
Improving network security by ‘deflecting’ cybercriminals

10 Aug 2020

Article by Attivo Networks solutions engineer Vlado Vajdic.

Keeping corporate IT networks secure from external attack is a constant task for security teams. However, spotting threats that have already breached defences can be an even bigger challenge.

Sophisticated phishing attacks can trick users into downloading infected files or visiting compromised web pages. A simple mistake can mean that, even with the best perimeter defences in place, malicious actors can still gain access to a network and resources connected to it.

Once inside a network, cybercriminals can lurk for long periods, quietly moving around and assessing what data is available and what it might be worth. This activity can often continue without triggering alarms or providing warnings to the security team.

Overcoming this situation means using a new technique that makes it significantly easier to spot cybercriminals who have successfully entered a network. It allows security teams to identify the threat and then take steps to remove it and minimise any damage or loss.

Security deflection in action

The strategy works by monitoring east/west traffic to unused ports and services on any system within a network. There is no reason why legitimate users would be accessing these closed ports or services, so any activity is almost certainly the work of a cybercriminal.

For example, a personal computer on the network may have become infected with malware when a user plugged in a USB drive. Attackers can then use this infected PC to scan the network and seek out data that is of value.

As the attackers look around for systems to jump to, they will fingerprint hosts by probing for open ports and services they can compromise. With a deflection capability, any port they probe can potentially respond to their connection requests, giving them a false fingerprint of the device.

Furthermore, if they attempt to connect to one of these ports, the deflect function will redirect the malicious traffic to a decoy service somewhere else on the network that contains no data of real value.

It will take the attacker time to figure out that the resources they have accessed are of no use, and this delay gives the security team a chance to understand what the attacker is doing and remove them from the network.

This deflection capability can be added to all endpoints on the network, affording each better protection from attack and providing the security team with a comprehensive view of any malicious activity that is taking place.
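To make the mechanism concrete, here is an added example (not the article's or Attivo's code) of a minimal deflection policy engine: it checks east/west connection records against a constructed inventory of the ports each host legitimately serves, redirects probes of unused ports to a constructed decoy map, and groups repeated probes by source to surface the scanning host. Host addresses, port inventory and decoy names are all assumptions for illustration.

```python
# Added example: deflection policy over east/west connection records.
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: the ports each host actually listens on.
LEGIT_SERVICES = {
    "10.0.1.10": {22, 443},   # web server
    "10.0.1.11": {3389},      # jump host
    "10.0.1.12": {445},       # file server
}

# Constructed decoy map: which decoy answers a probe on a given port.
DECOYS = {22: "decoy-ssh:2222", 445: "decoy-smb:4445", 3389: "decoy-rdp:3390"}
DEFAULT_DECOY = "decoy-generic:9999"


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def is_unused_port(conn):
    """True when the destination host does not serve that port at all."""
    return conn.dport not in LEGIT_SERVICES.get(conn.dst, set())


def deflect(conn):
    """Decoy endpoint for a probe of an unused port; None for legitimate traffic."""
    if not is_unused_port(conn):
        return None
    return DECOYS.get(conn.dport, DEFAULT_DECOY)


def find_scanners(conns, min_unused=3):
    """Sources that touched at least min_unused distinct (host, unused port) pairs."""
    hits = defaultdict(set)
    for c in conns:
        if is_unused_port(c):
            hits[c.src].add((c.dst, c.dport))
    return {src: sorted(t) for src, t in hits.items() if len(t) >= min_unused}


# Constructed sample: one normal user and one infected PC walking the subnet.
SAMPLE_CONNS = [
    Conn("10.0.2.50", "10.0.1.10", 443),   # legitimate HTTPS
    Conn("10.0.2.77", "10.0.1.10", 22),    # served port, not flagged
    Conn("10.0.2.77", "10.0.1.10", 445),   # unused -> deflected
    Conn("10.0.2.77", "10.0.1.11", 22),    # unused -> deflected
    Conn("10.0.2.77", "10.0.1.11", 445),   # unused -> deflected
    Conn("10.0.2.77", "10.0.1.12", 3389),  # unused -> deflected
]
```

Running `find_scanners(SAMPLE_CONNS)` returns only the infected PC, with the four host/port pairs it probed; a real deployment would feed this from flow logs or an endpoint agent rather than a fixed list.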

Improved security

A deflection strategy provides an extra level of protection against a wide range of cyberattacks on a corporate network, from ransomware and other attacks designed to cause disruption, to criminals seeking sensitive corporate data for commercial gain.

The strategy ensures that cyber-attackers are no longer able to lurk on a network and seek out potential targets without revealing themselves. As soon as they access an unused port or service, they announce their presence.

Decoys add a further layer of security: by delaying the attacker and giving the security team sufficient time to respond, they improve overall infrastructure security.

Generally, using a strategy of deflection makes networks much more defensible by increasing resistance and friction for unwanted visitors. It essentially allows security teams to use a ‘home advantage’ to detect and neutralise threats that have managed to breach the secure perimeter.

It complements other network defences that are likely to already be in place while also making it easier to collect forensics and intelligence data that the organisation can use to strengthen security for the future.

Deflection is also particularly important when networks incorporate cloud platforms and other resources that sit outside the conventional corporate firewall. Continually monitoring for unusual traffic to unused ports and services will allow the organisation to detect attackers regardless of the location of the compromised endpoint.

The strategy is yet another tool at the disposal of security teams, and one that will help them to stay well ahead of cybercriminals at all times.
