Fidelis Cybersecurity has announced a raft of enhancements to its Fidelis Elevate platform, which comprises a network product, an endpoint product, and a deception product. The platform is intended to help defenders understand their environment better than attackers do (which is not always the case) and to give defenders the ability to detect and respond to evasive incursions.
“Elevate,” Fidelis CTO Craig Harber told SecurityWeek, “focuses on continuous real-time network visibility rather than periodic scans. This requires understanding every device in the environment, and the risk factor — applications, patch level, etcetera — it contains.”
The latest version of Elevate, announced February 19, 2020, dives deeper, improves the presentation of the visibility, adds new features to increase analysts’ understanding of the network and threats to its security, and adds improved defensive mechanisms. Endpoint defense is improved through the combination of several new features: an improved cloud sandbox and analytics; the ability for analysts to connect directly to an endpoint and inspect its file system and processes; mapping to the MITRE ATT&CK framework; and the ability to search the entire network for any suspicious file.
Suspicious files are automatically submitted to the sandbox for analysis, but can also be submitted manually by analysts. If a file is found to be concerning, the analyst can compute its hash and search the rest of the network for any further instances of that file. If an intrusion is detected, the ATT&CK mapping can give clues on who might be involved and what might be expected next.
A second major defensive improvement is to the deception product. “This includes faster decoy deployment and customized breadcrumbs, delivered by a new executable rather than the previous scripts,” Harber told SecurityWeek. “You don’t want ‘standard’ breadcrumbs, that can be learned, recognized and ignored by the attacker. You need breadcrumbs that can be customized per asset.”
A typical breadcrumb could be a weak or plaintext password to a decoy asset, left in memory. “The purpose,” continued Harber, “is to switch the attacker’s attention away from a real asset to a decoy — and if anyone uses that password, you have a high fidelity alert on what is either an intruder or a malicious insider.” This allows the enterprise to control the attack surface.
However, “the real benefit of the deception technique is that it will detect lateral movement,” he added. “The alerts created are high confidence alerts. From the customer perspective, this means that the customer knows he has the opportunity to respond or observe to better understand the attackers’ objectives.”
This leads to a major new feature in Elevate: risk simulation. The risk simulator uses the new graphical visualization to introduce a risk score per asset (based on a combination of parameters that demonstrate the vulnerability of a particular asset), together with multi-hop communication paths to that asset.
“This allows me to understand the potential avenues for attack,” explained Harber, “and allows me to improve the overall security of the network. Patching, for example. I may not be able to patch everything, but the risk simulation can highlight areas that I really ought to patch to protect downstream high value assets; or perhaps apply additional deception decoys and breadcrumbs along the potential attack route.”
The risk simulator, potentially enhanced by knowledge of likely TTPs gleaned from the MITRE ATT&CK mapping where an intruder has already been detected on an endpoint, allows analysts to engage in a variation of red team/blue team exercises without the need to employ a separate white hat red team. Purple teaming may be a better description.
The defenders are as usual the blue team. Fidelis Elevate — and any detected intruder already on the network — are the red team. Since the intruder has already been detected, the ATT&CK mapping may have already identified likely candidates for the attack group, and indicated potential TTPs and targets.
The blue team can start from high value target assets and then use the risk simulator to assess the risk level associated with that target asset — and the possible inward paths that might be used by the attacker laterally moving in on the target. The basic process is valid whether there is a real intruder or not: the blue team can examine any high value asset and assess how it could theoretically be attacked through potential lateral movement. Those possible paths can then be better fortified by ensuring all the surrounding nodes are fully patched and perhaps by laying a new decoy and breadcrumbs deception along the path. The deception process will both detect the attacker and divert him away from the real target.
“While many cyber security solutions focus on a point in time, the reality is that the threat is dynamic and always evolving,” said Harber. “Fidelis Elevate provides a comprehensive solution that automatically detects in real-time individual attack techniques and alerts on critical technique sequences which give strong indications of both APTs and potential zero-day attacks, allowing threat hunters to proactively respond to attacks before it’s too late.”