Posts

Using Dynamic Honeypot Cyber Security: What Do I Need to Know?

Honeypots are systems on your network that attract and reroute hackers away from your servers, trapping them to identify malicious activities before they can cause harm. The perfect decoy, they often containing false information, without providing access to any live data. Honeypots are a valuable tool for uncovering information about your adversaries in a no-risk environment. A more sophisticated honeypot can even divert attackers in real-time as they attempt to access your network.

How Does Honeypot Security Work?

The design of the honeypot security system is extremely important. The system should be created to look as similar as possible to your real servers and databases, both internally and externally. While it looks like your network, the actual honeypot is a replica, entirely disparate from your real server. Throughout an attack, your honeypot is able to be monitored closely by your IT team.

A honeypot is built to trick attackers into breaking into that system instead of elsewhere. The value of a honeypot is in being hacked. This means that the security controls on your honeypot need to be weaker than on your real server. The balance is essential. Too strong, and attackers won’t be able to make a move. Too weak, and they may suspect a trap.

Your security team will need to decide whether to deploy a low-interaction honeypot or a high-interaction honeypot. A low-interaction solution will be a less effective decoy, but easier to create and manage, while a high-interaction system will provide a more perfect replica of your network, but involve more effort for IT. This could include tools for tricking returning attackers or separating external and internal deception.

What Can a Honeypot Cyber Security System Do?

Your honeypot cyber security system should be able to simulate multiple virtual hosts at the same time, assign hackers with a unique passive fingerprint, simulate numerous TCP/IP stacks and network topologies, and set up HTTP and FTP servers as well as virtual IP addresses with UNIX applications.

The type of information you glean depends on the kind of honeypot security you have deployed. There are two main kinds:

Research Honeypot: This type of honeypot security is usually favored by educational institutions, researchers and non-profits. By uncovering the motives and behavior of hackers, research teams such as Guardicore Labs can learn the tactics the hacking community are using. They can then spread awareness and new intelligence to prevent threats, promoting innovation and collaboration within the cyber security community.

Production Honeypot: More often used by enterprises and organizations, production honeypot cyber security measures are used to mitigate the risk of an attacker on their own network, and to learn more about the motives of bad actors on their data and security.

These honeypots have one particular element in common: the drive to get into the mind of the attacker and recognize the way they move and respond. By attracting and tracking adversaries, and wasting their time, you can reinforce your security posture with accurate information.

What are the Benefits of Honeypot Security?

Unlike a firewall, a honeypot is designed to identify both internal and external threats. While a firewall can prevent attackers getting in, a honeypot can detect internal threats and become a second line of defense when a firewall is breached. A honeypot cyber security method therefore gives you greater intelligence and threat detection than a firewall alone, and an added layer of security against malware and database attacks.

As honeypots are not supposed to have any traffic, all traffic found is malicious by its very existence. This means you have unparalleled ease of detection and no anomalies to question before you start learning about possible attacks. This system provides smaller datasets that are entirely high-value, as your IT and analytics team does not have to filter out legitimate traffic.

Honeypot security also puts you ahead of the game. While your attackers believe they have made their way into your network, you have diverted their attacks to a system with no value. Your security team is given early warning against new and emerging attacks, even those that do not have known attack signatures.

Making Valuable Use of Honeypot Security

More recently, sophisticated honeypots support the active prevention of attacks. A comprehensive honeypot security solution can redirect opportunistic hackers from real servers to your honeypot, learning about their intentions and following their moves, before ending the incident internally with no harm done.

Using cutting-edge security technology, a honeypot can divert a hacker in real-time, re-routing them away from your actual systems and to a virtualized environment where they can do no harm. Dynamic deception methods generate live environments that adapt to the attackers, identifying their methods without disrupting your data center performance.

You can then use the information you receive from the zero-risk attack to build policies against malicious domains, IP addresses and file hashes within traffic flows, creating an environment of comprehensive breach detection.

It’s important to remember that a high-interaction honeypot without endpoint security could be used as a launch pad for attacks against legitimate data and truly valuable assets. Honeypots are intended to invite attackers, and therefore add risk and complexity to your IT ecosystem. As with any tool, honeypots work best when they are integrated as part of a comprehensive solution for a strong security posture. The best cyber-security choice for your organization will incorporate honeypots as a detection and prevention tool, while utilizing additional powerful security measures to protect your live production environment.

Virtualization and Cloud review comment that while honeypots and other methods of intrusion detection “are usable in a classical environment, they really shine in the kinds of highly automated and orchestrated environments that make use of microsegmentation.”

Honeypot security systems can add a valuable layer of security to your IT systems and give you an incomparable chance to observe hackers in action, and learn from their behavior. You can gather valuable insight on new attack vectors, security weaknesses and malware, using this to better train your staff and defend your network. With the help of micro-segmentation, your honeypot security strategy does not need to leave you open to risk, and can support an advanced security posture for your entire organization.

What is File Integrity Monitoring and Why Do I Need It?

File integrity monitoring (FIM) is an internal control that examines files to see the way that they change, establishing the source, details and reasons behind the modifications made and alerting security if the changes are unauthorized. It is an essential component of a healthy security posture. File integrity monitoring is also a requirement for compliance, including for PCI-DSS and HIPAA, and it is one of the foremost tools used for breach and malware detection. Networks and configurations are becoming increasingly complex, and file integrity monitoring provides an increased level of confidence that no unauthorized changes are slipping through the cracks.

How Does File Integrity Monitoring Work?

In a dynamic, agile environment, you can expect continuous changes to files and configuration. The trick is to separate between authorized changes due to security, communication, or patch management, and problems like configuration errors or malicious intent that need your immediate attention.

File integrity monitoring uses the process of baseline comparison to make this differentiation. One or more file attributes are stored internally as a baseline, and this is then compared periodically when the file is being checked. Examples of baseline data used could be user credentials, access rights, creation dates, or last known modification dates. In order to ensure the data is not tampered with, the best solutions calculate a known cryptographic checksum, and can then use this against the current state of the file at a later date.

File Integrity Monitoring: Essential for Breach Detection and Prevention

File integrity monitoring is a prerequisite for many compliance regulations. PCI DSS for example mentions this foundational control in two sections of its policy, For GDPR, this kind of monitoring can support five separate articles on the checklist. From HIPAA for health organizations, to NERC-CIP for utility providers, file integrity monitoring is explicitly mentioned to support best practice in preventing unauthorized access or changes to data and files.

Outside of regulatory assessment, although file integrity monitoring can alert you to configuration problems like storage errors or software bugs, it’s most widely used as a powerful tool against malware.

There are two main ways that file integrity monitoring makes a difference, Firstly, once attackers have gained entry to your network, they often make changes to file contents to avoid being detected. By utilizing in-depth detection of every change happening on your network and contextually supporting alerts based on unauthorized policy violations, file integrity monitoring ensures attackers are stopped in their tracks.
Secondly, the monitoring tools give you the visibility to see exactly what changes have been made, by whom, and when. This is the quickest way to detect and limit a breach in real-time, getting the information in front of the right personnel through alerts and notifications before any lateral moves can be made or a full-blown attack is launched.

Incorporating file integrity monitoring as part of a strong security solution can give you even more benefits. Micro-segmentation is an essential tool that goes hand in hand for example. File integrity monitoring can give you the valuable information you need about where the attack is coming from, while micro-segmentation allows you to reduce the attack surface within your data centers altogether, so that even if a breach occurs, no lateral movement is possible. You can create your own strict access and communication policies, making it easier to use your file integrity monitoring policies to see the changes that are authorized and those which are not. As micro-segmentation works in hybrid environments, ‘file’ monitoring becomes the monitoring of your entire infrastructure. This extended perimeter protection can cover anything from servers, workstations and network devices, to VMware, containers, routers and switches, directories, IoT devices and more.

Features to Look for in a File Integrity Monitoring Solution

Of course, file integrity monitoring can vary between security providers. Your choice needs to be integrated as part of a full-service platform that can help to mitigate the breach when it’s detected, rather than just hand-off the responsibility to another security product down the line.

Making sure you find that ideal security solution involves checking the features on offer. There are some must-haves, which include real-time information so you always have an accurate view of your IT environment, and multi-platform availability. Most IT environments now use varied platforms including different Windows and Linux blends.

Another area to consider is how the process of file integrity monitoring seamlessly integrates with other areas of your security posture. One example would be making sure you can compare your change data with other event and log data for easy reporting, allowing you to quickly identify causes and correlative information.

If you’re using a micro-segmentation approach, creating rules is something you’re used to already. You want to look for a file integrity monitoring solution that makes applying rules and configuring them as simple as possible. Preferably, you would have a template that allows you to define the files and services that you want monitored, and which assets or asset labels contain those files. You can then configure how often you want these monitored, and be alerted of incidents as they occur, in real-time.

Lastly, the alerts and notifications themselves will differ between solutions. Your ideal solution is one that provides high level reporting of all the changes throughout the network, and then allows you to drill down for more granular information for each file change, as well as sending information to your email or SIEM (security information and event management) for immediate action.

File Integrity Monitoring with Micro-Segmentation – A Breach Detection Must Have

It’s clear that file integrity monitoring is essential for breach detection, giving you the granular, real-time information on every change to your files, including the who, what, where and when. Alongside a powerful micro-segmentation strategy, you can detect breaches faster, limit the attack area ahead of time, and extend your perimeter to safeguard hybrid and multi-platform environments, giving you the tools to stay one step ahead at all times.

The Average Cost of a Data Breach, and how Micro-Segmentation can Make a Difference

In the US, the financial cost of a data breach is rising year on year. IBM’s Cost of a Data Breach Report, is independently conducted annually by the Ponemon Institute. This year, the report included data from more than 15 regions, across 17 industries. They interviewed IT, compliance, and data protection experts from 477 companies. As a result, the true average cost of a data breach is more accurate than ever.

Crunching the Numbers: The Average Cost of a Data Breach

According to the study, the average cost of a data breach in 2018 is $3.86 million, which has increased by 6.4% since last year’s report.

While the risk of a data breach is around 1 in 4, not all breaches are created equally. Of course, the more records that are exposed, the more expensive and devastating a breach will be. A single stolen or exposed data record costs a company an average of $148, while 1 million, considered a Mega Breach, will cost $40 million. 50 million may be reserved for the largest enterprises, but this will raise the financial cost to $350 million.

Beyond a Ransom: The Hidden Cost of Data Breach

Although many businesses worry about the rise in ransomware, the cost of a data breach is about much more than any malicious demand from a hacker could be. The true cost can be broken down into dozens of areas, from security upgrades in response to the attack to a drop in your stock price when word of the breach gets out. Research by Comparitech found that companies tend to see a stock price slide of 42% following a breach. Other costly elements of a data breach include Incident investigation, legal and regulatory activity, and even updating customers. These all contribute to the escalating cost when you fail to adequately protect your company against a data breach.

The Ponemon study found that the largest cost comes from customer churn. The US sees the highest cost in the world in terms of lost business due to a data breach, more than two times the average figure, at $4.2 million per incident. Most analysts put this discrepancy down to the nature of commerce in the United States. In the US, there is far more competition and choice, and customer loyalty is both harder to hold onto and almost impossible to retrieve once trust is lost.

Customers also have more awareness of data breaches in the US, as laws dictate they must be informed of any issues as they are uncovered. This kind of reputational damage is devastating, especially in the case of a Mega Breach. In fact, 1/3 of the cost of Mega Breaches can be attributed to lost business.

Of course, there is also the fear that even if you manage to recover from a data breach, the worst is not over. The IBM study found that there is a 27.9% chance of another breach in the following two years after an attack, making your company extremely vulnerable unless you can make considerable changes, and fast.

Preparing Your Business for the Average Cost of a Data Breach

The numbers don’t lie. The speed and impact of data breaches is something to which every company, no matter the size, should be paying attention. There are definitely ways to protect your business and to position yourself responsibly for the worst case scenarios.

According to Verizon, 81% of all breaches exploit identity, often through weak passwords or human error. Malware can piggyback onto a legitimate user to get behind a physical firewall, which is why most IT professionals agree that even next-gen firewalls are insufficient. To limit the potential repercussions of this, all businesses need to be employing a zero-trust model.

With micro-segmentation, perimeters can be created specifically for the protection of sensitive or critical data. This ensures that all networks are considered not trusted. Using a granular approach to limit communications, and tagging workloads themselves with labels and restrictions. Containment of attacks is built into your security from the outset, by limiting the attacker’s freedom of movement and restricting ability for any lateral movement at all. As the financial impact of a data breach rises with the amount of data records stolen, this is a significant weapon to have at your disposal.

Rapid Response Can Limit the Cost of Data Breaches

Efficiency in identifying an incident as well as the speed of the response itself has a huge impact. Rapid response can save money, as well as proving to your customers that you still deserve their trust. According to the IBM report, the average time it took companies to identify the data breach was 197 days. Even once a breach was detected, the average time to contain it was a further 69. When it came to a Mega Breach – it could take an entire year to detect and contain.

With micro-segmentation, the visibility is immediate. All communications are logged, including East-West traffic. This includes private architecture, cloud-based systems, and even hybrid solutions. The best solutions will offer alerts and notifications in case of any unusual behavior, allowing you to stop threats in their tracks, before any damage has been done.

The quicker this happens, the less financial damage will be done. In fact, on average, companies who suffered a breach that managed to contain it within 30 days saved more than $1 million over companies who couldn’t. The larger the breach – the more significant these savings are likely to be.

Ensure You’re Fully Armed Against a Data Breach

The complex nature of most businesses IT systems explains the growing threat of cyber-crime, and the increasing financial cost of lax security holding us all to ransom. Traditional security systems are not enough to ensure adequate protection from a data breach, or rapid detection and response in case the worst happens.

Micro-segmentation offers granular flexible security that adapts to your exact environment, detecting and limiting the force of an attack, and providing the visibility and response tools you need to keep your customers loyal.

Protecting your Business Against Attack Vectors and the Evolving Threat Landscape

Understanding Attack Vectors

An attack vector is the way that an adversary can gain unauthorized access to your network or devices. Over the years, there have been dozens of different attack vectors, many of which have adapted and evolved over time to cause harm or hold companies hostage. Today, networks and organizations are interconnected using both private and public clouds leaving the door ajar for attack vectors that are more sophisticated than ever. What should smart businesses look out for, and how can they protect themselves?

The Evolution of Cyber Attack Vectors

Traditionally, having hardened perimeter security was enough to protect data centers. Layers of security to detect and prevent a breach coming in or out of data centers meant that you could ward off attack vectors to your infrastructure and hardware, which was almost exclusively on-premise.

The Cloud and mobile solutions have changed all of this. The reality for data centers today is keeping data private and secure while running an environment that spans public, private and hybrid clouds. Companies now use a mix of compute resources: Containers, Serverless Functions and VMs. However hackers are not just targeting your compute resources, they are sneaking in via routers and switches, or storage controllers, and sensors. From this vantage point, attackers can then scale their attack, compromising an entire network with lateral movements and connected devices. The MITRE ATT&CK Framework is a great resource to dive deeper on the different initial access attempts¹.

As the way we access the internet changes, cyber attack vectors adapt their own designs right alongside. Assuming that we are plugging all the holes on the IT side is not enough. The human factor has always been a key vulnerability in the security scheme. It has become more prevalent with the advance in end-user technology in recent years. Smartphones are a good example of this. Mobile attack vectors are not something that any organization had to be aware of a decade ago, and now they are an ever-present reality providing an easy gateway into many organizations.

While most people know not to click on dangerous links that arrive via SMS from unknown numbers, and no longer fall prey to email phishing campaigns like unexpected warnings of your bank password being changed, new attack vectors come from unexpected places. The recent Man in the Disk attacks on Android devices are something no one could have anticipated. This malware relies on vulnerabilities in third-party application storage protocols that are not regulated by sandbox restrictions through Android². This careless use of external storage can lead to potential malicious code injection, or the silent installation of unrequested apps to the user’s device. From there, the journey of an attacker to leverage this access to a deeper data center one is very short.

As technology evolves, there are more ways than ever for bad actors to launch attacks. Smart devices and Cloud-solutions only serve to increase the number of platforms which can be used for malicious intent.

Which Attack Vectors Are the Biggest Threats Today?

Email and phishing schemes have been the attack vectors of choice for a large amount of malicious attacks over the past few years. However, as simple attacks are becoming more recognizable, more complex threats are increasingly in vogue. Worryingly, the trend in malware is a movement away from reliance on human error, to clever attack vectors that can strike without any conscious act by the user whatsoever³. Man-in-the-Disk was just one example of this.

Take Drive-by-Downloads. A user only has to visit a compromised website, and malicious code can be injected through their web browser. Once done, this can swiftly move laterally across a network. Mouse Hovering hacking is also growing, a technique that launches javascript when a user hovers over a link to see where it goes. This has been seen in familiar applications such as PowerPoint, showing that even what users consider to be ‘safe’ environments can be dangerous. Increasingly sophisticated attack vectors that can spread without a user’s knowledge or their initial action are only going to become more common over time. If these tactics are leveraged against a user with administrator access to your data centers, the results could be catastrophic.

Administrator access could be the weak link when it comes to keeping your data centers safe overall. By accessing admin privileges, adversaries have access to the most valuable information you store, and can therefore cause the most harm. It’s important to think about the way your business works in a crisis when you’re planning preventive security measures. Used in an emergency, local authentication options are often not logged in the same way as your admins usual activity, and the credentials may even be shared across workloads and hosts for the sake of ease of use.

As well as smarter attack vectors, the growth in threats such as file-less attacks show that attackers are getting better at learning how to cover their tracks. 77% of cyber-crime in the US last year used a form of file-less attack⁴. Research shows that this type of malware is ten times as likely to succeed as traditional file based attacks, and helps attackers stay well beneath the radar.

AI is also an area that is likely to be compromised in the near future, with many companies creating chatbots and machine learning tools as the customer-facing representative of their websites and apps. As virtual assistants are built by humans, they are subject to the same gaps that human knowledge has. Studies are beginning to show that AI has problems with hallucinations and recognition⁵. Let loose on customer data and processes, it’s easy to see how advanced malware may slip through the cracks.

More than ever, in preparation for the next stage of intelligent malware, companies need to secure their data centers effectively against the latest attack vectors.

How Can Businesses Protect Themselves from Cyber Attack Vectors?

Keeping your IT environment safe from the latest attack vectors means being able to detect threats faster, and with better intelligence.

This starts with visibility. Being able to identify application flows across your entire infrastructure means that you have granular visibility across your whole IT stack. Dynamic deception tactics automatically trap attackers, even when the end-user isn’t aware of what is going on under the surface. Reputation analysis instantly uncovers anything suspicious or out of the ordinary, from unexpected IP addresses and domain names to file hashes within application flows. Even new attack vectors are isolated in real-time, with mitigation recommendations so that incident response is streamlined.

Ring-fencing, the separation of one specific application from the rest of the IT landscape is one way that companies are limiting the reach of the latest attack vectors from their most sensitive data or valuable assets. This and other kinds of micro-segmentation allow your business to truly limit the attack surface of any potential breach.

There are a number of benefits to this. Regardless of operating system limitations, communication policy can be enforced at the layer 4 transport level as well as the Layer 7 process level. By segmenting your flows by the principle of least privilege, even if a breach occurs, you ensure that it is quickly isolated, and attackers are unable to make lateral moves or scale their intrusion any further. When micro-segmentation is enforced alongside breach detection and threat resolution, even new attack vectors can quickly become a known quantity, and are unable to pose real danger.

Staying Safe Against Future Cyber-Attack Vectors

The way that data is stored and transferred is dynamic in and of itself. Our methods and processes are always changing as the capabilities of the cloud and the hybrid nature of our IT environments continue to grow. In direct response, attack vectors will never stay the same for long, and hackers will always have new tricks up their sleeve to compromise the latest solutions and catch us unaware. As well as current attack vectors that take advantage of IoT devices and no-fault infiltration, predictions for the future include AI-driven malware and an increase in file-less malware attacks, allowing hackers to hide their activities from detection.

The only solution is true visibility of all your applications and workflows. Using this mapping alongside segmentation policy that controls communication flows can restrict attackers in their tracks at the smallest sign of an anomaly. Even against new or unknown attack-vectors, these tools enable true threat resolution that can protect your entire infrastructure in real-time.


1. https://attack.mitre.org/wiki/Main_Page
2. https://research.checkpoint.com/androids-man-in-the-disk/
3. https://churchm.ag/was-it-human-error/
4. https://www.securityweek.com/fileless-attacks-ten-times-more-likely-succeed-report
5. https://www.wired.com/story/ai-has-a-hallucination-problem-thats-proving-tough-to-fix

GuardiCore Upgrades Infection Monkey Open Source Cyber Security Testing Tool

Improved Ease of Use, New Exploits and Expanded Platform Support Enables Broader and Continuous Testing Across Data Center and Cloud Environments

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in internal data center and cloud security, today announced a new version of its Infection Monkey open source attack simulation tool with several significant enhancements. Designed to test the resiliency of modern data centers and clouds against cyber attacks, the Infection Monkey is an open source tool developed by GuardiCore Labs, originally introduced in 2016.

Read more

GuardiCore Extends Series B Funding Round to $35 Million Adding TPG Growth as a New Investor

Funding to Accelerate Growth in Large Enterprise Accounts and Expand Further into Global Markets

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in internal data center and cloud security, today announced that the company has raised an additional $15 million as an extension to its Series B funding round. This brings the company’s total funding raised to date to $48 million. The additional investment was led by TPG Growth, the middle market growth equity platform of alternative asset firm TPG, and Greenfield Partners, a TPG-Growth backed company based in Israel that focuses on investing in early growth-stage global technology and tech-enabled businesses. Existing investors include Battery Ventures, 83North, Cisco Investments and Dell Technologies Capital.

Read more