Throughout history, deception has been a key strategy in military operations and is now being applied in a cybersecurity context to not only outmanoeuvre attackers but also gain valuable information on their methods and targets. Carolyn Crandall, Chief Deception Officer at Attivo Networks, talks to us about how deception technology can help enterprises even the playing field of cyberwarfare with a proactive approach to security.
Cybersecurity is an extremely fast-moving field, with new discoveries on both the offensive and defensive sides constantly changing the rules of the game. One constant, however, is the use of deception.
Most attacks begin with the use of deceptive techniques to acquire key information or gain a foothold in the target’s network. Social engineering methods such as phishing emails are the weapon of choice for tricking victims into sharing their login credentials or downloading malware. Aside from fooling human users, the attacker will also need to deceive the network itself, and its protectors, into accepting them as a legitimate user once they have found a way in.
The use of deception as a technique to overcome one’s adversary is not new and has been an important tactic in winning physical conflicts since ancient times. The use of false information, feints and decoys has often provided an army with a powerful opportunity to outmanoeuvre and overpower the opposing force. Examples in modern conflicts include the use of fake tank battalions and facades of entire villages during World War II.
A one-sided conflict
While deception in physical conflict has often been an equal opportunity affair, in cyberwarfare the strategy has traditionally only been used by the attacking side. Cybercriminals have a serious advantage over their targets as they are able to hide in plain sight and take their time researching and planning their attack. In this way, organisations are tricked into believing what is fake is real, not only in phishing expeditions but also when attackers masquerade as legitimate employees. Meanwhile, organisations are reliant on reactive security controls that postpone any response until after the attack is already in motion, which is often too late to prevent attackers from leaving backdoors that facilitate an easy return.
Threat actors start with an upper hand since they control the time to plan and initiate their attacks. The victims must then respond instantly to defend themselves, often with minimal knowledge of what they are facing. However, by taking a page out of a cybercriminal’s handbook, organisations do not have to be stuck in the role of a passive target. Many of the same techniques routinely used in cyberattacks can be reversed to trick adversaries into not only revealing their presence, but also giving away their secrets.
Fighting deception with deception
Much like the use of deceptive manoeuvres and decoy targets throughout military history, organisations can create a deception fabric to confuse and fool attackers into making mistakes. When decoys are well constructed, the adversary will have an extremely difficult and time-consuming job trying to decipher real from fake. This not only efficiently diverts them away from the real target, but will also cause them to play their hand, revealing clues about their intent and identity.
There are a number of key factors that will determine a decoy network’s ability to reliably trick and disrupt adversaries. The first step is to make it an attractive target which gives every sign of being genuine. It needs to mirror-match the production environment, running the same operating systems and services, and demonstrating the same network characteristics. Additionally, it also needs to encompass all attack surfaces such as user networks, endpoints, cloud, infrastructure, IoT and ICS-SCADA, among others.
Alongside this, the deceptive solution must also be easy for the organisation to deploy and operate, with a high degree of automation. Value will also be found in high-fidelity, engagement-based alerts that security teams can respond to efficiently. Collectively, these innovations keep operational overhead to a minimum, even at scale.
The principle of decoy networks has previously been seen in the form of honeypots. However, given their operational complexity, their use is primarily for research. These are typically placed outside of the real network to discover who is targeting the organisation and for intelligence on attacker techniques. Honeypots were not designed for the detection of sophisticated attackers or for scalability, which dramatically limited their deployment and usefulness.
The development of modern, commercial-grade deception technology emphasises scalability, authenticity and a high degree of automation, enabling it to be easily deployed and operated across everything from user networks to cloud data centres to specialised operational technology environments.
Falling into the trap
Older honeypots do not hold up to close inspection and are generally only effective at gathering intelligence on low-level attackers, particularly those using automated bots to scan for potential targets. Newer deception technology platforms take deception further by incorporating deceptive credentials, mapped drives and other lures placed on endpoint devices to entice the attacker into taking the bait and revealing themselves.
The presence of deception networks and endpoint lures makes it far more difficult for an attacker to navigate the network, as they are unable to tell the difference between real assets and elaborate fakes. Even the simplest error can land them in a decoy network and force the restart of their attack.
This provides an extremely effective and useful additional layer of defence against intruders who have managed to infiltrate the network. Every second counts during a cyberattack and the maze of traps and false starts will cause the intruder to waste precious time and impact the economics of their attack.
A full distributed deception platform offers much more than a confusing house of mirrors to detect attackers early. It also reduces the attack surface by providing visibility into attack paths and exposures that could be exploited to advance an attack. The security team can now predict the paths an attacker will take, actively shut these down and obfuscate attack surfaces to dramatically reduce the chances of the adversary’s success. More opportunistic attackers will often cut their losses in the face of such resistance and give up, seeking out lower-hanging fruit instead.
Knowledge is power
More persistent attackers may continue their attack but will face even tougher challenges as their actions now give away useful intelligence to the defenders. One of the most powerful capabilities of high-interaction deception technology is its ability to reveal the methods and tactics of cybercriminals, providing the opportunity to closely observe attacker activity without risking the organisation’s real network infrastructure and assets.
Engagement-based alerts are substantiated, giving defenders the information to decisively shut down an active attack. By tracking lateral movement, revealing tactics, techniques and procedures (TTPs), and gathering indicators of compromise (IoCs), security teams can confidently eradicate threats and prepare proactive defences against future threats.
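As an added illustration of why engagement-based alerts on decoy credentials are high-fidelity (this is example code, not from the article or from Attivo Networks): a small Python monitor reads constructed logon records, flags any use of seeded decoy accounts, and groups the attempts per source address so the lateral movement path and timing are visible. The account names, host names and key=value log format are assumptions.

```python
import re
from datetime import datetime

# Hypothetical decoy accounts seeded as lures (constructed names; a real list is kept secret).
DECOY_ACCOUNTS = {"svc_backup_adm", "fileshare_ro"}

# Constructed sample logon records in a syslog-like key=value format (not from any real system).
SAMPLE_LOG = """\
2024-03-05T09:12:01Z host=ws-041 event=logon user=alice result=success src=10.0.4.17
2024-03-05T09:12:44Z host=ws-041 event=logon user=bob result=failure src=10.0.4.17
2024-03-05T09:13:10Z host=fs-02 event=logon user=svc_backup_adm result=failure src=10.0.4.17
2024-03-05T09:13:12Z host=fs-02 event=logon user=svc_backup_adm result=success src=10.0.4.17
2024-03-05T09:15:30Z host=db-01 event=logon user=fileshare_ro result=failure src=10.0.4.17
2024-03-05T09:20:00Z host=ws-077 event=logon user=carol result=success src=10.0.7.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=logon user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse_log(text):
    """Parse logon records; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
            events.append(d)
    return events

def decoy_alerts(events, decoys=DECOY_ACCOUNTS):
    """Group decoy-credential use by source address.
    Every attempt, successful or not, is actionable: no legitimate process ever uses these accounts.
    Returns {src: {"targets": [hosts in order seen], "first_seen", "last_seen", "success"}}."""
    alerts = {}
    for e in events:
        if e["user"] not in decoys:
            continue
        a = alerts.setdefault(e["src"], {"targets": [], "first_seen": e["ts"],
                                         "last_seen": e["ts"], "success": False})
        if e["host"] not in a["targets"]:
            a["targets"].append(e["host"])  # order of hosts touched = lateral movement path
        a["first_seen"] = min(a["first_seen"], e["ts"])
        a["last_seen"] = max(a["last_seen"], e["ts"])
        a["success"] = a["success"] or e["result"] == "success"
    return alerts

if __name__ == "__main__":
    for src, a in decoy_alerts(parse_log(SAMPLE_LOG)).items():
        span = a["last_seen"] - a["first_seen"]
        print(f"ALERT src={src} decoy_targets={a['targets']} span={span} success={a['success']}")
```

Failed attempts against decoy accounts are reported alongside successful ones, because the first probe of a lure is usually the earliest signal that an intruder is already inside.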
Turning a cybercriminal’s own deceptive techniques against them with realistic decoy environments and assets provides a unique and powerful opportunity for organisations to shift power away from the attackers. Would-be intruders will find themselves lost in a confusing maze of false assets, while the defenders gain the upper hand with valuable insights for building a pre-emptive defence and for fortifying their prevention controls.