When Skyhawk set out to develop a new cloud security solution it was already clear that traditional security paradigms were not appropriate for cloud environments. Traditional security was built to secure on-premises environments. These environments were protected by numerous security controls (firewalls, sandboxes), and malicious software was introduced by USB drives, email or clicking on malicious links.
Then, threat actors established a foothold in the organization, performed reconnaissance, gained permissions, found what they were looking for and tried to encrypt it or exfiltrate it. These activities usually took a long time to execute and were rather “noisy”, allowing security systems to alert and security teams to respond. Alas, when it comes to the cloud, things move quicker and are harder to detect. Hence, adapting traditional EDR (endpoint detection and response) and threat detection to cloud environments was not successful. Such a solution is passive: it analyzes cloud telemetry and tries to identify malicious patterns. An alert is shown to the analyst, who is required to investigate whether it is an actual intrusion or simply a false positive caused by user behavior.
More AI and automation were needed, but where?
Since cloud attacks are increasing (with over 80 percent of data breaches involving data stored in the cloud), the velocity of AI-empowered attacks is increasing too. SOC teams will be overwhelmed and most likely fail to respond on time (not to mention that attackers are aware of organizational weaknesses such as weekends and holidays and tend to strike when the organization is less prepared). Many vendors acknowledge these pitfalls and have suggested countering them with increased post-breach automation. The idea, however valid, seems to falter when tested in real environments. Setting off a pre-planned set of actions when an alert occurs can seriously interfere with production environments and have an adverse effect on business operations (bear in mind that these solutions were designed for on-premises environments, not the cloud). Such playbooks can cause more harm than good when put into action in a real, “messy” production environment. In fact, many organizations are reluctant to use automated responses because of such fears.
Harnessing AI and automation BEFORE the breach
At Skyhawk, we’ve acknowledged the shortcomings of both threat detection and post-breach automation and decided to leverage AI and automation PRIOR to the breach.
We built a machine that perpetually “attacks” the cloud environment, tests and validates responses to real attacks and helps the organization prepare for an actual attack. When such an attack occurs, the security staff will have a set of validated responses which can be activated to counter a specific attack pattern and mitigate it quickly.
We know that attackers are already using AI to create novel attacks. Only by using similar techniques do defenders stand a fighting chance. Hackers will use AI not only to generate large-scale attacks but also to find the “path of least resistance” and exploit it.
It is important to note that the simulated attacks are based on real-world methods and techniques and are augmented by AI to represent actual threats (and additional ones which can occur in the near future). Also, these attacks aren’t actually executed (so as not to damage production environments); instead they produce a significant outcome: a set of tested responses that, when needed, can be activated without the fear of causing harm.
How does this work?
Skyhawk automatically maps the organization’s inventory and presents the network topology and assets, with an emphasis on the “Crown Jewels”.
All the probable attack paths leading to these Crown Jewels are mapped, including utilization of compromised identities to “hop” between environments.
Then, the simulation engine runs attacks using available attack techniques and presents synthetic data illustrating how the attack would appear. This is transferred to the CDR to build automated responses and is also displayed to the administrator, who can change permissions to reduce unnecessary risk (such as unused permissions or unnecessary permissions given to employees). After each risk is addressed, the simulation is run again to ensure that everything works well. Since an organization’s environment changes on a daily basis (for example, users are added or removed, and permissions are changed as employees’ roles change), the simulation has to be run daily to keep up with the changing environment. During this ongoing process, new techniques are identified and added to the simulation database, and the engine keeps utilizing these building blocks to create new attacks, every time in a different way.
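The mapping and re-run loop above, as an added toy model (not Skyhawk’s code): assets and identities are nodes, permissions are edges, one asset is a Crown Jewel, paths that “hop” between environments are counted, and the simulation is re-run after an unused permission is removed. All names and the inventory are constructed.

```python
# Added toy model of the mapping/simulation loop: nodes are assets and
# identities, edges are permissions, one asset is a Crown Jewel, and the
# simulation is re-run after a permission is removed. Names are constructed.

def find_attack_paths(graph, entry, crown_jewels):
    """Enumerate simple paths from `entry` to any Crown Jewel (depth-first)."""
    paths = []

    def dfs(node, path):
        if node in crown_jewels and len(path) > 1:
            paths.append(list(path))
            return
        for nxt in graph.get(node, ()):
            if nxt not in path:  # simple paths only, avoids cycles
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(entry, [entry])
    return paths

def cross_environment_hops(path, env_of):
    """Count identity 'hops' along a path that cross an environment boundary."""
    return sum(1 for a, b in zip(path, path[1:]) if env_of[a] != env_of[b])

def remove_permission(graph, src, dst):
    """Return a copy of the graph with the src->dst permission removed."""
    return {n: [t for t in targets if not (n == src and t == dst)]
            for n, targets in graph.items()}

# Constructed sample inventory: edge = "can assume / can access".
SAMPLE_GRAPH = {
    "web-instance": ["ci-role"],
    "ci-role": ["artifact-bucket", "prod-admin-role"],  # prod-admin-role unused by CI
    "prod-admin-role": ["customer-db"],
    "artifact-bucket": [],
    "customer-db": [],
}
SAMPLE_ENV = {"web-instance": "dev", "ci-role": "dev", "artifact-bucket": "dev",
              "prod-admin-role": "prod", "customer-db": "prod"}
CROWN_JEWELS = {"customer-db"}

def run_simulation(graph, entry="web-instance"):
    """One simulation round: (path, cross-environment hops) per attack path found."""
    return [(p, cross_environment_hops(p, SAMPLE_ENV))
            for p in find_attack_paths(graph, entry, CROWN_JEWELS)]

# Before: one path web-instance -> ci-role -> prod-admin-role -> customer-db (1 hop).
# After removing the unused ci-role -> prod-admin-role permission: no path.
```

Running the round a second time on the pruned graph is the “re-run after each risk” step; a real deployment would rebuild the graph from the day’s inventory before every round.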
Benefits
Prioritization: Any organization with a modern IT infrastructure has thousands of software vulnerabilities. Remedying all of them would be impossible, so organizations must prioritize, focusing on the most acute vulnerabilities and the ones exposed to the outside world. This gives a false sense of security, because internal vulnerabilities could easily be exploited as well. With Purple Team simulation technology, organizations can now prioritize the fixing of internal vulnerabilities too.
Trust: The ongoing simulation process shows a complete view of the attack, including not only the probable path but also all the means to exploit the vulnerability. The response is presented (before approval) so the user can understand its impact before it is run. This helps build trust in the automation process.
Summary
The Skyhawk Purple Team CTEM solution is available and used successfully by multiple security teams, who use it to pre-verify alerts, reducing the risk of responding to false positives and providing immediate and precise remediation of threats. Interested in a Purple Team Assessment? Learn more!