How Deception Technology Gives You The Upper Hand In Cybersecurity

This article is more than 5 years old.


It is a long-held maxim in cybersecurity that the bad guys have the advantage. They only have to succeed once, but the good guys have to stop them every time. So it is always interesting and often important when a new method comes along that seeks to change that balance of power.

Deception technology gives defenders a rare advantage against attackers by doing something that other forms of cybersecurity do not: it provides early and accurate detection by laying a minefield of attractive decoy systems and content to trip up attackers. This is all done within the organization’s own networks and serves as a high-fidelity warning system for attacks that have already bypassed perimeter security controls.

Decoys are designed to catch threat activity as the adversary looks to understand the network and how to find its target. Whether through a simple scan or an attempt to download malware, once an attacker goes after a decoy, it is safe to observe what they do in a contained environment. In most cases, when an attack is detected, the right thing to do is shut the attack down right away. But with deception you have the option to watch what is happening, learn more about the nature of the attack, and better understand the way that the attackers intend to spread through your network. Once you feel you’ve learned enough, you can then easily shut the attack down.

In this article, I am going to summarize how deception-based cybersecurity works and gives defenders the upper hand, using Attivo Networks as an example. I spoke with Carolyn Crandall, Chief Deception Officer and Chief Marketing Officer at Attivo, for her insights on this topic. For a longer explanation of how deception-based systems work to enhance cybersecurity, see Active Defense: How Deception Has Changed Cybersecurity and the related research mission Creating a Balanced Cybersecurity Portfolio, both published on Early Adopter Research.


What Is Deception?

Deception is the evolution of the idea of the honey pot: external sites that would attract people with bad intentions so that they could be identified. While honey pots were often used by security researchers, they were not a popular threat detection technique for enterprises. Deception takes a new approach and moves decoys inside the network, offering more valuable insight into threats that have already penetrated perimeter defenses.

Today, deception methods depend on decoy assets, fake credentials, and information that should never be accessed by anyone legitimately. If someone does access these assets, you know you have an intruder or, at a minimum, a policy violation that has created security risk. This detection mechanism is particularly valuable for reducing what is called dwell time, the length of time an attacker remains undiscovered inside the network. The industry average has hovered at around 100 days for the last couple of years, and these long dwell times give the attacker the time needed to successfully complete an attack.


Remember Catherine Zeta-Jones’ iconic scene in Entrapment where she weaves in and out of laser beam tripwires during a big heist? That is what deception inside a company is now like. When anyone attempts to access those internal decoys or deception credentials, the digital equivalent of a laser sensor is triggered, and you know you are under attack, where the attack is located, and what it is attempting to do. You can then respond immediately and confidently.

“With detection, there can be a tremendous amount of information accumulation, attack analysis, and correlation. Deception simplifies and automates these processes in order to make sure the attack is stopped, purged, and prevented from returning,” said Crandall.

Changing the Balance of Power

Deception is also unique in that an organization can safely watch attacks unfold, using a deception sandbox to engage attackers for deeper forensics. Security analysts can observe attackers safely because the assets under attack are high-interaction decoys designed to trick an attacker into thinking they are escalating their attack, all while actively collecting forensics. With deception, you can therefore engage an attacker and then use this threat intelligence to activate countermeasures. This is perhaps the most distinctive aspect of deception: it changes the balance of power between attackers and defenders, and you learn more about them than you otherwise would.

“A fundamental problem with traditional detection technologies is that they are designed to stop once they have detected an attack. Unfortunately, when you only block an attack, you don’t get the opportunity to study it,” said Crandall. “Yes, you stop it from coming in, but you’re not learning from it. Valuable information is lost, information that can be critical to quickly eradicating the attack and preventing the attack from returning.”

What Type of Activities Do Deception Systems Detect?

State-of-the-art deception systems detect a wide variety of threats and are not reliant on known signatures, database lookups, or pattern matching:

  • Credential theft: When somebody tries to attack and lift usernames and passwords from OLAP directories or other places they are stored.
  • Lateral movement: When someone in one part of the network tries to access other parts of the network that are off limits to them.
  • Attacks on directory systems: These can be directories of users or file directories.
  • Man-in-the-middle: Attacks where an attacker intercepts and possibly changes communication between two parties who do not know their exchanges have been infiltrated.
  • Sensitive data: Attempts to access sensitive, high-value data.
  • Geo-fencing: The attacker steals planted deception files that provide geo-location data and intelligence when opened.
  • Detecting attacks on data distributed outside your organization: It is often possible, using decoy documents, to put what are essentially GPS trackers on your data to see when it has been accessed, even after it has left your system.
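The tripwire logic behind three of the detection types above (decoy credential use, lateral movement toward a decoy host, and decoy document access), written as an added illustration rather than code from Attivo or the author; the decoy names, hosts, file path, log format and log lines are all constructed:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical decoy inventory: bait planted on purpose that no legitimate user or
# process has any reason to touch, so one hit is a high-fidelity signal.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_finance_ro"}
DECOY_HOSTS = {"10.20.30.77", "10.20.30.78"}
DECOY_FILES = {r"\\fs01\finance\Q3_payroll_export.xlsx"}

# Constructed log format: "<timestamp> <event> src=<ip> key=value ...".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>auth|smb|file) src=(?P<src>\S+)(?P<rest>.*)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    category: str  # which detection type from the article fired
    source: str    # where the activity came from
    target: str    # which decoy was touched

def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the log line touches a decoy, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["rest"].split())
    ev, src, ts = m["event"], m["src"], m["ts"]
    if ev == "auth" and fields.get("user") in DECOY_ACCOUNTS:
        # A failed logon counts too: the decoy username had to be harvested from somewhere.
        return Alert(ts, "credential theft", src, fields["user"])
    if ev == "smb" and fields.get("dst") in DECOY_HOSTS:
        return Alert(ts, "lateral movement", src, fields["dst"])
    if ev == "file" and fields.get("path") in DECOY_FILES:
        return Alert(ts, "decoy document access", src, fields["path"])
    return None

def triage(lines):
    """All alerts in log order, plus the source hosts that touched any decoy."""
    alerts = [a for a in map(classify, lines) if a is not None]
    return alerts, sorted({a.source for a in alerts})

SAMPLE_LOG = [  # constructed lines; 10.20.30.41 plays the intruder
    "2023-04-01T10:00:01Z auth src=10.20.30.5 user=jsmith result=success",
    "2023-04-01T10:00:09Z auth src=10.20.30.41 user=svc_backup_legacy result=failure",
    "2023-04-01T10:00:12Z smb src=10.20.30.41 dst=10.20.30.77 share=ADMIN$",
    r"2023-04-01T10:00:15Z file src=10.20.30.41 path=\\fs01\finance\Q3_payroll_export.xlsx op=read",
    "2023-04-01T10:01:00Z smb src=10.20.30.5 dst=10.20.30.9 share=public",
]
```

Because the decoys carry no legitimate traffic, `triage` needs no thresholds or baselines: the ordinary activity from 10.20.30.5 produces nothing, and every line from the intruder produces an alert that names the source and the decoy touched.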


Putting Deception Into Practice

There is a wide array of deception tactics available to enterprises. But before putting them to use, companies should understand what makes deception most effective.

  • Deception must be authentic: For deception to work, the decoy must seem real so you can lure the attacker in and learn about how they want to attack your system. You must be able to offer a view of reality that seems real and is attractive to the opponent. If you offer decoys or targets that seem fake, the attacker will avoid them and as such, the solution will not work. “For deception to be effective, first and foremost, it needs to be authentic,” said Crandall. “Attackers are sophisticated. To fool them, deception needs to be identical to production assets and credentials. It needs to be believable enough for them to fall for it.”
  • Deception must be comprehensive: Deception must be able to cover an ever-changing attack surface. Some vendors that provide deception-based cybersecurity only focus on one form of deception — like credentials, decoys, or data files. But it’s better if you can cover all attack methods and services by putting in credentials and mapped drive objects to attract engagement and decoys in the network, in the cloud, and in specialized places like the IoT, POS, ICS, SWIFT, network and telecommunications environments.
  • Deception must be scalable: Deception is more efficient than other means of detecting cybersecurity threats because it does not attempt to analyze traffic or behavior or to perform database lookups, all of which are prone to high false positive rates. Instead, you put in decoys or bait, and if those are accessed, you know there is a problem. There are no false positives. Scalability is thus not about processing power, but about designing and implementing a comprehensive and authentic set of decoys and bait that can then be put in place throughout your environment. Once those deceptions are deployed, you must then be able to automate their management and refresh them periodically to maintain authenticity. Machine learning has dramatically simplified the processes of generating, deploying, and operating deception environments. Deception campaigns are now self-learned, proposals are automatically created, and, at the push of a button, they can be executed globally.

What Are the Benefits of Using Deception?

Deception brings with it a variety of benefits for both large and mid-size enterprises. These include:

  • Reduction in dwell time and the mean time to detection and remediation.
  • High-fidelity alerts that simplify and accelerate incident response, while eliminating alert fatigue.
  • Through engagement, it provides deeper forensics of adversary intelligence including indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
  • It is also not reliant on knowing every attack vector or method and is designed to detect early reconnaissance, credential theft, and lateral movement.
  • If you suspect that an attack is underway, you can automatically add additional decoys around at-risk critical assets or simply reset the attack surface, upping the complexity for an adversary.
  • Visibility into device additions and changes on a network and into at-risk credentials, so that you can mitigate risk and reduce the attack surface the attacker is targeting.

Deception-based cybersecurity technology like Attivo Networks allows companies to gain internal threat visibility where before attacker reconnaissance, lateral movement, and credential theft would often evade them. Whether it is the industry average of dwell time or the unrelenting number of breaches we see each year, it is clear that attackers can and will get inside an organization’s network and a different approach is needed to get a different result. “I would say one of the biggest myths about threat deception is that this is a technology that you would want to do last, versus doing earlier on,” said Crandall. “Whether you have the most sophisticated security controls or not, you need to know as quickly as possible about the threats that are inside your network and whether they can cause you harm. Being overly confident in one’s perimeter defense has left all too many companies in precarious positions.”

Attivo’s technology implements a full stack of deception in order to achieve these benefits. It reduces dwell times of attacks by setting up decoys, traps, and bait for attackers. Its native partner integrations with a wide variety of other cybersecurity products ensure that as much information as possible can be automatically shared when an attack occurs and that traditional knowledge silos are removed. With Attivo’s system, knowledge about an attack is gathered safely within its built-in sandbox and its attack visualization tools can help an organization quickly gain actionable threat intelligence. It also allows companies to learn from attacks to create automated response processes and repeatable playbooks to shut down current attacks and to prevent or detect future attacks.

The value in using deception to change the asymmetry of the attack becomes very evident when using it in conjunction with a security test, in a Red/Blue exercise or as part of a penetration test. Adding deception gives the defenders an offense-based advantage they did not have before, and a capability to reliably detect the attackers once they get inside the network. By effectively slowing down attacks, it can also be a powerful deterrent as attackers experience increased costs and are forced to restart their attacks or seek easier targets.

Ultimately, as I mentioned earlier, deception provides a way of changing the balance of power between the attacker and the defender. With deception, the defender can quickly detect the attack, learn the attacker’s tactics, and create an offensive playbook of countermeasures to outsmart their adversary. Multiple Attivo customers have shared that it is their expectation that deception will become a widely deployed de facto security control over the next few years.

“It’s not enough to detect alone,” said Crandall. “You need to be able to take action on it, understand the attack, run the forensics on the attack, and then respond to it. Block it, quarantine, threat hunt it, build a better defense for the future. That’s all part of active defense. So detect early, reduce your dwell time, and ultimately improve your time to respond and remediate.”
