How organisations can adopt deception to outsmart cyber attackers
Dealing with cyberattacks on a daily basis has become the reality for businesses today. However, few organisations take a proactive response. Instead, they are left to deal with the fallout after an attack happens and the financial and reputational damage to their business has already occurred.
TechRadar spoke with Attivo Networks’ Chief Deception Officer Carolyn Crandall who suggests that businesses adopt the long established military technique of ‘deception’ to help them gain an edge over cybercriminals.
1. Deception has been long been used in the act of war: how can this now be used in the cyber security industry?
Deception has been used in war, law, sports, and gambling for millennia to create uncertainty and confusion in the adversary’s mind, which will delay and manipulate their efforts, and will influence and misdirect their perceptions and decision processes.
Military deception by definition “is intended to deter hostile actions, increase the success of friendly defensive actions, or to improve the success of any potential friendly offensive action.”
Cyber deception aligns with this definition and is based on planned, deliberate, and controlled actions designed to obfuscate the network. In turn, this influences the attacker to make a mistake, spend more time distinguishing real from fake, and makes the economics of the attack undesirable, thereby forcing the attacker to take actions that are beneficial to the defender’s security posture.
Cyber deception works by creating decoys that appear as production assets and are designed to be attractive to the adversary. This is paired with deception bait or lures that display as enticing credentials, applications, or data and will lead the attacker into engaging with the deception environment. The use of deception efficiently leads the attacker through the network, revealing motives, techniques, and intentions, which can be used for collecting adversary intelligence, generating actionable alerts, and accelerating incident response.
As with physical warfare, by using deceptive techniques, a cyber defender can mislead and/or confuse attackers, thus enhancing their defensive capabilities over time. The ability to deceive, direct, and guide the adversary away from critical assets, denies the attacker the ability to achieve his goals and reveals how he is able to move through the network. It also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over.
2. How does deception differ to the traditional honeypot?
One of my favourite questions, “Why isn’t this just a honeypot?”. It’s really like comparing a horse and buggy to a Tesla. Honeypots were originally designed for research, and a decoy was placed outside the network to determine who was attacking the organisation. It was not designed to scale and was highly inefficient to operate.
Commercial-deception technology is designed for in-network threat detection and is able to detect threats from all vectors and across all attack surfaces.
To achieve this, deception must pass 3 major hurdles. First, to be attractive and believable; second, to scale to cover all attack surfaces; and third, to be easy to operate. To be attractive and believable, deception must appear identical to the production environment, running the same operating systems and services.
Earlier honeypot technology was emulated, and it did not take an attacker long to figure out how to identify and avoid them. Comprehensive deception technology platforms support virtually unlimited scalability across everything from user networks to cloud datacenters to unique IoT or ICS deployments. It is also important to be able to plant lures on the endpoint to entice and redirect attackers into the deception environment. Honeypots lack this functionality. The last material difference is in the preparation, deployment, and operations of deception.
Machine-learning now completely automates this process in an hour versus honeypots that need to be manually set up and rebuilt after an attack. The intuitive nature of deception makes it very simple to manage whereas a honeypot required highly skilled resources. The latest approaches to deception also provide automated attack analysis, automations for incident response, as well as visibility tools for attack paths, network device changes, and attack time-lapsed replay. These features simply don’t exist in honeypots.
3. How can deception techniques enable organisations to gain the upper hand against cyber attackers?
Most traditional security controls and technologies are designed to create a boundary around computer systems and are solely focused on trying to stop illicit access attempts at the perimeter. These “walls” are constantly pummeled by automated exploitation tools and attackers will continuously conduct reconnaissance on computers or conduct phishing campaigns until they find a vulnerability to infiltrate the network unstopped and undetected.
Unfortunately, throughout the process of stopping the attack, system defenders will typically learn very little - or nothing at all - about the intruders’ targets or motivations during this process. The desire to immediately deflect an attack, sadly, also comes at a price. One that can inadvertently make the task of defending a computer system harder, but the adversary stronger after every unsuccessful attack.
Deception technology changes the asymmetry of an attack by preparing an organisation regardless of the type of cyberattack, providing early detection regardless of attack surface, collecting information on the origin of the attack, tools, techniques, and motivation, along with providing attack analysis that empowers the defender to act decisively, automate response, and build proactive defences.
The organisation will also benefit from high-fidelity alerts that are actionable and automations for understanding an attack, information sharing, and responding to incidents.
4. How does a cyber deception plan add value to risk management ?
The value of having a cyber deception plan is multi-fold and can add value in both IT asset risk management and in digital risk management:
1. Early and accurate detection of threats that have bypassed perimeter defences. This includes early reconnaissance, lateral movement, and often hard-to-detect credential theft.
2. Insight into the reliability of the defender’s security posture and how an attacker is able to breach defences. This will provide a more complete view of your network’s strengths and weaknesses and identify the areas where the adversary will most likely try to gain access.
3. Awareness of risks and business functions likely to be attacked. Properly planning, designing, and implementing a deception campaign can identify previously unknown and potentially vulnerable assets along with the paths an attacker could utilise to move through an environment.
4. The ability to deceive, direct, and guide the adversary away from critical assets, denying the perpetrator of his goals and revealing how he wants to move through the network. This power to mislead and/or confuse attackers without their knowledge can then be applied to strengthen overall defensive capabilities.
5. Mitigation of increased security risk models associated with the use of new technologies such as IoT or cloud, which may be needed for competitive business offerings and services.
6. Collection of adversary intelligence that can be applied decisively to stop an attack, threat hunt, and eradicate a threat. Then, an organisation can set up deceptions and traps to mitigate the risk of return.
7. Proof during pen testing or for ongoing vulnerability assessment of security program resiliency or risks associated with insiders and supply chain.
8. Deception also holds the benefit of increasing the attacker’s cost as they must now decipher what is real from fake and often have to restart their attacks over or abandon their efforts completely. Increasing the complexity of an attack can be a strong deterrent and result in the reduced likelihood of being a primary target for attack.
5. Advanced threats are proven to bypass perimeter defences so how can deception benefit an organisation once breached?
Many will argue that cyberwarfare has now moved inside the network and that there is no realistic way to keep attackers completely out. Deception technology is built for an active defence that detects in-network attackers early and accurately, and which provides the root cause analysis required to understand where an attacker started, their tools, techniques, methods, and motivation.
Benefits include the ability to change the asymmetry of an attack and force the attacker to be right 100% of the time or reveal their presence.
It provides the defenders with offensive strategies designed to detect a threat early and accurately regardless of attack vector or surface, and the adversary intelligence required to quickly stop an attack and fortify defences.
The very nature of deception technology gives the organisations a number of advantages: they are forced to waste time and resources and are directed by the defenders to a particular pattern of behaviour. It also causes the adversary to reveal their own weaknesses and methods; this creates an active loop through which defenders can improve their own defences.
6. What can deception techniques help us to understand more about the cybercriminals’ activities?
Unlike other security controls that are designed to simply stop an attack, deception technology provides a high interaction deceptive environment where the attacker’s activities can be studied for threat intelligence and information on tools, techniques, targets, and how the threat moves through the network. Credential and application deceptions will also offer insight into attempted theft and reuse of legitimate credentials. Functionality to safely communicate with Command and Control will also offer valuable insight into polymorphic or time-triggered activity and will improve a defender’s ability to eradicate threats and prevent their return. Advanced features like decoy documents are also useful in understanding the attacker’s target and providing geo-location information.
7. How do you see deception technology advancing in the future?
Given its accuracy and efficacy, deception is becoming a de facto detection control within the security stack. Many organisations are specifically budgeting for deception projects for 2019 and I expect this will continue to fuel the rapid trend of adoption. Additionally, over the next two years, the deception technology market is estimated to grow 684% according to the Cybersecurity Imperative report.
Deception technology has matured immensely over the last few years and now has globally proven technology for network, endpoint, application, and data deceptions across a wide range of attack surfaces including data centres, cloud, user networks, remote offices, IoT, ICS, POS, and infrastructure. Additionally, comprehensive deception platforms facilitate the collection of adversary intelligence, and through native integrations, automate incident response. The use of machine-learning has also removed deployment and operational complexity, making deception suitable for both large and smaller organisations. Managed service offerings will also be more widely available to support midmarket and smaller business needs. It is important to note that there are very substantial capability differences amongst deception providers. It is critical to do the research to make sure the solution will meet the business’s current and future requirements.
Industry: Cyber Security News
- IAM Product/ Project Manager
- Upto €80,000 plus benefits
IAM product/project manager is need for this expanding service provider to help develop their IAM (CIAM) strategy roadmap. This role will have two main functions, to work between the front end digital team and the backend IAM development team to ensure that the current deployment of the solution runs smoothly and is fit for purpose, the Second function is to look at the business’ future digital offerings and to understand how the IAM/CIAM solution will develop with the new digital strategy, you will be looking at the future technology and the ensuring the IAM solution is fit for purpose. The business is an agile environment and you will require agile experience. This is a great opportunity to help shape a key product within the future digital strategy of this expanding service provider. We are looking for someone with both IAM and strong product management experience Project management experience would be beneficial. If you are interested speak to Robert Anderton on 0044 (0) 7957 493501 and he will be able to discuss the role in more details IAM product/project manager is needed for this expanding service provider to help develop their IAM (CIAM) strategy roadmap. This role will have two main functions, to work between the front end digital team and the backend IAM development team to ensure that the current deployment of the solution runs smoothly and is fit for purpose, the second function is to look at the business’ future digital offerings and to understand how the IAM/CIAM solution will develop with the new digital strategy, you will be looking at the future technology and the ensuring the IAM solution is fit for purpose. The business is an agile environment and you will require agile experience. This is a great opportunity to help shape a key product within the future digital strategy of this expanding service provider. We are looking for someone with both IAM and strong product management experience Project management experience would be beneficial. If you are interested then speak to Robert Anderton on 0044 (0) 7957 493501 and he will be able to discuss the role in more details
- Cyber Incident Manager, Proactive planning and management. SC
Cyber Incident Manager, Proactive planning and management. Cyber incident Manager needed to join a large and complex business to help them prepare for a cyber related incidents. SC clearance will be required. Current or the ability to achieve. This role does not require specific current hands on technical Incident response experience, but this background would give a distinct advantage. The role has two key functions: to help the business prepare for an event and to steer them through when / if that happens. The Cyber Incident response managers role will include, but not be limited to; working with internal stakeholders to develop a security incident management plan along with its and supporting policies. Developing plans and implementing strategies on how incidents are detected, reported, assessed and responded to. Engaging with leadership teams both internal and external, proactively mapping out this large business to identify and engage the various other stakeholders and their teams. Build out and document incident scenarios and their processes, ensure incident management procedures are updated, playbooks and key training etc. You should have experience working with both internal teams and external suppliers. The role will also focus on liaising with the various teams to ensure the security incident response plan is delivered effectively. CCIM, GCIH, CIPR (NCSC-Certified Cyber Incident Planning & Response) Looking to interview immediately.
- SOC Manager. SC Clearance. Immediate opportunity.
Permanent SOC Manager. SC cleared / clearable, London / Birmingham. SOC Manager needed to replace a SOC contractor I placed into a client who is due to complete their assignment at the end of March. The ability to achieve SC clearance is essential. Looking for someone that is a blend of strategic stakeholder engagement with strong technical skills. The role will sit in a relatively new SOC environment. The position is to setup, implementation and management of resources to help with the initial and on-going stages of a new SOC. Experience engaging with and managing client stakeholder relationships as well as 3rd party relationships is critical. The role will involve; setting up, implementing and fine tuning the various initial stages of a SOC environment. Experience establishing and building out technical process / operational capability, managing of technical teams (analysts, engineers and architects, creation of policy / playbooks, fine turning is key. SPLUNK is the tooling of choice… Interviewing immediately. Set up a call with me today on https://calendly.com/chris-holt/arranged-call-with-chris-holt-soc-manager-role Direct contact details Chris.Holt@dclsearch.com or 07884666351
- Security engineer. Financial Services. UK. Permanent
CH7863 Security engineer. End User . Financial Services Security Engineer needed to monitor and manage a security suite of tools within an End User environment. The Security Engiener will be responsible monitoring, configuring, fine tuning, incident management and generally improving the security tool capability. Specific experience with CyberArk, Tripwire Log Center and Tripwire Enterprise is highly desirable). Current experience with Vulnerability management and penetration testing is highly desirable. Specifically the ability to effectively manage 3rd party pen tests. You will be working within a specialist security team reporting to the CISO. Experience working within an end user environment within financial services is highly desirable. Flexible location. This is an exclusive role to DCL Search & Selection. To book a call please use my Calendy link https://calendly.com/chris-holt/arranged-call-with-chris-holt-soc-role-