How CounterCraft Supports Zero Trust

The U.S. White House’s Office of Management and Budget  has mandated that agencies meet specific cybersecurity standards related to a Zero Trust Architecture (ZTA) strategy by the end of Fiscal Year 2024. The goal is to reinforce the US government’s defenses against increasingly sophisticated and persistent threat campaigns targeting federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in government. In essence, FY2024 will be ALL about Zero Trust.

The path to zero trust is an incremental process that may take years to implement. However, in the long term, zero trust will enable a more prudent allocation of security investments toward the most critical data and services, across the entire enterprise. Complying with this mandate, allows an agency to look at making holistic changes to its cybersecurity architecture and incorporating solutions like CounterCraft Deception Technology to promote a defend forward (Proactive) approach to warding off cybersecurity threats.

Take our quiz today to find out how deception technology can work for your organization >

Recently we’ve been asked by our advisors to outline how CounterCraft’s solutions specifically match up to the Department of Defense’s (DoD) Zero Trust Roadmap. The mapping below correlates with the DoD’s Roadmap, so read on to find out how our capabilities complement DoD’s ZTA goals and a guide to follow for the DoD baseline course of action (COA).

• 1.3.1 – Organizational MFA/IDP
• 1.5.1 – Organizational Identity Life-Cycle Management
• 1.5.2 – Enterprise Identity Life-Cycle Management Pt1
  •   The CounterCraft Platform supports the SAML federation protocol. This allows CounterCraft to seamlessly integrate with MFA or IdP solutions.
  •   Natively to the CounterCraft Platform user’s passwords are hashed using the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. There is a minimum password length requirement of 8 characters.
  •   Users can also protect their accounts by enabling two-factor authentication (2FA) that uses Google Authenticator.

• 2.7.1 – Implement Endpoint Detection & Response (EDR) Tools and Integrate with C2C
• 2.7.2 – Implement Extended Detection & Response (XDR) Tools and Integrate with C2C Pt1
  • CounterCraft Deception when integrated with XDRs provides high-fidelity alerts that allow organizations to protect legitimate assets early, while the attacker is still in the decoy environment, allowing enterprises to learn from the attacker’s TTPs and IoCs.
  • CounterCraft Deception adds the ability to deflect and quarantine an adversary while collecting real-time, actionable, and relevant intelligence to enable intelligent response and risk mitigation to the powerful XDR detection and response capability.
  • CounterCraft facilitates the Correlation of early detection telemetry provided by deception with other cyber vendor products for maximum coverage, context, and insight.
  • Deception provides high-confidence alerts when integrated with XDR, allowing organizations to protect legitimate assets while the attacker is in the deception environment.

§  Note – The CounterCraft Product team is currently working on Integrations with leading EDR/NDR/XDR providers.

• 3.2.1 – Build DevSecOps Software Factory Pt1
• 3.2.2 – Build DevSecOps Software Factory Pt2
• 3.3.2 – Vulnerability Management Program Pt1
• 3.3.3 – Vulnerability Management Program Pt2
  • CounterCrafts Deception Platform can identify exploitable vulnerabilities in software used across the corporate network in microservice architectures. This will allow an organization to gain advanced insight into production service weaknesses to enable actionable counterintelligence and observe subsequent threat methodology in highly instrumented decoys.
  • The CounterCraft Deception Platform provides file hashes, malicious binaries (if planted by a threat actor), and forensic data i.e., memory dumps + PCAP files.
  • Rules can be configured within the CounterCraft Platform to detect the exploitation of specific CVEs within the deception environment.

• 4.3.1 – Implement Data Tagging & Classification Tools
• 4.3.2 – Manual Data Tagging Pt1
• 6.3.1 – Implement Data Tagging & Classification ML Tools
• 7.3.1 – Implement Analytics Tools
  • Within the CounterCraft Deception Platform, a Tag is a label that can be affixed to different entities in the Console to categorize them.
  • There is a pre-existing list of Tags. These are special Tags that the system uses to categorize Events and Objects to assist with their analysis.
  • Most Tags are used by the system to automatically categorize MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs). For example, the attack::T1003 Tag will be added to any Events or Objects where the MITRE ATT&CK TTP with an ID of T1003 has been detected.
  • Other system Tags include: TOR_NODE Known Tor exit node, VPN: Known VPN exit node (added if you are using an IPABUSE integration), Datacenter: IP address belongs to a known Hosting Provider, Data Center, or Content Delivery Network (added if you are using an IPABUSE integration), Public Proxy: IP address known to act as a Public Proxy (added if you are using an IPABUSE integration), and Web Proxy: IP address known to act as a Web Proxy (added if you are using an IPABUSE integration)

• 5.4.4 – Protect Data In Transit
  • All the connections between CounterCraft the web console, Deception Support Node(s) (DSN), and deception Hosts are authenticated and encrypted using digital certificates.
  • The agent that resides on the deception hosts communicates with the DSN using TLS 1.3. Clients must authenticate either with client certificates or signed and encrypted tokens. All the traffic is encrypted. All the traffic from the ServerHello message onwards is encrypted. The communication between the Deception Director and the DSN is done via SSH. All the traffic is encrypted. It provides forward secrecy for all connections. All traffic after the SSH server hello is also encrypted.

• 6.2.2 – Enterprise Integration & Workflow Provisioning Pt1
• 6.5.1 – Response Automation Analysis
• 6.5.2 – Implement SOAR Tools
• 6.6.2 – Standardized API Calls & Schemas Pt1
• 6.6.3 – Standardized API Calls & Schemas Pt2
• 6.7.1 – Workflow Enrichment Pt1
• 6.7.2 – Workflow Enrichment Pt2
  • CounterCraft addresses active attacker engagement by sending machine-readable intel collected from the deception environment into other security systems i.e. SOAR platforms, so they can be reconfigured instantly to protect assets from the attacker. There is also out-of-the-box integration with several different SIEMS and SOAR platforms so alerts can also be sent too in real-time.
  • The CounterCraft API is a standard REST API that supports basic CRUD operations. Our API has predictable, resource-oriented, URLs and uses HTTP verbs and response codes.
  • Automated, conditional, responses to adversary activity can be programmed into each Campaign using Rules. Automated rulesets change the deception environment in real-time by reacting to attacker activity – this engagement aims to prolong the attacker’s dwell time in the deception environment to gather more intel and deflect the attacker further away from their aim. Once in the deception environment, the adversary can be manipulated through the use of rules-based adversary manipulation thereby degrading and slowing down the attackers.
  • The CounterCraft Deception Platform provides a wealth of information including PCAP, Memory Dump, IOCs, Telemetry, TTPs, file hashes, malicious binaries, and post-breach activity (commands/calls made by threat actors). frameworks and forensic data and post-breach activity.

• 7.2.1 – Threat Alerting Pt1
• 7.2.2 – Threat Alerting Pt2
• 7.2.4 – Asset ID & Alert Correlation
• 7.5.1 – Cyber Threat Intelligence Program Pt1
• 7.5.2 – Cyber Threat Intelligence Program Pt2
  • Security alerts are generated in real time and can be sent via email, Telegram, or mobile devices. There is out-of-the-box integration with several different SIEMS and SOAR platforms so alerts can also be sent too in real-time.
  • The CounterCraft Deception Platform provides a wealth of information including PCAP, Memory Dump, IOCs, Telemetry, TTPs, file hashes, malicious binaries, and post-breach activity (commands/calls made by threat actors). We have ~50 out-of-box connectors and a RESTful API that allows us to integrate with various SIEMs in addition to Syslog Servers and CTI tools like Virus Total.
  • The CounterCraft Deception Platform reports in real-time all activity that happens within the deception environment no matter if it’s a BOT or APT (human threat actor). All of these events, alerts, notifications, and Threat Intelligence are stored within our platform for a specified amount of time.
  • You can use the real-time tailored actionable threat intelligence with context (MITRE ATT&CK/ENGAGE) in addition to the high-level gap analysis information via NIST 800-53 to harden your production defenses.

If your agency is currently working towards implementing zero trust principles into your environment and you want to take this opportunity to implement proactive cybersecurity measures feel free to reach out to us for more information on how CounterCraft can be a force multiplier to your ZTA strategy, contact us for a demo today.

---