Dealing with cyberattacks on a daily basis has become the reality for businesses today. However, few organisations take a proactive response. Instead, they are left to deal with the fallout after an attack happens and the financial and reputational damage to their business has already occurred.
TechRadar Pro spoke with Attivo Networks’ Chief Deception Officer Carolyn Crandall who suggests that businesses adopt the long established military technique of ‘deception’ to help them gain an edge over cybercriminals.
1. Deception has been long been used in the act of war: how can this now be used in the cyber security industry?
Deception has been used in war, law, sports, and gambling for millennia to create uncertainty and confusion in the adversary’s mind, which will delay and manipulate their efforts, and will influence and misdirect their perceptions and decision processes.
Military deception by definition “is intended to deter hostile actions, increase the success of friendly defensive actions, or to improve the success of any potential friendly offensive action.”
Cyber deception aligns with this definition and is based on planned, deliberate, and controlled actions designed to obfuscate the network. In turn, this influences the attacker to make a mistake, spend more time distinguishing real from fake, and makes the economics of the attack undesirable, thereby forcing the attacker to take actions that are beneficial to the defender’s security posture.
Cyber deception works by creating decoys that appear as production assets and are designed to be attractive to the adversary. This is paired with deception bait or lures that display as enticing credentials, applications, or data and will lead the attacker into engaging with the deception environment. The use of deception efficiently leads the attacker through the network, revealing motives, techniques, and intentions, which can be used for collecting adversary intelligence, generating actionable alerts, and accelerating incident response.
As with physical warfare, by using deceptive techniques, a cyber defender can mislead and/or confuse attackers, thus enhancing their defensive capabilities over time. The ability to deceive, direct, and guide the adversary away from critical assets, denies the attacker the ability to achieve his goals and reveals how he is able to move through the network. It also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over.
2. How does deception differ to the traditional honeypot?
One of my favourite questions, “Why isn’t this just a honeypot?”. It’s really like comparing a horse and buggy to a Tesla. Honeypots were originally designed for research, and a decoy was placed outside the network to determine who was attacking the organisation. It was not designed to scale and was highly inefficient to operate.
Commercial-deception technology is designed for in-network threat detection and is able to detect threats from all vectors and across all attack surfaces.
To achieve this, deception must pass 3 major hurdles. First, to be attractive and believable; second, to scale to cover all attack surfaces; and third, to be easy to operate. To be attractive and believable, deception must appear identical to the production environment, running the same operating systems and services.
Earlier honeypot technology was emulated, and it did not take an attacker long to figure out how to identify and avoid them. Comprehensive deception technology platforms support virtually unlimited scalability across everything from user networks to cloud datacenters to unique IoT or ICS deployments. It is also important to be able to plant lures on the endpoint to entice and redirect attackers into the deception environment. Honeypots lack this functionality. The last material difference is in the preparation, deployment, and operations of deception.
Machine-learning now completely automates this process in an hour versus honeypots that need to be manually set up and rebuilt after an attack. The intuitive nature of deception makes it very simple to manage whereas a honeypot required highly skilled resources. The latest approaches to deception also provide automated attack analysis, automations for incident response, as well as visibility tools for attack paths, network device changes, and attack time-lapsed replay. These features simply don’t exist in honeypots.
3. How can deception techniques enable organisations to gain the upper hand against cyber attackers?
Most traditional security controls and technologies are designed to create a boundary around computer systems and are solely focused on trying to stop illicit access attempts at the perimeter. These “walls” are constantly pummeled by automated exploitation tools and attackers will continuously conduct reconnaissance on computers or conduct phishing campaigns until they find a vulnerability to infiltrate the network unstopped and undetected.
Unfortunately, throughout the process of stopping the attack, system defenders will typically learn very little - or nothing at all - about the intruders’ targets or motivations during this process. The desire to immediately deflect an attack, sadly, also comes at a price. One that can inadvertently make the task of defending a computer system harder, but the adversary stronger after every unsuccessful attack.
Deception technology changes the asymmetry of an attack by preparing an organisation regardless of the type of cyberattack, providing early detection regardless of attack surface, collecting information on the origin of the attack, tools, techniques, and motivation, along with providing attack analysis that empowers the defender to act decisively, automate response, and build proactive defences.
The organisation will also benefit from high-fidelity alerts that are actionable and automations for understanding an attack, information sharing, and responding to incidents.
4. How does a cyber deception plan add value to risk management ?
The value of having a cyber deception plan is multi-fold and can add value in both IT asset risk management and in digital risk management:
1. Early and accurate detection of threats that have bypassed perimeter defences. This includes early reconnaissance, lateral movement, and often hard-to-detect credential theft.
2. Insight into the reliability of the defender’s security posture and how an attacker is able to breach defences. This will provide a more complete view of your network’s strengths and weaknesses and identify the areas where the adversary will most likely try to gain access.
3. Awareness of risks and business functions likely to be attacked. Properly planning, designing, and implementing a deception campaign can identify previously unknown and potentially vulnerable assets along with the paths an attacker could utilise to move through an environment.
4. The ability to deceive, direct, and guide the adversary away from critical assets, denying the perpetrator of his goals and revealing how he wants to move through the network. This power to mislead and/or confuse attackers without their knowledge can then be applied to strengthen overall defensive capabilities.
5. Mitigation of increased security risk models associated with the use of new technologies such as IoT or cloud, which may be needed for competitive business offerings and services.
6. Collection of adversary intelligence that can be applied decisively to stop an attack, threat hunt, and eradicate a threat. Then, an organisation can set up deceptions and traps to mitigate the risk of return.
7. Proof during pen testing or for ongoing vulnerability assessment of security program resiliency or risks associated with insiders and supply chain.
8. Deception also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over or abandon their efforts completely. Increasing the complexity of an attack can be a strong deterrent and result in the reduced likelihood of being a primary target for attack.
5. Advanced threats are proven to bypass perimeter defences so how can deception benefit an organisation once breached?
Many will argue that cyberwarfare has now moved inside the network and that there is no realistic way to keep attackers completely out. Deception technology is built for an active defence that detects in-network attackers early and accurately, and which provides the root cause analysis required to understand where an attacker started, their tools, techniques, methods, and motivation.
Benefits include the ability to change the asymmetry of an attack and force the attacker to be right 100% of the time or reveal their presence.
It provides the defenders with offensive strategies designed to detect a threat early and accurately regardless of attack vector or surface, and the adversary intelligence required to quickly stop an attack and fortify defences.
The very nature of deception technology gives the organisations a number of advantages: they are forced to waste time and resources and are directed by the defenders to a particular pattern of behaviour. It also causes the adversary to reveal their own weaknesses and methods; this creates an active loop through which defenders can improve their own defences.
6. What can deception techniques help us to understand more about the cybercriminals’ activities?
Unlike other security controls that are designed to simply stop an attack, deception technology provides a high interaction deceptive environment where the attacker’s activities can be studied for threat intelligence and information on tools, techniques, targets, and how the threat moves through the network. Credential and application deceptions will also offer insight into attempted theft and reuse of legitimate credentials. Functionality to safely communicate with Command and Control will also offer valuable insight into polymorphic or time-triggered activity and will improve a defender’s ability to eradicate threats and prevent their return. Advanced features like decoy documents are also useful in understanding the attacker’s target and providing geo-location information.
7. How do you see deception technology advancing in the future?
Given its accuracy and efficacy, deception is becoming a de facto detection control within the security stack. Many organisations are specifically budgeting for deception projects for 2019 and I expect this will continue to fuel the rapid trend of adoption. Additionally, over the next two years, the deception technology market is estimated to grow 684% according to the Cybersecurity Imperative report.
Deception technology has matured immensely over the last few years and now has globally proven technology for network, endpoint, application, and data deceptions across a wide range of attack surfaces including data centres, cloud, user networks, remote offices, IoT, ICS, POS, and infrastructure. Additionally, comprehensive deception platforms facilitate the collection of adversary intelligence, and through native integrations, automate incident response. The use of machine-learning has also removed deployment and operational complexity, making deception suitable for both large and smaller organisations. Managed service offerings will also be more widely available to support midmarket and smaller business needs. It is important to note that there are very substantial capability differences amongst deception providers. It is critical to do the research to make sure the solution will meet the business’s current and future requirements.
Carolyn Crandall, Chief Deception Officer at Attivo Networks
- We've also highlighted the best antivirus