[eForensics Magazine]: Hello Matan, thank you for agreeing to do this interview! Could you tell our readers a little bit about yourself and what you do?
[Matan Kubovsky]: I was born in Jerusalem, where I grew up and studied at university. During the last 10 years, I’ve spent most of my time between Tel-Aviv and London working on an array of cyber security products, ranging from protecting media devices on the Windows kernel to application layer encryption of sensitive documents. These days, I head up the R&D division of illusive networks, a promising startup at the forefront of cybersecurity. I worked alongside illusive’s founder Ofer Israeli at Israel’s seminal cybersecurity company Check Point for many years where we shared countless hours brainstorming cybersecurity, amongst other things. I fully believe in illusive’s pioneering technology as an effective solution to counter Advanced Persistent Threats, as well as Ofer’s capabilities, so I decided to join. Another added attraction was the promising and professional cadre behind the company called Team8 – Israel’s foremost cybersecurity think tank and foundry with deep ties to the Israeli Defense Force and their elite 8200 unit.
We operate four teams within our department, two working in development, one team covering quality assurance and the other conducting research. This means we are responsible for the entire release life cycle of our technology. A new idea will be fully researched prior to being worked on by our product and our development teams. Once fully certified by our high-end QA group, the product or feature receives a main release. As a department, we aim to remain ahead of both competition and cyber attackers across all areas we touch. This includes research, where we are first to investigate major events (such as the recent WannaCry ransomware outbreak), and in engineering, where we adopt and employ new methodologies to remain as agile as possible.
[eFM]: Can you tell us a bit more about illusive networks?
[MK]: illusive networks was founded in 2014 by Ofer Israeli, a cyber expert who pioneered deception-based technology.
Deception-based cybersecurity starts with the assumption that hackers are already in the network and tricks them with an endless stream of false information, capturing them when they are at their most vulnerable.
Aiming to prevent the most sophisticated attacks organizations suffer from nowadays, illusive’s Deceptions Everywhere™ technology deceives attackers in an active-defense manner. Our technology detects and identifies with precision the existence and location of cyber attackers as they begin their inside reconnaissance efforts and lateral movements, mitigating an advanced attack at the earliest stage.
Team8 led the first round of funding with participation from Marker LLC, Bessemer Venture Partners and Eric Schmidt’s Innovation Endeavors. NEA, Cisco, Citi Ventures and Microsoft Ventures have since joined as investors.
[eFM]: Your company employs deception techniques to protect networks. How is it different from setting up honeypots?
[MK]: illusive networks and several of its competitors have a deceptions portion and a honeypot portion to their solution, the difference being where the focus and IP of the vendor lies – the deceptions vs. the honeypot. illusive’s competitors stem from and focus heavily on honeypots, which are passive by nature. Honeypots have to be stumbled upon by the attacker, so they leave detection up to chance. illusive’s approach is deceptions-centric and proactively traps attackers by putting deceptions at every place attackers need to visit in order to collect information to fuel their lateral movement. As there are hundreds – sometimes thousands – of decisions and lateral movements that are necessary for attackers to make in order to execute a sophisticated attack, the odds of an attacker guessing correctly every single time are virtually zero.
The whole premise of the solution is based on the fact that the attacker cannot differentiate reality from deceptions and, hence, has to guess. The art of cyber deceptions is that illusive AI-based deceptions are planted in an optimal way to be tailor-made, appear real and so they are effective, and scalable. This is as opposed to vendors offering solutions that spray random pointers to lure attackers to their honeypot, making them visible and, in fact, act as a fingerprint (breadcrumb) to expose the honeypot to attackers.
[eFM]: What is the purpose of the deception layer? Is it to detect an attack, to stop them, or to track them?
[MK]: Essentially, any organization employs a myriad of solutions to address their security concerns. With our Deceptions Everywhere™ solution, attacks can be detected shortly after a holding of a first endpoint has been achieved. On top of that, using our tight integration with Cisco pxGrid, attacks can also be mitigated in an automated fashion. Lastly, using illusive’s Attacker View, a sophisticated breakthrough technology that exposes hidden attack paths, which is built into our product, attacks can also be tracked and their subsequent risk can be analyzed, in order to provide actionable decisions and a high-level executive summary.
[eFM]: Does the technology lend itself to forensic uses at all?
[MK]: Most definitely, and I must share a confession here – I am a big fan of Digital Forensics! When we initially devised deception technology, we realized that adding a comprehensive source-based forensics collection would contribute significantly towards improving our offering. Once illusive detects an attack in the network, we reach the source of the attack and collect real-time information. The magic here is that despite the agentless modus operandi of our product, we are able to gather information about what happened before, during and even after the actual event.
[eFM]: Do you think businesses are ready to introduce deception into their cybersecurity strategies?
[MK]: Absolutely. We’re seeing more and more businesses in the finance, healthcare, energy, insurance, retail and telecommunications markets adopting and integrating deception into their security arsenal. On top of that, there are several research and analysis firms now advocating deception-based cybersecurity and indicating that the Global Deception Technology market is planned to grow significantly in the next couple of years.
[eFM]: Is there any way a company could easily start integrating some deception tactics in their networks?
[MK]: Good question. In order to provide a simplistic answer, it’s important to first understand how an APT works: When an attacker lands inside a network, he usually asks himself “where should I go?” and “how can I get there?” With this information, the adversary is forced to make hundreds or even thousands of lateral movements in order to reach the desired destination. This implies that these advanced attacks can span many months. With that in mind, companies should start with mapping the core assets they are so eager to protect and, specifically, the various ways to get to these assets (to begin with, these could be high-profile users or business services). Once that is accomplished, they can pick a few steps in this long chain of actions and break it by adding some deceptive information that would lure an attacker to act upon it instead of the real data. Obviously, in mid-large environments, this becomes a very cumbersome operation that requires a rather sophisticated orchestration as the deceptions being distributed should be as diverse as possible.
[eFM]: How do you think the threat landscape will change in the next few years?
[MK]: Threats and the adversaries that produce them are much like gas in the free air, they spread all over and adapt to whatever environment they exist in. With the advancement of active defense, such as Deceptions, threat actors will be forced to think very carefully where they want to put their efforts. As they work under budget and with tight schedules, it is inevitable that they will reconsider operations on vendors that embraced such technologies. I also believe that additional frontiers in the attack chain will have to be addressed. As one example, exfiltrating data in what seem to be legitimate ways (i.e., ICMP or DNS traffic) is definitely something that has not yet been addressed. In addition to that, further leaks of offensive arsenal and TTPs (Tools, Techniques and Procedures) are going to take place. This causes tremendous damage to the groups that got breached (i.e., CIA, EquationGroup which is tied to NSA and so forth), as thousands of years of work get exposed. But it doesn’t stop there, because almost every time it happens, many malicious groups take advantage of those newly released exploits for easy money. I truly believe that new security solutions will spring up, ones that can easily understand the nature of such breaches, and easily orchestrate security patches to the organizations who adopt them.
[eFM]: What do you think are the biggest challenges the industry is facing right now?
[MK]: Organizations have to deal with a swarm of security vendors these days, almost lurking at their doors. This red ocean of solutions is making the decision much harder for companies but once they understand the criteria to choose upon, the challenge reverts to the security vendor. Obviously, when a security provider breaks down the following, a quick match can occur:
- Near zero number of false-positives
- Easy setup and seamless integration with other products customers use (i.e., SIEM solutions, System Management Tools)
- Lastly, demonstrating value to the customer is key, even during a pilot program.
[eFM]: Do you have any advice for our readers? Any thoughts you would like to share?
[MK]: Sure, don’t wait for an attack to happen. Networks are big, credentials are spread in the wild. Act.
About illusive networks