Deception and Counterintelligence
By: Joseph Salazar
When someone mentions Counterintelligence (CI), James Bond, the IMF's Ethan Hunt, and three-letter agencies like the FBI, CIA, and MI5 come to mind for most people. They may think that CI is limited to intelligence agencies, government organizations, or the military. However, mention CI to those with experience in the intelligence field and they think of it as a security discipline that can be implemented and used anywhere.
CI is defined simply as information gathered and actions taken to identify and protect against an adversary's intelligence collection activities, operations, or attempts to cause harm through sabotage or other actions. At its core, CI is about securing information and preventing an adversary from stealing or destroying it. If this sounds familiar to those in the Information Security field, that's because it is. Just look at the security triad of Confidentiality, Availability, and Integrity as functions of CI as defined above. The goal of CI is to ensure that only the right people can access the information, that they can get to their information when they need to, and that their information is not modified or destroyed by a malicious actor.
CI is categorized into defensive, collective, and offensive CI. Collective CI is about learning who the adversary is, how they collect information or attack, and what tools they use. Defensive CI is about stopping those collection or attack activities. Offensive CI is about manipulation, misinformation, and deception. Without realizing it, most organizations already practice some aspects of CI, but they call it different things: Data Loss Prevention, Threat Intelligence development, malware reverse engineering, forensics, etc. In that light, an Information Security stack is an incomplete implementation of a CI strategy: most organizations conduct defensive CI, some do collective CI, but few really consider offensive CI (which is why the implementation is incomplete). This is where deception technology comes in. Deception technology completes the stack, and with the right implementation provides high levels of offensive, defensive, and collective CI.
Deception technology has been a hot topic in the Information Security space, so much so that Gartner has listed it as one of its Top 10 Strategic Technology Trends for 2018. Strategically, deception technology is a core implementation of CI. Deception technology works by scattering decoy systems and credentials throughout the network that alert when attackers engage them. Attackers who get past security measures such as firewalls, IDS/IPS, and EDR solutions must now contend with another layer of traps and sensors that can alert to their presence. This is deception technology as defensive CI. Simplistic deception solutions such as emulated honeypots stop there, but more sophisticated solutions can also provide collective and offensive CI.
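The alerting mechanism described above, as an added illustration that is not code from the original post or from any vendor's platform: decoy accounts and decoy hosts are planted, and any authentication event touching one of them becomes a high-fidelity alert, because no legitimate workflow ever uses them. The decoy names, the sshd-style log format and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed decoy inventory: bait accounts and bait hosts that serve no
# production purpose, so any interaction with them is suspicious by definition.
DECOY_ACCOUNTS = {"svc_backup_old", "db_admin_legacy"}
DECOY_HOSTS = {"decoy-db", "decoy-fs"}

# Constructed sample log lines in an sshd-like format (not real logs).
SAMPLE_LOGS = [
    "Mar 10 09:01:02 app01 sshd[1201]: Accepted password for alice from 10.20.1.15 port 51022",
    "Mar 10 09:03:44 app01 sshd[1210]: Failed password for svc_backup_old from 10.20.1.77 port 51100",
    "Mar 10 09:04:01 decoy-db sshd[88]: Accepted password for db_admin_legacy from 10.20.1.77 port 51101",
    "Mar 10 09:05:10 app02 sshd[1300]: Failed password for bob from 10.20.1.16 port 51200",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

@dataclass(frozen=True)
class Alert:
    timestamp: str
    source_ip: str
    user: str
    host: str
    reason: str  # which decoy(s) were touched

def detect_decoy_engagement(lines, decoy_accounts=DECOY_ACCOUNTS, decoy_hosts=DECOY_HOSTS):
    """Return one Alert per log line that touches a decoy account or decoy host.

    Failed attempts alert too: a failed login with a bait credential still
    proves the credential was harvested from wherever it was planted.
    """
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are ignored, never silently treated as benign hits
        reasons = []
        if m["user"] in decoy_accounts:
            reasons.append("decoy account")
        if m["host"] in decoy_hosts:
            reasons.append("decoy host")
        if reasons:
            alerts.append(Alert(m["ts"], m["src"], m["user"], m["host"], "; ".join(reasons)))
    return alerts

def engaged_sources(alerts):
    """Collective-CI view: map each source IP to the set of decoys it touched."""
    summary = {}
    for a in alerts:
        summary.setdefault(a.source_ip, set()).add((a.user, a.host))
    return summary
```

Running `engaged_sources(detect_decoy_engagement(SAMPLE_LOGS))` yields a single source, 10.20.1.77, tied to both decoys, which is the kind of per-adversary picture the collective CI discussion below is about.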
When talking about collective CI, one is referring to "intelligence," not just "information." Information is merely a data point. Intelligence is the product of analyzing information to conclude something. In Information Security, practitioners talk about Threat Intelligence. In loose terms, Threat Intelligence is about analyzing information that helps identify an attack. Think of Threat Intelligence as IOCs: data points that, when analyzed, allow a security analyst to find commonalities that can identify a malicious attack. A higher level of Threat Intelligence is what is referred to as Adversary Intelligence. Adversary Intelligence is identifying the Tactics, Techniques, and Procedures (TTPs) of an attacker, thereby gaining an understanding of their capabilities and goals. These types of intelligence address the goal of collective CI. Where Threat Intelligence usually answers the "what" in collective CI, Adversary Intelligence deals with the "how," and together, Threat and Adversary Intelligence help with the "who." All this intelligence can increase the security of an organization.
A deception platform can implement collective CI, especially one that allows an attacker to fully engage with the decoys and bait. A deception platform decoy can record all interactions and activity an attacker performs while engaging. The longer the attacker engages, and the more he believes that the decoy is a production asset, the more information the deception platform collects, and the more collective CI is developed. The completeness of the information gathered therefore depends on the attacker engaging for as long as possible. A deception platform that the attacker can identify as a decoy, or that he cannot engage with deeply for long periods of time, will yield incomplete or limited information. A decoy that the attacker can engage with for lengthy periods of time will garner the most collective CI data. Taking that even further, a deception platform that can track deceptive documents when they are stolen and opened helps even more with answering the question of "who," providing complete and comprehensive collective CI capabilities.
In the realm of Information Security, offensive CI is often misunderstood to mean "hacking back" or "counter-attacking," and is therefore assumed to belong only to government or military organizations. While some aspects of offensive CI can be construed that way, the reality is that offensive CI can be as simple as misinformation and deception. Viewed through the lens of the Computer Fraud and Abuse Act, if an organization takes no "hostile" action on networks and systems that do not belong to it, there is no violation. Offensive CI can take various forms, but for the purposes of Information Security, deception technology is a direct implementation of offensive CI. The goal of deception technology is to misinform and mislead attackers, thereby preventing them from furthering their attack. The decoys that help with defensive CI also function as offensive CI, because they manipulate the attacker into targeting them instead of production assets, thereby disrupting his attack operations. They misinform the attacker by feeding him false information about the network. Finally, especially with deceptive documents that can be tracked, they introduce doubt about the veracity of the information and files the attacker has collected and stolen, thereby increasing his effort and resource utilization as he tries to figure out what is real and what is fake. This capability is powerful and helps tip the scales in the defender's favor.
Organizations that are unfamiliar with CI as it relates to Information Security should realize that they have already been practicing some form of it for a long time. However, those that want to take full advantage of a robust CI implementation should look to deception technology to complete their stack.
The Attivo Networks ThreatDefend Deception and Response Platform can provide the full gamut of collective, defensive, and offensive CI capabilities. To learn more about the latest version of the ThreatDefend platform, featuring counterintelligence capabilities that identify the types of data an attacker is attempting to steal and, through geolocation services, where the documents are being accessed, read the full press release here.