Illusive networks, one of Israel’s most talked about cyber security startups, announced that they are releasing a new set of tools to limit ransomware’s damage
Ransomware has been one of the most talked-about cyber threats of the past year, as it has gone from targeting individuals for low stakes of a few thousand dollars to a lucrative criminal enterprise threatening hospitals, banks, and other institutions with a lot to lose.
As opposed to previous attacks by hackers aimed at stealing valuable information for their own gain or selling it to the highest bidder, ransomware offers a much simpler proposition. To make money, the hacker does not have to exfiltrate the information at all; they only need to deny its owners access to it by encrypting it. Faced with the choice of losing that data, many will decide to just pay up.
In the digitized world, all of an institution's information, whether patient records or bank account details, is stored on a vast network that is vulnerable to attackers, and it can all become compromised with a single breach.
Responding to this threat, illusive networks — one of Israel’s most talked about cyber security startups — announced this week that they are releasing a new set of tools to limit the damage of ransomware, cutting attackers off before they become a real threat.
Co-founded in 2014 by CEO Shlomo Touboul and Ofer Israeli, who serves as VP of R&D, illusive is a progeny of the Team8 cyber security initiative. Team8, a combination of VC and accelerator that Geektime has written about in the past, seeks to create new companies in response to security challenges. With their main office in Tel Aviv for R&D, management, and regional sales, they have recently opened a sales and marketing office in New York. Since their launch, they have been working with dozens of clients and appear to be growing.
According to Touboul, a more sophisticated attacker will breach the system and start moving laterally in search of the juiciest bits of data. This process can go on for long stretches of time without being discovered.
“It takes on average 185 days to uncover an attack, so about 7 months,” he tells Geektime, describing the challenges of Advanced Persistent Threats (APT). “In those cases, 69% of cases in the U.S., they only know about it because the FBI or another outsider tells them that they have been attacked.”
He believes that advanced ransomware (Advanced Ransomware Threats – ARTs) is the next evolution of attacks for hackers. With exploit kits so easy to buy and execute, ransomware represents an easy path to an illegitimate pay day.
Unfortunately, Touboul says that most companies are not prepared for these threats. The vast majority of their budgets are still being spent on tools that he says cannot detect the attacks.
Calling it the Advanced Ransomware Guard, illusive's new package is built on their concept of “Deceptions Everywhere,” setting up a maze of smoke and mirrors that serves as a trap for any attacker who attempts to navigate their way through the system.
They flood the network with fake entities and wait for the attacker to bump into one. “We do it with no software running on the machine, but there are plenty of deceptions on every machine,” Touboul tells Geektime.
If a breach occurs, the hacker will be forced to choose from dozens if not more options, forcing them to gamble. And like any good casino, the house always wins.
Unlike traditional honeypots, which have been around for a while now and require some kind of computer, whether a server, router, virtual machine or otherwise, illusive works with a different kind of deception concept that they claim is far more scalable. They scatter dummy files throughout the network at strategic spots that only an unauthorized attacker would have reason to visit. This could be a cached memory dump, or other locations the attacker would have to hit as they move through the network seeking higher-privilege credentials.
The deceptions are files made to look like databases, servers, passwords, profiles, and other desirable items an intruder would look for on the way to their final target. When the hacker accesses the data and then tries to use it, illusive's automated response shuts them down before they are able to encrypt any of the real files, and alerts the team to the intrusion.
The company says that by making it a “Two-Step” process, they eliminate the issue of false positives that can clog up a security team's docket. “They are getting billions of notifications every month, of which only 200 or so are real attacks,” explains Touboul. “As a result, they lose attention. They are getting false positives because they are looking for anomalies, but human beings are always exceptions. The attacker will learn normal activity, and figure out how to run undetected.”
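To make the two-step idea concrete, here is a small honeytoken detector run over constructed log lines. It is an added illustration written for this article, not illusive's code, and it makes no claim about how Advanced Ransomware Guard is implemented. The log format, the decoy account names (svc_backup_admin, oracle_dba_legacy), the decoy file paths and the hostnames are all invented for the example. Step one, a process reading a decoy file, is only remembered, because backup agents, indexers and antivirus scanners read files too; step two, an attempt to authenticate with a decoy credential, has no legitimate explanation and always raises an alert, enriched with the earlier file touch from the same host so the responder gets the time window around the intrusion.

```python
"""
Two-step honeytoken detection over constructed log lines.
Added example only; not illusive networks' code. Names, paths and the
log format are hypothetical.
"""
import re

# Constructed decoy inventory (hypothetical names). Nothing legitimate should
# ever authenticate as these accounts or have a reason to read these files.
DECOY_ACCOUNTS = {"svc_backup_admin", "oracle_dba_legacy"}
DECOY_FILES = {r"C:\Users\Public\creds\db_passwords.txt", "/opt/ops/.vault_token"}

# Constructed sample log: "<timestamp> key=value key=value ...".
SAMPLE_LOG = r"""
2016-07-12T03:14:07Z host=ws-042 event=file_read path=C:\Users\Public\creds\db_passwords.txt user=jdoe
2016-07-12T03:14:09Z host=ws-042 event=file_read path=C:\Users\jdoe\report.docx user=jdoe
2016-07-12T03:15:22Z host=dc-01 event=logon account=svc_backup_admin src=ws-042 result=failure
2016-07-12T03:15:40Z host=dc-01 event=logon account=jdoe src=ws-042 result=success
2016-07-12T03:20:00Z host=fs-01 event=file_read path=/opt/ops/.vault_token user=backup-agent
""".strip().splitlines()

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Parse one 'ts k=v k=v ...' line (constructed format) into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def detect(lines):
    """Return a list of alerts, one per use of a decoy credential.

    Step 1: a decoy file being read is recorded per host but never alerted on
            (scanners and backup agents produce exactly this noise).
    Step 2: a logon attempt with a decoy account is an alert regardless of
            outcome, and carries the first decoy touch seen on the source host.
    """
    touches = {}   # host -> timestamp of the first decoy file read
    alerts = []
    for ev in map(parse, lines):
        kind = ev.get("event")
        if kind == "file_read" and ev.get("path") in DECOY_FILES:
            touches.setdefault(ev["host"], ev["ts"])
        elif kind == "logon" and ev.get("account") in DECOY_ACCOUNTS:
            src = ev.get("src", ev["host"])
            alerts.append({
                "ts": ev["ts"],
                "account": ev["account"],
                "src": src,
                "target": ev["host"],
                "result": ev.get("result", "unknown"),
                "first_touch": touches.get(src),   # None if used without a prior read
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log only the svc_backup_admin logon from ws-042 produces an alert; the backup agent reading the decoy vault token on fs-01 is recorded and nothing more, which is the false-positive suppression the two-step rule buys.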
With companies facing severe shortages of qualified security professionals, a solution for dealing with the overload of alerts can prove invaluable.
Along with the deception and response aspects of the product, they have a visibility tool called Attacker View that collects all the existing attack vectors that allow an advanced attacker to move laterally within the network. “We draw a map that includes all of the endpoints and servers within the company so now the company can see all of the possible paths of the attacker during an advanced attack,” Touboul tells Geektime, adding that, “It can show all the servers and workstations, showing you how many moves he needs to make until he reaches the important files.”
Once illusive detects an attack, the company says it can pinpoint when the attack occurred and capture the moments right before and after it, giving the team forensic evidence from the point of origin for the post-mortem.
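The “how many moves” question in that map can be answered with a small graph computation. The following is an added example, not illusive's Attacker View, over a constructed inventory in which hostnames and account names are hypothetical: hosts are nodes, and there is a lateral-movement edge from one host to another whenever a credential cached on the first grants admin rights on the second. Breadth-first search gives the shortest attack path and its hop count; the example goes one step further than the text and also reports which single cached credential, if purged, would cut or lengthen that path.

```python
"""
Attack-path map over cached credentials (constructed inventory).
Added example; not illusive networks' code. All hosts and accounts are invented.
"""
from collections import deque

# Constructed inventory: where credentials are cached, and what they administer.
CACHED_CREDS = {              # host -> accounts whose credentials sit on that host
    "ws-042": {"jdoe", "helpdesk_adm"},
    "ws-107": {"asmith"},
    "jump-01": {"helpdesk_adm", "srv_adm"},
    "app-01": {"srv_adm"},
    "db-01": {"dba"},
}
ADMIN_ON = {                  # account -> hosts where it has local admin rights
    "jdoe": {"ws-042"},
    "asmith": {"ws-107"},
    "helpdesk_adm": {"ws-042", "ws-107", "jump-01"},
    "srv_adm": {"jump-01", "app-01", "db-01"},
    "dba": {"db-01"},
}


def build_graph(cached, admin_on):
    """Edge a -> b when some account cached on a is admin on b (b != a)."""
    graph = {host: set() for host in cached}
    for host, accounts in cached.items():
        for acct in accounts:
            for target in admin_on.get(acct, ()):
                if target != host:
                    graph[host].add(target)
    return graph


def shortest_path(graph, start, goal):
    """BFS over the lateral-movement graph; host list or None if unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):   # sorted for deterministic output
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def moves_to_target(cached, admin_on, start, goal):
    """Number of lateral moves from start to goal, or None if no path exists."""
    path = shortest_path(build_graph(cached, admin_on), start, goal)
    return None if path is None else len(path) - 1


def choke_points(cached, admin_on, start, goal):
    """(host, account, new_moves) for every single cached credential whose
    removal makes the goal unreachable (None) or pushes the path longer."""
    base = moves_to_target(cached, admin_on, start, goal)
    if base is None:
        return []
    results = []
    for host, accounts in cached.items():
        for acct in accounts:
            trimmed = {h: (a - {acct} if h == host else a) for h, a in cached.items()}
            new = moves_to_target(trimmed, admin_on, start, goal)
            if new is None or new > base:
                results.append((host, acct, new))
    return results


if __name__ == "__main__":
    graph = build_graph(CACHED_CREDS, ADMIN_ON)
    print("path:", shortest_path(graph, "ws-042", "db-01"))
    print("choke points:", choke_points(CACHED_CREDS, ADMIN_ON, "ws-042", "db-01"))
```

With this inventory a foothold on ws-042 reaches db-01 in two moves (ws-042 to jump-01 via the cached helpdesk_adm credential, then jump-01 to db-01 via srv_adm), while ws-107 has no path at all; purging either helpdesk_adm from ws-042 or srv_adm from jump-01 breaks the path, which is the kind of remediation a map like this is meant to surface.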
In looking at security, there are always debates about how to balance protection with efficiency. Machines need to be able to speak to one another. “You can’t break those connections because you still need them to function,” says Touboul, emphasizing the point. Techniques like segmentation can enforce policies limiting communication, which, while very useful in putting up barriers, are by their nature restrictive. By laying traps that only attackers are likely to run into, illusive leaves open the path for greater freedom of movement for legitimate users.
The illusive team appears to be firmly in the “You’ve already been breached” and “Don’t bother worrying about prevention” camp, downplaying the need for the high walls that anti-malware tools are there to provide. While this may be the popular sentiment at the moment, I reject the notion that there is only one way to provide security. Touboul agrees that even with a solid solution like his, multiple layers are needed.
It is worth remembering that when former NSA contractor Edward Snowden stole his massive data dump, he was already an insider with many, albeit not all, permissions that allowed him to access the files. What barriers there were in front of him, he was able to overcome through ingenious social engineering to borrow the necessary credentials.
No solution will ever be impenetrable, but illusive brings hardening to a whole new level, creating beautiful mayhem and confusion for hackers.