Illusive Blog March 29, 2021

5 Things Attackers Hate About Illusive

By Nir Greenberg

Illusive invited hacker extraordinaire Alissa Knight to test whether she could get past our active defense suite. We recently showed a video of the attempted hack, along with live commentary from both the hacker herself and the Illusive “blue team” – view on-demand here. The results got me thinking about how an inability to see from the attacker’s point of view is a gap in many defense strategies. So put on your most intimidating black hoodie and let’s look at some of our networks’ biggest gaps through the attacker’s eyes.

Once attackers or red teamers have established a beachhead on the network, they must ask themselves three fundamental questions:

  • Which machine did I land on?
  • Where can I move to from here?
  • Which tools can help me move undetected?

Attackers don’t have a network map, so they need to use their tools to figure out how to get to the data worth stealing from a vantage point with limited visibility. The easiest and stealthiest path towards this data is through native connectivity and credentials that employees have left lying around. 

But what if you could make the environment so hostile to attackers that they weren’t sure they could trust those connections and credentials, or even their own tools? Alissa was skeptical at first, but even though she had seen our demo and knew how Illusive deceptions worked, she still couldn’t successfully bypass them. Illusive was built by former nation-state attackers to stop attackers, and it is this granular understanding of how to ruin an attacker’s easy pickings that makes them HATE Illusive. How do we do it? Let us count the ways…

1. Difficult to identify what’s real and what’s fake – “I feel like I’m in the Matrix!”

Illusive creates deceptions with varying scales of believability. Not every deception will appear authentic. Some will look synthetic to an attacker, many others will seem genuine, and the rest will fall somewhere in between. It is a mind game designed to make attackers question every move they make. 

Sophisticated attackers may recognize that they are facing a deception-mined environment, slow their roll and put away their automated tools. They might decide at one point that they have identified which data is bogus and plow ahead, not realizing there are many more deceptions at different authenticity levels and locations out there. During her recent hack, Alissa Knight compared it to being in “The Matrix,” lacking the ability to discern between real and fake. The absence of dependable red pills is frustrating to an attacker.

2. Inability to trust their own tools

Another major hassle is attackers not being able to feel confident in the performance of their automated tools. We have told many red teams that Illusive deceptions were planted in the environment and they still get hoodwinked anyway.

Red teamers and attackers are accustomed to being able to use automated tools to run commands and gather information about the environment they are attempting to compromise – we even wrote about some of them here. The goal is to gain domain dominance – collecting and harvesting credentials to arrive at the Domain Controller. 

While the attacker might find what looks like real credentials, they will be interacting with synthetic hosts or files. Their tools might even tell them they are authenticating, but the attacker still won’t get anywhere. It’s like a hammer that goes wobbly as soon as it hits a nail. Annoying!

3. Confusion at every turn that leads to wasted time

Reducing attacker dwell time is a major objective of any security team. Attackers can go undetected for weeks or even months as they make sure not to trip any security agents while rooting around for critical data. See the SolarWinds attack for a recent example.

Illusive uses automation to tailor deceptions to any given endpoint and create additional manual work for the attacker. These deceptions don’t just stand still – they can change in the midst of an attack depending on how the attacker interacts with them. Illusive can reset the attack surface or alter and add deceptions as an attack evolves, creating even longer odds for attacker success in navigating their way out of the hall of mirrors. 

“As an adversary, I would have just moved on to the next victim,” Knight told us when thinking back on one attempted attack technique. Illusive makes potential targets not worth the headache for attackers seeking to maximize a return on their investment.

4. Just one wrong move and attackers are busted

A power imbalance drives the cat-and-mouse game between defenders and attackers. Attackers can try endless new techniques in search of paydirt, especially if funded by a sympathetic nation-state, and they need only one successful score to make all those attempts worth it. But defenders have to be correct every single time they try to stop attackers from accessing sensitive information. Even one successful attack out of thousands could lead to financial losses, a reputational hit, increased regulatory attention, and perhaps even job terminations.

Illusive flips this power imbalance on its head in favor of defenders. Once the extraneous connectivity attackers are accustomed to using to move laterally is replaced with deceptions, attackers become the party with an overwhelming big data problem to solve. Just one wrong move and the defenders will not only know the attacker is there, but they will also start collecting a plethora of data about what the attacker is doing. Deception gives attackers a taste of the paranoia defenders already know all too well.

5. Defenders can collect A LOT of telemetry about what attackers are trying to do

Once the attacker has interacted with a deception, Illusive obtains a boatload of forensics and telemetry on their behavior. Whether this data is collected on the endpoint or a decoy environment, SOC and IR teams can analyze this threat intelligence to make informed decisions about how to respond. 

Illusive can collect forensics on any machine and return precise intelligence in seconds that usually requires hours of manual activity. Some of the forensic artifacts include file system and user data, memory information, and screenshots of the attacker’s monitor, all compiled in a chronological, user-friendly timeline. This intelligence is almost always collected before the attacker has realized they are interacting with deceptions. Talk about being caught red-handed! Many of our customers will leverage Illusive forensics even when another tool detects an incident because it is so detailed and easy to consume.
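To make the “one wrong move” idea from section 4 and the chronological timeline from section 5 concrete, here is an added example (not Illusive’s code, and not from this post) of the detection logic a blue team can run on its own authentication logs once decoy credentials and decoy hosts have been planted. Because no legitimate workflow ever references a decoy, any use of one is an alert with no baseline to tune, and every later event from the same source host is kept as context for the IR timeline. The registry of decoy credentials, the decoy host names and the simplified key=value log format are all constructed for the example and are assumptions, not anything from the product.

```python
"""Honey-credential detection over constructed auth log lines (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed registry of deceptive credentials planted on endpoints.
# In a real deployment these names, hosts and planting locations come from the
# deception platform; the values here are placeholders for illustration.
DECOY_CREDENTIALS: Dict[str, dict] = {
    "svc_backup_admin": {"planted_on": "WS-104", "type": "cached RDP credential"},
    "sqlreader":        {"planted_on": "WS-104", "type": "saved database password"},
}
# Constructed set of decoy hosts that no legitimate client should ever contact.
DECOY_HOSTS = {"FS-ARCHIVE-02", "DB-LEGACY-01"}


@dataclass
class AuthEvent:
    timestamp: datetime
    source_host: str
    target_host: str
    username: str
    outcome: str  # "success" or "failure"


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one simplified key=value auth log line (constructed format).

    Example: '2021-03-29T10:02:11Z src=WS-104 dst=FS-01 user=jdoe result=success'
    Malformed lines return None instead of raising, so one bad line never
    stops the timeline from being built.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"src", "dst", "user", "result"}.issubset(fields):
        return None
    return AuthEvent(ts, fields["src"], fields["dst"], fields["user"], fields["result"])


def classify(event: AuthEvent) -> Optional[str]:
    """Return an alert reason if the event touches a deception, else None.

    Success vs. failure is irrelevant: even a failed logon with a decoy
    credential proves that someone harvested it from the planting location.
    """
    if event.username in DECOY_CREDENTIALS:
        info = DECOY_CREDENTIALS[event.username]
        return (f"decoy credential '{event.username}' ({info['type']} planted on "
                f"{info['planted_on']}) used from {event.source_host}")
    if event.target_host in DECOY_HOSTS:
        return f"connection to decoy host {event.target_host} from {event.source_host}"
    return None


def build_timeline(lines: List[str]) -> List[dict]:
    """Parse, detect and return a chronological IR timeline.

    Once a source host trips a deception, every later event from that host is
    retained as context, even when it looks benign on its own.
    """
    events = [e for e in (parse_auth_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e.timestamp)
    compromised_hosts = set()
    timeline = []
    for ev in events:
        reason = classify(ev)
        if reason:
            compromised_hosts.add(ev.source_host)
        if reason or ev.source_host in compromised_hosts:
            timeline.append({
                "time": ev.timestamp.isoformat(),
                "source": ev.source_host,
                "target": ev.target_host,
                "user": ev.username,
                "outcome": ev.outcome,
                "alert": reason,
            })
    return timeline


# Constructed sample log: normal activity, then decoy credentials used from WS-104.
SAMPLE_LOG = [
    "2021-03-29T10:02:11Z src=WS-104 dst=FS-01 user=jdoe result=success",
    "2021-03-29T10:05:40Z src=WS-077 dst=FS-01 user=asmith result=success",
    "2021-03-29T10:09:03Z src=WS-104 dst=DC-01 user=svc_backup_admin result=failure",
    "2021-03-29T10:09:20Z src=WS-104 dst=FS-01 user=jdoe result=success",
    "2021-03-29T10:11:58Z src=WS-104 dst=DB-LEGACY-01 user=sqlreader result=success",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_LOG):
        print(entry)
```

Running the block prints three timeline entries: the failed logon with the decoy service account (first alert, WS-104 marked as compromised), the otherwise unremarkable jdoe logon from WS-104 that is now kept as context, and the connection to the decoy database host with the decoy SQL credential. The design point is that the detector never needs to know what “normal” looks like; the only tuning decision is where and how convincingly the decoys are planted.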

Learn more: watch an attacker grow to hate Illusive in real time

Unlike more probabilistic tools that wait for attackers to mimic previous attack patterns or carry out anomalous activity that falls outside of a baseline, Illusive deception brings the fight to the attackers. But don’t just take our word for it. View on-demand the event we had with experienced hacker Alissa Knight and the Illusive experts that were watching her every move as she tried to attack an Illusive-protected environment.