environment) performs reconnaissance to find the flag, using the various tools available to hackers to break into machines that are running either real or simulated activity.

A good Red Team proceeds with the energy, creativity and persistence of real attackers to expose the “flag.” They carefully exploit the activities and traffic patterns of the target organization to map the location of sensitive information and progress laterally toward their goal. They face off against a Blue Team (the defenders, usually your own staff) that uses the cybersecurity tools and skills at its disposal to protect the organization as it would in real life.

By installing a pilot of the technology you want to test in the simulation environment, you can get a good sense of the product’s effectiveness. The output of a capture-the-flag exercise is a report on the Red Team’s attack tactics, the outcome at each stage, the overall results of the attack, and the resilience level of the various systems. It can also help reveal areas where the Blue Team may need to improve their skills, approach and understanding, and, of course, it will provide a useful window into the effectiveness of the defensive and detective tools you’re using.

What is required to execute a successful capture-the-flag exercise?

To some extent, this depends on how much you can safely use parts of your production environment, or whether new sandbox systems need to be set up. They can be relatively low-budget or fairly elaborate depending on your objective. They can be designed to mimic many types of attack and address a range of business risks the company may face—for example, a need to mitigate intellectual property exposure, disruption of critical infrastructure components, fraudulent financial transactions, or large-scale theft of Personally Identifiable Information (PII). For purposes of evaluating a vendor, it doesn’t take hundreds or thousands of systems; a very useful product challenge can be done with dozens of systems or virtual machines, and executed by a couple of dedicated people on each team.

Our Advice: Given the devastating impact a successful Advanced Persistent Threat can have on your bottom line, a capture-the-flag exercise is a worthwhile investment of time and money before you commit to another line item in your budget and another tool in your SOC! Be wary of any product vendor that doesn’t welcome the chance to perform under pressure. illusive networks is ready to face your Red Team. Put us to the test!

Read more about how illusive’s Deceptions Everywhere® technology performed in a bank’s Red Team exercise.