
Detection is dead! Talking about isolation and hacker deception
According to Bahat, comparative antivirus studies showing 100% efficacy are all lies: the tests are done in a lab environment with every feature turned “on”. But with every feature “on”, the false-positive rate is too high, so nobody uses them all, he argues.
“I have a problem with the entire idea of detection, looking at a code and deciding if it is good or not. It doesn’t matter how good detection is, it is an impossible task. With the evasive techniques they use, hackers have become experts in hide & seek. We just lie to ourselves, pretending that if we can’t see the attackers then they are not there”.
Bahat again took the WannaCry worm as an example of an environment-aware attack, noting that the worm had at first been cautiously isolated in a sandbox by most antiviruses, but because it featured a time delay and stayed put for some days, it was then released again. As a response to hackers, Bahat proposes innovative defence scenarios, based mostly on reinforced network isolation and hacker deception.
“We want to keep malicious stuff as contained and far away as possible, we need to assume that everything is bad. You must shut down all direct access to your assets”, Bahat said, proposing what he calls “content disarmament & reconstruction” as one solution. “You take out everything that is important, take it apart and reconstruct it entirely with known safe code”.
For web browsing isolation, Bahat suggests that all the information be processed by a proxy that sends the user only an interactive HTML5 video stream in real time instead of the real pages. The users don’t even notice the difference, but it keeps the endpoints isolated. Once the session is over, all the content, together with the virtual browser, is destroyed.
Deception is the all-time favourite of Bahat. “First we confuse the attacker, we fake the environment with simulation, it all starts with an endpoint. Since evasive malware uses environment awareness to detect what antiviruses are there, if it has been sandboxed or not, what analysis tools are there, why not put debuggers, sandboxes, virtual machines on all endpoints? Why not simulate a thousand guard dogs?”
The idea is that if all the antiviruses appear to be present on the machine, with sandboxes in operation, the malware will choose to do nothing and freeze. “We are not trying to detect the malware, we stop it”, clarifies Bahat.
“Now the goal of malware is to move to other endpoints, so we want to give hackers a thousand fake servers, so they have no way to know where to go. All of it is simulation, we just make it look like they are real, and if they choose one server, they’ll trigger an alert. We want to be able to track their moves, setting up believable traps or honey-pots”, Bahat continued.
“But we need believable decoys. We can deploy fake endpoints, fake PLC machines in an industrial environment or fake files on servers”. According to Bahat, deception was the biggest trend among last year’s innovations. Next, once the attack has been identified, the malware can be removed.
Securitude Cyber Solutions offers its services to international companies, working out what their needs are and suggesting the best-fitting solutions on the market. On its stand, partner Minerva-lab provides an anti-malware evasion platform for endpoints that deceives threats into staying in their dormant state. Other booth partner Cymmetria advertises its decoy-creation platform, dubbed MazeRunner, which lets companies place a plethora of deception elements in the hackers’ critical path while creating a realistic environment to detect and quarantine attackers, gathering forensic data as they move harmlessly through this fake environment.
“Since we create dummy endpoints, servers and webservers, all with fake credentials, the only people to use these credentials would be attackers”, Peter Glock, Managing Director Europe for Cymmetria, told us. So it becomes easy for the fake environment to log all of the attacker’s moves, tools and tactics within the deception network, giving insight into new hacking strategies while containing them.
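A defender-side illustration of the honey-credential logic Glock describes, added here and not Cymmetria’s or MazeRunner’s code: the decoy account names and the sshd-style log lines are constructed, and any authentication attempt with a decoy account is raised as an alert and recorded in a per-source trail of the decoy hosts touched.

```python
import re
from collections import defaultdict
# Constructed decoy accounts: they exist only on the deception network, so any
# authentication attempt using one of them is treated as attacker activity.
DECOY_ACCOUNTS = {"svc_backup_old", "admin_fileshare", "plc_maint"}

# Constructed sshd-style auth log lines (hosts, users and addresses are made up).
SAMPLE_LOG = """\
Jan 24 09:12:01 fileserver01 sshd[4411]: Accepted password for alice from 10.0.5.23 port 51022 ssh2
Jan 24 09:13:40 decoy-srv07 sshd[2190]: Failed password for svc_backup_old from 10.0.5.77 port 40211 ssh2
Jan 24 09:13:44 decoy-srv07 sshd[2190]: Accepted password for svc_backup_old from 10.0.5.77 port 40211 ssh2
Jan 24 09:14:02 decoy-plc02 sshd[318]: Accepted password for plc_maint from 10.0.5.77 port 40300 ssh2
Jan 24 09:15:15 fileserver01 sshd[4419]: Accepted publickey for bob from 10.0.5.31 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    """Yield one dict per recognisable sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect_decoy_use(text, decoys=DECOY_ACCOUNTS):
    """Return alerts keyed by source address; failed and successful logins both count."""
    alerts = defaultdict(list)
    for ev in parse_auth_log(text):
        if ev["user"] in decoys:
            alerts[ev["src"]].append(
                f'{ev["ts"]} {ev["result"]} login as {ev["user"]} on {ev["host"]}'
            )
    return dict(alerts)

def attacker_trail(text, decoys=DECOY_ACCOUNTS):
    """List, in order, the decoy hosts each flagged source touched (forensic trail)."""
    trail = defaultdict(list)
    for ev in parse_auth_log(text):
        if ev["user"] in decoys and ev["host"] not in trail[ev["src"]]:
            trail[ev["src"]].append(ev["host"])
    return dict(trail)

if __name__ == "__main__":
    for src, events in detect_decoy_use(SAMPLE_LOG).items():
        print(f"ALERT source {src}: {events}")
    print("trail:", attacker_trail(SAMPLE_LOG))
```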
Antivirus companies have already jumped on the deception bandwagon, as Symantec illustrated during a brilliant technical demonstration where pretty much all of these new tricks were in place.
The European Union’s looming Network and Information Security (NIS) Directive will make it mandatory in 2018 for all operators of essential services (networked utilities providers and public services) as well as digital service providers to implement “state of the art” cybersecurity technologies to manage the security risks of their networks and systems. This means that security incident response teams will need to be trained and be able to prove it. This is how CyberTest Systems claims its Cyber Range becomes an essential tool as a crisis management training ground.

CyberTest Systems’ CEO Arnaud Kopp describes the Cyber Range as an infrastructure deployed to mimic a company’s real infrastructure: a test lab where the security teams can be put to the test with cyber-attacks confined to the Cyber Range rather than released into the wild, where they would put other users at risk. As well as providing safe ground for training, the company can invite other parties, such as Yes We Hack, to contribute multiple attack scenarios. A basic Cyber Range costs around 100,000 Euros, the CEO revealed, adding that the cost increases with the complexity of the infrastructure to replicate.
Forum International de la Cybersécurité – www.forum-fic.com
