Secured integration to the future

Utilizing Deception Solution in the Implementation of SOC for Galnaftogaz

17.04.2024

Cybersecurity is an ongoing battle between defence teams and adversaries. Tools and attack methods evolve constantly, yet one axiom remains: attackers look for the weakest links in a company's cyber defence. Even organizations that are fully confident in the protection of their external perimeter may harbour weaknesses inside the network. In this case study, we examine how a deception solution was applied to address internal network security challenges.

Client's Challenge

One of our clients, Galnaftogaz, operates a network of gas stations in Ukraine. Providing uninterrupted service to customers in this sector is paramount, so the security of their IT infrastructure is critical.

We have been collaborating with Galnaftogaz for a considerable time, and this client has consistently been open to our unconventional solutions and proposals. Having built mutual trust, they are not afraid to take risks in pursuit of innovation, and are willing to try out new solutions and employ cutting-edge cybersecurity tools.

Previously, we implemented a series of cybersecurity measures for Galnaftogaz, including establishing a Security Operations Center (SOC) and deploying other cybersecurity tools. During routine penetration tests that used attack simulations (red/blue team exercises), we identified the need for additional protection within the internal network. It became apparent that an attacker who had breached the perimeter could remain undetected inside the network for a long time before launching the actual attack.

Our team began searching for suitable internal network defence measures, recognizing that attacks on a business's IT infrastructure can be exceptionally destructive. Attackers can lurk within a system for extended periods before taking active steps. For instance, in the case of the Kyivstar breach, the intruders remained undetected inside the network for over nine months.

Why Choose Deception Solutions for Protection?

Deception is a class of cybersecurity tools aimed at proactively detecting threats and alerting the organization at the earliest stage of an intruder's movement within the internal network. Such a system, hence the name "labyrinth", builds a network of traps, or decoys, that mimic real assets of the information system. The technology not only makes it possible to identify attackers in the initial phase of their internal reconnaissance, but also to neutralize the threat before it causes tangible harm.

“We decided to propose this solution for 'Galnaftogaz.' The Labyrinth Deception Platform is a product from a team of Ukrainian developers whose solutions we periodically integrate into our projects. At the time of the tender, the platform was in an active development phase, allowing for customization and adding features tailored to the client's requirements — a significant advantage. Before this, we had explored alternatives from Western developers, but they lacked the flexibility in pricing and toolsets,” notes Dmytro Petrashchuk, CTO IT Specialist.

The effectiveness of deception technology lies in creating the illusion of easy prey. This entices attackers to interact with a controlled environment of simulated resources, such as fictitious user accounts or databases. Crucially, no legitimate user or business process has any reason to touch these resources: they are separated from the real workflows of the network. Therefore, any attempt to engage with them is highly suspicious and serves as a high-fidelity indicator of intrusion.

Solution Implementation Features

Initially, we deployed a pilot, and the client was somewhat underwhelmed: a deception system stays silent until something touches a decoy, so the demonstration produced no alerts and no threats were observed. However, during deeper penetration testing with simulated attacks, the deception system demonstrated its strength in flagging atypical behaviour originating from inside the network.

“Deception is a highly promising direction. Such solutions create conditions where the advantage during attacks remains with the cybersecurity professional. It changes the game's rules, where attackers have no room for error, and IT professionals only need to react and halt the attack. This product is designed based on real needs and real daily tasks. For us, this case serves as a portfolio, reference, and a source of recommendations for other clients,” says Yuri Gatupov, head of the iIT Distribution company.

A notable aspect of the implementation was the deep integration with the existing monitoring systems, in particular the SIEM. This created a bidirectional communication channel between the deception platform and the security analysis tools: alerts about attacks on the decoy environment flow into the SIEM, and the SIEM's view of activity on real hosts is correlated with them, expanding the capabilities for threat detection and neutralization.

“Above all, this solution suited us because it met our internal protection needs. Secondly, it's the balance between price and quality. Thirdly, we received a highly personalized solution that cannot be found on the market in a ready-made form. Thus, we achieved a 3-in-1 solution and addressed our requests in several directions,” notes Oleg Matata, head of the cybersecurity department at Galnaftogaz.

Furthermore, this integration gives the security monitoring system an additional sensor for incident analysis. It lets the company detect and verify atypical activity, for example attempts to use the fake (honeytoken) accounts on other, real hosts, which the deception platform alone would never see.
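To make the two signals concrete, the following is an added illustration written for this page; it is not code from the Labyrinth Deception Platform, IT Specialist or Galnaftogaz. It shows the logic a SIEM correlation rule needs for both points above: any session to a decoy host is an incident, and any logon attempt with a planted honeytoken account, on any host and whether or not it succeeds, is an incident. The decoy inventory, the key=value log format, the addresses and account names, and the allow-listed vulnerability scanner are all constructed assumptions.

```python
"""Added example (not the platform's code): turn decoy interactions and
honeytoken-credential use into SIEM-style alerts.

The decoy inventory, the log format and the sample events below are
constructed for illustration and are assumptions, not real data.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed decoy inventory (hypothetical addresses and names).
DECOY_HOSTS = {
    ipaddress.ip_address("10.20.5.201"): "decoy-fileserver",
    ipaddress.ip_address("10.20.5.202"): "decoy-sql",
}
# Honeytoken accounts planted on real hosts (cached creds, config files).
# No legitimate process ever uses them, so any logon attempt is an incident.
DECOY_ACCOUNTS = {"svc_backup_old", "adm_legacy"}
# Assumption: an authorized vulnerability scanner that is allowed to touch
# decoys; everything else that reaches a decoy is suspicious.
SCANNER_ALLOWLIST = {ipaddress.ip_address("10.20.1.10")}


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    src: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value key=value' log line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if the event touches a decoy asset, else None.

    Signal 1: a connection to a decoy host (unless from an allow-listed
              scanner) - the intruder found the 'easy prey'.
    Signal 2: a logon attempt with a honeytoken account on ANY host,
              successful or not - the planted credential was harvested.
              Only the SIEM sees this; the decoy platform alone never
              observes a logon against a real host.
    """
    kind = event.get("event")
    src = event.get("src", "?")
    if kind == "conn":
        dst = ipaddress.ip_address(event["dst"])
        if dst in DECOY_HOSTS:
            if ipaddress.ip_address(src) in SCANNER_ALLOWLIST:
                return None
            return Alert("high", "decoy_interaction", src,
                         f"connected to {DECOY_HOSTS[dst]} ({dst}) "
                         f"port {event.get('dport', '?')}")
    elif kind == "logon":
        user = event.get("user", "")
        if user in DECOY_ACCOUNTS:
            return Alert("critical", "honeytoken_credential_use", src,
                         f"account {user} used on {event.get('host', '?')} "
                         f"({event.get('result', 'unknown')})")
    return None


def detect(lines) -> list:
    """Run each non-empty line through evaluate() and collect the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = evaluate(parse_event(line))
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: a normal logon, the allow-listed scanner
# touching a decoy, a workstation opening SMB to a decoy, and a failed
# logon with a planted account against a real domain controller.
SAMPLE_LOG = """
ts=2024-04-01T08:01:00Z event=logon host=WS-113 user=o.ivanenko src=10.20.7.55 result=success
ts=2024-04-01T08:05:12Z event=conn src=10.20.1.10 dst=10.20.5.201 dport=445
ts=2024-04-01T08:07:40Z event=conn src=10.20.7.90 dst=10.20.5.201 dport=445
ts=2024-04-01T08:09:03Z event=logon host=SRV-AD01 user=svc_backup_old src=10.20.7.90 result=failure
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.reason}: {a.src} {a.detail}")
```

Running the sample yields two alerts, both from 10.20.7.90: first the decoy SMB session, then the failed logon with the planted account on a real server. That second alert is the one that only the SIEM integration can produce, and because the honeytoken match does not depend on the logon result, a failed attempt is just as conclusive as a successful one. The allow-list is deliberately tiny: the more legitimate sources you exempt, the less the "any touch is an incident" property holds.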
Our collaboration with Galnaftogaz on a deception solution is an example of how new tools can benefit companies that have already established a SOC. During this collaboration, we identified the client's need for internal network protection and proposed a solution that addressed it. We advocate a personalized approach and strive to build trusting relationships with clients, which is why we are confident in suggesting new tools and approaches. In turn, clients trust us, so they are not afraid to experiment with our solutions and provide feedback for product improvement. This allowed us to address multiple requests at once with a single tool, offer a strong balance of price and quality, and add the features to the product that the client truly needed.