[Image: Counter Craft Calsecure Plan]

The Calsecure plan is a 5-year maturity roadmap created by the California Department of Technology to fill critical gaps in the cybersecurity programs of state departments within the executive branch.


CounterCraft is a pioneering provider of cyber deception and counterintelligence products for detecting targeted attacks. Although it is primarily a threat intelligence platform, CounterCraft's solution ultimately addresses 4 of the 7 priorities listed in the Calsecure plan:


  1. Operational Technology Security - YES
  2. Application Security - Partially
  3. Threat Intelligence Platform - YES
  4. Network Threat Protection - YES
  5. Network Threat Detection - YES
  6. Log Management - No, but does provide logs
  7. Data Loss Prevention - No

Operational Technology Security - YES


As mentioned in Gartner:


CounterCraft has developed a deception solution that can mimic specific operational technology (OT) environment architectures. Through the use of breadcrumbs with spoofed credentials, the CounterCraft solution can identify how threat actors try to move laterally across OT systems to understand their activities and targets. The CounterCraft platform can also be deployed externally beyond the network perimeter to detect attackers before they compromise the internal network. The targeted real-time intelligence can be used to initiate real-time threat hunting on the internal network and can be used to identify potential weakness in the current security toolset deployment.


The CounterCraft Cyber Deception Platform supports deception deployments that protect OT/SCADA infrastructures. The deployment creates a credible digital twin environment that mimics the systems found in production, into which the threat actor can be safely deflected and monitored.


The CounterCraft technical approach to deploying deception in OT environments uses three phases: first, map out the threat landscape; second, deflect the adversary into a deception environment where they interact with the IT side of the OT network; and finally, deploy a simulacrum OT network built from simulated services that can be configured to represent different OT equipment, such as PLCs, within the OT network.


Phase One: Detection and Identification of point of compromise.

Breadcrumbs are deployed pointing to a portal that offers access to the OT network. The portal is merely a web front end, but it not only detects attempts to access the OT network, it also indicates the point of compromise. For example, if breadcrumbs with credentials to the portal are distributed on endpoints, we can identify the compromised endpoint by the credentials used.


Phase Two: Deflection and Monitoring.

The next phase involves activating the previously deployed gateway and providing access to a simulated OT network control center. This network has an HMI server, a historian and other engineering stations that simulate a control center. Where possible, the systems deployed are the same as those used by the real network; the concept is to provide an environment realistic enough that the threat actor believes they have gained access to the real control center. At this point we can monitor and collect behavior patterns and the TTPs of the adversary, who has been safely deflected into the deception environment and poses no risk to the real production network.


Phase Three: OT Emulation.

The third phase introduces a deception OT network with simulated PLCs. CounterCraft has simulations for specific OT equipment such as terminal servers, antennae and specific switches, and also runs Conpot PLC simulation servers. The Conpot server by default responds to queries as a Siemens S7 PLC but can be configured to simulate multiple SCADA protocols.


Phase Four: Real OT Equipment.

This stage is currently in development. It will provide a tunnel from the control center into a real OT environment where real PLCs and OT hardware can be set up as an accurate replica of the production environment. The ETA for this functionality is H2 2022.
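As an added illustration of the Phase One mechanism (example code, not CounterCraft's own), the following Python sketches a decoy portal that keys each login attempt back to the endpoint on which that credential was seeded; the endpoint names, the portal username and the alert fields are assumptions.

```python
import hashlib
import secrets

# Hypothetical endpoint names; in a real campaign these are the hosts on
# which the decoy credentials are seeded (saved sessions, password stores).
ENDPOINTS = ["ws-eng-01", "ws-eng-02", "hist-srv-01"]

def _key(username: str, password: str) -> str:
    """The portal stores only a hash of each lure, never the cleartext pair."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

def mint_breadcrumbs(endpoints, portal_user="ot_admin"):
    """One decoy credential per endpoint. Same username everywhere, but a
    random password, so the pair presented at the portal identifies the host."""
    return [{"endpoint": ep, "username": portal_user,
             "password": secrets.token_urlsafe(12)} for ep in endpoints]

def build_registry(breadcrumbs):
    """Lookup table kept on the decoy portal: hash(lure) -> seeded endpoint."""
    return {_key(b["username"], b["password"]): b["endpoint"] for b in breadcrumbs}

def classify_login(registry, username, password, src_ip):
    """Every login attempt against the decoy portal is suspicious, since no
    legitimate user has a reason to reach it. A known breadcrumb additionally
    names the endpoint the lure was taken from: the point of compromise."""
    endpoint = registry.get(_key(username, password))
    if endpoint is not None:
        return {"severity": "critical", "verdict": "breadcrumb_used",
                "point_of_compromise": endpoint, "username": username,
                "src_ip": src_ip}
    return {"severity": "high", "verdict": "unknown_probe",
            "point_of_compromise": None, "username": username, "src_ip": src_ip}

if __name__ == "__main__":
    crumbs = mint_breadcrumbs(ENDPOINTS)
    registry = build_registry(crumbs)
    # Constructed attempt: the lure seeded on ws-eng-02 shows up at the portal.
    stolen = crumbs[1]
    print(classify_login(registry, stolen["username"], stolen["password"], "10.0.5.23"))
    print(classify_login(registry, "admin", "admin", "203.0.113.9"))
```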

Application Security - PARTIALLY (Application Vulnerability Exploits (Active SCA))


Also mentioned in Gartner's report:


CounterCraft has developed a deception solution that can mimic production environment architectures to include the software deployed on production assets. These deception assets can gather valuable intelligence on how your organization’s software is being attacked to include identifying vulnerabilities not previously reported. While CounterCraft’s deception solution does not inspect the codebase itself, it provides a vehicle to observe how attackers go after the software looking for vulnerabilities.

Threat Intelligence Platform - YES (Deception Driven Threat Intel)


The CounterCraft Cyber Deception Platform is designed to provide a robust platform to design, deploy and manage cyber deception in diverse and sometimes unreliable network infrastructures. It is designed to respond to the needs of threat hunting and threat intelligence collection campaigns, deployed with a wide range of credible, high-interaction deception assets, data and identities. The image below, courtesy of Gartner, details the use cases for deception technology, numbered 1 to 5. Use cases 1 and 2 are the basic ones, and CounterCraft deception meets them. What sets the CounterCraft solution apart from other vendors in this space is our ability to meet use cases 3-5, the more advanced requirements for deception technology. This illustrates one of the key strengths of the solution.

[Image: Counter Craft maturity (Gartner deception technology use cases 1-5)]

The CounterCraft solution collects and automatically extracts indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs). This enables proactive threat hunting. More specifically, the TTPs and IOCs provided enable intelligence-led threat hunting to take place and alleviate some key pain points for the SOC, which are primarily a lack of resources and time to carry out consistent and regular threat hunting activity.


Finally, active attacker engagement is provided through adversary manipulation, which allows the analyst to engage the attacker and obtain real-time intelligence on the attacker's possible strategic objectives. This engagement takes two approaches:


(a) directly via our automated ruleset which changes the deception environment in real time reacting to attacker activity – the aim of this engagement is normally to prolong the attacker dwell time in the deception environment to gather more intel and deflect the attacker further away from their aim.


(b) the other approach for active engagement is to send machine readable intel collected from the deception environment into other security systems (for example via SOAR platforms) so they can be reconfigured on-the-fly to protect from the attacker.


The CounterCraft automated deception platform delivers real-time intelligence to the analyst. The level of granularity of the intelligence includes, but is not limited to:


i. Calls to command-and-control servers

ii. Tools and ports used on the deception asset

iii. Malware and other tool kits deployed onto the deception assets

iv. Programs initiated and commands called

v. DNS calls and ports used

vi. IOCs & TTPS

vii. Process and memory dumping


The IOCs will be automatically mapped to CounterCraft's Threat Actor database and will identify any IOCs that are being used by threat actor groups that CounterCraft is tracking. It is possible for the ESM to add its own threat actor intelligence to the data that comes built into the solution. This automated mapping of IOCs will save time, money, and resources in responding to alerts.

Network Threat Protection - YES


As described in the excerpt above,

"The targeted real-time intelligence can be used to initiate real-time threat hunting on the internal network and can be used to identify potential weakness in the current security toolset deployment."


Network Threat Detection - YES


Also described in the excerpt above,

"The CounterCraft platform can also be deployed externally beyond the network perimeter to detect attackers before they compromise the internal network."


External and Internal Deception:

The CounterCraft solution has the ability to deploy campaigns both inside and outside of the traditional enterprise network boundary. This means you do not have to wait for an attacker to breach your network. You can be proactive in your security operations and deploy CounterCraft on the external attack surface of your organization to gather intelligence on those targeting your organization from outside.


This in turn allows you to meet a wide range of use cases. You are not limited to the post-breach detection of lateral movement on internal networks, which is the main use case our competitors are optimized for. You can use the CounterCraft solution for the detection of lateral movement and many more use cases. A few are listed below:


External deception campaigns (Network Threat Detection):

In addition to deploying deception campaigns externally, the CounterCraft automated deception platform allows an organization to deploy deception environments within the network perimeter and externally, concurrently. This allows a customer to protect their internal network and focus on threats such as insider threat while at the same time running detection campaigns that catch nation-state threat actors or cybercriminals while they are in the reconnaissance phase of the attack cycle. This delivers real-time threat intelligence, but in addition clients are able to capture detailed patterns of attacker behavior that go beyond what is delivered as threat intelligence. For example, a customer can capture the first five behaviors the adversary displays and check whether that pattern is repeated across the deception artifacts they come across. If so, this can form the basis of a structured threat hunting exercise. So, in summary, the tool allows the customer to:


1. Run deception campaigns concurrently (inside and beyond the organizational perimeter)

2. Collect real time intelligence

3. Collect observed behavioral patterns

4. Feed the patterns into a threat hunt
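The "first five behaviors" check described above, as an added example (not CounterCraft's own code) that generalizes to the first n actions: constructed deception telemetry is grouped per session, the opening sequence is extracted, and sequences repeated across several deception assets are returned as hunt candidates. The artifact names, session ids and action labels are assumptions.

```python
import random
from collections import defaultdict

RECON = ["ssh_login", "whoami", "cat /etc/passwd", "wget", "chmod +x"]

def _session(artifact, session, actions):
    """Ordered events for one attacker session (constructed sample data)."""
    return [{"artifact": artifact, "session": session, "ts": i, "action": a}
            for i, a in enumerate(actions, start=1)]

# Constructed deception telemetry, not real CounterCraft output. The same
# opening sequence is seen on an external decoy and an internal file server;
# a third, shorter session on a decoy domain controller starts differently.
EVENTS = (_session("ext-vpn-decoy", "s1", RECON + ["./payload"])
          + _session("int-file-srv", "s2", RECON + ["smbclient"])
          + _session("int-ad-decoy", "s3", ["rdp_login", "net user", "net group"]))
random.Random(7).shuffle(EVENTS)   # telemetry rarely arrives in order; sorted below

def first_n_actions(events, n=5):
    """{(artifact, session): tuple of the first n actions}, ordered by timestamp."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["artifact"], e["session"])].append(e)
    return {k: tuple(e["action"] for e in sorted(v, key=lambda e: e["ts"])[:n])
            for k, v in by_session.items()}

def repeated_patterns(events, n=5, min_artifacts=2):
    """Opening sequences observed on at least min_artifacts distinct deception
    assets: the candidates the text describes for a structured hunt."""
    seen = defaultdict(set)
    for (artifact, _), pattern in first_n_actions(events, n).items():
        if len(pattern) == n:        # sessions too short for a full pattern are skipped
            seen[pattern].add(artifact)
    return {p: sorted(a) for p, a in seen.items() if len(a) >= min_artifacts}

if __name__ == "__main__":
    for pattern, artifacts in repeated_patterns(EVENTS).items():
        print(" -> ".join(pattern), "| seen on:", ", ".join(artifacts))
```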


Early detection within customer environments (Network Threat Protection):

Due to its unique ability to run concurrent campaigns, CounterCraft can gather intelligence on pre-staging activity and provide early detection of attacks within the customer environment. Breadcrumbs can be seeded onto digital assets that are part of the corporate network; they detect attackers and redirect them to a range of deception assets that can be stood up for the customer, from simple file and print servers and application servers all the way through to fake Active Directory domain controllers. Once in the deception environment, the adversary can be manipulated through rules-based adversary manipulation, degrading and slowing down the attackers. The rich IOC and TTP telemetry that is collected can be seamlessly integrated into a range of third-party tools that allow real-time threat hunting to take place. The objective of the hunt is to provide customers with the data they need to understand what other beachheads the attackers may have elsewhere in the network.

Log Management - NO (Although they do provide logs that can be used in your log management systems)


Every event captured within our platform produces a log that is stored in one of our two internal databases, but we are not a traditional log management system like a SIEM or syslog server. Typically, our customers take the logs we generate and pass them to systems specifically designed for the purpose of log management.


CounterCraft's deception solution gathers complete logs of the actions actors take within the deception environment. The Deception Director provides a management console to map these events to the MITRE ATT&CK framework and to analyze the logs. The analysis tools include presenting events in a timeline, by location and by TTPs observed, plus EQL/FTS search capability. Our Deception Director also integrates with the major SIEM/SOAR solutions, automating the transfer of logs collected within the deception environment for consolidated review and analysis.

Data Loss Prevention - NO


In the truest sense of the term, no, we are not a DLP solution; that would be more Forcepoint or Digital Guardian. However, deception environments are architected to lure threat actors into deception assets, keep them busy, provide real-time alerts of active threats, and give the security team time to mitigate risks and minimize data loss. With pre-breach or reconnaissance detection, security teams have time to respond, prevent a catastrophic event and minimize data loss.

For more information about CounterCraft, please reach out to our sales team at sales@acuitytechnical.com.