Moving Target Defense (MTD) and Attack Surface Segmentation Cyber Security

CRI Advantage Inc. (CRI) has been providing Cyber Security solutions to commercial, federal, and state and local government markets for over 20 years. From the Morris Worm to present-day ransomware attacks, CRI's Cyber Security professionals have seen just about every hacker trick imaginable and have grown up alongside the advances in Cyber Security technology that answered them. Armed with what we learn through penetration testing, and in an effort to stay one step ahead of attackers, we constantly review new Cyber Security technologies. The most recent one to catch our attention is Cryptonite NXT.

Ron Gula of Gula Tech Adventures recently published an interview with Mike Simon, CEO of Cryptonite NXT. The interview follows:

At GTA, I’ve been working with a variety of companies that have new approaches to security. Cryptonite NXT drew me to it because it stopped insider attacks and gave organizations more visibility and control over their security. It also let me mention Rapid7 in a blog post. I caught up with Cryptonite NXT CEO Mike Simon in the following interview.

How does Cryptonite NXT stop insider threat attacks? 

An insider threat could be someone clicking on an email attachment putting that device under control of a malicious actor, or from a true insider threat such as a rogue employee. Cryptonite NXT’s focus is on stopping and containing attacks once someone gets into your network and before anyone is aware that a breach has occurred. This is increasingly recognized as the critical point in the attack that determines whether just that one device is malicious and the attack fails, or the attack spreads across the network and your organization is on the front page of the news.

Cryptonite NXT has two primary technologies, Moving Target Defense (MTD) and Attack Surface Segmentation. MTD creates an abstract, dynamic view of the network to conceal the network’s topology and vulnerabilities. Cryptonite NXT’s Attack Surface Segmentation takes this further by customizing each device’s MTD-generated view of the network and maps it into the real world. Each user and device has fine-grained controls applied to place hard limits on what can be accessed via the network. The combination of these two technologies plus authentication and cryptography widely disrupts many malicious behaviors including reconnaissance, spoofing, and lateral movement which are the building blocks of insider threat attacks.
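A toy model of the two ideas in that answer, added here as an illustration and not code from Cryptonite NXT or from the interview: each (user, device) pair gets its own view of the network that contains only the hosts its policy allows, and each host appears in that view at a presented address derived from a keyed hash that changes every epoch. The host inventory, the policy, the presented-address pool, the secret and the HMAC construction are all assumptions chosen for the example; Cryptonite's actual mechanism is not described on this page.

```python
"""Toy model of a per-device, epoch-rotating network view (the Moving Target
Defense idea) whose contents are limited by a per-principal policy (attack
surface segmentation).  Constructed illustration only, not Cryptonite NXT's
design: the hosts, policy, address pool and secret below are made up."""
import hashlib
import hmac
import ipaddress

# Constructed inventory: the real addresses behind the enforcement point.
REAL_HOSTS = {
    "dc01": "10.0.0.5",
    "fileserver": "10.0.0.20",
    "printer-3f": "10.0.0.77",
    "mri-scanner": "10.0.0.90",
}

# Constructed segmentation policy: hosts each (user, device) may reach.
# A principal not listed here sees an empty network.
POLICY = {
    ("alice", "laptop-a"): {"fileserver", "printer-3f"},
    ("bob", "workstation-b"): {"fileserver"},
    ("svc-backup", "backup-srv"): {"dc01", "fileserver"},
}

SECRET = b"assumed-appliance-secret-rotated-out-of-band"  # assumption
VIEW_POOL = ipaddress.ip_network("100.64.0.0/10")  # assumed presented-address pool


def presented_offset(device: str, epoch: int, hostname: str) -> int:
    """Keyed, per-device, per-epoch position of `hostname` in VIEW_POOL.
    Without SECRET a scanner cannot predict where a host will appear next."""
    msg = f"{device}|{epoch}|{hostname}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") % VIEW_POOL.num_addresses


def view_for(user: str, device: str, epoch: int) -> dict:
    """The network as this principal sees it in `epoch`: presented address ->
    hostname, containing only the hosts its policy allows."""
    view = {}
    for hostname in sorted(POLICY.get((user, device), set())):
        off = presented_offset(device, epoch, hostname)
        while str(VIEW_POOL[off]) in view:  # deterministic collision handling
            off = (off + 1) % VIEW_POOL.num_addresses
        view[str(VIEW_POOL[off])] = hostname
    return view


def resolve(user: str, device: str, epoch: int, dst: str):
    """Translate a presented destination to a real address for delivery, or
    return None to drop it.  Real addresses never resolve: they are in no
    view, so learning one from a diagram is not actionable on the wire."""
    hostname = view_for(user, device, epoch).get(dst)
    return REAL_HOSTS[hostname] if hostname else None


def reachable_from(learned: list, user: str, device: str, epoch: int) -> list:
    """Which real hosts a list of previously learned presented addresses still
    reaches for this principal in this epoch.  Addresses harvested on another
    device, or in an earlier epoch, decay to nothing."""
    hits = (resolve(user, device, epoch, a) for a in learned)
    return sorted(h for h in hits if h)


if __name__ == "__main__":
    # What a scan run from alice's laptop would harvest in epoch 1.
    learned = list(view_for("alice", "laptop-a", epoch=1))
    print("alice, epoch 1:", reachable_from(learned, "alice", "laptop-a", 1))
    print("same list on bob's device:", reachable_from(learned, "bob", "workstation-b", 1))
    print("same list next epoch:", reachable_from(learned, "alice", "laptop-a", 2))
```

Run it and compare the three lines: the addresses harvested on Alice's laptop resolve only for Alice's laptop, in the epoch in which they were harvested, and the real 10.0.0.x addresses on the diagram never resolve at all. A production implementation would also have to handle name resolution, ARP and the rotation cut-over without breaking established sessions, which this toy leaves out.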

Rapid7’s pen testing team did attacks on a network with and without Cryptonite NXT protection. How did they do against the network protected by Cryptonite NXT? 

As the makers of Metasploit Pro, Rapid7 is one of the leaders in penetration testing technology. We had the pleasure to work with them for a few weeks on and off site. In the average network not protected by Cryptonite NXT, it only takes a skilled penetration tester a few hours once inside your network to go from zero to having full administrative access on your domain controllers and effectively “owning” your network. That is the sobering reality of insider threats today. When Rapid7 attacked the Cryptonite NXT protected network the story was quite different.

We had a seasoned professional telling us he hadn’t seen anything like this before and who was pulling his hair out that he couldn’t find a way to scan or monitor the network. We eventually gave him a list of what was in the network, a diagram of the network with IPs and hostnames, and had an extended brainstorming session on how our system works. However, none of that knowledge was actionable as the actual network was invisible to him. Just as important, none of the hacking tools in his toolbox worked on our network. Overall, Rapid7 helped us improve a few loose ends and the security of the system was validated.

How is this deployed? Do I need to replace my switching hardware? 

We realize that organizations want to trade as little as possible even for great security and have built our technology around that principle. Cryptonite NXT integrates with common tools like Splunk, application-layer firewalls like Palo Alto, Active Directory, and common intrusion detection systems. Our product can also provide network infrastructure improvements like two-factor authentication, network access control, IP address management, and other functions in a unified, security-centric way. Customers can choose to incrementally deploy Cryptonite NXT. One of the advantages Cryptonite NXT has is that there is no software agent, so literally any IP-capable device can be protected. These are devices like printers, thermostats, security systems, and MRI machines that are otherwise unprotected. Since our hardware operates at line speeds, there is no significant performance penalty as with an agent approach.

In terms of physical deployment, Cryptonite NXT is a 1U hardware appliance that is positioned between your core and access switches. We sit such that all traffic, including “east-west” traffic within a VLAN or subnet is seen by our appliance. Cryptonite NXT was designed not to replace, but rather to extend the life of, your existing infrastructure investments. We have carefully designed the system following industry standards to break malicious actions while maintaining legitimate operations.

Besides locking down access to applications and preventing lateral movement, how much “east-west” lateral movement does this log and give visibility to? 

First, our goal is to stop the attack as it happens, meaning drop packets before they reach their target. With the speed of attacks today, if you’re not doing this you’re potentially too late. We also realize that it isn’t enough to contain an attack. We should be alerting you so that the initial entry points can be sanitized. Because of where Cryptonite NXT sits in the network, we see all of the “east-west” or lateral movement traffic that occurs. This is the key to containing an attack. After stopping the traffic, we send appropriate alerts to Splunk or other standard SIEM tools. These alerts include contextual information about the offending user and device rather than IPs or MAC addresses that are easily spoofed. The alerts also happen in response to clear security events, such as a user attempting to access something clearly outside of their corporate policy, rather than things that are often false alarms. Cryptonite NXT’s MTD also provides many opportunities where we detect that a device is trying to enumerate the network or making some of an attacker’s favorite assumptions about the network that our approach to security eliminates. These actions give us opportunities to generate reliable alerts.

In addition to alerts, we provide monitoring ports and other tools so that administrators and third party tools can receive a “normalized” view of the network when appropriate and continue to understand how the network is operating for troubleshooting and management. This includes east-west traffic that is otherwise hard to monitor. When a network is believed to be under attack, we provide the ability to totally change the network’s security posture with a single click. This change allows the alerts and visibility to be acted upon in a concrete way. Pre-planning and positioning a response encourages good security hygiene.
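The detection and alerting pattern described in that answer, as an added example that is not the page's or Cryptonite NXT's code: flow records seen at an enforcement point are checked against a per-device allowlist, out-of-policy flows are dropped, and a source that fans out across many distinct dropped destinations inside a short window is reported with the user and device behind it rather than a spoofable IP or MAC. The identity table, the policy, the flow lines, the window and the threshold are constructed for the example.

```python
"""Enumeration detection and contextual alerting over east-west flow records.
Added illustration, not Cryptonite NXT code: the identity table, policy,
flow lines and thresholds are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity context known at the enforcement point, so an alert
# names a user and device instead of an address an attacker can spoof.
IDENTITY = {
    "10.0.1.10": {"user": "alice", "device": "laptop-a"},
    "10.0.1.11": {"user": "bob", "device": "workstation-b"},
    "10.0.1.50": {"user": "svc-backup", "device": "backup-srv"},
}

# Constructed per-device allowlist of (dst_ip, dst_port).
POLICY = {
    "laptop-a": {("10.0.0.20", 445), ("10.0.0.77", 9100)},
    "workstation-b": {("10.0.0.20", 445)},
    "backup-srv": {("10.0.0.5", 445), ("10.0.0.20", 445)},
}

# Constructed flow records "timestamp src dst dport": normal work from alice
# and the backup server, then a 30-host SMB sweep from bob's workstation.
FLOW_LINES = [
    "2017-06-02T10:00:00 10.0.1.10 10.0.0.20 445",
    "2017-06-02T10:00:05 10.0.1.10 10.0.0.77 9100",
    "2017-06-02T10:00:07 10.0.1.10 10.0.0.5 445",  # one-off, outside policy
    "2017-06-02T10:01:00 10.0.1.50 10.0.0.5 445",
] + [f"2017-06-02T10:02:{i - 1:02d} 10.0.1.11 10.0.0.{i} 445" for i in range(1, 31)]


def parse_flow(line: str) -> dict:
    ts, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}


def decide(flow: dict) -> str:
    """Segmentation decision: 'allow' only what the source device's policy
    lists; everything else is 'drop' before it reaches the target."""
    ident = IDENTITY.get(flow["src"])
    if ident and (flow["dst"], flow["dport"]) in POLICY.get(ident["device"], set()):
        return "allow"
    return "drop"


def build_alert(src: str, events: list, triggered: datetime) -> dict:
    ident = IDENTITY.get(src, {"user": "unknown", "device": "unknown"})
    return {
        "rule": "network-enumeration",
        "severity": "high",
        "user": ident["user"],
        "device": ident["device"],
        "src_ip": src,  # kept for correlation only; identity comes from the table
        "distinct_targets": len({(e["dst"], e["dport"]) for e in events}),
        "first_seen": events[0]["ts"].isoformat(),
        "triggered_at": triggered.isoformat(),
        "last_seen": events[-1]["ts"].isoformat(),
        "action": "dropped",
    }


def detect_enumeration(flows: list, window=timedelta(seconds=30), threshold=10) -> list:
    """Alert once per source that reaches `threshold` distinct dropped
    destinations inside `window`.  Under a tight per-device policy a single
    stray drop (alice above) is noise; fan-out across many targets is a scan."""
    denied = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        if decide(f) == "drop":
            denied[f["src"]].append(f)
    alerts = []
    for src, events in denied.items():
        for i, ev in enumerate(events):
            recent = [e for e in events[: i + 1] if ev["ts"] - e["ts"] <= window]
            if len({(e["dst"], e["dport"]) for e in recent}) >= threshold:
                alerts.append(build_alert(src, events, ev["ts"]))
                break
    return alerts


def format_for_siem(alert: dict) -> str:
    """One JSON object per line, the shape most SIEM collectors ingest."""
    return json.dumps(alert, sort_keys=True)


def run(lines: list):
    flows = [parse_flow(line) for line in lines]
    decisions = [(f["src"], f["dst"], f["dport"], decide(f)) for f in flows]
    return decisions, detect_enumeration(flows)


if __name__ == "__main__":
    decisions, alerts = run(FLOW_LINES)
    print(f"{sum(d[3] == 'drop' for d in decisions)} of {len(decisions)} flows dropped")
    for a in alerts:
        print(format_for_siem(a))
```

The alert fires on the tenth distinct dropped destination from bob's workstation while the sweep is still in progress, and reports 29 distinct targets once the window is summarised; alice's single out-of-policy flow is dropped but produces no alert. The window and threshold are the knobs to tune against your own east-west baseline, and the drop decision happens on every flow regardless of whether an alert is ever raised.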

A link to the original interview can be found at: https://www.linkedin.com/pulse/stopping-insider-threats-interview-cryptonite-nxt-ceo-ron-gula?published=t&trk=v-feed&lipi=urn%3Ali%3Apage%3Ad_flagship3_profile_view_base_recent_activity_details_shares%3BzYEOPk0thzw7R7uNt2rgkg%3D%3D

Published June 2nd, 2017 (last updated 2017-11-03). Categories: Attack Surface Segmentation, Cyber Security, Moving Target Defense, MTD.

About the Author:

Technology thought leader, speaker, author, Digital Transformation guru, sales and marketing expert and RAINMAKER specializing in ServiceNow, The Internet of Things (IoT), Cloud Computing, Digital Government, Artificial Intelligence, Machine Learning, Information Technology Operations Management (ITOM), IT Service Management (ITSM), IT Operations Analytics (ITOA), Big Data Analytics, Information Governance and Compliance (GRC), eDiscovery, Cyber Security, Predictive Analytics, Advanced Cloud Based Applications Development and Mainframe Migration and Modernization.