Fidelis Adds Risk Simulation and MITRE ATT&CK Mapping to Elevate Platform

Fidelis Cybersecurity has announced a raft of enhancements to its Fidelis Elevate platform, which comprises a network product, an endpoint product, and a deception product. The purpose of the platform is to help defenders understand their environment better than attackers — which is not always true — and to arm the defenders with the ability to detect and respond to evasive incursions.

“Elevate,” Fidelis CTO Craig Harber told SecurityWeek, “focuses on continuous real-time network visibility rather than periodic scans. This requires understanding every device in the environment, and the risk factor — applications, patch level, etcetera — it contains.”

The latest version of Elevate, announced February 19, 2020, dives deeper, improves the presentation of the visibility, adds new features to increase analysts’ understanding of the network and the threats to its security, and adds improved defensive mechanisms. Endpoint defense is improved through the combination of several new features: an improved cloud sandbox and analytics; the ability for analysts to connect directly to an endpoint and see its file system and processes; mapping to MITRE ATT&CK; and the ability to search the entire network for any suspicious file.

Suspicious files are automatically submitted to the sandbox for analysis, but can also be submitted manually by the analysts. If a file is found to be concerning, the analyst can create a hash and search the rest of the network for any further instances of that file. If an intrusion is detected, the ATT&CK mapping can give clues on who might be involved and what might be expected.

A second major defensive improvement is to the deception product. “This includes faster decoy deployment and customized breadcrumbs, delivered by a new executable rather than the previous scripts,” Harber told SecurityWeek. “You don’t want ‘standard’ breadcrumbs, that can be learned, recognized and ignored by the attacker. You need breadcrumbs that can be customized per asset.”

A typical breadcrumb could be a weak or plaintext password to a decoy asset, left in memory. “The purpose,” continued Harber, “is to switch the attacker’s attention away from a real asset to a decoy — and if anyone uses that password, you have a high fidelity alert on what is either an intruder or a malicious insider.” This allows the enterprise to control the attack surface.

However, “the real benefit of the deception technique is that it will detect lateral movement,” he added. “The alerts created are high confidence alerts. From the customer perspective, this means that the customer knows he has the opportunity to respond or observe to better understand the attackers’ objectives.”
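As an added illustration of the per-asset breadcrumb idea (example code written for this edit, not Fidelis code; the logon-event format, the registry layout and the host names are assumptions): because each decoy credential is unique to the host it was planted on, any logon attempt that uses it both raises a high-fidelity alert and tells the defender which real host the intruder has already reached.

```python
import re
from dataclasses import dataclass

# Constructed breadcrumb registry (an assumed format, not Elevate's): each
# decoy account is unique to the real asset it was planted on, so the account
# an intruder tries tells the defender which host was harvested.
BREADCRUMBS = {
    "svc_backup_a1": {"planted_on": "ws-fin-07", "decoy": "bak-decoy-01"},
    "svc_backup_b9": {"planted_on": "ws-eng-12", "decoy": "bak-decoy-01"},
}

# Constructed logon-event format used for the sample below.
LOG_RE = re.compile(r"^(?P<ts>\S+) auth target=(?P<target>\S+) "
                    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")

@dataclass
class DecoyAlert:
    ts: str
    user: str
    src: str             # host the logon attempt came from
    harvested_from: str  # host the breadcrumb was planted on
    lateral: bool        # used from a different host: the credential has travelled

def decoy_alerts(lines, breadcrumbs=BREADCRUMBS):
    """Every use of a breadcrumb account, successful or failed, is an alert:
    no legitimate user or process knows these accounts exist."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        crumb = breadcrumbs.get(m["user"]) if m else None
        if crumb is None:
            continue
        alerts.append(DecoyAlert(ts=m["ts"], user=m["user"], src=m["src"],
                                 harvested_from=crumb["planted_on"],
                                 lateral=m["src"] != crumb["planted_on"]))
    return alerts

# Constructed sample events: a normal logon, a failed decoy logon from the
# host the breadcrumb was planted on, a decoy logon from a second host, noise.
SAMPLE_LOG = [
    "2020-02-19T10:01:02 auth target=file-01 user=jdoe src=ws-fin-07 result=ok",
    "2020-02-19T10:07:45 auth target=bak-decoy-01 user=svc_backup_a1 src=ws-fin-07 result=fail",
    "2020-02-19T10:09:13 auth target=bak-decoy-01 user=svc_backup_a1 src=ws-eng-12 result=ok",
    "garbage line the parser must skip",
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print(alert)
```

The second alert is the lateral-movement signal Harber describes: a credential that only ever existed on ws-fin-07 is now being used from ws-eng-12, so both hosts deserve attention.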

This leads to a major new feature in Elevate: risk simulation. The risk simulator uses the new graphical visualization to introduce a risk score per asset (based on a combination of parameters that demonstrate the vulnerability of a particular asset), together with multi-hop communication paths to that asset.

“This allows me to understand the potential avenues for attack,” explained Harber, “and allows me to improve the overall security of the network. Patching, for example. I may not be able to patch everything, but the risk simulation can highlight areas that I really ought to patch to protect downstream high value assets; or perhaps apply additional deception decoys and breadcrumbs along the potential attack route.”


The risk simulator, potentially enhanced by knowledge of possible TTPs gleaned from the MITRE ATT&CK mapping where an intruder has already been detected on an endpoint, allows the analysts to engage in a variation of red team/blue team defending without the need to employ a separate white hat red team. Purple teaming may be a better description.

The defenders are as usual the blue team. Fidelis Elevate — and any detected intruder already on the network — are the red team. Since the intruder has already been detected, the ATT&CK mapping may have already identified likely candidates for the attack group, and indicated potential TTPs and targets. 

The blue team can start from high value target assets and then use the risk simulator to assess the risk level associated with that target asset — and the possible inward paths that might be used by the attacker laterally moving in on the target. The basic process is valid whether there is a real intruder or not: the blue team can examine any high value asset and assess how it could theoretically be attacked through potential lateral movement. Those possible paths can then be better fortified by ensuring all the surrounding nodes are fully patched and perhaps by laying a new decoy and breadcrumbs deception along the path. The deception process will both detect the attacker and divert him away from the real target.
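A minimal version of the blue-team workflow above, as added example code (not Fidelis Elevate's algorithm; the topology, the per-asset scores and the product-of-scores path model are assumptions): enumerate the multi-hop inbound paths to a high-value asset, score each path, and rank which surrounding node patching would reduce aggregate path risk the most.

```python
# Constructed example topology and scores, not data from Fidelis Elevate.
# An edge "a" -> ["b"] means asset a can talk to asset b on the network.
EDGES = {
    "vpn-gw": ["jump-01"],
    "web-01": ["app-01"],
    "jump-01": ["app-01", "db-01"],
    "app-01": ["db-01"],
}
# Assumed per-asset compromise likelihood in [0, 1], standing in for a score
# built from patch level, exposed applications and similar parameters.
ASSET_RISK = {"vpn-gw": 0.6, "web-01": 0.7, "jump-01": 0.3,
              "app-01": 0.5, "db-01": 0.2}

def inbound_paths(target, edges=EDGES, max_hops=3):
    """All loop-free paths of 1..max_hops hops that end at `target`,
    walking the reversed graph outward from the high-value asset."""
    reverse = {}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)
    found = []
    def walk(path):                 # path[0] is the current frontier node
        if len(path) > max_hops:    # a path of n nodes has n-1 hops
            return
        for prev in reverse.get(path[0], []):
            if prev not in path:    # skip cycles
                found.append([prev] + path)
                walk([prev] + path)
    walk([target])
    return found

def path_risk(path, risk=ASSET_RISK):
    """Chance the whole chain is compromised: product of per-node scores."""
    r = 1.0
    for node in path:
        r *= risk[node]
    return r

def patch_priority(target, edges=EDGES, risk=ASSET_RISK, patched=0.05):
    """Rank non-target assets by how much driving each one's score down to
    `patched` lowers the summed risk over every inbound path to target."""
    paths = inbound_paths(target, edges)
    baseline = sum(path_risk(p, risk) for p in paths)
    gains = {}
    for node in risk:
        if node != target:
            trial = {**risk, node: patched}
            gains[node] = baseline - sum(path_risk(p, trial) for p in paths)
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)
```

With these constructed values, app-01 sits on four of the six inbound paths to db-01 and ranks first, which is exactly the kind of "patch this one first" answer the risk simulator is meant to give.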

“While many cyber security solutions focus on a point in time, the reality is that the threat is dynamic and always evolving,” said Harber. “Fidelis Elevate provides a comprehensive solution that automatically detects in real-time individual attack techniques and alerts on critical technique sequences which give strong indications of both APTs and potential zero-day attacks, allowing threat hunters to proactively respond to attacks before it’s too late.”

Related: MITRE Releases ATT&CK Knowledge Base for Industrial Control Systems 

Related: How Deception Technology Can Defend Networks and Disrupt Attackers 

Related: Randori Arms Red Teams With New Automated Attack Platform 

Related: Network Traffic Analysis Provides Visibility, Detection and Investigation Capabilities 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
