This article is the first in a five-part series developed by Dr. Edward Amoroso in conjunction with the deception technology team at Attivo Networks. It provides an overview of the evolution of deception, including its use in the enterprise, with emphasis on the practical requirements that have emerged in recent years to counter the growing number and changing nature of malicious threats.
Purpose of deception for cyber
Modern cyber deception involves creating a false perception of the attack surface for an adversary. The objective is to ensure that any malicious activity by that adversary is disrupted or exposed by the deception, thereby reducing risk and improving the organization's security posture. By design, the approach works against both human and automated adversaries, and it provides the same detection benefit against insiders, suppliers, and external threats.
The distinction between human and automated operation applies equally to the malicious actor on offense and to the defensive team deploying the deception. Whether the deception is operated manually or automatically, the functional goal is the same: to present a misleading environment that tricks the adversary. In both cases, diversionary measures redirect attacker activity away from real assets and toward a set of deceptive or fake assets put in place for defense, and in both cases an organization can significantly improve its overall security posture through deception.
The schema for any deceptive system is straightforward. Benign and malicious users both reach the same common interface, although some schemes hide the deceptive interface from typical employee workflows, so that anyone who does find it is, by definition, looking for an entry point. The common interface includes functionality that redirects access toward the deceptive system through lures and decoys. This is a powerful concept, because it changes the nature of cyber security risk management: a touch on a decoy is not routine activity to be filtered, but a signal of intent that no legitimate workflow produces.
One challenge for any deception-based scheme is that a capable adversary may not be easily fooled by a phony entry point, interface, or service. Similarly, an automated attack, such as one launched from a botnet, will not be swayed by the subjective hints or traps that might trick a human. This does not rule out using deception against automated attacks; rather, it changes the required strategy…
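As an added example (not code from the article or from Attivo Networks), the following Python sketch models the schema described above: real assets that benign workflows use, decoy hosts that are never published anywhere a legitimate user would look, and lure credentials planted as breadcrumbs. It also addresses the automated-attacker point in the last paragraph: a scanner is not fooled by a planted credential, but it will sweep unadvertised decoy hosts, which is a distinct signal a human following one breadcrumb rarely produces. All hostnames, credentials and log lines are constructed; the `src=... dst=...` log format and the mapping from each lure to the place it was planted are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed asset inventory (hypothetical names, not a real network) ----
# Assets the business actually uses; normal workflows only ever reference these.
REAL_ASSETS = {"fileserver01.corp.example", "erp.corp.example"}

# Decoys: listen like real services but are absent from DNS, documentation and
# bookmarks, so no benign workflow reaches them. A network scanner or worm
# enumerating the subnet finds them anyway.
DECOY_HOSTS = {"fileserver02.corp.example", "backup-db.corp.example",
               "jump-old.corp.example"}

# Lures (honeytokens): credentials planted where a human intruder looks.
# Assumed convention: map each lure to where it was planted, so an alert can
# say which breadcrumb was picked up.
LURES = {
    ("svc_backup", "Backup#2021!"): "saved RDP credential on WS-FIN-07",
    ("db_admin", "Summer2020"): "config.bak on the IT file share",
}


@dataclass(frozen=True)
class AccessEvent:
    src: str
    dst: str
    user: str = ""
    password: str = ""


@dataclass(frozen=True)
class Verdict:
    severity: str  # "none", "low", "high" or "critical"
    reason: str


def judge(event: AccessEvent) -> Verdict:
    """Classify one access against the real/decoy/lure inventory."""
    cred = (event.user, event.password)
    if cred in LURES:
        # A planted credential is only known to whoever harvested it, so its use
        # is a critical signal even when the target is a real asset.
        return Verdict("critical",
                       f"lure credential {event.user!r} used against {event.dst}; "
                       f"planted as {LURES[cred]}")
    if event.dst in DECOY_HOSTS:
        # Decoys sit outside every legitimate workflow: any contact is
        # reconnaissance or lateral movement, human or automated.
        return Verdict("high", f"decoy {event.dst} contacted from {event.src}")
    if event.dst in REAL_ASSETS:
        return Verdict("none", "access to a real asset")
    return Verdict("low", f"unknown destination {event.dst}")


def parse_line(line: str) -> AccessEvent:
    """Parse the constructed 'key=value' log format used in SAMPLE_LOG."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return AccessEvent(fields["src"], fields["dst"],
                       fields.get("user", ""), fields.get("pass", ""))


def triage(lines):
    """Return (line, verdict) pairs for every access that is not benign."""
    findings = []
    for line in lines:
        verdict = judge(parse_line(line))
        if verdict.severity != "none":
            findings.append((line, verdict))
    return findings


def sweep_sources(lines, min_decoys=2):
    """Sources that touched min_decoys or more distinct decoys: the footprint of
    an automated scan rather than a human following a single breadcrumb."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        if event.dst in DECOY_HOSTS:
            hits[event.src].add(event.dst)
    return {src for src, dsts in hits.items() if len(dsts) >= min_decoys}


# Constructed log: a normal user, an intruder using harvested lures, and a scanner.
SAMPLE_LOG = [
    "src=10.0.1.23 dst=erp.corp.example user=alice pass=correct-horse",
    "src=10.0.1.23 dst=fileserver01.corp.example user=alice",
    "src=10.0.1.40 dst=fileserver01.corp.example user=svc_backup pass=Backup#2021!",
    "src=10.0.1.40 dst=backup-db.corp.example user=db_admin pass=Summer2020",
    "src=10.0.9.9 dst=fileserver02.corp.example",
    "src=10.0.9.9 dst=backup-db.corp.example",
    "src=10.0.9.9 dst=jump-old.corp.example",
]

if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LOG):
        print(f"[{verdict.severity}] {verdict.reason}")
    print("automated sweep suspected from:", sorted(sweep_sources(SAMPLE_LOG)))
```

The design point is that neither rule needs a signature or a baseline: benign traffic is excluded by construction, because real users have no reason to know the decoys or the lure credentials exist. The second rule is the "changed strategy" for bots mentioned above: a scanner ignores the breadcrumbs a human would follow, so the decoys must be something it will touch on its own, and the tell is breadth of contact rather than use of a lure.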