3 February 2019

How deception changes the rules of engagement in cyber security


Carolyn Crandall, Chief Deception Officer at Attivo Networks, explores how deception techniques can provide not only early detection of malicious activity but also an invaluable insight into an attacker’s methods

Throughout history, deception has been one of the classic strategies underpinning offensive and defensive tactics in military warfare. Camouflage, concealment, and fake information, such as false propaganda or physical decoys, have been used to mislead, confuse, and slow down enemy forces to gain a strategic advantage. It’s one of the classic philosophies from Sun Tzu’s The Art of War: “Rouse him, and learn the principle of his activity or inactivity. Force him to reveal himself, so as to find out his vulnerable spots.”


Strategies derived from kinetic warfare are now being successfully applied by cyber security teams to outwit and out-manoeuvre attackers. Applying deception techniques to misdirect and ultimately derail cyber attackers is now not only changing the rules of engagement between cyber attackers and cyber defenders, but also providing a rich source of intelligence on the intruder’s targets, methods, and motivation. This can, in turn, help organisations strengthen their defences and mitigate the risk of the attacker returning. Now that most organisations are continuously under attack from human and automated attackers, deception provides a way for organisations to mislead and confuse their adversary, and stay ahead of cyber incidents, instead of feeling like they’re always one step behind.

Changing the asymmetry of an attack

In the cat and mouse game between IT security teams and cyber attackers, it is the attackers who have typically had the upper hand. Once they have bypassed perimeter defences to breach a network, they can lie in wait undetected for weeks, months, or even years to conduct reconnaissance and gain valuable insights on how to bypass defences and gain access to the targets they are seeking. Organisations can, and should, take all measures appropriate to prevent an attack but, given the attackers’ scale, sophistication, and determination, it’s virtually impossible to defeat all the attackers, all the time. The attackers have the advantage of deciding when, where, and whom to target, and have the luxury of making multiple mistakes while still achieving their goals.

Creating an active defence against the adversary is no longer reserved for organisations that have in-depth resources or mature, sophisticated information security programs.

Deception technology re-writes the playbook and uses the most beloved game of deception against the deceivers themselves.

It gives the defenders something that they have never previously had: a real strategic advantage and the ability to change the symmetry against their adversary. In this way, it’s also changing the way that security teams engage with, respond to, and force attackers to reveal their modus operandi.

Cyber deception works through decoys that appear to be real production assets and are attractive to an adversary. This is coupled with deception baits or lures that appear to be real and attractive to the cybercriminal – such as data, applications or credentials – which will then redirect them into the deception environment. Believability and coverage are fundamental to deception, and the more authentic systems are designed to appear identical to the production environment, running the same operating systems and services. Deception ultimately leaves the attacker unable to tell what is real from what is fake and, through either the element of surprise or enticement, tricks the threat actor into revealing their presence.

The new generation of deception technology is a world away from the traditional ‘honeypots’, the earliest form of decoy systems used to bait attackers.

These latest approaches offer a more sophisticated, efficient, and scalable solution which provides a host of intelligence and automated features to detect and efficiently respond to threats from all vectors and across all attack surfaces.

This has multiple benefits – directing the adversary away from the critical assets, revealing their presence and forcing them to waste time on an ultimately fruitless endeavour as they are forced to start over or seek a different target. Making life more difficult for the attacker also serves as a significant deterrent as they are forced to waste valuable time and resources.

One of the most important advantages of threat deception is that it provides early detection of in-network attacks from all attack vectors, a critical factor in preventing an attacker from gaining any foothold in the network. The longer they are in the network, the more damage they can do and the harder it is to eradicate them. It’s the cyber equivalent of cutting them off at the pass.

Active defence and rich intelligence

While there’s a clear value in early detection, deception technology also fulfils one of the most important strategic objectives in any battle – that of understanding your adversary. While organisations can automatically stop and deflect an incident after a detection alert, there are benefits to letting the attack play out in a safe deceptive environment. If you simply stop the attacker, you won’t learn anything to better defend against them. Conversely, they will learn a little more about you each time they launch an attack.

Unlike any other form of cyber defence, luring in-network attackers into the deception environment provides a means to safely engage with them and insights into where they started, how they are attacking, and their intended targets. Once the attacker is engaged within the deception environment, an alert is raised, which gives the organisation the opportunity to block the attack but still be able to study their movements and methods in a controlled environment. The system can track lateral movement, reveal tactics, techniques, and procedures (TTPs), and gather indicators of compromise. The system will also collect forensic information from an active attack, which is often lost in other detection methods. The attacker is, unwittingly, revealing their hand.
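The detection logic behind lures and decoys can be sketched in a few lines. The following is an added example, not code from the article or from any vendor's product; the account names, addresses and key=value log format are constructed assumptions. It shows why a decoy alert needs no threshold, and how the alerts already outline where the activity started and what it reached.

```python
import re
from collections import defaultdict

# Constructed inventory (hypothetical names): nothing legitimate ever uses these.
DECOY_USERS = {"svc_backup_adm", "sql_report_ro"}   # lure credentials planted on endpoints
DECOY_HOSTS = {"10.0.9.50", "10.0.9.51"}            # decoy servers

# Constructed sample authentication log; the key=value layout is an assumption.
SAMPLE_LOG = """\
2019-02-01T09:58:02Z src=10.0.4.17 dst=10.0.2.10 user=jsmith result=success
2019-02-01T10:02:11Z src=10.0.4.23 dst=10.0.2.10 user=svc_backup_adm result=fail
2019-02-01T10:02:40Z src=10.0.4.23 dst=10.0.9.50 user=svc_backup_adm result=success
garbled line without fields
2019-02-01T10:05:19Z src=10.0.4.23 dst=10.0.9.51 user=administrator result=fail
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) user=(\S+) result=(\w+)$")
FIELDS = ("ts", "src", "dst", "user", "result")

def find_deception_hits(log_text, decoy_users=DECOY_USERS, decoy_hosts=DECOY_HOSTS):
    """Return one alert per event that touches a lure credential or a decoy host."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of guessing
        ev = dict(zip(FIELDS, m.groups()))
        reasons = []
        if ev["user"] in decoy_users:
            reasons.append("lure-credential")
        if ev["dst"] in decoy_hosts:
            reasons.append("decoy-host")
        if reasons:  # no threshold: a single touch is enough, success or failure
            alerts.append({**ev, "reasons": reasons})
    return alerts

def summarise_by_source(alerts):
    """Group alerts by source to show where activity started and what it reached."""
    out = defaultdict(lambda: {"first_seen": None, "targets": [], "reasons": set()})
    for a in alerts:
        s = out[a["src"]]
        s["first_seen"] = min(filter(None, [s["first_seen"], a["ts"]]))
        if a["dst"] not in s["targets"]:
            s["targets"].append(a["dst"])
        s["reasons"].update(a["reasons"])
    return dict(out)

if __name__ == "__main__":
    for src, info in summarise_by_source(find_deception_hits(SAMPLE_LOG)).items():
        print(src, info["first_seen"], info["targets"], sorted(info["reasons"]))
```

In the sample, the first alert fires on a production host: the lure credential is detectable wherever it is tried, not only once the intruder reaches a decoy.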

As a result, organisations are better equipped to respond to an attack, take action to shut it down quickly and decisively and make sure that the attacker does not return. This is the very definition of ‘active defence’: drawing on the time-tested military approach of using proactive methods to outwit and slow down your adversary, not only making the attack more difficult but also gaining deeper understanding of their methods to prevent them from returning.
