Well before the extraordinary claims that Russia launched a cyberwarfare campaign to install Donald Trump as US president, computer security was already one of the top concerns of organisations globally. The incredible $80m cyber heist of Bangladesh Central Bank in early 2016 is just one of the high-profile hacking successes in recent years that have ensured corporates, especially financials, remain on ultra-high alert against intruders.
There are many cybersecurity techniques and solutions available to organisations but an intriguing proposal from Illusive Networks, an Israel-based start-up, stands out from the crowd, seeking as it does to turn the tables on network intruders, trick them into believing something is real when it isn’t, and maintain that fiction long enough for the hackers to make mistakes and perhaps even reveal their identity and location.
Illusive’s solution in fact places the company at the forefront of a new category of cybersecurity called deception-based technology. Expectations of this type of cybersecurity are running high, with Gartner, one of the world’s leading IT consultancy firms, identifying it as one of the top ten information security technologies. Gartner reckons that by 2018 ten per cent of enterprises globally will use deception tools and tactics and actively participate in deception operations against attackers.
Shlomo Touboul, strategic adviser to Illusive Networks and a serial cybersecurity entrepreneur, is clear about the massive challenge for organisations in preventing intruders from compromising their networks: “As it stands, there is this huge asymmetry between defender and attacker. On the one hand, the attackers can make many, many mistakes but they only have to be right once to win the campaign. The defenders, however, can be right nearly every time in preventing attack but if they make one mistake, they have lost everything.
“At the same time defenders never know when potential intruders will arrive at their door – it’s the attackers that control events. Also, defenders get so many false positives in their security operations center that they quickly reach what we call ‘alert fatigue’. It’s like your house alarm is ringing all the time, so you get fed up with the false signals and shut it off or ignore it. All these factors ensure there is a big, big asymmetry overwhelmingly in favor of the attacker.”
It’s an asymmetric state of affairs that, according to Touboul, all existing tools – including the current generation of deception technology – still cannot truly address: “Attackers can put their hands on all of the existing technologies, reverse engineer them, talk to them remotely, walk around them, whether they be based on anomaly detection, behavioral detection or intrusion detection. All of them are well known to attackers.”
Illusive’s proposal, by contrast, uses deception technology “in a way never seen before”, says Touboul, with the explicit aim of tipping the asymmetry in favour of the defender. Under the existing asymmetry it is the defender that is hamstrung by uncertainty and false positives. For Illusive the key to really effective cybersecurity is instead to bombard the attacker with searching questions and conundrums, turn the tables on them, and tease them into making a mistake.
Creating mirror worlds
In explaining how intruders operate, Touboul says they will typically infiltrate one machine in a network and then move laterally across it, a process that can take months. In the Bangladesh Central Bank cyber heist the funds were siphoned off by wire transfer in the blink of an eye, but Touboul points out that the hackers spent six months roaming around the bank’s network, learning about all the objects, privileges and domains they needed in order to actually launch their attack: “Only when they got all the information did the attackers create the malware and everything was programmed into it. It was hard coded to go straight into the money and even hide the wire transfers that had been actioned.”
Illusive Networks is a highly apt name for the company because, as Touboul explains, at the heart of the firm’s solution is a veritable hall of false mirrors for the intruder to navigate, spread across every endpoint – desktop PC, laptop, printer or smartphone – linked to an organisation’s network. “At Illusive we want to make sure that whenever the attacker is trying to move laterally he or she is finding on every endpoint [internet enabled device on the network] information that is wrong and that they can’t tell which information is good, which is wrong. We become like a deceiving entity and if the attack lands on every machine the intruder is up against an unbelievable number of false mirrors. On every endpoint, we plant deceptions. It’s like you take a pot of honey and paint the entire network with a thin layer of it but there’s no software running to give the game away. If they use the wrong information even once, they get detected. That gets reported and we can then obtain real time forensics, mitigate the attack on the spot.”
Illusive is one of many innovative cybersecurity firms that have emerged in recent years from Israel – the sector is booming in the country. Founded two and a half years ago by its CEO Ofer Israeli, the firm has moved quickly since the early hectic startup months when it developed and finely tuned its novel deception technology concept. The firm has grown fast and now boasts a 65-strong workforce. Notably, it has a big, experienced, well-connected team in the US, where demand for its expertise is buoyant: “We started with financial institutions in the US because there is clearly a strong need there. But we are now also selling to lawyers, insurers, technology companies, manufacturing companies and healthcare firms in the US,” says Touboul. “The need for really strong cybersecurity solutions though is global so we expect to grow our footprint. Look what happened in Bangladesh. The attack was there but the wire transfer of funds came from the Federal Reserve Bank in America. Attackers don’t care about geography and borders.”
Of the several dozen Illusive Networks customers secured so far, around half are financials. The number of endpoints per customer covered by the Illusive solution ranges from 500,000 down to as few as 1000-5000. The identities of the customers, which span large, medium and small organisations, are being kept under wraps for now.
Legacy systems not a problem
One of the big problems banks have been grappling with in recent years is legacy IT systems. So how difficult is it to incorporate Illusive’s state-of-the-art cybersecurity solution into IT environments that, in many institutions, were installed decades ago? Happily, it’s no problem at all: “No agent software is installed on any devices on the network – we’re agentless – and the deceptions are propagated by our solution automatically. That means we do not disturb any IT process for the banks. Because we don’t have any software running on any of their machines or devices, we don’t have any conflict with legacy systems.
“Rather, we distribute false data on the cache memory of those machines. The attacker invariably looks for the cache to obtain information so we go and poison the cache in a way that only the intruder can see. It’s all invisible to the applications so we don’t run into conflicts with them.”
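The detection principle described in the two quotes above (plant false information on endpoints, then treat any use of it as a high-confidence signal) can be shown with a small honeytoken detector. The following Python is an added example, not Illusive Networks’ code and not a description of how its product plants data; the decoy account names, the endpoint names and the syslog-style authentication lines are all constructed for the illustration. The defender keeps a registry of which decoy identities were planted where, scans authentication events, and raises an alert whenever a decoy identity is tried, successfully or not, since no legitimate process should ever use one.

```python
"""Honeytoken-style detection of planted decoy credentials.

Added example: the decoy names, endpoint names and log lines below are
constructed, and nothing here reflects any vendor's internals.
"""
import re
from dataclasses import dataclass

# Decoy account names the defender planted, mapped to the endpoint where the
# bait was placed so an alert can say where the attacker picked it up.
DECOY_ACCOUNTS = {
    "svc_backup_ro": "WS-FIN-017",
    "fin-admin2": "WS-FIN-042",
    "sqlreport": "WS-HR-003",
}

# Constructed syslog-style authentication events (not real logs). Real users
# alice and bob appear alongside two decoy names being tried from two hosts.
SAMPLE_LOG = """\
2016-09-01T08:02:11Z auth host=FILESRV01 user=alice src=10.1.4.17 result=success
2016-09-01T08:05:43Z auth host=FILESRV01 user=bob src=10.1.4.22 result=failure
2016-09-01T08:07:02Z auth host=DC01 user=svc_backup_ro src=10.1.4.17 result=failure
2016-09-01T08:07:05Z auth host=DC01 user=svc_backup_ro src=10.1.4.17 result=failure
2016-09-01T09:15:30Z auth host=SQL02 user=sqlreport src=10.1.9.8 result=success
2016-09-01T09:20:00Z auth host=FILESRV01 user=alice src=10.1.4.17 result=success
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class DecoyAlert:
    timestamp: str
    decoy_user: str
    planted_on: str    # endpoint where the bait was planted
    target_host: str   # system the decoy credential was tried against
    source_ip: str     # machine the attempt came from (likely compromised)
    result: str        # success or failure; both are alert-worthy


def parse_auth_line(line):
    """Parse one constructed auth event; return None for lines of other shapes."""
    m = AUTH_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one DecoyAlert per authentication event that names a decoy.

    A decoy is never used by legitimate software, so even a failed attempt
    is a true positive: the attacker has already read and acted on the bait.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in decoys:
            continue
        alerts.append(DecoyAlert(
            timestamp=ev["ts"],
            decoy_user=ev["user"],
            planted_on=decoys[ev["user"]],
            target_host=ev["host"],
            source_ip=ev["src"],
            result=ev["result"],
        ))
    return alerts


def summarise(alerts):
    """Group alerts by source IP so one compromised host is one incident."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.source_ip, set()).add(a.decoy_user)
    return {src: sorted(users) for src, users in by_src.items()}


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} decoy {a.decoy_user!r} (planted on {a.planted_on}) "
              f"tried against {a.target_host} from {a.source_ip}: {a.result}")
    print("incidents by source:", summarise(found))
```

Two things the sample shows that the quotes only state: the failed attempts from 10.1.4.17 are flagged even though the real user alice also authenticates from that address, which tells the responder which workstation to pull for forensics, and the single successful use of `sqlreport` from 10.1.9.8 is a separate incident. Nothing runs on the endpoints themselves; the detection lives entirely in log processing.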
He cites the remarkable experience of one financial institution very recently to illustrate the ease and efficacy with which the Illusive solution can be installed within organisations. The financial was interested in ordering Illusive’s product for application to around 120,000 endpoints but wanted to test it first on just 100 of its machines to make sure it was safe. Illusive’s policy for initial testing of the product covers thousands of machines but it appreciated the cautious client wanted to proceed more slowly: “So they get the product, install the product for like an hour or two but they didn’t limit the counter [for the number of endpoints to be treated]. Within two hours, it was deployed on all the machines in their headquarters – about 7000 to 8000 machines!
“They told us what had happened but also that they were very happy with the product and wanted the purchase order to go up to 110,000. It took just hours to fully deploy successfully at their headquarters. They were nervous initially but then they were very happy because they could see it working properly. Even for me it’s always really refreshing to see a very effective security tool that is so easy to deploy and manage.”
The Illusive product, which in the UK is distributed via Ignition, is offered on an annual subscription basis with customers updated with new deceptions as they are developed by Illusive’s cyber boffins. “We are committed to bringing more and more value to the customer all the time they are with us,” says Touboul.
Not surprisingly, considering the potential of its solution and the impressive progress it has made in securing clients, Illusive Networks has attracted considerable high-profile investor interest. In June 2015 it secured $5m from Team8, an Israeli firm that doubles up as cybersecurity think tank and VC and boasts the likes of Microsoft Ventures, Qualcomm and Cisco as backers. In August of that year it secured a further $25m in a Series B round led by US-based venture capital giant New Enterprise Associates.
The firm is now in the process of scaling very quickly: “Initially we thought it would be the big companies we attracted as clients. But we’re getting a lot of traction from the mid and even the smaller sized enterprises that have a lot of sensitive material to protect. We have customers like lawyers with only 3,000 employees but they hold contracts of very large enterprises. Sometimes it’s easier to attack the lawyer than the big enterprise they handle affairs for so the lawyer too sees value in becoming our customer – it’s a knock-on effect that perhaps we had not thought would be so prominent but we are more than happy to embrace it!”