Deception a Hot Topic for 2016 and Next Week’s RSA
By Carolyn Crandall
Deception looks like it is shaping up to be a hot topic at next week’s RSA event in San Francisco—as well as all of 2016. So you may ask… What is the noise all about? Is it hype, a fad or something you should really check out?
Deception technology is designed to make your entire network a trap for detecting attackers. Think of it as a finely tuned motion sensor for your network. The goal of deception technology is to prevent attackers who have already entered the network from reaching their goals by misdirecting their operations and delaying or preventing their ability to go deeper into the network or reach an intended target. Fundamentally, there are engagement servers; decoys; deception lures; analytics engines; and threat intelligence dashboards and reporting that make up a deception platform.
Since deception is coming into vogue in 2016, there are numerous companies starting to hang a shingle on their door saying they offer deception. These solutions however, can be vastly different in their breadth and depth. The logical questions one may ask are: Why detection? Why deception? Which deception type?
There a variety of reasons… even the most sophisticated prevention systems cannot keep every attack out. Why… zero day attacks, insider threats, stolen credentials, phishing emails, etc., all by-pass prevention systems and since they may not come with known signatures, will easily slip by even the most sophisticated security solutions. Over 600 breaches were reported last year and there are daily reports of new strains of malware that are getting more and more difficult to prevent. With the need for visibility to threats that have made their way inside the network, Gartner has also been cited saying that enterprises will see a shift to 60% prevention and 40% detection by 2020. (“Shift Cybersecurity Investment to Detection and Response”, by Ayal Tirosh and Paul Proctor)
Deception technology solutions are designed for inside the network threat detection and to enhance, rather than replace other security products. The technology is not reliant upon attack signatures, which makes it extremely effective for gaining real-time visibility into an attack that has bypassed all other prevention efforts. Detection and its associated forensic reporting enhance the tasks that the organization’s regular security information and event management (SIEM) system carries out, ensuring that infected devices are identified, substantiated alerts are raised, and information shared so that blocking and the quarantining of infected devices occur as quickly as possible.
Deception technology products rely on a series of decoys that the deception solution distributes throughout the network. The solution designs the decoys to mimic genuine IT assets. They run either a real or emulated operating system (OS) and provide services that tempt the attackers into thinking they have found a way to steal credentials or escalate privileges. In reality, however, the deception solution has simply lured attackers into scanning or attacking a decoy, which then notifies a special dedicated server, called an engagement server or a deception server. Correlation engines within the deception server identify which decoy the attacker has scanned or tried to attack and what attack vectors he used.
Because deception technology providers design their solutions to detect inside-the-network threats and their lateral movement, alerts are always event-driven and automatically supported by forensics that can be analyzed with other log data from the organization’s SIEM system should the need arise. Should even more information be required during an attack, some advanced deception systems can open communications with the attacker’s Command and Control (C&C) server to learn more about the attacker’s methods and the tools he is using.
Which deception type?
The key to an effective deception platform is creating authentic decoys and enticing lures that fool the attacker into engaging, with an engagement server to analyze, alert, and report on the attack. The two dominant approaches for deception platforms today are based on emulation, or real operating systems and services. In an emulation approach, one or more virtual machines (VMs) emulate an organization’s network, services and operating systems based on that network’s architecture. The VMs deceive the malware into attacking the emulated environment versus the actual one. The benefits are obvious, but there are downsides.
Any emulated service or device is by design, not active, which can make it easier to detect. Emulated systems contain popular services, however they are limited in their configurations and lack depth of protocols and services. Additionally, emulation does not permit customization with golden images to match an operating environment. Emulated decoy alone will also not be able to engage with the attacker beyond initial detection. Without the ability to have additional engagement, response teams cannot gather the Techniques, Tactics and Procedures (TTP) of the attack and the forensics to block and quarantine infected systems. . Notably, since an emulated system can’t fully engage and complete the attack cycle it is easily identifiable by the attacker as this shortcoming is a “fingerprint,” which can clue in attackers.
A deception strategy built on real operating systems that are also running expected protocols or services, on the other hand, has many advantages. By running real operating systems and customizing services by only turning on applications that are used in an organizations environment, the deception server becomes an authentic decoy that can be virtually indistinguishable from an actual server. The ability for a company to load a “golden image” on the decoy or install custom applications will create an environment with the highest degree of deception. Additional techniques to broadcast traffic, open communications to Command and Control Centers, and to let attacks play out in a threat analysis engine will provide additional engagement for authenticity and produce valuable attack forensics.
The other major elements in a deception platform include the quality of the deception lures. The most comprehensive systems will have server, endpoint, data, and other forms of deception to entice the attacker into engaging. Scalability will also be a major factor for organizations seeking to deploy not only on user networks but also in data centers, cloud environments, and on ICS- SCADA devices.
If you’ll be at RSA (February 29 – March 4 at San Francisco’s Moscone Center), please come see us in the North Expo at booth N3022. There, you can see a demo of the Attivo deception solution, recently named a Cloud Awards winner and a Finalist in the Tech Trailblazers and the Info Security Global Excellence Awards programs. Attivo technical expert Joe Salazar will also be speaking 8:00 AM to 8:50 AM on March 3rd in Moscone North, room 130. (Open to anyone with a Full Conference or Discover RSA conference badge.)
Organizations are realizing that inside-the-network threat visibility is a must, and deception offers the most efficient and cost effective way to quickly detect and prevent against even the most complex cyber threat. I welcome you to visit Attivo at RSA for a demo and to learn more on why organizations are choosing Attivo for their deception solution.