My guess? Someone not expecting to encounter it will probably be significantly hampered but someone else targeting that site specifically who knows about and expects (or can recognize) the system will just use some form of alternate topology mapping technique, much like a special ops team is trained in the use of IR-goggles if they expect to operate in the dark.
Security startup Cryptonite dropped out of stealth late last week with a micro-segmentation-based technology designed to prevent hacker reconnaissance and lateral movement. CryptoniteNXT, the firm's network appliance, sits between an organisation's perimeter firewall and internal networks, blocking malicious …
Monday 30th October 2017 13:09 GMT The Man Who Fell To Earth
Monday 30th October 2017 14:21 GMT Voland's right hand
Re: Only as secure
which effectively means the system has a back door, one would think.
Not really. All large networks have such a backdoor - it is called the NMS and/or the routers in complex networks. They have no choice but to know the topology. Attacking them in a protected network is usually non-trivial as there is little or no exposure surface. The NMS works out of bounds and the routers are configured to talk routing protos only between themselves.
This is no different from an NMS setup - proper topology is available only on the management interface which should not be inband (it should be out-of-band on a separate network). If you have managed to break in from the outside and all the way to the NMS the network is completely toast anyway. So this is not different from plenty of other setups. In fact, I have seen this before - isolating every single port on the network as a separate subnet and disallowing any discovery mechanisms out of it.
The first time I saw it was 15+ years ago - as an approach it showed up at the same time as 802.1q or shortly thereafter.
What was missing at the time was combining this with per-user policy. If we combine this with today's tech - namely 802.1x authentication + software control of the network you can easily combine per-user access policy and per-user policy driven isolation down to a port. Not difficult and not particularly revolutionary. The only "revolutionary" thing here is shrink-wrapping it as a software package and/or appliance.
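The setup described in this comment (every port its own isolated subnet, no discovery leaving it, and 802.1x identity driving a per-user reachability policy) can be modelled in a few lines. The following is an added illustration, not code from the commenter or from any vendor: the switch ports, user names, server addresses and port-to-identity table are all constructed, and the policy engine is a hypothetical simplification of what a switch or appliance would enforce.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample environment; none of these names or addresses are real.
SERVERS: Dict[str, IPv4Address] = {
    "mail": IPv4Address("10.0.1.10"),
    "crm": IPv4Address("10.0.2.20"),
    "fileshare": IPv4Address("10.0.3.30"),
}
MULTICAST = IPv4Network("224.0.0.0/4")
BROADCAST = IPv4Address("255.255.255.255")

# Outcome of 802.1x authentication: switch port -> identity.
# A port absent from this table is unauthenticated and gets nothing.
PORT_AUTH: Dict[str, str] = {"gi1/0/7": "alice", "gi1/0/8": "bob"}

# Per-user policy as (server, protocol, destination port) triples.
# Anything not listed is dropped; there is no "inside the LAN" default allow.
POLICY: Dict[str, FrozenSet[Tuple[str, str, int]]] = {
    "alice": frozenset({("mail", "tcp", 993), ("crm", "tcp", 443)}),
    "bob": frozenset({("mail", "tcp", 993), ("fileshare", "tcp", 445)}),
}


@dataclass(frozen=True)
class Flow:
    port: str                  # ingress switch port of the client
    dst: str                   # destination IPv4 address as text
    proto: str                 # "tcp", "udp" or "arp"
    dport: Optional[int] = None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Decide one flow: ("allow" | "deny", human-readable reason)."""
    user = PORT_AUTH.get(flow.port)
    if user is None:
        return "deny", "port not authenticated"
    # Each port is its own subnet: no ARP, broadcast or multicast
    # discovery is forwarded out of it, so there is nothing to enumerate.
    if flow.proto == "arp":
        return "deny", "discovery (arp) not forwarded"
    dst = IPv4Address(flow.dst)
    if dst == BROADCAST or dst in MULTICAST:
        return "deny", "discovery (broadcast/multicast) not forwarded"
    server = next((n for n, a in SERVERS.items() if a == dst), None)
    if server is None:
        return "deny", "destination is not a published server"
    if (server, flow.proto, flow.dport) not in POLICY.get(user, frozenset()):
        return "deny", f"{user} is not permitted {flow.proto}/{flow.dport} to {server}"
    return "allow", f"{user} -> {server} {flow.proto}/{flow.dport}"


def reachable_from(port: str, dports: List[int]) -> List[Tuple[str, int]]:
    """Policy audit: everything a client on `port` could reach if it tried
    every published server on the given TCP ports. The answer comes from
    the identity policy, not from the network topology."""
    hits: List[Tuple[str, int]] = []
    for name, addr in SERVERS.items():
        for dp in dports:
            if evaluate(Flow(port, str(addr), "tcp", dp))[0] == "allow":
                hits.append((name, dp))
    return hits


if __name__ == "__main__":
    for f in (Flow("gi1/0/7", "10.0.1.10", "tcp", 993),
              Flow("gi1/0/7", "10.0.3.30", "tcp", 445),
              Flow("gi1/0/9", "10.0.1.10", "tcp", 993),
              Flow("gi1/0/8", "10.0.1.255", "arp")):
        print(f, "->", evaluate(f))
    print("bob can reach:", reachable_from("gi1/0/8", [443, 445, 993]))
```

The useful property to check in a real deployment is the one `reachable_from` exercises: the set of services a port can reach should be a function of the authenticated identity alone, and an unauthenticated or unknown port should reach nothing, including discovery traffic.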
Monday 30th October 2017 13:33 GMT Aodhhan
Sometimes more devices don't mean more security.
So they're selling a device for people who don't know how to properly set up a defensive perimeter.
Sounds like it's just another house of mirrors for packets, which should already exist if you've correctly set up your perimeter and have your firewalls and proxies correctly configured. Using this device doesn't save you any money by removing multiple defenses already in place, and it doesn't provide any protection from malicious insiders, phishing attacks, etc.
Set up too many mirrors for packets, and somewhere... something is going to get misconfigured and allow something through. Or the product will shut some application down, so an exception will have to be made which will allow a hole for something to get through.
Keep it simple so it can be done correctly.
Monday 30th October 2017 14:11 GMT Anonymous Coward
Been there, done that
It gets quickly FAR too complex to manage. It reminds me of the secure Linux thing the NSA came up with, which got mostly sidelined because it just got in the way and thus messed up the cost/benefit ratio.
I wish them luck, but micro-granular control demands macro resources to control it. It depends on your business if that's worth it.
Monday 30th October 2017 19:27 GMT rapier2
pretty cool stuff
read the article. read the comments. don't usually read the register. I'm in cyber sec and handle a few standard cyber defense products. I'm not a professional penetration tester or anything like that.
I ran into moving target at the last Black Hat show when I traveled there from the U.K. to see what was up at the show. I did not like the software approach and the two moving target which I found there as any software module can be accessed and then hacked. the Cryptonite box is an appliance which isolates the code about 99.9999% from any clever network based attacker. yes, not 100%. but pretty good.
segmentation is pretty common and not working well since the biggest company in the space, Cisco, required that we replace all of our switches. no way. that's an impossible request. we have many small switches in racks in closets everywhere. not a chance. segmentation stops movement but not 100% since you need to get to a few servers or whatever you are specifically authorised. so I think it fits the definition of zero trust although I did have to google it to figure it out. stopping reconnaissance by mixing up the IPs and changing them randomly is pretty cool. almost all attacks, whether supported by packaged attacker malware tools or a hands on attacker, rely on figuring out IP addresses or knowing them. otherwise these attacks don't work.
I think this is a good technology. on paper, it looks very capable. i'm always cautious about new stuff and new vendors. if they announce a few high profile partners then it is worth perhaps a trial or test. we can all agree that basic perimeter and endpoint defense are too easy to hack. without some new technology everyone in the soc is sitting on their hands waiting to lose their jobs when we get hacked. the word is when. so I'm open to new ideas.
Monday 30th October 2017 19:27 GMT rapier2
i'm on a soc team and investigate new tech. I don't do anything fancy like penetration testing but I work on major cyber events and help administer product deployments.
looked at moving target over the past year. a few flakey vendors.
the comment about the software getting compromised is valid especially when a software only approach is used. the good thing about Cryptonite is that they have an appliance which almost keeps it as a fully closed system.
I like that it was packaged with segmentation. we like segmentation but we have not implemented it. Cisco had the stones to ask us to replace all of our existing switches. LMAO over that one. we have switches everywhere and in every closet. an appliance to do segmentation, using existing switches, as the Cryptonite website purports, is the way to go. btw, it is zero trust, but you limit each user by rule to a very finite number of servers they need to access. no looking up/down the network and wandering around.
the MTD is the cool part. if it works as advertised. basically scrambling and hiding IP addresses in the network eliminates the crappy part of how TCP/IP is designed. I'll wait to see if they get any credible partners or announcements. not running to the well right now. but worth watching. looks like a cool technology.
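Both of rapier2's posts lean on the idea that reconnaissance depends on learning stable IP addresses, and that a moving-target gateway which re-maps them per time epoch takes that away. The block below is an added toy model of that mechanism, written here to illustrate the comments; it is not Cryptonite's code and makes no claim about how their appliance actually works. The host list, apparent address pool, secret key and the hypothetical `check_packet` gateway decision are all constructed; a real gateway would derive the epoch from a synchronised clock rather than take it as a parameter.

```python
import hashlib
import hmac
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed example: three stable internal hosts behind a hypothetical
# address-hopping gateway. Names, addresses and the key are made up.
REAL_HOSTS: List[IPv4Address] = [
    IPv4Address("192.168.50.10"),   # mail
    IPv4Address("192.168.50.20"),   # crm
    IPv4Address("192.168.50.30"),   # fileshare
]
APPARENT_POOL = IPv4Network("10.200.0.0/16")   # what clients ever see
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
USABLE = APPARENT_POOL.num_addresses - 2       # skip network and broadcast


def _slot(real: IPv4Address, epoch: int) -> int:
    """Keyed pseudo-random slot (1..USABLE) for one host in one epoch.
    Without the key an observer cannot predict next epoch's addresses."""
    msg = epoch.to_bytes(8, "big") + real.packed
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % USABLE + 1


def mapping_for_epoch(epoch: int) -> Dict[IPv4Address, IPv4Address]:
    """real -> apparent address for one epoch. Linear probing in a fixed
    host order resolves slot collisions, so the map is a bijection."""
    used = set()
    out: Dict[IPv4Address, IPv4Address] = {}
    for real in REAL_HOSTS:
        idx = _slot(real, epoch)
        while idx in used:
            idx = idx + 1 if idx < USABLE else 1
        used.add(idx)
        out[real] = APPARENT_POOL[idx]
    return out


def apparent_for(real: IPv4Address, epoch: int) -> IPv4Address:
    """What an authorised client is told to use for `real` this epoch."""
    return mapping_for_epoch(epoch)[real]


def resolve(apparent: IPv4Address, epoch: int) -> Optional[IPv4Address]:
    """Gateway-side inverse lookup; None if nothing lives there this epoch."""
    inverse = {a: r for r, a in mapping_for_epoch(epoch).items()}
    return inverse.get(apparent)


def check_packet(dst_apparent: IPv4Address, epoch: int) -> Tuple[str, str]:
    """Hypothetical gateway decision for an inbound packet. A destination
    that is not in the current mapping is either an address learned in an
    earlier epoch or a blind guess; either way it is a reconnaissance
    indicator worth alerting on, not just a silent drop."""
    real = resolve(dst_apparent, epoch)
    if real is None:
        return "alert", f"no host at {dst_apparent} in epoch {epoch}"
    return "forward", str(real)


def observable_addresses(epoch: int) -> List[IPv4Address]:
    """Everything a sweep of the pool would see during one epoch: only the
    apparent addresses, never the stable ones, and only until the epoch ends."""
    return sorted(mapping_for_epoch(epoch).values())


if __name__ == "__main__":
    seen_in_epoch_0 = observable_addresses(0)
    print("epoch 0 apparent addresses:", [str(a) for a in seen_in_epoch_0])
    for addr in seen_in_epoch_0:
        print("epoch 1 treatment of", addr, "->", check_packet(addr, 1))
    print("authorised client in epoch 1 uses:",
          apparent_for(REAL_HOSTS[0], 1), "->", check_packet(apparent_for(REAL_HOSTS[0], 1), 1))
```

The defender-relevant point the model makes concrete is the last branch of `check_packet`: once addresses rotate, traffic to an address that is no longer (or never was) assigned is a high-signal event, which is exactly the kind of thing a SOC wants feeding an alert rather than disappearing into a firewall deny counter.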
Monday 30th October 2017 22:32 GMT Anonymous Coward
Looks like they've got a paid spammer on the case already
Three posts in a row praising it from someone who joined today. No, that's not suspicious at all!
If they thought these obviously fake posts would fool anyone at the Reg, I see no reason to believe their product is anything but worthless.
Tuesday 31st October 2017 04:26 GMT amanfromMars 1
Tuesday 31st October 2017 13:18 GMT Anonymous Coward
Re: Looks like they've got a paid spammer on the case already
Could be, but they don't even invest in a decent quality spammer to keep up the illusion. Heck, judging by the post they couldn't even be bothered to hire someone who understands paragraphs.
Using capitals appears to be his kryptonite :)