Illusive Blog June 7, 2021

If Your Blue Team Can’t Beat the Red Team, How Will You Beat Ransomware?

By Jeff Barker
Active Defense, Ransomware, Red Team Exercises

If Blue Teams lose to Red Teams more than they win, should we be surprised our defenses are not doing better against ransomware attacks? Should this have been the ‘canary in the coal mine’ for our vulnerability to ransomware?

Consider the following:

Success against Red Teams is one of our primary proof points for the efficacy of the Illusive Active Defense suite. However, I was recently caught off guard by an industry analyst from one of the leading firms who couldn’t believe that Illusive has an undefeated record in Red Team exercises. Not only did he not believe the claim; he asserted that customers wouldn’t believe the claim either. At first, I was taken aback. Until now, I had not received that response. Most audiences ask questions about the record and genuinely seem impressed. Why was it so difficult for him to believe that Blue Teams could consistently win?

Could it be that so many organizations regularly lose to the Red Team that it’s just not plausible for them to conceive that Illusive consistently beats them? Have we become so accustomed to Red Teams beating Blue Teams that we accept it as normal?

If attackers are using the same attack tools (e.g., Cobalt Strike, Covenant, SharpHound, BloodHound) that Red Teams use to defeat our Blue Teams, should we be surprised that we are not faring well against ransomware and nation-state attackers? All the recent ransomware and nation-state attacks offer compelling evidence that there is a gap in our Defense-in-Depth compensating controls for lateral movement detection. In the MITRE ATT&CK model, this gap corresponds to steps 6 through 9. Are Blue Teams being given tools that proactively eliminate the specific targets these attack tools exploit? Are there opportunities for Blue Teams to turn the attackers' use of these tools against them?

At this point, background on Illusive and our solution will be helpful to better understand the Red Team and Blue Team perspectives. Illusive helps organizations go on the offensive, creating an environment that is hostile to attackers, and giving Blue Teams attacker countermeasures that prevent the undetected lateral movement associated with ransomware and nation-state attacks before damage is done. Since Illusive is not a household name (yet!), our claims of filling the lateral movement detection gap are met with a healthy level of reasonable skepticism from prospective customers.

Over the years, security teams have heard a consistent drumbeat of new companies pitching themselves as THE solution to their security challenges. It seems that for every new breed of attack, there is a group of security companies pitching a new Defense-in-Depth “layer” required to mitigate this new threat. They are happy to walk you through the new PowerPoint that deconstructs the challenge to explain why this problem requires a new “thing.” I know, because I have been on the other side of the table (now Zoom) as the buyer for longer than I care to admit. Security teams have learned not to simply accept such claims, and instead seek concrete proof that a product is worth the cost and effort. Ironically, security vendors are now victims of the problem they created through their noisy campaigns: security teams have become desensitized to new claims of value.

This is true for Illusive too when we talk about our new approach for preventing the undetected lateral movement of ransomware. To convince potential customers, we must often provide a way to back up our claims with irrefutable evidence, and the most common way to prove the efficacy of the Illusive solution is through a Red Team exercise.

A typical Red Team exercise involves a defined section of the customer’s environment. The Illusive Active Defense Suite is deployed using an agentless architecture, so that Blue Teams can detect attacker reconnaissance and lateral movement while the attackers (the Red Team) are prevented from detecting Illusive’s presence. Consequently, attackers are unable to disable or take over Active Defense, and they incorrectly assume they are operating stealthily in the environment.

The first step in preparing the environment for the Red Team exercise is to audit and remove unnecessary cached credentials and connections that violate policy and make it easier for attackers to harvest valuable credentials. Across more than 100 Illusive customers, we have found that:

  • 1 in 5 endpoints contain cached privileged account credentials.
  • 37% of endpoints contain policy-violating credential and connection information.

Cleaning those violations up with strict cyber hygiene denies attackers a form of low-hanging fruit they typically leverage to evade security agents and hop to other devices.
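As an added illustration of the audit step described above (this is example code, not Illusive's own tooling; the policy, host names, accounts and endpoint inventory are all constructed), the script below flags privileged credentials cached on hosts not permitted to hold them and saved connections that are not on the sanctioned list, then reports the fleet-wide rates that such an audit produces.

```python
"""Cached-credential and connection hygiene audit over a constructed endpoint inventory."""

# Constructed policy: privileged accounts may only be cached on designated admin hosts,
# and only the listed (source, destination) connections are sanctioned.
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin", "CORP\\svc-backup"}
PRIVILEGED_ALLOWED_HOSTS = {"jump01"}
ALLOWED_CONNECTIONS = {
    ("ws01", "fileserver01"),
    ("ws02", "fileserver01"),
    ("ws04", "fileserver01"),
    ("jump01", "dc01"),
}

# Constructed inventory: what a collector would report per endpoint
# (cached credentials and saved RDP/SMB connection targets).
ENDPOINTS = {
    "ws01": {"cached": ["CORP\\alice"], "connections": ["fileserver01"]},
    "ws02": {"cached": ["CORP\\bob", "CORP\\da-admin"], "connections": ["fileserver01", "dc01"]},
    "ws03": {"cached": ["CORP\\carol"], "connections": ["dc01"]},
    "ws04": {"cached": ["CORP\\svc-backup"], "connections": ["fileserver01"]},
    "jump01": {"cached": ["CORP\\da-admin"], "connections": ["dc01"]},
}


def audit_endpoint(name, data):
    """Return a list of (finding_type, detail) violations for one endpoint."""
    findings = []
    for acct in data["cached"]:
        # A privileged credential is only acceptable on an approved admin host.
        if acct in PRIVILEGED_ACCOUNTS and name not in PRIVILEGED_ALLOWED_HOSTS:
            findings.append(("cached-privileged", acct))
    for dst in data["connections"]:
        # Any saved connection outside the sanctioned list is a policy violation.
        if (name, dst) not in ALLOWED_CONNECTIONS:
            findings.append(("unsanctioned-connection", dst))
    return findings


def audit_fleet(endpoints):
    """Audit every endpoint; return (per-host report, privileged-cache rate, any-violation rate)."""
    report = {name: audit_endpoint(name, data) for name, data in endpoints.items()}
    total = len(endpoints)
    with_priv = sum(1 for f in report.values() if any(k == "cached-privileged" for k, _ in f))
    with_any = sum(1 for f in report.values() if f)
    return report, with_priv / total, with_any / total


if __name__ == "__main__":
    report, priv_rate, any_rate = audit_fleet(ENDPOINTS)
    for host, findings in report.items():
        print(host, findings or "clean")
    print(f"endpoints with cached privileged creds: {priv_rate:.0%}; with any violation: {any_rate:.0%}")
```

The per-host findings are the remediation list (credentials to purge, saved connections to remove); the two rates are the same kind of fleet-level figures quoted above.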

Next, deceptions are deployed directly on the endpoints to make it difficult for attackers to move laterally undetected. When the attacker makes an incorrect decision and engages a deception, an alert is triggered and telemetry on the attacker’s activity is collected, in sub-second time, directly from the endpoint where the attacker is interacting with the deceptive story.

There are also typically questions and concerns about ease of deployment and about deception techniques. For deployment, we leverage existing endpoint management tools like SCCM to automate the initial install and regular updates. When many people hear “deception,” they think of honeypots and the challenges and limitations that come with them. These challenges include the correct observation that honeypots are poor at threat detection and are often relegated to collecting threat intelligence on the rare occasion that an attacker operates within one.

Illusive’s next-generation deception architecture does not rely on successful lateral movement to a honeypot; instead, multiple authentic-looking deceptive stories are deployed to, and maintained for, each endpoint. When an attacker engages a deception to see if it connects or authenticates, information is collected immediately from that source endpoint, regardless of the result. There is no need to entice the attacker to move to a honeypot to collect data on their behavior. The benefit of this approach is obvious when you consider the possible scale of these deceptive environments. For example, we have customers with 100,000 endpoints and over 2,000,000 deceptions deployed. When an attacker establishes a beachhead and attempts to move laterally, 95% of their possible options are deceptive and will trigger an alert. That creates an environment that is much more hostile to the attacker. Vetting over 2 million choices takes a lot of time and slows attackers to a crawl.

Hopefully, this description shows you that outfitting the Blue Team with Illusive Active Defense can change the prevailing attitude that accepts Blue Team defeat as normal. Additionally, it offers insight into how organizations use their Red Team exercises to validate that Illusive Active Defense fills the lateral movement detection gap exploited by ransomware, nation-state, and insider threats.

One final note: Illusive Active Defense defeated the FireEye Red Team, the same Red Team the FireEye CEO said succeeds 90% of the time.