How deception technology is used to provide accurate and scalable threat detection and response
In “The Art of War,” Sun Tsu wrote, “Successful war follows the path of deception.” Using deception to thwart adversaries is an age-old strategy. Deception techniques have been used in warfare for ages — disinformation, camouflage, concealment and lies. Deception is considered one of the most effective forms of military strategy to date.
The most elaborate example of deception in warfare is Operation Bodyguard, employed by Allied forces in World War II, and considered one of the largest and most successful deceptive campaigns in military history. The campaign consisted of several operations, which culminated in the tactical surprise of the Germans during the Normandy landing on June 6, 1944 (also known as D-Day), and delayed German reinforcements to the region. Allied forces used inflatable tanks, inflatable military vehicles, dummy aircraft, dummy landing craft, fake wireless activity, misinformation purposely leaked through diplomatic channels and double agents. They successfully deceived the Germans into believing that they were planning a massive strike to the north of Normandy, thereby diluting German troop presence in Normandy.
We’ve all been deceived by attackers at some point
Cyber attackers have been using deceptive techniques against organizations and people for decades, with phishing and social engineering probably being the best examples of these techniques. Famous hacker Kevin Mitnick defines social engineering in his book “The Art of Deception” writing, “Social engineering uses manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.”
Cyber deception uses similar techniques to invoke an emotional response from attackers, thereby giving them the illusion of a successful attack but instead luring them away from real assets, revealing themselves to IT security teams and allowing us to track their every move.
Why is Deception Technology becoming more relevant today?
We now live in a time where security breaches are unfortunately commonplace. Almost every week we hear about organizations that have fallen victim to cyber attackers.
So why are security breaches occurring more regularly? Well, for one, threat actors are stealthier, more resilient and more persistent than ever. Organizations are struggling to keep up due to many factors, including the lack of skilled resources, lack of cybersecurity awareness, inadequate patching, legacy security technology, lack of threat intelligence and lack of security automation. Solving these problems takes time and budget, but it is vital that organizations address these challenges.
There is another reason traditional security defenses are failing: organizations have focused on reactive instead of proactive approaches to security. Security transformation starts with changing how we think about security. Moving from a reactive approach to more of a proactive one may be the only way to thwart today’s adversaries.
Organizations must be able to rapidly detect cyber attackers who have managed to breach security defenses. The longer cyber attackers go undetected within the organization, the more havoc they can wreak. According to cybersecurity firm FireEye in their recent M-Trends report the global average dwell time for cyber attackers who have penetrated an organizations defenses is 99 days. The recent Equifax breach which affected nearly 44 percent of the U.S. population saw a dwell time of approximately 60 days.
Dwell time is a huge problem for organizations – typically the longer the dwell time the more extensive the impact of the breach is. During this dwell period, attackers move laterally, gain access to other endpoints, escalate their credentials and exfiltrate data.
Organizations need solutions that will reduce dwell time, rapidly detect threat actors and yield zero false positives. Deception technology can reduce detection time from months to minutes — yes, minutes!
It’s this efficacy that’s sparking a lot of interest in deception technology. Research firm Technavio forecasts that the deception technology market is growing at a compound annual growth rate of 9 percent, and is predicted to reach $1.3B by 2020.
The Evolution of Deception Technology
I get this question a lot when speaking about deception technology: “Isn’t deception just honeypots?” Well, yes and no. Both are built on trapping technology, so both technologies were designed to mislead, confuse and delay attackers by misdirecting their intentions. But deception is really the evolution of the honeypot from limited, static capabilities to adaptive, machine learning and AI-driven platforms which are scalable and easy to operate.
Next generation deception platforms deploy attractive, authentic and scalable deception which is operationally easy to manage and can integrate with existing security technologies for rapid incident response.
Enter the Distributed Deception Technology Platform
Deception technology is still regarded by many as an emerging arena, and the vendors leading the pack have a few attributes which make them stand out as true distributed deception platforms. For one, enterprise class deception should be deployable everywhere within an organization — endpoint, network, cloud, application and even data. Deploying deception in a single area does have its use cases, but if an organization wants the ability to detect threats wherever they penetrate, deception needs to be deployed enterprise wide.
In terms of architecture, deception technology solutions differ considerably; some are endpoint focused, some network focused, some cloud focused and others are a combination of all. Some have physical appliances, others are completely virtual, some have agents and others are agentless.
There are two types of decoys in deception technology used by vendors: low-interaction decoys, which are emulation based, and high-interaction decoys which are real systems (virtual).
WWT’s security experts use the capabilities of our Advanced Technology Center (ATC) to help our customers navigate this emerging and exciting arena via consultation, workshops, proofs of concept and the testing integration of deception technology with other security tools.
Attracting attackers to decoys is performed using lures, breadcrumbs and baits, with the most common type being credential lures. Credentials are the first thing attackers go after when they compromise a system. Other examples of common lures and breadcrumbs are fake network drive maps, fake network connections, fake browser history, fake registry entries, fake files and many, many others.
Most leading deception technology solutions have forensic analysis and reporting capabilities built into their platforms. This gives an organization quick access to the analysis of the attack as it’s occurring and is very useful in accelerating the incident response lifecycle.
Attacker behavior and intelligence gathered can also be shared with other security tools like firewalls, SIEMs, NAC solutions and EDR tools through integrations. These integrations are very important for rapid containment of threats. Automated threat blocking is becoming more popular through these advanced integrations. Popular integrations with deception technology for rapid containment of endpoints include Tanium and Cisco ISE, but are not limited to them.
Keeping deception fresh and indistinguishable to the attacker is very important. This is to ensure the attacker cannot fingerprint deception, evade traps and detection. Tools already exist to fingerprint decoys – remember if attackers can spot which assets are real and which are fake, your entire deception strategy falls flat.
Leading vendor solutions have AI and machine learning built into their deception platforms to achieve this. These features are also very important to reduce operational overhead and burden as organization’s security teams will not need to constantly define deception campaigns. Instead the deception platform is constantly analyzing and adapting deception to meet organizational changes. Organizations are dynamic, and your deception solution needs to be as dynamic as well. This is crucial to stay one step ahead of attackers.
Deception must be invisible to employees but visible to attackers
This is probably the most important aspect for any deception technology solution. Deception should never be advertised or visible to employees; this is important for detecting insider threats and increases the likelihood that any engagement activity with decoys is likely to be an attacker and you can take immediate action to stop their invasion.
The attackers’ toolbox generally consists of command line dual-use tools like PsExec, PowerShell, WMI and RDP to gain deeper network access and move laterally. It’s here where deception is visible to the attacker only, as normal network users should not be running these sort of reconnaissance commands as part of their daily duties.
However, deception must be advertised to internal IT, security and network operations, as they should be aware of the deception solution deployed so they can distinguish between real and fake assets. A great example of this is adding exceptions into vulnerability management for deception decoys.
Use cases for Cyber Deception
There are many business cases for deploying deception technology to allow for early detection and containment of threats that have evaded traditional security defenses.
If we break it down even into more granular potential applications for the technology a few come to mind. For example:
- Adding deception technology as a complement to an enterprise segmentation strategy
- Detection of threats on purpose-built systems (e.g. POS systems, SWIFT, SCADA, ICS and IoT)
- Insider threat detection – an employee or contractor who hits a decoy could be performing reconnaissance
- Security during merger and acquisition transactions – deception technology is low-friction and easy to deploy with very little tuning
Deception technology is the new darling of the intrusion detection market. It builds on the fundamental pillars of intrusion detection: faster and more accurate detection of attackers, producing zero false positives.
We have already seen deception as a feature set added to existing security tools in the market. We should see this trend continue as the deception market grows, transforms, acquisitions get made and leaders in enterprise deception platforms are clearly defined.