How organisations can adopt deception to outsmart cyber attackers
Dealing with cyberattacks on a daily basis has become the reality for businesses today. However, few organisations take a proactive response. Instead, they are left to deal with the fallout after an attack happens and the financial and reputational damage to their business has already occurred.
TechRadar spoke with Attivo Networks’ Chief Deception Officer Carolyn Crandall who suggests that businesses adopt the long established military technique of ‘deception’ to help them gain an edge over cybercriminals.
1. Deception has been long been used in the act of war: how can this now be used in the cyber security industry?
Deception has been used in war, law, sports, and gambling for millennia to create uncertainty and confusion in the adversary’s mind, which will delay and manipulate their efforts, and will influence and misdirect their perceptions and decision processes.
Military deception by definition “is intended to deter hostile actions, increase the success of friendly defensive actions, or to improve the success of any potential friendly offensive action.”
Cyber deception aligns with this definition and is based on planned, deliberate, and controlled actions designed to obfuscate the network. In turn, this influences the attacker to make a mistake, spend more time distinguishing real from fake, and makes the economics of the attack undesirable, thereby forcing the attacker to take actions that are beneficial to the defender’s security posture.
Cyber deception works by creating decoys that appear as production assets and are designed to be attractive to the adversary. This is paired with deception bait or lures that display as enticing credentials, applications, or data and will lead the attacker into engaging with the deception environment. The use of deception efficiently leads the attacker through the network, revealing motives, techniques, and intentions, which can be used for collecting adversary intelligence, generating actionable alerts, and accelerating incident response.
As with physical warfare, by using deceptive techniques, a cyber defender can mislead and/or confuse attackers, thus enhancing their defensive capabilities over time. The ability to deceive, direct, and guide the adversary away from critical assets, denies the attacker the ability to achieve his goals and reveals how he is able to move through the network. It also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over.
2. How does deception differ to the traditional honeypot?
One of my favourite questions, “Why isn’t this just a honeypot?”. It’s really like comparing a horse and buggy to a Tesla. Honeypots were originally designed for research, and a decoy was placed outside the network to determine who was attacking the organisation. It was not designed to scale and was highly inefficient to operate.
Commercial-deception technology is designed for in-network threat detection and is able to detect threats from all vectors and across all attack surfaces.
To achieve this, deception must pass 3 major hurdles. First, to be attractive and believable; second, to scale to cover all attack surfaces; and third, to be easy to operate. To be attractive and believable, deception must appear identical to the production environment, running the same operating systems and services.
Earlier honeypot technology was emulated, and it did not take an attacker long to figure out how to identify and avoid them. Comprehensive deception technology platforms support virtually unlimited scalability across everything from user networks to cloud datacenters to unique IoT or ICS deployments. It is also important to be able to plant lures on the endpoint to entice and redirect attackers into the deception environment. Honeypots lack this functionality. The last material difference is in the preparation, deployment, and operations of deception.
Machine-learning now completely automates this process in an hour versus honeypots that need to be manually set up and rebuilt after an attack. The intuitive nature of deception makes it very simple to manage whereas a honeypot required highly skilled resources. The latest approaches to deception also provide automated attack analysis, automations for incident response, as well as visibility tools for attack paths, network device changes, and attack time-lapsed replay. These features simply don’t exist in honeypots.
3. How can deception techniques enable organisations to gain the upper hand against cyber attackers?
Most traditional security controls and technologies are designed to create a boundary around computer systems and are solely focused on trying to stop illicit access attempts at the perimeter. These “walls” are constantly pummeled by automated exploitation tools and attackers will continuously conduct reconnaissance on computers or conduct phishing campaigns until they find a vulnerability to infiltrate the network unstopped and undetected.
Unfortunately, throughout the process of stopping the attack, system defenders will typically learn very little - or nothing at all - about the intruders’ targets or motivations during this process. The desire to immediately deflect an attack, sadly, also comes at a price. One that can inadvertently make the task of defending a computer system harder, but the adversary stronger after every unsuccessful attack.
Deception technology changes the asymmetry of an attack by preparing an organisation regardless of the type of cyberattack, providing early detection regardless of attack surface, collecting information on the origin of the attack, tools, techniques, and motivation, along with providing attack analysis that empowers the defender to act decisively, automate response, and build proactive defences.
The organisation will also benefit from high-fidelity alerts that are actionable and automations for understanding an attack, information sharing, and responding to incidents.
4. How does a cyber deception plan add value to risk management ?
The value of having a cyber deception plan is multi-fold and can add value in both IT asset risk management and in digital risk management:
1. Early and accurate detection of threats that have bypassed perimeter defences. This includes early reconnaissance, lateral movement, and often hard-to-detect credential theft.
2. Insight into the reliability of the defender’s security posture and how an attacker is able to breach defences. This will provide a more complete view of your network’s strengths and weaknesses and identify the areas where the adversary will most likely try to gain access.
3. Awareness of risks and business functions likely to be attacked. Properly planning, designing, and implementing a deception campaign can identify previously unknown and potentially vulnerable assets along with the paths an attacker could utilise to move through an environment.
4. The ability to deceive, direct, and guide the adversary away from critical assets, denying the perpetrator of his goals and revealing how he wants to move through the network. This power to mislead and/or confuse attackers without their knowledge can then be applied to strengthen overall defensive capabilities.
5. Mitigation of increased security risk models associated with the use of new technologies such as IoT or cloud, which may be needed for competitive business offerings and services.
6. Collection of adversary intelligence that can be applied decisively to stop an attack, threat hunt, and eradicate a threat. Then, an organisation can set up deceptions and traps to mitigate the risk of return.
7. Proof during pen testing or for ongoing vulnerability assessment of security program resiliency or risks associated with insiders and supply chain.
8. Deception also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over or abandon their efforts completely. Increasing the complexity of an attack can be a strong deterrent and result in the reduced likelihood of being a primary target for attack.
5. Advanced threats are proven to bypass perimeter defences so how can deception benefit an organisation once breached?
Many will argue that cyberwarfare has now moved inside the network and that there is no realistic way to keep attackers completely out. Deception technology is built for an active defence that detects in-network attackers early and accurately, and which provides the root cause analysis required to understand where an attacker started, their tools, techniques, methods, and motivation.
Benefits include the ability to change the asymmetry of an attack and force the attacker to be right 100% of the time or reveal their presence.
It provides the defenders with offensive strategies designed to detect a threat early and accurately regardless of attack vector or surface, and the adversary intelligence required to quickly stop an attack and fortify defences.
The very nature of deception technology gives the organisations a number of advantages: they are forced to waste time and resources and are directed by the defenders to a particular pattern of behaviour. It also causes the adversary to reveal their own weaknesses and methods; this creates an active loop through which defenders can improve their own defences.
6. What can deception techniques help us to understand more about the cybercriminals’ activities?
Unlike other security controls that are designed to simply stop an attack, deception technology provides a high interaction deceptive environment where the attacker’s activities can be studied for threat intelligence and information on tools, techniques, targets, and how the threat moves through the network. Credential and application deceptions will also offer insight into attempted theft and reuse of legitimate credentials. Functionality to safely communicate with Command and Control will also offer valuable insight into polymorphic or time-triggered activity and will improve a defender’s ability to eradicate threats and prevent their return. Advanced features like decoy documents are also useful in understanding the attacker’s target and providing geo-location information.
7. How do you see deception technology advancing in the future?
Given its accuracy and efficacy, deception is becoming a de facto detection control within the security stack. Many organisations are specifically budgeting for deception projects for 2019 and I expect this will continue to fuel the rapid trend of adoption. Additionally, over the next two years, the deception technology market is estimated to grow 684% according to the Cybersecurity Imperative report.
Deception technology has matured immensely over the last few years and now has globally proven technology for network, endpoint, application, and data deceptions across a wide range of attack surfaces including data centres, cloud, user networks, remote offices, IoT, ICS, POS, and infrastructure. Additionally, comprehensive deception platforms facilitate the collection of adversary intelligence, and through native integrations, automate incident response. The use of machine-learning has also removed deployment and operational complexity, making deception suitable for both large and smaller organisations. Managed service offerings will also be more widely available to support midmarket and smaller business needs. It is important to note that there are very substantial capability differences amongst deception providers. It is critical to do the research to make sure the solution will meet the business’s current and future requirements.
Industry: Cyber Security News
- Senior Cyber Security Analyst / Engineer. Exclusive role
- United Kingdom
Senior Cyber Security Analyst / Engineer. Exclusive role Hybrid role- Travel to London once a month. ROLE Day to day operations, management and scalability of existing cyber security systems. Advanced triaging and troubleshooting security alerts. Improve tooling, reducing false positives. Improve processes and documentation Reviewing, approving, escalating security change management requests. Implementing new cyber security systems. Managing of and maturing security tooling such as; SIEM Vulnerability management Firewalls Patch management CASB Ideal technical experience Vulnerability Management: Qualys Forcepoint: CASB, DLP, web security, email security Microsoft Defender for Endpoint SIEM (Splunk) Firewalls: Cisco, Palo Alto, Juniper, Sonicwall IDS: Alert Logic Microsoft Cloud App Security Microsoft Azure ManageEngine ADAudit Plus Darktrace, Cloudflare, Cisco Umbrella, Imperva WAF Appreciation of ISO27001, GDPR, PCI, etc
- Security Operations Senior Technical Analyst, Financial Services. Exclusive to DCL Search
- 75000 + benefits
Exclusive Security Operations - Senior Technical Analyst (x2) needed within a forward thinking financial services business head quartered in London. DCL Search have been engaged on an Identifier Project to attract the very best cyber talent to this business. Influence the cyber security capability and direction within the business. Learn new skills working within a collaborative team. Grow as a security professional. ROLE Triaging and troubleshooting security alerts. Improve tooling, reducing false positives. Improve processes and documentation Reviewing, approving, escalating security change management requests. Day to day operations, management and scalability of existing cyber security systems. Implementing new cyber security systems. Managing of and maturing security tooling such as; SIEM Vulnerability management Firewalls Patch management CASB Ideal technical experience Vulnerability Management: Qualys Forcepoint: CASB, DLP, web security, email security Microsoft Defender for Endpoint SIEM (Splunk) Firewalls: Cisco, Palo Alto, Juniper, Sonicwall IDS: Alert Logic Microsoft Cloud App Security Microsoft Azure ManageEngine ADAudit Plus Darktrace, Cloudflare, Cisco Umbrella, Imperva WAF Appreciation of ISO27001, GDPR, PCI, etc 2 days a fortnight in London- or more if you want.. Hybrid reworking.
- It's Pen Testing Chris, but not as we’ve know it.
- United Kingdom
5 reasons, as long as you are a skilled penetration tester (and a nice person) this may be different enough for you. Healthy package for the right talents- before you ask up to 95k+ (depending on skillset). Yes permanent only. Remotely based with the occasional time to meet up- unless you enjoy retiring from society. BUT UK based but not UK client focused. Research and training time- A dedicated trainer with budget for you to sharpen / develop skills. You can make your stamp. It’s a new role for someone technical to deliver, lead and shape a testing capability. No political shenanigans etc Exclusive to DCL Search and not one of the usual names. So you can dramatically increase your chances of securing it. Infrastructure pen testing and Web app / Manual penetration testing experience highly valued. Someone that can scope, deliver pen testing, report and not be useless in front of clients. Apply today to find out more. Or email Chris.Holt@dclsearch.com Or call 07884666351 This is a UK based role.
- Ping Contractor-
- Depends on skills and experience
Looking for experienced PIng Consultants, Looking for consultant with Implemenation or Architect experience in the Ping product set (Ping Identity, Ping Federate, Ping Access, Ping Directory, Ping Adapter development, SDK etc) This would be for implementation projects, working across UK. You will be responsible for providing implementation services to our clients from information gathering through to implementation. Evaluating client business, process, systems, and technology requirements and advise clients on best practices to help guide and solidify proposed designs. Manage Client expectations, Stakeholder Managment, ensuring design Matches business requirements