How to use deception to gain the advantage over cyber-attackers
30 April 2019
Tricking the trickster? Carolyn Crandall, Chief Deception Officer at Attivo Networks, shows us how to turn the attackers' techniques against them.
Deception plays an essential role in any game of strategy, providing an opportunity to trick the opponent into exposing their weaknesses and leaving themselves vulnerable. Given its successes, the application of deceptive techniques has been a mainstay of military tactics, sports playbooks, and gambling for millennia.
From tricking a unit of horsemen into overextending their charge to diverting a bomber squadron away from genuine targets, well-placed decoys have delivered powerful results in both offence and defence. Decoys, when paired with lures, can be indispensable in fooling an adversary into engaging or in misdirecting and slowing down their efforts.
When it comes to cyber security, deception has historically been exclusively the domain of the attacker. Almost every cyber-attack involves deceptive techniques to some degree, typically via social engineering tactics designed to trick a target into sharing their login credentials or downloading malware.
Attackers will also hide in plain sight, masked as actual users, to avoid detection.
Deception has placed the advantage with the attackers, as they have the luxury of taking their time researching targets and preparing their tactics.
The defenders, meanwhile, are forced to be reactive, under intense time pressure to perform and to deflect the attack quickly. In the rush to protect, information about the attackers, their entry points, tools, and techniques is typically lost, leaving defenders uninformed and unprepared to eradicate a threat, let alone to mitigate the risk of the attackers' return.
However, organisations can use their own deception playbook to level the playing field and trick cybercriminals into revealing vital information that can be used to detect and thwart their attacks.
Turning the tables
Defensive cyber deception is, in many ways, analogous to the techniques commonly used by attackers. While cybercriminals usually trick their target by impersonating a known and trusted contact, defensive deception tricks the attacker by impersonating expected assets and enticing them into believing these fakes are actually real.
Creating a deception decoy fabric throughout a network delivers several security benefits. Most obviously, the threat actor will reveal their presence and will waste their time and resources while attempting to infiltrate the decoys and lures.
Even when an attacker realises they have fallen prey to deception, there are still lasting benefits for the defender. Adversaries will have to start over, slow their attack as they must now do more research, assess whether the economics still make sense, or choose to abandon the attack altogether and seek out softer targets.
The true value of a deceptive environment starts with the detection but is also realised in the high fidelity of its alerts: no legitimate user or process has any reason to touch a decoy, so every action taken by an adversary searching around the deceptive environment is a signal, and each one reveals intelligence on their Tactics, Techniques, and Procedures (TTPs).
Observing the attacker’s activity will also inform the security team about their intentions and targets. Collectively, this intelligence equips the security team to respond faster and more decisively, and to be able to use this information to fortify their defences instantly.
Cybercriminals usually take pains to mask their techniques and cover up evidence of their activity, making in-network detection challenging. Deception insights provide a powerful advantage by gathering and correlating information that is typically difficult to come by.
Not only will this intelligence help deal with the attacker at hand, but it will also empower the security team to prepare for and guard against future attacks. With this gained adversary intelligence, pre-emptive decoys can also be placed strategically within the likely attack paths and around targets of interest.
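The high-fidelity alerting and TTP collection described above, as an added example that is not code from the original article or from Attivo Networks: it triages a constructed authentication log against an assumed decoy inventory (a decoy file server and a planted breadcrumb credential), raising an alert on any contact with a decoy and building a per-source profile of the services and accounts tried and the production assets reached afterwards.

```python
import re

# Constructed sample authentication log (syslog-like), not real data.
SAMPLE_LOG = """\
2019-04-30T08:01:12 auth src=10.0.5.14 user=jsmith host=fs-prod-01 svc=smb result=ok
2019-04-30T08:05:02 auth src=10.0.9.77 user=svc_backup host=fs-prod-02 svc=smb result=fail
2019-04-30T08:05:09 auth src=10.0.9.77 user=svc_backup host=fs-prod-02 svc=rdp result=fail
2019-04-30T08:06:30 auth src=10.0.9.77 user=jsmith host=fs-prod-02 svc=rdp result=fail
2019-04-30T08:07:15 auth src=10.0.9.77 user=jsmith host=db-prod-02 svc=ssh result=ok
"""

# Assumed decoy inventory: a decoy file server that mirrors production naming,
# and a planted (breadcrumb) credential that no real workflow ever uses.
DECOY_HOSTS = {"fs-prod-02"}
DECOY_ACCOUNTS = {"svc_backup"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) svc=(?P<svc>\S+) result=(?P<result>\S+)"
)

def parse(log_text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text, decoy_hosts=DECOY_HOSTS, decoy_accounts=DECOY_ACCOUNTS):
    """Return (alerts, profiles). Any touch of a decoy is an alert, success or
    failure alike; profiles record each flagged source's observed TTPs and the
    production assets it reached after its first contact with a decoy."""
    alerts, profiles = [], {}
    for ev in parse(log_text):
        reasons = []
        if ev["host"] in decoy_hosts:
            reasons.append("decoy host")
        if ev["user"] in decoy_accounts:
            reasons.append("decoy credential")
        src = ev["src"]
        if reasons:
            alerts.append({**ev, "reasons": reasons})
            p = profiles.setdefault(src, {"first_seen": ev["ts"], "decoys": [],
                                          "services": [], "accounts": [], "follow_on": []})
            for key, val in (("decoys", ev["host"]), ("services", ev["svc"]), ("accounts", ev["user"])):
                if val not in p[key]:
                    p[key].append(val)
        elif src in profiles:
            # Same source later reaching a production asset: its real target.
            profiles[src]["follow_on"].append((ev["ts"], ev["host"], ev["svc"]))
    return alerts, profiles
```

Because ordinary users never authenticate to a decoy, the first source touching it is flagged on a single event, failed or not, and the profile shows the responder which accounts the adversary already holds and where they went next.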
One common tactic for taking care of the "look" part of the test, making a decoy look like the real thing, is to use one or more virtual machines (VMs) to emulate the environment. However, while this will create the appearance of a real network, it is only a shell and cannot be properly interacted with. Once attackers try to progress their attack, they will quickly realise they have been duped.
For the deception environment to be truly effective, it needs to not only look like the real thing but behave like it too so that advanced attackers continue engaging with the deceptive environment while the security team responds to the threat and fortifies defences.
Tricking the trickster
In order to succeed, there are key criteria for creating believable decoys that will deceive an attacker.
First of all, the decoys need to be attractive targets that match the real network's environment, including network attributes, operating systems, application software, services and credential identities. They should also be populated with current or recent expected content, including breadcrumb information, configuration, and administrative data, as well as data files visible to any user accessing the system from the network.
While it can be useful to lure in adversaries with a “poorly secured” decoy, access parameters such as identification, authentication and authorisation should match the production assets to be convincing. An attacker will avoid an obviously vulnerable system but will engage with a system that has vulnerabilities that appear consistent with the environment.
Finally, decoys should replicate the expected behaviour of real systems, including a high level of interaction and continued responsiveness to new commands and instructions. Likewise, the level of performance should reflect the original, as slow response times and non-functional services, such as a remote desktop service that does not actually allow remote control, can reveal the deception.
When a decoy appears as a mirror-match to the production assets, the attackers will not be able to tell the difference without investigating. By the time they realise the tables have been turned, they will not only have wasted their time but revealed many of their closest kept secrets to the security team behind the scenes.
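The believability criteria above (matching OS, services and credential naming, fresh content, full interaction, and production-like performance) turned into a pre-deployment check, as an added example that is not code from the original article or from Attivo Networks. The baseline, the decoy definitions and the thresholds (twice the production median latency, 30-day content age) are constructed assumptions.

```python
import re
from datetime import date

# Constructed production baseline for one subnet: what a decoy must blend into.
BASELINE = {
    "os_versions": {"Windows Server 2016", "Windows Server 2019"},
    "services": {"smb", "rdp", "winrm"},
    "hostname_pattern": r"^fs-prod-\d{2}$",
    "account_pattern": r"^svc_[a-z]+$",
    "median_latency_ms": 3.0,
    "content_max_age_days": 30,
}

def assess_decoy(decoy, baseline=BASELINE, today=date(2019, 4, 30)):
    """Return believability findings; an empty list means the decoy blends in."""
    findings = []
    if decoy["os_version"] not in baseline["os_versions"]:
        findings.append(f"OS '{decoy['os_version']}' not seen on production peers")
    if not re.match(baseline["hostname_pattern"], decoy["hostname"]):
        findings.append(f"hostname '{decoy['hostname']}' breaks naming convention")
    extra = set(decoy["services"]) - baseline["services"]   # obvious bait
    if extra:
        findings.append(f"services {sorted(extra)} never seen on production peers")
    missing = baseline["services"] - set(decoy["services"])
    if missing:
        findings.append(f"expected services {sorted(missing)} absent")
    for svc, interactive in decoy["services"].items():   # name -> fully usable?
        if not interactive:
            findings.append(f"service '{svc}' does not support full interaction")
    if decoy["latency_ms"] > 2 * baseline["median_latency_ms"]:
        findings.append(f"response time {decoy['latency_ms']}ms far above production")
    for acct in decoy["accounts"]:
        if not re.match(baseline["account_pattern"], acct):
            findings.append(f"account '{acct}' breaks naming convention")
    age = (today - decoy["content_last_modified"]).days
    if age > baseline["content_max_age_days"]:
        findings.append(f"content last modified {age} days ago; looks stale")
    return findings

# Constructed decoys: one hastily built, one mirroring the production profile.
WEAK_DECOY = {"os_version": "Windows Server 2008", "hostname": "honeypot-1",
              "services": {"smb": True, "telnet": True, "rdp": False},
              "latency_ms": 40.0, "accounts": ["admin", "svc_backup"],
              "content_last_modified": date(2018, 1, 15)}
GOOD_DECOY = {"os_version": "Windows Server 2016", "hostname": "fs-prod-02",
              "services": {"smb": True, "rdp": True, "winrm": True},
              "latency_ms": 3.5, "accounts": ["svc_backup", "svc_reports"],
              "content_last_modified": date(2019, 4, 22)}
```

Each finding corresponds to one of the tells in the text; a decoy that passes every check still only "looks" right, so the interaction flags stand in for a live test of the services themselves.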