Illusive Blog April 10, 2018

Preemptive Deception Prevents Malicious Lateral Movement

By Gil Shulman

With cyber risk an executive- and board-level concern, it’s not enough to try to prevent attackers from gaining entry to your network. Advanced, persistent attackers can still get through even the most advanced defenses. Once they’re in, they have the arduous task of moving from their initial point of entry to their ultimate target. This is the time when attackers are most vulnerable—and where we, as defenders, have an opportunity to tip the balance in our favor.

The basic formula for lateral movement

To move laterally, advanced attackers need two things: (1) paths from one system to the next; and (2) credentials to access those systems. This need for credentials consumes a lot of attacker attention. Hence, they use a variety of methods and tools (such as Mimikatz and CrackMapExec) to dig for passwords, invent new ways to compromise Active Directory, and put considerable time into social engineering tactics to dupe users into unwittingly exposing their credentials.

The March 15, 2018, US Computer Emergency Readiness Team alert, which we discussed in a recent blog, demonstrates just how critical credentials are to advanced attackers. The alert describes how Russian government cyber attackers used credentials and connections to target US energy and other critical infrastructure. Attackers used spear-phishing emails and watering hole domains to capture credentials within trusted third-party suppliers (staging targets) of major infrastructure providers (intended targets). Using compromised credentials, they created local administrator accounts and used the staging targets’ networks as pivot points and malware repositories from which they delivered malicious files to intended targets.

Network activity is inherently “friendly” to advanced cyber attackers

Unfortunately, in most environments, finding credentials is not that hard to do. As users browse the Internet, share data, and use the organization’s applications and resources, they leave behind an invisible “access footprint”—the credentials to access systems and leverage the connections between them.

While some of this access footprint results from intentional acts that violate policy (such as password-sharing), most of it occurs as a normal—and even necessary—byproduct of everyday business activity. Credentials are easily misplaced, misused or left behind, say, as a result of a remote support session with an IT help desk professional. They get inadvertently stored in browser history and system memory, or are embedded within applications to enable IT system administration functions.

So while this “access footprint” can’t be completely eliminated, it has to be minimized: left unchecked, it creates a broad attack surface that adversaries can exploit to accelerate their journey to high-value assets.

Now you can perpetually reduce your attack surface

In all but very small networks, it wouldn’t be feasible for security teams to run around manually identifying and correcting the spread of credentials—you’d need a veritable army of people to do that. So Illusive has built Attack Surface Manager (ASM) to automate the process. With ASM, security teams can:

  • discover and visualize the access footprint;
  • create credential-related policies;
  • identify violations and pinpoint them in relation to critical assets;
  • remove policy violations, either manually or through various levels of automation.
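The four steps above (discover the footprint, define a credential policy, pinpoint violations relative to critical assets, remove them) can be illustrated with a small model. The following is an added example, not Illusive’s code or data: it treats the access footprint as a directed graph in which a host’s cached credentials are edges to every host those credentials can log on to, finds which non-critical hosts have a path to a critical asset, flags cached credentials that violate a simple policy, and shows how purging one violation shrinks the exposure. All host and account names are constructed placeholders.

```python
from collections import deque
from copy import deepcopy

# Constructed sample inventory (hypothetical host and account names, not real data):
# which credentials are cached on each host. "helpdesk-admin" on WS-BOB models a
# remote support session that left an administrative credential behind.
CACHED_CREDS = {
    "WS-ALICE": {"alice"},
    "WS-BOB": {"bob", "helpdesk-admin"},
    "JUMP-01": {"helpdesk-admin", "svc-backup"},
    "FS-FINANCE": {"svc-backup"},
    "DC-01": set(),
}

# Hosts each credential is allowed to log on to (constructed).
ACCESS_RIGHTS = {
    "alice": {"WS-ALICE"},
    "bob": {"WS-BOB"},
    "helpdesk-admin": {"WS-ALICE", "WS-BOB", "JUMP-01"},
    "svc-backup": {"FS-FINANCE", "DC-01"},
}

# The "crown jewels" the policy is defined around (constructed).
CRITICAL_ASSETS = {"FS-FINANCE", "DC-01"}


def build_graph(cached, rights):
    """Edge host -> (credential, target): whoever controls `host` can use the
    credentials cached there to log on to `target`. Discovery step."""
    graph = {host: [] for host in cached}
    for host, creds in cached.items():
        for cred in sorted(creds):
            for target in sorted(rights.get(cred, ())):
                if target != host and target in graph:
                    graph[host].append((cred, target))
    return graph


def attack_paths(graph, start, critical):
    """Breadth-first search from `start`; returns, for each reachable critical
    asset, the shortest chain of (credential, host) hops that leads to it."""
    paths = {}
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        host, path = queue.popleft()
        if host in critical and host != start:
            paths[host] = path
        for cred, nxt in graph[host]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(cred, nxt)]))
    return paths


def exposing_hosts(cached, rights, critical):
    """Non-critical hosts from which at least one critical asset is reachable."""
    graph = build_graph(cached, rights)
    return {h for h in cached if h not in critical and attack_paths(graph, h, critical)}


def policy_violations(cached, rights, critical):
    """Policy: a credential that grants logon to a critical asset must never be
    cached on a non-critical host. Returns (host, credential, exposed assets)."""
    violations = []
    for host, creds in sorted(cached.items()):
        if host in critical:
            continue
        for cred in sorted(creds):
            exposed = rights.get(cred, set()) & critical
            if exposed:
                violations.append((host, cred, sorted(exposed)))
    return violations


def remove_cached_credential(cached, host, cred):
    """Remediation step: a copy of the inventory with `cred` purged from `host`."""
    fixed = deepcopy(cached)
    fixed[host].discard(cred)
    return fixed


if __name__ == "__main__":
    graph = build_graph(CACHED_CREDS, ACCESS_RIGHTS)
    for host in sorted(exposing_hosts(CACHED_CREDS, ACCESS_RIGHTS, CRITICAL_ASSETS)):
        for asset, path in attack_paths(graph, host, CRITICAL_ASSETS).items():
            hops = " -> ".join(f"{h} (via {c})" for c, h in path)
            print(f"{host} reaches {asset}: {hops}")
    for host, cred, exposed in policy_violations(CACHED_CREDS, ACCESS_RIGHTS, CRITICAL_ASSETS):
        print(f"VIOLATION: {cred} cached on {host} exposes {exposed}")
        fixed = remove_cached_credential(CACHED_CREDS, host, cred)
        print("exposing hosts after remediation:",
              sorted(exposing_hosts(fixed, ACCESS_RIGHTS, CRITICAL_ASSETS)))
```

In the sample inventory the only violation is the backup service credential cached on the jump host; removing it leaves no non-critical host with a path to either critical asset, even though the help-desk credential on the workstation is still present. Real discovery data would come from endpoint and directory telemetry rather than a hand-written dictionary, and the policy would usually have more clauses (for example, tiered administration rules), but the reachability logic is the same.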

Deception technology acknowledges that Targeted Attack Risk is always present; in a connected, data-sharing world, attackers will always find a way in, and there will always be “cracks” and risk elements in the environment that they can exploit. The challenge is to continuously manage and mitigate this risk—without impeding the necessary activities of the organization.

The preemptive part of a deception technology strategy

Deception technology turns advanced attackers’ tactics against them so they can be detected; and now, Attack Surface Manager tips the balance even further. By reducing the number of real credentials—the “keys” attackers need to reach critical assets—it makes it more likely that the next credential an attacker picks up is a deception.

To see Attack Surface Manager in action, request a demo now. Or download a copy of the Attack Surface Manager product brochure here.