Deception Essentials for Cyber
By: Edward Amoroso
Years ago, I became aware of a cable TV company whose customers were ripping off pay-per-view content. One root cause involved teenagers replacing their set-top box CPU with a test version of the chip purchased from an on-line TTL dealer. Because the test CPU descrambled everything, these clever teens no longer had to squint to make sense of those scrambled images on the Spice Channel.
Now, you might be delighted to learn that the cable company security team opted to use deception to deal with their issue. The approach they followed – absolute genius, in my opinion – was to create a scrambled banner message that they scrolled across a popular pay-per-view heavyweight fight. Paying fans would see scrambled nonsense, because while their set-top box would descramble the video images, it would not descramble the banner.
But because the test CPU would descramble everything, teen hackers would see the banner. And here is what it said: “Welcome to this pay-per-view event! To commemorate the event and to receive your free tee-shirt, please send us your name, address, and phone number.” My recollection is that this sting caught literally thousands of young fraudsters – who must have had some serious explaining to do to their parents.
Now, in my role as an industry analyst, I’ve had the good fortune to gain first-hand exposure to the most promising techniques for cyber defense. And I will tell you that few protection methods carry the potential wallop of deceptive computing – so long as it is executed correctly. To derive maximum value, cyber security teams must select the right vendor, deploy decoys properly, and integrate the deception into their overall architecture.
To that end, I spent some quality time this past week with one of the most knowledgeable teams in the deception business: Attivo Networks. Led by my friend Tushar Kothari, Attivo has developed one of the most comprehensive deception platforms in our industry. We spent the greater part of an afternoon going through the most promising current and emerging methods for deception – and I think you will benefit from a summary of that discussion here.
First, there are the basics: Every deceptive computing method, as our cable company example illustrated, includes decoys and lures that collect data for detection, analysis, and response to intruder activity. This set-up is both familiar and powerful, but remains insufficiently deployed across the global enterprise. This is a curious omission, especially since modern frameworks such as NIST 800-53 Rev. 4 include deception as a control.
One explanation for this gap involves coverage. That is, since it is challenging to cover the entire corporate network with lures and decoys, some teams question whether deception should be deployed at all. This decision, I believe, misses the entire point of deceptive computing – namely, that it creates a diverse means for detecting even the subtlest incident, with little operational risk. This seems like a good equation to me.
Attivo’s platform includes an extensive suite of decoy and server processing support for both detection and response. The platform redirects the targeted activity of a hacker from customer endpoints or servers to special Attivo engagement servers for correlative analysis. The deception platform can also be extended to special IoT environments, which represents a promising new protection vector for industrial control.
I was pleased to hear from Attivo of the advances being made in machine learning for deception. I’ve long believed that label assignment based on training data is perfectly suited to the use of lures and analytics. “Attivo embeds self-learning into our platform,” Attivo CMO Carolyn Crandall explained, “and the combination of such powerful processing with decoy-based detection will produce powerful results.”
I was also delighted to see focus in the Attivo platform on reducing the risk of lateral traversal across an enterprise. For the life of me, I cannot understand why more CISOs are not embedding traps, lures, and decoys into the enterprise, so long as they continue to rely on their perimeter. “Active Directory is included in virtually every APT campaign,” Carolyn said, “and the risk of lateral compromise can be significantly reduced with deception technology.”
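To make the detection side of this concrete, here is a small worked example of the basic decoy mechanism described above (lures that collect data for detection, with little operational risk) applied to the Active Directory lateral-movement case. It is an added illustration written for this summary; it is not code from the original post and not Attivo's platform. The decoy account names, host names, source addresses and the simplified key=value log lines are all constructed for the example, and the log format is a stand-in rather than real Windows event text. The point it shows: because no legitimate user or service ever authenticates as a decoy account, any touch of one is a high-fidelity alert, and several decoys probed from a single source is the lateral-movement pattern the quote refers to.

```python
"""
Decoy-credential (honeytoken) detection over constructed logon events.

Added example, not part of the original post and not Attivo's code.
Account names, hosts, addresses and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Decoy accounts planted in the directory. Real people and services never use
# them, so any authentication attempt with one of them is a signal, not noise.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_dr", "jsmith_old"}

# Constructed log lines in a simplified key=value form (not real Windows event text).
# event=4624 stands for a successful logon, event=4625 for a failed one.
SAMPLE_EVENTS = [
    "ts=2024-03-01T09:12:04Z event=4624 user=alice src=10.0.5.21 host=WS-0142 status=success",
    "ts=2024-03-01T09:13:11Z event=4625 user=svc_backup_legacy src=10.0.9.77 host=FS-01 status=failure",
    "ts=2024-03-01T09:13:12Z event=4625 user=admin_dr src=10.0.9.77 host=DC-01 status=failure",
    "ts=2024-03-01T09:13:15Z event=4624 user=admin_dr src=10.0.9.77 host=DC-01 status=success",
    "ts=2024-03-01T09:20:40Z event=4624 user=bob src=10.0.5.30 host=WS-0201 status=success",
]

_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class LogonEvent:
    ts: str
    event_id: int
    user: str
    src: str
    host: str
    success: bool


def parse_event(line: str) -> Optional[LogonEvent]:
    """Parse one key=value log line; return None for lines missing required fields."""
    fields = dict(_KV_RE.findall(line))
    try:
        return LogonEvent(
            ts=fields["ts"],
            event_id=int(fields["event"]),
            user=fields["user"],
            src=fields["src"],
            host=fields["host"],
            success=fields["status"] == "success",
        )
    except (KeyError, ValueError):
        return None


def parse_events(lines: List[str]) -> List[LogonEvent]:
    """Parse a batch of lines, silently skipping malformed ones."""
    return [e for e in map(parse_event, lines) if e is not None]


def decoy_hits(events: List[LogonEvent]) -> List[LogonEvent]:
    """Every event that names a decoy account is an alert: there is no benign use."""
    return [e for e in events if e.user.lower() in DECOY_ACCOUNTS]


def triage(events: List[LogonEvent]) -> Dict[str, dict]:
    """Group decoy touches by source address and rate each source.

    critical: a logon as a decoy succeeded, so the source now holds a decoy identity
    high:     one source probed several decoys or hosts (lateral-movement pattern)
    medium:   a single failed touch of one decoy from one source
    """
    by_src: Dict[str, List[LogonEvent]] = {}
    for e in decoy_hits(events):
        by_src.setdefault(e.src, []).append(e)

    results: Dict[str, dict] = {}
    for src, hits in by_src.items():
        decoys = sorted({h.user.lower() for h in hits})
        hosts = sorted({h.host for h in hits})
        if any(h.success for h in hits):
            severity = "critical"
        elif len(decoys) > 1 or len(hosts) > 1:
            severity = "high"
        else:
            severity = "medium"
        results[src] = {
            "severity": severity,
            "decoys": decoys,
            "hosts": hosts,
            "count": len(hits),
            "first_seen": min(h.ts for h in hits),
        }
    return results


if __name__ == "__main__":
    for src, summary in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{summary['severity'].upper():8} src={src} decoys={summary['decoys']} "
              f"hosts={summary['hosts']} first_seen={summary['first_seen']}")
```

Run as-is and the only source reported is 10.0.9.77, rated critical: it touched two decoys across two hosts and one of those logons succeeded. The two ordinary users never appear, which is the operational-risk argument in practice: the detector has nothing to say about legitimate traffic, so it produces no false positives there, and it does not need to cover the whole network to be useful, only the parts where the decoys sit.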
Many will agree that deception is hardly a new tactic, as evidenced by the air-filled tanks used in World War II. It is also not new in computing, as evidenced by the old Recourse platform that introduced deception to many security experts, including me. (If you recognize that product, then we share a generation.) So, adding deception is not revolutionary, but rather a return to a common, well-accepted means for playing defense.
Here is your homework: If you are not currently using deception in your enterprise, then you should consider thinking more like that awesome cable company security team with their clever sting catching content thieves. Spend some time today investigating the deployment and use of deception in your enterprise. Then pull the trigger and get this important control embedded into your cyber security infrastructure. Attivo Networks will be more than happy to help.
Let us know your progress.