Good morning, good afternoon, good evening, ladies and gentlemen, and welcome to another KuppingerCole webinar. Our topic for today is how to stop attacker movement in your network before they reach your crown jewels. My name is Alexei Balaganski, and I am an analyst at KuppingerCole. Today I am joined by Wade Lance, who is a principal solutions architect at Illusive Networks. Before we begin, just a few words about KuppingerCole ourselves. We are an analyst house headquartered in Wiesbaden in Germany.
We are focusing on three major areas of market research, covering identity and access management, cybersecurity, and recently also artificial intelligence. We offer the usual services you would expect from an analyst company: research publications, webinars and other events, as well as online learning and advisory projects. On this slide, you can see a short summary of our advisory services for vendors and end users.
I won't spend much time on the slide.
You will find more information on our website. Speaking of events, we have a whole range of different events, starting with small online webinars like this one today, up to pretty big physical-world conferences, if you will, and you'll see a list of dates and locations on this slide. The next one actually starts in a week or so in Frankfurt, Germany, and we already have a few planned, both in Europe and in the US, for the rest of the year.
And of course our flagship event is always the European Identity and Cloud Conference, which will take place next May in Germany. A few housekeeping rules: everyone is muted centrally, so you don't have to worry about your microphone. We are recording this webinar and we will publish the webcast, along with the slides from both speakers, on our website.
Everyone will get an email with a link to those materials. We will have a Q&A part at the end of the webinar, but you are encouraged to submit your questions as soon as you have them.
You can use the questions panel in the GoToWebinar control panel, which is probably in the lower right corner of your screen at the moment. Our agenda for today is traditionally split into three parts.
First, I will do a more general introduction to the topic of today's webinar, and then we'll talk about balancing real-time visibility and proactive infrastructure hardening to more efficiently mitigate and prevent modern cyber threats. Then I will hand over to Wade to talk in more detail about approaching this idea: implementing it in a software platform, designing a strategy, and basically explaining how it all works in the end.
And of course we'll have a Q&A session. Without further ado, let's jump directly into the first slide.
This is of course KuppingerCole's favorite slide, which shows, or at least attempts to show, the state of a typical corporate IT infrastructure in the modern hyper-connected world.
What we used to have 20 or even 10 years ago, a typical castle with the wall and the moat protecting all your crown jewels, all your data behind those walls, with probably a single gateway to the outside world, just no longer exists. Your data, your resources, your systems, and more importantly your users, partners and customers are spread all around the world, definitely outside of your corporate network perimeter, and the more data and resources you have outside, the less control you have.
And of course, sometimes you even hand that control over to a third party, like a cloud service provider.
With this perimeter eroding, the traditional approach to cybersecurity just no longer works; the firewall won't help you much. All this has led to the well-known paradigm shift in IT security in recent years: basically, many people would say, okay, we give up, we cannot protect you from a security breach anymore, and the best thing you can do is just focus on detection.
So the earlier you detect a hacker within your network, the more chances you have to survive that breach with as little impact as possible. Thus, many security tools have been focusing on giving you the best visibility into your infrastructure, into everything happening within the network, with some threat intelligence and, in recent years, also machine learning and other fancy stuff thrown into the box. The problem is, of course, that visibility alone, threat detection alone, won't save you from a breach.
It won't save you from data loss, from a potential disaster which will just stop your business processes and force you to spend a lot of time and money on recovery. So let's look at the bigger picture. We know the traditional NIST cybersecurity framework, which has defined five traditional pillars of a comprehensive cybersecurity architecture: protection, real-time detection, obviously quick response, quick recovery, but first of all, just knowing what's going on, so identifying your attackers even before an attack happens.
This is still valid.
This is still relevant, but for practical reasons, for today's webinar we have boiled it down to three major areas which are still very relevant for your cyber threat defense architecture. The one we would call preempt includes all the traditional proactive security tools which help you harden your infrastructure, harden your assets, even before anything bad happens to them.
It's like a vaccine for your IT body, so to say. Detection of course is still relevant, still very important, and it still has to be a mix of traditional security tools like antiviruses and more advanced ones like AI-based security intelligence. And of course, as soon as you detect something, you need tools to quickly understand what it is that has actually happened, to do a forensic analysis and to mitigate the problem as quickly as possible through some kind of automated security orchestration, and finally to deal with all the non-IT consequences of a breach: talking to the press, legal entities, authorities, and so on, everything that's included in incident response.
So this is the bigger picture. The question is: the traditional tools, which we have had in our toolkit for decades, are they still relevant? Are they still able to cover all the potential and emerging new types of attacks?
Well, here I have summarized not specific new attack types, but more the general trends we have observed recently. The attackers are, first of all, shifting their focus from targeting the infrastructure towards attacking humans. Humans are easy to trick. Humans are the weakest link, definitely. There is unfortunately still no antivirus which you can install in your brain to protect you from phishing and social engineering.
And of course, the actual cyber attacks, if you will, are designed in a way to avoid monitoring and detection as best as possible, both by traditional signature-based antiviruses and the more modern indicator-of-compromise-based tools like behavior analytics. To do that, they aim to leave as few tracks and traces in your infrastructure as possible, which is why we are talking about three major new tactics today.
The first is fileless malware, where malicious code is just not saved on a hard drive or any other persistent media; it only resides in memory, or for example in the Windows registry. It utilizes non-binary technologies to deliver the payload, like for example PowerShell scripts, although it can still of course deliver the traditional exploits and malicious toolkits like Mimikatz, for example, to assist in collecting the necessary information for lateral movement within your network.
This fileless malware is generally undetectable by traditional antiviruses. Another trend, which we would call living off the land, means that the attackers avoid using any external malware at all and focus only on using the legitimate administrative utilities, like again PowerShell or any other tool which any system already has installed and which is typically also whitelisted in your security tools. They would also mimic usual admin activities in order not to trip the behavior-based security tools.
So they are very difficult to detect even with advanced security analytics solutions. And finally, again, insider threats are tactics which are aimed at people, humans, not computers. You already know of course about phishing and spam, and all those business email compromise attacks, which basically involve human-to-human attacks.
But of course there are also attacks which target the traces left by humans on their systems, which are these native connections and credentials that are always left when you're doing your daily job on your computer, be it a remote session, or just an open application, or a connection to a privileged system for maintenance. All these credentials and connections then remain in memory or saved in log files, and can be harvested by attackers and used against you. So on this slide, I've attempted to create a diagram showing the typical cyber attack phases.
It always starts with the attacker getting information about your network, doing some external research, if you will, reconnaissance, and then finding a single place for intrusion. And then the biggest and longest phase is always lateral movement: the attempt of a hacker to discover other systems within your network and find a possibility to move to those systems, maybe to gain some extra privileges on the way.
Anyway, this is the lateral movement phase. It can actually last for hundreds of days, and when done right, the hackers, the really advanced ones, those APT groups, can do it low and slow; they have the resources and time to spend lurking around your network for 200 days, for example, when they know that the crown jewels, the ultimate goal, are really worth it. But of course they would really appreciate it if they could do it easier, within a shorter period of time.
This is why they're always looking for those tracks, those credentials and interconnections between systems.
It could be those credentials which you save in your browser, for example. It could be an SSH key left on your computer. It could be admin credentials, for local admins or for domain admins, which are cached in your computer's memory and can be harvested with a tool like Mimikatz, for example. It could be hard-coded access tokens within applications, or lots of other things; even getting access to your application log file can provide some food for those attackers living off the land.
So when you think about it, in many cases the real-life scenario of a cyber attack looks much more like this. The hackers do not need to spend hundreds of days looking around. They just breach the first machine or system, they harvest all those connectivity traces, and they already know the shortest route to the next machine to breach and the credentials to do it.
And they just hop directly towards your crown jewels; instead of hundreds of days, they only need hours, maybe. The question is, how do you prevent it?
When we discussed this webinar some time earlier, I heard this really nice term, cyber hygiene "basics", and I put it in quotes because they aren't really that basic.
To do this the traditional way, you need to deploy a combination of various security tools: endpoint detection and response, behavior analytics; of course, you need to manage your privileged accounts properly with a key vault and the like; you need some kind of identity and access governance tool to detect improper access to systems, or to detect users who have excess privileges; and of course you need a network monitoring tool to look for anomalies in the traffic within your network. These are the quote-unquote basics.
Unfortunately, for many companies, they tend to pile up to a level where they just don't have either the budget or the skills to implement it all the proper way. The question is, do we have an alternative? And in fact, we do, and this is exactly the topic of today's webinar.
We are going back to this term I used earlier, lateral movement defense. Instead of trying to cover each gap in each system within your network against all possible attack scenarios, you start thinking like a hacker; you start looking for the things which a typical attacker would be looking for.
And you apply your cyber hygiene directly to those things. Those things include some fancy-sounding technologies like next-generation vulnerability management, or deception technologies, or quote-unquote next-gen key management. But in reality it's not rocket science; it's just doing what you have done for years with firewalls or vulnerability scanners.
You just have to start looking in other corners of your network; you have to focus not on the systems themselves, but on those connections between the systems. And if you manage to implement some kind of a consistent platform, if you will, a technology and architecture to do the same job those hackers would be doing, to scrape your network for those tasty morsels, those credentials and interconnections, and then just preemptively remove those,
you will make lateral movement for a potential hacker way, way more complex and complicated.
This is exactly what we are talking about today. So in a sense, we are talking about starving that hacker, and this is my masterpiece of PowerPoint animation, where I try to show how a network would look to a hacker. They would try to attack the network as they expect, looking for those pathways and credentials. Unfortunately for them, you have already invested in removing those unnecessary pathways: you have blocked them manually, or through a firewall policy, or maybe through some kind of automation tool.
It's not my job as an analyst to explain that; that will be a task for Wade later today. But you do cut those unnecessary lateral movement opportunities for him. And then of course you start removing all those unnecessary credentials: you are clearing up your users' browser caches, for example, you force them to remove those statically hard-coded credentials from applications, and so on.
And finally you deploy, and this is optional but pretty useful as well,
those deception technologies, some kind of mouse traps, which on one hand detect the presence of a hacker trying to access exactly that piece of information you have just removed. On the other hand, they create many distractions for a hacker, who would be forced to spend time looking at phantom systems and phantom credentials which look just like real ones but don't work anywhere. So in a sense, you are starving the attacker, removing all those living-off-the-land opportunities for him. And of course you always end up doing all the rest, the proper stuff.
Like, for example, you connect your privileged account management, and you also put all those really relevant, secure keys to your highly secure systems, your crown jewels, under that privilege management. In a sense, you end up with a network which leaves an attacker no possibility to do it the easy way, if you will.
So you have proactively, preemptively hardened your network without spending a lot of effort on the actual system security. You have just cleaned up the garbage, if you will, the digital garbage.
Ideally, such a tool should be completely automated. You don't have to do it manually, because otherwise you will spend at least as much time as the attacker. And this is exactly what Wade will be talking about in his part. But before I give him the stage, let me just quickly summarize what I've been talking about today. So first of all, yes, traditional proactive security is dead. Still, you cannot rely on forensics alone, on detection alone, to save you from all the attacks; those new types of attacks cannot be detected by traditional tools.
So you do have to think about these new types of advanced techniques and tactics, and for dealing with them, hardening is still relevant; you just have to look into the different corners of your infrastructure, if you will. So this native connectivity, these credentials and pathways, are the new food for the traditional living-off-the-land attack, and lateral movement prevention is the new ground for next-generation vulnerability management.
And finally, you still have to think holistically; you still have to think about integrating this new type of security technology with your existing identity management, security and operational tools as well, leaving no gaps for the attacker in the end. And with that, Wade, the stage is yours.
Excellent.
Thank you, Alexei, and thank you for the opportunity to partner with KuppingerCole for this presentation. I appreciate that overview of the method and the problem. So today at Illusive, we want to take a minute and just describe the method that we use to stop attacker movement in a network.
The idea: I think we've acknowledged that attackers will get access to systems. The question gets to our ability to deny them access to the really sensitive bits in the network, and to keep business continuity and keep sensitive data sensitive. So what we're going to do is look at two different elements in this process, the first being the hygiene process that is essential, and really just acknowledging that normal business activity creates these opportunities for attackers.
And so how are we cleaning up behind ourselves in an automated fashion, to simply, as Alexei said, starve the attacker and deny them these elements?
Then we're going to look at some capabilities for managing the attack surface itself, and really putting the burden back on the attacker as they attempt to exploit our environments. So the first thing I want to point out is that what attackers leverage to move laterally, with a living-off-the-land method or whichever method they employ, is the actual data that is on our systems.
We're really moving below the application layer now on our hosts and examining the data that the attacker leverages to make these movements. Alexei talked a little bit about living off the land. Obviously, lateral movement can be done a number of ways; living off the land is one of the more difficult to deal with, because as an attacker avoids using custom binaries and the like, our signature-based systems become less effective.
Also, there's this tendency to avoid the use of unknown vulnerabilities, zero-day and zero-hour type attacks. Once those objects are used, they become known to us and we build defenses for them.
So as a cybersecurity team, once an attacker has leveraged a vulnerability, we become aware of it and we build IOCs and signatures. And so the attacking community is hesitant to use those, unless it's kind of a last resort. One of the things that we find is that the native passwords and connections created by the business become very effective tools for movement within the environment.
And this becomes the preferred method for the attacker in many cases, even waiting to see what the user does on the system that they've gained access to before they're willing to make a move.
So what we realized is that if we think like an attacker, we can actually manage the credential and connection data that fuel lateral movement and deny attackers their favorite weapon, which is to live off the land. We'll get into a little more specifics about how this is being played out, and I'll just go ahead and build this out.
What we're seeing in post-breach investigation is stolen credentials and privilege abuse. The main goal of phishing now is credential theft, and we see this not just rising, but rising dramatically. One of the things Alexei talked about was the speed and efficiency with which an attacker can move through our environment when these kinds of credentials and this kind of connection data is gathered and collected.
So when we look at this data from post-breach investigation, what we realized is that our vulnerability management programs, as security organizations, generally have not adapted to this kind of vulnerability.
It's true, we look at vulnerabilities in applications and operating systems, but the data layer, the credential and connection data layer, most organizations haven't adapted to that yet. And as attacks become more and more automated, we are seeing a movement towards attacker tools harvesting this data in an automated fashion.
Not that long ago, harvesting this information was generally more of a manual process, and we're definitely seeing that move to being an automated process. So when we're looking at these pathways and the data, let's get a little bit more specific about exactly what we're talking about. One of the elements in this is domain user credentials and connection information.
And we see it all over the place, whether it's in browsers, or historical connections using other applications like PuTTY or WinSCP and different tools; obviously domain user credentials can be stored in the local operating system in the Windows Credential Manager.
We look at how these credentials are being stored and saved on the endpoints themselves, just like an attacker is doing. I think Alexei made a great point: one of the things that we're doing is taking the attacker perspective to look at our systems the same way they do. RDP connections.
This is the favorite tool of attackers. We use RDP in a lot of Windows environments for remote administration, and when this is done in a sloppy manner, there are ways to take advantage of this, both on the source system but also on the target, depending upon people saving credentials in the RDP client or leaving behind orphan sessions that aren't shut down correctly.
And these are just a gold mine for attackers. Unmanaged local administrator accounts: local administrator accounts continue to be a source for attackers and an area of difficulty for us as security teams.
There are newer tools in the market; obviously with Windows 10 now there's a native Active Directory capability in LAPS to manage one local administrator account. But we tend to see higher numbers of these that are unmanaged, and it's a huge opportunity for the attackers. Shadow administrator accounts: very powerful.
These are privileged accounts that are not members of a privileged group, but through ACLs this individual account has been given all the permissions to function like a more capable user. These shadow administrators definitely are a source of concern, especially when these credentials, again, can be stored on systems throughout the environment. And then also service accounts.
At Illusive, when we look at people's environments, we see things like service accounts logged in interactively.
Why is this service account, that's typically used for application connections to a database,
running an interactive session over on this particular host? These examples are just a few; there are many, many more that create a lot of pain for us and opportunity for the attackers, and looking at that gives us an advantage.
So when we go out to look at how large this problem is, I'll just draw your attention to this Ponemon study; in particular, the last data point here is when organizations were surveyed, and these are solid security organizations, about their ability to know just when credentials are being improperly stored on systems. Slightly better than a quarter of organizations felt like they had a grip on that.
This is certainly a scary example that talks about how pervasive this issue is. So at Illusive, one of the things that we've done is gone out and worked with our customers to do some assessments of different environments and get a grip on what we actually see in the real world.
I've got some data here. This first column shows, per customer, how many hosts were a part of this assessment.
You can see they go anywhere from 500 to over 20,000 systems, and then the different kinds of issues that we identified in these living environments. I'm just going to give you a couple of examples that I think show how the problem works out. This first organization, just over 2,500 endpoints: there, we found 30 different instances where a domain admin credential was stored in the Windows Credential Manager of a local host.
Certainly not egregious, but not very helpful either. That's 30 different systems where getting access to that system, or through another system to that system, provided full domain admin access in the environment.
And the attacker's problems are all solved for them. In another organization, slightly larger, just over 2,750 endpoints, they're doing a much better job in this space; in that same basic size of organization,
only one instance of a domain admin was found in the Windows Credential Manager.
So hats off to them, good management in that category. However, when we look at shadow administrators, here they're struggling: 20 different shadow administrator accounts. And this is interesting: those 20 different shadow admins were operating on nine different systems. So here's where multiple instances of shadow administrators operating on single hosts are a giant opportunity for an attacker that can identify this level of data. So let's look at one more facet; we'll jump up to some larger organizations and a different kind of data.
This organization, 10,000 endpoints. When we scanned them, we identified 84 existing domain-admin-based RDP sessions that were stale, disconnected, and hadn't been used in days, but still living in the memory of that target system. And so there's a huge opportunity for an attacker that can identify these sessions in operation.
It's very, very straightforward to scrape those credentials out of memory.
And again, domain admin is captured. Another organization doing fantastic work on this facet, 23,000 systems, not a single instance of a stale RDP session based on a domain admin credential. So very nice work, solid hygiene for them in that facet.
However, when we look at unmanaged local administrators, again a painful situation: 852 different local administrator accounts not being managed on only 743 systems, meaning some of these hosts have multiple local administrator accounts which are not being managed. So what this story tells us is that the problem is quite large; even organizations that do well in one space struggle to do well in them all. And of course, attackers identify this information and leverage it to their success fairly consistently.
So let's move on to managing the attack surface and what we can do,
some of the tools that we've developed at Illusive that allow organizations to impede this kind of process and manage this kind of vulnerability. So the first thing that we do is use an automated, perpetual discovery method to actually look at the data that's on production systems across several facets.
These four are key; there are additional ones as well, but we look at how credentials are being stored, and we find all kinds of things in this space, to give the security organization direct visibility into what credentials are stored where, on which systems, and to update that as it changes, because it does, on a day-in, day-out basis; people's behavior changes these processes. One of the next things we look at is crown jewel connections. We look at where in the production environment hosts are persisting data which would point directly to a crown jewel host or application.
And again, that could be data in the memory of this system. It could be in an application like a browser.
I mean, the last thing you would want is someone's browser to have not just a bookmark to a favorite spot which happens to be a crown jewel in your environment, but also to save the credentials in that link, basically meaning that anyone that got access to that host would have immediate access to a crown jewel. They just had to be smart enough to go look in the browser history, and it's a one-hop win. And we see this kind of persistent, sensitive connection history to sensitive objects in environments all the time.
Obviously local administrator accounts are a huge opportunity for the attacker. Interestingly, a lot of security organizations don't capture full Windows logs off of workstation-class entities, and so local administrator accounts become a way to not just perform administrative functions, but potentially across a series of hosts
if the username and password are replicated on multiple workstations. We do see that, but the monitoring typically is not able to see some of that behavior, because we may not be collecting Windows logs off of workstation-class systems.
And so Illusive provides direct access and visibility into how local administrative accounts are being leveraged, which local administrative accounts are being managed, which are not, when passwords were updated, et cetera. And then of course, shadow administrators. Obviously there are other tools out there that will examine Active Directory and give you some visibility into which accounts through ACLs have been granted privileges that are high or excessive, but Illusive actually looks into the production environment.
It not only identifies the shadow administrator accounts, but shows you where those credentials are in operation and where they're stored, a huge advantage in the environment.
So this crown jewel focus, and how we build this out at Illusive: I'll just use this quick visualization to show you what this looks like when we take an attacker perspective in our environments. We start by thinking about our crown jewels and visualizing.
This is a visualization out of an Illusive interface. The system over to the right, the glowing star, is the crown jewel host in the environment, and all the pathways between these systems are marked. What we've identified, basically, is where credential and connection data is being stored on these hosts, such that if I examine the host the way an attacker would, and I look for data, it will point me directly at other hosts and potentially give me the credentials to access those systems.
Once we've visualized all of the connections that are available, we can actually look at the paths that violate policy.
We set policy and say, look, this kind of a connection in this environment provides no value to us as an organization, and it actually presents a fair amount of risk. If an attacker gets access to this, it's a very easy step to the next host and perhaps on to something sensitive.
Once we've identified these paths that violate your security policies, the Illusive system allows for automated removal of that connecting data from the production systems in an ongoing process, and then alerts you: hey, we've had to clean up this host again, someone has saved this information. This basically is why we call this a cyber hygiene play, dealing with a next generation,
if you will, of vulnerabilities that can be managed: take the attacker perspective to identify this information and simply remove it from the environment, to starve the attacker of the kind of connections they can ride that are the simplest for them to use and the hardest for us to detect.
So jumping back and looking at the Illusive platform, there are really three different pillars to our capability. The first is a tool we call Attack Surface Manager.
This is the platform that identifies privileged credential and connection data that persists on workstation and server class hosts in your environment, and then automatically cleans that information out of the environment on an ongoing basis. As for the rest of the platform, there's another tool that is our attack detection system, which includes an intelligence and response capability. What this does is really force an attacker to reveal themselves, using deceptive methodology to exploit the attacker's affinity for privileged credentials and connection data.
We can actually use that against them. So let's take a look at how the whole system plays together in an environment and what that solution would look like. The first part of the process is, again, to manage the attack surface.
This is critical: as a security team, we need to be able to focus in on our own systems and identify the persistent information on them that can be exploited.
In this visualization, the green hosts represent the actual production hosts in this environment. The little white callouts represent connections to crown jewel systems, and the little person-shaped icon represents credentials that are on the system. What Attack Surface Manager does is specifically identify connection paths or credential data that provide no value to the organization but are in fact a vulnerability and a great opportunity for the attacker, and simply remove that data. This form of continuous cleanup really starves the attacker.
One of the things about this capability that I think is super effective is that it allows us to look at the particular hosts that create the greatest number of vulnerabilities. Here in this visualization,
we're seeing that this Windows-7-1 host has access to a lot of different groups, credentials, or crown jewel systems.
One of the things the Illusive platform does, as you can see over on the right, is score this on a scale from one to a thousand: simply removing this first connection, to the IT admin group, from this Win 7 host provides a huge impact, based on the number of other systems that could potentially connect through Windows-7-1. Right?
So we're looking for those choke points where we can get the most bang for the buck with the cleanup, cutting off the easy flow of movement for the attacker. One thing about this process is that the general rules included with the system provide great visibility, but customization becomes an important element. By that we mean that, let's say, when it comes to storing credentials, there are places where storing credentials could be completely fine.
That's a part of your business process that needs to be maintained in this environment.
You know, particular credentials can be stored on hosts in this OU; that's fine, we expect that, and so that's not a problem.
However, those same credentials stored in another environment might be a giant risk that's unacceptable. The Illusive Attack Surface Manager has the ability to differentiate those situations and take action accordingly. The next part of the process is where Illusive uses the deceptive methodology to disorient the attacker and feed them information that makes it extremely difficult to move without being detected.
And so, you know, we can see how this looks to an attacker. Everything in white and green, of course, is legitimate hosts or connection and credential information that we can't remove; these are the workflows within the organization. The orange objects are all deceptive history and objects that are planted throughout this environment on the production systems themselves.
So when an attacker lands on a system and begins to inspect that host for credential and connection data, they're now presented with highly logical, highly believable deceptive history, and they now have a big data problem trying to determine what's real and what's not.
And when they attempt to move laterally, leveraging the credential and connection data that we've planted on the production system, we detect that behavior, shutting down the attack and giving us the differentiation that, hey, what normally might look like normal user behavior is in fact malicious. I can give you one quick example of how these deceptions become somewhat inescapable to the attacker. Here we can see a very common tool being used on this host. This is Windows Credential Editor; it functions much like Mimikatz.
If you will, it just gives us visibility into the memory of a system and the credentials that are stored in that memory. We can see on this host that the John Smith account and a DB admin account are both logged in, but when Illusive has operated on the system, what happens is that an additional credential has been planted on this system, this admin account with its password hash, and it becomes a juicy target for an attacker.
They now have to pick between the credentials on this system. What's great about this is that it doesn't matter what tool the attacker brings to bear.
Whether they use Windows Credential Editor or Mimikatz or some variant of their memory scraper of choice, we're not trying to solve the attacker tool problem. We've gotten down below that, at the data layer. So it doesn't matter what tool they bring to the attack; the data that they operate from is where we have manipulated the environment.
And then the last element in the process is where, when we see attackers attempting to move laterally using the deceptive information that we planted in the environment, we send a binary to the source of the behavior and gather real-time forensics off the source machine itself. This gives us outstanding real-time context into what's happening on the system.
You can see here we've gathered screenshots directly from the source host, and this gives us great context. Of course we gather all the usual information
you'd expect: running processes, logged-on users, network connections, and all that kind of stuff. This is a great way to get an instant understanding of what's happening on these systems. So I want to leave time for questions today in the session, but we're very excited about this continuous attack surface visibility and how it really supports the other tools that are in the space. Identity and access management and privileged access management are key elements in our security posture.
As security organizations, Illusive really provides an outstanding audit capability for those kinds of platforms, to show security teams exactly how effective these tools are and where the exceptions are being operated. Obviously vulnerability management:
this is a new layer in that kind of discovery and management for organizations.
And so the combination of the two, both traditional vulnerability data and credential and connection based opportunities for the attacker, gives an organization a holistic look at what can happen in our environments and where attackers could leverage that data.
And again, this is how the attacker views our environment, so there's a huge advantage to us in doing the same, and then other layered defenses as well. So with that, I'd like to pass the baton back over to Alexei. Thank you for the opportunity to talk about this problem and the Illusive solution.
So, Alexei, let me turn it back over to you.
Well, thank you very much.
Wade, just let me quickly switch back to my screen. All right. Well, again, thanks a lot. That was a really insightful presentation, and we still have some time left for the Q&A part. So let me quickly remind you, you can use the questions tool on the GoToWebinar control panel to type in your question. I will read them aloud and we will answer them together, or I will let Wade answer them. We already have a couple of questions in the queue, and the first one, I like this one:
So if a company already has a PAM, a privileged access management system, in place, what added value can your solution provide on top of that?
Yeah, this is a great question. So one of the things about PAM and IAM solutions is that that's a control function, right, where we're attempting to control and manage privileged credentials and sensitive identities. But most of those tools don't provide an audit function to actually go out and look into the environment and query all the hosts to identify what credentials are in place that perhaps aren't being managed.
We see situations where, in many cases, there are particular accounts that operate outside of PAM and IAM solutions, and Illusive can show you where those accounts are being used. A lot of organizations use the data that comes out of Illusive to continuously modify and update the rule sets in their PAM and IAM platforms.
It's like, you know, most organizations obviously do data backups, but you wouldn't trust your backups unless you've done a restore process to audit the effectiveness of your backups, right? Illusive becomes the audit function behind your PAM and IAM solution. Great question.
Okay. And let me just quickly add on top of that.
So even those companies who actually use PAM, and unfortunately not all do, even those who do are usually focusing those solutions on administrators, contractors, their own admins, stuff like that. What they often overlook is that nowadays the most privileged users aren't admins; those are, like, the CFO or CEO, for example, the one person who can authorize a million dollar transfer to an African country. If your PAM does not cover those users, then your PAM is kind of useless in this particular scenario. Okay. Let's move on to the next question.
This should be an easy one. So, are you present in Germany? Do you have a team here in Germany?
Ah, yes, we do. And so we can absolutely connect you with the team. If you reach out to the KuppingerCole team or to myself, we will connect you to the folks that work in Europe.
Okay. Next question.
And again, please keep them coming. Can most of this functionality be provided by built-in policy controls like GPOs in Active Directory?
Ah, great question. So this question deals with the same issue that we find on the identity and access and PAM side, right? We set policy in GPO, but to actually audit the effectiveness of those policies, we have to look at the endpoints themselves, right?
So some things can be controlled by group policy objects in Active Directory, and some things can't. Sure, we can define controls for RDP sessions in GPO, but we don't define things in GPO like how browsers are storing data connected to sensitive hosts and crown jewels in our environment. GPOs deal with domain based objects, but they don't necessarily affect local administrator accounts.
And so there's a wealth of information that the Illusive platform provides that really shows you how effective your policies are and gives you an opportunity to tune those policies to the greatest effect in your environment. Yeah. Great question.
Yeah. And I guess those Active Directory policies do not apply to Linuxes, Macs, routers and other non-Windows devices. Absolutely, great point. And by the way, kind of following up on this, the next question is very relevant. So how actually do you do that?
Do you deploy agents on endpoints, or do you do it on the network level? How does it work?
Right.
So this is part of what makes Illusive unique. I think other organizations, other security tools, have tried to do this from the network perspective, and it's just extremely difficult to do. So we've taken an approach of gathering this data directly from the endpoint, but without using a persistent agent. What we do is a unique method,
I think, to Illusive; it's going to be more common as we go forward. Illusive sends a dissolvable binary to the endpoint. It's a small executable that runs typically for about half a second. It examines the host, gathers the data, enforces policy, deploys deceptions, and then completely deletes itself and kills the process. There's no residual on the endpoint itself, other than the fact that the data on the system has either been cleaned off or re-added, depending upon what's happening.
We do this process slightly more often than once a day; about every 20 hours is the default, and it's obviously something you can tune. This gives us a number of advantages. First of all, it's just very lightweight on the endpoint; there's no persistent agent there. Second of all, attackers leverage the data that they see when they look at our endpoints, and basically size up our security capabilities based on the tools that are running on the endpoint.
So the fact that Illusive doesn't deploy an agent is great news for IT operational teams that aren't having to support that overhead, and then again another layer of difficulty for the attacker: we're not giving away our presence there.
And again, there's no agent to attack, right? The system is effective, and it really can't be turned off by an attacker.
So in other words, basically, you are fileless malware.
I didn't say that, Alexei.
Yeah.
Fileless,
You said that.
Okay.
So what can I say? The company thinks like an attacker, and so that's the method we use.
Right. Okay. Next question.
So how is your solution different from other detection methods in terms of speed of detection?
Great question.
So one of the things that we like about it is the speed. A lot of competing technologies in our space, a lot of other technologies that are trying to deal with this problem, tend to be behavioral analytics solutions, right, where you're trying to differentiate this behavior from normal when an attacker attempts to move. Really, we've shifted that burden over to the attacker themselves. So it's a very low false positive, very low noise system.
When it throws an alert, what that means is that we have a positive detection that a process or a user on a production system is leveraging the credential and connection data that we planted on that system; they're attempting to move using that information. So the system automatically responds to that endpoint in real time to gather the context off of that system. The speed is outstanding.
As a matter of fact, our response to endpoints is so efficient that most security teams leverage our response when they get detections from their other tools. Say a proxy system in their environment identifies an outbound connection out of the network to a very low reputation host in DNS; their system scripts, through the Illusive API, for Illusive to reach out to that internal system and gather the forensics data off of it.
The user is completely unaware that we're doing this; it's fast and light, but that data has been captured as it's happening, before the attacker gets the time to alter logs or kill processes or hide their tracks. So speed is critical, and the speed of the Illusive response is outstanding.
Great question.
Okay. And I think we have time left for one last question, which would be this one. Can you work in, well, I assume, non-Windows environments, like industrial networks, IoT devices, stuff like that?
Great question. So the solution works in Windows environments. We also have capabilities in Linux as well as macOS-based environments. In the Linux environment, we're not actively deploying onto, you know, black box Linux systems, but we do deal with the workstation and server class hosts that interact with those kinds of OT and infrastructure based devices, you know, SCADA and other devices like that. One of the things that we do is identify networks that have everything from mainframes to SWIFT wire transfer to, you know, the printer infrastructure. We identify all of those objects.
And then we use that as part of our deceptive storytelling to lure attackers into interacting with the objects that we plant. So we absolutely leverage that data today.
Okay, great. Well, thanks again, Wade. And with that, we have reached the end of our allocated one hour time slot. Thank you very much to all attendees. I hope to meet you virtually in one of our future webinars, and have a nice day.