Lateral Movement Threat Detection to Enhance Security Consolidation Illusive Networks and Microsoft 365 E5 Integration

Post on 04-Jan-2022


Page 1

Lateral Movement Threat Detection to Enhance Security Consolidation

Illusive Networks and Microsoft 365 E5 Integration

Page 2

What If You Could Operate in a ‘000’ World?

• Zero privileged accounts accessible to attackers

• Zero false positive alerts to distract defenders

• Zero wasted investigation time to slow responders

Page 3

Illusive Can Help Build a ‘000’ World

• Create the Illusion of an Expanded Attack Surface

• Shrink the True Attack Surface

• Deliver Analytics and Actionable Insights

100% Agentless

Page 4

The Goal: Stop Attacker Lateral Movement

[Diagram: Cloud ‘A’, Cloud ‘Z’ and the Data Center, with three kinds of attacker movement between them]

• Cloud movement: across/within clouds

• Vertical movement: to/from cloud

• Lateral movement: across endpoints, datacenters, networks

Page 5

Credentials and Host-to-Host Connections Are the Attacker’s “Fuel”

Excess credentials and connections:

• Enable attack movement no matter where the attacker lands

• Allow for evasion of other tools

• Disguise attackers in a veil of normalcy or false positive alerts

Page 6

Shrink the True Attack Surface

Attack Surface Manager

• View the attack surface through the lens of the attacker

• Identify and remove errant credentials, connections and attack pathways

Verizon reports 80% of attacks use stolen credentials

Illusive has assessed ~500K endpoints and found:

• 19% contained accessible privileged credentials

• Many environments were much worse

Page 7

Create the Illusion of an Expanded Attack Surface

Attack Detection System

• Deploy agentless, highly authentic data, device, and decoy deceptions

• Across Data Center, IIoT/IoT, Cloud

• Force attackers to reveal themselves without generating false positives

• Undefeated vs. 110+ red teams (Mandiant, Cisco, Microsoft, DOD)

“Organizations seeking to enhance their security posture with highly realistic, efficient, easy-to-deploy deception technology should take a close look at Illusive’s real-time, automated platform.”

Enterprise Strategy Group

Page 8

Analytics and Actionable Insights Speed Response

Attack Intelligence System

• Cut research time with on-detection and on-demand source forensics

• Build threat intelligence with rich interactive target forensics

Customers report 60-90% reduction of SOC analyst investigation time, increasing SOC capacity at least 2X

Page 9

Illusive Is Critical for an Enterprise Abiding by MITRE Shield ‘Active Defense’

MITRE Shield is a security knowledge base designed to capture and organize what MITRE is learning about “active defense” and adversary engagement, and it is of great importance to security customers.

“Active defense ranges from basic cyber defensive capabilities to cyber deception and adversary engagement operations”

MITRE sees deception as a must-have in the modern security stack

Shield includes 8 active defense tactics and 33 defensive techniques

Page 10

Illusive and MITRE Shield: Enabling ‘Active Defense’ – Deception Is Essential

[Matrix: the eight Shield tactics as columns (Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test), each listing the techniques that apply to it. The 33 techniques appearing on the slide are: Admin Access, API Monitoring, Application Diversity, Backup and Recovery, Baseline, Behavioral Analytics, Burn-In, Decoy Account, Decoy Content, Decoy Credentials, Decoy Diversity, Decoy Network, Decoy Persona, Decoy Process, Decoy System, Detonate Malware, Email Manipulation, Hardware Manipulation, Hunting, Isolation, Migrate Attack Vector, Network Diversity, Network Manipulation, Network Monitoring, PCAP Collection, Peripheral Management, Pocket Litter, Protocol Decoder, Security Controls, Software Manipulation, Standard Operating Procedure, System Activity Monitoring, User Training.]

shield.mitre.org/matrix

Page 11

Microsoft 365 E5 and Illusive

Why Target Additional Security for the Consolidating Enterprise?

• Ensuring Active Defense as advanced threats continue to evolve

• The massive global shift to working from home increases insider-threat risk, while existing incumbent anomaly detection tools are rendered ineffective by the WFH shift

• The current recession demands tools that are efficient, effective, and low in overall TCO

• Well-funded nation-state attackers, or insider threats, demand an advanced, efficient, and high-fidelity response from an innovative tool with a proven record of being undefeated against red teams

Illusive Brings Critical Security Capabilities to a Customer Consolidating Security Tools around Microsoft

Page 12

Use Cases – Illusive Networks and Microsoft 365 E5

Page 13

Find & Fix Identity Risk Conditions in Microsoft Environments

1. USER CREDENTIALS: Finds Microsoft Active Directory creds & hosts with stored credentials that could allow attackers to expand their foothold

2. CROWN JEWELS CONNECTIONS: Finds connections to the organization’s critical assets

3. LOCAL ADMINS: Finds hosts with local admin credentials that could be used to execute admin-level actions

4. WINDOWS SHADOW ADMINS: Finds high-privilege users & groups that are not members of known groups (domain admins, etc.)

5. MICROSOFT AZURE PRIVILEGED IDENTITIES: Microsoft Azure AD configuration and integration
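As an added example (not Illusive's code and not from the deck), the "shadow admin" condition in item 4 can be expressed as a check over a directory snapshot: a principal that holds an admin-equivalent right on the domain object, directly or through nested groups, yet is not reachable from any of the known admin groups. The group names, principals and ACEs below are constructed sample data, and the set of rights treated as admin-equivalent is an assumption.

```python
from collections import deque

# Groups a SOC already treats as privileged (the "known groups"; assumed).
KNOWN_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Rights on the domain object treated as admin-equivalent (assumption).
ADMIN_EQUIVALENT_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "DS-Replication-Get-Changes-All"}

# Constructed sample snapshot: group -> direct members (users or groups).
MEMBERS = {
    "Domain Admins": {"alice"},
    "Administrators": {"Domain Admins"},
    "Helpdesk-L2": {"bob", "Helpdesk-Contractors"},
    "Helpdesk-Contractors": {"carol"},
    "Backup-Ops": {"dave"},
}

# Constructed sample ACEs on the domain object: (trustee, right).
DOMAIN_ACES = [
    ("Domain Admins", "GenericAll"),
    ("Helpdesk-L2", "WriteDacl"),                       # can rewrite the domain ACL
    ("Backup-Ops", "DS-Replication-Get-Changes-All"),  # can replicate directory secrets
    ("dave", "GenericRead"),                           # benign, ignored by the check
]


def transitive_members(group, members=MEMBERS):
    """Every principal nested inside `group` at any depth (BFS, cycle-safe)."""
    seen, queue = set(), deque([group])
    while queue:
        for m in members.get(queue.popleft(), ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def find_shadow_admins(members=MEMBERS, aces=DOMAIN_ACES, known=KNOWN_ADMIN_GROUPS):
    """Map each principal holding an admin-equivalent right (directly or via
    nesting) but outside every known admin group to the grants that give it."""
    expected = set(known)
    for g in known:
        expected |= transitive_members(g, members)
    shadow = {}
    for trustee, right in aces:
        if right not in ADMIN_EQUIVALENT_RIGHTS:
            continue
        for p in {trustee} | transitive_members(trustee, members):
            if p not in expected:
                shadow.setdefault(p, set()).add((trustee, right))
    return shadow
```

On the sample data, alice and Domain Admins are expected, while Helpdesk-L2, its nested contractors group and members, and Backup-Ops with dave are reported as shadow admins with the ACE that grants them the right.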

Page 14

Deception Strategy Based on Microsoft Environment & Tools

Leverage Active Directory objects, Azure cloud-to-cloud deceptions, and MS Office files to create authentic-looking deceptions to stop attacker movement on-prem and in the cloud

• Customize the deceptive strategy with a “story” for each endpoint

• Use a gradient of believability to further complicate the problem for the attacker

• Automatically update the deception strategy based on changes in the environment so that the deceptions are continuously relevant

Page 15

Deceptive Microsoft Office Beacon Files

• Detect and stop malicious insiders

• Turn real or deceptive Word and Excel files into a beacon for early attack detection

• Easy, customized deployment of deceptions at scale

[Diagram: workflow]

1. ILLUSIVE MGMT SERVER – MS deceptions deployed

2. OFFICE DECEPTIONS – deception / beacon tripped

3. ILLUSIVE CONSOLE – beaconized intel, real-time forensics

4. SOC IR – isolate & contain

Page 16

Protect IoT, OT, and Network Devices

• Eliminate threat detection blind spots. Capture rich forensics for attacker tactics & methods

• Flood the network with authentic-looking, deceptive OT infrastructure, IoT devices, switches, routers, printers, more…

• Frictionless deployment. No infrastructure interruption

[Diagram: workflow]

1. ILLUSIVE MGMT SERVER – select & deploy device emulations

2. OT EMULATION – emulation tripped

3. ILLUSIVE CONSOLE – real-time forensics: who, what, where

4. SOC IR – isolate & contain

Page 17

Illusive Forensics on Demand for Microsoft 365 E5

• Automated forensics collection for any system-generated security event, even from other cybersecurity solutions deployed

• Leverage E5 components (like MD ATP) to respond to Illusive alerts

• Agentless retrieval from the target system in <1s

• Rich artifact timeline for correlation against other Microsoft security tools (like Microsoft Sentinel or MD ATP)

• Increases SOC efficiency, speeds incident response

Instant forensic intelligence for ANY alert

Page 18

Illusive Forensics on Demand – At a Glance

• Collected automatically on:

  › REST API call

  › User request

  › Tripping a deception

• Volatile and non-volatile data

• Screenshots

• PowerShell and command line history

• Attack path to domain admins and crown jewels

Who benefits from real-time forensics collection?

• No EDR • EDR • Every Organization

Page 19

Democratized Forensic Data Enables Shift Left

Triage Time per Incident With Illusive Precision Forensics*

Empower Tier 1 and 2, free up Tier 3 for what truly matters

Tier     Before    After       Incidents per day (before)   Incidents per day (after)   Time saved
Tier 1   20min     1 to 5min   Avg 20                       80 to 400                   ~5hrs per day/per analyst
Tier 2   60min     <10min      Avg 6                        >36                         ~5hrs per day/per analyst
Tier 3   180min    <30min      Avg 2                        >10                         ~5hrs per day/per analyst

SHIFT LEFT

*Times can vary depending on uniqueness of incident, triage path and technical expertise of staff

Page 20

Illusive and Microsoft 365 E5 Together

• Deceptions based on Azure AD, Office and more

• Attack surface management in Microsoft environments

• Agentless protection ideal for environments beyond Microsoft

• Illusive forensics reduce triage and investigation time

• Triple zero within reach – no exposed connections, false positives or wasted investigation time

Page 21

THANK YOU

www.illusivenetworks.com