Deception in Government Isn’t Always a Bad Thing (Learn More, Multi-Video)

By Carolyn Crandall, Chief Marketing Officer at Attivo Networks, Inc.

Using the word deception and government together is not viewed as surprising and will typically elicit a chuckle or possibly, even a groan.

Deception in the government dates back to Franklin Roosevelt when he colluded with the media to hide the effects of polio, to President Kennedy when he made a secret deal with the Soviet Union to remove missiles in Turkey after the Cuban missile crisis, to Watergate.

And then there’s today’s political landscape, but I will choose to not open that Pandora’s box!

Deceptive techniques have also been used for years in the military for offensive countermeasures.

Deception is now being applied to cybersecurity practices in order to detect cyberattacks and protect critical information and infrastructure.

In this situation, deception is an incredibly good thing.

(See a brief introduction to deception technology and the Attivo Networks ThreatDefend™ Deception and Response Platform. Courtesy of Attivo Networks and YouTube)

Cyber attacks are on the rise, with government remaining in the top list of targets.

Existing security infrastructure is deeply entrenched in prevention controls and has many gaps that provide opportunity for breach.

Agencies are actively looking at methods to close these gaps and deception-based detection technology is proving to be an attractive and viable option for early detection and protection of government networks.

Courtesy of the General Accounting Office (GAO)
Courtesy of the General Accounting Office (GAO)

In 2016, the General Accounting Office (GAO), published results of a survey that found among 24 U.S. federal agencies, the number of cyber attacks had climbed 1,300 percent between 2006 and 2015, from 5,500 to more than 77,000 per year.

Among those 24 agencies, 18 possess “high-impact systems” information that if lost could cause “catastrophic harm” to individuals, the government or the country.

In addition to the increase in the number of attacks, the rationale behind attacks is becoming increasingly murky.

Attacks are eventually being discovered, but all too often, after the attacker’s tracks are wiped clean.

Attivo Networks

Without verification of what hackers are trying to steal and attribution, it’s difficult to know what paths to information assets to protect or to understand the motivation.

Better insight into motivation can be invaluable in not only protecting one agency, but also in understanding which agency might be next.

For example, in the 2016 Office of Personnel Management (OPM) breach, where 21 million records were stolen, the reason behind the attack remains unclear.

(More than 21 million Americans had personal data stolen from files held by the Office of Personnel Management. Anyone who went through background checks to apply for a government position since 2000 has been affected, according to the OPM. Courtesy of PBS NewsHour and YouTube)

While fingers point to the Chinese military as the culprits, there is still no definitive evidence of the hackers’ long-term intentions.

Among the theories: that the Chinese government wants to track down dissidents, that it is collecting potentially embarrassing information to compromise U.S. government officials, and even that they want to graft fingerprints of U.S. government personnel with high security clearance onto their own agents!

Tony Scott, the former U.S. federal CIO, responded to OPM with creation of the Cybersecurity National Action Plan (CNAP).

Tony Scott, the former U.S. federal CIO
Tony Scott, the former U.S. federal CIO

While a giant leap forward, one significant flaw is that CNAP continues to focus on prevention and does not focus sufficiently on in-network threat detection, which is needed to reduce the time to detection.

Lengthy time to detection provides attackers the advantage they need to mount and complete their attacks.

Prevention technologies, such as antivirus, firewall and secure gateway solutions attempt to stop cyber attacks at a network’s perimeter.

These are critical to protecting a network, but are not effective against new strains of malware, stolen credential attacks or the employee, contractor or supplier that already has access within the network.

In today’s connected society, it is imperative that government IT teams take an assumed breach security posture and augment traditional prevention technology with detection technology.

Access control and monitoring are important, but should also be augmented by detection technologies that take a different approach to pattern matching or data base look up.

Deception technology has been growing in adoption based on its efficiency in detecting in-network attackers by laying traps and lures designed to deceive attackers into revealing themselves.

Deception-based detection technology, such as Attivo Networks’ ThreatDefend™ Deception and Response Platform, provide the eyes and ears visibility to the threats that have evaded prevention solutions.

When placed as a layer of defense inside the network along with traditional prevention security controls, this creates a formidable, comprehensive adaptive defense to prevent breaches before maturation.

Attivo Networks Distributed Deception Response Platform

The ThreatDefend solution is designed for efficient, early detection of advanced cyber threats targeting sensitive government information such as employee PII, communications systems, missile systems and infrastructure such as dams and power plants.

In particular, ThreatDefend provides detection of attacker reconnaissance, stolen credential, and Active Directory attacks, while providing automated attack analysis that can be used to better understand the attack and accelerate incident response.

Government organizations including DoD, civilian and the intelligence community have long qualification processes for new products, run on systems that are not easy to take off-line or run on older systems that cannot be patched, making them more vulnerable to attack.

An aggressive detection capability that lets them know when security controls fail should be a part of every agency’s modernization plans.

Why deception technology?

Deception accurately and efficiently detects in-network threats that have bypassed prevention and evaded other detection security controls.

Designed for in-network detection, the solution will outmaneuver modern-day attackers and deceive them into revealing their presence.

Authentic decoys that appear identical to production assets, attractive lures, and adaptive deception campaigns make the entire network a trap and creates a setting where what is real and what is not becomes unclear to the attacker.

ThreatDefend high-interaction network and end-point deception reduces the time to detection, cutting into that critical window between attack and discovery, while automated attack analysis, high-fidelity alerts, third-party integrations, and playbooks are used to accelerate incident response.

Additionally, the ThreatDefend platform addresses alert fatigue and will only alert based on substantiated attacker engagement.

This eliminates the false positives that can drain a government IT team’s time and resources.

Visibility tools also help agencies avoid and understand attacks by providing attack path vulnerability assessments and time-lapsed replays, empowering teams with insight into attacker lateral movement and security gaps.

Designed for scalability, the ThreatDefend platform gives agencies the flexibility to start with base detection capabilities and expand platform usage based upon their business requirements.

ThreatDefend is Common Criteria EAL 2+ certified, FIPS 140-2 certified, and is available for procurement on many popular federal contract vehicles, including GSA Schedule.

Attivo Networks Kill Chain
Attivo Networks Kill Chain

Moving forward, there are several trends that government IT teams should be aware of as they formulate and execute their security infrastructure strategies.

Enterprises have traditionally spent approximately 75 percent of their security budgets on prevention solutions.

That ratio is now roughly 50/50 for prevention as compared to detection. 

It is in Government IT team’s best interest to mirror that shift.

A second trend is that enterprise IT teams are focused not just on detecting a threat, but:Attivo Networks

  1. Being able to accelerate response actions such as blocking, quarantine, and threat hunting
  2. Sharing threat intelligence information in order to eradicate the threat and help other agencies strengthen their defenses, and
  3. Integrating products to create more value from existing security controls.

For example, the Attivo ThreatDefend platform will detect a breach, and share full attack techniques, tactics and processes (TTP) with firewalls, SIEMs, NAC, and end-point devices, which will block and isolate infected endpoints from the network and prevent additional infection or harm.

There’s an old saying, “Be careful who you trust, the devil was once an angel.”

In today’s environment where threats lurk everywhere and it’s well known that government agencies are still modernizing their defense strategies, it pays to be extra vigilant.

An adaptive defense that includes deception will create a powerful adversary for the modern-day attacker, derailing their attacks and increasing their costs.

(Hear More from the author Carolyn Crandall, on the philosophy Behind Deception Technology. Courtesy of Attivo Networks and YouTube)

Attivo Networks ThreatDefend in 2017 ‘ASTORS’ Homeland Security Awards Program

The 2017 ‘ASTORS’ Homeland Security Awards Program, is organized to recognize the most distinguished vendors of Physical, IT, Port Security, Law Enforcement, First Responders, (Fire, EMT, Military, Support Services Vets, SBA, Medical Tech) as well as the Federal, State, County and Municipal Government Agencies – to acknowledge their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’

As an ‘ASTORS’ competitor, Attivo ThreatDefend will be competing against the industry’s leading providers of Innovative IT Intrusion Detection & Prevention Solutions.

American Security Today will be holding the 2017 ‘ASTORS’ Awards Presentation Luncheon at 12:00 p.m. to 2:00 p.m, Wednesday, November 15th at ISC East, the Northeast’s largest security industry event, in the Jacob Javits Exhibition Center in New York City.

At ISC East you will have the chance to meet with technical reps from over 225 leading brands in the security industry, allowing you to find out about new products and stay ahead of the competition.

Encompassing everything from Video Surveillance and Access Control to Smart Home Technologies and Unmanned Security, you’re sure to find products and services that will benefit your company and clients.


Good luck to Attivo ThreatDefend on becoming a Winner of the 2017 American Security Today’s Homeland Security Awards Program!

To learn more about ThreatDefend and Attivo Networks wide range of offerings, please visit the company’s website at